scvhost.exe problem


12 replies to this topic

#1 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 01:16 AM

When I start up my computer, before logging on, many different windows pop up saying error scvhost.exe.
After logging on, after a few seconds my computer screen goes blue and shuts down.

I'm on an IBM ThinkPad R52 running Windows XP.

Also, if my computer runs long enough for me to see the desktop, icons saying pornotube.com, youporn.com and nudetube.com appear, and when I delete them they just reappear later.

I don't quite know what other information to post, sorry; ask me anything and I'll tell you what you need me to.

Help would be appreciated. I have run a HijackThis log and I am posting it here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:01 PM, on 20/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mitchell\reader_s.exe
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\restorer64_a.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\restorer64_a.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\fonts\services.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\A5.tmp
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\restorer64_a.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {42D26868-25C3-4be1-8652-559E76B25B77} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {78D48D53-58D1-4614-B47B-4AA5CEDBF0EA} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [5648] C:\WINDOWS\system32\D.tmp.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [restorer64_a] C:\WINDOWS\system32\restorer64_a.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKLM\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKLM\..\RunOnce: [áN@] áN@
O4 - HKLM\..\RunOnce: [ÑN@] ÑN@
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\RunOnce: [SpybotDeletingA6784] command.com /c del "C:\WINDOWS\system32\servises.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5701] cmd.exe /c del "C:\WINDOWS\system32\servises.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5043] command.com /c del "C:\Documents and Settings\Mitchell\reader_s.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8392] cmd.exe /c del "C:\Documents and Settings\Mitchell\reader_s.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5811] command.com /c del "C:\WINDOWS\System32\reader_s.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2469] cmd.exe /c del "C:\WINDOWS\System32\reader_s.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [sys64_nov] C:\Documents and Settings\Mitchell\sys64_nov.exe
O4 - HKCU\..\Run: [zmmclr] C:\WINDOWS\system32\ncmdds.exe
O4 - HKCU\..\Run: [mqlwindl] C:\WINDOWS\system32\lsprcxs.exe
O4 - HKCU\..\Run: [wesspell] C:\WINDOWS\system32\qazbrnn.exe
O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\Mitchell\restorer32_a.exe
O4 - HKCU\..\Run: [crsmons] C:\WINDOWS\system32\iomssls.exe
O4 - HKCU\..\Run: [opqlsys] C:\WINDOWS\system32\velplsme.exe
O4 - HKCU\..\Run: [xisbcom] C:\WINDOWS\system32\lmssspr.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7518] command.com /c del "C:\WINDOWS\system32\servises.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1033] cmd.exe /c del "C:\WINDOWS\system32\servises.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1945] command.com /c del "C:\Documents and Settings\Mitchell\reader_s.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4355] cmd.exe /c del "C:\Documents and Settings\Mitchell\reader_s.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7852] command.com /c del "C:\WINDOWS\System32\reader_s.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1006] cmd.exe /c del "C:\WINDOWS\System32\reader_s.exe"
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\fonts\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Mitchell\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Mitchell\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {EE31AE88-AE7A-4C52-9330-A0A3B3468C02} - (no file)
O20 - AppInit_DLLs: visoziyo.dll c:\windows\system32\linanotu.dll c:\windows\system32\ c:\windows\system32\namiroto.dll tidadegi.dll c:\windows\system32\ramuzovi.dll c:\docume~1\alluse~1\applic~1\bohupota\bohupota.dll c:\windows\system32\jejuvusu.dll c:\windows\system32\nozapuso.dll
O21 - SSODL: numazatir - {30424edb-e777-4f38-807c-1179dc194391} - c:\windows\system32\linanotu.dll (file missing)
O21 - SSODL: vulibaguh - {18e3fe43-2227-4b9f-9d79-5ddd1bdb9e20} - c:\windows\system32\namiroto.dll (file missing)
O21 - SSODL: teyikadat - {0ecc48ff-ab97-4234-9638-155bedb05322} - (no file)
O21 - SSODL: tebikugad - {2062905d-f85a-4bae-872d-4c2f73e3a340} - (no file)
O21 - SSODL: hiyedebul - {c9443155-e02f-439f-81f1-a70e0c36f646} - (no file)
O21 - SSODL: gipalowig - {286a85cc-6e80-4aa0-98a7-87764ce24670} - c:\windows\system32\ramuzovi.dll (file missing)
O21 - SSODL: huzebalan - {11fc3c24-235b-430b-814b-81c35177e7c5} - c:\docume~1\alluse~1\applic~1\bohupota\bohupota.dll (file missing)
O21 - SSODL: korotofaj - {79c3f9bb-8bd0-42ca-9743-8cd26fd64fa5} - c:\windows\system32\jejuvusu.dll (file missing)
O21 - SSODL: vafikewet - {242a4be7-6229-4a75-9c54-639c7f308d5d} - c:\windows\system32\nozapuso.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {30424edb-e777-4f38-807c-1179dc194391} - c:\windows\system32\linanotu.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {18e3fe43-2227-4b9f-9d79-5ddd1bdb9e20} - c:\windows\system32\namiroto.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {0ecc48ff-ab97-4234-9638-155bedb05322} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {2062905d-f85a-4bae-872d-4c2f73e3a340} - (no file)
O22 - SharedTaskScheduler: gahurihor - {c9443155-e02f-439f-81f1-a70e0c36f646} - (no file)
O22 - SharedTaskScheduler: gahurihor - {286a85cc-6e80-4aa0-98a7-87764ce24670} - c:\windows\system32\ramuzovi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {11fc3c24-235b-430b-814b-81c35177e7c5} - c:\docume~1\alluse~1\applic~1\bohupota\bohupota.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {79c3f9bb-8bd0-42ca-9743-8cd26fd64fa5} - c:\windows\system32\jejuvusu.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {242a4be7-6229-4a75-9c54-639c7f308d5d} - c:\windows\system32\nozapuso.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System32 Service (service) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 11983 bytes

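The log above is long, and most of what makes it alarming is repetitive: executables named like temp files, system binaries running from the wrong folder, a second program hung on UserInit, a populated AppInit_DLLs value, one-letter look-alikes of real system names, and loaders whose files no longer exist. Below is an added example (written for this page, not a HijackThis feature and not a tool used in the thread) that reads HijackThis-style lines and flags those patterns. SAMPLE_LOG is copied from the log posted above; the rule names, the list of imitated system binaries and the severity labels are this example's own assumptions.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis)."""
import re

# Windows binaries that malware commonly imitates, and the folders they belong in.
# (Assumed list for this example; extend it for your own environment.)
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "smss.exe",
                   "winlogon.exe", "csrss.exe", "userinit.exe", "explorer.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows"}

# A drive-letter path ending in a program/library extension. The lookahead stops the
# match at a quote, comma, space or ")" so trailing text like "(file missing)" is left out.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|scr|tmp)(?=[",\s)]|$)', re.I)


def levenshtein(a, b):
    """Edit distance; a distance of 1 catches one-letter swaps like servises.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    d, _, name = path.rpartition("\\")
    return d.lower(), name.lower()


def check_path(path):
    """Findings for one executable path found on a log line (first matching rule wins)."""
    d, name = split_path(path)
    if re.search(r"\.tmp(\.exe)?$", name):
        return [("high", f"{name}: temp-file name registered as a program")]
    if "\\fonts\\" in path.lower():
        return [("high", f"{name}: program stored under the Fonts folder")]
    if name in SYSTEM_BINARIES and d not in LEGIT_DIRS:
        return [("high", f"{name}: system binary name outside its normal folder ({d})")]
    for real in SYSTEM_BINARIES:
        if name != real and levenshtein(name, real) == 1:
            return [("high", f"{name}: look-alike of {real}")]
    return []


def triage_line(line):
    """Return a list of (severity, reason) findings for one log line."""
    line = line.strip()
    findings = []
    if not line:
        return findings
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in line):
        findings.append(("medium", "entry contains non-printable or non-ASCII characters"))
    if line.lower().startswith("f2 - reg:system.ini: userinit="):
        # UserInit should name exactly one program: userinit.exe.
        entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
        if len(entries) != 1 or split_path(entries[0])[1] != "userinit.exe":
            extra = entries[1:] or entries
            findings.append(("high", "UserInit launches extra program(s): " + "; ".join(extra)))
    if line.lower().startswith("o20 - appinit_dlls:") and line.partition(":")[2].strip():
        findings.append(("high", "AppInit_DLLs is populated; listed DLLs load into every GUI process"))
    if "(file missing)" in line.lower() or "(no file)" in line.lower():
        findings.append(("medium", "entry points at a file that no longer exists (orphaned loader)"))
    for path in PATH_RE.findall(line):
        findings.extend(check_path(path))
    return findings


def triage_log(text):
    """Return [(line, findings)] for every line that produced at least one finding."""
    results = []
    for raw in text.splitlines():
        found = triage_line(raw)
        if found:
            results.append((raw.strip(), found))
    return results


def severity_counts(results):
    """Tally findings by severity, e.g. {'high': 7, 'medium': 2}."""
    counts = {}
    for _line, findings in results:
        for sev, _reason in findings:
            counts[sev] = counts.get(sev, 0) + 1
    return counts


# Lines copied from the HijackThis log posted above (process list, F2, O4, O20, O21).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\fonts\services.exe
C:\Program Files\Bonjour\mDNSResponder.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O4 - HKLM\..\Run: [5648] C:\WINDOWS\system32\D.tmp.exe
O4 - HKLM\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKLM\..\RunOnce: [áN@] áN@
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: visoziyo.dll c:\windows\system32\linanotu.dll
O21 - SSODL: numazatir - {30424edb-e777-4f38-807c-1179dc194391} - c:\windows\system32\linanotu.dll (file missing)
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(line)
        for sev, reason in findings:
            print(f"    [{sev}] {reason}")
    print(severity_counts(triage_log(SAMPLE_LOG)))
```

The rules are deliberately narrow: they raise what an analyst would look at first, they do not decide whether a file is malicious, and a legitimate entry with a missing file (an uninstalled program's leftover BHO, for example) will still show up as medium. The point is to sort a 190-line log into the handful of lines worth reading closely.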


#2 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • 3,114 posts

Posted 20 October 2009 - 01:54 AM


Hi, welcome to the WTT Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean.
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.

You can continue to use Safe Mode with Networking if booting into normal mode is not working for you.

First, if possible, please go to the following URL, and upload the file regedit.exe from C:\Windows\System32
http://www.bleepingc....php?channel=88

After that, please download Combofix from any of the links below but rename it to mitchell.exe before saving it to your desktop.

Link 1
Link 2


==================================

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 02:39 AM

I have no file in my C:\Windows\system32 called regedit.exe; the closest I could find was regedt32.exe. Do I upload that?

#4 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 02:47 AM

I found one called regedit.exe, but it was just in C:\WINDOWS and not in system32. I will upload it now.

#5 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • 3,114 posts

Posted 20 October 2009 - 03:02 AM

We'll skip ComboFix for now, if you haven't already started.

Please go to VirusTotal, and upload the following files for analysis:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe

Post the results here.

#6 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 03:16 AM

The internet won't let me onto this site; it says "Internet Explorer cannot display the webpage".

#7 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • 3,114 posts

Posted 20 October 2009 - 03:20 AM

Try Jotti or VirScan.

#8 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 03:29 AM

In a sec I'll post the other two.
Okay, I used VirSCAN and this is my result for regedit.exe:

VirSCAN.org Scanned Report :
Scanned time : 2009/10/20 19:14:40 (EST)
Scanner results: 65% Scanner(s) (24/37) found malware!
File Name : regedit.exe
File Size : 166912 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 10221b1a22f9ae92f9e4e06c611a1aa2
SHA1 : 11126cb55fa7a7afd80128c1b2335308b4b09406
Online report : http://virscan.org/r...df3f769b12.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091020154054 2009-10-20 5.04 -
AhnLab V3 2009.10.18.01 2009.10.18 2009-10-18 1.25 Win32/Virut.F
AntiVir 8.2.1.35 7.1.6.125 2009-10-19 0.10 W32/Virut.Gen
Antiy 2.0.18 20091020.3030211 2009-10-20 0.12 -
Arcavir 2009 200910191611 2009-10-19 0.06 -
Authentium 5.1.1 200910200614 2009-10-20 1.27 W32/Virut.AI!Generic (Possible)
AVAST! 4.7.4 091019-0 2009-10-19 0.01 Win32:Vitro
AVG 8.5.288 270.14.23/2447 2009-10-20 0.59 Win32/Virut
BitDefender 7.81008.4411570 7.28447 2009-10-20 3.81 Win32.Virtob.Gen.12
CA (VET) 9.0.0.143 35.1.7074 2009-10-20 12.39 -
ClamAV 0.95.2 9912 2009-10-20 0.04 -
Comodo 3.12 2663 2009-10-20 2.04 -
CP Secure 1.3.0.5 2009.10.20 2009-10-20 0.07 -
Dr.Web 4.44.0.9170 2009.10.20 2009-10-20 5.80 Win32.Virut.56
F-Prot 4.4.4.56 20091020 2009-10-20 1.32 W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.10.20.06 2009-10-20 0.14 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 10.964 2009-10-20 0.26 -
GData 19.8493/19.516 20091020 2009-10-20 8.07 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091019 2009.10.19 2009-10-19 0.55 -
Ikarus T3.1.01.72 2009.10.20.74178 2009-10-20 4.36 -
JiangMin 11.0.800 2009.10.19 2009-10-19 8.52 Win32/Virut.bo
Kaspersky 5.5.10 2009.10.20 2009-10-20 0.07 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.10.20.14 2009-10-20 0.74 -
McAfee 5.3.00 5776 2009-10-19 4.05 W32/Virut.n.gen
Microsoft 1.5101 2009.10.20 2009-10-20 10.41 Virus:Win32/Virut.BM
Norman 6.01.09 6.01.00 2009-10-19 4.01 W32/Virut.DB
Panda 9.05.01 2009.10.19 2009-10-19 7.04 W32/Sality.AO
Trend Micro 8.700-1004 6.558.02 2009-10-19 0.04 PE_VIRUX.J
Quick Heal 10.00 2009.10.20 2009-10-20 1.35 W32.Virut.G
Rising 20.0 21.52.12.00 2009-10-20 1.15 Win32.Virut.cl
Sophos 3.00.1 4.46 2009-10-20 2.61 W32/Scribble-B
Sunbelt 5458 5458 2009-10-19 3.15 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091019.002 2009-10-19 0.09 W32.Virut.CF
nProtect 20091019.02 5889965 2009-10-19 10.84 -
The Hacker 6.5.0.2 v00048 2009-10-19 1.04 W32/Virut.gen4
VBA32 3.12.10.11 20091019.1412 2009-10-19 1.89 Virus.Win32.Virut.X6
VirusBuster 4.5.11.10 10.112.73/2009446 2009-10-19 3.40 -

#9 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 03:34 AM

VirSCAN result for userinit.exe:

VirSCAN.org Scanned Report :
Scanned time : 2009/10/20 19:18:19 (EST)
Scanner results: 65% Scanner(s) (24/37) found malware!
File Name : userinit.exe
File Size : 45056 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 20bc47245e7a8e5d29e6a472fd9a6ae3
SHA1 : 8b93a7570af063d16ba00dbe237125ad88c6d3ec
Online report : http://virscan.org/r...10d45afc33.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091020154054 2009-10-20 4.60 -
AhnLab V3 2009.10.18.01 2009.10.18 2009-10-18 1.23 Win32/Virut.F
AntiVir 8.2.1.35 7.1.6.125 2009-10-19 0.12 W32/Virut.Gen
Antiy 2.0.18 20091020.3030211 2009-10-20 0.12 -
Arcavir 2009 200910191611 2009-10-19 0.04 -
Authentium 5.1.1 200910200614 2009-10-20 1.25 W32/Virut.AI!Generic (Possible)
AVAST! 4.7.4 091019-0 2009-10-19 0.01 Win32:Vitro
AVG 8.5.288 270.14.23/2447 2009-10-20 0.59 Win32/Virut
BitDefender 7.81008.4411570 7.28447 2009-10-20 3.94 Win32.Virtob.Gen.12
CA (VET) 9.0.0.143 35.1.7074 2009-10-20 19.12 -
ClamAV 0.95.2 9912 2009-10-20 0.01 -
Comodo 3.12 2663 2009-10-20 1.07 -
CP Secure 1.3.0.5 2009.10.20 2009-10-20 0.05 -
Dr.Web 4.44.0.9170 2009.10.20 2009-10-20 5.74 Win32.Virut.56
F-Prot 4.4.4.56 20091020 2009-10-20 1.24 W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.10.20.06 2009-10-20 0.12 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 10.964 2009-10-20 0.20 -
GData 19.8493/19.516 20091020 2009-10-20 5.20 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091019 2009.10.19 2009-10-19 0.43 -
Ikarus T3.1.01.72 2009.10.20.74178 2009-10-20 4.39 -
JiangMin 11.0.800 2009.10.19 2009-10-19 6.87 Win32/Virut.bo
Kaspersky 5.5.10 2009.10.20 2009-10-20 0.07 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.10.20.14 2009-10-20 0.66 -
McAfee 5.3.00 5776 2009-10-19 3.38 W32/Virut.n.gen
Microsoft 1.5101 2009.10.20 2009-10-20 7.32 Virus:Win32/Virut.BM
Norman 6.01.09 6.01.00 2009-10-19 4.01 W32/Virut.DB
Panda 9.05.01 2009.10.19 2009-10-19 2.50 W32/Sality.AO
Trend Micro 8.700-1004 6.558.02 2009-10-19 0.04 PE_VIRUX.J
Quick Heal 10.00 2009.10.20 2009-10-20 1.21 W32.Virut.G
Rising 20.0 21.52.12.00 2009-10-20 0.94 Win32.Virut.cl
Sophos 3.00.1 4.46 2009-10-20 2.59 W32/Scribble-B
Sunbelt 5458 5458 2009-10-19 1.64 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091019.002 2009-10-19 0.05 W32.Virut.CF
nProtect 20091019.02 5889965 2009-10-19 7.56 -
The Hacker 6.5.0.2 v00048 2009-10-19 0.75 W32/Virut.gen4
VBA32 3.12.10.11 20091019.1412 2009-10-19 1.94 Virus.Win32.Virut.X6
VirusBuster 4.5.11.10 10.112.73/2009446 2009-10-19 3.18 -

#10 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • 3,114 posts

Posted 20 October 2009 - 03:37 AM

Sorry mitchell. :(

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:
Link
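The backup advice above amounts to a file filter: copy data, leave every .exe and .scr behind, leave archives that contain them, and treat the web file types newer variants touch the same way. The following is an added example (written for this page, not a tool from the thread or from the WTT classroom) that plans and performs such a data-only copy using only the Python standard library. Two choices in it are this example's own assumptions: a file is also skipped when it starts with an MZ header regardless of its extension, since a renamed executable is still an executable, and .rar/.cab archives are skipped outright because the standard library cannot list their contents. The sample folder tree is constructed in the block and is not data from the thread.

```python
"""Plan and run a data-only backup that leaves executables behind (added example)."""
import os
import shutil
import tempfile
import zipfile

PROGRAM_EXT = {".exe", ".scr"}                 # file types the post says the virus infects
WEB_EXT = {".htm", ".html", ".asp", ".php"}    # file types recent variants modify
ZIP_EXT = {".zip"}                             # archives we can inspect with the stdlib
OPAQUE_ARCHIVE_EXT = {".rar", ".cab"}          # archives we cannot inspect; assumed unsafe


def classify(path):
    """Return ('copy' | 'skip', reason) for one file on disk."""
    ext = os.path.splitext(path)[1].lower()
    if ext in PROGRAM_EXT:
        return "skip", "executable/screensaver extension"
    if ext in WEB_EXT:
        return "skip", "web file type modified by recent variants"
    if ext in OPAQUE_ARCHIVE_EXT:
        return "skip", "archive contents cannot be inspected here"
    if ext in ZIP_EXT:
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if os.path.splitext(n)[1].lower() in PROGRAM_EXT]
        except zipfile.BadZipFile:
            return "skip", "unreadable zip archive"
        if bad:
            return "skip", "zip contains " + ", ".join(bad)
        return "copy", "zip without executables"
    # Extension looks harmless: still refuse anything carrying a PE/DOS header.
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":
            return "skip", "MZ header despite extension " + (ext or "(none)")
    return "copy", "data file"


def plan_backup(src_root):
    """Walk src_root and sort every file into {'copy': [...], 'skip': [...]}."""
    plan = {"copy": [], "skip": []}
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            decision, reason = classify(full)
            rel = os.path.relpath(full, src_root).replace(os.sep, "/")
            plan[decision].append((rel, reason))
    for key in plan:
        plan[key].sort()
    return plan


def run_backup(src_root, dst_root):
    """Copy only the files the plan approves, preserving the folder layout."""
    plan = plan_backup(src_root)
    for rel, _reason in plan["copy"]:
        dst = os.path.join(dst_root, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(src_root, *rel.split("/")), dst)
    return plan


def build_sample_tree():
    """Constructed sample data (not from the thread) exercising every rule."""
    root = tempfile.mkdtemp(prefix="backup_demo_src_")
    docs = os.path.join(root, "My Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "thesis.txt"), "w") as f:
        f.write("chapter one\n")
    with open(os.path.join(docs, "setup.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    with open(os.path.join(docs, "index.html"), "w") as f:
        f.write("<html></html>\n")
    with open(os.path.join(docs, "report.doc"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)          # an executable hiding behind a .doc name
    with zipfile.ZipFile(os.path.join(docs, "photos.zip"), "w") as zf:
        zf.writestr("holiday/beach.jpg", b"\xff\xd8\xff")
    with zipfile.ZipFile(os.path.join(docs, "tools.zip"), "w") as zf:
        zf.writestr("tools/fixit.exe", b"MZ")
    with open(os.path.join(docs, "movie.rar"), "wb") as f:
        f.write(b"Rar!")
    return root


def demo():
    """Build the sample tree, back it up to a fresh folder, return (plan, copied files)."""
    src = build_sample_tree()
    dst = tempfile.mkdtemp(prefix="backup_demo_dst_")
    plan = run_backup(src, dst)
    copied = sorted(os.path.relpath(os.path.join(d, f), dst).replace(os.sep, "/")
                    for d, _, fs in os.walk(dst) for f in fs)
    return plan, copied


if __name__ == "__main__":
    plan, copied = demo()
    for decision in ("copy", "skip"):
        for rel, reason in plan[decision]:
            print(f"{decision:5} {rel:30} {reason}")
    print("on the backup medium:", copied)
```

Point it at a profile folder as src_root and at an empty external drive as dst_root, then read the skip list before wiping the machine: every entry names the rule that excluded it, so a document wrongly caught by the MZ check (rare, but a defender should expect the edge case) can be inspected separately rather than silently lost.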

#11 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 03:37 AM

And finally, the result for explorer.exe:

VirSCAN.org Scanned Report :
Scanned time : 2009/10/20 19:23:12 (EST)
Scanner results: 70% Scanner(s) (26/37) found malware!
File Name : explorer.exe
File Size : 1052672 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 776490007bf28ce9e134e417010333e2
SHA1 : 6f8f33bfc2d2575efc0589dd1f6383746a8b8d8d
Online report : http://virscan.org/r...421881b851.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091020154054 2009-10-20 5.50 Virus.Win32.Virut.q!IK
AhnLab V3 2009.10.18.01 2009.10.18 2009-10-18 1.07 Win32/Virut.F
AntiVir 8.2.1.35 7.1.6.125 2009-10-19 0.26 W32/Virut.Gen
Antiy 2.0.18 20091020.3030211 2009-10-20 0.12 -
Arcavir 2009 200910191611 2009-10-19 0.06 -
Authentium 5.1.1 200910200614 2009-10-20 1.36 W32/Virut.AI!Generic (Possible)
AVAST! 4.7.4 091019-0 2009-10-19 0.05 Win32:Vitro
AVG 8.5.288 270.14.23/2447 2009-10-20 0.42 Win32/Virut
BitDefender 7.81008.4411570 7.28447 2009-10-20 3.85 Win32.Virtob.Gen.12
CA (VET) 9.0.0.143 35.1.7074 2009-10-20 15.90 -
ClamAV 0.95.2 9912 2009-10-20 0.17 -
Comodo 3.12 2663 2009-10-20 6.04 -
CP Secure 1.3.0.5 2009.10.20 2009-10-20 0.12 -
Dr.Web 4.44.0.9170 2009.10.20 2009-10-20 5.80 Win32.Virut.56
F-Prot 4.4.4.56 20091020 2009-10-20 1.20 W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.10.20.06 2009-10-20 0.13 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 10.964 2009-10-20 0.39 -
GData 19.8493/19.516 20091020 2009-10-20 7.59 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091019 2009.10.19 2009-10-19 0.42 -
Ikarus T3.1.01.72 2009.10.20.74178 2009-10-20 5.95 Virus.Win32.Virut.q
JiangMin 11.0.800 2009.10.19 2009-10-19 8.70 Win32/Virut.bo
Kaspersky 5.5.10 2009.10.20 2009-10-20 0.07 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.10.20.14 2009-10-20 0.64 -
McAfee 5.3.00 5776 2009-10-19 3.36 W32/Virut.n.gen
Microsoft 1.5101 2009.10.20 2009-10-20 7.05 Virus:Win32/Virut.BM
Norman 6.01.09 6.01.00 2009-10-19 4.01 W32/Virut.DB
Panda 9.05.01 2009.10.19 2009-10-19 3.40 W32/Sality.AO
Trend Micro 8.700-1004 6.558.02 2009-10-19 0.05 PE_VIRUX.J
Quick Heal 10.00 2009.10.20 2009-10-20 6.18 W32.Virut.G
Rising 20.0 21.52.12.00 2009-10-20 3.31 Win32.Virut.cl
Sophos 3.00.1 4.46 2009-10-20 2.56 W32/Scribble-B
Sunbelt 5458 5458 2009-10-19 3.28 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091019.002 2009-10-19 0.11 W32.Virut.CF
nProtect 20091019.02 5889965 2009-10-19 11.67 -
The Hacker 6.5.0.2 v00048 2009-10-19 1.23 W32/Virut.gen4
VBA32 3.12.10.11 20091019.1412 2009-10-19 1.99 Virus.Win32.Virut.X6
VirusBuster 4.5.11.10 10.112.73/2009446 2009-10-19 3.88 -

#12 mitchell

mitchell

    New Member

  • Authentic Member
  • 8 posts

Posted 20 October 2009 - 03:47 AM

Thank you, you've been a huge help. Is there anything I could do to make sure it NEVER!! comes back???

#13 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • 3,114 posts

Posted 20 October 2009 - 07:06 PM

I'll give you my prevention tips. ;)

How to reduce your chances of infection in the future

Web Browsers
Internet Explorer does come pre-installed with all Windows machines - but this doesn't necessarily mean you have to use it! Because it is the most widely used browser, it is targeted by more malware writers, making you more susceptible to infection. There are many other free alternatives out there that offer better security; take one of these for a spin and see if it takes your fancy.
Mozilla Firefox
Google Chrome
Opera

WOT - Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for Firefox, Google Chrome and Internet Explorer.

If you would prefer to keep using Internet Explorer, follow these additional steps to make the browser more secure.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Additional Security Measures
Keep your software up-to-date - You should be manually performing updates of your software once a week to ensure that you are current with anti-virus definitions and patched for any security vulnerabilities. This does not just apply to your anti-virus/anti-malware software; malware authors rely on exploiting commonly used software such as Java and Adobe Reader, which need to be kept up to date as well.

Keep Windows up-to-date - Use Windows Update regularly to stay current with security patches and service packs.

MVPS Hosts File - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Firewalls - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient - but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.

What Not To Do
The Perils of P2P File Sharing - Even if a P2P application is on the 'safe' list, malware can still be downloaded through infected files - executables, zip files and even MP3s. It is just not worth the risk.

Fake Security/Optimization Software - Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Additional Reading
How to prevent Malware - I strongly recommend that you read miekiemoes' good advice
