Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

win 32 virut.nbm ... and... win 32 vitro attacked ..

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

win 32 virut.nbm ... and... win 32 vitro attacked ..

Unread postby onder » April 10th, 2009, 2:07 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:47:41, on 10.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CryptLoad] C:\Documents and Settings\ONDER\Desktop\CryptLoad_1.1.6_en\RouterClient.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.5.0\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.5.0\SmrtShpr.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378903F8-37F5-4C65-9BA4-64D65DCA1542}: NameServer = 4.2.2.2,4.2.2.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Güncelleme Hizmeti (gupdate1c9ab1aae0882a4) (gupdate1c9ab1aae0882a4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 5115 bytes



StartupList report, 10.04.2009, 08:48:48
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16791)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ONDER\Start Menu\Programlar\Başlangıç]
OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
USB Storage Toolbox = C:\Program Files\USB Disk Win98 Driver\Res.EXE
SoundMan = SOUNDMAN.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
googletalk = C:\Program Files\Google\Google Talk\googletalk.exe /autostart
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
CryptLoad = C:\Documents and Settings\ONDER\Desktop\CryptLoad_1.1.6_en\RouterClient.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

ShoppingReport - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing) - {100EB1FD-D03E-47FD-81F3-EE91287F9465}
AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll - {3049C3E9-B461-4BC5-8870-4C09146192CA}

--------------------------------------------------

Enumerating Task Scheduler jobs:

GoogleUpdateTaskMachine.job
PCConfidential.job
rpc.job

--------------------------------------------------

Enumerating Download Program Files:

[Facebook Photo Uploader 5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx
CODEBASE = http://upload.facebook.com/controls/200 ... oader5.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/fl ... rashim.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/s ... wflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\system32\webcheck.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5.978 bytes
Report generated in 0,062 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only




Problem is : After win 32.nbm and vitro attack i had some problems with loging in.. After that i opened it in safety mode.. and after some operations, nod32 killed a lot of virut.nbm and 1 nitro... Sorry for that but i have pushed fixed checked and analyze this buttons once before i used NOD32 and avast 4.8.... Now it seems ok... but avast startup cleaning doesnt work.. after restart, a dark screen appears and stay.. with esc button i can skip that..
What can be my problem ..what should i do ? Thank you...
onder
Active Member
 
Posts: 2
Joined: April 10th, 2009, 1:35 am
Advertisement
Register to Remove

Re: win 32 virut.nbm ... and... win 32 vitro attacked ..

Unread postby NonSuch » April 14th, 2009, 8:09 pm

I am sorry, but I have very bad news for you. This machine has Virut and other infections as well, but Virut is the worst of it.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

It is imperative that your system be reformated and your Windows operating system be reinstalled. This is necessary because Virut is a virulent file infector that will infect every .exe and .scr file on your system, and .rar files as well. As an added "bonus," Virut is a poorly written and buggy file infector, which is why our scanners cannot properly disinfect the files and, since many of these infected files will be vital system files, they cannnot simply be removed.

So, the situation is that the files cannot be removed, nor can they be properly disinfected. This leaves only one choice, reformat and reinstall the Windows operating system.

Prior to reformatting the system, you may back up your important data. Under no circumstances should a USB device be plugged into the infected computer in order to transfer data to it as any such device could become infected and may then transfer the infection to other computers or back to the newly cleaned computer. No files should be saved other than documents and pictures. No screensavers, no executables, no program set-up files... just documents and pictures. Otherwise, the infection will be reintroduced to the newly reinstalled operating system. All data files should be scanned with anti-virus and anti-spyware programs prior to being returned to the hard drive after it has been reformatted.

Should you have any questions, please feel free to ask.

This posting is provided "AS IS" with no warranties, and confers no rights.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California

Re: win 32 virut.nbm ... and... win 32 vitro attacked ..

Unread postby onder » April 15th, 2009, 4:37 pm

thank you for your reply... But let me ask you someting. From that they until now i have been using my computer.. and it seems okay.. is this virut a passive virus.. and i did a lot of work on it.. İt is worthless u mean? :) And if i shouldnt use usb then where i should backup my files.. how does it work? .. İn D: ? .. İt is going to be my first reformat..
Thanks for help
onder
Active Member
 
Posts: 2
Joined: April 10th, 2009, 1:35 am

Re: win 32 virut.nbm ... and... win 32 vitro attacked ..

Unread postby NonSuch » April 15th, 2009, 5:37 pm

No, Virut is not a passive virus. Virut is a family of polymorphic (it keeps mutating, constantly changing itself) memory-resident, appending file infectors that have Entry Point Obscuring (EPO) capabilities. Viruses belonging to this family infect files with .EXE, .SCR, .php, .asp and .htm file extensions. All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers. It can be controlled remotely.

If an attempt is made to clean a computer that is infected with this family of malware, if even the tiniest bit of it is left, it will regenerate itself. It will append itself to vital system files. It can change a computer into a useless paperweight and it will keep spewing forth its infection until the computer is reformatted.

Absolutely no files should should be saved except text documents and pictures... nothing else. Whatever you save should be backed up to CD or DVD. Even so, everything should be scanned prior to returning it to the computer after it has been reformatted.

Graphic instructions for performing a reformat and clean install of Windows XP can be found here:

http://www.winsupersite.com/showcase/wi ... _clean.asp

Additionally, depending on your particular brand of computer, you may have a restore partition on your hard drive that would allow you to restore the computer back to its original factory state (a destructive reinstallation that includes a reformat). You should be able to locate information on doing such a destructive install, if it's available for your machine, on the computer manufacturer's web site.

Prior to reformatting you should use a known clean computer to download to CD or DVD an anti-virus program so that you may install it to the newly reformatted computer prior to connecting it to the internet.

Avoiding a reformat of your computer, unfortunately, is not an option.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California

Re: win 32 virut.nbm ... and... win 32 vitro attacked ..

Unread postby NonSuch » April 19th, 2009, 3:40 am

As the resolution of this issue requires a reformat, and there have been no further questions posted regarding that process, this topic is now closed.

You can help support this site from this link:
Donations For Malware Removal
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 12 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware