November 6th, 2009, 05:54 PM
#1
The old "Your System is Infected" desktop take-over
Hi,
I'm running Windows XP and I'm getting the "Your System Is Infected! System has been stopped due to a serious malfuction." desktop wallpaper. When I right click and go to Display Properties, it does not allow me to change it. There are also a bunch of porn icons added to the desktop.
As per the sticky in this forum I have installed and performed the SUPERAntiSpyware scan. Desktop is now back to normal, but I'm getting some .DLL error text boxes on startup. Below are the results of the SUPERAntiSpyware scan. Thanks in advance for any help you can provide.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/07/2009 at 02:49 AM
Application Version : 4.29.1004
Core Rules Database Version : 4162
Trace Rules Database Version: 1978
Scan type : Complete Scan
Total Scan Time : 01:35:31
Memory items scanned : 426
Memory threats detected : 7
Registry items scanned : 5368
Registry threats detected : 19
File items scanned : 116756
File threats detected : 79
Trojan.Agent/Gen-FakeAlert[Calc]
C:\WINDOWS\SYSTEM32\CALC.DLL
C:\WINDOWS\SYSTEM32\CALC.DLL
[calc] C:\WINDOWS\SYSTEM32\CALC.DLL
[calc] C:\DOCUME~1\NETWOR~1\NTUSER.DLL
C:\DOCUME~1\NETWOR~1\NTUSER.DLL
C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\RUNDLL32.DLL
Trojan.Unclassified/C00-WL/A
C:\WINDOWS\SYSTEM32\__C009AD91.DAT
C:\WINDOWS\SYSTEM32\__C009AD91.DAT
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c009AD91
Trojan.Agent/Gen-Bongl[L]
C:\WINDOWS\SYSTEM32\MSXM192Z.DLL
C:\WINDOWS\SYSTEM32\MSXM192Z.DLL
[ter8m] C:\WINDOWS\SYSTEM32\MSXM192Z.DLL
Trojan.Agent/Gen-Reader_S
C:\WINDOWS\SYSTEM32\READER_S.EXE
C:\WINDOWS\SYSTEM32\READER_S.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT\READER_S.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT\READER_S.EXE
[reader_s] C:\WINDOWS\SYSTEM32\READER_S.EXE
[reader_s] C:\DOCUMENTS AND SETTINGS\DEFAULT\READER_S.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#reader_s [ C:\WINDOWS\System32\reader_s.exe ]
Trojan.Dropper/Gen-NV
C:\WINDOWS\SYSTEM32\RESTORER32_A.EXE
C:\WINDOWS\SYSTEM32\RESTORER32_A.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT\RESTORER32_A.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT\RESTORER32_A.EXE
[restorer32_a] C:\WINDOWS\SYSTEM32\RESTORER32_A.EXE
[restorer32_a] C:\DOCUMENTS AND SETTINGS\DEFAULT\RESTORER32_A.EXE
C:\WINDOWS\Prefetch\RESTORER32_A.EXE-2C748582.pf
Trojan.Unclassified/C00-Installer
[A00F111D78.exe] C:\DOCUME~1\DEFAULT\LOCALS~1\TEMP\_A00F111D78.EXE
C:\DOCUME~1\DEFAULT\LOCALS~1\TEMP\_A00F111D78.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\_A00F111D78.EXE
Trojan.Agent/Gen
[Wallpaper] C:\WINDOWS\SYSTEM32\CRITICAL_WARNING.HTML
C:\WINDOWS\SYSTEM32\CRITICAL_WARNING.HTML
C:\WINDOWS\system32\A.TMP
C:\WINDOWS\system32\B.TMP
C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\BNB.TMP
C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\BNE.TMP
C:\WINDOWS\TEMP\VRT13.TMP
C:\WINDOWS\Prefetch\B.TMP-0826A2ED.pf
C:\WINDOWS\Prefetch\VRT13.TMP-0180F840.pf
Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg
Trojan.Media-Codec/V4
C:\Program Files\Video Add-on\ictmdl.dll
C:\Program Files\Video Add-on
Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C009AD91
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C009AD91#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C009AD91#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C009AD91#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C009AD91#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C009AD91#Logon
Rogue.ProtectionSystem
C:\Program Files\Protection System
Adware.Tracking Cookie
.ads.pointroll.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.advertising.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.advertising.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.advertising.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.advertising.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.clicksor.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.jamster.com.au [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.partygaming.122.2o7.net [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
.virginmoneyaustralia.122.2o7.net [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
a.tribalfusion.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
a.tribalfusion.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
ad.zanox.com [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
ads.revsci.net [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\4e0vtbi5.Default User2\cookies.txt ]
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[2].txt
Trojan.Agent/Gen-FDUPX
C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QTFO1OJY\BOT[1].TXT
C:\WINDOWS\SYSTEM32\1E.TMP
C:\WINDOWS\Prefetch\1E.TMP-343B9247.pf
Trojan.Agent/Gen-Tmp[Hehe]
C:\WINDOWS\SYSTEM32\1D.TMP
C:\WINDOWS\Prefetch\1D.TMP-058FFBF9.pf
Trojan.Agent/Gen-NumTemp
C:\WINDOWS\SYSTEM32\5.TMP
C:\WINDOWS\SYSTEM32\6.TMP
C:\WINDOWS\SYSTEM32\9.TMP
C:\WINDOWS\Prefetch\6.TMP-3B726FB8.pf
Trojan.Agent/Gen-Dropper[Temp]
C:\WINDOWS\SYSTEM32\C.TMP
C:\WINDOWS\SYSTEM32\D.TMP
C:\WINDOWS\Prefetch\C.TMP-31A4EB53.pf
C:\WINDOWS\Prefetch\D.TMP-1D59F25F.pf
Trojan.Smitfraud Variant-Gen/Bensorty
C:\WINDOWS\SYSTEM32\U0070.DLL
Trojan.WinUpdate
C:\WINDOWS\SYSTEM32\WINUPDATE.EXE
C:\WINDOWS\Prefetch\WINUPDATE.EXE-0F50C4F5.pf
Trojan.Agent/Gen-FakeAlert
C:\WINDOWS\TEMP\VRT15.TMP
C:\WINDOWS\Prefetch\VRT15.TMP-16B447B2.pf
Trojan.Agent/Gen-SoftWin[Virut]
C:\WINDOWS\TEMP\VRT19.TMP
C:\WINDOWS\Prefetch\VRT19.TMP-05801C8F.pf
-
November 6th, 2009, 06:02 PM
#2
Sorry forgot to say that the SUPERAntiSpyware scan above was NOT performed in Safe Mode as my PC for some reason will not boot into Safe Mode and could only boot using Last Known Good Configuration.
-
November 6th, 2009, 06:49 PM
#3
Upload following files to http://www.virustotal.com/ for security check:
- explorer.exe located @ C:\Windows
- userinit.exe and svchost.exe located @ C:\Windows\System32
Post scans results.
-
November 6th, 2009, 07:47 PM
#4
Hi Broni,
I tried the www.virustotal.com link but it does not load up on the infected PC. However, it loads on my uninfected laptop. Could the trojan be affecting this? Anyway, here's my Malwarebytes Anti-Malware scan log:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
7/11/2009 9:40:17 AM
mbam-log-2009-11-07 (09-40-17).txt
Scan type: Full Scan (C:\|)
Objects scanned: 221877
Time elapsed: 1 hour(s), 37 minute(s), 53 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
C:\WINDOWS\explorer.exe:userini.exe (Rootkit.ADS) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00A3B00.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\default\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer.exe:userini.exe (Rootkit.ADS) -> Delete on reboot.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
-
November 6th, 2009, 07:56 PM
#5
Could the trojan be affecting this?
I have a bad feeling about this infection. We may be dealing with Virut here.
I suggest, you install Panda USB and AutoRun Vaccine: http://research.pandasecurity.com/ar...n-Vaccine.aspx on your good computer first.
Then, copy those three files, I mentioned before, to USB stick.
Plug the USB stick to your good computer and scan the files at VirusTotal.
-
November 6th, 2009, 08:22 PM
#6
Ok I did that and here are the logs from virustotal.com
explorer.exe:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.06 Virus.Win32.Virut.q!IK
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.06 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.11.05 -
Authentium 5.2.0.5 2009.11.06 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.11.06 -
AVG 8.5.0.423 2009.11.06 -
BitDefender 7.2 2009.11.06 -
CAT-QuickHeal 10.00 2009.11.06 W32.Virut.G
ClamAV 0.94.1 2009.11.06 -
Comodo 2866 2009.11.07 -
DrWeb 5.0.0.12182 2009.11.06 Win32.Virut.56
eTrust-Vet 35.1.7108 2009.11.06 Win32/Virut.17408
F-Prot 4.5.1.85 2009.11.06 W32/Virut.AI!Generic
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.06 -
GData 19 2009.11.07 -
Ikarus T3.1.1.74.0 2009.11.06 Virus.Win32.Virut.q
Jiangmin 11.0.800 2009.11.06 Win32/Virut.bo
K7AntiVirus 7.10.890 2009.11.06 -
Kaspersky 7.0.0.125 2009.11.07 Virus.Win32.Virut.ce
McAfee 5794 2009.11.06 W32/Virut.n.gen
McAfee+Artemis 5794 2009.11.06 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.11.06 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5202 2009.11.06 Virus:Win32/Virut.gen!O
NOD32 4580 2009.11.06 Win32/Virut.NBP
Norman 6.03.02 2009.11.06 -
nProtect 2009.1.8.0 2009.11.06 -
Panda 10.0.2.2 2009.11.06 -
PCTools 7.0.3.5 2009.11.06 Malware.Virut
Prevx 3.0 2009.11.07 -
Rising 21.54.44.00 2009.11.06 -
Sophos 4.47.0 2009.11.06 -
Sunbelt 3.2.1858.2 2009.11.06 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.11.07 W32.Virut.CF
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.06 PE_VIRUX.J
VBA32 3.12.10.11 2009.11.06 -
ViRobot 2009.11.6.2025 2009.11.06 -
VirusBuster 4.6.5.0 2009.11.06 -
svchost.exe:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.06 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.06 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.11.05 -
Authentium 5.2.0.5 2009.11.06 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.11.06 -
AVG 8.5.0.423 2009.11.06 Win32/Heur
BitDefender 7.2 2009.11.06 -
CAT-QuickHeal 10.00 2009.11.06 W32.Virut.G
ClamAV 0.94.1 2009.11.06 -
Comodo 2866 2009.11.07 -
DrWeb 5.0.0.12182 2009.11.06 Win32.Virut.56
eTrust-Vet 35.1.7108 2009.11.06 Win32/Virut.17408
F-Prot 4.5.1.85 2009.11.06 W32/Virut.AI!Generic
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.06 -
GData 19 2009.11.07 -
Ikarus T3.1.1.74.0 2009.11.06 -
Jiangmin 11.0.800 2009.11.06 Win32/Virut.bo
K7AntiVirus 7.10.890 2009.11.06 -
Kaspersky 7.0.0.125 2009.11.07 Virus.Win32.Virut.ce
McAfee 5794 2009.11.06 W32/Virut.n.gen
McAfee+Artemis 5794 2009.11.06 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.11.06 Heuristic.LooksLike.Win32.SuspiciousPE.B
Microsoft 1.5202 2009.11.06 Virus:Win32/Virut.gen!O
NOD32 4580 2009.11.06 Win32/Virut.NBP
Norman 6.03.02 2009.11.06 W32/Obfuscated.EA
nProtect 2009.1.8.0 2009.11.06 -
Panda 10.0.2.2 2009.11.06 Suspicious file
PCTools 7.0.3.5 2009.11.06 Malware.Virut
Prevx 3.0 2009.11.07 -
Rising 21.54.44.00 2009.11.06 -
Sophos 4.47.0 2009.11.06 -
Sunbelt 3.2.1858.2 2009.11.06 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.11.07 W32.Virut.CF
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.06 PE_VIRUX.J
VBA32 3.12.10.11 2009.11.06 -
ViRobot 2009.11.6.2025 2009.11.06 Win32.Virut.AM
VirusBuster 4.6.5.0 2009.11.06 -
userinit.exe:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.06 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.06 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.11.05 -
Authentium 5.2.0.5 2009.11.06 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.11.06 -
AVG 8.5.0.423 2009.11.06 Win32/Heur
BitDefender 7.2 2009.11.06 -
CAT-QuickHeal 10.00 2009.11.06 W32.Virut.G
ClamAV 0.94.1 2009.11.06 -
Comodo 2866 2009.11.07 -
DrWeb 5.0.0.12182 2009.11.06 Win32.Virut.56
eSafe 7.0.17.0 2009.11.05 -
eTrust-Vet 35.1.7108 2009.11.06 Win32/Virut.17408
F-Prot 4.5.1.85 2009.11.06 W32/Virut.AI!Generic
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.06 -
GData 19 2009.11.07 -
Ikarus T3.1.1.74.0 2009.11.06 -
Jiangmin 11.0.800 2009.11.06 Win32/Virut.bo
K7AntiVirus 7.10.890 2009.11.06 -
Kaspersky 7.0.0.125 2009.11.07 Virus.Win32.Virut.ce
McAfee 5794 2009.11.06 W32/Virut.n.gen
McAfee+Artemis 5794 2009.11.06 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.11.06 Heuristic.BehavesLike.Win32.Virus.H
Microsoft 1.5202 2009.11.06 Virus:Win32/Virut.gen!O
NOD32 4580 2009.11.06 Win32/Virut.NBP
Norman 6.03.02 2009.11.06 W32/Obfuscated.EA
nProtect 2009.1.8.0 2009.11.06 -
Panda 10.0.2.2 2009.11.06 Suspicious file
PCTools 7.0.3.5 2009.11.06 Malware.Virut
Prevx 3.0 2009.11.07 -
Rising 21.54.44.00 2009.11.06 -
Sophos 4.47.0 2009.11.06 -
Sunbelt 3.2.1858.2 2009.11.06 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.11.07 W32.Virut.CF
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.06 PE_VIRUX.GEN-1
VBA32 3.12.10.11 2009.11.06 -
ViRobot 2009.11.6.2025 2009.11.06 -
VirusBuster 4.6.5.0 2009.11.06 -
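Reading three 40-row VirusTotal tables by eye is error-prone, and the vendors above do not even agree on a spelling (Virut, VIRUX, Virut.ce, Virut.gen!O). The script below is an added example, not part of the original post and not a VirusTotal tool: it parses the plain-text four-column layout pasted above (vendor, engine version, signature date, result, with "-" meaning no detection) and reports how many engines fired and which family name they converge on, discarding purely heuristic verdicts such as "Heuristic.LooksLike" or "Suspicious file". The SAMPLE table is a subset of the explorer.exe rows from the post; the NOISE, GENERIC and ALIASES word lists are this example's own assumptions about vendor naming.

```python
"""Summarise a VirusTotal result table pasted as plain text.

Added example for this thread, not a VirusTotal tool. It assumes the
2009-era four-column layout used in post #6:
    <vendor> <engine version> <signature date> <result>
where "-" means the engine reported nothing and the result may contain spaces.
"""
import re
from collections import Counter

HEADER = "Antivirus Version Last Update Result"

# Tokens that name a platform or type rather than a family (assumed list).
NOISE = {"virus", "win32", "w32", "pe", "malware", "trojan", "worm", "gen", "file"}
# Tokens that mark a heuristic/generic verdict with no family name (assumed list).
GENERIC = {"heur", "heuristic", "generic", "suspicious", "lookslike",
           "behaveslike", "obfuscated"}
# Vendor spellings folded to one family token (assumed).
ALIASES = {"virux": "virut"}

# Sample input: a subset of the explorer.exe rows pasted in post #6.
SAMPLE = """\
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.06 Virus.Win32.Virut.q!IK
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.06 W32/Virut.Gen
Avast 4.8.1351.0 2009.11.06 -
DrWeb 5.0.0.12182 2009.11.06 Win32.Virut.56
Kaspersky 7.0.0.125 2009.11.07 Virus.Win32.Virut.ce
McAfee-GW-Edition 6.8.5 2009.11.06 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5202 2009.11.06 Virus:Win32/Virut.gen!O
Panda 10.0.2.2 2009.11.06 -
Sunbelt 3.2.1858.2 2009.11.06 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.11.07 W32.Virut.CF
TrendMicro 9.0.0.1003 2009.11.06 PE_VIRUX.J
"""


def parse_table(text):
    """Return one dict per engine row; result is None when the engine saw nothing."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == HEADER:
            continue
        parts = line.split(None, 3)  # the result column may contain spaces
        if len(parts) < 4:
            continue  # truncated or malformed row: skip rather than guess
        vendor, version, updated, result = parts
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def family_of(result):
    """First alphabetic token that is neither platform noise nor a generic marker."""
    if not result:
        return None
    for tok in re.split(r"[^A-Za-z0-9]+", result):
        t = tok.lower()
        if len(t) < 4 or not t.isalpha() or t in NOISE or t in GENERIC:
            continue
        return ALIASES.get(t, t)
    return None


def summarise(text):
    """Detection count plus the family names the engines agree on."""
    rows = parse_table(text)
    hits = [r for r in rows if r["result"]]
    families = Counter(f for f in (family_of(r["result"]) for r in hits) if f)
    return {
        "engines": len(rows),
        "detections": len(hits),
        "families": dict(families),
        "consensus": families.most_common(1)[0][0] if families else None,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE)
    print(f'{s["detections"]}/{s["engines"]} engines flagged the file; '
          f'family consensus: {s["consensus"]} {s["families"]}')
```

Run it against each of the three tables in turn; a system file such as explorer.exe that collects a family consensus from several independent engines, rather than a lone heuristic hit, is the signal Broni was looking for.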
-
November 6th, 2009, 08:24 PM
#7
I was afraid that was the case.
You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files: .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain following files:
*.exe
*.scr
*.htm
*.html
*.xml
*.zip
*.rar
*.doc
*.jpg
*.pdf
Backup all your documents and important items only.
DO NOT backup any files mentioned above.
I suggest you do the following immediately:
* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
* DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.
To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.
Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.
To find out more information about how you may have got infected in the first place, you can read this article.
I am sorry I cannot give any better news.
-
November 6th, 2009, 08:56 PM
#8
Thanks for your help Broni and I will do a reformat as you suggest. I want to back up my important files. But with the .doc, .jpg, .pdf and .html files, how do you recommend safely backing them up? Is it possible to do?
-
November 6th, 2009, 09:45 PM
#9
You have to scan every single file with two programs.
I'd recommend your regular AV program and DrWeb: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Dr.Web is pretty good with recognizing Virut.
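Before the backed-up files go anywhere near the reinstalled machine, it helps to sort them mechanically rather than by filename. The script below is an added example for this thread, not the forum's or Dr.Web's tooling: it walks a backup tree and applies the rules from posts #7 and #9. Anything with one of the listed executable, archive or XML extensions is rejected outright, and so is any file whose first two bytes are the "MZ" DOS header regardless of its extension (a PE renamed to .jpg is still a PE). Web pages are rejected if they contain an <iframe> (assumption: the hidden iframe that Virut variants append to .htm/.html files), otherwise they join the documents and images the poster asked about in a "scan with two engines first" bucket. The sample tree, its fake file headers and the example.invalid URL are constructed for the demo.

```python
"""Triage a backup set taken from a machine with a PE file infector.

Added example for this thread (not the forum's or any AV vendor's tooling).
Buckets:
  REJECT: extensions listed in post #7 as code carriers, any file starting
          with the 'MZ' DOS header whatever its extension, and .htm/.html
          containing an <iframe> (assumed Virut web-file injection marker).
  SCAN:   the document, image and web types the poster asked about; restore
          only after two engines report them clean, as post #9 advises.
  KEEP:   everything else.
"""
import re
import tempfile
from pathlib import Path

REJECT_EXT = {".exe", ".scr", ".zip", ".rar", ".xml"}
WEB_EXT = {".htm", ".html"}
SCAN_EXT = {".doc", ".jpg", ".pdf"} | WEB_EXT
IFRAME = re.compile(rb"<iframe\b", re.IGNORECASE)


def is_pe(head: bytes) -> bool:
    """DOS header check: every Win32 PE begins with the bytes 'MZ'."""
    return head[:2] == b"MZ"


def classify(path: Path) -> str:
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(2)
    if is_pe(head) or ext in REJECT_EXT:
        return "REJECT"
    if ext in WEB_EXT and IFRAME.search(path.read_bytes()):
        return "REJECT"
    return "SCAN" if ext in SCAN_EXT else "KEEP"


def triage(root) -> dict:
    """Map every regular file under root to a bucket, paths relative to root."""
    root = Path(root)
    buckets = {"REJECT": [], "SCAN": [], "KEEP": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            buckets[classify(p)].append(p.relative_to(root).as_posix())
    return buckets


# Constructed sample tree; contents are fake headers, not real malware.
SAMPLE_FILES = {
    "docs/report.doc": b"\xd0\xcf\x11\xe0 fake OLE document",
    "pics/holiday.jpg": b"\xff\xd8\xff\xe0 fake JPEG",
    "pics/photo.jpg": b"MZ\x90\x00 a PE renamed to look like an image",
    "notes.txt": b"plain text",
    "setup.exe": b"MZ\x90\x00 fake PE",
    "archive.zip": b"PK\x03\x04 fake zip",
    "web/index.html": b"<html><body>clean page</body></html>",
    "web/page.htm": (b'<html><body>x</body><iframe src="http://example.invalid/" '
                     b'width=1 height=1></iframe></html>'),
}


def build_sample(root) -> None:
    for rel, data in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temporary directory and return its buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

Point `triage()` at the real backup root instead of the sample; the REJECT list is what must not be copied back, and the SCAN list is the set to feed to the two scanners before anything else is restored.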