Author Topic: ...please help me...  (Read 44045 times)

0 Members and 1 Guest are viewing this topic.


  • Guest
Re: ...please help me...
« Reply #15 on: February 04, 2009, 05:18:14 AM »
Don't worry. Just backup all your personal data before reformatting.


  • Guest
Re: ...please help me...
« Reply #16 on: February 04, 2009, 05:46:38 AM »
I have another question. What will hapen if I will have some infected exe's ond HD, but I will not run them?

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: ...please help me...
« Reply #17 on: February 04, 2009, 06:15:17 AM »
I have another question. What will hapen if I will have some infected exe's ond HD, but I will not run them?

I'd suggest that after formatting, re-scan all of your disks for viruses to make sure that the exe's that you have aren't infected.  After that, I'd guess that you were good to go...
For generic computer (not avast) problems, you can also visit my forum for help:


  • Guest
Re: ...please help me...
« Reply #18 on: February 04, 2009, 12:01:25 PM »
emcivile, you are after format?

I tried a lot of software, also deleted a lot of register entries, and scan didnt found VIRUT, but now Im scanning all hard drives by Kaspersky Rescue CD, somebody told me that this stuff repraied his system, I will see and reply here.

BTW. Can I just delete all registry and install windows using repray option? I know that I will not have many of important non windows applications entries, but I can handle it, I can reinstall. I dont want to format, because I have many folders, photos, music, movies etc and I dont want to move all stuff to other disks.

I think formatting is a MUST in this case. I think that this virus can replicate in exe files stored in your pc, in installers too. so I deleted everithing an I sore only photos and music. no HTML or other things. too dangerous. fortunately I have a strong backup system based on a 750 GB NAS. consider something similar after this experience.

I'll format tomorrow every single disk.

I have noticed also that AVAST can't find infected EXEs.

last night I finished a deep scan with avast and no viruses were found BUT: when I deleted registry key and I plug the LAN to the router for an internet connection AVAST found a VIRx.TMP file (where  stands for a number from 1 to 4). becouse of this I imagine that there are some other exe infected files that runs normally in windows but are not found by AVAST....

please, someone to confirm this.

Best regards!






the problem is that AVAST is not ABLE to find the virus. AVAST find only infected htm and html files.
Avast is not able to report infected EXEs too.

today I was on a XP of a friend. I executed REGEDIT to view if he has the same reg keys. he has all of them but no connection and no TMP files downoladed... is he infected. I explain: the reg keys up shown are normally in non infected XP copies or added ONLY a consequence of this DAMN virus???

I found W32\VIRTU on my drive. It ifecdet a component of MIONET used to open my NAS. disinfected.

is this the end?
« Last Edit: February 04, 2009, 01:12:25 PM by emcivile »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: ...please help me...
« Reply #19 on: February 04, 2009, 01:28:19 PM »
Hi sqallpl & emciville,

Do the manual cleansing first, delete the malware system files, the registry entries, cleanse your hosts file (it has been altered too) etc. etc. Maybe you have to make a back-up of all your important data,
you must have to work from SafeMode and/or temporaily have to disable system restore, then I think you could have a task at re-installing your system, because you can never tell as too what extent it has been compromised,

In short the normal cleansing for this malware:
When the virus executes, it creates the following event so that only one instance of the threat runs on the compromised computer:

W32.Virut.U is a virus that infects .exe and .scr files on the compromised computer.
Next, the virus checks the value for the following registry entry:

The above registry entry contains IP address and port number information.
The virus may then use this information to open a back door on the compromised computer.

If the value in the above registry entry is not available,
the virus may open a back door on TCP port 80 using the following IRC server:
ircd.zief.plThe above registry entry contains IP address and port number information. The virus may then use this information to open a back door on the compromised computer.

It uses the following name on the above channel:

The back door allows a remote attacker to download files on to the compromised computer and execute them.

Damage Level: Medium
Payload: Opens a back door on the compromised computer.
Modifies Files: Infects .exe and .scr files.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.If the antivirus product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode.

After the computer is cleansed you should change all your passwords for your normal log-in accounts...
and for the future use only user rights for your normal activities when online, and full admin rights only for downloading updates, enabling programs, or makingchanges to your configuration

« Last Edit: February 04, 2009, 03:39:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


  • Guest
Re: ...please help me...
« Reply #20 on: February 04, 2009, 07:58:26 PM »
ok, seen. now I am formatting everything.

I cleaned other drives with a deep scan and I disabled system restore not in safe mode but in normal mode. it's the same.

another question: is possible that virus infected my data on a NAS I use to backup things? it is a WD Mybook II with lan 10-100-1000.

I connected it last time when I supposed to solve with a last norton ghost image.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: ...please help me...
« Reply #21 on: February 04, 2009, 08:52:17 PM »

Hi emcivile,

Well you will see, whenever .exe and .scr files are infected, or you find changed entries in the registry I mentioned earlier, you will understand are not free of it there,


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


  • Guest
Re: ...please help me...
« Reply #22 on: February 04, 2009, 10:19:07 PM »
ahm.... but: two of my firends have these reg keys on theyr pc... but they have never done nothing... I explain: now I found an installation pack containing VIRTU of part of it that I downloaded from torrent and unfortunately I opened it...
this firends have the same reg keys you have shown me... but nothing from avast or other antivirus programs.... I'll write them to tell to check.



  • Guest
Re: ...please help me...
« Reply #23 on: February 06, 2009, 03:12:10 AM »
I cleaned my PC with everything that could be found on the planes of internet, read all that was written here and followed all instructions... After 2 days of torture and formatting 5 times... call me a quitter, but I'm switching to Linux.


  • Guest
Re: ...please help me...
« Reply #24 on: February 08, 2009, 01:23:48 PM »
Hi everyone,

I got infected by the same virus this morning, but after 2 windows reinstalls, I managed to get rid of it, although not fully.

I'm using windows XP SP2 and avast! home 4.8, the latest version.

Apparently, as polonus has said in one of his posts, this virus infects all .exe, .htm, .html and .scr files in your computer.
It even managed to infect explorer.exe and userinit.exe in my previous windows installation (as reported by combofix), disabled my mozilla firefox and alot of other softwares (media player classic, foobar2000,etc). Avast gave me a lot of "blocked access from" messages. When I tried to reinstall the softwares from the installers I got, the .html and .htm files created by the installer got infected instantly by the virus.
This is really one hell of a virus. I got this virus from my friend's flash disk ( forgot to clean it before I browsed the disk).

What I did to cleanse the virus was update avast to the latest version, do a thorough scan on safemode (avast deleted all .htm and .html files it can find on my harddisk, but it couldn't detect the infected .exes), then delete all the installers I had (I have 3 partitions on my disk), do a complete windows reinstall and download all the installers I once had.

After that, I ran a thorough scan once more from safe mode (avast found 3 .scr entries and deleted them) then restart.
With this method, all the softwares that was disabled by the virus works again. Didn't find any weird entries on hijackthis, and the latest combofix didn't report anything. No changed entries in registry and hosts file, too.

But still, I found something weird everytime i log in. Explorer.exe won't run automatically (had to run it manually from task manager), and I got this (will attach picture later) error message everytime I log into my computer. Apart from those, everything runs normally (I think). Any way to fix this?

Hope this helps, btw.
« Last Edit: February 08, 2009, 01:37:36 PM by hamzahhaz »


  • Guest
Re: ...please help me...
« Reply #25 on: February 08, 2009, 02:05:29 PM »
Your system will keep getting infected until you update Windows to SP3 that has been available for over 6 months that has several security fixes.

In IE go to Tools then Windows Update then let it install all the updates.

By the way, next Tuesday is Patch Tuesday and a couple of new critical updates will be available.


  • Guest
Re: ...please help me...
« Reply #26 on: February 09, 2009, 09:37:19 AM »
I've found a solution for this virus.

I've cleaned it thorougly by using AVG's virut remover (, then reformatting my computer.

The remover deleted almost all of my installers, but hey, everything works now, don't find anything strange anymore in my computer, logs for hijackthis and combofix are clean too.

Hope this helps.


  • Guest
Re: ...please help me...
« Reply #27 on: February 13, 2009, 09:06:59 PM »
You don't really need to scan your hard drive if you are going to reformat. A good reformat will clear all your data away. Having said that, if you really want to be sure you have wiped out all the nasties, use a bootcd that has some utilities on it, several are available on the internet. All you really need is a utility that will overwrite the hard drive with zero's, some hard drives come with such a utility disc from the manufacturer. There are also a number available on the internet. You should power your computer completely down and then unplug from the power, wait 60 seconds for the memory to clear. Replug the power, reboot from a utility cd, wipe the hard drive by writing zero's to it - this can take 1 hr to several hours depending on how many passes you want to do.  When this is done, repartition the drive using either dos (fdisk) or one of the programs like partitionmagic, there are several free linux utilities that can do this as well. I would suggest when creating partitions, make the boundaries at a new sizes, ie boot partition of 42gb, data 36 gb, if the old setup was perhaps 60gb boot, and 16gb data. Now format it and then let windows format it again when you do the install.

You should run a port scanner and a process explorer after you do the reinstall, to make sure you do not have any gremlins running in the background or using your network. When you install windows make sure your network cable is unplugged so that nothing and no one can access the machine while you do the install. Install an antivirus and do all windows updates.

Once you have a clean system, do a backup and save a copy of your registry, put both on a cd or dvd and save them in case you need to restore the system to a known good state, this will save a lot of time in case you get reinfected.

Now start scanning any cds or dvds you may have burned lately to make sure they don't have crapware hiding on them.


  • Guest
Re: ...please help me...
« Reply #28 on: March 31, 2009, 04:07:07 PM »
Hey guys, i think i have the same virus here so i did a scan with avast and deleted one compromised file, but now when i'm launching my web browser, avast blocks a connection to "" and i wanted to know how could i get rid of this without having to format my computer. Here's my report on HijackThis if it could help you :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:39, on 31/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


  • Guest
Re: ...please help me...
« Reply #29 on: March 31, 2009, 04:08:16 PM »
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) -
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

End of file - 10407 bytes