Virut.j and Mariofev!mem Infection UPDATE! HELP!

[mjbosko]

After running Malwarebytes' Anti-Malware, my firewall seemed to be restored. However, upon reboot, I ran another McAfee virus scan to make sure everything was taken care of, but the problem was worse.

Virut.j and Mariofev!mem are rampid throughout my system. During the scan, my computer had to shutdown. I managed to jot down some of the viruses that were detected.

system32\svchost.exe was infected with Virut.j
also system32\7.tmp was infected

I do not know where else to turn. I have updated log files appropriately attached. Please help!


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Administrator at 23:05:40.56 on Mon 03/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.289 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
mRun: [DLBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBUtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/liu/support/plugins/ebraryRdr.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155469679595
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://download.microsoft.com/download/c/d/c/cdc1ac44-d0db-4723-a092-33be8b4f6d9d/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://onlinedesigner.hgtv.com/images/app/view22rte.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-10-22 104000]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 191488]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-21 1247600]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-23 24576]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-10-22 72264]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-10-22 34152]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-10-22 168776]

=============== Created Last 30 ================

2009-03-02 22:56 578,560 a------- c:\windows\system32\btzuztf
2009-03-02 22:56 105,984 a------- c:\windows\system32\3.tmp
2009-03-02 22:56 40 a------- c:\windows\system32\2.tmp
2009-03-02 22:42 262,144 a------- c:\windows\system32\nvtpm32.dll
2009-03-02 22:42 40 a------- c:\windows\system32\4.tmp
2009-03-02 22:32 105,984 a------- c:\windows\system32\azton.mt
2009-03-02 22:32 105,984 a------- c:\windows\system32\6.tmp
2009-03-02 22:32 40 a------- c:\windows\system32\5.tmp
2009-03-02 21:47 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-03-02 21:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-02 21:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 21:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-02 21:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-02 21:41 578,560 a------- c:\windows\system32\ckvpy
2009-03-02 21:41 105,984 a------- c:\windows\system32\12.tmp
2009-03-02 21:41 40 a------- c:\windows\system32\11.tmp
2009-03-02 21:39 578,560 a------- c:\windows\system32\svtfhd
2009-03-02 19:54 105,984 a------- c:\windows\system32\10.tmp
2009-03-02 18:11 250 a------- c:\windows\gmer.ini
2009-03-02 17:42 578,560 a------- c:\windows\system32\jqwerz
2009-03-02 17:29 <DIR> --d----- c:\program files\Trend Micro
2009-03-02 15:56 578,560 a------- c:\windows\system32\fegpfzs
2009-03-02 14:15 552 a------- c:\windows\system32\d3d8caps.dat
2009-03-02 00:03 0 a------- c:\windows\mqcd.dbt
2009-03-02 00:02 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-03-02 00:02 32,768 a------- c:\windows\system32\odjan.wa
2009-03-02 00:02 32,768 a------- c:\windows\system32\kei1w.an
2009-03-02 00:02 28,672 a------- c:\windows\system32\doqkm.zt
2009-03-02 00:02 77,312 a------- c:\windows\system32\rkoq.pxf
2009-03-02 00:02 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-03-01 21:31 0 a------- c:\windows\system32\25.tmp
2009-03-01 21:31 105,984 a------- c:\windows\system32\24.tmp
2009-03-01 21:31 40 a------- c:\windows\system32\21.tmp
2009-02-26 18:10 260 a------- c:\windows\xccwinsys.ini
2009-02-26 18:10 <DIR> --d----- c:\windows\system32\inf
2009-02-26 18:10 676,352 a------- c:\windows\system32\rtl60.bpl
2009-02-26 18:10 155,227 a------- c:\windows\system32\adx.exe
2009-02-26 18:09 11,531 a------- c:\windows\system32\load.exe

==================== Find3M ====================

2009-03-02 22:42 578,560 a------- c:\windows\system32\user32.DLL
2009-03-02 22:38 364,544 a------- c:\windows\system32\ati2evxx.exe
2009-03-01 23:32 35,328 a------- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2009-03-01 23:31 169,984 a------- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-03-01 23:31 18,432 a------- c:\windows\pchealth\helpctr\binaries\hscupd.exe
2009-03-01 23:31 99,840 a------- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2009-03-01 23:31 769,024 a------- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2009-03-01 23:22 52,808 a------- c:\windows\help\sbsi\training\usersid.exe
2009-03-01 23:22 233,472 a------- c:\windows\help\sbsi\training\ounins32_s.exe
2009-03-01 22:53 283,648 a------- c:\windows\winhlp32.exe
2009-03-01 22:53 149,504 a------- c:\windows\UNWISE.EXE
2009-03-01 22:53 299,520 a------- c:\windows\uninst.exe
2009-03-01 22:53 25,600 a------- c:\windows\twunk_32.exe
2009-03-01 22:53 15,360 a------- c:\windows\TASKMAN.EXE
2009-03-01 22:52 32,768 a------- c:\windows\slrundll.exe
2009-03-01 22:52 67,736 a------- c:\windows\setpwrcg.exe
2009-03-01 22:52 69,120 a------- c:\windows\notepad.exe
2009-03-01 22:52 306,688 a------- c:\windows\IsUninst.exe
2009-03-01 22:52 98,304 a------- c:\windows\dla.exe
2009-02-28 11:54 229,376 a------- c:\windows\system32\fxscover.exe
2009-02-28 11:52 123,392 a------- c:\windows\system32\mplay32.exe
2009-02-28 11:52 102,912 a------- c:\windows\system32\clipbrd.exe
2009-02-28 11:05 150,528 a------- c:\windows\system32\imapi.exe
2009-02-28 11:00 744,448 a------- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2009-02-28 10:47 146,432 a------- c:\windows\regedit.exe
2009-02-28 09:37 677,888 a------- c:\windows\system32\mstsc.exe
2009-02-28 09:37 343,040 a------- c:\windows\system32\mspaint.exe
2009-02-28 09:37 78,848 a------- c:\windows\system32\msiexec.exe
2009-02-28 09:36 15,360 a------- c:\windows\system32\ctfmon.exe
2009-02-28 09:36 69,120 a------- c:\windows\system32\notepad.exe
2009-02-28 09:35 28,672 a------- c:\windows\system32\verclsid.exe
2009-02-28 09:34 44,544 a------- c:\windows\system32\alg.exe
2009-02-28 09:34 22,528 a------- c:\windows\system32\wscntfy.exe
2009-02-27 11:53 26,112 a------- c:\windows\system32\userinit.exe
2009-02-27 11:52 135,680 a------- c:\windows\system32\taskmgr.exe
2009-02-27 11:52 57,856 a------- c:\windows\system32\spoolsv.exe
2009-02-27 11:52 12,800 a------- c:\windows\system32\spiisupd.exe
2009-02-27 11:51 95,744 a------- c:\windows\system32\scardsvr.exe
2009-02-27 11:51 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-27 11:51 76,800 a------- c:\windows\system32\nslookup.exe
2009-02-27 11:50 514,560 a------- c:\windows\system32\logonui.exe
2009-02-27 11:50 7,680 a------- c:\windows\system32\hostname.exe
2009-02-27 11:50 267,776 a------- c:\windows\system32\fxssvc.exe
2009-02-27 11:50 10,752 a------- c:\windows\system32\dumprep.exe
2009-02-27 11:50 45,568 a------- c:\windows\system32\drwtsn32.exe
2009-02-27 11:49 10,752 a------- c:\windows\system32\doskey.exe
2009-02-27 11:49 466,944 a------- c:\windows\system32\dlbucoms.exe
2009-02-27 11:48 184,320 a------- c:\windows\system32\accwiz.exe
2009-02-27 11:39 10,752 a------- c:\windows\hh.exe
2009-02-27 10:39 100,864 a------- c:\windows\system32\logagent.exe
2009-02-27 10:39 135,168 a------- c:\windows\system32\cscript.exe
2009-02-27 10:39 1,077,248 a------- c:\windows\help\sbsi\training\orun32.exe
2009-02-27 10:39 155,648 a------- c:\windows\system32\wscript.exe
2009-02-27 10:38 1,033,728 a------- c:\windows\explorer.exe
2009-02-26 23:41 704,512 a------- c:\windows\system32\ss3dfo.scr
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 79,360 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 22,528 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2006-03-25 22:43 774,144 a------- c:\program files\RngInterstitial.dll
2008-08-05 12:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat

============= FINISH: 2321.93 ===============

[amateur]

Hello and welcome to TSF.

Quote:

Virut.j and Mariofev!mem are rampid throughout my system. During the scan, my computer had to shutdown. I managed to jot down some of the viruses that were detected.

system32\svchost.exe was infected with Virut.j
also system32\7.tmp was infected

Virut is a polymorphic file infector, infecting all the executable files(.exe) and screen saver files(.scr) by way of corrupting them beyond repair. Many in the community believe that the best approach is to reformat and reinstall, i.e. clean install. While backing up your files prior to r/r, please make sure that you do not backup any executables, screen savers and compressed files such as zip, rar and cab, and also the htm/html/php files as they may also contain infected files.

Good luck. Surf Safely and Think Prevention!

[mjbosko]

But based on my logs and whatnot, is there any solution you can offer me regarding the Mariofev!mem infection? I was able to contain Virut.j and eliminate it for the most part.

I would like to know more about this virus.

[amateur]

Hi,

Quote:

But based on my logs and whatnot, is there any solution you can offer me regarding the Mariofev!mem infection? I was able to contain Virut.j and eliminate it for the most part.

I would like to know more about this virus.

Your log is riddled with infection, including backdoor trojans, Virut being the worst of all. It's polymorphic structure makes it difficult to detect and clean, because its code is constantly changing. If this were to be my system, I wouldn't even hesitate a second to reformat and reinstall. As I already explained, Virut infects every exe file. This means that you may not delete these files, but they should be disinfected. And since it's a buggy virus, the files cannot be properly disinfected. Even if we attempt to clean it, our efforts will be futile. There's no tool that can fix this infection at the moment. Some tools claim to disinfect it but they also end up corrupting the system files in the end just like the virut itself. So, I am afraid there's no other option but a reformat and reinstall.

Btw, Virut is mostly spread via crack and keygen sites. In future, I would strongly recommend that you stay away from such sites.

Here's some information on this infection:

http://www.microsoft.com/security/en...=Win32%2fVirut
http://vil.nai.com/vil/content/v_143034.htm
http://www.avast.com/eng/win32-virut.html
http://www.symantec.com/security_res...558-99&tabid=1

If you need assistance in performing a clean install, here is a good guide to walk you through the process:

http://www.windowsreinstall.com/winx...tallguides.htm

You might also like to have a look at this blog by our colleague, miekiemoes:

http://miekiemoes.blogspot.com/2009/...-throwing.html