#1
Hi. I have a PC. It's a Pentium 4, 1 GB RAM, 160 GB. I have Windows XP installed on it. Recently, it wasn't working properly. I used to click open on any one of the user accounts and it would come up "loading your personal settings" and would suddenly appear "logging off". So I understood it was a virus. First, I formatted the whole C drive in which XP was installed and then reinstalled it. It seemed to be working fine. So, I installed anti-malware's Malwarebytes, PC Tools anti-virus and Super Anti-Spyware. The installation files were in the E drive. Anti-malware and Super Anti-Spyware detected some things but it didn't do anything to the PC. But when I started to scan it with PC Tools, it found many infections of 1 virus in many files of Windows and also some of other drives. Something named win.32.virut G or something. So, naturally, I removed all the infections. But when I did that, it turns out that somehow explorer.exe was also infected, so the whole desktop disappeared, and also the Task Manager. So I restarted the thing and when I open any user account, it would just be showing the wallpaper and nothing else, no desktop icons or whatsoever. When I pressed Alt Ctrl Del for Task Manager, it would say that it can't open it and I can send an error report etc., you know, that common msg of XP. So I re-installed it again and it seems to be working fine for now. I haven't installed PC Tools or any other anti-virus or anti-malware or anti-spyware on the PC cuz it would do this same thing again. I don't know, but it can be that the installation files of these on my PC are also infected. So anyways, please help me out as I am in quite a pinch here. And please don't tell me to format the whole hard disk drive because I have all my important stuff in E drive and F. C is where Windows is installed and D is fully empty. So help me please.

#2
I think there is a cure for virut now, but I don't know where. From what I understand, virut is very bad. It infects every .exe in your PC. Near impossible to get rid of unless u reformat. All that is true IF I remember correctly.
Edit- also, since every exe could be infected, don't copy or move any .exe to a different PC, cuz then it will start to infect the other PC.
__________________
Computer parts- http://secure.newegg.com/WishList/Pu...Number=9141625 Monitor- http://www.provantage.com/doublesight-ds-305w~4DBLE00M.htm Ace]
My System: Top Secrit

#3
Um, ok. Well now, my PC is closing after every 10 mins when I get a weird msg that some software did work or something so if I want to send the report or not. Even when I don't do anything, it restarts after a few seconds.

#4
Wow... that's not good....

#5
Virut is a virus that infects all executable files and screensavers. Virut also opens a back door providing the attacker with unauthorized remote access to the infected computer. Definition: Polymorphic virus.
There is no way to cure this infection. Your only option is to perform a full reformat. Do NOT attempt a repair install. Trying to fix this infection will only leave the computer unusable. See "Virut on the Rise" and "Virut and other File infectors - Throwing in the Towel?" for more information.
Note that if you decide to try and clean this you must be extremely careful on what is backed up, as these new infections can get into many different file extensions (DLL, EXE, SCR, HTM, HTML, MP3, AVI, WMV, PDF.....etc). A complete reformat and reinstall is highly suggested!
Avoid backing up compressed files (zip/cab/rar.....etc). Virut can also penetrate compressed files that have .exe or .scr inside them. If you back up any files they should be scanned from a clean, properly protected PC before restoring. Also be careful what scanner is used, as some are very poor at detecting and even worse at protecting from this infection. In fact, due to the nature of these new infections there are probably no tools that will properly protect you from the infection.
Be very selective and only back up files you cannot replace! Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.
I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second, then reboot after the second before running the third.
-) Dr.Web CureIt!
-) AVG Win32/Virut Removal Tool
-) Symantec W32.Virut Removal Tool
-) McAfee Avert Stinger
-) Microsoft Windows Malicious Software Removal Tool
If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/
I strongly suggest you do the following immediately!
If you have done any online transactions, call all of your banks, credit card companies and financial institutions and inform them that you may be a victim of identity theft, and ask them to put a watch on your accounts and/or change all of your account numbers. From a clean computer, change all of your online passwords, including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc. DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
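The backup rules in post #5, as an added example (not code from the thread or from any scanner it names): a Python triage script that sorts candidate files before they are burned to DVD. The verdict names, the `MZ` header check for renamed executables and letting executable-free zip files through for scanning are assumptions of this example; it does not detect Virut and replaces none of the scans listed above.

```python
import tempfile
import zipfile
from pathlib import Path

# Extensions the post lists as reachable by the infection.
LISTED = {".dll", ".exe", ".scr", ".htm", ".html", ".mp3", ".avi", ".wmv", ".pdf"}
EXECUTABLE = {".exe", ".scr", ".dll"}   # replaceable by reinstalling (assumption)
ARCHIVES = {".zip", ".cab", ".rar"}     # the post says to avoid backing these up


def classify(path: Path) -> str:
    """Return 'exclude', 'scan-listed' or 'scan' for one backup candidate."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        magic = fh.read(2)
    # "MZ" opens every DOS/PE executable, so a renamed .exe is still caught.
    if ext in EXECUTABLE or magic == b"MZ":
        return "exclude"
    if ext in ARCHIVES:
        if ext != ".zip" or not zipfile.is_zipfile(path):
            return "exclude"            # cannot look inside: treat as unsafe
        with zipfile.ZipFile(path) as zf:
            inner = {Path(m).suffix.lower() for m in zf.namelist()}
        # Assumption: a zip with no .exe/.scr member may be kept, but scanned.
        return "exclude" if inner & {".exe", ".scr"} else "scan"
    return "scan-listed" if ext in LISTED else "scan"


def triage(root: Path) -> dict:
    """Walk a backup candidate folder and group relative paths by verdict."""
    result = {"exclude": [], "scan-listed": [], "scan": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result[classify(path)].append(path.relative_to(root).as_posix())
    return result


def build_sample(root: Path) -> None:
    """Constructed sample files standing in for a drive to be backed up."""
    (root / "photos").mkdir()
    (root / "photos" / "trip.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
    (root / "index.html").write_text("<html>constructed page</html>")
    (root / "setup.exe").write_bytes(b"MZ constructed stub")
    (root / "holiday.jpg").write_bytes(b"MZ renamed executable stub")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", "constructed")
        zf.writestr("saver.scr", "constructed")
    with zipfile.ZipFile(root / "notes.zip", "w") as zf:
        zf.writestr("notes.txt", "constructed")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for verdict, names in triage(Path(tmp)).items():
            print(verdict, names)
```

Every file that is not excluded still has to be scanned from a clean PC before it is restored; "scan-listed" only marks the file types the post names as carriers.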

#6
Hmm, ok, here's the thing. I have 4 partitions on my hard disk, C D E & F. The MOST important ones to me are E and F. D is empty and C is for XP, so I can del that. Mostly on E, I have lots of pictures and other html stuff. So can they be saved? I mean, are they infected or not? And if for example, I burn them all on a DVD-R or DVD-RW, will the virus burn in it or with it? So I should burn them first, and then check that backup DVD on another PC? Is that what u mean?

#7
Read everything I wrote about backing up and scanning the backups.

#8
Well, I somehow managed to download malware anti-malbytes. I guess it's of no use but anyways, here it is.

#9
Sorry but I've tried before and I simply won't put myself through it again. Virut is constantly spreading so it can not be contained. It infects all of your System Files so removing it would leave the computer unbootable.
You really have no choice but to reformat and reinstall.

#10
Ok, but I am pretty sure my PC doesn't keep on restarting because of the virut thingy. So at least help me getting rid of spyware and all that, cuz I know they are causing this.