Win32: Virut

Hi,
My Comodo AV cannot detect the Win32: Virut virus!
I have lots of infected files on my PC and the CAV says nothing.
Any help?

You can try with COMODO Boclean Anti-malware:
http://www.comodo.com/boclean/boclean.html

Virut is in its signature.

Well, I have Boclean installed, Comodo Firewall and Comodo Anti Virus … and nothing happens!

Perhaps it is a new variant.
How did you discover that it is “Virut”?

Btw, try downloading HijackThis (both versions):
http://www.merijn.org/programs.php#hijackthis
http://www.download.com/HijackThis/3000-8022_4-10379544.html

Make a log with both versions and attach the two log files to the post (do not publish the log, only attach the files).

OK, I'll do that, but I am sending a zip file to Comodo Labs for testing with a Virut-infected (according to AVG) exe program.

Yes, you can also use CAVS to send the file directly.

See below … file 80x26.exe (25.600 bytes) is infected by Virut but nothing is reported.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:32:52, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Arquivos de programas\Comodo\Firewall\CPF.exe
G:\ARQUIV~1\Comodo\CBOClean\BOC425.exe
G:\WINDOWS\system32\taskswitch.exe
G:\WINDOWS\system32\pctspk.exe
G:\Arquivos de programas\Comodo\Comodo AntiVirus\CMain.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe
G:\Arquivos de programas\Messenger\msmsgs.exe
G:\Arquivos de programas\Comodo\CBOClean\BOCORE.exe
G:\Arquivos de programas\Comodo\Firewall\cmdagent.exe
G:\Arquivos de programas\Comodo\common\CAVASpy\cavasm.exe
G:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
G:\WINDOWS\system32\svchost.exe
G:\Arquivos de programas\Raxco\PerfectDisk\PDEngine.exe
G:\Arquivos de programas\Comodo\Comodo AntiVirus\Cavaud.exe
G:\Arquivos de programas\MSN Messenger\msnmsgr.exe
G:\totalcmd\TOTALCMD.EXE
G:\Arquivos de programas\MSN Messenger\usnsvc.exe
G:\Arquivos de programas\Mozilla Firefox\firefox.exe
G:\Arquivos de programas\Skype\Phone\Skype.exe
G:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
G:\Arquivos de programas\Mass Downloader\massdown.exe
G:\Documents and Settings\Arthur\Desktop\Virut\80x26.exe
H:_dad\hijackthis\hijackthis.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - G:\ARQUIV~1\MASSDO~1\MDHELPER.DLL
O4 - HKLM..\Run: [COMODO Firewall Pro] “G:\Arquivos de programas\Comodo\Firewall\CPF.exe” /background
O4 - HKLM..\Run: [BOC-425] G:\ARQUIV~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM..\Run: [VEngine] G:\Arquivos de programas\Comodo\VEngine\VEngine.exe
O4 - HKLM..\Run: [D-Link AirPlus G] G:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM..\Run: [ANIWZCS2Service] G:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [CoolSwitch] G:\WINDOWS\system32\taskswitch.exe
O4 - HKLM..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “G:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe”
O4 - HKLM..\Run: [WinampAgent] “G:\Arquivos de programas\Winamp\winampa.exe”
O4 - HKLM..\Run: [cnfgCav] “G:\Arquivos de programas\Comodo\Comodo AntiVirus\CMain.exe”
O4 - HKCU..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Skype] “G:\Arquivos de programas\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [Picasa Media Detector] G:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe
O4 - HKCU..\Run: [MSMSGS] “G:\Arquivos de programas\Messenger\msmsgs.exe” /background
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: Baixar &tudo com o Mass Downloader - G:\Arquivos de programas\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Baixar com o &Mass Downloader - G:\Arquivos de programas\Mass Downloader\Add_Url.htm
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - G:\Arquivos de programas\Mass Downloader\massdown.exe
O9 - Extra ‘Tools’ menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - G:\Arquivos de programas\Mass Downloader\massdown.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip..{70E4A2C3-10DA-4741-8F57-577DF0E5EFD7}: NameServer = 192.168.0.254
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - G:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: monln - G:\WINDOWS\SYSTEM32\monln.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - G:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - G:\WINDOWS\system32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - G:\Arquivos de programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: BOCore - COMODO - G:\Arquivos de programas\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - G:\Arquivos de programas\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - G:\Arquivos de programas\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - G:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - G:\Arquivos de programas\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - G:\Arquivos de programas\UPHClean\uphclean.exe (file missing)
O23 - Service: Serviço de Compartilhamento de Rede do Windows Media Player (WMPNetworkSvc) - Unknown owner - G:\Arquivos de programas\Windows Media Player\WMPNetwk.exe (file missing)


End of file - 6255 bytes

According to CA, this is a polymorphic virus of some sophistication. With CAVS still being beta and lacking advanced detection techniques, it's not surprising if it evades detection.

http://ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=65861

Hi,

I was told to attach the log in a file and not to post the log.
And also to use both versions of HijackThis.

BTW, these 5 elements should be fixed:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

Why do you have this file 80x26.exe here:
G:\Documents and Settings\XXXXX\Desktop\Virut\80x26.exe

and where was it before you moved it there?

Can you submit that file to www.virustotal.com and post the log here?

You should also download Spybot - Search & Destroy, update it and scan your disk:
http://www.download.com/3000-8022_4-10743107.html
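A small triage helper for the kind of HijackThis lines quoted in this reply, added here as an example (it is not HijackThis or Comodo code): it parses the O-lines and flags the orphan entries, i.e. the "(no file)" / "(file missing)" and "(no name)" items, plus O23 services with an unknown owner. The sample log is constructed from the shape of the lines above; the rules are a generic first pass, not the exact five items the replier lists.

```python
import re
from dataclasses import dataclass

# Constructed sample, shaped like the log above (hypothetical triage script).
# Real HijackThis prints "HKLM\..\Run"; the forum rendering dropped a backslash.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - G:\ARQUIV~1\MASSDO~1\MDHELPER.DLL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BOC-425] G:\ARQUIV~1\Comodo\CBOClean\BOC425.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: monln - G:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: BOCore - COMODO - G:\Arquivos de programas\Comodo\CBOClean\BOCORE.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - G:\Arquivos de programas\UPHClean\uphclean.exe (file missing)
"""

# Every HijackThis entry starts with a section code ("O2", "O23", ...), a dash, then the body.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    text: str
    reasons: tuple


def triage(log: str) -> list:
    """Return the O-lines that deserve a second look, with the reason for each."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list and blanks are not entries
        section, body = m.groups()
        reasons = []
        if body.endswith(ORPHAN_MARKERS):
            reasons.append("target file missing")  # orphan entry, nothing to load
        if "(no name)" in body:
            reasons.append("unnamed entry")  # registered without a display name
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown vendor")  # no publisher info
        if reasons:
            findings.append(Finding(section, body, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", ", ".join(f.reasons), "|", f.text)
```

Entries that reference an existing file (the BOC-425 run key or the BOCore service) pass through unflagged, so the output is the short list a helper would ask about rather than the whole log.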

I would use the Spybot S&D Halloween version. You can find it here:

http://www.majorgeeks.com/SpyBot-Search_&_Destroy_Tools_Beta_d5396.html

Although it is still a Beta, it has some bug fixes the official 1.5 release lacks.

Greetz, Red.

Hi,

File 80x26 results from VirusTotal attached.

[attachment deleted by admin]

(file - Warning file 80x26.exe.HERE.zip - canceled)

I was told to attach the log, not malware!

Please do not ever attach malware to a post; it can be dangerous for inexperienced users.

We must try to solve problems rather than create them! :-\

File will be sent to the COMODO Laboratory.