Raheem Jamali Posted January 17, 2018 Hi guys, I don't know if this has been posted before, sorry for duplication (if any). My PC with Windows 7 (32-bit) has become virtually non-usable after I got the virus Runouce. I did a clean installation of Windows 7 but it is still there... scanned with Malwarebytes Anti-Malware and removed the virus, but after I restarted the PC the virus came back. Tried Safe Mode but nothing is working... I am attaching a few error logs and a scan log here in the post, archived in a zip. Any help will be appreciated.
Tripredacus Posted January 17, 2018 What is the name of the virus being reported to you? The name usually starts with W32.
Raheem Jamali (Author) Posted January 17, 2018 Here is a scan log.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7600.16385
Run by Raheem at 19:16:14 on 2018-01-14
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Smadav\SmadavProtect32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\runouce.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
mRun: [Runonce] c:\windows\system32\runouce.exe
uPolicies-Explorer: DisallowRun = dword:1
uPolicies-DisallowRun: 1 = Mshta.exe
uPolicies-DisallowRun: 2 = powershell.exe
uPolicies-DisallowRun: 3 = bitsadmin.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.146 157.54.14.162 157.54.80.10
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? StorSvc;Storage Service
.
=============== Created Last 30 ================
.
2018-01-15 02:44:00 -------- d-----w- c:\users\raheem\appdata\local\Desktopicon
2018-01-14 05:00:52 -------- d-----w- c:\users\raheem\appdata\roaming\PE Explorer
2018-01-13 22:08:27 -------- d-----w- c:\users\raheem\appdata\local\Apps
2018-01-13 22:08:26 -------- d-----w- c:\users\raheem\appdata\local\Deployment
2018-01-13 21:55:55 -------- d-----w- c:\users\raheem\appdata\roaming\Zbshareware Lab
2018-01-13 21:55:55 -------- d-----w- c:\programdata\Zbshareware Lab
2018-01-13 21:54:46 -------- d-sh--w- C:\[Smad-Cage]
2018-01-13 21:54:46 -------- d-----w- c:\users\raheem\appdata\roaming\Smadav
2018-01-13 21:54:43 -------- d-----w- c:\program files\SMADAV
2018-01-13 21:54:37 -------- d-----w- c:\users\raheem\appdata\local\Programs
2018-01-13 21:54:03 10748 --sha-r- c:\windows\system32\runouce.exe
2018-01-13 21:51:37 -------- d-----w- c:\windows\system32\wbem\Performance
2018-01-13 21:45:13 -------- d-sh--w- C:\Recovery
2018-01-13 21:38:14 -------- d-----w- c:\windows\Panther
2018-01-13 21:37:59 -------- d-sh--w- C:\Boot
.
==================== Find3M ====================
.
.
============= FINISH: 19:16:25.15 ===============
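A small triage script for the kind of DDS log posted above, added here as an example and not part of this thread or of the DDS tool: it parses the Pseudo HJT Report and Created Last 30 sections and flags the pattern visible in this log, namely a freshly created executable in system32 carrying the system and hidden attributes, a Run-key value that launches that same file under a name mimicking the RunOnce mechanism, and DisallowRun policies that block the administrative tools a responder would reach for. The sample lines are copied from the log in this thread; the regular expressions, the ADMIN_TOOLS list and the attribute-string layout it keys on are assumptions about the DDS output format, not a documented specification.

```python
import re

# Constructed sample input: a subset of the DDS log posted in this thread
# (Pseudo HJT Report and Created Last 30 sections), so the script runs offline.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
mRun: [Runonce] c:\windows\system32\runouce.exe
uPolicies-Explorer: DisallowRun = dword:1
uPolicies-DisallowRun: 1 = Mshta.exe
uPolicies-DisallowRun: 2 = powershell.exe
uPolicies-DisallowRun: 3 = bitsadmin.exe
.
=============== Created Last 30 ================
.
2018-01-13 21:54:46 -------- d-sh--w- C:\[Smad-Cage]
2018-01-13 21:54:43 -------- d-----w- c:\program files\SMADAV
2018-01-13 21:54:03 10748 --sha-r- c:\windows\system32\runouce.exe
2018-01-13 21:37:59 -------- d-sh--w- C:\Boot
"""

# Assumed DDS line layouts (derived from the log above, not from a spec).
RUN_RE = re.compile(r"^(?P<hive>[mu]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+?)\s*$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
DISALLOW_RE = re.compile(r"^(?P<hive>[mu])Policies-DisallowRun:\s*(?P<idx>\d+)\s*=\s*(?P<exe>.+?)\s*$")
# Pulls the executable path out of a Run command line, quoted or not, ignoring arguments.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)

# Assumed list of tools whose blocking by policy hinders incident response.
ADMIN_TOOLS = {"mshta.exe", "powershell.exe", "bitsadmin.exe", "cmd.exe",
               "regedit.exe", "taskmgr.exe", "msconfig.exe"}


def parse_run_entries(text):
    """Return Run/RunOnce autostart values as dicts with hive, name and cmd."""
    return [m.groupdict() for m in map(RUN_RE.match, map(str.strip, text.splitlines())) if m]


def parse_created(text):
    """Return 'Created Last 30' rows; size is an int for files and None for directories."""
    rows = []
    for m in map(CREATED_RE.match, map(str.strip, text.splitlines())):
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"]) if row["size"].isdigit() else None
            rows.append(row)
    return rows


def parse_disallowrun(text):
    """Return the executables listed under the Explorer DisallowRun policy."""
    return [m.groupdict() for m in map(DISALLOW_RE.match, map(str.strip, text.splitlines())) if m]


def triage(text):
    """Flag the persistence pattern seen in the thread's log."""
    findings = []
    hidden_sys = {}
    for row in parse_created(text):
        attrs = row["attrs"]
        # Attribute string: first char 'd' marks a directory; 's'/'h' are system/hidden.
        if attrs[0] != "d" and "s" in attrs and "h" in attrs and row["path"].lower().endswith(".exe"):
            hidden_sys[row["path"].lower()] = row
            findings.append({"kind": "hidden_system_exe", "path": row["path"], "size": row["size"]})
    for entry in parse_run_entries(text):
        m = EXE_RE.match(entry["cmd"])
        exe = m["exe"].lower() if m else entry["cmd"].lower()
        if exe in hidden_sys:
            findings.append({"kind": "autorun_of_hidden_exe", "hive": entry["hive"],
                             "name": entry["name"], "path": entry["cmd"]})
    blocked = [d["exe"] for d in parse_disallowrun(text) if d["exe"].lower() in ADMIN_TOOLS]
    if blocked:
        findings.append({"kind": "admin_tools_disallowed", "exes": blocked})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The script reports the state of the machine rather than cleaning anything: the value of the output is that the Run value, the file attributes and the policy entries are correlated, which is what distinguishes a dropped autostart from a legitimate system component when reading such a log by eye.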
jumper Posted January 17, 2018 "Most antivirus programs identify runouce.exe as malware—e.g. Microsoft identifies it as Virus:Win32/Chir.B@mm, and TrendMicro identifies it as PE_Chir.B-O or PE_CHIRUX.B." - https://www.file.net/process/runouce.exe.html Once removed, try creating a read-only folder in "C:\Windows\system32" named "runouce.exe" to prevent it from coming back.
jaclaz Posted January 18, 2018 Well, if it returns after a (proper) reinstall, it means that *somewhere* it is still there (like on another device on the same LAN, the installation files, etc.). The creation of a read-only folder might be a "temporary" workaround, still it needs to be understood where it remains resident and kill this possible source of re-infection. jaclaz
Raheem Jamali (Author) Posted January 18, 2018 Thanks for replying. I have tried removing it using Malwarebytes Anti-Malware. It removed the virus, but when I restarted the PC it came back. The computer is overheating due to the virus and almost every software fails to start. I have scanned the other drives like D, E, F with hidden system files shown; it was nowhere.
jaclaz Posted January 18, 2018 That virus (actually the whole family of similar viruses) will be *everywhere* on your system, under a zillion different filenames. Try running Combofix following EXACTLY what is suggested here: https://www.bleepingcomputer.com/forums/t/450940/system-is-infected-with-the-win32chirbmm-runouceexe-virus-many-programmes-have-been-corrupted/ jaclaz
Raheem Jamali (Author) Posted January 19, 2018 Hello, as Jaclaz had suggested I downloaded ComboFix and tried to use ComboFix to clean my computer. When I try to run the program, I get an alert saying, "!! ALERT !! It is NOT SAFE to continue! The contents of the ComboFix package has been compromised. Please download a fresh copy from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Note: You may be infected with a file patching virus (Virut)". Now the only option left to me is to format the HDD and reinstall Windows, or install a Linux distro with Wine...
Raheem Jamali (Author) Posted January 20, 2018 (edited) Thanks all for the support. After I failed to run ComboFix I downloaded the W32.Virut.CF removal tool from the link below and executed it: https://us.norton.com/online-threats/w32.virut.cfremovaltool-2009-022016-4444-99-writeup.html After scanning and cleaning with this tool I installed ComboFix and executed it, and I got the following log. After scanning, as in the log, I got to know that my system file userinit.exe is corrupted and is malware. I further scanned it online on http://virustotal.com; it was detected as W32.Virut. In the end I downloaded userinit.exe for Win 7 and replaced it using the System File Replacer CMD tool; it fixed my PC. Thanks all, especially Jaclaz... Attachment: virutlog.txt Edited January 22, 2018 by Tripredacus: added attachment
Tripredacus Posted January 22, 2018 Removed log and added as an attachment instead.