Jump to content

Runouce Virus in Windows 7


Raheem Jamali

Recommended Posts

Hi guys,

I dont know if this has been posted before sorry for duplication (if any). My Pc with Windows 7 (32bit) has become virtually non usable after i got the virus Runouce. I did a clean installation of Windows 7 but it is still there... scanned with malwarebytes anti malware and removed the virus but after i restarted the PC the virus came back. Tried Safe Mode but nothibg is working... i am attaching few error logs and scan log here in the post archived in zip. Any help will be appreciated.

Link to comment
Share on other sites


 Here is a scan log.

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.7600.16385
Run by Raheem at 19:16:14 on 2018-01-14
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Smadav\SmadavProtect32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\runouce.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
mRun: [Runonce] c:\windows\system32\runouce.exe
uPolicies-Explorer: DisallowRun = dword:1
uPolicies-DisallowRun: 1 = Mshta.exe
uPolicies-DisallowRun: 2 = powershell.exe
uPolicies-DisallowRun: 3 = bitsadmin.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.146 157.54.14.162 157.54.80.10
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? StorSvc;Storage Service
.
=============== Created Last 30 ================
.
2018-01-15 02:44:00    --------    d-----w-    c:\users\raheem\appdata\local\Desktopicon
2018-01-14 05:00:52    --------    d-----w-    c:\users\raheem\appdata\roaming\PE Explorer
2018-01-13 22:08:27    --------    d-----w-    c:\users\raheem\appdata\local\Apps
2018-01-13 22:08:26    --------    d-----w-    c:\users\raheem\appdata\local\Deployment
2018-01-13 21:55:55    --------    d-----w-    c:\users\raheem\appdata\roaming\Zbshareware Lab
2018-01-13 21:55:55    --------    d-----w-    c:\programdata\Zbshareware Lab
2018-01-13 21:54:46    --------    d-sh--w-    C:\[Smad-Cage]
2018-01-13 21:54:46    --------    d-----w-    c:\users\raheem\appdata\roaming\Smadav
2018-01-13 21:54:43    --------    d-----w-    c:\program files\SMADAV
2018-01-13 21:54:37    --------    d-----w-    c:\users\raheem\appdata\local\Programs
2018-01-13 21:54:03    10748    --sha-r-    c:\windows\system32\runouce.exe
2018-01-13 21:51:37    --------    d-----w-    c:\windows\system32\wbem\Performance
2018-01-13 21:45:13    --------    d-sh--w-    C:\Recovery
2018-01-13 21:38:14    --------    d-----w-    c:\windows\Panther
2018-01-13 21:37:59    --------    d-sh--w-    C:\Boot
.
==================== Find3M  ====================
.
.
============= FINISH: 19:16:25.15 ===============

Link to comment
Share on other sites

"Most antivirus programs identify runouce.exe as malware—e.g. Microsoft identifies it as Virus:Win32/Chir.B@mm, and TrendMicro identifies it as PE_Chir. B-O or PE_CHIRUX.B."
- https://www.file.net/process/runouce.exe.html

Once removed, try creating a read-only folder in "C:\Windows\system32" named "runouce.exe" to prevent it from coming back.

Link to comment
Share on other sites

Well, if it retirns after a (proper) reinstall, it means that *somewhere* it is still there (like on another device on the same lan, the installations files, etc.).

The creation of a read only folder might be a "temporary" workaround, still it needs to be understood where it remains resident and kill this possible source of re-infection.

 

jaclaz

 

Link to comment
Share on other sites

Thanks for replying. I have tried removing it using Malwarebytes Anti malware. It removed the virus but when i restarted the pc it came back. Computer is overheating due to the virus and almost every software fails to start. I have scanned the other drives like D, E, F shown the hidden system files it was no where.

Link to comment
Share on other sites

That virus (actually the whole family of similar viruses) will be *everywhere* on your system, under a zillion different filenames.

Try running Combofix following EXACTLY what is suggested here:

https://www.bleepingcomputer.com/forums/t/450940/system-is-infected-with-the-win32chirbmm-runouceexe-virus-many-programmes-have-been-corrupted/

jaclaz

Link to comment
Share on other sites

Hello, as Jaclaz had suggested i downloaded ComboFix and tried to use combofix to clean my computer. When I try to run the program, I get an alert saying, 

"!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus (Virut)"

now only option left to me is format the hdd and reinstall Windows or Installing a Linux Distro with Wine...

Link to comment
Share on other sites

Thanks all for support. after i failed to Run ComboFix i downloaded the w32.virut.cf removal tool from link below and executed it. : https://us.norton.com/online-threats/w32.virut.cfremovaltool-2009-022016-4444-99-writeup.html

After scanning and Cleaning by This tool in installed ComboFix and executed it i got the following log:

After Scanning as in Log i got to know that my system file userinit.exe is corrupted and is a malware. I furthe scanned it online on http://virustotal.com it was detected as W32.virut.

In the last i downloaded userinit.exe for Win 7 and replaced it using System file replacer CMD tool it fixed my pc. Thanks all specially Jaclaz...

virutlog.txt

Edited by Tripredacus
added attachment
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...