| Thread ID: 78621 | 2007-04-22 11:09:00 | Virut Virus | fatcam (9001) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 543249 | 2007-04-22 11:09:00 | Hi Everyone, Just wondering if anyone has come across a nasty variant of the Virut virus. It has infected my PC and is proving quite a challenge to remove. I have scanned my hard drive in another machine with numerous tools and repaired Windows, but it still comes back. I believe it is lying dormant somewhere and a registry entry is bringing it back to life. Cheers | fatcam (9001) | ||
| 543250 | 2007-04-22 11:33:00 | Have you tried using Speedy's HiJackThis file? | winmacguy (3367) | ||
| 543251 | 2007-04-22 14:25:00 | And shut off SYSTEM RESTORE>>> | SurferJoe46 (51) | ||
| 543252 | 2007-04-22 14:55:00 | And shut off SYSTEM RESTORE>>> OK . . . that got shut off at 8 MINUTES into the EDIT function . . . gads! Let's try again: First, a short description of what you have: W32/Virut.d is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either: - immediately before the encrypted code at the end of the last section; - at the end of the code section of the infected host in 'slack space' (assuming there is any); - at the original entry point of the host (overwriting the original host code). The decryptor will either receive control directly, or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus, the original bytes are stored within the encrypted virus body and are restored before transferring control back to the host. Now, get the following: AVG-Free (free.grisoft.com/freeweb.php/doc/2/). (The anti-virus will also bring in the spyware protection too . . . but be sure to get the Rootkit Killer there ((free)) too!) Download the following three files. Note: it is absolutely necessary to save rmvirut.nt and rmvirut.dos into the same folder as rmvirut.exe. rmvirut.exe (www.grisoft.cz/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.exe), rmvirut.nt (www.grisoft.cz/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.nt), rmvirut.dos (www.grisoft.cz/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.dos). Boot into Safe Mode and now run the rmvirut.exe file. Shut off SYSTEM RESTORE. Now run a full system scan with AVG-Free, downloaded before. Re-boot into Regular Mode, re-scan with AVG-Free and re-check results. You can also specify the disks (or partitions) to heal as command parameters, e.g. "rmvirut C: D:". If the command is used without parameters, it heals all disks (partitions) on the computer. Run the AVG Complete Test in SAFE MODE and again in regular booted mode. You SHOULD be free of Virut! The morphing problem is why it's so hard to remove and why there are multiple Safe Mode bootings and such. It likes to hide. I don't ever recommend even running System Restore. | SurferJoe46 (51) | ||
| 543253 | 2007-04-22 15:16:00 | A final (sigh!) note: W32/Virut.d is a file infecting virus. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine. This virus can also be instructed to scan for vulnerable systems and infect them. The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files. In those cases of mis-infection in which repair data is present within the virus body, and has not been miscalculated by it, the current DAT set will repair the virus as per the non-corrupted case. However, unfortunately, some W32/Virut.d infections are corrupted beyond repair. W32/Virut.d: Type: Virus; SubType: Win32; Discovery Date: 03/16/2007; Length: ~9,000 bytes; Minimum DAT: 4986 (03/16/2007); Updated DAT: 5006 (04/11/2007); Minimum Engine: 4.4.00; Description Added: 03/16/2007; Description Modified: 04/03/2007 9:40 AM (PT) | SurferJoe46 (51) | ||
| 543254 | 2007-04-23 01:19:00 | Thanks for the help. I have used the AVG tool already, but it is obvious now that I have not followed it up with more scans to completely rid my system of all signs of the virus. It hides very well, definitely one that I hope never to see again. Cheers | fatcam (9001) | ||
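SurferJoe46's description above (an encrypted body appended to the last PE section, a decryptor placed before it, in code-section slack space, or at the original entry point) translates into a concrete triage check a defender can run before reaching for a cleaning tool: parse the PE section table and look at where the entry point lands. The script below is an added example written for this page; it is not code from the thread, from AVG's rmvirut, or from McAfee. Its function names and the two in-memory sample images it constructs are my own assumptions. It only reads headers and reports findings; it repairs nothing. Treat the result as a heuristic: packers and some linkers also place the entry point in the last section, so a hit means "look closer", not "infected".

```python
import struct
import sys

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) parsed from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                    # IMAGE_SECTION_HEADER i
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "span": max(vsize, rawsize), "chars": chars})
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic checks on where the entry point lands; returns a list of findings (empty = nothing odd)."""
    entry_rva, sections = parse_sections(data)
    findings = []
    ep_sec = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["span"]), None)
    if ep_sec is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    if not ep_sec["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry point in non-code section %s" % ep_sec["name"])
    last = sections[-1]
    if ep_sec is last and len(sections) > 1:
        findings.append("entry point in last section %s (appended-code pattern)" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %s is both writable and executable" % last["name"])
    return findings


def build_sample_pe(entry_rva, last_chars):
    """Construct a minimal two-section PE32 image in memory (test fixture only, not a runnable program)."""
    sections = [(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (b".data", 0x2000, 0x200, last_chars)]
    size_opt, hdr_size = 224, 0x400
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    hdrs, raw_ptr = b"", hdr_size
    for name, va, size, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += size
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr_size, b"\0")
    for _, _, size, chars in sections:
        image += (b"\xCC" if chars & IMAGE_SCN_CNT_CODE else b"\0") * size
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:                                # optional: check a real file from disk
        with open(sys.argv[1], "rb") as fh:
            print(entry_point_findings(fh.read()) or ["nothing unusual"])
    else:
        data_rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
        print("clean layout:   ", entry_point_findings(build_sample_pe(0x1010, data_rw)))
        print("appended layout:", entry_point_findings(build_sample_pe(0x2100, data_rw | IMAGE_SCN_MEM_EXECUTE)))
```

Run it with no arguments and it checks the two constructed images: the first keeps the entry point in `.text` and reports nothing; the second moves the entry point into an executable, writable last section and gets three findings. Passing a file path instead checks that file's headers. The check deliberately says nothing about the EPO variant where the entry point is untouched and a call inside the host is redirected; that case needs a scanner with the actual signatures, which is why the thread's advice to run the dedicated tool and then full scans in both Safe Mode and normal mode still stands.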