
Malwarebytes

First Look video: Malwarebytes' Anti-Malware


11 replies to this topic

#1 RubbeR DuckY (Marcin, Root Admin)
Take a look here to see the CNET first look video..

By the way, Seth states we do not remove viruses. While this is true, it is not entirely true. We do remove certain types of viruses such as this one and this one.
Marcin Kleczynski
President and CEO

#2 YoKenny1 (Forum Deity, Honorary Members)
It looks good but I had to disable my HOSTS file as it blocked:

adlog.com.com
pn2.adserver.yahoo.com

Virus.Virut is a bit of a nasty piece of work.

#3 TeMerc (Forum Deity, Moderators)
I already had someone asking about the virus thing, comparing to malware. Or saying that by definition, a virus is malware.

The line is too blurred; we cannot get into saying we remove viruses. I suggest we may get some based on heuristic scanning, but overall we'd fail pretty badly at any virus testing, and rightfully so.
Tom Mercado
Consumer Support Engineer

#4 TeMerc (Forum Deity, Moderators)

RubbeR DuckY, on Feb 21 2009, 01:07 PM, said:

Take a look here to see the CNET first look video..

By the way, Seth states we do not remove viruses. While this is true, it is not entirely true. We do remove certain types of viruses such as this one and this one.
No chance I'd ever try to fix any Virut infections, reformat only way to go. Pretty good discussion going on in back rooms here.
Tom Mercado
Consumer Support Engineer

#5 TeMerc (Forum Deity, Moderators)

YoKenny1, on Feb 21 2009, 01:44 PM, said:

It looks good but I had to disable my HOSTS file as it blocked:

adlog.com.com
pn2.adserver.yahoo.com

Oh, so that's why it won't play for me, lol
Tom Mercado
Consumer Support Engineer

#6 Tarun (Elite Member, Experts)
Firefox 3.0 RC3 on his desktop...?

#7 GT500 (Mostly Cantankerous, Trusted Advisors)
Video won't play in Opera 10 alpha.

#8 lakrigg (New Member, Members)
Worked out this procedure to remove W32.Sality.V and variants from PCs. You will need to source these files I use.

Step 1 - Copy the appropriate safeboot registry key to the PC's c:\
Step 2 - Boot ERD Commander 2007 & run the c:\safeboot*.reg file
Step 3 - Reboot the PC into Safe Mode with NETWORKING
Step 4 - Run 'DrWeb-Cureit.exe' (latest version will not need to update)
Step 5 - Run "Fixpolicies", run "taskmanager.reg", install "UnhookExec.ini"
Step 6 - Run "W32 Sality Remover" (run this from the command line, e.g. c:\rmsality.exe c: d: e: f:)
Step 7 - Reboot the computer & run 'DrWeb-Cureit' from normal mode
Step 8 - Re-install SAV & Malwarebytes, update and run.

Computer should be clean.

#9 AdvancedSetup (Forum Deity, Administrators)
So you're telling me that EVERY signed file is now back to normal and will pass a SIGVERIF check and an MD5 check that they are 100% back to normal? I seriously doubt it; thus, as stated by most everyone in the field, you CAN NOT trust a computer that has had any such type of infection.

The time and trouble spent cleaning it off, and then not being able to trust the box, is why we don't recommend doing as you suggest.
If you're happy with the results, that's okay for you, but it is not something I'd recommend to anyone who expects to do banking and other secure tasks on their computer again.
Ron Lewis
Manager, Online Support

#10 PhoenixRaven (New Member, Members)
I gotta be honest here, and I am not trying to sound rude; however, you say you remove Virut. That is a little misleading, as Virut infects all .exe and .scr files on a comp; there is almost no way to get rid of it without a full reformat. If MBAM were to remove all infections, it would remove those files, which are necessary for the computer to run. I had a Virut infection, and MBAM did a good job of removing the immediate infections but was unable to remove the infection in full because of its polymorphic ability.

The fact is there is currently no way to clean a system infected with Virut without a full reformat that I am aware of; please correct me if I am incorrect.

#11 AdvancedSetup (Forum Deity, Administrators)
There are methods to recover, but again the issue as I see it is: would you really ever trust the box again to do all your personal financial transactions and other sensitive transactions on the system? Speaking for myself, NO, I would not trust the system, and I would rebuild it from scratch.
Ron Lewis
Manager, Online Support

#12 Origin (New Member, Members)
Speaking from experience, today I came in contact with the Virut virus despite my Anti Virus and Firewall with HIPS protection. My firewall did help, though: it notified me of reader_s, which is a sign of Virut, and I blocked all connections to this file. Thinking I had prevented the virus from entering my system, I carried on my usual activities, but I wanted to make sure it was gone, so I ran a system scan with HJT and the bugger was still there:

O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe

That appeared twice in HijackThis. Now, anyone who has knowledge of interpreting HJT lines knows reader_s is not a good sign, and now definitely knows that you have the Virut virus in your computer. So what now, Game Over? While I knew it was, I kept going on with trying to disinfect it. I used MBAM to try to relieve the infection, which it slightly did by deleting the two reader_s files and some other malignant files. My browser was now back to normal, and the speed as well. Unfortunately I spoke too soon: after a while of using my browser, it started to slow down incredibly. I decided to run MBAM again to see if it could find anything, but it would freeze. Now, freezing is a good sign of a rootkit, plus it crashing gave it away. I ran The Avenger but no dice; it didn't find any rootkits. I then decided to run GMER to see if there was any rootkit about my system, but Windows did not recognize GMER at all, another sign of Virut. So then I tried ComboFix. I ran it, and it did discover reader_s and, as I figured, two rootkits, one being LEGACY. I then ran CFScript to delete some infected files, folders, and reg keys and then rebooted my computer. Once in my account I noticed my wallpaper had been removed, but that's just due to CF. I tested my browser, but it was slower than ever and took forever to load pages. It took ages just to load Google.

In conclusion, you can say that MBAM does remove Virut, per se, as it removes reader_s.exe, being a Virut variant; therefore what RubbeR DuckY says is true in some way. My solution: format. I'm back to normal now; I backed up some of my PSD files and pictures. I messed up by deleting the screenshots of the process, but oh well.

By the way, for those of you who want to read more about Virut, read the article in Miekie's blog, which most of you might already have read, but for those who haven't:

http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Here is a can explaining it for those of you too lazy to visit the link :D

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

~Origin
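The backup advice quoted above, as an added Python example that is not part of the thread or of Miekie's post: a filter that decides per file whether it may be copied off the infected box, skipping .exe/.scr, zip archives that contain them at any depth, and archive types it cannot open (.cab/.rar are assumed uninspectable here), and flagging htm/html/asp/php for review before copying. All file names and archive contents are constructed sample data.

```python
import io
import zipfile
from pathlib import PurePath
from typing import Dict, Optional

INFECTABLE = {".exe", ".scr"}                    # Virut appends itself to these
WEB_TARGETS = {".htm", ".html", ".asp", ".php"}  # recent variants modify these
OPAQUE_ARCHIVES = {".cab", ".rar"}               # no stdlib parser: cannot inspect


def archive_has_infectable(data: bytes) -> bool:
    """True if a zip (given as bytes) holds an .exe/.scr member at any depth.
    An unreadable archive counts as unsafe, since it cannot be checked."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                ext = PurePath(name).suffix.lower()
                if ext in INFECTABLE:
                    return True
                if ext == ".zip" and archive_has_infectable(zf.read(name)):
                    return True  # nested zip carrying an infectable member
    except zipfile.BadZipFile:
        return True
    return False


def classify(name: str, data: Optional[bytes] = None) -> str:
    """Decide 'backup', 'review' or 'skip' for one file on the infected box.
    `data` is only consulted for .zip files; a zip we have not read is skipped."""
    ext = PurePath(name).suffix.lower()
    if ext in INFECTABLE or ext in OPAQUE_ARCHIVES:
        return "skip"
    if ext == ".zip":
        return "skip" if data is None or archive_has_infectable(data) else "backup"
    if ext in WEB_TARGETS:
        return "review"  # copy only after checking for injected content
    return "backup"


def make_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build a constructed in-memory zip (demo/test input, not a real backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip({"notes.txt": b"hi", "tools/run.exe": b"MZ"})
    for item in ("report.docx", "setup.exe", "site/index.php", "tools.zip"):
        print(item, "->", classify(item, sample))
```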