This problem is all over the internet with no solution, anyone know how to remove it?
#1
Posted 23 February 2009 - 09:18 PM
#2
Posted 23 February 2009 - 09:42 PM
This is almost certainly Win32.Virut, which I would believe is a pain in the neck to get rid of.
Please follow these instructions for posting logs in our malware removal forum, and one of our volunteers will take a look at them when they get a chance.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#3
Posted 23 February 2009 - 09:50 PM
Hello.
It is indeed a file related to the nasty Virut file infector infection. Most experts suggest a format/reinstall.
Take a read below.
Virut File Infector Warning
Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.
Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.
Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.
With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED!
The help you receive here from me is free but if you wish to show your appreciation, you may wish to
.
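The backup rule from the warning above, as an added example that is not part of the original post: a Python sketch that sorts the files under a folder into ones to skip, ones to review by hand, and ones to back up. The function names and the sample tree are constructed for illustration; only zip archives are opened (top-level members only), so cab/rar files are listed for manual review.

```python
import os
import tempfile
import zipfile

# Extensions the post says Virut infects: never copy these into the backup.
INFECTABLE = {".exe", ".scr", ".html", ".htm"}
# Archive types named in the post; only zip can be inspected with the stdlib.
ARCHIVES = {".zip", ".cab", ".rar"}
CARRIER = {".exe", ".scr"}  # members that make an archive unsafe to keep

def ext(name):
    return os.path.splitext(name)[1].lower()

def zip_has_carrier(path):
    """True if a zip holds an .exe/.scr member, or cannot be read at all."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(ext(n) in CARRIER for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return True  # unreadable archive: treat as unsafe

def triage(root):
    """Sort every file under root into 'skip', 'review' or 'backup'."""
    result = {"skip": [], "review": [], "backup": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            e = ext(name)
            if e in INFECTABLE:
                result["skip"].append(rel)
            elif e == ".zip":
                result["skip" if zip_has_carrier(path) else "backup"].append(rel)
            elif e in ARCHIVES:
                result["review"].append(rel)  # cab/rar: contents not inspected here
            else:
                result["backup"].append(rel)
    return {k: sorted(v) for k, v in result.items()}

def build_sample(root):
    """Constructed sample tree (harmless placeholder bytes, not real binaries)."""
    for rel in ("docs/report.doc", "docs/notes.txt", "tools/setup.EXE",
                "saver/fish.scr", "site/index.html", "old/archive.rar"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")
    with zipfile.ZipFile(os.path.join(root, "docs/photos.zip"), "w") as zf:
        zf.writestr("a.jpg", b"x")
    with zipfile.ZipFile(os.path.join(root, "tools/bundle.zip"), "w") as zf:
        zf.writestr("bin/installer.exe", b"x")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

This sorts by file name only and says nothing about whether a file is actually infected; it is a packing list for the backup, not a scanner.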
#4
Posted 23 February 2009 - 09:52 PM
If you do not want to format/reinstall, then go ahead and follow GT500's instructions.
With Regards,
Extremeboy
#5
Posted 23 February 2009 - 11:53 PM
extremeboy said:
... Most experts suggest a format/reinstall.
#6
Posted 24 February 2009 - 12:22 AM
OK, the infection can be killed, but the process is far too complicated to go through on the forums, and requires using certain bootable CDs to do manual removal while the infection isn't running. Since there's no way we can talk a user through all of this on the forums or the helpdesk, as extremeboy said, reformatting is your best option.
#7
Posted 24 February 2009 - 01:36 PM
well could you PM me the details? i do this for a living and i have 2 computers that need cleaned, to me reformatting is NEVER an option, also i noticed newest AVG definitions won't even notice the infection on most exe's
#8
Posted 24 February 2009 - 02:01 PM
skubik, on Feb 24 2009, 08:36 AM, said:
well could you PM me the details? i do this for a living and i have 2 computers that need cleaned, to me reformatting is NEVER an option, also i noticed newest AVG definitions won't even notice the infection on most exe's
Reformatting is always an option, especially when time is considered, but you have been warned, so if you have the time.
You need to know what you are up against, this thread will show you
http://www.malwarebytes.org/forums/index.p...amp;#entry58063
post 15 outlines a removal and cleanup strategy
There are too many curable infections already to waste time with ones like this
Regards
Chewy the wild wookie
#9
Posted 24 February 2009 - 06:13 PM
DaChew, on Feb 24 2009, 02:01 PM, said:
Reformatting is always an option, especially when time is considered, but you have been warned, so if you have the time.
You need to know what you are up against, this thread will show you
http://www.malwarebytes.org/forums/index.p...amp;#entry58063
post 15 outlines a removal and cleanup strategy
There are too many curable infections already to waste time with ones like this
after removing the rootkits/infected dll's/files in temp folders and running dr. web cure-it from a cd in safe mode everything is fixed!
fresh anti vir install did show some remnants in the dllcache folder which i replaced with sfc, but we're doin good now... no reason to reformat for this one
#10
Posted 24 February 2009 - 09:26 PM
skubik said:
after removing the rootkits/infected dll's/files in temp folders and running dr. web cure-it from a cd in safe mode everything is fixed!
That's assuming that anti-virus scans caught everything. I would be very suspicious of any executable on your system (including legitimate software), as they very well could be infected.
#11
Posted 26 March 2009 - 06:13 AM
So basically, even antimalware people are collapsing to a malware and telling people to bend to its will and reformat? What is this world coming to. Oh well, I guess I have to go buy an external HD. I really thought MBAM would help protect my PC but lately, even though I don't even browse porn, warez, or anything like that, I've gotten stuff that MBAM has failed to scratch. The people who make these viruses must be the real geniuses unfortunately.
#13
Posted 26 March 2009 - 08:24 AM
AdvancedSetup said:
Just FYI - Win32.Virut is a VIRUS not Malware.
It's a pretty nasty one too. It infects other executables on your computer, and you can never tell if they are all clean. There's almost no point in even trying to clean up a Virut infection, simply because you have to replace every executable on your computer without allowing any of them to run during the process. The only way is to use an image disk to reimage your hard drive, which wipes out all of the data that was on it.
#14
Posted 17 July 2009 - 10:33 AM
Hello!
Sorry to bring this post up again, but I'm having the same problem and it's driving me nuts! I found this tool on Norman's site that may be helpful. I have not tried it yet (have to wait until I get home), but I hope it works and maybe it will be useful to others: http://www.norman.co...rt_tools/68989/
Even if it works I think I'll reformat and reinstall to be sure, but my question is what to do with my other drives? I have another local drive used to store stuff and another external USB-drive. Both were hooked up when I got infected and I had not turned off Auto-play for the USB-drive. Will I have to reformat these drives as well? Please tell me no! I have many exe-files all over these two drives but they are just stored there so none of them have run. Thanks for any help!
#15
Posted 17 July 2009 - 05:35 PM
Monkeyboy, on Jul 17 2009, 03:33 AM, said:
Hello!
Sorry to bring this post up again, but I'm having the same problem and it's driving me nuts! I found this tool on Norman's site that may be helpful. I have not tried it yet (have to wait until I get home), but I hope it works and maybe it will be useful to others: http://www.norman.co...rt_tools/68989/
Even if it works I think I'll reformat and reinstall to be sure, but my question is what to do with my other drives? I have another local drive used to store stuff and another external USB-drive. Both were hooked up when I got infected and I had not turned off Auto-play for the USB-drive. Will I have to reformat these drives as well? Please tell me no! I have many exe-files all over these two drives but they are just stored there so none of them have run. Thanks for any help!
Hello Monkeyboy, in this case it would be better to format. Virut infects all .exe and .scr files in your computer to a point where they get corrupted and stop working. That tool will work in theory to remove some Virut variants, but since Virut is already in your system it already spread to many files. Why you say a format is recommended: let's say Virut infected a crucial system file, your security software will sense the infection and delete it and at the same time deleting the crucial system file, rendering your system useless. If you backed up an .exe or .scr or any zipped files in your external hard drive you will have to format that as well.
More information can be found in Miekies blog here:
http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html
#16
Posted 17 July 2009 - 10:08 PM
@ extremeboy
Do you know where Virut comes from or how one gets it? Scary... :/
#17
Posted 17 July 2009 - 10:49 PM
#18
Posted 18 July 2009 - 09:05 AM
Thanks for replying, Origin! I tried the Norman Virut Cleaner when I got home from work, but it didn't even run. I was able to run the latest Microsoft Malicious Removal Tool and it found 3000+ Virut.BM infected files on my three hard drives! This thing is seriously mad! I know my computer got infected Wednesday night. So in two days this sob has infected over 3000 files on my computer!
So my OS is toast. Pretty much every critical Windows file is infected beyond repair. And that is ok. I don't mind reformatting and reinstalling Windows, but the problem is with my two other hard drives. I have tons of both work and personal stuff there that I can't lose so reformatting those is out of the question. I think I will go through each file MMRT reports as infected, remove those that are not important and try to fix the ones that I need. But this thing has really made me paranoid. I'm not sure I can trust MMRT to find all the infected or hidden files this thing has created… I don’t want to end up in an endless loop where my hard drives keep infecting each other.
@ mountaintree16: This thing can spread over networks and is super aggressive. I have not downloaded rogue software, P2P, crackz, keygens or warez. My girlfriend brought some stuff from work in a USB-stick and that was it. Two days later 3000+ files are infected and the OS corrupt. It can also infect computers through browser vulnerabilities via a simple web page. How my anti-virus software (Norman, updated daily) couldn't detect it is beyond me. I'm pretty pissed with them right now.
You can read more about Virut.BM on this page: http://www.microsoft.com/security/portal/E...in32%2fVirut.BM
People, be careful. I've had a computer for as long as I can remember and have never had one infected with a virus (at least not with anything serious that wasn't dealt with quickly). Then out of nowhere this piece of crap totally messes up my computer BIG time and gives me some serious grief.
PS. I still love my girlfriend.
#19
Posted 18 July 2009 - 09:11 AM
Follow these instructions please: the experts will get you fixed up. These Virut are spreading to a lot of users, but you will come out clean in the HJK forum... good luck.
Scan and post logs - read note at bottom in green
If you're having Malware related issues with your computer that you're unable to resolve.
- Please read and follow the instructions provided here: I'm infected - What do I do now?
- If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
- When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
- Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
- Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
- Using these other tools often makes the cleanup task more difficult and time consuming.
- If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
- Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
- There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
- NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.
http://www.tentrexindustries.com/
#20
Posted 18 July 2009 - 09:29 AM
Thanks, yardbird! I will post logs as soon as possible.