Affiliate
tapsikret
Posts: 8
Registered: 08-18-2009

Anybody knows how to remove this virus? Win32.Virut Virus

Win32/Virut.NBM
Aliases: Virus.Win32.Virut.ce (Kaspersky), W32.Virut.CF (Symantec), W32/Virut.n.gen virus (McAfee)
Type of infiltration: Virus
Size: variable
Affected platforms: Microsoft Windows
Signature database version: 3832 (20090206)

Short description
Win32/Virut.NBM is a polymorphic file infector. The virus connects to the IRC network. It can be controlled remotely.
Executable files infection
The virus searches for executables with one of the following extensions:

* .exe
* .scr

Executables are infected by appending the code of the virus to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
It avoids those with any of the following strings in their names:

* WINC
* WCUN
* WC32
* OTSP

It infects the following files:

* *.htm
* *.php
* *.asp

The virus inserts an IFrame element with a URL link into the file.
Other information
The virus is sent data and commands from a remote computer or the Internet.

It communicates with the following servers using IRC protocol:

* irc.zief.pl
* proxim.ircgalaxy.pl

It can execute the following operations:

* download files from a remote computer and/or Internet
* run executable files

The following file is modified:

* %system%\drivers\etc\hosts

The virus writes the following entries to the file:

* 127.0.0.1 jL.chura.pl

The virus may set the following Registry entries:

* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  "%filepath%" = "%filepath%:*:enabled:@shell32.dll,-1"

This registry entry creates an exception in the Windows Firewall.

I am a Trend Micro Affiliate. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
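Added example (not from the thread, Trend Micro or ESET): a small Python triage script that checks constructed copies of the two persistence artefacts described in the post above, the hosts-file entry and the Windows Firewall exception, against the indicators the description lists. The `.reg` export, the hosts file and the allowlist are constructed sample inputs, and the allowlist baseline is an assumption.

```python
import re

# Indicators quoted in the thread: hosts entry, IRC C2 hosts and the firewall exception key.
VIRUT_HOSTS = {"jl.chura.pl", "irc.zief.pl", "proxim.ircgalaxy.pl"}
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)
# Value layout of an XP-era firewall exception: "<path>:*:Enabled:<display name>"
EXCEPTION_RE = re.compile(r"^(?P<path>.+?):\*:(?P<state>enabled|disabled):", re.I)

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that map a known Virut host; comments are skipped."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            if name.lower() in VIRUT_HOSTS:
                hits.append((fields[0], name))
    return hits

def suspicious_firewall_exceptions(reg_text, allowlist):
    """Return enabled AuthorizedApplications paths not in allowlist (a hypothetical
    baseline supplied by the caller). reg_text is a regedit .reg export."""
    allowed = {p.lower() for p in allowlist}
    hits, in_list_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new key starts; only the List key matters
            in_list_key = line.strip("[]").lower() == FIREWALL_LIST_KEY.lower()
            continue
        m = re.match(r'^"(.+?)"="(.+?)"$', line)
        if not (in_list_key and m):
            continue
        value = m.group(2).replace("\\\\", "\\")  # .reg files escape backslashes
        ex = EXCEPTION_RE.match(value)
        if ex and ex["state"].lower() == "enabled" and ex["path"].lower() not in allowed:
            hits.append(ex["path"])
    return hits

# Constructed sample inputs (not taken from a real machine).
SAMPLE_HOSTS = "# constructed hosts file\n127.0.0.1 localhost\n127.0.0.1 jL.chura.pl\n"
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Tools\\old.exe"="C:\\Tools\\old.exe:*:Disabled:Old tool"
"C:\\WINDOWS\\system32\\servises.exe"="C:\\WINDOWS\\system32\\servises.exe:*:Enabled:@shell32.dll,-1"
"""
ALLOWLIST = [r"C:\Program Files\Mozilla Firefox\firefox.exe"]  # assumed clean baseline
```

Running `suspicious_firewall_exceptions(SAMPLE_REG, ALLOWLIST)` flags only the enabled, non-allowlisted `servises.exe` entry; the disabled entry and the allowlisted browser are ignored.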
Trend Micro Employee
genoshaft
Posts: 7
Registered: 08-17-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

Hello. I suggest that you try the following malware troubleshooting steps. Scan your computer with Trend Micro System Cleaner and Trend Micro RootkitBuster.

You may refer to the following link for details on how to use the Trend Micro System Cleaner:

http://esupport.trendmicro.com/Pages/How-do-I-use-the-Trend-Micro-System-Cleaner.aspx

For the RootkitBuster, try downloading it from the following link:

http://www.trendmicro.com/download/rbuster.asp

The tools should be able to detect and remove the virus from your computer. If the problem persists, I suggest that you generate the HijackThis logs of your computer so that we can check for malicious registry entries and identify the location or directory of the virus. You may refer to the following link for details on how to generate the logs:

http://esupport.trendmicro.com/Pages/How-to-generate-Trend-Micro-HiJackThis-logs-for-malware-analysi...

Kindly paste the generated log here. Thanks.

I am a Trend Micro employee. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
Affiliate
tapsikret
Posts: 8
Registered: 08-18-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

The Trend Micro System Cleaner can detect and remove the virus, but after you restart the computer it's back again.

The RootkitBuster won't run; the error says something like "the integrity of the software has been compromised".

HijackThis can detect the infected files. I've tried this one and analyzed the files here: http://hijackthis.de/. But again, after restarting the computer, everything is back again.

BTW, I can't seem to get rid of this hosts file entry: 127.0.0.1 jL.chura.pl

Trend Micro Employee
genoshaft
Posts: 7
Registered: 08-17-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

I suggest that you paste the HijackThis log here so that we can check the directory of the virus. Kindly also provide the directories of the detected files listed in the Sysclean log, so that we can analyze them.

Affiliate
tapsikret
Posts: 8
Registered: 08-18-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

I have already formatted the PC and gave up on the virus.

Infected files that were detected by Internet Security Pro, HijackThis and Sysclean:

reader_s.exe

winword98.exe

servises.exe

Location: C:\Windows\system32

I will have the PC infected again just to collect the logs.

Sysclean logs will only display those things listed above.

A Malwarebytes log would give us more info.

If you have a spare PC, or if you're confident enough that you'll be able to remove the virus, just download the virus from the link posted at the top of this page.

Trend Micro Employee
genoshaft
Posts: 7
Registered: 08-17-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

If you think that the files are malicious, you may use TwinFix to delete the viruses. Please refer to the following link for details on how to use TwinFix:

http://esupport.trendmicro.com/Pages/How-does-the-Twin-Fix-tool-work-and-how-is-it-used.aspx

Affiliate
tapsikret
Posts: 8
Registered: 08-18-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

I have also used the TwinFix application; I downloaded that one from the support site.

But again, I can only place there the 3 malicious files that Internet Security Pro, HijackThis and Sysclean detected:

reader_s.exe

winword98.exe

servises.exe

located in C:\Windows\system32

If we can have a brave soul who would be willing to have their PC infected, that would be great.

BTW, if you have the PC infected, you can no longer do the following...

- boot in normal mode

- open RootkitBuster

- open ComboFix

- run Autoruns

but you can

- run System Cleaner, but can't get rid of the virus

- run HijackThis, but can't get rid of the virus

- run Internet Security Pro in safe mode and scan, and it will be able to detect and lock, but after a restart everything is back

- run TwinFix as many times as you want, but will not be able to remove the virus

- run Malwarebytes, get the log and manually delete the files, but again after a restart everything is back

For sure we can have someone from Trend Micro try this virus, generate the logs and find the solution.

I can get the logs but not now; I'm not in front of that PC.

Trend Micro Employee
Rexival_Feraer
Posts: 73
Registered: 08-13-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

Hi All,

Thank you for sharing your knowledge to help other users of the community - keep it up.

Hello Tapsikret,

I have edited your post to remove the link on where others can get the samples. Because all of us are curious in nature, some users might click the link and get their machines infected. I know neither of us wants that to happen.

Affiliate
tapsikret
Posts: 8
Registered: 08-18-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

@Rexival_Feraer

That's OK with me if you're going to remove the link.

Anyway, if anybody would want to try their luck on this virus, just PM me and I'll give you the link.

BTW, here is a link from another forum where we have discussed the virus:

[Mod Note: Removed link from post <broken link>]

Stone Esquire
dcasey301
Posts: 1
Registered: 08-30-2009

Re: Anybody knows how to remove this virus? Win32.Virut Virus

I would like a link to this virus... I caught this (my own fault) and it was the nastiest I have ever seen... My only regret is that I did not save it so that I could toy with it on one of my offline systems... I couldn't find anything to defeat it; luckily I learned my lesson long ago and have everything backed up, but it still took my entire system down. Would love to mess around with this monster again... steer clear of this one.
