Virus.Win32.Virut.ce
By: webmaster | Under: Trojan | 11 Feb
Virus.Win32.Virut.ce is a polymorphic file infector: it writes its own code into Windows executable files (.exe, .scr) so that it is executed, and spreads further, every time an infected program is run. It also blocks access to security vendor websites by adding entries to the Windows hosts file (C:\windows\system32\drivers\etc\hosts), and it injects a malicious <iframe> into web files such as .htm, .php and .asp.
Aliases:
W32.Virut.CF, W32/Virut.n, PE_VIRUX.A-1, W32/Scribble-A, Virus:Win32/Virut.BM
Risk Level: High
File Size: Varies
Affected System: Windows
How to Remove Virus.Win32.Virut.ce:
On this page are the removal procedure suggested by the webmaster and the procedures suggested by visitors. We cannot control or evaluate each suggested procedure, so use them at your own risk.
If no suggestion is present for removing a virus, spyware, adware or malware, you may try a standard virus scan, Malwarebytes' Anti-Malware and SUPERAntiSpyware.
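Two of the side effects listed above, the hosts-file blocking and the iframe injection, leave traces that can be checked from a boot CD or from a second machine with the infected drive attached, without running anything on the infected system. The script below is an added example written for this page, not code from the page or from any vendor tool. The vendor domain list, the local-address set and both sample inputs are constructed assumptions; the jL.chura.pl URL in the sample footer is the one a commenter reports further down, but the hiding attributes around it are assumed.

```python
"""Offline triage for the two non-executable Virut side effects named above:
security-vendor names hijacked in the Windows hosts file and hidden <iframe>
tags injected into web files.  Added example; all lists below are assumptions."""
import os
import re

# Assumption: hostnames whose hosts-file hijack would block AV updates or downloads.
SECURITY_DOMAINS = (
    "kaspersky.com", "kaspersky-labs.com", "avg.com", "symantec.com", "drweb.com",
    "avira.com", "malwarebytes.org", "superantispyware.com", "microsoft.com",
)
LEGITIMATE_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname, reason) for hosts lines that point a security-vendor
    name anywhere, or that sinkhole any other non-loopback name to a local address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            lname = name.lower()
            if lname in LEGITIMATE_NAMES:
                continue
            if any(lname == d or lname.endswith("." + d) for d in SECURITY_DOMAINS):
                findings.append((ip, name, "security vendor name hijacked"))
            elif ip in LOCAL_IPS:
                findings.append((ip, name, "name sinkholed to a local address"))
    return findings


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def _attributes(attr_text):
    """Parse 'a="x" b=y' into a lower-cased dict, accepting unquoted values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def injected_iframes(markup, site_hosts):
    """Return the src of every iframe that is hidden (0/1 pixel or CSS-hidden) or
    that loads content from a host not in site_hosts."""
    hits = []
    for m in IFRAME_RE.finditer(markup):
        a = _attributes(m.group(1))
        src = a.get("src", "")
        host = re.sub(r"^[a-z]+://", "", src, flags=re.IGNORECASE).split("/")[0].lower()
        tiny = any(re.sub(r"px$", "", a.get(k, "").strip().lower()) in ("0", "1")
                   for k in ("width", "height"))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden or (host and host not in site_hosts):
            hits.append(src)
    return hits


def scan_web_tree(root, site_hosts, exts=(".htm", ".html", ".php", ".asp")):
    """Walk a mounted web root (e.g. from a boot CD) and map file -> injected srcs."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = injected_iframes(fh.read(), site_hosts)
                if found:
                    report[path] = found
    return report


# Constructed sample inputs (not captured from a real machine).
SAMPLE_HOSTS = """\
# Hosts file, constructed sample
127.0.0.1       localhost
127.0.0.1       kaspersky.com
127.0.0.1       www.avg.com
10.0.0.5        intranet.example    # legitimate internal mapping, not reported
"""

SAMPLE_FOOTER = """\
<div id="footer">&copy; example.com</div>
<iframe src="http://www.example.com/stats.html" width="300" height="80"></iframe>
<iframe src="http://jL.chura.pl/rc/" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for ip, name, why in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts: %-15s %-25s %s" % (ip, name, why))
    for src in injected_iframes(SAMPLE_FOOTER, {"example.com", "www.example.com"}):
        print("iframe:", src)
```

Run it against the real files by passing the hosts file text to `suspicious_hosts_entries` and the mounted web root to `scan_web_tree`. A hosts entry pinning a vendor name is worth treating as an indicator even when the address is not loopback, since redirecting updates to an attacker-controlled host is just as effective at blocking them; legitimate custom entries (internal names pinned to internal addresses) are left alone.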
77 Responses for "Virus.Win32.Virut.ce"
This is the first hit on Google when searching this. The security level on this virus should be extremely high. I have been fighting with it at an accounting firm for a week; after no help from any of the major anti-virus sites and a bunch of tips that failed, this particular virus is much more than most think it is. Beware: it not only attaches itself to basically anything, but it also keeps connections open after it “appears” to be cleaned, continues to eat bandwidth, and it WILL come back.
I advise everybody to use the latest version of Kaspersky and update it.
I’ve been working on a pc for 3 days. I’ve used a deep erase, reformat and it still comes back.
Kaspersky finds the virus, but is usually unable to disinfect or delete it.
The virus attaches to thousands of .exe and .scr files, especially the Windows system .exe’s. AV repair on these files usually results in a corrupted OS.
I’ve been using UBCD, TRK and puppy linux tools.
Someone mentioned using UBCD and Malwarebytes, then following with MS-MRT.
MS says:
Recovery Steps
To detect this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Note: Virus:Win32/Virut.BM’s method of infection may damage some infected files beyond repair. In these cases, in order to return a machine to its pre-infected state, it may be necessary to install a clean backup of the operating system and associated applications.
Bottom Line: FORMAT THE DISK with extreme prejudice.
This is unbelievable !
It’s really one of the great ones. It’s spreading itself through executables, integrating itself and auto-executing each time the procedure is called. It’s creating a network driver in c:\windows\system32\drivers\{random letters}.sys
The driver automatically detects a network connection and downloads the rest of the malware from some other infected stations or headquarters servers. It’s usually creating an executable in C:\Documents and Settings\{username}\Local Settings\Temp or whatever your ~temp directive tells it to.
It’s also creating c:\Documents and Settings\{username}\Local Settings\s_reader.exe
I’ve been able to see it working when calling:
#> netstat -na
from the cmd console. It was connecting itself to the web, receiving HTTP packets.
Even if you reinstall the OS you will eventually call one of the infected executables, which will execute the same procedure and make sure the virus is loaded into memory. The best method:
1| Use BartPE along with Kaspersky Internet Security (I use 7.0.1.135, updated every few hours) - have it updated to the latest, as KAV would not know about the virus until Sunday, Feb. 15 2009. After booting the BartPE CD you will have full access to the infected hard drive. You’ll then be able to use KAV to disinfect.
2| Reinstall a fresh copy of the OS and make sure the first thing you do after being able to see the desktop is to install and update, as fast as possible, Kaspersky Antivirus or Kaspersky Internet Security (I use 7.0.1.135).
3| Have the hard drive moved to another working computer which has the latest antivirus database updated.
WOW… awesome virus. The last time I saw such a cool virus was in DOS! It’s a good programmer’s work. But… it’s destroying our computers and it’s bad…
Yes this virus destroys your operating system. No need to try to fight it, use “ultimate boot cd” to recover your important data and to clean out the virus. Do not backup any executable files! Reformat the drives and reinstall Windows. Don’t try a “repair” installation, format and reinstall. Only sure way to get rid of it for good. Nasty sh*t!
Try this. It’s a free removal tool from AVG.
http://www.avg.com/us.virus-removal.ndi-67762
Wow.
I’m impressed. Pissed as hell, but impressed none the less.
My laptop is a total loss. I’m DBANing it & starting over.
Hope my backups are ok. This thing is the nastiest virus I’ve ever seen. Good luck all who get it. My advice?
Get a Mac.
my antivirus is ????? hahaha hope you know this
What a badass virus, it's killing me lol. Kaspersky is trying to delete it …. I'm still waiting …
The only way to cure the system is to download the live CD from Dr.Web (64MB) and to try to clean the system from the boot CD. That is the only option, except losing all files! I had this virus and fought it for 3 days. I won. Now I have installed Kaspersky and hope it will protect me in the future.
God damn it!!!!!!!
http://www.avg.com/us.virus-removal.ndi-67762
Neither the Live CD nor CureIt helped. Only the free Kaspersky utility recognized the virus as “virus.win32.virut.ce”. Most programs were cured, but system-resident ones are still infected. The fight continues…
(Thinking. if any reason in heuristics?…)
Hi, is there any way to be sure I don't have this virus on my computer? I'm sure I had it; RM Virut (removal tool by AVG) found and cleaned seven infected files. But then I tried an AVG full scan, CureIt, ComboFix, RSIT, AVPTool, and I also scanned some .exe files on virustotal.com, and didn't find anything at all. I just can't believe I would get rid of such a nasty virus only with some simple removal tool…
I have been fighting with this virus for 2 long months and now Kaspersky has disinfected most of my files, but the main problem is that after disinfection, when we try to execute the repaired files, it says that the files are not a valid Win32 application…………………I am now getting XP SP3 and Vista Ultimate and will reformat my PC next week.
god save my external hard drive and its data
I have Windows Vista; Kaspersky detected Virus.Win32.Virut.ce & it either disinfected or deleted a few viruses under C:\Windows\System32\ ….
eg. C:\Windows\System32\dfrgui.exe
next thing I know is files such as control.exe is deleted, system restore file is deleted. Yes, I was unable to do system restore from Start>Programs…….
I had to reboot with recovery option (F8) & was able to restore to previous point. However, I still have viruses & would be really nice if someone could help.
I have this virus, it gives a good fight. I hope I can kill it before it gets to my archive drive. I have used the Symantec Virut cleaner and Avast antivirus; going to do a deep format on the drive, yes, the one that writes 0s to make sure there is no ghost data. It will take long, but it’s the only thing left to do.
I have been infected just 2 reboots ago, so I suggest I’m in the same shit as everybody here… The fun is that I’m on a huge LAN, so I hope it won’t come out of this PC. I’m not calling any procedure outside my PC except the browser coming out of the HTTP proxy.
hxxp://www.avg.com/us.virus-removal.ndi-67762 did not find anything, but when I want to scan the drive from the OS this utility tells me that there is an active virus in memory.. what to do next?
I’m infected too. In my case, this virus puts a <iframe> code on all my “footer.php” files too.
The <iframe> includes the URL jL.chura.pl/rc/: a malware URL.
:(
I REMOVED THIS VIRUS IN 2 HOURS!!!
Here is how:
1. Do a System Restore: choose a day when you did not have the virus.
2. Uninstall your anti-virus program if it is not Avira (it is free!)! (I used Kaspersky, but it is too weak for this virus!)
3. Install free Avira.
4. Scan the complete system!
5. Avira will send all viruses to quarantine.
6. Delete from quarantine ALL FILES (”delete selected object from quarantine…”) that are infected with W32/Cholera (that is what Avira calls Virus.Win32.Virut.ce).
7. Do more full scans, at least 4, as many as it takes until your scans cannot find any virus!
8. That's all, your computer is clean now!
See my story-martyrdom here:
http://forum.avira.com/wbb/index.php?page=Thread&threadID=87809
P.S. Forgot to mention. I had more than 700 Virus.Win32.Virut.ce, but after System Restore only 20.
But after System Restore some viruses stay in the folder System Volume Information.
Destroy them with Avira!
I have known the internet since the time of 28 kbps modems, when we connected over the phone line, and I never saw anything like this. My Kaspersky cannot fight this virus, and when it says that everything is clean and I try to execute one of the cleaned files (like regedit.exe) it tells me again that the file is infected!!!!!
The only possible thing I see here is that the virus was already on the system when I installed Kaspersky; the original installation exe of Kaspersky on the HD is infected.
So when it says that all files are cleaned, it then starts all over again because of the active Kaspersky exe file.
I believe that the only solution is to install an antivirus and keep it active (even infected), then install another antivirus like AVG Free; in this way Kaspersky won’t let the AVG installation files be infected and then AVG can clean everything.
The other way is to format the damn disk and install Windows again.
I have Kaspersky Antivirus 7 MP1. I reloaded XP in safe mode, then removed all threats possible in safe mode, then reloaded in debugging mode and removed the rest of the threats. It works because the virus doesn’t operate in safe or debugging mode.
I’ve been fighting this one for 5 days, it basically wiped out the network. I had to reformat the domain controller and three PCs. A few were able to be recovered with a system restore, but others were not because all the system restore executables were infected. It depended on how fast I caught it.
Regedit and Taskmgr disabled. Network shares attacked speedily. This thing is a bloody work of evil genius.
Symantec Corporate 9 and AVG didn’t detect it until too late. In other words, they missed the primary infection, and only woke up after the secondary packages were dropped.
And get this. One PC has been formatted and reinfected three times! I’m reinstalling the OS and drivers from the OEM Dell CDs, there’s no way they could be infected. Or is there?
I forgot to add, I couldn’t use safe mode because every single system, including the domain controller, blue-screened on any type of safe mode reboot. There are 6 different models of Dell, so the inability to safe boot has to be part of the primary infection.
This is the worst virus I’ve ever had. It infects almost all exe files and consumes a lot of bandwidth (both sent and received packets if you check in the connection manager, esp. if using dial-up).
1. Reinstall Windows
2. Install and ACTIVATE ZoneAlarm Security Suite
3. Block all traffic on port 65520
4. Look if winlogon tries to access the internet; if so, you are still infected!!
5. Block winlogon and Windows Explorer from accessing the internet!!
In regards to my PC that was reinfected three times, I figured out that I had never unplugged it. Powered off - yes, completely unplugged from the wall - no. What a freaking monster this thing is.
I’ve had this virus for 2 weeks and my F-Secure didn’t do anything! The final thing to do, after many experiments, was to format the whole hard drive (got the chance to split it into C: and D:) and re-install EVERYTHING.
A good thing is that my computer is quite “un-personal” so I didn’t have to burn a lot of stuff to a CD. I use Avira antivirus now, it’s free; I lost my F-Secure when I uninstalled and re-installed it. (I’ve paid for it till August!!) I got this bitch-virus when I was downloading games, stupid me!! Must remember not to try it again! It was a bitchy-bitch virus!! ;D
Format HD, reinstall OS. The only guaranteed solution, at the moment.
No doubt, Virut walks all over MS and anti virus utilities. No point in re-installing Windows, it’s time to retire it and use Wine for anything I need that isn’t available in Linux.
I suspect that I got that VIRUS at hxxp://www.xpcodecpack.com/download. I downloaded and installed that codec pack and I got my Avira AntiVir destroyed.
Think I will reformat.
Thought I would provide an update. I doubt I’m out of the clear, but the latest Kaspersky trial version is at least able to display that it detects the damn thing, which is more than anything else I tried, inclusive of Dr. Web - maybe I just wasn’t able to get Dr. Web to update properly. Perhaps I’ll follow up after I’ve either deployed Debian or eradicated Virut. The *easiest* way to see if you’re getting some kind of protection is whether the C:\windows\system32\drivers\etc\hosts file is getting that additional host entry after you reboot. You can also run netstat to observe whether port 65520 is open, and if it is you need to block it quickly (EMSA Port Blocker) or pull your cable (again) rofl Windows sucks
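The two network indicators the commenters above watch for, a socket on port 65520 and winlogon.exe or explorer.exe talking to the network, can be pulled out of saved `netstat -na` or `netstat -nab` output mechanically. The script below is an added example for this page, not code from any commenter or vendor; the sample output is constructed in the column layout Windows XP prints (connection line, then the owning process in brackets when `-b` is used), and that layout, the port, and the process list are assumptions taken from the comments rather than from Virut itself.

```python
"""Parse saved `netstat -na` / `netstat -nab` output and flag the two indicators
the commenters above watch for: any socket on port 65520, and winlogon.exe or
explorer.exe holding a network connection.  Added example; the sample output is
constructed in the column layout Windows XP prints, which is an assumption."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state process")

VIRUT_PORT = 65520                                    # port reported on this page
SUSPECT_PROCESSES = {"winlogon.exe", "explorer.exe"}  # should not be on the network

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")            # '-b' prints the owner as [name.exe]


def parse_netstat(text):
    """Turn netstat text into Conn records; a following [process] line, if any,
    is attached to the connection printed just before it."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m.group(1), m.group(2), m.group(3), m.group(4) or "", ""))
            continue
        p = PROC_RE.match(line)
        if p and conns:
            conns[-1] = conns[-1]._replace(process=p.group(1).lower())
    return conns


def port_of(endpoint):
    """'203.0.113.7:65520' -> 65520, '[::]:135' -> 135, '*:*' -> None."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def flag_virut_indicators(text):
    """Return (Conn, reason) for every line matching one of the two indicators."""
    flagged = []
    for c in parse_netstat(text):
        if VIRUT_PORT in (port_of(c.local), port_of(c.remote)):
            flagged.append((c, "socket on port %d" % VIRUT_PORT))
        elif c.process in SUSPECT_PROCESSES and c.state not in ("", "LISTENING"):
            flagged.append((c, "%s has a network connection" % c.process))
    return flagged


# Constructed sample: what `netstat -nab` might print on an infected XP box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  [svchost.exe]
  TCP    192.168.1.10:1037      203.0.113.7:65520      ESTABLISHED     1468
  [winlogon.exe]
  TCP    192.168.1.10:1052      198.51.100.20:80       ESTABLISHED     2212
  [iexplore.exe]
  TCP    192.168.1.10:1060      203.0.113.9:80         SYN_SENT        1672
  [explorer.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

if __name__ == "__main__":
    for conn, why in flag_virut_indicators(SAMPLE_NETSTAT):
        print("%-4s %-22s -> %-22s %-12s %-14s %s"
              % (conn.proto, conn.local, conn.remote, conn.state, conn.process, why))
```

Capture the output on the suspect machine with `netstat -nab > netstat.txt` (the `-b` column needs an elevated prompt) and feed the file to `flag_virut_indicators`. Note the caveat a commenter raises further up: an infector can keep a connection open after the on-disk files look clean, so an empty result from one run means little; repeat the capture after a cold reboot with the cable unplugged and again after it is reconnected.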
I managed to clean the virus as for now and still in testing stage to see if the virus really is gone. I’m in day 2 right now, and everything seems to be ok.
btw, these are the main tools i used:
Kaspersky 2009 (1 month trial key) + latest virus definitions
drweb cureit
fixvirut - symantec
Cleaning it was a pain in the ass though. Every 30 - 50 Virut threats detected, I stopped the Kaspersky scan & neutralized (disinfect & delete) before re-scanning again. About 400+ threats were detected on my system. It’s advisable to disconnect your PC from the internet & any networks. After the scan finished completely, I ran CureIt (took about 3 hours). Then I used FixVirut, scanning for another few hours. Then I turned off my PC and went to sleep. It took me one whole day to do all this.
The next day, I repeat everything again. The virus subsequently disappeared as I repeat the steps, until all seems to be ok up to this day. I reinstalled damaged system files by running windows xp setup & choose to repair windows. Again, I’m in day 2 of testing stage. Hopefully the virus won’t resurface.
Oh, by the way, don’t forget to turn off system restore. Other people seem to be able to remove this virus too with their own methods. I don’t guarantee my method will work on your system though. And I still don’t want to confirm that my system is already free of this virus as I think it’s still early to say so. I’m going to test my system for a week or more only then I can be sure of it. Cheers.
Wow, what a mess!
I actually have no idea on how I got this virus, but I got it some 4 reboots ago.
I can’t say I fixed it, but I sure came a long way, so here’s what I did. [Ninja edit: Yep! it did work!!]
First of all, disconnect from the internet. Get another computer to download what you need (basically both virut removal tools linked in the comments, the AVG and the Symantec one, plus Kaspersky AV 2009 trial).
Get your XP CD you used for your installation.
Reboot your windows on safe mode and use the Administrator account.
Run “cmd”. From here, create a useful bat file (edit run.bat, for example) containing these 6 lines:
del /f /q C:\windows\explorer.exe
del /f /q C:\windows\taskmgr.exe
del /f /q C:\windows\system32\dllcache\explorer.exe
del /f /q C:\windows\system32\dllcache\taskmgr.exe
expand **YOURCDDRIVE**:\i386\explorer.ex_ C:\windows\explorer.exe
expand **YOURCDDRIVE**:\i386\taskmgr.ex_ C:\windows\taskmgr.exe
The virus doesn’t infect .bat files, so this will be your very useful utility to kill the virus.
So, with your XP CD on your drive, run the bat (always with cmd) and voila! now you have task manager.
Run the task manager (type taskmgr on your cmd prompt) and kill the explorer.exe running.
run your bat again, and now you have an uninfected explorer.exe
Using your task manager, run both virut removing tools AND your KAV09 installer, run them all, get something to drink and/or eat.
Reboot into SAFE MODE AGAIN (with the admin account, not your username), run your nifty .bat again, kill explorer.exe again, run .bat again, run all programs again and make sure that they are not finding anything.
I then realised the virus messed with your login and users, so I created another user from safe mode (called test), ran Windows in debug mode, logged in with the new user (test) and got a fully working Kaspersky. Run it again.
Here’s the part nobody knows, which fixes your XP installation (like a reinstall/repair) but faster and better.
Always on debug mode, with your test user, XP CD on drive, run the following command:
sfc /scannow
It should take a while, so go get dessert.
What it does is it gets a clean copy of each system file that is not exactly the same as in the cd, so it basically gets your system to an almost new state.
It’s very possible that the virus FUBAR’d your main user account, but I can assume by now that that’s the least of your concerns.
Tips:
1) Always have an antivirus running: FFS, KAV2009 costs 13 euros if you buy with 2 other friends (3 licenses, 39 euros) for ONE FULL YEAR. That’s dirt cheap, don’t run cracked antivirus, they will stop working when you need them (Murphy’s law)
2) DON’T use System Restore. It’s useless and it helps most virii hide and reappear. Just have recent backups on a hard drive you DON’T use for any other reason than backups (1 terabyte external HD is around 70 euros now)
3) Use linux. Or mac. And stick to windows for games / 3D design / whatever you really need windows for.
Also, run the following line to restore your Windows default settings / Group Policies:
secedit /configure /db %temp%\temp.mdb /cfg "%systemroot%\inf\defltwk.inf"
If you came so far and your windows is still not working perfectly, a repair might now do the job =)
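The batch-file post above replaces explorer.exe and taskmgr.exe from the XP CD because the copies on disk cannot be trusted, and other commenters report "not a valid Win32 application" errors after an AV "repair". A quick way to decide which executables deserve that treatment is to look at the PE header: normal compiler output starts executing in .text, while an appending file infector typically moves the entry point into the last section and marks that section executable and writable. The checker below is an added example written for this page, not code from the post or from any vendor; the heuristic is a generic one for appended-code infectors, not a Virut signature, and the two sample images it tests against are constructed in memory.

```python
"""Header-level triage for appended-code file infectors.  A PE whose entry point
lands in its last section, or in a writable section, is worth a closer look;
clean compiler output starts in .text.  Added example; the heuristic is generic
(not a Virut signature) and the two sample images are constructed in memory."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(data):
    """Return (AddressOfEntryPoint, [(name, rva, virtual_size, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # same offset in PE32/PE32+
    sections = []
    table = pe + 24 + opt_size
    for i in range(nsect):
        name, vsize, rva, _raw, _ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, chars))
    return entry, sections


def infector_indicators(data):
    """Human-readable reasons this file looks like an appended-code infection."""
    entry, sections = pe_sections(data)
    home = None
    for idx, (_name, rva, vsize, _chars) in enumerate(sections):
        if rva <= entry < rva + max(vsize, 1):
            home = idx
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    name, _rva, _vsize, chars = sections[home]
    hits = []
    if home == len(sections) - 1 and len(sections) > 1:
        hits.append("entry point in last section %s" % name)
    if chars & IMAGE_SCN_MEM_WRITE:
        hits.append("entry section %s is writable" % name)
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        hits.append("entry section %s is not marked executable" % name)
    last_name, _, _, last_chars = sections[-1]
    if last_chars & IMAGE_SCN_MEM_WRITE and last_chars & IMAGE_SCN_MEM_EXECUTE:
        hits.append("last section %s is writable and executable" % last_name)
    return hits


def build_pe(sections, entry):
    """Constructed minimal PE32 header (no code) for testing the checks above."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt = struct.pack("<HBB9I", 0x10B, 0, 0, 0, 0, 0, entry,
                      0x1000, 0x2000, 0x400000, 0x1000, 0x200).ljust(224, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, rva, vs, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return dos + coff + opt + table


# Constructed samples: a normal layout, and one whose entry point was moved into
# an enlarged, now-executable data section (the shape an appending infector leaves).
CLEAN_PE = build_pe([(b".text", 0x1000, 0x200, 0x60000020),
                     (b".data", 0x2000, 0x100, 0xC0000040)], entry=0x1010)
INFECTED_PE = build_pe([(b".text", 0x1000, 0x200, 0x60000020),
                        (b".data", 0x2000, 0x1500, 0xE0000040)], entry=0x2100)


def scan_file(path):
    """Apply the checks to an executable on a mounted (not running) system drive."""
    with open(path, "rb") as fh:
        return infector_indicators(fh.read())


if __name__ == "__main__":
    print("clean   :", infector_indicators(CLEAN_PE))
    print("infected:", infector_indicators(INFECTED_PE))
```

Point `scan_file` at the .exe and .scr files on a drive mounted from a boot CD, never on the running system. Treat the output as a worklist, not a verdict: packed or self-extracting executables legitimately start in a late, writable section, so anything flagged still needs a hash comparison against the copy on the install CD (the `expand` step in the post above does exactly that replacement) or a scan with current signatures.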
Gosh, and I thought I was alone in facing this nightmare. It’s been screwing up my system for weeks now.
Have decided to reformat and start all over. Taking no chances…
I cured the Virut infection on my computer in a couple of days.
Here’s how:
#1: Create a Windows version of the UltimateBootCD using an XP CD’s files and slipstream SP1 and SP2 into the files before you burn the UBCD.
#2: Download DrWeb CureIt! and either configure it as a plugin on the UBCD or burn it to a separate CD to open after you boot the computer. Note: You’ll need two CD ROM drives to do this, as the UBCD takes up one.
#3: Boot up using the UBCD and run CureIt!, delete any files it cannot repair. Then, power down your computer for 5+ minutes after so the virus cannot hide in the memory.
#4: Repeat step 3 until CureIt! no longer detects the virus.
#5: Repair any damaged Windows files with the XP CD, don’t use recovery console, instead select repair installation.
That’s all there is to it, good luck.
Oh yeah, and DISABLE System Restore, it’s absolutely useless and most viruses just hide there to constantly return and cause problems.
Any questions, feel free to ask here.
It would be nice to hear if cleaned computers stayed clean. My virus win32.virut.ce has resurrected twice already. And I hope it does not blacklist IPs somewhere, so that it could send new virus packages to cleaned and newly online computers.
I NEED SOMEONE’S HELP! I have the generic pup.x program on my computer and McAfee can’t remove all of it. Tried system restore, etc., nothing works. Any suggestions? Please reply; it will be greatly appreciated.
Hi community, yes I got this damn virus too. I was spending hours and days on the net (on another PC) to find hints, but on ALL forums they spoke about a “polymere virus” (or similar, my English is not the best, sorry) which is able to change all files itself by adding some 5 kb to exe/dll/scr/html/php files. According to all opinions it is NOT possible to “delete” this file because of its structure; only a full reformat/reinstall helps. Luckily my firewall alerted me that my IE checksum was changed and I immediately disconnected my LAN and all external USB HDDs, so most of my backups were clean. If you have a second HDD, you could add it as an external disk in a box via USB, let the AV remove all infected files, and at least some files (doc/pdf/xls) which you hadn’t updated yet could be rescued.
I think I got it by opening a crack which I checked with Antispyware, NOD32 and Spybot and which was reported to be “clean”. NB: torrents are said to be full of virut.xx lately, so watch out please.
I wonder why I actually waste my memory by having all those “checkers” in my task bar (including firewall), if NONE of them finds the risky file while downloading or while checking after the download ended :(
A last note: DR WEB SOFTWARE did NOT delete these files, it only noticed that they were infected and wrote “files deleted”, but this was NOT true and my system was still messed up with this BS!! None of those free tools of the best-known AV companies removed the virus EITHER! Will make even more backups in future and burn my files regularly - good luck to you all!
It seems like I’ve won the battle against win32.virut.56 (also known as win.virut.ce). Firstly, like the last comment says, I never have Windows Firewall on, I don’t have any antivirus installed, and I don’t have automatic updates on. They have no point, as the “virut” case shows. The only thing that I have and recommend very highly is WINPATROL, which has saved my a** plenty of times, letting me know that something is going on in my computer. Before virut I managed to clean nasty things manually, with regedit and so on. As the comment before mine says, even the latest antivirus programs cannot detect nicely packed virut-containing exe’s, which you can download at crack sites. They show that it’s nicely clean.
Thanks to WinPatrol I knew exactly when virut attacked my system. It showed up with a READER_S.EXE file which was impossible to clean from the registry. And strangely, in the Program Files folder a THUNMAIL folder was created with TESTABD.DLL and TESTABD.EXE inside. THUNMAIL’s content was hidden even after enabling all “show” settings. The OS was loaded with strange .TMP files. In the WINDOWS folder strange EXE files were created in the System32 and Temp folders.
After I tried to repair virut from the infected machine with all the free virut removal tools you can get from the internet, I gave up. I went to plan B. With a clean computer at work I created a bootable Dr.Web live CD and also a Kaspersky bootable CD. I also downloaded miniPE (an OS which boots itself from CD). I scanned my hard disks with the Dr.Web and Kaspersky live CDs (I wanted no cure anymore), so I set the settings so that infected files were deleted. In this case over 4000 files were deleted. After scanning I booted miniPE and discovered that the THUNMAIL folder with its content had survived the scanning. So I deleted it along with the content of the System Volume Information and Temp folders and the system folders (Documents and Settings, Windows, Program Files).
Back at home I connected the smaller hard disk and booted the Dr.Web live CD for memory scanning, just in case. After that I reinstalled Windows. Strangely, I had both of my external hard disks on my computer for a very long time when the machine was infected, but Dr.Web and Kaspersky didn’t detect any virut on them. So as I understand it, virut grows with your program activity. For example, it wrote itself very quickly into active programs like Opera, Daemon Tools, etc. I hope someone who’s desperate and ready to format valuable info will reconsider and try other options.
Used F-Secure, it scans and shows that it's cleaned, but then it pops up later, esp. when executing Windows programs. Maybe my laptop will survive!!!!
Had the same problem and it was a doozy….this is so bad it infects flash drives and you may need to do a complete format on your HD…a quick one will leave enough to start it again…Mal…
OK, this virus seems to be very strong, but when I run Kaspersky 7.0.1 it only shows one infected file, under the name virut.win32.virut. That’s the only notification. I’ll try to erase the file, but the virus is still there. If I reinstall Windows XP does the virus stay on my PC or something? And I’m trying to back up some of my data, such as games and programs; I mean, can this virus really infect the games’ exe and apps too? Should I use the backup on the clean OS or are they infected too? Please, some help, this freaky thing is driving me crazy!!!!
try this one, a rescuedisk.
kaspersky give me i hope it helps let me know i didn’t used it yet
http://downloads.kaspersky-labs.com/devbuilds/RescueDisk/kav_rescue_2008.iso
Been infected… and the main problem is I’m not tech savvy
I’m thinking of giving up T-T
Can I just throw my laptop out the window?
This is one tough infection. I’ve cleaned out well over 5000 files which were infected with Vundo and rootkits etc., and this Virut is a pain in the &$^. I was able to remove a similar infection last year without anything suggested above in all the posts. I will bookmark this page and get back in a few days. (I just started working on the PC “not mine” yesterday, so give me some time and patience.)
We’re approaching this whole malware issue from the wrong perspective. We sit passively behind our little defensive wall of antiviral software, hoping it will be strong enough to protect our systems from the inevitable attacks. We acquiesce to the malicious code-slingers by accepting the reactive, passive and defensive role while leaving them free to attack at will. It’s truly a cyber war where our enemy has taken all of the initiative and holds the active, proactive offense.
Each piece of malware has a source, and some antiviral companies have been able to isolate the countries of origin and occasionally even the cities based upon outbreak concentrations, but so far no one has taken the fight to the malicious code-slinger’s doorstep. Sure, Microsoft puts bounties on the heads of some of the more talented malwareists, and while that is better than nothing, it certainly hasn’t seemed to reduce the introduction of ever more sophisticated malware. Malwareists are free to anonymously disseminate their wares from around the globe with virtually no fear of repercussions or reprisals.
This is a high-stakes war. The cost of defending against malware attacks is staggering, but when you factor in the even greater costs of lost productivity it becomes clear that this is a war we can’t afford to fight passively or on the defensive.
The malwareists drew first blood and continue to attack our systems daily without provocation, and I, for one, am more than sick and tired of just taking it. Beyond the simple misanthropic, anti-social malicious code-slingers, malware is rapidly becoming the weapon of choice for organized cyber-terrorists. The US government’s response to that threat has been to pour more billions of dollars into passive, reactive and defensive systems. How can you win a war by sitting behind a wall and hoping no one figures out how to breach it?
We have to find a way of taking this war to the malwareists instead of fighting every battle in our offices and homes. How is it that the music recording industry can track down and prosecute a suburban single mother whose crime was the illegal downloading of MP3s, but no one can track down the author of the Virut virus? The cost of that mother’s crime only reflected a drop-in-the-bucket hit to the recording industry’s profits, but Virut has cost, and will likely continue to cost, the whole world untold millions of dollars in lost productivity.
The days are gone when all we had to do was run a quick scan with F-Prot to eliminate all traces of malware from our computers. The modern polymorphic malware strains require weeks-long or even months-long efforts to clear, if they can be cleared at all. Pumping money into ever more complicated defense walls only prolongs the inevitable breach while sticking each of us with the bill. The only logical solution is to eliminate the threat at its source… to apply at least as many financial and manpower resources to the task of tracking down and eliminating malwareists as we currently do in building bigger and supposedly better antiviral walls. If the MPAA and the music recording industry can track down copyright violators, then surely the computer industry and the world’s governments can track down malwareists.
The vigilante in me would love to see an application that could accurately reverse-track the origins of malware and then provide the names and addresses of the malwareist. I’d enjoy expressing my frustration to them personally, but I’d certainly settle for their prosecution and punishment under the law.
I removed Virut (Win32.virut.AT) without formatting and it’s quite simple. Here is the procedure:
Needed: Hiren’s BootCD 9.9 (free).
1) Using a clean PC, prepare a bootable Hiren’s BootCD (I used a write-protected USB stick, it’s the same).
2) Start Windows in safe mode, create a new folder, find explorer.exe (c:\windows\explorer.exe) and copy it into the new folder. Do the same for c:\windows\system32\svchost.exe.
3) From Control Panel/System disable ‘System Restore’.
4) Insert the Hiren’s BootCD and start the Kaspersky antivirus tool (included in Hiren’s). It will find a lot of infected files; at the end it will prompt for the action to take for infected files, choose ‘Disinfect’. It will disinfect all the files except the running explorer and svchost (but the ones you copied into the new folder are disinfected).
5) Turn off your PC. Insert the Hiren’s BootCD again and turn it on. Choose to boot using Mini XP (from the main menu of Hiren’s BootCD).
6) From Mini XP access C:, go to the new folder, copy the disinfected explorer.exe and paste it (replace) into the original folder (c:\windows). Do the same for svchost (into c:\windows\system32). Remove the Kaspersky folder from your c:\documents and settings\YourUserName\Settings\Temp folder.
7) Remove the Hiren’s BootCD and reboot your PC from the hard drive. Run the Kaspersky from Hiren’s BootCD again. New infected files could probably be found, but after this the PC is clean.
Note that after the PC is cleaned you need to manually restore some registry entries (like SFCDisable and something else related to the firewall).
Enjoy and remember… never format, if you format the virus wins !!!!!!!!!!!!!
Virus.Win32.Virut.ce
ZoneAlarm found the virus & deleted it even before I launched the downloaded *.exe that contained the virus…
Better to have your PC set up correctly to “catch” or scan all downloads BEFORE you double-click on them…
The best things in life are FREE, remember?
Hi guys & girls.
This is a mean-ass virus.
After reading the entire forum and all comments, and downloading the two scan engines from AVG and Symantec and running the scans, I was left with 2 PCs and my laptop strikingly rotten, affected with the virus.win32.virut.ce.
Yes, formatting the three machines would seem like the best way to go, BUT unfortunately not all of us have the luxury of simply formatting and starting all over.
I followed the advice of Fabietto posted on July 8, 2009, re: the Hiren's BootCD and Kaspersky scans.
The only difference was that the scan detected the infected files but could not disinfect them, only quarantine them. By the third scan on all 3 PCs, they were clean. I even ran a fourth scan just to make sure the monster was slain. Unfortunately it did do a lot of serious damage to the .exe files in \windows\system32, and explorer.exe and svchost.exe were smashed as well.
With these files quarantined and not disinfected, my Windows logon was lost. So the original XP CD was unleashed and a complete XP installation repair was done. (NOT the repair console/panel. It won't work.) Repairing the XP installation only deletes the Windows dir and reinstalls it, thus not losing any other info.
All three PCs are as clean as can be, BUT unfortunately I can only access Windows via Safe Mode. A normal boot only gets to the logon screen where one chooses a user and enters the password, and then the blue screen of horror shows itself, stating:
Stop: c000021a {fatal System error} The windows logon process system process terminated unexpectedly with a status of 0xc000034 (0x00000000 0x0000000) The system has been shut down
This error can be looked up on the Microsoft site AND it explains how to fix it.
If only I could. For reasoning far beyond my years I simply can not do it.
In the meantime I have installed a second copy of XP on one of the PCs so I can access my files on the other installation. Yes, one might argue that, ending up with these results, I simply could have formatted, but what can you do if you don't want to just chuck away your info and let the enemy win? Fight as hard as you can.
Hello everybody. Only became aware of this thing about 5 days ago when the computer started shutting down and various programs became unworkable. Also, all files on my key drive disappeared and the drive had to be reformatted. Can't swear that the virus did this but I can't think of anything else to explain it. Windows Firewall (I'm running XP Pro) reported that I had a Virtob infection but AVG, Zone Alarm, and Ad-aware reported nothing. So after a bit of researching, I found the Kaspersky online scanner. This revealed that quite a lot of files were infected with win32.virut.ce but these could not be deleted by the online scanner. However, Kaspersky are doing a full 30-day trial of Kaspersky Internet Security 2010 and I installed this. On checking drives C, D, and external drive F, Kaspersky found and disinfected, or deleted, about 700 infected files. Reran the program and a few more files were found and treated. I have completed my third scan and the infection seems to have gone. Can't say this will work for everyone but it seems to have worked for me. Worth a try and good luck to you. This is one awkward sob. I will report back if the infection recreates itself in the next few days, but so far it's looking good.
Following on from earlier post, I found that a few vrt.tmp files were appearing in C:\Documents and Settings\LocalService\Local Settings\Temp but Kaspersky was preventing them loading or connecting to the net. I ran the scan next in Safe Mode and this disinfected the few files which could not be done in normal mode. As of this moment, this machine is now completely free, as far as I can see, of Virut and anything else. All programs and files seem to be working normally and the Kaspersky Network Monitor is showing that there are no suspect connections. Just for information, my operating system is XP Pro SP3. Kaspersky seems to have given me the complete solution to this pest. Well worth giving it a try. Free 30 day trial could rid you of this problem.
Seeing a second mention of Hiren’s Boot CD, I wanted to ask if anyone had encountered not being able to access the antivirus tools on this CD? I only get two pages of menus, and neither has the antivirus tools. Does anyone have an idea what I am doing wrong? Or is this virus smart enough to prevent them from loading? I am running on a 64-bit system, if that matters
Well, just to tie up the story on my experiences, I am now a week on from installing Kaspersky and ridding myself of Virut and it has not reappeared. That about says it all. Would highly recommend Kaspersky for ridding yourself of Virut
Bingo, I hope you're right man cuz I don't want to reformat! ESET sucks, didn't do a thing! I'm trying Kas! Thanks for your info!
Hello Lefteris. I hope Kaspersky worked for you in as straightforward a way as it worked for me. Now a fortnight on from the cleaning and no sign of reinfection. Everything, as far as I can see, is working normally. I may have just been lucky and had a variant of the virus which could be cleaned. Let us know if you've managed to get rid of it.
Hey… friends, I will tell how to remove this virus… it's very easy.
Effects of this virus: slows down your PC… causes network errors… formatting the HDD does not remove this virus… your computer automatically shuts down after a few days on startup.
Precautions: don't ever download pirated software… cracks, patches, keys, untrusted toolbars…
How to remove it:
1- Reformat your PC, install the latest Kaspersky version and first update it right to the day.
2- Scan your full system.
3- Now you will find that Kaspersky will detect it but will not disinfect or delete the file.
4- Now go to the reports of the scan… you will find that every partition of your HDD has got the virus.
5- Now go to the first detection… hit the right mouse button… now go to 'open files where……..' You will find detected files; now go to the back option… you will find folders like 'RP1'. Now select all and delete it… do this in every partition till Kaspersky detects none……..
Have a safe day.
update kaspersky 2010 to 12/08/2009 and do a full scan, that works for me, good luck
I used a Linux boot CD to rescue my files (media files and office).
Does anyone know if PDFs or .rar files are infected?
But is it possible that the virus is active if I run my PC with the Linux CD (BackTrack 3)???
Thanks
I’ve removed this virus successfully without formatting. Email me thetechguytom@gmail.com for details, it’s a long hairy process but can be done. We had an outbreak within our internal network at my support office where a win2k3 server w/exchange and AD, tech machine, all computers that were on the bench etc. were infected by thumbdrives plugged in to machines when the virus first struck. Apparently it’s really really easy to spread it. Hit me up and I’ll paste my epic essay.
Hi there, my desktop has been infected with this virus and it is creating havoc. Can't even get online (I'm on my laptop atm!)
Please help!
Kind regards
Rob
This virus is a pain, but I have it contained. My router is a good firewall and I have it set to block all incoming connections on port 65520 and all outgoing connections to Proxima.ircgalaxy.pl, so that means the attackers can't use it. I have also found that using IRC to connect to my local machine on port 65520 gives you control of this virus, so now I am able to change the options, and on my machine it only infects explorer.exe. Too bad it doesn't have a disinfect command.
This virus infected my old HD, so I had no choice but to reinstall WinXP. Then today I accidentally clicked an old executable on that HD and the virus reinfected me. I was in no mood to reinstall, so this is how I dealt with it.
DO NOT START ANY PROGRAMS YET, THEY WILL GET INFECTED
1. Pull the plug on your internet connection, because it will try to connect to its website (jL.chura.pl and maybe others) and download more crap to your PC
2. Go to Task Manager and kill ANY program that looks unfamiliar (this can be tricky if you're not a computer geek)
3. Run services.msc and you'll see at least 2 services running which have NO description. Stop them and then disable them (by right-clicking). Also stop and disable Remote Access Connection Manager and Background Intelligent Transfer Service, if they are running. These are Windows processes, but I think the virus activates them.
4. Repeat step 2 just in case
5. Now you have a choice:
a) You can run Restore, but you have to be very sure that the restore point is clean
b) run your antivirus. A full scan is preferable, but at least C:\Windows\ and C:\Program Files\. The virus infected only logonui.exe in my case and changed the HOSTS file, and created a temporary file in the WINDOWS\TEMP directory, but nothing else. However, if you ran any program while the virus was loaded, that program will be infected too.
This is the stage I am at myself. The virus is removed but my system is still a bit screwed up, because every time I reboot a hidden process iexplore.exe is started, except it's not connecting anywhere. I'm not sure what's starting it, but I dealt with it by killing the process and moving iexplore.exe to a temporary folder.
This virus can get on compact flash sticks. You’ll need to be sure to wipe all those suckers clean or just throw them away if unsure..
I only used Kaspersky 2010 and the AVG link that was mentioned, hxxp://www.avg.com/us.virus-removal.ndi-67762
and I'm done.
Took me about 2 hours (because my PC was just rebooted there wasn't much to scan).
Oh, also cleaned my external hard drive, no problems there. My friend however, who apparently didn't have anti-virus and who waited too long, is completely screwed. He can't even dl the AVG removal tool.
This is a nasty virus! I got hit with it a couple of weeks ago from downloading programs. My antivirus at the time (avast) detected it but couldn't do anything about it. So, I did some research on the net, and was told to download the Kaspersky removal tool. It detected it and was neutralizing it, but the virus was spreading like a forest fire. It got to about 3,000 files infected, and I said forget it. I ended up reformatting and reinstalling the OS. It WORKED! What's really interesting is that I didn't know it at the time, but my flash drive was connected in the back of the tower, and it got infected. After reinstalling everything, I realized that my flash drive was in too. I'm thinking oh no. I ran avast but nothing came up. I've now installed Vipre and ran a scan on the flash drive and it detected and neutralized the virus. Now I'm using Vipre. Been working well.
Confirmed. I agree with the first poster (and the most of you), it sneaked through avast’s protection, I fought this about a week long, that process let me figure out some important stuff.
This malware is probably added by Win32.Agent along with Win32.Delf and b.exe, just to mention the most critical ones and some others (3-4 more)
- It hides on your portable devices such as pendrives portable hard disk or other partitions.
- When you connect to the internet, this will download the whole pack again, causing you more trouble.
- This malware only works on 32-bit based Windows systems. You should consider updating to 64-bit (there are some drawbacks) or try Windows 7.
- Only Win32.Virut will infect files, others should create their own, which you can find in “C:\” and “C:\Windows\system32″ or in “Documents and Settings”
Note: A new version came out in October 2009 and even Kaspersky Labs do not have an update for this infection yet. Although, Kaspersky is able to completely eradicate this virus, thanks to its more advanced and intelligent being, compared to other virusbusters.
Conclusion: I am now using Windows 7 x64, works quite well so far.
Hey.. I got these viruses yesterday (win32/virut and win32/heur). When I read that it infected all the .exe and possibly .jpg files I went nuts, turned off my computer, unplugged my other 2 drives (D: and E:) on it and installed Windows 7 64-bit today. Downloaded AVG Free 9.0 and searched D: and it had 5 infected .exe files, which it said were removed. So it hadn't had the time to spread that far. Now I wonder if it still might spread into my C: where I have my Windows, or if it will continue to spread through my D: and E: (haven't plugged E: in yet, so I don't know how badly infected it is). Or shall I just leave them unplugged until a bulletproof removal program for those viruses is released? Really don't wanna mess up all my pictures and stuff there if it's possible to avoid.. damn.. pics on there since 2002. :/ What to do? Any help would be mostly appreciated.
I had a happy ending, I think.
I got this bug on my Vista laptop on Friday by being stupid. Kaspersky slows down my downloads, so I turned it off. I forgot it was off and tried to install an app from the newsgroups. The first thing Virut did was set my system clock forward to 2049, so Kaspersky thought it had expired 40 years ago! Then it started eating my executables.
I took the laptop HD out and put it in a SATA USB enclosure attached to a Kaspersky-protected desktop. I started moving all the files I wanted to save onto the desktop, and ran Kaspersky against the HD in enclosure. I initially thought I fixed it with Kaspersky and moved it back, but it was still infected. I then adjusted the Kaspersky setting to Maximum Protection and pointed it explicitly to the USB drive. It found and deleted a trojan and 216 files (mostly exe’s) that were infected.
This morning, Sunday, I put the HD back into the laptop and turned it on, fully expecting to have to recover and wipe the HD. Signon went well, but it couldn’t find two dll’s. Kaspersky was still working on the laptop, and found nothing during its startup procedure. The internet is working, I’m posting from the laptop now. Some applications aren’t working because the executables are gone, but others, including MS Office, are.
So it looks like a happy ending.
So for the previous poster and others… IF it’s a laptop that’s infected, it’s really easy to pop out a laptop hard drive, then go to Best Buy or something like it and buy a USB enclosure for it. (Warning, there are two types, SATA and another one.) Attach it to another PC that’s virus protected, and have it run a full maximum check against the drive that’s now via USB. Have it delete anything that’s infected. (Kaspersky does the deletions *after* it finished the full scan.) Then put it back into the laptop and see if it works.
Here’s a question for you tech-savvy guys:
What exactly is the danger of the port (65520) that this thing uses ? Assuming you are able to clear the infection from your system (disk & memory), then is there any chance that it can re-enter ? I am assuming not.
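Two symptoms that several posters describe, a HOSTS file edited to point security vendors' sites elsewhere and an IRC connection on TCP 65520, can be checked for with a little triage code. This is an added example, not something any commenter posted; the vendor domain list, the sample hosts file and the sample netstat lines are constructed, and the port is the one quoted in the thread.

```python
"""Defender-side triage for two Virut symptoms described in the thread:
security sites redirected in the HOSTS file, and IRC traffic on TCP 65520."""
from ipaddress import ip_address
# Watch list of security-vendor domains named by posters (constructed list).
SECURITY_DOMAINS = ("kaspersky.com", "avg.com", "symantec.com", "microsoft.com",
                    "safety.live.com", "malwarebytes.org", "superantispyware.com")
C2_PORT = "65520"  # port quoted by posters in the thread

def hijacked_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that map a security domain anywhere; a clean
    hosts file never names these, so 127.0.0.1, 0.0.0.0 or foreign IPs all count."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            ip_address(ip)                       # skip malformed lines
        except ValueError:
            continue
        for name in names:
            n = name.lower().rstrip(".")
            if any(n == d or n.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((ip, n))
    return hits

def connections_on_c2_port(netstat_text):
    """From `netstat -ano`-style lines, return (pid, remote) for TCP flows whose
    local or remote port is 65520; handles IPv4 and [IPv6]:port forms."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].upper() != "TCP":
            continue                             # header, UDP or blank line
        local, remote, pid = parts[1], parts[2], parts[4]
        if C2_PORT in (local.rpartition(":")[2], remote.rpartition(":")[2]):
            hits.append((pid, remote))
    return hits

# Constructed samples, not captured from a real machine.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.kaspersky.com free.avg.com
0.0.0.0   safety.live.com   # blocks the Microsoft scanner linked above
192.168.1.10 fileserver
"""
SAMPLE_NETSTAT = """  Proto  Local Address        Foreign Address       State        PID
  TCP    192.168.1.5:1044     192.0.2.7:65520       ESTABLISHED  1588
  TCP    192.168.1.5:1051     198.51.100.3:443      ESTABLISHED  2200
"""
```

On a live machine, feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts` and the output of `netstat -ano`; a hit in either list is a reason to keep the box offline and rescan, as the poster above did.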
I've found that using Hiren's 10, both in Windows and MiniXP, and using the following apps - Kaspersky, Malwarebytes, SuperAntiSpyware and SmitFraudFix - manages to get rid of the virus. Then I just go through the hard drive, like C:, temp dirs, Windows, System32, Fonts, System Volume Information, Recycler and Documents and Settings folders, and delete the weird files I find there such as Restorer_32a.exe and Reader_s.exe (found a new one recently, photo_id.exe), and also scan the registry for them and remove them. This seems to be able to get rid of the virus, but I've found a few times there are still bits and pieces of it flying around, so a few more scans and checking the folders and registry again pretty much cleared it up. Kaspersky can disinfect the files, but you will probably have to do a repair on your Windows again.
In one of the earlier posts someone mentioned that he used an IRC program to connect to his computer and managed to alter the options of the virus. I'm curious to know if this is true.
Any Response?