Comments on: Virus.Win32.Virut.ce

By: pakcik

pakcik — Wed, 11 May 2011 14:19:41 +0000

Only one thing I have in my mind right now…..kill those son of a @&%**…….
I have 3 hd in my pc…..one of them is my system….others…all my works….and im already too late…everything must be reformat again…..include my works…cos, everything already infected….. in really crazy mad grrrrrr…….

By: Bipul

Bipul — Tue, 26 Apr 2011 14:29:45 +0000

Hello my pc infected with win32 virut.ce i have kaspersky antivirus. its detected the virus but results shows that postponed. please guide me how to clean the virus.

By: thon

thon — Tue, 26 Oct 2010 20:50:22 +0000

the best solution is to format and re install os,and try avira free anti virus,the virus will gone in 2 hours,

By: oh noes

oh noes — Wed, 09 Jun 2010 06:08:42 +0000

Captured new virut.ce variant; infected userinit.exe , control.exe and cmd.exe from /system32.. confirmed infected by jotti- AVG’s Win32/Virut tool does not detect these infected files. Malwarebytes doesn’t see them either. ~.~

By: seena seena

seena seena — Tue, 18 May 2010 04:23:47 +0000

Blogs are always a main source of getting accurate information and provide you the handy results; you can get instant and reliable information which surely helps you in any field of your concern. I am post graduate in IT and HR. These days I am doing preparation of different online certifications and I found mcdba is the best helping source which is providing 100% authentic material. I also spend my extra time in surfing internet, listening music and playing games. After my exams I would like to join your group.

By: Musik Anima

Musik Anima — Sat, 03 Apr 2010 08:11:22 +0000

this shity i got it from a crack …

yesterday i ran Kaspersky full scan and i got 12 infection of this virus.

And I think all is good now..

Kaspersky maybe has erased all the infections..

I have put the scan to “high”, and it took 12hrs to scan all..

i have no problem actually..but dunno if in future i will get problems..

I will do another scan, to stay assured that there is none of these infections…

this virus is owesome.. :) pc slows a lot during scan also..

pc started to lag…

1st thing to do: update Kaspersky
2nd: disconect from net
3rd: deep very deep scan
4th: restart pc
5th: again a deep deep scan..

then good.. I think problem solved..

By: Bingo

Bingo — Tue, 16 Feb 2010 12:04:19 +0000

Hello All.
I see this little bugger is still doing the rounds. Vicious little sod!
This is a repost of my messages from July 2009 detailing how I got rid of the problem. It is possible that new victims may not read that far back and I hope my experiences are helpful. Good luck! By the way, still free from this virus.

Bingo
July 22nd, 2009 at 1:28 pm 56

Hello everybody. Only became aware of this thing about 5 days ago when the computer started shutting down and various programs became unworkable. Also, all files on my key drive disappeared and the drive had to be reformatted. Can’t swear that the virus did this but I cnn’t think of anything else to explain it. Windows Firewall (I’m running XP Pro) reported that I had a Virtob infection but AVG, Zone Alarm, and Ad-aware reported nothing. So after a bit of researching, I found the Kaspersky online scanner. This revealed that quite a lot of files were infected with win32.virut.ce but these could not be deleted by the online scanner. However, Kaspersky are doing a Full 30 day trial of Kaspersky Internet Security 2010 and I installed this. On checking drives C, D, and External Drive F, Kaspersky found and disinfected, or deleted, about 700 infected files. Reran the program and a few more files were found and treated. I am completed my third scan and the infection seems to have gone. Can’t say this will work for everyone but it seems to have worked for me. Worth a try and good luck to you. This is one awkward sob. I will report back if the infection recreates itself in the next few days, but so far it’s looking good

Bingo
July 22nd, 2009 at 10:48 pm 57

Following on from earlier post, I found that a few vrt.tmp files were appearing in C:\Documents and Settings\LocalService\Local Settings\Temp but Kaspersky was preventing them loading or connecting to the net. I ran the scan next in Safe Mode and this disinfected the few files which could not be done in normal mode. As of this moment, this machine is now completely free, as far as I can see, of Virut and anything else. All programs and files seem to be working normally and the Kaspersky Network Monitor is showing that there are no suspect connections. Just for information, my operating system is XP Pro SP3. Kaspersky seems to have given me the complete solution to this pest. Well worth giving it a try. Free 30 day trial could rid you of this problem.

Bingo
July 31st, 2009 at 8:35 am 59

Well, just to tie up the story on my experiences, I am now a week on from installing Kaspersky and ridding myself of Virut and it has not reappeared. That about says it all. Would highly recommend Kaspersky for ridding yourself of Virut

By: ken.absolute

ken.absolute — Fri, 12 Feb 2010 21:34:53 +0000

I slaved a SATA drive via USB adapter to copy some data off of it…This som’bitch was on it and it jumped to the hosting PC!

It must get deep into all drives that it finds to make them autorun. Anyway – Sunbelts Vipre anti-malware caught it on the hosting computer and kept it from spreading.

The lesson anyway: be sure and hold down the shift key as you insert a USB drive (even if it’s a adapter for IDE/serial/SCSI) to keep it from auto-running.

wow – this thing… it gets deep into sysvol and even maintenance partitions.

I used Darik’s Boot and Nuke (http://sourceforge.net/projects/dban/) for the guest drive (inc maint partition) after reading about the issues here and I’ve not heard from it again.

My guess is people keep on getting reinfected by using their infected-auto-running USB drives or accessing infected .exe’s that they backed up – unless their is some bios component it can load into that I’ve been luckily enough not to have encountered.

By: AZ

AZ — Mon, 25 Jan 2010 08:19:26 +0000

THIS IS THE NASTIEST VIRUS HUMANS HAVE EVER FACED!!!!!!!!! 12 YEARS PC PROFICIENT HAS GIVEN UP AFTER REINSTALLING 64BIT VISTA, WIN 7 XP PRO 10 TIMES…..will completely format now. Installing new OS doesn’t help either, it infects the new OS as well..ANY SUGGESTIONS??????????

By: Liane

Liane — Mon, 18 Jan 2010 00:48:18 +0000

I found out I had this virus last night.
Kaspersky just detected backdoor.win32.papras.t
It’s go time. *-*

By: psog_choudai

psog_choudai — Tue, 12 Jan 2010 23:27:04 +0000

This stupid bugger’s put me a week of hard work into this computer.

I can’t say that I’m 100% free of the stupidity this thing does, but… I might have easy tips for getting rid of the virus, and some pointers to note for people who might be having issues:

1. The virus indiscriminantly infects all .exe and .scr files (even inside .zip, .rar, .7z, or any other kind of archive.) It also infects mostly system .dll files.

2. It does NOT infect any other “media” file. These include .mp3, .ogg, .wav, .avi, .mpg extensions and the like.

3. It doesn’t matter if you have more than one internal or external HDD or Flash drive (or any media that is rewritable), anything that meets the infection criteria WILL get infected.

4. Even if one file is already infected, the virus and any instances running WILL re-infect the same file in a different section of the coding. Thus, multiple scans are necessary to make sure the file is ABSOLUTELY clean.

So… I have a LOT of music and videos that I’m a little too attached to and that I don’t want to lose. When I noticed that this stupid thing targets executables, I realized that I needed to reformat the HDD carrying the OS. I did, and the virus came back.

I then noticed some strange occurrences. Obviously, port 65520 was being accessed by winlogon.exe and explorer.exe. Even though this was a fresh install, I needed to reformat again already.

So, I took up the task of arming myself to clear out this virus from my system with the following tools:

1. Windows XP CD
2. Hiren’s Boot CD v. 10.0
3. Ubuntu v. 8.04 Live CD

Here’s how that worked.

1. I turned off my computer and unplugged the power cord and the Ethernet cable. Left off for 30 min, then plugged the power cord (not ethernet) back in, then booted to Hiren’s Boot CD.
2. I used Hiren’s Boot CD’s partition tools to delete all partitions and destroy the data in the HDD carrying Windows XP.
3. I used the HDD Regenerator in the Hard Disk tools section to check for corrupted sectors. Usually this only applies to physical errors and not so much to data, but if a section has been damaged it’s good to know. Everything came back clean.
4. Went back to Partition Tools and formatted out an NTFS partition for Windows XP.

5. Rebooted and used the Ubuntu Live CD. Using this I was able to get the drivers for anything that I needed on the computer, and clean virus free copies of them because Linux doesn’t have these kinds of virus issues. I also downloaded Virut Removal Tools and Comodo Internet Security and Dr. Web Cure It!. This is good for people that have lost their recovery CDs or their motherboard or display drivers. I placed all these into a clean USB Flash drive. When I copied everything in, I ejected and disconnected the drive.

6. I rebooted into the Windows XP CD. When asked for the desired partition, I performed yet another Format (not quick) on the blank NTFS partition. Proceeded with installing Windows.

7. When Windows loaded, I connected the USB Flash drive and placed its contents on the desktop. Proceeded with installing everything, starting with the basic motherboard drivers all the way to the AV tools and Security software. Ethernet cable is STILL disconnected.

8. Here I noticed none of the system files were behaving erratically. When Comodo Internet Security asked me to update the Virus DB, I then connected the Ethernet cable. Connections were safe, and port 65520 was not being accessed by any program. Definitions were updated, and port 65520 was eventually blocked.

9. Used Dr. Web Cure It! and performed a complete scan of the computer and all disks connected (USB Flash disconnected) overnight. Found a ridiculous amount of instances of Win32.Virut.56. Also found a few miscellaneous backdoors and other trojans.

10. Removed all files mentioned by the Dr. Web scan. Proceeded to scan computer again with Comodo Internet Security AV scan. Few more infections came up, proceeded to remove those as well.

11. Noticed that none of the removed content was on C:\. Proceeded with a deep scan of both HDDs’ “System Volume Information” folder. Found another ridiculous set of instances of Win32.Virut.Ce. Removed them all.

12. This is where I find myself.

Every time I idle my computer and it accesses the screen saver, I notice that my computer has found yet another instance of Virut in the non-Windows HDD’s “System Volume Information” folder. I did just scan again and found more instances, so I removed those.

I just can’t seem to tell whether the virus is still active, or if it’s just remnants. When I use the system, Comodo does not alert me of anything. Also, websites are not blocked, and media files from that HDD do not further aggravate the system as I use them.

Though, I think I’m pretty clear! Hope this helps as another guide and alternative to clear out Virut.

By: zizo

zizo — Tue, 22 Dec 2009 08:28:17 +0000

helooooooooooooooooooooooooo

By: Maybe

Maybe — Tue, 15 Dec 2009 23:37:17 +0000

Hiya all. I don’t recommend this unless you are positive that you have the right firmware. Flash you BIOS. clean computer up, flash again, then clean again. Hope it helps a bit

By: eparico

eparico — Sat, 21 Nov 2009 16:23:24 +0000

I’ve been lucky so far but I’m working on a friends laptop, a mini with no CD ROM drive, that was/is infected with Virut & Delf…the bastards. I didn’t know much about this virus and was unaware it attached itself to flash drives. Lesson learned! My AV program picked up this virus on a flash drive I was moving between my comp and the laptop. I created a bootable USB XP installation, reinstalled the OS on the mini only to find out the flash drive I used was infected. Now, I have to go back and reinstall a second time.

After several scans using McAfee and Kaspersky online scanner (so far), luckily, my computer has not been infected. After doing a bit of research and reading a bunch of message boards, a lot of them say that the best resolution is to format and reinstall the OS. From what I’ve read (check out Spybot S & D message boards and search for Virut), this virus is said to attach itself to exe, scr, htm, html, asp, php, pdf, doc and even jpg files. There might be more that I’m unaware of but to say the least, this has to be one of the nastiest viruses I’ve ever run into.

Some people have said that this virus can be eliminated but I’m not willing to take this risk giving I transport some of my data between home and work with a flash drive. Good luck to anyone who spends days on end trying to fix instead of reinstalling their OS. Computers 101….ALWAYS back up your data in the event something like this should occur. You may spend several hours reinstalling all of your software but it beats spending days on end trying to fix a virus that might come back.

Microsoft has released a security bulletin (967940) with a patch (KB971029) that will disable the AutoRun feature for flash drives to prevent automatic installation of software included (U3, etc) and will help prevent the running of an infected exe file. Best of luck everyone…

By: soulless

soulless — Tue, 17 Nov 2009 11:28:19 +0000

ive found that using hirens 10 both in windows and minixp and using the following apps – Kasperky, Malwarebyte, Superantipyware and smitfraudfx manages to get rid of the virus and then just going through the harddrive like c:, temp dirs, Windows, System32, Fonts, system volume information, recycler, Documents and Settings folders and deleting the weired files i find there such as Restorer_32a.exe and Reader_s.exe (Found a new one recently photo_id.exe) and also scanning the reg for them and removing them. This seems to be able to get rid of the virus but ive found a few times there are still bits and peices of it flying around so a few more scans and checking the folders and reg again pretty much cleared it up but Kaspersky can disinect the files but you will proably have to do a repair on you windows again.

In one of the earlier posts someone mentioned that he used a irc prog to connect to his computer and managed to ulter the options of the virus. Im curious to know if this is true.

By: overkill

overkill — Tue, 10 Nov 2009 14:54:07 +0000

Here’s a question for you tech-savvy guys:

What exactly is the danger of the port (65520) that this thing uses ? Assuming you are able to clear the infection from your system (disk & memory), then is there any chance that it can re-enter ? I am assuming not.

By: Arsby

Arsby — Sun, 08 Nov 2009 17:13:58 +0000

I had a happy ending, I think.
I got this bug on my Vista laptop on Friday by being stupid. Kaspersky slows down my downloads, so I turned it off. I forgot it was off and tried to install an app from the newsgroups. The first thing Virute did was set my system clock forward to 2049, so Kaspersky thought it had expired 40 years ago! Then it started eating my executables.
I took the laptop HD out and put it in a SATA USB enclosure attached to a Kaspersky-protected desktop. I started moving all the files I wanted to save onto the desktop, and ran Kaspersky against the HD in enclosure. I initially thought I fixed it with Kaspersky and moved it back, but it was still infected. I then adjusted the Kaspersky setting to Maximum Protection and pointed it explicitly to the USB drive. It found and deleted a trojan and 216 files (mostly exe’s) that were infected.
This morning, Sunday, I put the HD back into the laptop and turned it on, fully expecting to have to recover and wipe the HD. Signon went well, but it couldn’t find two dll’s. Kaspersky was still working on the laptop, and found nothing during its startup procedure. The internet is working, I’m posting from the laptop now. Some applications aren’t working because the executables are gone, but others, including MS Office, are.
So it looks like a happy ending.
So for the previous poster and others… IF it’s a laptop that’s infected, it’s really easy to pop out a laptop hard drive, then go to Best Buy or something like it and buy a USB enclosure for it. (Warning, there are two types, SATA and another one.) Attach it to another PC that’s virus protected, and have it run a full maximum check against the drive that’s now via USB. Have it delete anything that’s infected. (Kaspersky does the deletions *after* it finished the full scan.) Then put it back into the laptop and see if it works.

By: DonkeyDolck

DonkeyDolck — Tue, 03 Nov 2009 00:10:16 +0000

Hey.. I got these virus yeasterday (win32/virut and win32/heur) When i read about it that it infected all the .exe and possibly .jpg files i went nuts, turned of my computer unplugged my other 2 drives (D: and E:)on it and installed windows 7 64bit today. Downloaded avg free 9.0 and searched D: and it had 5 infected .exe files. wich it said that it was removed. So it hadn’t have the time to spread that far. Now i wonder if it still might spread into my C: where i have my windows or if it will continue to spread through my D: and E: (havn’t plugged E: in yet, so i don’t know how badly infected it is.) Or shall i just leave them unplugged until a bulletproof removal program for those viruses are released? Really don’t wanna mess up all my pictures and stuff there if it’s possible to avoid.. damn.. pics on there since 2002. :/ What to do? Any help would be mostly appreciated

By: Szabolcs

Szabolcs — Sat, 31 Oct 2009 11:11:49 +0000

Confirmed. I agree with the first poster (and the most of you), it sneaked through avast’s protection, I fought this about a week long, that process let me figure out some important stuff.

This malware is probably added by Win32.Agent along with Win32.Delf and b.exe, just to mention the most critical ones and some others (3-4 more)

– It hides on your portable devices such as pendrives portable hard disk or other partitions.
– When you connect to the internet, this will download the whole pack again, causing you more trouble.
– These malware only works on 32-bit based Windows systems. You should consider updating to 64-bit (there are some drawback) or try Windows 7.
– Only Win32.Virut will infect files, others should create their own, which you can find in “C:\” and “C:\Windows\system32″ or in “Documents and Settings”

Note: A new version has come out in October 2009 and even Kaspersky Labs do not have an update for this infection yet. Although, Kaspersky is able to competely eradicate this virus, thanks to it’s more advanced and intelligent being, compered to other virusbusters.

Conclusion: I am now using Windows 7 x64, works quite well that far.

By: uuzoo

uuzoo — Sat, 10 Oct 2009 12:08:18 +0000

This is a nasty virus! I got hit with it a couple of weeks ago from downloading programs. My antivirus at the time ( avast) detected it but couldn’t do nothing about it. So, I did some research on the net, and was told to download Kaspersky removal tool. It detected it, and was neutralizing it, but the virus was spreading like a forest fire. It got to about 3,000 files infected, and I said forget it. I ended up reformatting and reinstalling OS. It WORKED! What’s really interesting is that I didn’t know it at the time but my flashdrive was connected in the back of the tower, and it got infected. After reinstalling everything. I realized that my flashdrive was in too. I’m thinking oh no. I ran avast but nothing came up. I’ve now installed Vipre and ran scan on the flashdrive and it detected and neutralized the virus. Now I’m using Vipre. Been working well.

By: itchy

itchy — Wed, 07 Oct 2009 23:06:14 +0000

ow also cleaned my external hard drive no problems there. my friend however who apparently didnt have anti-virus. and who waited to long is completely screwed. he cant even dl the avg removal tool

By: itchy

itchy — Wed, 07 Oct 2009 23:04:07 +0000

i only used kaspersky 2010 and the avg link that was mentioned hxxp://www.avg.com/us.virus-removal.ndi-67762
and im done.
took me about 2 hours (because my pc was just rebooted there wasnt mutch to scan)

By: SChalice

SChalice — Thu, 01 Oct 2009 02:34:44 +0000

This virus can get on compact flash sticks. You’ll need to be sure to wipe all those suckers clean or just throw them away if unsure..

By: Joe

Joe — Sun, 20 Sep 2009 22:01:07 +0000

This virus infected my old HD, so I had no choice but to reinstall WinXP. Then today I accidently clicked an old executable on that HD and the virus is reinfected me. I was in no mood to reinstall so this is how I dealt with it.

DO NOT START ANY PROGRAMS YET, THEY WILL GET INFECTED

1. Pull the plug on your internet connection, because it will try to connect to its website (jL.chura.pl and maybe others) and download more crap to your PC

2. Go to Task Manager and kill ANY program that looks unfamiliar (this can be tricky, if you’re a not a computer geek)

3. Run services.msc and you’ll see at least 2 services running which have NO description. Stop them and then disable them (by right clicking). Also stop and disable Remote Access Connection Manager, and Background Intelligent Transfer System, if they are running. These are Windows processes, but I think the virus activates them.

4. Repeat step 2 just in case

5. Now you have a choice:
a)You can run restore, but you have to be very sure that the restore is clean
b) run your antivirus. A full scan is preferable, but at least C:\Windows\ and C:\Program Files\. The virus infected only logonui.exe in my case and changed the HOSTS file, and created a temporary file in the WINDOWS\TEMP directory, but nothing else. However, if you ran any program while the virus was loaded, that program will be infected too.

This is the stage on which I am myself. The virus is removed but my system is still a bit screwed up, because everytime I reboot a hidden process iexplore.exe is started, except it’s not connecting anywhere. I’m not sure what’s starting it, but I dealt with it by killing the process and moving iexplore.exe to a temporary folder.

By: Fennec the sysop

Fennec the sysop — Sun, 20 Sep 2009 20:07:51 +0000

This virus is a pain but I have it contained ,my router is a good firewall and I have it set to block all incoming connections on port 65520 and all outgoing connections to Proxima.ircgalaxy.pl so that means the attackers cant use it I have also found that using IRC to connect to my local machine on port 65520 gives you control of this virus so now I am able to change the options and on my machine it only infects explorer.exe too bad it dosent have a disinfect command

By: Rob Cullum

Rob Cullum — Sun, 23 Aug 2009 13:30:06 +0000

Hi there, my desktop has been infected with this virus and it is creating havoc . Casn’t even get online (I’m on my laptop atm!)
Please help!
Kind regards
Rob

By: The Tech Guy Tom

The Tech Guy Tom — Fri, 21 Aug 2009 23:54:43 +0000

I’ve removed this virus successfully without formatting. Email me thetechguytom@gmail.com for details, it’s a long hairy process but can be done. We had an outbreak within our internal network at my support office where a win2k3 server w/exchange and AD, tech machine, all computers that were on the bench etc. were infected by thumbdrives plugged in to machines when the virus first struck. Apparently it’s really really easy to spread it. Hit me up and I’ll paste my epic essay.

By: i hat this virus

i hat this virus — Sat, 15 Aug 2009 12:30:12 +0000

i used a linux boot cd to rescue my files(media files and office)
knows any one if pdf’s or .rar files are infected?
but is it possible that the virus is active if i run my pc with the linux cd( back track 3) ???

THAnks

By: sephiroth

sephiroth — Thu, 13 Aug 2009 23:54:42 +0000

update kaspersky 2010 to 12/08/2009 and do a full scan, that works for me, good luck

By: Adnan Rulezzzzzzz

Adnan Rulezzzzzzz — Sun, 09 Aug 2009 04:53:32 +0000

hey…….friends i will tell how to remove this virus…its very easy
effects of this virus—…slows down ur pc….causes network error….formatting hdd does not remove this virus…ur comp automatically shut down after few days on start ups
precautions—dont ever download pirated software…cracks,patches,keys,untrusted toolbars….
how to remove it-
1- reformat ur pc
-install kaspersky latest version n first update it right to the day
2-scan ur full system..
3-now u will find that kaspersky will detect it bt will not disinfect or delete the file
4-now go to the reports of the scan…u will find that every partition of ur hdd had got the virus..
5-now go to the first detection..hit right mouse button …now go to ‘open files where……..’ u will find dtected files now go to back option…u will find folders like’RP1′ now select all and delete it..do this in every partition till kaspersky detects none……..
have a safe day.

By: Bingo

Bingo — Sat, 08 Aug 2009 13:04:24 +0000

hello Lefteris. I hope Kaspersky worked for you in as straightforward a way as it worked for me. Now a fortnight on from the cleaning and no sign of reinfection. Everything, as far as I can see, is working normally. I may have just been lucky and had a variant of the virus which could be cleaned. Let us know if you’ve managed to get rid of it

By: Lefteris

Lefteris — Tue, 04 Aug 2009 00:55:20 +0000

Bingo I hope youre right man cuz i dont want to reformat! Eset sucks didnt do a thing! Im trying Kas! Thanx for your info!

By: Bingo

Bingo — Fri, 31 Jul 2009 08:35:47 +0000

By: PaperTowelAddict

PaperTowelAddict — Thu, 23 Jul 2009 16:56:20 +0000

Seeing a second mention of Hiren’s Boot CD, I wanted to ask if anyone had encountered not being able to access the antivirus tools on this CD? I only get two pages of menus, and neither has the antivirus tools. Does anyone have an idea what I am doing wrong? Or is this virus smart enough to prevent them from loading? I am running on a 64-bit system, if that matters

By: Bingo

Bingo — Wed, 22 Jul 2009 22:48:40 +0000

By: Bingo

Bingo — Wed, 22 Jul 2009 13:28:57 +0000

By: LateNeo

LateNeo — Sat, 18 Jul 2009 00:43:42 +0000

Hi guys & girls.

This is a mean ass virus

After reading the entire forum and all comments, downloaded the two scan engines from AVG and Symantec running the scans, I was left with 2 pc’s and my laptop strikingly rotten effected with the virus.win32.virut.ce.

Yes formatting the three machines would seem like the best way to go BUT unfortunately not all of us have the luxury of simply formatting and starting all over.

I followed the advice of Fabietto posted on July 8, 2009 . Re : the hiren’s bootcd and Kasperskey scans.

The only difference was that the scan detected the infected files but could not disinfect them, but only quarantine them. By the third scan on all 3 pc’s, they were clean. I even ran a fourth scan just to make sure the monster were slain. Unfortunately it did do a lot of serious damage to the .exe files in the \windows\system32 as wél as the explorer.exe and the scvhost.exe were smashed.

With these files quarantined and not disinfected my windows logon was lost. So the original XP cd was unleashes and a complete xp installation was repaired. (NOT the repair console/panel. It wont work ) Repairing the XP installation only deletes the windows dir and reinstalls it, thus not loosing any other info.

All three pc’s are as clean as can be, BUT unfortunately I can only access windows via safe mode. Normal boot only comes to the logon screen where one chooses a user, enters the password and then the blue screen of horror shows itself stating :

: Stop: c000021a {fatal System error} The windows logon process system process terminated unexpectedly with a status of 0xc000034 (0×00000000 0×0000000) The system has been shut down

This error can be looked up on the Microsoft site AND it explains how to fix it.
If only I could. For reasoning far beyond my years I simply can not do it.

In the mean time I have installed a second copy of XP on one of the pc’s so I can access my files on the other installation. Yes one might argue that ending up with these result I simply could of formatted, but what can you do if you don’t want to just chuck away your info and let the enemy win. Fight as hard as you can.

By: Jack Legg

Jack Legg — Tue, 14 Jul 2009 14:06:20 +0000

Virus.Win32.Virut.ce

ZoneAlarm found the virus & deleted it even before I launched the downloaded *.exe that contained the virus…

Better to have your PC set-up correctly to “catch” or scan all downloads BEFORE you double-click on them…

The best tings in life are FREE, remember?

By: Fabietto

Fabietto — Wed, 08 Jul 2009 08:07:03 +0000

I removed Virut (Win32.virut.AT) without formatting and it’s quite simple. Here the procedure:

Needed: Hiren’s Bootcd 9.9 (free).

1) Using a clean PC prepare a bootable Hiren Bootcd (i used a write protected USB stick, it’s yhe same)

2) Start windows in safe mode, create a new folder, find explorer.exe (c:\windows\explorer.exe) and copy it in the new folder. Do the same for c:\windows\system32\svchost.exe.

3) From control panel/System disable the ‘System restore’.

4) insert the Hiren Bootcd and start the Kaspersky antivirus tool (included in Hiren). It will find a lot of infected file; at the end it will prompt the action to do for infected files, choose ‘Disinfect’. It will disinfect all the files except the running explorer and svchost ( but that you copied in the new folder are disinfected).

5) Turn of your PC. Insert again the Hiren BootCD and turn On. Choose to bootstrap using Mini XP (from the main menu of Hiren bootcd).

6) From Mini XP access to C:, go to the new folder, copy the disinfected explorer.exe and paste it (replace) into the original folder (c:\windows). Do the same for svchost (into c:\windows\system32). Remove the Kaspersky folder from your c:\documents and settings\YourUserName\Settings\Temp folder.

7) Remove the Hiren Bootcd and reboot your pc from hard drive. Run again the Kaspersky from Hiren Bootcd. New infected files could be probably found, but after this the PC is cleaned.

Note that after the PC is cleaned you need to manually restore some registry entries (like SFCDisable and something else related to the firewall).

Enjoy and remember… never format, if you format the virus win !!!!!!!!!!!!!

By: Dylanthehardway

Dylanthehardway — Sun, 05 Jul 2009 17:27:50 +0000

We’re approaching this whole malware issue from the wrong perspective.
We sit passively behind our little defensive wall of antiviral software
hoping they’ll be strong enough to protect our systems from the
inevitable attacks. We acquiesce to the malaicious code slinger’s
by accepting the reactive, passive and defensive role while leaving
them free to attack at will. It’s truely a cyber war where our enemy
has taken all of the inititive and holds the active, proactive offense.

Each piece of Malware has a source and some antiviral companies have been
able to islolate the countries of origin and occasionally even the cities
based upon outbreak concentrations, but so far no one has taken the fight
to the malicious codeslinger’s doorstep. Sure, Microsoft puts bounties on
the heads of some of the more talented malwareists, and while being better
than nothing, it certainly hasn’t seemed to reduce the new introductions
of ever more sophistocated malware. Malwareists are free to anomously
diseminate their wares from around the globe with virtually no fear
of reprecusions or reprisals.

This is a high stakes war. The cost of defending against malware attacks
is staggering, but when you factor in the even greater costs of lost
productivity it becomes clear that this is a war we can’t afford to
fight passively or on the defensive.

The Malwarists drew first blood and contiunue to attack our systems
daily without provocation and I, for one am more than sick and tired
of just taking it. Beyond the simple misenthropic, anti-social malicious
code-slingers, Malware is rapidly becoming the weapon of choice for
organized cyber-terrorists. The US government’s response to that threat
has been to pour more billions of dollars into passive, reactive and
defensive systems. How can you win a war by sitting behind a wall and
hoping no one figures out how to breach it?

We have to find a way of taking this war to the malwarists instead of
fighting every battle in our offices and homes. How is it that The
music recording industry and track down and prosecute a suburban single-mother
whose crime was the illegal dowloading of MP3′s, but no one can track
down the author of the Virut virus? The cost of that mother’s crime
only reflected a drop-in-the-bucket hit to the recording industry’s profits,
but Virut has, and will likely continue to cost the whole world untold
millions of dollars in lost productivity.

The days are gone when all we had to do was run a quick scan with
f-prot to eliminate all traces of malware from our computers.
The modern polymorphic malware strains require weeks-long or even
months-long efforts to clear, if they can be cleared at all.

Pumping money into ever more complicated defense walls only prolongs
the inevitable breach while sticking each of us with the bill. The only
logical solution is to eliminate the threat at its source…to apply at
least as many finacial and manpower resources to the task of tracking
down and eliminating malwarists as we currently do in building bigger
and supossedly better antiviral walls. If the MPAA and the Music Recording
Industry can track down copyright violators then surely the computer
industry and the world’s governments can track down malwarist.

The vigilante in me would love to see an application that could accurately
reverse track the origins of malware and then provide the names and
addresses of the malwarist. I’d enjoy expressing my frustration to them
personally, but I’d certainly settle for their prosecution and
punishment under the law.

By: Gmanson

Gmanson — Sun, 28 Jun 2009 18:41:48 +0000

This is one tough infection. Ive cleaned out well over 5000 files which were infected with vundo and rootkits etc and this virut is a pain in the &$^. I was able to remove a similar infection last year without anything suggested mentioned above in all posts. I will bookmark this page and get back in a few days. (I just started working on the pc “not mine” yesterday so give me some time and patience).

By: toy

toy — Mon, 15 Jun 2009 07:20:41 +0000

been infected… and the main problem is im no tech savvy
im thinking of giving up T-T
can i just throw my lappy out the window?

By: mastermind

mastermind — Fri, 12 Jun 2009 19:10:57 +0000

try this one, a rescuedisk.
kaspersky give me i hope it helps let me know i didn’t used it yet

http://downloads.kaspersky-labs.com/devbuilds/RescueDisk/kav_rescue_2008.iso

By: cristhian

cristhian — Sun, 31 May 2009 03:50:47 +0000

ok, this virus seems to be very strong, but when i run kaspersky 7.0.1, only shows one infected file, under the name :virut.win32.virut, that’s the only notification, i’ll try to erase the file and the virus still there, if i reinstall windows xp the virus stay on my pc or something? and i try to back up some of mi data, such as games and programs, i mean this virus can really infect the games exe and apps too? should i use the back up on the clean os or they’re infected too? please, some help, this freaky thing is driving me crazy!!!!

By: bamamal

bamamal — Wed, 27 May 2009 20:34:05 +0000

Had the same problem and it was a doozy….this is so bad it infects flash drives and you may need to do a complete format on your HD…a quick one will leave enough to start it again…Mal…

By: martine

martine — Thu, 07 May 2009 09:32:25 +0000

used F_secure, scans n shows that cleaned, but then pops up l8er esp. when executing windows progs. maybe my lapie will survive!!!!

By: Rico

Rico — Mon, 04 May 2009 08:14:31 +0000

It seems like i’ve won the battle against win32.virut.56 (also known as win.virut.ce). Firstly like last comment says, i don’t have NEVER windows firewall on, i don’t have any antivirus installed, i don’t have automatic updates on. They have no point as “virut” case shows. The only thing that i have and recommend very highly is WINPATROL, which has saved my a** plenty of times, letting me know that something is going on in my computer. Before virut i managed to clean nasty things manually and with regedit and so on. As comment before mine says – even latest antivirus progs cannot detect nicely packed virutcontained exe’s, what you can download at cracksites. They show that its nicely clean. Thanks to Winpatrol I knew exactly when virut attacked my system. It flow up with READER_S.EXE file which was impossible to clean from registry. And strangely, in Program Files folder was created THUNMAIL folder with TESTABD.DLL and TESTABD.EXE inside. THUNMAIL content was hidden even after enabling all seeing settings. Op. sys. was loaded with strange .TMP files. In WINDOWS folder strange EXE files were created in System32 and Temp folder. After i tried to repair virut from inflected machine with all free virut removal tools you can get from internet, i gave up. I went to plan B. With clean computer at work i created bootable Dr.Web’s live cd and also Kaspersky bootable cd. I downloaded also miniPE (op. sys. which boots himself from cd). I scanned my harddisks with Dr.Web and Kaspersky live cd’s (I wanted no cure anymore) so i did set the settings so that inflected files were deleted. In this case there was over 4000 files deleted. After scanning i booted miniPE and discovered that THUNMAIL folder with its content has survived the scanning. So i deleted it along with content of System Volume Information and Temp folders, system folders (Documents and Settings, Windows, Program Files). Back at home i connected smaller harddisk and booted Dr.Web live cd for memory scanning, just for any case. After that i reinstalled windows. Strangely i had both of my external harddisks on my computer very long time when the machine was inflected, but Dr.Web or Kaspersky didnt detect any virut on them. So as i understand virut is growing after your program activity. For example it wrote himself very quickly to active programs like Opera, daemon tools, etc. Hope someone who’s desperate and ready to format valuable info will reconsider and try other options.

By: dixie

dixie — Mon, 04 May 2009 00:01:10 +0000

Hi community, yes I got this damn virus too. Was spending hours and days on the net (on other pc) to find hints, but on ALL forums they spoke about “polymere virus” (or similar, my English is not the best, sorry) which is able to change all files itself by adding some 5 kb to exe/dll/scr/html/php files. According to all opinions it is NOT possible to “delete” this file because of its structure, only a full reformat/reinstall helps. Luckily my firewall alerted me that my IE checksum was changed and I disconnected immediately my LAN and all external USB HDDs, so most of my backups were clean. If you have a second HDD, you could add it as an external disk in a box via USB, let the AV remove all infected files and at least some files (doc/pdf/xls) which you hadnt updated yet could be rescued.

I think I got it by opening a crack which I checked with Antispyware, NOD32 and Sypbot and which was reported to be “clean”. Nb: torrents are said to be full of virut.xx the last time, so watch out please.

I wonder why I actually waste my memory by having all those “checkers” in my task bar (including firewall), if NONE of them finds the risky file while downloading or while checking after the download ended :(

A last note: DR WEB SOFTWARE did NOT delete these files, it only noticed that they were infected and wrote “files deleted”, but this was NOT true and my system was still messed up with this BS!! None of those free tools of the most know AV companies removed the virus EITHER! Will make even more backups in future and burn my files regulary – good luck for you all!

By: mantmya

mantmya — Thu, 30 Apr 2009 01:37:22 +0000

I NEED SOMEONE’S HELP! I have the generic pup.x program on my computer and Mcafee can’t remove all of it tried system restore, etc, nothing works any suggestions please reply will be greatly appeciated.

By: Rico

Rico — Wed, 29 Apr 2009 12:04:05 +0000

It whould be nice to hear if cleaned computers stayed clean. My virus win32.virut.ce is resurrected twice already. And I hope it does not blacklist IP-s somewhere, so that it could send new virus packages to cleaned and newly online computers.

By: Cobra

Cobra — Wed, 29 Apr 2009 07:32:12 +0000

Oh yeah, and DISABLE System Restore, it’s absolutely useless and most viruses just hide there to constantly return and cause problems.

Any questions, feel free to ask here.

By: Cobra

Cobra — Wed, 29 Apr 2009 07:25:34 +0000

I cured the Virut infection on my computer in a couple of days.

Here’s how:

#1: Create a Windows version of the UltimateBootCD using an XP CD’s files and slipstream SP1 and SP2 into the files before you burn the UBCD.

#2: Download DrWeb CureIt! and either configure it as a plugin on the UBCD or burn it to a separate CD to open after you boot the computer. Note: You’ll need two CD ROM drives to do this, as the UBCD takes up one.

#3: Boot up using the UBCD and run CureIt!, delete any files it cannot repair. Then, power down your computer for 5+ minutes after so the virus cannot hide in the memory.

#4: Repeat step 3 until CureIt! no longer detects the virus.

#5: Repair any damaged Windows files with the XP CD, don’t use recovery console, instead select repair installation.

That’s all there is to it, good luck.

By: cy

cy — Tue, 28 Apr 2009 08:46:55 +0000

Gosh, and I thought I was alone in facing this nightmare. It’s been screwing up my system for weeks now.
Have decided to reformat and start all over. Taking no chances…

By: Patrik

Patrik — Sun, 26 Apr 2009 13:07:47 +0000

Also, run the following line to restore your Windows default settings / Group Policies:

secedit /configure /db %temp%\temp.mdb /cfg “%systemroot%\inf\defltwk.inf

If you came so far and your windows is still not working perfectly, a repair might now do the job =)

By: Patrik

Patrik — Sat, 25 Apr 2009 23:07:18 +0000

Wow, what a mess!
I actually have no idea on how I got this virus, but I got it some 4 reboots ago.

I can’t say I fixed it, but I sure came a long way, so here’s what I did. [Ninja edit: Yep! it did work!!]

First of all, disconnect from the internet. Get another computer to download what you need (basically both virut removal tools linked in the comments, the AVG and the Symantec one, plus Kaspersky AV 2009 trial).

Get your XP CD you used for your installation.
Reboot your windows on safe mode and use the Administrator account.

Run “cmd”. From here, create a useful bat file (edit run.bat, for example) containing this 6 lines:

del /f /q C:\windows\explorer.exe
del /f /q C:\windows\taskmgr.exe
del /f /q C:\windows\system32\dllcache\explorer.exe
del /f /q C:\windows\system32\dllcache\taskmgr.exe
expand **YOURCDDRIVE**:\i386\explorer.ex_ C:\windows\explorer.exe
expand **YOURCDDRIVE**:\i386\taskmgr.ex_ C:\windows\taskmgr.exe

The virus doesn’t infect .bat files, so this will be your very useful utility to kill the virus.
So, with your XP CD on your drive, run the bat (always with cmd) and voila! now you have task manager.
Run the task manager (type taskmgr on your cmd prompt) and kill the explorer.exe running.
run your bat again, and now you have an uninfected explorer.exe

Using your task manager, run both virut removing tools AND your KAV09 installer, run them all, get something to drink and/or eat.

Reboot into SAFE MODE AGAIN (with the admin account, not your username), run your nifty .bat again, kill explorer.exe again, run .bat again, run all programs again and make sure that they are not finding anything.

I then realised the virus messed with your login and users, so I created another user from safe mode (called test), and run windows in debug mode, login in with the new user (test) and you’ll get fully working kaspersky. Run it again.

Here’s the part nobody know which fixes your XP installation (like a reinstall/ repair) but faster and better.
Always on debug mode, with your test user, XP CD on drive, run the following command:

sfc /scannow

It should take a while, so go get dessert.

What it does is it gets a clean copy of each system file that is not exactly the same as in the cd, so it basically gets your system to an almost new state.

It’s very possible that the virus FUBAR’d your main user account, but I can assume by now that that’s the least of your concerns.

Tips:
1) Always have an antivirus running: FFS, KAV2009 costs 13 euros if you buy with 2 other friends (3 licenses, 39 euros) for ONE FULL YEAR. That’s dirt cheap, don’t run cracked antivirus, they will stop working when you need them (Murphy’s law)

2) DON’T use System Restore. It’s useless and it helps most virii hide and reappear. Just have recent backups on a hard drive you DON’T use for any other reason than backups (1 terabyte external HD is around 70 euros now)

3) Use linux. Or mac. And stick to windows for games / 3D design / whatever you really need windows for.

By: Curt

Curt — Sat, 25 Apr 2009 06:11:29 +0000

Oh, by the way, don’t forget to turn off system restore. Other people seem to be able to remove this virus too with their own methods. I don’t guarantee my method will work on your system though. And I still don’t want to confirm that my system is already free of this virus as I think it’s still early to say so. I’m going to test my system for a week or more only then I can be sure of it. Cheers.

By: Curt

Curt — Sat, 25 Apr 2009 05:56:02 +0000

I managed to clean the virus as for now and still in testing stage to see if the virus really is gone. I’m in day 2 right now, and everything seems to be ok.

btw, these are the main tools i used:

kapersky 2009 (1 month trial key) + lastest virus definition
drweb cureit
fixvirut – symantec

Cleaning it was a pain in the ass though. Every 30 – 50 virut threats detected, i stopped the kapersky scan, & neutralize (disinfect & delete) before re-scanning again. About 400+ threats detected on my system. It’s advisable to disconnect your pc from the internet & any networks. After scan finished completely, I ran cureit (took about 3 hours). Then I used fixvirut, scan for another few hours. Then I turned off my pc, and went to sleep. It took me one whole day to do all these.

The next day, I repeat everything again. The virus subsequently disappeared as I repeat the steps, until all seems to be ok up to this day. I reinstalled damaged system files by running windows xp setup & choose to repair windows. Again, I’m in day 2 of testing stage. Hopefully the virus won’t resurface.

By: Virut Pwned Windows

Virut Pwned Windows — Sat, 25 Apr 2009 05:29:53 +0000

Thought I would provide an update, I doubt I’m out of the clear but the latest Kapersky trial version is at least able to display that it detects the damn thing, which is more than anything else I tried, inclusive of dr. web – maybe I just wasn’t able to get the dr. web to update properly. Perhaps I’ll follow up after I’ve either deployed devian or eradicated virut. The *easiest* way to see if you’re getting some kind of protection is whether the C:\windows\system32\drivers\etc\hosts file is getting that additional host entry after you reboot. You can also run netstat to observe whether port 65520 is open, and if it is you need to block it quickly (EMSA Port Blocker) or pull your cable (again) rofl Windows sucks

By: Rodrigo

Rodrigo — Thu, 23 Apr 2009 17:38:44 +0000

I suspect that I got that VIRUS at hxxp://www.xpcodecpack.com/download. I downloaded and intalled that codec pack and I got my avira antivir destroyed.
Think I will reformat.

By: Virut pwned Windows

Virut pwned Windows — Thu, 23 Apr 2009 05:55:46 +0000

No doubt, Virut walks all over MS and anti virus utilities. No point in re-installing Windows, it’s time to retire it and use Wine for anything I need that isn’t available in Linux.

By: Mordred

Mordred — Thu, 23 Apr 2009 01:02:04 +0000

Format HD, reinstall OS. The only guaranteed solution, at the moment.

By: Miranda

Miranda — Tue, 21 Apr 2009 09:54:21 +0000

I´ve had this virus for 2 weeks and my f-secure didn´t do anything! The final thing to do, after many experiments, was to format the whole harddrive (got the chance to split it to C: and D:) and re-installed EVERYTHING.
A good thing is that my computer is quite “un-personal” so I didn´t have to burn a lot of stuff to a cd. I use now Avira anti virus, it´s free, I lost my f-secure when I uninstalled and re-installed it. (I´ve paid for it til august!!) I got this bitch-virus when I was downloading games, stupid me!! Must remember not to try it again! It was a bitchy-bitch virus!! ;D

By: Jay Converse

Jay Converse — Sun, 19 Apr 2009 19:27:38 +0000

In regards to my PC that was reinfected three times, I figured out that I had never unplugged it. Powered off – yes, completely unplugged from the wall – no. What a freaking monster this thing is.

By: Kope

Kope — Thu, 16 Apr 2009 05:16:20 +0000

This is the worst virus I’ve ever had. It infects almost all exe file n consumes lot of bandwidth (both sent n received packets if u check in conn manager esp. if using dial up).
1. Reinstall windows
2. Install n ACTIVATE ZoneAlarm Sec.Suite
3. Block all port 65520
4. Look if winlogon try to access internet then u still infected!!
5. Block winlogon n win.explorer from accessing internet!!

By: Jay Converse

Jay Converse — Wed, 15 Apr 2009 14:59:16 +0000

I forgot to add, I couldn’t use safe mode because every single system, including the domain controller, blue-screened on any type of safe mode reboot. There are 6 different models of Dell, so the inability to safe boot has to be part of the primary infection.

By: Jay Converse

Jay Converse — Wed, 15 Apr 2009 14:51:43 +0000

I’ve been fighting this one for 5 days, it basically wiped out the network. I had to reformat the domain controller and three PCs. A few were able to be recovered with a system restore, but others were not because all the system restore executables were infected. It depended on how fast I caught it.

Regedit and Taskmgr disabled. Network shares attacked speedily. This thing is a bloody work of evil genius.

Symantec Corporate 9 and AVG didn’t detect it until too late. In other words, they missed the primary infection, and only woke up after the secondary packages were dropped.

And get this. One PC has been formatted and reinfected three times! I’m reinstalling the OS and drivers from the OEM Dell CDs, there’s no way they could be infected. Or is there?

By: laser23

laser23 — Wed, 15 Apr 2009 05:41:58 +0000

I have kapersky antivirus 7 MP1 I reloaded xp in safe mode then removed all threats possible in safe mode then reloaded in debugging mode and removed rest of threats. works because virus doesn’t operate in safe or debugging mode.

By: pedro

pedro — Tue, 14 Apr 2009 22:23:17 +0000

i know internet since the time of 28kbs modems when we connected over phone line and i never saw anything like this , my kaspersky can not fight this virus and it when it says that everything is clean and i try to execute one of the cleaned files (like : regedit.exe) it tells me again that file is infected !!!!!
the only possible thing i see here is that virus were already on system when i installed kaspersky , the original exe of instalation in hd of kaspersky is infected .
so when it says that all files are cleaned then it starts all over again because of kaspersky exe active file .
I believe that the only solution is install an antivirus and keep it active (even infected) then install another antivirus like avg free , in this way kaspersky wont let avg instalations files be infected and then avg can clean everything .
Other way is format the damm disk and install windows again .

By: Latvian.Geek

Latvian.Geek — Sun, 12 Apr 2009 00:47:58 +0000

P.S. Forget to mention. I had more than 700 Virus.Win32.Virut.ce, but after System restore- only 20.

But after System restore some viruses stay in folder System Volume Information.

Destroy them with Avira!

By: Latvian.Geek

Latvian.Geek — Sun, 12 Apr 2009 00:42:52 +0000

I REMOVED THIS VIRUS IN 2 HOURS!!!

Here is how:
1. Make System restore- choose day, when you did not have virus.

2.Uninstall your anti-virus program, if it is not Avira(it is free!)! (I used Kaspersky, but it is too weak for this virus!)

3. Install free Avira.
4.Scan all-complete system!
5.All viruses Avira will sent to quarantine.
6.Delete from quarantine ALL FILES (“delete selected object from quarantine…”), what is infected with W32/Cholera (Avira call this-Virus.Win32.Virut.ce- so).
7. Make more full scans, at least 4- so many, till your scans can not find any virus!
8.Thats all-your computer is clean now!

See my story-martyrdom here:
http://forum.avira.com/wbb/index.php?page=Thread&threadID=87809

By: Eneas

Eneas — Thu, 09 Apr 2009 16:00:04 +0000

I’m infected too. In my case, this virus puts a code on all my “footer.php” files too.

The includes the URL jL.chura.pl/rc/: a malware URL.

By: Martin

Martin — Tue, 07 Apr 2009 14:16:18 +0000

hxxp://www.avg.com/us.virus-removal.ndi-67762 did not found anything, but when i want to scan drive from OS – this utility tells me that there is active virus in the memmory.. what to do next?

By: Martin

Martin — Tue, 07 Apr 2009 12:22:09 +0000

I have been infected just 2 reboots ago so i suggest i’m in the same shit as everybody here… The fun is that i’m on huge LAN so i hope it wont come out of this PC. I’m not calling any procedure outside my PC except browser comming out of the HTTP proxy

By: sagato

sagato — Fri, 03 Apr 2009 22:50:17 +0000

i have yhis virus it gives a good figth i hope i can kill it defore gets to my archive drive i have use symantec virut cleaner avast antivirus goin to do a deep format on the drive yes the one that puts 0 to make sure there is no ghost data data it will take long but its the only thing left to do

By: Adi

Adi — Wed, 01 Apr 2009 18:05:30 +0000

I have Windows Vista; Kaspesky detected Virus.Win32.Virut.ce & It either disinfected or deleted few virus under C:\Windows\System32\ ….
eg. C:\Windows\System32\dfrgui.exe
next thing I know is files such as control.exe is deleted, system restore file is deleted. Yes, I was unable to do system restore from Start>Programs…….
I had to reboot with recovery option (F8) & was able to restore to previous point. However, I still have viruses & would be really nice if someone could help.

By: Anuj

Anuj — Wed, 01 Apr 2009 05:43:29 +0000

i have been fighting with this virus for 2 long months and now kaspersky has disinfected most of my files but the main problem is that after disinfection when we try to execute the repaired files it say that the files are not a valid win32 application…………………i am now geeting xp sp3 and vista ultimate and will reformat my pc next week.
god save my external hard drive and its data

By: Johnny

Johnny — Sat, 28 Mar 2009 22:26:17 +0000

Hi, is there any way to be sure I dont have got this virus in my computer? I’m sure I had it, RM Virut (removal tool by AVG) found and cleaned seven infected files. But then, I tried AVG full scan, CureIt, ComboFix, RSIT, AVPtool and i also scanned some .exe files on virustotal.com , didn’t find anything at all. I just can’t believe i would get rid of such a nasty virus only with some simple removal tool…

By: avakaba

avakaba — Fri, 13 Mar 2009 12:50:35 +0000

Neither Live cd or CureIt help. Just Kaspersky free utility recognize virus as “virus.win32.virut.ce”. Most progs were cured, but system resident ones are still infected. Fight continue…

(Thinking. if any reason in heuristics?…)

By: Pegas

Pegas — Thu, 12 Mar 2009 06:31:14 +0000

http://www.avg.com/us.virus-removal.ndi-67762

By: Wis,agaplek

Wis,agaplek — Thu, 05 Mar 2009 02:33:53 +0000

God damn it!!!!!!!

By: master037

master037 — Wed, 25 Feb 2009 09:08:20 +0000

Only way to cure sistem is to download live cd from dr.web (64MB) and to try to clean system from boot cd. That is only option. except of losing all files! I had such virus and fight it 3 days. I won. Now I installed kaspersky and hope ti will protect me in the future.

By: ho mna

ho mna — Tue, 24 Feb 2009 17:52:54 +0000

what a bad ass virus its killin me lol kaspersky its trying to delete it …. im still waitting …

By: yes i have a solution to remove this virus

yes i have a solution to remove this virus — Sat, 21 Feb 2009 13:22:17 +0000

my antivirus is ????? hahaha hope you know this

By: Steve Kingsley

Steve Kingsley — Sat, 21 Feb 2009 04:29:31 +0000

Wow.

I’m impressed. Pissed as hell, but impressed none the less.
My laptop is a total loss. I’m DBANing it & starting over.
Hope my backups are ok. This thing is the nastiest virus I’ve ever seen. Good luck all who get it. My advice?

Get a Mac.

By: asucme

asucme — Thu, 19 Feb 2009 07:30:30 +0000

Try this. It’s a free removal tool from AVG.
http://www.avg.com/us.virus-removal.ndi-67762

By: John

John — Wed, 18 Feb 2009 21:37:46 +0000

Yes this virus destroys your operating system. No need to try to fight it, use “ultimate boot cd” to recover your important data and to clean out the virus. Do not backup any executable files! Reformat the drives and reinstall Windows. Don’t try a “repair” installation, format and reinstall. Only sure way to get rid of it for good. Nasty sh*t!

By: Francois

Francois — Wed, 18 Feb 2009 00:17:42 +0000

WOW… awesome virus. Last time I saw a such cool virus was in DOS ! It’s a good programmer’s work. But.. it’s destroying our computers and it’s bad…

By: Ionut Decuseara

Ionut Decuseara — Mon, 16 Feb 2009 13:04:24 +0000

This is unbelievable !

Its really one of the great ones. Its spreading itself through executables, integrating itself and autoexecuting each time the procedure is being called. Its creating a network driver in c:\windows\system32\drivers\{random letters}.sys
The driver automatically detects network connection and downloads the rest of the malware from some other infected stations of headquarters servers. Its usually creating executable in C:\Documents and Settings\{username}\Local Settings\Temp or whatever your ~temp directive tell it to.
Its also creating c:\Documents and Settings\{username}\Local Settings\s_reader.exe
I’ve been able to seen it working when calling:
#> netstat -na
from the cmd console. It was connection itself on the web receiving http packets.
Even if you reinstall OS you will eventually call one of the infected executable which will execute the same procedure of makes sure the virus is already loaded into memory. The best method:
1| Use BARTPE along with Kaspesky Internet Security (I use 7.0.1.135 updated every few hours.) – have it updated to the latest as KAV would not know about the virus until Sunday Feb. 15 2009. After booting the BARTPE cd you would have full access to the infected hard drive. You’ll then be able to use KAV to desinfect.
2| Reinstall fresh copy of OS and make sure the first thing you do after being able to see the desktop is to install and update as fast as possible Kaspersky Antivirus of Kaspersky Internet Security (I use 7.0.1.135).
3| Have the hard drive moved to another working computer which has the latest antivirus database updated.

By: JPLnyc

JPLnyc — Sat, 14 Feb 2009 18:06:41 +0000

I’ve been working on a pc for 3 days. I’ve used a deep erase, reformat and it still comes back.
Kapersky finds the virus, but is usually unable to disinfect or delete.
The virus attaches to thousands or .exe and scr files, especially the windows system .exe’s. AV repair on these files usually results in a corrupted OS.
I’ve been using UBCD, TRK and puppy linux tools.

someone mentioned using UBCD and malwarebytes, then following with MS-MRT.

MS says:
Recovery Steps
To detect this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Note: Virus:Win32/Virut.BM’s method of infection may damage some infected files beyond repair. In these cases, in order to return a machine to its pre-infected state, it may be necessary to install a clean backup of the operating system and associated applications.

Bottom Line: FORMAT THE DISK with extreme prejudice.

By: zizo

zizo — Fri, 13 Feb 2009 20:25:04 +0000

I advise every body to use later version of Kaspersky and update it

By: Cliff Lunsford

Cliff Lunsford — Fri, 13 Feb 2009 15:06:52 +0000

This is the first hit on google when searching this. The security level on this virus should be extremely high. I have been fighting with it at an accounting firm for a week, after no help from any of the major ant virus sites, a bunch of tips that failed, this particular virus is much more than most think it is. Beware it not only attaches itself to basically anything, but it also keeps connections open after is “appears” to be cleaned, continues to eat bandwidth, and it WILL come back.