Just managed to catch a virus


news.microsoft.com

Just got a virus called Win32/Virut which AVG caught as it was coming into
the computer. However, somehow it did manage to infect almost every exe file
in the system32 directory and lots of files in the NtUninstall directories,
all of which were caught and dealt with by AVG as they happened.

After that I ran AVG again a few times and now seem to have cleaned
everything up.

However, I kinda need those exe files for all sorts of purposes.

Tried to run SFC and discovered that even this application was infected, the
exe file corrupted and placed in the Virus Vault.

Does anyone know how to run SFC /scannow from the install CD or from
UBCD4WIN please? Is there some special command line syntax I can use to
replace all those files? I cannot even run sysinfo at the moment, although
the OS does seem to be OK. I don't, however, dare to shut down the computer
in case it won't open up again!

Should I run AutoPatcher on this computer after this virus to reinstall the
patches with the cleaned-up NtUninstall directories, where I suspect SFC gets
its updated files?
 

Carey Frisch [MVP]

Cleaning a Compromised System
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

--
Carey Frisch
Microsoft MVP
Windows Shell/User

 

Guest

news.microsoft.com said:
Just got a virus called Win32/Virut which AVG caught as it was coming into
the computer. However, somehow it did manage to infect almost every exe file
in the system32 directory and lots of files in the NtUninstall directories,
all of which were caught and dealt with by AVG as they happened.

After that I ran AVG again a few times and now seem to have cleaned
everything up.

However, I kinda need those exe files for all sorts of purposes.

Tried to run SFC and discovered that even this application was infected, the
exe file corrupted and placed in the Virus Vault.

Does anyone know how to run SFC /scannow from the install CD or from
UBCD4WIN please? Is there some special command line syntax I can use to
replace all those files? I cannot even run sysinfo at the moment, although
the OS does seem to be OK. I don't, however, dare to shut down the computer
in case it won't open up again!

Should I run AutoPatcher on this computer after this virus to reinstall the
patches with the cleaned-up NtUninstall directories, where I suspect SFC gets
its updated files?

http://www.grisoft.com/doc/virbase/us/crp/0?nam=Win32/Virut

Win32/Virut - Virus Removal tool
http://free.grisoft.com/doc/virus-removal/us/frt/0/ndi/67762

Scan for malware from here:
Spybot Search & Destroy
http://www.safer-networking.org/en/download/index.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (offline scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

2- Download HijackThis and send the report to one of the many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
If there are any error messages, have a look in the Event Viewer and post them here.
HTH.
nass
 

news.microsoft.com

Leonard Grey said:
Good link, Carey.
Except that what it says is that you can never be sure you have cleaned up a
system after it has been compromised. By extension it also means that you
can never clean up a system after it MIGHT have been compromised. Let's
think for a moment about that statement in the light of never knowing FOR
SURE when your system might have been compromised, because the writer of the
virus will have taken steps to ensure that his compromising your system will
have remained hidden?

This link (in the circumstances of my statement that AVG had caught the
virus and dealt with all its effects) just says that everyone should flatten
and rebuild every Windows system every so often, because no one can ever be
sure that their anti-virus software has always caught every virus as it has
come in or dealt with it successfully every time one did come in. (And of
course, you can never rely on backups.)

If you assume the line of reasoning is reasonable, the only conceivable
meaning of this page (which is surprisingly on a Microsoft site!) is that,
just to be on the safe side, all nervous users must go over to a Linux-based
operating system immediately for fear [if nothing else] of someone dreaming
up a virus and their catching it before A-V companies can detect it???
Then they will at least be sure in the knowledge that there simply AREN'T
any Linux viruses out there which could do what Windows viruses do (until
some are created).

I think I will try nass's references before I go over to Linux or whatever
new flavour of Darwin is out there.
 

Guest

Avast is a good Anti-Virus program. After installing it, I haven't had any
problems for several months. To make sure that your computer is safe after
you fix this problem, you could install other Anti-Malware programs like a
Firewall and Anti-Spyware.
 

news.microsoft.com

nass said:
http://www.grisoft.com/doc/virbase/us/crp/0?nam=Win32/Virut

Win32/Virut - Virus Removal tool
http://free.grisoft.com/doc/virus-removal/us/frt/0/ndi/67762

Scan for malware from here:
Spybot Search & Destroy
http://www.safer-networking.org/en/download/index.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (offline scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

2- Download HijackThis and send the report to one of the many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
If there are any error messages, have a look in the Event Viewer and post them here.
Many thanks for your very complete answer (except that I have had a report
out there on BleepingComputer for over a week and no one has found anything
worth responding to in it). But what about my original question concerning
simply how to get those exe files back again, and whether I should just
delete all of the NtUninstall directories and run AutoPatcher until I can run
SFC /scannow? Or how do I run SFC /SCANNOW from a CD please?
 

news.microsoft.com

bscheibs said:
Avast is a good Anti-Virus program. After installing it, I haven't had any
problems for several months. To make sure that your computer is safe after
you fix this problem, you could install other Anti-Malware programs like a
Firewall and Anti-Spyware.
One of the reasons I wanted an answer to my question about making sure I had
the proper files on my computer identified by System File Checker is that,
while this virus WAS caught by AVG, I do also have Spybot and Ad-Aware on the
system.

Incidentally, one of the properties of this particular virus is that it isn't
stopped by firewalls (I have a hardware one). No other computer on my
network shows any ill effects arising from infection.
 

Guest

Hi,
This virus/worm creates a Winlogon.exe which is difficult for the firewall
or the AV to block, as they think it is the real winlogon.exe for Windows,
located here:
C:\Windows\System32
and also in the i386 directory.
If you search for this process and right-click on it, do you see the info
provided on the properties window?

Try System Restore to an earlier date, before the infection took place
(hopefully the restore points are not infected?).
When AVG detected the files/.EXEs, did you tell it to delete or fix/repair
the files?
This virus is difficult to get rid of if it has been duplicated on your system
and is infecting the very deep core of the system (.exe, .nls, .ini etc). The
$NtUninstall directories are the uninstallers for the updates; if you delete
them you will not be able to remove any of the updates installed from MS.
System File Checker (SFC) will not help at this stage of disinfecting the
machine. Try the restore points and try other scanners, and don't delete the
.EXEs for known applications/system files; select Repair/Restore or disinfect.
You may end up performing a clean install of the OS. If you go with
this option, make sure any CDs/DVDs or removable storage are scanned before
you recopy the data to the system. You will also need a proper firewall; why do
you have only a hardware firewall and not a software one as another line of
defence? Hardware is difficult to set up and to cope with new threats, unlike
software, which is kept up to date and easy to manage.
I cannot see your log on BleepingComputer to see what has been done or tried!
HTH.
nass
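The check nass describes above (look at the properties of any running winlogon.exe and confirm it is the real one in System32) can be scripted so that it also covers the original poster's wider worry about which System32 executables are still trustworthy after a file infector has been through them. The script below is an added example written for this thread, not code from any poster or from Microsoft. It assumes Windows Vista or later with PowerShell 3 or newer, run from an elevated prompt so that process image paths are readable; the XP machine discussed in the thread would not run it as written. The function names and the Microsoft-subject check on the signer certificate are this example's own choices.

```powershell
# Added example, not code from the thread. Assumes Windows Vista or later with
# PowerShell 3+, run as Administrator so process image paths are readable.
# The XP machine in the thread would not run this as written.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-SignatureVerdict {
    param([string]$Path)
    # Returns 'ValidMicrosoft', 'ValidOther', or the raw status string
    # (NotSigned, HashMismatch, ...). HashMismatch on a file that Microsoft
    # signed is the strongest hint that the image was modified afterwards,
    # which is exactly what a file infector that appends to .exe files does.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        if ($sig.SignerCertificate.Subject -like '*Microsoft*') { return 'ValidMicrosoft' }
        return 'ValidOther'
    }
    return [string]$sig.Status
}

function Test-WinlogonProcess {
    # One row per running process named winlogon.exe: where its image really
    # lives and whether that image still carries a valid Microsoft signature.
    # A copy running from i386 or anywhere outside System32 shows InSystem32=False.
    foreach ($p in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
        $path = $p.Path
        if (-not $path) {
            # Path is hidden from non-elevated callers; report rather than guess.
            [pscustomobject]@{ Pid = $p.Id; Path = '<not readable>'; InSystem32 = $null; Signature = 'Unknown' }
            continue
        }
        $dir = (Split-Path -Path $path -Parent).TrimEnd('\')
        [pscustomobject]@{
            Pid        = $p.Id
            Path       = $path
            InSystem32 = ($dir -ieq $system32)
            Signature  = Get-SignatureVerdict -Path $path
        }
    }
}

function Find-SuspectSystemExes {
    # Every .exe directly under System32 whose signature is not a valid
    # Microsoft one, with its last-write time so a cluster of files touched
    # at the same moment stands out. On older Windows/PowerShell builds,
    # files signed only through a catalog may report NotSigned; treat those
    # as "review", not "infected".
    Get-ChildItem -Path $system32 -Filter *.exe -File |
        ForEach-Object {
            $verdict = Get-SignatureVerdict -Path $_.FullName
            if ($verdict -ne 'ValidMicrosoft') {
                [pscustomobject]@{ File = $_.Name; Verdict = $verdict; Modified = $_.LastWriteTime }
            }
        }
}

Write-Host 'Running winlogon.exe instances:'
Test-WinlogonProcess | Format-Table -AutoSize

Write-Host 'System32 executables without a valid Microsoft signature:'
Find-SuspectSystemExes | Sort-Object Verdict, File | Format-Table -AutoSize
```

On a clean machine the first table shows a single winlogon.exe under System32 with Signature ValidMicrosoft, and the second table is short and consists of catalog-signed or third-party files. A long second table of HashMismatch entries sharing one Modified timestamp is the signature-level view of what the original poster saw AVG report, and it is the point at which nass's advice to stop disinfecting and rebuild from known-good media applies.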
 

Daave

Anteaus said:
http://www.grisoft.com/doc/virbase/us/crp/0?nam=Win32/Virut

There is a repair utility. However, this malware looks like a bad one
that does extensive damage. Think my course of action will be a boot
from DOS and complete wipe. You could save data files first as it
only attacks .exes.

Direct link:

http://www.grisoft.com/doc/63/us/crp/0/ndi/67762

But I agree a fresh start may be the best option. Boot from DOS is not
necessary; the CD-ROM should do the trick. But OP should definitely save
data and settings and make sure he has all necessary drivers and app
installers beforehand. Clean install instructions (assuming OP has an
installation disk):

http://www.michaelstevenstech.com/cleanxpinstall.html

But if you want to experiment, try the repair utility. Still, I would
back everything up first.
 

news.microsoft.com

nass said:
Hi,
This virus/worm creates a Winlogon.exe which is difficult for the firewall
or the AV to block, as they think it is the real winlogon.exe for Windows,
located here:
C:\Windows\System32
and also in the i386 directory.
If you search for this process and right-click on it, do you see the info
provided on the properties window?

Try System Restore to an earlier date, before the infection took place
(hopefully the restore points are not infected?).
When AVG detected the files/.EXEs, did you tell it to delete or fix/repair
the files?
This virus is difficult to get rid of if it has been duplicated on your system
and is infecting the very deep core of the system (.exe, .nls, .ini etc). The
$NtUninstall directories are the uninstallers for the updates; if you delete
them you will not be able to remove any of the updates installed from MS.
System File Checker (SFC) will not help at this stage of disinfecting the
machine. Try the restore points and try other scanners, and don't delete the
.EXEs for known applications/system files; select Repair/Restore or disinfect.
You may end up performing a clean install of the OS. If you go with
this option, make sure any CDs/DVDs or removable storage are scanned before
you recopy the data to the system. You will also need a proper firewall; why do
you have only a hardware firewall and not a software one as another line of
defence? Hardware is difficult to set up and to cope with new threats, unlike
software, which is kept up to date and easy to manage.
I cannot see your log on BleepingComputer to see what has been done or tried!
HTH.
nass
Thanks for the advice, but I think that with this system, unless there is an
easy fix, this IS a case for system restore from the install discs. All exe
files have been somehow corrupted and SFC itself won't run, not to mention
CMD!

I thought I would give uninstalling IE7 a try (as the exe file was one of
those infected and moved to the Virus Vault) and reinstalling it and doing
some Microsoft Updates to see if that reinstalled all the exe files, if the
virus had indeed been detected and deleted by AVG. But the Microsoft
malware checker on reinstall just spins around and around, which I guess has
to mean something.

In this instance there wasn't much on the system to start with, as I had only
just started using it and was in the process of transferring my files to it
when the virus attacked. I can easily reinstall, even if that does 'go
against the grain'. I have always counselled to cure problems rather than
avoid them and cause someone untold trouble trying to rebuild their
computer. But in this instance, that seems warranted and reasonably easy.

There IS a mysterious tiny partition on the drive. I wonder what that is for,
and if I should take a look at it with Partition Commander and install Mepis
or something in it?
 

news.microsoft.com

Daave said:
Direct link:

http://www.grisoft.com/doc/63/us/crp/0/ndi/67762

But I agree a fresh start may be the best option. Boot from DOS is not
necessary; the CD-ROM should do the trick. But OP should definitely save
data and settings and make sure he has all necessary drivers and app
installers beforehand. Clean install instructions (assuming OP has an
installation disk):

http://www.michaelstevenstech.com/cleanxpinstall.html

But if you want to experiment, try the repair utility. Still, I would
back everything up first.
Actually this whole computer was in effect a backup of another computer and
didn't have any particular configurations on it: Even with the repair
utility, one never quite knows which exe files aren't going to be there when
you need them so although I might soldier on with this installation, I have
just done a re-install while I was working on another computer and/or
watching telly.

I have to say, the AVG scan AFTER it had caught the virus (as it came in,
identified it and dealt with it), still identified over 1000 problems
arising with the system. Running it again still identified nearly 400 and
removed them as well.

Then while the Malware scan was just spinning, AVG caught yet another piece
of malware with this virus identification!
 

Daave

There IS a mysterious tiny partition on the drive. I wonder what that is for
[snip]

Might it be a hidden recovery partition? What is your PC's make and
model?
 

news.microsoft.com

Daave said:
There IS a mysterious tiny partition on the drive. I wonder what that is for
[snip]

Might it be a hidden recovery partition? What is your PC's make and model?
It is an HP zt3380US and I think the partition is empty. Don't think this
was a recovery partition?
 

Daave

news.microsoft.com said:
Daave said:
There IS a mysterious tiny partition on the drive. I wonder what that is for
[snip]

Might it be a hidden recovery partition? What is your PC's make and model?
It is an HP zt3380US and I think the partition is empty. Don't think this
was a recovery partition?

If your HP came with a Windows XP installation disk, then I doubt it
also has a recovery partition. I wonder what it could be. Perhaps
diagnostics?
 
