Just got a virus called Win32/Virut which AVG caught as it was coming in to
the computer: However, somehow it did manage to infect almost every exe file
in the system32 directory and lots of files in the ntuninstall directories,
all of which were caught and dealt with by AVG as they happened.
After that I ran AVG again a few times and now seem to have cleaned
everything up
However, I kinda need those exe files for all sorts of purposes
Tried to run SFC and discovered that even this application was infected, the
exe file corrupted and placed in the Virus Vault.
Does anyone know how to run SFC /scannow from the install CD or from
UBCD4WIN please? Is there some special command line syntax I can use to
replace all those files? I cannot even run sysinfo at the moment although
the OS does seem to be OK. I don't however dare to shut down the computer
in case it won't open up again!
Should I run autopatcher on this computer after this virus to reinstall the
patches with the cleaned up ntuninstall directories where I suspect SFC gets
its updated files?
"news.microsoft.com" <fountainpen@amexol.net> wrote in message news:e$OuEeBHIHA.3400@TK2MSFTNGP03.phx.gbl...
> Just got a virus called Win32/Virut which AVG caught as it was coming in to
> the computer: However, somehow it did manage to infect almost every exe file
> in the system32 directory and lots of files in the ntuninstall directories,
> all of which were caught and dealt with by AVG as they happened.
>
> After that I ran AVG again a few times and now seem to have cleaned
> everything up
>
> However, I kinda need those exe files for all sorts of purposes
>
> Tried to run SFC and discovered that even this application was infected, the
> exe file corrupted and placed in the Virus Vault.
>
> Does anyone know how to run SFC /scannow from the install CD or from
> UBCD4WIN please? Is there some special command line syntax I can use to
> replace all those files? I cannot even run sysinfo at the moment although
> the OS does seem to be OK. I don't however dare to shut down the computer
> in case it won't open up again!
>
> Should I run autopatcher on this computer after this virus to reinstall the
> patches with the cleaned up ntuninstall directories where I suspect SFC gets
> its updated files?
Re: All this link says is that no anti-virus software can ever be guaranteed to work?
"Leonard Grey" <Leonard@Grey.invalid> wrote in message
news:exDe56CHIHA.3956@TK2MSFTNGP04.phx.gbl...
> Good link, Carey.
Except that what it says is that you can never be sure you have cleaned up a
system after it has been compromised: By extension it also means that you
can never clean up a system after it MIGHT have been compromised. Let's
think for a moment about that statement in the light of never knowing FOR
SURE when your system might have been compromised because the writer of the
virus will have taken steps to ensure that his compromising your system will
have remained hidden?
This link (in the circumstances of my statement that AVG had caught the
virus and dealt with all its effects) just says that everyone should flatten
and rebuild every Windows system every so often because no one can ever be
sure that their anti-virus software has always caught every virus as it has
come in or dealt with it successfully every time one did come in. (and of
course, you can never rely on backups)
If you assume the line of reasoning is reasonable, the only conceivable
meaning of this page (which is surprisingly on a Microsoft site!) is that
just to be on the safe side, all nervous users must go over to a Linux based
operating system immediately for fear [if nothing else] of someone dreaming
up a virus and their catching it before A-V companies can detect it???
Then they will at least be sure in the knowledge that there simply AREN'T
any Linux viruses out there which could do what Windows viruses do (until
some are created).
I think I will try nass's references before I go over to Linux or whatever
new flavour of Darwin is out there.
Avast is a good Anti-Virus program. After installing it, I haven't had any
problems for several months. To make sure that your computer is safe after
you fix this problem, you could install other Anti-Malware programs like a
Firewall and Anti-Spyware.
"nass" wrote:
>
>
> http://www.grisoft.com/doc/virbase/u...=Win32%2FVirut
>
> Win32/Virut - Virus Removal tool
> http://free.grisoft.com/doc/virus-re...rt/0/ndi/67762
>
> Scan for malware from here:
> Spybot Search & Destroy
> http://www.safer-networking.org/en/download/index.html
>
> Run a scan from here on-line:
> http://security.symantec.com/sscv6/d...d=ie&venid=sym
> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
> Download Avast Cleaner (offline scanner) from here:
> http://www.avast.com/eng/avast-virus-cleaner.html
> Lots of tools to download and disinfect your machine (offline scanner):
> http://www.bitdefender.co.uk/site/Do...eeRemovalTool/
>
> 2- Download the Hijackthis and send the report to one of many
> forums for analysis and troubleshooting:
> http://www.merijn.org/index.php
> When all else fails, HijackThis v1.99.1
> (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
> It will help you to both identify and remove any hijackware/spyware. Post
> your log to http://aumha.net/viewforum.php?f=30,
> http://castlecops.com/forum67.html,
> http://forums.subratam.org/index.php?showforum=7, or other appropriate
> forums for expert analysis, not here.
> Any error message, have a look in the event viewer and post them here.
> HTH.
> nass
> --------
> <www.nasstec.co.uk >
>
Hi,
This virus/worm creates a Winlogon.exe which is difficult for the firewall
or the AV to block, as it thinks it is the real winlogon.exe for Windows,
located here:
C:\Windows\System32
and also in the i386 directory.
If you search for this process and right-click on it, see the info
provided in the properties window.
Try System Restore to an earlier date before the infection took place
(hopefully the restore points are not infected?).
When AVG detected the files/.EXEs, did you tell it to Delete or Fix/Repair
the files?
This virus is difficult to get rid of if it has been duplicated on your system
and is infecting the very deep core of the system (exe.nls,ini etc). The NT$ are
the uninstallers for the updates; if you delete them you will not be able to
remove any of the updates installed from MS.
System File Checker (SFC) will not help at this stage of disinfecting the
machine. Try the restore points and try other scanners, and don't delete the
.EXEs for known applications/system files; select Repair/Restore or disinfect.
You may end up performing a clean install of the OS. If you go with
this option, please make sure any CDs/DVDs or removable storage are scanned before
recopying the data to the system. Also, you will need a proper firewall; why do you
have only a hardware firewall and not a software one as another line of defence?
Hardware is difficult to set up and to cope with new threats, unlike software,
which is up to date and easy to manage.
I cannot see your log on bleepingcomputer to see what has been done or tried!
HTH.
nass
"news.microsoft.com" wrote:
>
> "bscheibs" <bscheibs@discussions.microsoft.com> wrote in message
> news:454FA69A-654D-4638-B87B-622E4E80D83B@microsoft.com...
> > Avast is a good Anti-Virus program. After installing it, I haven't had
> > any
> > problems for several months. To make sure that your computer is safe
> > after
> > you fix this problem, you could install other Anti-Malware programs like a
> > Firewall and Anti-Spyware.
> One of the reasons I wanted an answer to my question about making sure I had
> the proper files on my computer identified by System File Checker is that
> while this virus WAS caught by AVG, I do also have Spybot and Adaware on the
> system.
>
> Incidentally one of the properties of this particular virus is that it isn't
> stopped by firewalls (I have a hardware one). No other computer on my
> network shows any ill effects arising from infection.
There is a repair utility. However this malware looks like a bad one, that
does extensive damage. Think my course of action will be a boot from DOS and
complete wipe. You could save data files first as it only attacks .exes.
Anteaus wrote:
> http://www.grisoft.com/doc/virbase/u...=Win32%2FVirut
>
> There is a repair utility. However this malware looks like a bad one,
> that does extensive damage. Think my course of action will be a boot
> from DOS and complete wipe. You could save data files first as it
> only attacks .exes.
But I agree a fresh start may be the best option. Boot from DOS is not
necessary; the CD-ROM should do the trick. But OP should definitely save
data and settings and make sure he has all necessary drivers and app
installers beforehand. Clean install instructions (assuming OP has an
installation disk):
"nass" <nass@discussions.microsoft.com> wrote in message
news:650713DD-6854-41F3-A00F-F986188DC6DB@microsoft.com...
>
> Hi,
> This virus/worm creates a Winlogon.exe which is difficult for the firewall
> or the AV to block, as it thinks it is the real winlogon.exe for Windows,
> located here:
> C:\Windows\System32
> and also in the i386 directory.
> If you search for this process and right-click on it, see the info
> provided in the properties window.
>
> Try System Restore to an earlier date before the infection took place
> (hopefully the restore points are not infected?).
> When AVG detected the files/.EXEs, did you tell it to Delete or Fix/Repair
> the files?
> This virus is difficult to get rid of if it has been duplicated on your system
> and is infecting the very deep core of the system (exe.nls,ini etc). The NT$
> are the uninstallers for the updates; if you delete them you will not be
> able to remove any of the updates installed from MS.
> System File Checker (SFC) will not help at this stage of disinfecting the
> machine. Try the restore points and try other scanners, and don't delete
> the .EXEs for known applications/system files; select Repair/Restore or
> disinfect.
> You may end up performing a clean install of the OS. If you go with
> this option, please make sure any CDs/DVDs or removable storage are scanned
> before recopying the data to the system. Also, you will need a proper
> firewall; why do you have only a hardware firewall and not a software one
> as another line of defence? Hardware is difficult to set up and to cope
> with new threats, unlike software, which is up to date and easy to manage.
> I cannot see your log on bleepingcomputer to see what has been done or tried!
> HTH.
> nass
Thanks for the advice but I think that with this system, unless there is an
easy fix, this IS a case for system restore from the install discs: All exe
files have been somehow corrupted and SFC itself won't run, not to mention
CMD!
I thought I would give uninstalling IE7 a try (as the exe file was one of
those infected and moved to the Virus Vault) and reinstalling it and doing
some Microsoft Updates to see if that reinstalled all the exe files if the
virus had indeed been detected and deleted by AVG. But the Microsoft
malware checker on reinstall just spins around and around, which I guess has
to mean something.
In this instance there wasn't much on the system to start with as I had only
just started using it and was in the process of transferring my files to it
when the virus attacked. I can easily reinstall, even if that does 'go
against the grain'. I have always counselled to cure problems rather than
avoid them and cause someone untold trouble trying to rebuild their
computer. But in this instance, that seems warranted and reasonably easy.
There IS a mysterious tiny partition on the drive: I wonder what that is for
and if I should take a look at it with Partition Commander and install Mepis
or something in it?
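
Added example, not part of the original thread: the question running through this thread is how to confirm which executables are still the proper ones when SFC itself cannot run. One way, sketched here in Python, is to hash the executables in the suspect tree (mounted from an offline boot environment) and compare them against a known-good copy taken from trusted media. The directory names, extension set and file contents below are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Extensions checked; this set is an assumption for the example.
EXEC_EXTS = {".exe", ".scr", ".dll"}


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map lower-cased relative path -> SHA-256 for executables under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                full = os.path.join(dirpath, name)
                # Windows names are case-insensitive, so normalise before comparing.
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                manifest[rel] = sha256_file(full)
    return manifest


def compare(known_good, suspect):
    """Classify executables in `suspect` against the `known_good` tree."""
    good, sus = build_manifest(known_good), build_manifest(suspect)
    return {
        "modified": sorted(p for p in good if p in sus and good[p] != sus[p]),
        "missing": sorted(p for p in good if p not in sus),
        "unexpected": sorted(p for p in sus if p not in good),
    }


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed trees; contents are placeholder bytes, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "reference", "system32")
        sus = os.path.join(tmp, "suspect", "system32")
        os.makedirs(good)
        os.makedirs(sus)
        for name in ("sfc.exe", "cmd.exe", "winlogon.exe"):
            write(os.path.join(good, name), b"MZ" + name.encode())
        write(os.path.join(sus, "winlogon.exe"), b"MZwinlogon.exe")   # unchanged
        write(os.path.join(sus, "CMD.EXE"), b"MZcmd.exe" + b"extra")  # altered
        write(os.path.join(sus, "extra.exe"), b"MZextra")             # not in reference
        return compare(good, sus)  # sfc.exe is absent, as if quarantined


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is only as trustworthy as the reference tree, so the known-good copy has to come from media that was never exposed to the infected system.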