
W-T-F has anyone battled a win32/Virut virus?


JRDtechnet
04-25-2009, 07:53 PM
All I have to say is, HOLY **** THAT IS A NASTY MOTHERF**KER!! A small business called me in yesterday. Got there and it looked like a typical scareware program like AV360 or WinAntivirus. This particular one was called Privacy Center. I removed that with ease, but then memory fault errors kept popping up and I noticed a strange executable, s_reader.exe, in system32 and the user root, and there were a bunch of tmp files. Ran Avira from UBCD; it deleted half the executable files on the system. ESET got some more, but not enough, because that s_reader.exe kept respawning. Even ComboFix wouldn't run; it said the content of the package was compromised. I tried a few Virut removal tools from Norton and AVG. Finally I beat the virus into submission, but the damage was done, and I'm sure there's an infected .exe lurking about just waiting to be clicked. Time for a nuke and pave. Oh, and the other 2 computers, they're infected too; it spread through the shared folders. Even my USB stick got nailed. My ESET detected it when I stuck it in my computer, got it before it could infect me.

14049752
04-25-2009, 08:00 PM
Yep.... We saw this a few months ago. It prompted us to buy write-protected USB sticks for virus scanning only.
Several other systems have been in and out of the shop that've had it, too. Format-and-reload jobs, all of them, because it infected so many different system files. I think the worst one had over 20,000 instances of Virut alone, along with a few other things.

Majestic
04-25-2009, 09:53 PM


Trust me.. as somebody who fought this stupid f**king virus for hours and in the end, even after cleaning it out, had issues with things like the print spooler "breaking"... JUST REINSTALL!

The worst part of it all was the last time I fought it, it infected my USB drive just like yours, and then I went to another client and infected them unknowingly :(

Majestic

dhrandy
04-25-2009, 11:47 PM
I just posted about this here (http://www.technibble.com/forums/showthread.php?t=6120).

I've had 3 computers (2 from the same person) infected with the Junk Poly. The first one also had the Virut virus.

First computer: 140+ infected files. Attacked exe and sys files. Too many files infected to fix. Wipe and re-install completed. She got it from an email saying that she needed to upgrade to IE8 for Yahoo.

Second computer: Almost the same thing except worse. Attacked my USB drive and got my laptop. This thing is mean. It even got past my antivirus software. Wipe and re-install.

Third computer: Not as bad. I was able to save this one. No important files were attacked. Updated AVG, updated OS and updated explorer. Seems to be gone. Noticed Limewire had infected files in it. Probably the source of the virus.


The one on the second computer is called Win32:Junk Poly. It spreads pretty quick.

14049752
04-26-2009, 12:07 AM
It spreads pretty quickly. It seems that most of the Win32 viruses do the same thing.

"Win32" just refers to the way the virus runs. Win32 means that it's a natively run program in a Windows 32-bit OS. Yes, they tend to spread more easily if they're a "Win32" virus, but that doesn't tell you anything about how they spread or behave.

You've got viruses like VBS:SST that is a Visual Basic Script virus. It relies on the Visual Basic scripting engine, but isn't run natively.
Same with JS(whatever) viruses. JavaScript.
OS X viruses are typically labelled as "OSX(whatever)".

dhrandy
04-26-2009, 12:28 AM
Thanks for the info.

AtYourService
04-26-2009, 05:09 AM
I had some computers I bought from a business that tanked, and I was using my USB to wipe some files etc. to prep for resale. One of them had the Virut virus and it nuked my files on my USB. I tried everything I knew to remove it, bootable CDs etc., but it still wouldn't come clean; ended up reinstalling after 2 days of wild west shootouts.

arrow_runner
04-26-2009, 11:33 AM
It was the first virus infection that I had to nuke and pave since I opened. :(

ClickRight
04-27-2009, 03:58 PM
I noticed Limewire had infected files in it. Probably the source of the virus.


When I saw Virut a few weeks back, this was common amongst several of the machines; makes me wonder if this is really the source. This is definitely a mean virus, probably the first I've ever had to format for.

TimeCode
04-27-2009, 05:21 PM
Wow... This thing is kicking everyone's butt. I'll have to be on the lookout. What should I be looking for?

Glad I just got a Write-Protect USB Drive.

ClickRight
04-28-2009, 02:42 AM

Keep an eye out for "reader_s.exe" in the task manager and usually in the %systemroot%\System32 folder.

On a side note, I'm currently trying to recover a computer from a Virut infection now. I put the hard drive in a work computer and cleaned out all temp files, manually deleted all evident viruses in %systemroot%\System32, and deleted %root%\System Volume Information. Then I ran AVG's "rmvirut" and it didn't find any infections. I ran Dr. Web CureIt, and it cured over 2100 files and deleted another 5 or so. Now the system boots but I lost all network connectivity. (All network adapters show code 39 in the device manager.) I'm currently running SFC /scannow.

JRDtechnet
04-28-2009, 04:48 AM
Yup, reader_s.exe and also ntos.exe.

Jimmyb
04-28-2009, 11:06 AM
Hello gang. New here, just registered after lurking for the past week. Had two of my computers infected by working on a client's laptop. Found the FREE Dr. Web CureIt (do a Google search since I cannot post links yet) which did a good job of finding and curing the Virut disease. I now have it in my toolkit.

The first computer had too many (over 3,000) bad files and of course once it deletes some that are system files, not worth the effort, had to wipe and reload.

The second one I had more time for. Pulled the drive and ran CureIt from another computer, plus Malwarebytes and Avast. Could not boot, but that was a userinit fix. It is now running, although I think it's missing some files?? All told, WAY too many hours trying to fix, but since they were my own :o

I also noticed Conficker like behavior. Tested with Eye Chart sites and it tested positive for variant C. Coincidence or dual infected?

Just my 2 cents and thanks for all the great info you all pump out .. love it ... keep it coming.

ClickRight
04-28-2009, 02:35 PM

Welcome to the forums!

I think the Conficker and Virut together may just be a coincidence, but who really knows!?

Dr. Web really did a good job on this machine as well. I lost all network connectivity after running it, though, but got it back by expanding ndis.sys from an XP disk, as it was deleted in the removal process. I ran Avast and it cleaned up about 5 or so files. I'll probably run a few more scans then declare this computer healed.

TimeCode
04-28-2009, 02:50 PM
Keep an eye out for "reader_s.exe" in the task manager and usually in the %systemroot%\System32 folder.

OK, I think I saw it about 4 days ago. The laptop was slow as molasses and the HD seemed to be screwed too. Couldn't boot up without fixing errors with scandisk. Unless that's normal for this virus.

Lady chose to buy a new one instead of getting a new HD. Did I misinform her? I will gladly go back to her with new info if that is the case.

blackburgpchelp
04-28-2009, 03:24 PM
I've got a laptop in for virus removal, and ntos.exe was detected, so looks like I'll be fighting this one myself. Glad some of you have had some success, I'll try some of your suggestions.

-Rance

ClickRight
04-28-2009, 04:19 PM

Tim, I haven't seen any correlation between Virut and HD issues. I have a feeling the two are unrelated.

TimeCode
04-28-2009, 04:34 PM
Tim, I haven't seen any correlation between Virut and HD issues. I have a feeling the two are unrelated.

Thanks, I'm cool with not knowing everything, always learning... I just want to be as honest as I possibly can.

Afford-A-Tech
05-02-2009, 01:18 AM
I came across this one today. Threw everything at it, tried every method of removing it. It just kept coming back. Most scanners would not run, even in safe mode, and the scanners I have on PE couldn't even remove it. I finally had to do a Windows reinstallation.

That Privacy Scanner virus is crazy. Want to know the funny thing? The customer admitted to visiting a porn site. He said he got a pop-up on the porn site. It told him the computer was infected, so he allowed the program to install. After the restart, he noticed that his desktop didn't load and that he couldn't do anything.

Anyhow, now he is happy.

PS: The main EXE for the program on this one was PC.exe.

Warren
05-06-2009, 02:17 AM
This is fixable. Here is an outline of what I did. May not be complete as it is from memory. And btw, even the customer can format a hard drive, our job is to fix the problem.

Presentation:

Cannot get online, no Ethernet connection at all (as if unplugged)
All network adapter including wan miniports show in DM with !
Drivers from all sources result in unable to start device error
Could not detect USB flash drive
Cannot create network connections

Procedure as I recall:

Ran all the normal tools, which fixed nothing but named the bug. Still might be significant:

ComboFix
MBAM
AVG

Read everything I could find on Virut (to Google!).
Ran the virut.cf specific tool from AVG (there is another from Symantec I have not used).
Removed SP3, which did evoke an "uninstall failed" error. This brought back IE6.
Ran SFC /PURGECACHE
Ran SFC /SCANNOW
Network connection automatically restored at this point. No internet browsing, though.
Automatic Updates available. Shutdown with the "Install Updates Then Shutdown" option. Through Automatic Updates it got online, but the browsers would not. It installed updates and shut down.
Installed SP3 and updates.
Installed IE7.

Still testing the results but it is running fine and free of virut and other infections.

LunchBox
05-06-2009, 04:24 AM
Were you able to surf after the IE7 install?

stevenamills
05-06-2009, 05:44 AM
I've been having reasonable success with this thing. Random observations:

1. The AVG tool is better than the Symantec tool, but neither is great.

2. Scanning the drive attached via USB with AVG is, by far, the most effective. Scan twice.

3. Kaspersky boot disk not bad.

4. Surprisingly, Windows Live OneCare online scan works well. Obviously, you must be able to get online.

5. In all likelihood permissions will be screwed and need to be reset.

6. Don't underestimate the ability to crawl and infect your network.

7. Your USB key is infected - even if it stayed in your pocket the whole time.

Hope something here might help.

rusty.nells
05-06-2009, 05:52 AM
7. Your USB key is infected - even if it stayed in your pocket the whole time.

Damn, those coders are really good :D

LunchBox
05-06-2009, 06:01 AM
7. Your USB key is infected - even if it stayed in your pocket the whole time..

Dang, those coders are good :D


Sorry Rusty, I was thinking the same as you but you beat me to it.

Warren
05-09-2009, 07:22 PM

Does that make it venereal?

Warren
05-12-2009, 01:21 AM
Were you able to surf after the IE7 install?

Not done yet, but no IE; I have Firefox working. Bad things keep happening when you try IE.

Had to return it incomplete so the customer could get time-sensitive work done. Problems remaining are BSOD with SP3 installed. I suspect version mismatches on system files. I have not had a CD key for it before, so could not do the obvious repair install.

Odd behavior: on warm restart the system loses the boot drive on POST.

LunchBox
05-12-2009, 05:26 AM
Once I had a nasty virus; well, not really nasty, but a nice trick though.

I was able to remove everything. The problem was that IE was actually injected with something. I never noticed that each time I double-clicked on it, it would bring back all the nasties. I eventually noticed it when I had a folder open and things populated (not the temp files either). Anyway, I ran SFC /scannow and it replaced IE with a fresh copy (I verified the event logs, which showed the replacement).

After all of that the PC was back to normal.

Reset
05-14-2009, 05:08 PM
This virus is very simple to get rid of: just load the HD and mount it in Linux, rename the system folder, then create a new system and transfer over the files that aren't infected. You might have to do a recovery; then in the new folder you will see the virus place itself there, because it loads itself in memory. Then scan the HD; once cleaned, boot safe mode and you should have a clean system. I've done this 4 times already, no problems. Good thing I have a viruswall on my network that I use to detect the strings it executes.

Jager
05-15-2009, 01:33 PM
I don't understand about half of what you said, to be honest. Also, assuming that the Virut variant is active and running, it will patch itself into ANY and ALL executables that are accessed. That means copied, run, properties checked, etc. As such, you absolutely should not just copy the files and hope that all is good. AVG's Rmvirut tool works wonders; your typical scanner will just delete the files.

To be honest, your best bet (depending on how long you have been fighting this) is to nuke and pave. If data needs backing up, do it either from the infected machine to an external drive or on a *nix machine. Once that's done, Rmvirut it to clean up the EXE files, otherwise you will just end up fighting it again.

EDIT:
Sorry if I repeated anything from the first page...my company's firewall didn't like something on that page and blocked it.

Elimark1611
06-10-2009, 06:47 PM
I consider myself OK at removing viruses, but this is crazy. I can't get the internet to work.

I removed reader_s and a whole bunch of other files.

It started with all my devices having a code 39 error (fixed that manually).

But IE won't work.

Can't get online at all. I have used a few virus scanners, all coming up clean. The PC runs fine except for the internet: it says it cannot connect (wireless connects to the network) but IE fails. I tried Chrome too.

I think there is some damage to system files. Is there any way I can repair them?

ClickRight
06-10-2009, 08:18 PM

XP or Vista? Make sure the browsers are not trying to use a proxy server. (IIRC, Chrome uses IE's configured proxy servers.) You can try sfc /scannow or do a repair install of Windows if things are still amuck.

ClickRight
06-10-2009, 08:49 PM
Firefox should work. I had run-ins with this virus, and by the time I got the machine, it was so messed up that during the removal process it took half the OS with it. I then did a repair install, and everything was still bunked. The end result was a total reformat, deleting and creating the partitions over again.

Yeah, I have tried several times to remove Virut with no success. One time I thought I had it, only to come back to my office to see the machine blue-screened, never to boot again. As soon as I see that it's Virut now, I back up the drive and do a format. However, if you can get the machine working and know that it's clean, all the more power to you.

rusty.nells
06-10-2009, 11:35 PM

May be corrupt winsock settings, if so you might try this:

http://www.snapfiles.com/get/winsockxpfix.html

SOHO-NZ
06-11-2009, 01:47 AM
I had another Virut case last week. It appears the virus will infect any exe file (as well as htm and some other file formats) it can. There is a 'bug' in the virus that frequently causes infected exe files to be corrupted. Once that has happened, no AV software can fix the file. If many files have been corrupted, the only sensible way forward is nuke/pave.

Jake77444
07-08-2009, 05:02 AM
I know this thread is about a month old, but wow. I ran into Virut this week and it was not a good experience. This one beat me, that is for sure; after throwing every tool in the book at it, the bastard came back over and over. Not to mention the computer had traces of other downloaders/rootkits/Koobface/Conficker that managed to make their way onto the computer. Even saw the good old Sasser "60 second countdown". Had to nuke and pave. Unfortunately I made the same mistake as many of you and got my flash drive infected, which resulted in me infecting one of my workstations......ended up formatting that beast too.

Anyone know what file types this thing affects? I have some pictures and important files on this flash drive I infected that I need to keep. I scanned it with avira, mbam, and drweb cure it. The drive came back clean. I removed all .exe files from it already.

ClickRight
07-08-2009, 05:21 AM

If I recall correctly, Virut only infects exe and scr files. However, if there were other viruses/trojans, you might want to delete bat & com files, and to be on the safe side, I would delete any files that you know you don't need.
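As an added check for two questions raised in this thread (ClickRight's "keep an eye out for reader_s.exe in System32" and Jake77444's "is my flash drive clean after it sat in an infected machine?"), here is a small Python script that is not from the thread or from any of the tools mentioned. It records a SHA-256 manifest of every file with an executable extension under a path (a USB stick, or an infected drive mounted read-only on a clean machine), and later compares a fresh snapshot against that manifest: any executable whose hash changed, or any executable that newly appeared, is what a file infector leaves behind. It also flags the dropped-file names posters reported (reader_s.exe, s_reader.exe, ntos.exe). The extensions (exe/scr from the post above, plus com/bat since the same post suggests deleting them) and the indicator names are the only Virut-specific facts it uses; everything in run_demo() is constructed sample data, and the script name usbcheck.py is an assumption.

```python
"""Offline integrity check for executables on a USB stick or a mounted drive.

Added example, not code from the thread or from any vendor tool. Baseline the
drive on a known-clean host, then compare after it has been in a suspect
machine. Extensions and indicator filenames come from the thread; the demo
tree in run_demo() is constructed sample data.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# exe/scr per the thread; com/bat added because the same post suggests deleting them.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat"}
# Dropped-file names reported by posters; matched case-insensitively on the basename.
INDICATOR_NAMES = {"reader_s.exe", "s_reader.exe", "ntos.exe"}


def sha256_file(path: Path) -> str:
    """Stream the file so large executables are not loaded whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map each executable under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify every executable as added, removed, modified or unchanged."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unchanged": sorted(p for p in common if baseline[p] == current[p]),
    }


def find_indicators(manifest: dict) -> list:
    """Executables whose basename matches a name reported in the thread."""
    return sorted(p for p in manifest if Path(p).name.lower() in INDICATOR_NAMES)


def save_manifest(manifest: dict, path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def run_demo() -> dict:
    """Constructed demo: baseline a small tree, simulate an infection, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        # Stand-in file bodies, not real PE images.
        (root / "tools" / "mbam.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "tools" / "readme.txt").write_text("ignored: not an executable")
        (root / "cleaner.scr").write_bytes(b"MZ" + b"\x00" * 32)
        manifest_path = root / "baseline.json"
        save_manifest(snapshot(root), manifest_path)

        # What a file infector leaves behind: an existing executable grows,
        # and a dropped executable with a reported name appears.
        with (root / "tools" / "mbam.exe").open("ab") as fh:
            fh.write(b"\xcc" * 16)
        (root / "reader_s.exe").write_bytes(b"MZ" + b"\xcc" * 16)

        current = snapshot(root)
        result = compare(load_manifest(manifest_path), current)
        result["indicators"] = find_indicators(current)
        return result


if __name__ == "__main__":
    # usage: python usbcheck.py baseline <root> <manifest.json>
    #        python usbcheck.py compare  <root> <manifest.json>
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "compare"):
        print(json.dumps(run_demo(), indent=1))
        sys.exit(0)
    mode, root, manifest_path = sys.argv[1:]
    if mode == "baseline":
        save_manifest(snapshot(root), manifest_path)
    else:
        current = snapshot(root)
        report = compare(load_manifest(manifest_path), current)
        report["indicators"] = find_indicators(current)
        print(json.dumps(report, indent=1))
        sys.exit(1 if report["added"] or report["modified"] or report["indicators"] else 0)
```

Two caveats. The baseline and the comparison both have to run on a host you trust: a hash tool run on the infected machine is itself an executable the infector can have touched, which is why several posters pull the drive and scan it from another computer. And "unchanged" only means the bytes match the baseline, not that the file is clean; if the baseline was taken after the stick had already been in a suspect machine, an infected file will look unchanged. That is also why the thread's advice about hardware write-lock stands: with the switch on, compare should report nothing added and nothing modified, and if it ever does, the lock was not doing its job.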

Kenhelms
07-08-2009, 01:36 PM
It's a nasty one. I just saw it infect 17 computers that were running ESET. The client also runs a very strong firewall. The server didn't get infected. It jumped from a car computer to the main network via a USB drive.

iladelf
07-08-2009, 04:35 PM
My biggest question is the following; how exactly do you keep a thumb drive from becoming infected? I have used Panda's USB Vaccine so far, but don't know if that is only good on the PC I "vaccinated" the thumb drive on, or if it is now "vaccinated" for use on all PCs. Anyone know, or what are you doing to keep these USB keys clean?

Jager
07-08-2009, 07:22 PM

Write-lock is the only thing. A physical write lock at that... which seem to be increasingly difficult to find in larger sizes for reasonable prices.

NYJimbo
07-08-2009, 07:36 PM

True. I have dumped ALL of my USB thumb drives and replaced them with Kangurus. You can buy any brand, just make sure they have an actual switch to lock the thing. Software write protection is just begging to be defeated and you will never be sure with that.