System infected with W32.Virut!gen

htsource
I got a job today to clean an infected PC, I pulled out the drive and it's now scanning with my other clean PC. So far it's heavily infected with W32.Virut!gen and W32.Virut.CF viruses. It picked up probably around 100 infected files so far, they're all exe's.

I was searching around and it looks like this is one of the worst ones to clean, and I hate so many infected exe files. What should I do? The client doesn't want me to wipe clean and start over.

Thanks for your suggestions.
 
When I get a machine that bad... I call the customer and tell them that I can't guarantee a clean machine without a nuke n pave... then if they don't want that I make them sign a waiver... :D
 
You might want to do a repair install just to try ensure all windows files are intact. From there you will have to reapply all updates and I would go through the system again with another malware scan. Remember to disable system restore before you scan if possible.

Depending on how you price and how good of a customer they are you might want to consider charging more. For example if you usually charge x amount for a virus removal and more for a reload you might want to charge them for a reload anyways and explain that you have to repair many operating system files which is a tedious task.

You should also reiterate that because of the condition of the system you can definitely not guarantee 100% removal and it may impact the system in various ways. Unless there is a good reason for not reloading the OS you might be able to convince them by letting them know it might not be safe to do things like online banking and accessing secure documents even when the virus removal is complete.
 
Are the infected files just virus files, or infected system and application files?
 
I used the Dr. Web LiveCD to clean up a Virut infection. It only removes the infected portion of the files. The infected .exe files are genuine Windows files with the Virut code injected into them so you can't just delete the files.
 
Google a bit more on Virut, even on this site. You will find that there are people who have been able to remove Virut, HOWEVER, you will also find that they will say the PC was so screwed up afterwards, that they had to nuke and pave.

From my reading a Repair installation of windows will not do anything against Virut.
 
I had a machine with Win32.Virut, and a couple of other infections in the other day, it was amazingly horrible to get rid of (I did not have a Win MCE 2005 disc to N&P... customer was a friend though). I used Dr. Web's CureIT application (installed and ran from UBCD4Win) to detect and remove/cure the Virut infected files.

Since Virut copies itself onto all of the exe's running in the memory that startup after itself that's usually a LOT of exe's.

Following removal with CureIT, I scanned with Avast and Spybot S&D to remove anything else that was lurking.

Once that was repaired had a BSOD on boot, that was luckily fixed by a fixmbr. However, once booted into Windows... Internet Explorer needed a reinstall as did Firefox. I would suggest a nuke and pave really, as I had to inform the customer that I couldn't _guarantee_ the infection was 100% gone. She says she has her MCE 2005 disc somewhere and will return to me once found for a reformat just to be sure :)

Also, I would be wary of using your flash memory stick on an infected machine. Virut is amazingly good at copying itself onto removable drives and network drives so be careful... and good luck :)

EDIT...
You might also want to look at Symantec and AVG's Win32.Virut removal tools, although only the Symantec one worked for me.

ANOTHER EDIT...
Also, once back into the clean installation of Windows (in safe mode) I used HijackThis to remove any rogue registry startup entries (since the rogue EXE is missing these will not run, but best to get rid of them anyway) and hosts file entries (not sure if these were a result of Virut or some other malware). Finally, restarted, another virus scan with Avast and CureIT found nothing, check with HijackThis found nothing odd. Plugged the network cable in, checked internet connection and access to various websites, all okay no redirection. Done :)
 
1+ for slaving the drive and using DrWeb. I have had success this way. I think that you have to tell the client that this is a different type of virus and you cannot guarantee return to perfect operating condition.

IMHO: If we insist on anthropomorphizing computers, there are some viruses that should be reclassified as cancers because of their behavior of turning normal healthy cells and organs (exes and program files) into non-functioning tumors (hijacked exes).
 
Slightly off-topic: AtlanticJim, I love that analogy and am quite tempted to use it to explain what's happened should another system come in with Virut or similar :)
 
These two rarely come only as a pair but are usually accompanied in particular by a myriad of stealth viruses that affect text and html files making even saved data hazardous.
In my experience even if you manage to eradicate everything, the system is so compromised, it will always be a case of fingers crossed and isn't worth doing.

If you do have success it would be brilliant if you could post a blow by blow description of how you did it.
 
I used to say "It's not just a virus, it's Ebola", but I may have to steal this one. :)

As far as Virut goes - there comes a time when cleanup becomes less than cost-effective. If I've put 3+ hours into a machine, it's time to prepare them for a nuke-n-pave (we call it a "fleadip" around here).

For the record, I've never seen a virut infection on any machine running current virus protection.
 
Saw one of these and tons of rootkit detections as well, Sophos Rootkit Remover is being tested to see what it can do with such a mess, looks like it won't solve the problem though at this point. :(
 
If it's as bad off as you say then I think a nuke/pave is necessary. Like another member mentioned it comes down to what's cost effective. Personally I try to figure out in the first hour whether I'm going to continue to try and repair the machine or just back up the data and nuke/pave.
 
boot in administrator mode

run sfc /scannow (system file checker verifies integrity of the entire windows operating system using crc hashes and replaces any files modified by virus or trojan with the original including even DLL files...)

Some of the files might not have been replaced. To see which ones, we need to sort them out of the log and put them into a new file so we don't have to read a book to find the right ones.


Right click command prompt in the start menu under accessories and click 'run as administrator' then if it asks for the admin password - give it to it.

Then type in this command to sort out the string to a new file.

findstr /C:"[SR] Cannot repair member file" %windir%\logs\cbs\cbs.log > c:\stuff.txt

that just put everything into a file called stuff.txt in the root of the c drive.
We have to fix these manually.

in your elevated command prompt just type: notepad.exe c:\stuff.txt

this will open notepad in windows with the list of the ones that sfc could not fix, which of course is the list of the ones we have to fix manually.

Let's say one of those files is named blackbox.dll (which is in every windows)

To replace it type this in your elevated prompt.
EDIT : USE CACLS IN WINDOWS XP NOT ICACLS...
takeown /f c:\windows\system32\blackbox.dll
icacls c:\windows\system32\blackbox.dll /grant Administrators:F
copy d:\temp\mywindowsgoodfiles\blackbox.dll c:\windows\system32\blackbox.dll


Do that with each one that windows could not replace in the list we made in the file and when you are done you have a 100% windows machine.
This procedure works on xp, vista, and windows 7.

Once you are done reboot the pc so that you are running a 100% verified authentic windows o/s and not one where any system files are infected by viruses or trojans. :)

i suggest you also run sigverif - it's used to verify the digitally signed critical files.

EDIT: sigverif and sfc are part of windows xp, vista, and 7.

*** it may also help you to run these: Dial-a-fix, LSPFix, and HijackThis, along with a scanner like Avast (which can do a preboot scan) and some anti-trojan ware like Malwarebytes, Spybot, or Lavasoft's Ad-Aware. :)

**** If you use sfc /scannow or the boot option it will ask for your windows installation cd to get KNOWN good files from.
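As an added example (not code from the thread), a Python script that does the log-triage and manual-replacement steps above in one go: it pulls the "[SR] Cannot repair member file" lines out of a findstr output like stuff.txt, de-duplicates the file names (SFC logs most of them more than once), and prints the takeown/icacls/copy lines for each. The sample log lines and component names are constructed, and the good-files directory d:\temp\mywindowsgoodfiles is the one the post assumes.

```python
import re

# Constructed sample of the lines findstr pulls out of cbs.log (not real log data).
# Component names and versions are placeholders; the duplicate blackbox.dll entry
# mirrors how SFC usually logs an unrepairable file more than once.
SAMPLE_STUFF_TXT = """\
2010-03-01 10:15:02, Info  CSI  00000204 [SR] Cannot repair member file [l:24{12}]"blackbox.dll" of Example-Component-A, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, hash mismatch
2010-03-01 10:15:02, Info  CSI  00000205 [SR] Cannot repair member file [l:24{12}]"blackbox.dll" of Example-Component-A, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, hash mismatch
2010-03-01 10:15:09, Info  CSI  00000221 [SR] Cannot repair member file [l:18{9}]"tcpip.sys" of Example-Component-B, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, hash mismatch
2010-03-01 10:15:10, Info  CSI  00000222 [SR] Verify complete
"""

# The file name is quoted and may be preceded by a CSI length marker like [l:24{12}];
# the owning component follows "of" and runs up to the next comma.
_UNREPAIRED = re.compile(
    r'\[SR\] Cannot repair member file (?:\[l:\d+\{\d+\}\])?"([^"]+)" of ([^,]+),'
)


def parse_unrepaired(log_text):
    """Return [(file_name, component)] for each file SFC could not repair, de-duplicated in order."""
    seen = set()
    result = []
    for line in log_text.splitlines():
        m = _UNREPAIRED.search(line)
        if not m:
            continue
        entry = (m.group(1), m.group(2).strip())
        if entry not in seen:
            seen.add(entry)
            result.append(entry)
    return result


def replacement_commands(file_name, good_dir, system32=r"c:\windows\system32", xp=False):
    """Build the three manual-replacement commands from the post for one file.

    xp=True swaps icacls for cacls, as the post's EDIT says to do on Windows XP.
    """
    target = f"{system32}\\{file_name}"
    grant = (f"cacls {target} /E /G Administrators:F" if xp
             else f"icacls {target} /grant Administrators:F")
    return [f"takeown /f {target}", grant, f"copy {good_dir}\\{file_name} {target}"]


if __name__ == "__main__":
    for name, component in parse_unrepaired(SAMPLE_STUFF_TXT):
        print(f"REM {name} ({component})")
        print("\n".join(replacement_commands(name, r"d:\temp\mywindowsgoodfiles")))
```

Point it at the real stuff.txt with `parse_unrepaired(open(r"c:\stuff.txt").read())` and review the printed commands before running any of them in the elevated prompt.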
 