by   May 18 2011   
Virus found Win32/Virut: this Virut could lead to your first format and reinstall. For years we were able to remove just about all viruses without having to format and reinstall the operating system. Data-encryption viruses were basically the only ones on our reinstall list. Now Virut viruses have joined the list.

Virus found Win32/Virut: this is one bad virus type.

This is going to be a long post for two reasons.
I want to make sure hundreds of people read this, and I want to make sure I give you all the information you need to make your life after Virut a little less stressful.

First of all, you should read a little about the Virut virus.
After you read about Virut viruses, change your thinking from virus removal to reinstalling your OS: fdisk /mbr, format and reinstall.

What you can do with a Virut-infected system.

1. You can save all your documents, data, MP3s, movies, pictures etc.
As long as the file isn't an .exe or .scr you are good to go.

The problem with the Virut virus is you don't have many chances to play games with it.

Get your CD/DVD Burner going while you have a chance.

Here's how my evening went with an Acer Aspire One.

At first the system acted normally.
Everything was working just fine.
The antivirus and firewall from McAfee were running and not once gave notice of the Virut infecting every executable file it could find.

I knew there was a problem when Regedit was gone.
The file was in the directory, but it opened the Internet Connection Wizard and not the Registry Editor.

From that point I thought it might be good to scan the drive from a different computer.

I connected things up to the network and started a scan on the drive in the little Acer Aspire.

This is what AVG version 9 found.

(Look near the bottom of the post for the virus list. By the way, McAfee Security Center was still running but must have been infected by the virus because it didn't detect any issues.... infected, sure it was.. ha. It's about the worst AV you could find, in my opinion, and second only to Norton.)

If you search you should find several good articles about this Virut type of virus.

Two articles I'll point out should help. I was never one to format and reinstall the OS because I always seemed to find a way to correct the virus issues. But this time it was beyond what I was willing to do.

Once I saw Regedit and Notepad infected, and the downloader had changed the Administrators group policy, which locked me out of everything you would need to do to clean up a system, I was convinced it was fdisk /mbr, format and install time.

After 3 hours of attempts, the format cured things up just fine.

Reading:
(I don't link to blogs often, but this one is easy to read and to the point.)
1. Miekiemoes: Toss in the Towel When You See Virut.

2. Parasitic Infection

I'm sure there are other blogs and articles that are just as good if not better but there's no time.

Now, the steps you can take and the methods I took.

I have a network computer designed to collect viruses and that's the one I used to create a backup of the My Documents Folder.

Copy everything you can in your My Documents Folder over to a CD/DVD or Flash Drive that you will later scan again after you setup your computer.

DO NOT PUT ANY FILE THAT WAS ON YOUR INFECTED COMPUTER ON ANOTHER SYSTEM!!

Not until you are 100% sure you didn't back up an infected file. This means you need to rescan the files with CA or AVG after you reinstall everything.

Like I said, I have a system that I use just for virus removal and it gets formatted every time I use it.

Once you have all your files, including your tax returns, QuickBooks DB and anything else that doesn't have an .EXE or .SCR extension, you are set to go.

Start your format and install a fresh copy of Windows.
Don't do anything with System Restore; chances are, as I found, the System Restore .exe was infected.


DO NOT copy any ZIP, SCR or EXE file!!!

You might find a file in your My Documents folder called a.bat,
or ???.bat.
Don't even think about copying any .bat files to your backup, and if you do, delete it.

I found a.bat in the My Documents folder, and it was the manual-launch VB script of yet another virus.
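The backup rules above (copy documents, never copy .exe, .scr, .bat or .zip, rescan the backup after the reinstall) can be enforced by a small script rather than by hand. The example below is added here and is not code from the post; it walks a documents folder, refuses anything with a blocked extension, and, as an extra check the post does not mention, also refuses any file that starts with the "MZ" header of a Windows executable regardless of its name, since a file infector like Virut targets executables. It writes a SHA-256 manifest beside the copied files so the backup can be verified and rescanned later. The folder names and file contents in `demo()` are constructed sample data, not files from the infected Acer.

```python
import hashlib
import os
import shutil
import tempfile

# Extensions the post says never to carry over from an infected machine.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".zip"}

# Added check (assumption of this example, not from the post): every Windows
# executable starts with the DOS "MZ" header, so a .doc or .jpg that begins
# with "MZ" is an executable in disguise and is refused too.
PE_MAGIC = b"MZ"


def is_blocked(path):
    """Return a reason string if the file must not be backed up, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    with open(path, "rb") as fh:
        if fh.read(2) == PE_MAGIC:
            return "PE header (MZ) despite extension " + (ext or "<none>")
    return None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_documents(src_dir, dst_dir):
    """Copy allowed files from src_dir to dst_dir; return (copied, skipped).

    copied:  list of (relative path, sha256) also written to MANIFEST.sha256,
             so the backup can be rescanned and verified after the reinstall.
    skipped: list of (relative path, reason) for the files left behind.
    """
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            reason = is_blocked(full)
            if reason:
                skipped.append((rel, reason))
                continue
            target = os.path.join(dst_dir, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)
            copied.append((rel, sha256_of(target)))
    with open(os.path.join(dst_dir, "MANIFEST.sha256"), "w") as fh:
        for rel, digest in copied:
            fh.write(f"{digest}  {rel}\n")
    return copied, skipped


def demo():
    """Build a constructed My Documents tree in a temp dir and back it up."""
    src = tempfile.mkdtemp(prefix="mydocs_")
    dst = tempfile.mkdtemp(prefix="backup_")
    samples = {                                   # constructed sample files
        "taxes/return2009.pdf": b"%PDF-1.4 sample",
        "music/song.mp3": b"ID3 sample",
        "photos/cat.jpg": b"\xff\xd8\xff sample",
        "a.bat": b"@echo off\r\nrem constructed stand-in, not the real a.bat",
        "renamed.doc": b"MZ\x90\x00 constructed PE header under a .doc name",
        "tools/helper.exe": b"MZ constructed",
    }
    for rel, data in samples.items():
        p = os.path.join(src, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
    return backup_documents(src, dst)


if __name__ == "__main__":
    copied, skipped = demo()
    for rel, digest in copied:
        print("copied ", rel, digest[:16])
    for rel, reason in skipped:
        print("skipped", rel, "-", reason)
```

Run it against the real My Documents path and a flash drive instead of the temp dirs; the MANIFEST.sha256 it leaves on the drive is what you check the files against once they have been rescanned on the rebuilt machine.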


Below is the group of files that this virus (Virut) infected.
Yes, this system, protected by McAfee, allowed the downloader to do its thing.
It would have kept going if I hadn't taken it offline and scanned it with AVG over my network.
(It allowed me to set C: as a shared drive. I was lucky.)


--------------------------------------------------------------------------------

"Infection";"Virus found Win32/Virut";"C:\Acer\Empowering Technology\eRecovery\MBRwrWin.exe";"";"11/7/2009, 10:06:42 PM"
"Infection";"Virus found Win32/Heur";"C:\Pathways\WFMGR\BkupRest.exe";"";"11/8/2009, 12:11:39 AM"
"Infection";"Virus found Win32/Heur";"C:\Pathways\WFMGR\CustomProfile.exe";"";"11/8/2009, 12:12:00 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe";"";"11/8/2009, 12:33:42 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe";"";"11/8/2009, 12:34:08 AM"
"Infection";"Virus found Win32/Virut";"C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe";"";"11/8/2009, 12:34:44 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe";"";"11/8/2009, 12:34:45 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Java\jre1.5.0_09\bin\java.exe";"";"11/8/2009, 12:42:11 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Microsoft Works\wksss.exe";"";"11/8/2009, 1:01:12 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe";"";"11/8/2009, 1:09:32 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe";"";"11/8/2009, 1:09:40 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe";"";"11/8/2009, 1:09:50 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe";"";"11/8/2009, 1:09:59 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe";"";"11/8/2009, 1:10:07 AM"
"Infection";"Virus found Win32/Virut";"C:\Program Files\Windows NT\hypertrm.exe";"";"11/8/2009, 1:28:07 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Windows NT\Pinball\PINBALL.EXE";"";"11/8/2009, 1:28:08 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Xactware\Xactimate25\CORE\timer.exe";"";"11/8/2009, 1:29:48 AM"
"Infection";"Virus found Win32/Heur";"C:\Program Files\Xactware\Xactimate25\CORE\x.exe";"";"11/8/2009, 1:29:57 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\$NtUninstallKB942763$\tzchange.exe";"";"11/8/2009, 1:41:02 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\AMove.exe";"";"11/8/2009, 1:42:07 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\APanel.exe";"";"11/8/2009, 1:42:15 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\HideWin.exe";"";"11/8/2009, 2:04:14 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\ie7\ie4uinit.exe";"";"11/8/2009, 2:04:32 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\ie7\mshta.exe";"";"11/8/2009, 2:05:43 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\ie7\spuninst\ieResetIcons.exe";"";"11/8/2009, 2:07:29 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\Installer\{6D52C408-B09A-4520-9B18-475B81D393F1}\_9FA356B1395F_4530_8CB3_946ED0B3291E.exe";"";"11/8/2009, 2:49:13 AM"
"Infection";"Virus found Win32/Parite";"C:\WINDOWS\isvchost.exe";"";"11/8/2009, 2:49:51 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\msb.exe";"";"11/8/2009, 3:00:32 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\regedit.exe";"";"11/8/2009, 3:02:16 AM"
"Infection";"Virus found Win32/Parite";"C:\WINDOWS\sv1.exe";"";"11/8/2009, 3:11:07 AM"
"Infection";"Trojan horse Downloader.Generic8.BZRC";"C:\WINDOWS\system32\10.tmp";"";"11/8/2009, 3:11:15 AM"
"Infection";"Trojan horse Downloader.Generic8.BZRC";"C:\WINDOWS\system32\21.tmp";"";"11/8/2009, 3:11:16 AM"
"Infection";"Trojan horse Downloader.Generic8.BZRC";"C:\WINDOWS\system32\23.tmp";"";"11/8/2009, 3:11:17 AM"
"Infection";"Trojan horse Downloader.Generic8.BZRC";"C:\WINDOWS\system32\4F.tmp";"";"11/8/2009, 3:11:17 AM"
"Infection";"Trojan horse Downloader.Generic8.BZRC";"C:\WINDOWS\system32\A3.tmp";"";"11/8/2009, 3:11:19 AM"
"Infection";"Trojan horse Downloader.Generic8.BZRC";"C:\WINDOWS\system32\C.tmp";"";"11/8/2009, 3:14:05 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\calc.exe";"";"11/8/2009, 3:14:18 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\charmap.exe";"";"11/8/2009, 3:15:35 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\clipbrd.exe";"";"11/8/2009, 3:16:13 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\control.exe";"";"11/8/2009, 3:18:01 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\DRVSTORE\SuYinCam_AEAE9A213C80BB325BA4C08C6A7AA35277D68680\M3000LAp.exe";"";"11/8/2009, 4:20:16 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\dwwin.exe";"";"11/8/2009, 4:21:21 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\freecell.exe";"";"11/8/2009, 4:23:29 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\fxsclnt.exe";"";"11/8/2009, 4:24:13 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\GPhotos.scr";"";"11/8/2009, 4:25:44 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\ie4uinit.exe";"";"11/8/2009, 4:27:21 AM"
"Infection";"Trojan horse BHO.JEW";"C:\WINDOWS\system32\iehelper.dll";"";"11/8/2009, 4:27:33 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\mshearts.exe";"";"11/8/2009, 4:37:28 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\mspaint.exe";"";"11/8/2009, 4:39:58 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\narrator.exe";"";"11/8/2009, 4:42:20 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\notepad.exe";"";"11/8/2009, 4:43:44 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\opeia.exe";"";"11/8/2009, 4:45:58 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\Restore\rstrui.exe";"";"11/8/2009, 4:51:21 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\Restore\srdiag.exe";"";"11/8/2009, 4:51:22 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\rundll32.exe";"";"11/8/2009, 4:51:55 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\runonce.exe";"";"11/8/2009, 4:52:04 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\sndvol32.exe";"";"11/8/2009, 4:54:25 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\sol.exe";"";"11/8/2009, 4:54:39 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\userinit.exe";"";"11/8/2009, 4:59:00 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\W1NL0g0.exe";"";"11/8/2009, 5:00:25 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\wbem\wmiprvse.exe";"";"11/8/2009, 5:02:13 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\wiaacmgr.exe";"";"11/8/2009, 5:02:42 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\wmdtc.exe";"";"11/8/2009, 5:04:36 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\Temp\106464013.exe";"";"11/8/2009, 5:08:28 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\Temp\106648415.exe";"";"11/8/2009, 5:08:42 AM"
"Infection";"Trojan horse Generic14.CHCR";"C:\WINDOWS\Temp\106834317.exe";"";"11/8/2009, 5:08:42 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\dgbA8.tmp";"";"11/8/2009, 5:09:01 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\dpbC6.tmp";"";"11/8/2009, 5:09:02 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\fpa1.tmp";"";"11/8/2009, 5:09:04 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\gba12.tmp";"";"11/8/2009, 5:09:05 AM"
"Infection";"Trojan horse PSW.Generic7.AFSY";"C:\WINDOWS\Temp\gdifhd.dll";"";"11/8/2009, 5:09:06 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\jqa1.tmp";"";"11/8/2009, 5:09:14 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\lkbC5.tmp";"";"11/8/2009, 5:09:16 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\mrbC8.tmp";"";"11/8/2009, 5:09:29 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\sebC3.tmp";"";"11/8/2009, 5:09:39 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\vmb28.tmp";"";"11/8/2009, 5:10:40 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\zbe28.tmp";"";"11/8/2009, 5:10:59 AM"
"Infection";"Virus identified Win32/Parite";"C:\WINDOWS\Temp\ztb54.tmp";"";"11/8/2009, 5:11:01 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\winhlp32.exe";"";"11/8/2009, 5:11:40 AM"
"Infection";"Trojan horse Downloader.Generic9.KMT";"C:\WINDOWS\isvchost.exe";"";"11/8/2009, 5:20:17 AM"
"Infection";"Trojan horse Downloader.Delf.DHP";"C:\WINDOWS\sv1.exe";"";"11/8/2009, 5:20:18 AM"


--------------------------------------------------------------------------------
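The AVG report above is semicolon-separated with every field quoted, so it parses cleanly with a CSV reader. The example below is added here and is not the post's code: it reads rows in that format, tallies detections by family, and lists which core Windows binaries were hit, which is the evidence behind the post's format-and-reinstall call. The sample rows are copied from the report above; the list of "core" binaries and the reinstall rule of thumb are this example's own assumptions.

```python
import csv
import io
import ntpath
from collections import Counter

# Rows taken from the AVG report above: five quoted, semicolon-separated
# fields (status; detection; path; unused; timestamp).
SAMPLE_REPORT = r'''"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\notepad.exe";"";"11/8/2009, 4:43:44 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\regedit.exe";"";"11/8/2009, 3:02:16 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\userinit.exe";"";"11/8/2009, 4:59:00 AM"
"Infection";"Virus found Win32/Virut";"C:\WINDOWS\system32\Restore\rstrui.exe";"";"11/8/2009, 4:51:21 AM"
"Infection";"Virus found Win32/Parite";"C:\WINDOWS\isvchost.exe";"";"11/8/2009, 2:49:51 AM"
"Infection";"Trojan horse Downloader.Generic8.BZRC";"C:\WINDOWS\system32\10.tmp";"";"11/8/2009, 3:11:15 AM"
"Infection";"Trojan horse BHO.JEW";"C:\WINDOWS\system32\iehelper.dll";"";"11/8/2009, 4:27:33 AM"
"Infection";"Virus found Win32/Heur";"C:\WINDOWS\system32\W1NL0g0.exe";"";"11/8/2009, 5:00:25 AM"
'''

# AVG puts a verdict phrase in front of the family name.
VERDICT_PREFIXES = ("Virus found ", "Virus identified ", "Trojan horse ")

# File infectors patch executables in place, so a hit on one of these means
# the binary itself is now malware. Both sets are assumptions of this example
# (names chosen from the report above); Win32/Heur is a heuristic verdict and
# is counted but not treated as a confirmed infector.
FILE_INFECTORS = {"Win32/Virut", "Win32/Parite"}
CORE_BINARIES = {"userinit.exe", "winlogon.exe", "explorer.exe", "regedit.exe",
                 "rstrui.exe", "notepad.exe", "rundll32.exe", "control.exe",
                 "mshta.exe", "wmiprvse.exe"}


def parse_report(text):
    """Parse AVG's quoted, semicolon-separated rows into dicts."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    rows = []
    for fields in reader:
        if len(fields) < 5:          # blank or truncated line
            continue
        status, detection, path, _unused, when = fields[:5]
        rows.append({"status": status, "detection": detection,
                     "path": path, "when": when})
    return rows


def family_of(detection):
    """'Virus found Win32/Virut' -> 'Win32/Virut';
    'Trojan horse Downloader.Generic8.BZRC' -> 'Downloader'."""
    name = detection
    for prefix in VERDICT_PREFIXES:
        if detection.startswith(prefix):
            name = detection[len(prefix):]
            break
    return name.split(".")[0]


def summarize(rows):
    """Tally families, list infected core binaries, apply the reinstall rule."""
    families = Counter(family_of(r["detection"]) for r in rows)
    # ntpath handles the Windows paths even when this runs on another OS.
    names = [ntpath.basename(r["path"]).lower() for r in rows]
    core_hits = sorted({n for n in names if n in CORE_BINARIES})
    infector_present = any(family_of(r["detection"]) in FILE_INFECTORS
                           for r in rows)
    # Rule of thumb from the post: a file infector on the box plus core OS
    # binaries hit means format and reinstall, not cleanup.
    return {"families": families, "core_hits": core_hits,
            "reinstall": infector_present and bool(core_hits)}


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for family, count in report["families"].most_common():
        print(f"{count:3}  {family}")
    print("core binaries hit:", ", ".join(report["core_hits"]))
    print("reinstall:", report["reinstall"])
```

Feed it the full list above (AVG's exported history has the same layout) and the family counts make the point faster than reading 80 rows: once userinit.exe, regedit.exe and rstrui.exe are on the list, there is nothing trustworthy left to clean from.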

 


Some noteworthy comments:
The group policies were modified.
The Administrators account was nothing more than a USER, but the virus was still allowed enough control that it was able to install and modify SYSTEM32 files.

Format this virus and don't think twice.

Follow the next threads on how to backup your system for a full reinstall.

One more note: find a firewall like TinySoftware Personal Firewall.
I have yet to see it fail to stop a trojan downloader connection.
It would have warned you about the IRC channel connection, which could have saved this system .. maybe.
But personal firewalls need to be better than what the bundled security centers offer. I'll be testing a few against this type of virus in the near future to see whether any actually block the downloaders.

 
