Mombu the Microsoft Forum

1 4th May 17:48
news.microsoft.com
External User
 
Posts: 1
Default Just managed to catch a virus



Just got a virus called Win32/Virut which AVG caught as it was coming in to
the computer. However, somehow it did manage to infect almost every exe file
in the system32 directory and lots of files in the ntuninstall directories,
all of which were caught and dealt with by AVG as they happened.

After that I ran AVG again a few times and now seem to have cleaned
everything up.

However, I kinda need those exe files for all sorts of purposes.

Tried to run SFC and discovered that even this application was infected, the
exe file corrupted and placed in the Virus Vault.

Does anyone know how to run SFC /scannow from the install CD or from
UBCD4WIN please? Is there some special command line syntax I can use to
replace all those files? I cannot even run sysinfo at the moment although
the OS does seem to be OK. I don't however dare to shut down the computer
in case it won't open up again!

Should I run autopatcher on this computer after this virus to reinstall the
patches with the cleaned up ntuninstall directories where I suspect SFC gets
its updated files?

2 4th May 17:49
carey frisch [mvp]
External User
 
Posts: 1
Default Just managed to catch a virus



Cleaning a Compromised System
http://www.microsoft.com/technet/com...mt/sm0504.mspx

--
Carey Frisch
Microsoft MVP
Windows Shell/User

3 4th May 17:50
leonard grey
External User
 
Posts: 1
Default Just managed to catch a virus


Good link, Carey.

---
Leonard Grey
Errare humanum est

4 15th July 21:26
External User
 
Posts: 1
Default Just managed to catch a virus


http://www.grisoft.com/doc/virbase/u...=Win32%2FVirut

Win32/Virut - Virus Removal tool
http://free.grisoft.com/doc/virus-re...rt/0/ndi/67762

Scan for malware from here:
Spybot Search & Destroy
http://www.safer-networking.org/en/download/index.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (offline scanner):
http://www.bitdefender.co.uk/site/Do...eeRemovalTool/

2- Download the Hijackthis and send the report to one of many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
Any error message, have a look in the event viewer and post them here. HTH.
nass
--------
<www.nasstec.co.uk>
5 15th July 21:26
news.microsoft.com
External User
 
Posts: 1
Default All this link says is that no anti-virus software can ever be guaranteed to work?


Except that what it says is that you can never be sure you have cleaned up a
system after it has been compromised: By extension it also means that you
can never clean up a system after it MIGHT have been compromised. Let's
think for a moment about that statement in the light of never knowing FOR
SURE when your system might have been compromised because the writer of the
virus will have taken steps to ensure that his compromising your system will
have remained hidden?

This link (in the circumstances of my statement that AVG had caught the
virus and dealt with all its effects) just says that everyone should flatten
and rebuild every Windows system every so often because no one can ever be
sure that their anti-virus software has always caught every virus as it has
come in or dealt with it successfully every time one did come in. (and of
course, you can never rely on backups)

If you assume the line of reasoning is reasonable, the only conceivable
meaning of this page (which is surprisingly on a Microsoft site!) is that
just to be on the safe side, all nervous users must go over to a Linux based
operating system immediately for fear [if nothing else] of someone dreaming
up a virus and their catching it before A-V companies can detect it???
Then they will at least be sure in the knowledge that there simply AREN'T
any Linux viruses out there which could do what Windows viruses do (until
some are created).

I think I will try nass's references before I go over to Linux or whatever
new flavour of Darwin is out there.
6 15th July 21:37
External User
 
Posts: 1
Default Just managed to catch a virus


Avast is a good Anti-Virus program. After installing it, I haven't had any
problems for several months. To make sure that your computer is safe after
you fix this problem, you could install other Anti-Malware programs like a
Firewall and Anti-Spyware.
7 15th July 21:37
news.microsoft.com
External User
 
Posts: 1
Default Just managed to catch a virus


Many thanks for your very complete answer (except that I have had a report
out there on BleepingComputer for over a week and no one has found anything
worth responding to in it). But what about my original question concerning
simply how to get those exe files back again and whether I should just
delete all of the ntuninstall directories and run AutoPatcher until I can run
SFC /scannow? Or how do I run SFC /SCANNOW from a CD please?
8 15th July 21:37
news.microsoft.com
External User
 
Posts: 1
Default Just managed to catch a virus


One of the reasons I wanted an answer to my question about making sure I had
the proper files on my computer identified by System File Checker is that
while this virus WAS caught by AVG, I do also have Spybot and Adaware on the
system.

Incidentally one of the properties of this particular virus is that it isn't
stopped by firewalls (I have a hardware one). No other computer on my
network shows any ill effects arising from infection.
9 15th July 21:37
External User
 
Posts: 1
Default Just managed to catch a virus


Hi,
This Virus/Worm creates a Winlogon.exe which is difficult for the Firewall
or the AV to block, as it thinks it is the real winlogon.exe for Windows,
located here:
C:\Windows\System32
and also in the i386 directory.
If you search for this process and right-click on it, see the info
provided in the Properties window.

Try System Restore to an earlier date before the infection took place
(hopefully the Restore Points are not infected?).
When AVG detected the files/.EXEs, did you tell it to Delete or Fix/Repair
the files?
This virus is difficult to get rid of if it has been duplicated on your system
and is infecting the very deep core of the system (exe, nls, ini etc). The NT$ are
the uninstallers for the updates; if you delete them you will not be able to
remove any of the updates installed from MS.
System File Checker (SFC) will not help at this stage of disinfecting the
machine. Try the restore points and try other scanners, and don't delete the
.EXEs for known applications/system files; select Repair/Restore or disinfect.
You may end up performing a Clean Install of the OS. If you go with
this option, please make sure any CDs/DVDs or removable storage are scanned before
recopying the data to the system. Also, you will need a proper Firewall. Why do you
have only a Hardware Firewall and not a software one as another line of defence?
Hardware is difficult to set up and to cope with new threats, unlike software,
which is up to date and easy to manage.
I cannot see your Log on bleepingcomputer to see what has been done or tried!
HTH.
nass
10 15th July 22:04
anteaus
External User
 
Posts: 1
Default Just managed to catch a virus


http://www.grisoft.com/doc/virbase/u...=Win32%2FVirut

There is a repair utility. However this malware looks like a bad one, that
does extensive damage. Think my course of action would be a boot from DOS and
complete wipe. You could save data files first as it only attacks .exes.
Copyright © 2006 SmartyDevil.com - Dies Mies Jeschet Boenedoesef Douvema Enitemaus -