Hi emicivile,
It is a propagation manner, so use this:
http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/ and leave the file it makes there as a protection against re-infection,
Manual disinfection info I have dug up here, this may be your rescue:
http://www.threatexpert.com/report.aspx?md5=8dc6979d57e456fcd19b7a6d75a463f4
File System Modifications
* The following file was created in the system:
# | Filename(s) | File Size | File MD5
1 | [file and pathname of the sample #1] | 32,768 bytes | 0x8DC6979D57E456FCD19B7A6D75A463F4
* The following files were modified:
o %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
o %System%\ctfmon.exe
o %System%\drivers\etc\hosts
* Notes:
o %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Memory Modifications
* There was a new process created in the system:
Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 45,056 bytes
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
o HKEY_CURRENT_USER\Keyboard Layout\Toggle
o HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies
o HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
o HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr
o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP
o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}
o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile
o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409
o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}
o HKEY_CURRENT_USER\Software\Microsoft\SAPI Layer
o HKEY_CURRENT_USER\Software\Microsoft\Speech
* The newly created Registry Values are:
o [HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}]
+ Enable = 0x00000000
o [HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr]
+ ProfileInitialized = 0x00000001
o [HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar]
+ ExtraIconsOnMinimized = 0x00000001
+ ShowStatus = 0x00000004
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ ctfmon.exe = "%System%\ctfmon.exe"
Other details
* To mark the presence in the system, the following Mutex object was created:
o oleacc-msaa-loaded
* The HOSTS file was updated with the following URL-to-IP mappings:
127.0.0.1 ZieF.pl
#
* The following Host Name was requested from a host database:
o irc.zief.pl
* There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
o %System%\MSCTF.dll
It modifies the registry at the following location to ensure its automatic execution at every Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"TargetHost"
The above registry entry contains IP address and port number information. The virus may then use this information to open a back door on the compromised computer.
If the value in the above registry entry is not available, the virus may open a back door on TCP port 80 using the IRC server ircd.zief.pl.
Additional on Virut.U
The virus uses (Eight Random characters) on the above channel.
The back door allows a remote attacker to download files on to the infected computer and execute them.
This virus first appeared on September 06, 2007.
A rather nasty beast of crap, isn't it,
Ciao,
polonus