Topic: New to Avast - win32:junkpoly[cryp] and win32:virut

essexboy (Malware removal instructor)
Re: New to Avast - win32:junkpoly[cryp] and win32:virut
« Reply #15 on: February 21, 2009, 12:06:58 AM »
Virut is now becoming rampant and, in all honesty, at this stage you must reformat the drive. In the last two weeks I have seen 5 Virut and about 12 Sality, and the ratio is now increasing. Favourite mode of infection: CRACKS and KEYGENS. Get them and you might as well reformat.

HTML injects are now being seen; the bottom line is, if you want to save anything you are in trouble. And it must be a full format. Keep secure backups, but do not use incremental ones unless you are sure you know when you were infected.

polonus (malware fighter)
« Reply #16 on: February 21, 2009, 01:18:49 AM »
Hi essexboy,

Another observation should be made here: arriving via the Internet, this new strain bypasses the Windows Firewall, infects using various infection types and uses more than one layer of encryption. The US seems to be the most affected amongst all other regions as of this posting.
We see a lot of users now going onto the Internet without an active software firewall. This seems to be a more recent trend, and this certainly is not helping here.
Insecure surfing habits, lifting in-browser security like NoScript in Fx, or not scanning with link scanners (like scanning with http://linkscanner.explabs.com/linkscanner/default.aspx ) are also not helping the situation. VIRUX is indeed a notch higher than VIRUT in terms of complexity (which is the cybercriminals' bid for malware persistence and an increasing likelihood of reinfection), so forewarned is forearmed here, because these are rather nasty viruses and recovery stays problematic.

polonus
« Last Edit: February 21, 2009, 01:23:33 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

essexboy (Malware removal instructor)
« Reply #17 on: February 21, 2009, 11:46:52 AM »
Have just been informed of this elsewhere, regarding a deliberate infection removal of Virut:

Quote
I've had a bit more feedback from my two colleagues: the only way they've been able to get rid of it is by running CureIt from a Live CD + replacing files from Recovery Console + running CureIt again + more on-the-fly deletions, depending on what else was on board (often some rootkits) and if/how reinfection occurred. Both agreed it couldn't be done on forums. Not yet anyway, and maybe never. Oh, and now we've been told that Virut creates a few bogus network adapters that can't be removed.

If the infection is partially contained, who knows. If a user has backups and is willing to go a few rounds, maybe... as long as both parties know about the probable outcome.

polonus (malware fighter)
« Reply #18 on: February 21, 2009, 08:18:14 PM »
Hi essexboy,

Here are some manual removal recommendations; see the attached virut manual removal.txt below,
together with the DrWebCureIt removal routine, with the settings for a file-infector and a restart to replace and quarantine:
Virus.Win32.Virut Symptoms:

    * Block bandwidth and internet accessibility
    * Virus.Win32.Virut sets the registry to resume itself automatically at start up
    * Can radically slow down the computer and cause system performance problems, data loss and "blue screen of death"
    * Can't change your desktop wallpaper
    * Unusual windows task manager system processes
    * Disables pop-up blockers
    * Pornographic, casino and other adult related ads

Virus.Win32.Virut Actions:

    * Connects to IRC servers, infects the computer via security holes through e-mail attachments, freeware and messenger programs
    * Win32.Virut logs active security applications, disables anti-virus and firewall
    * Records and sends surfing history and registry information to remote servers
    * Watches system activity

Virut is a file-infector that is rather serious.

1. Download Dr.Web CureIt to your Desktop: cureit.exe from ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
(Preferably from a pendrive/USB stick onto the mentioned PC, after this has been downloaded using a non-infected PC.)

2. Double-click cureit.exe and then click Start in order to start a Quick Scan.
This will first scan all those files that have been loaded into memory at that moment, and when something has been found,
have CureIt repair this.
- Then a window appears with an offer to buy the software at 50% off; make it disappear by clicking the X.

Now the main menu will be visible.
- Choose the language to use at the top if you want to use another language than English.
- Then choose Actions and set for the following options:
Adware: Replace
Dialers: Replace
Jokes: Report
Riskware: Report
Hacktools: Replace
Then untick Prompt at action.
Then click OK.
- Choose Options - Change Settings and untick Heuristic analysis.
- Then click OK.

3. Back in the main window you can select the drives that you want to be scanned.
- Select all drives here. Then a red ball will appear for the drives selected for scanning.
- Then click the green arrow to start the scan.
This will move the infected files to the following folder, %userprofile%\DoctorWeb\Quarantine\,
whenever disinfection fails.
- When the scan has finished, choose File - Save report list. Save this log onto your desktop.
- Close Dr.Web Cureit.

4. Now restart your computer!! This is an important stage, because it may well be that DrWebCureIt needs to replace/remove files during the restart.

After the restart, copy and paste the contents of the log and attach it to your next posting.
But sometimes there is no other option left than a reformat, alas.

polonus
« Last Edit: February 21, 2009, 08:21:51 PM by polonus »

polonus (malware fighter)
« Reply #19 on: February 22, 2009, 05:18:53 PM »
Hi malware fighters,

New manual removal instructions for virut.u:
The following Files were created:

Name              Version   Publisher   Signature (MD5)                    File Size (in KB)
..\SETUPWIN.EXE                         EC89B7E67822BDD277EE71AF0D947B0A   8031
..\rastl.dll                            D7276B3B0C28A687A174D27DDCBF1ED9
..\MYBHO.DLL                            C46335AE09A0CC20D9C21DE394DE7851
..\neos.exe                             2F405055E6C272EE3C6C2F4A9B418739
 The following Registry Entries were created:

polonus
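As an added example (my own code, not polonus's or the thread's): a Python scan that walks a directory tree and reports any file whose MD5 equals one of the four digests listed above, and separately any file that merely carries one of the listed names. The demo tree it builds holds constructed harmless bytes, and the scan root is an assumption you would replace with the suspect drive.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values exactly as posted above, keyed by the dropped file's name.
VIRUT_U_FILES = {
    "SETUPWIN.EXE": "EC89B7E67822BDD277EE71AF0D947B0A",
    "RASTL.DLL": "D7276B3B0C28A687A174D27DDCBF1ED9",
    "MYBHO.DLL": "C46335AE09A0CC20D9C21DE394DE7851",
    "NEOS.EXE": "2F405055E6C272EE3C6C2F4A9B418739",
}
KNOWN_MD5 = frozenset(VIRUT_U_FILES.values())


def md5_of(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_tree(root, known_md5=KNOWN_MD5, known_names=frozenset(VIRUT_U_FILES)):
    """Return sorted (path, reason) pairs for files matching a listed hash or name.
    A hash match is definitive; a name-only match is a lead to examine, since
    a repacked dropper keeps its name but gets a new MD5.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                digest = md5_of(p)
            except OSError:
                continue  # unreadable or locked file: skip it, keep scanning
            if digest in known_md5:
                findings.append((str(p), "md5-match"))
            elif name.upper() in known_names:
                findings.append((str(p), "name-match"))
    return sorted(findings)


def make_demo_tree():
    """Build a constructed sample tree (harmless bytes, not malware); return its root."""
    root = Path(tempfile.mkdtemp(prefix="virut_demo_"))
    (root / "Windows").mkdir()
    (root / "Windows" / "neos.exe").write_bytes(b"MZ constructed sample")
    (root / "Windows" / "notepad.exe").write_bytes(b"MZ harmless constructed file")
    return root
```

Run `scan_tree(make_demo_tree())` to see the name-only hit on neos.exe; point it at a mounted suspect volume to use the real digests.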

waavlater (Guest)
« Reply #20 on: February 24, 2009, 05:56:22 PM »
Hi Polonus

You write:
New manual removal instructions for virut.u:
The following Files were created:
.....................
 
I have this virus, but I don't understand if I need to do manual removal, like "Virut Manual Removal Instructions".

For now, 3 days lost.

polonus (malware fighter)
« Reply #21 on: February 24, 2009, 10:06:40 PM »
Hi waavlater,

At the moment it is not really possible to repair the infected files; as soon as the infection is detected in Safe Mode and with the prescribed method, it is still very questionable whether there is a solution beyond the FFR method, that is, fdisk, format and re-install. The launching of a DrWeb recovery CD is promising, but I haven't seen these results yet.

polonus

MrPlod (Guest)
« Reply #22 on: April 15, 2009, 07:57:11 PM »
I have this virus on a laptop. It is a bitch. FFR did not work - is there somewhere on a Seagate drive that exe files can be stored outside the partition? I disabled restore, did a cold boot to a boot disk and boom, back it came.

killingtime (Guest)
« Reply #23 on: April 16, 2009, 04:03:59 AM »
Quote
I have this virus on a laptop. It is a bitch. FFR did not work - is there somewhere on a Seagate drive that exe files can be stored outside the partition? I disabled restore, did a cold boot to a boot disk and boom, back it came.

You've got to unplug all your external drives.

I'm leaving system restore off and doing incremental disk images to a flash drive as I rebuild.