Win32.Worm.Viking.BU removal help

Hello,

I am using Bitdefender Antivirus Plus v10 wich keeps on detecting files getting created and infected with the virus name Win32.Worm.Viking.BU. I have searched on google about removal guides but in vain. I now hope that you guys could assist me in this.

What happened was that i tried to save some information from a dieing hard drive wich seemed to be infected with this worm. Now i can't get rid of it. It creates copies of allready existing exe files and tries to infect them. For example if i have foo.exe the worm creates foo.exe.exe and tries to inject it with the worm code. Bitdefender seems to block all of these attempts but is unable to find the host program that does this, so i am beeing nagged with the worm detection window over and over.

I have run the "READ & RUN ME FIRST Before Asking for Support" testing phases and will attach the logs i gained.

Please let me know if you need anything else from me in order to help me remove this nagger from my system.

thank you very much.

 

The BitDefender log is pretty much useless, it doesn't detect anything. Only when the host program becomes active and tries to infect files it blocks the infection. And it only infects unused executables. I haven't had any warnings of infections on the system partition ( C: ), only where i keep my junk ( D: ) Might it be a partition unaware worm? Don't know ... it's still active in the background, so it probably hides somewhere in the registry or is started by a system process. or maybe a hidden scheduled task. Anyways ... just thoughts.

I'll attach the Bitdefender scan log to this message, maybe i'm missing something. I scanned all drives with all the options, if there is a scan that can find something it's this one.

Regards.

P.S. Ignore the Keylogger "infections", and the Viking infection stated there is when bitdefenders active protection was disabled. Usually there is nothing found since every infection attempt is blocked

 

The problem is not the taskinfo program. It's a harmless process manager. I had it instaled long before the virus came up. And that exe is the installation kit from it that got infected while bitdefender was inactive.

Sometimes bitdefender acts very weird and i can't see the buttons correctly anymore and i have to kill the process and start it over again. During that time i'm vulnerable to infections ... that's when the taskinfo installation file got infected. But as you can see it has been disinfected. I will attach a new scan log so you can see that this time there are no infections, however from time to time the bitdefender alert keeps popping up about blocking the viking worm. So the host program is still in there and i don't know witch one it is...

You can check on taskinfo just to be on the safe side: http://www.iarsn.com/taskinfo.html

 

If you look carefully at the first bitdefender log you will see that the taskinfo got disinfected, hence, in the second log there is no more infection so no need to delete the kit.

I will attach some screenshots to show you what the active monitor of bitdefender is picking up.

All these *.exe.exe files are blocked so the infection isn't actually spreading. I am also attaching a print screen with total commander showing that these files have 0 bytes.

So the only conclusion i can come up with is that there's a "mother" process that spreads the worm witch is really really well hidden.

............... I just had a crazy idea. I read somewhere while googling that this worm can spread over network shares as well. So might it be that the "mother" process isn't actually on my computer but on my parents one? It is pretty plausible since only files from partition D: (witch is shared) get infected.

I will make a test by putting some executables into a folder on drive c and share it. if those start getting attacked as well i think it's obvious isn't it?

 

and two other screens

 

I did not create those exe files. This is what i've been talking about the whole time. There is a process that creates these files, witch are copies of the original exe files, then probably tries to infect them with the Looked trojan, delete the original then rename the copy to the original name, however since Bitdefender detects the infection process it denies access to the file and it remains with a size of 0 bytes.

I ran a full system scan, (C and D) and Bitdefender couldn't detect anything (except the keylogger).

I also copied some executables into a folder on my desktop to test the network shares infection theory and it seems correct. Suddenly i get infection attempts on those executables as well. In consequence i will attach to this post the logs gathered during the "READ & RUN ME FIRST Before Asking for Support" tests on my parents computer. Maybe the host program is over there (allthough i scanned it with Bitdefender and i still get no results).

I also checked for the specific filenames in that report from symantec however i didn't find them either on my, nor on my parents computer. I'm totally in the dark of what's going on