What is best tool to remove Virus:Win32/Virut.EPO


  • Please log in to reply
8 replies to this topic

#1 subby6

  • Members
  • 61 posts
  • Local time:06:40 AM

Posted 12 February 2014 - 04:37 AM

What is the best way or removal tool to clean a computer that has the virus "Virus:Win32/Virut.EPO"? Customer won't let me take his computer off site to diagnose. I've done a quick search; some sites/forums suggest format and reinstall. Some suggest the AVG removal tool or ESET online scan.

I've tried the ESET online scan, but cannot get it to update. AVG is the current AV atm on his PC. It disinfects hundreds of *.exe files on startup of Windows each time, but doesn't find the file spreading the virus.

Basically I need a tool or programs that can detect this virus, clean the infections, and remove the file causing it.




#2 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:06:40 AM

Posted 12 February 2014 - 05:29 AM

Hello -

This is the Microsoft version -

From the F-Secure Anti-Virus page, this is the Virus:W32/Virut family description:
Variants in the Virut family are polymorphic, memory-resident, appending file infectors that have Entry Point Obscuring (EPO) capabilities.
Viruses belonging to this family infect files with .EXE and .SCR extensions. All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.

And this is the version from AVG -
If the infected computer is connected to a LAN, disconnect it and re-connect only after all other computers have been checked and cleaned.

Download the executable file rmvirut.exe
Then run the tool for removal of infected files. The tool will automatically scan all available discs and will try to heal the infected files. If an active virus is found in memory, the tool will ask the user to reboot the computer. Healing will be performed during the operating system boot-up sequence, so any active virus cannot interfere with the healing process.

Update your AVG after restart and run a complete test.

I would not do this personally, but leave it up to our Experts to handle it fully.

It is not just a simple one step operation -

Any other information, you can only Google it -



#3 subby6 (Topic Starter)

  • Members
  • 61 posts
  • Local time:06:40 AM

Posted 12 February 2014 - 05:49 AM

Thank you for your quick response. I will try the AVG removal tool while disconnected from the Internet, and see if it clears it. If it seems fine, I will then do some online scans to make sure it is clean before reconnecting to the Internet.



#4 DASOS (Malware hunter)

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:10:40 PM

Posted 12 February 2014 - 07:44 AM

More info!!

IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan.

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for taxes, email, eBay, PayPal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet, has to say: Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



#5 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:40 PM

Posted 12 February 2014 - 10:24 AM

> What is the best way or removal tool to clean a computer that has the virus "Virus:Win32/Virut.EPO"...Basically need a tool or programs that can detect this virus, clean the infections, and remove the file causing it.

I do not know of any security vendor who will guarantee complete removal of file infectors, since they cannot ensure that some files will not get corrupted during the disinfection process. This means that infected executables and system files can become unusable after attempting to repair them, and afterward there is still no guarantee the virus is really gone. Since many of the affected files are legitimate critical files required by the operating system, deletion is not a viable option. Even many anti-virus vendors admit that some malicious programs like file infectors cannot be properly disinfected by their products.

File infectors are not on the top of their popularity nowadays (there's not a wide variety of them ITW, but the few active such as Sality or Virut are difficult to defeat). One reason is the frequency of their updates and the complexity of their polymorphism; another reason is the fact that these viruses are not perfectly tuned. If the file infector should be successful (and transparent to the normal system behavior), it simply should not produce corrupted files (the process crashes will quickly point out what's going on). I will show you some examples of bugs in file infectors (below in this article). The problem is that these bugs often make the infected binaries uncurable...

avast: Buggy file infectors

...You can see some tools claiming they're able to clean even the most complex infections, but believe me, there's no guarantee to restore the system to its original state. A cleaned file (in my opinion) means a file that has no malicious functionality and does not contain any (even inactive) traces of the infection. My daily practice offers me many files cleaned from the Virut infection with some 3rd party tools, but they still contain significant parts of the infection and are thus detected by our engine....

avast: File infectors part 2

...it is quite interesting to look at modern day polymorphic viruses and whether their propensity to junk files is wholly by accident or whether there is the occasional element of intent involved...a mass infection that leaves behind a large number of irreparably corrupt files can still be very damaging. Some members of the Virut/Vetor family will randomly choose not to leave an infection marker after infection. This leaves the way open to multiple infections (more headaches for anti virus companies) but also increases the chances that the end file will be corrupt...

Sophos: To Junk Or Not To Junk

...In many cases, files cannot simply be deleted as this would affect the stability or even basic functionality of the operating system and other software. Instead, the infected host program must be disinfected by removing the virus code from it and by carefully restoring the original contents and file structure if possible. This means detection and removal are still an issue for antivirus software....

Avira: Cleaning polymorphic infected files

The suggestions in this article are not intended to 100% guarantee removal of all threats...The file infector employs a technique to make sure its corrupted .DLL format will replace the targeted extensions found within the system. When the computer is rebooted it incidentally boots the infected file and continues its advancement throughout the system...

Norton (Symantec): File infector

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files...it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG: polymorphic infector

...you can try via rescue cd, or slave mounted hard drive. but there's no guarantee that some files won't get corrupted through the disinfection process.

Kaspersky: file infector

...for infected users we have to offer no hope - fdisk - format and re-install is the only solution open to them...

avast: a file infector and why we cannot give false hope!

There are no guarantees when it comes to malware removal and dealing with file infectors, as severity of damage will vary. In my experience, users may find their system performing better for a short time after attempted disinfection, only to have it become progressively worse again as the malware continues to reinfect thousands of files. Some folks will try every tool or rescue disk they can find in futile attempts to repair critical system files. If something goes awry during the malware removal process the computer may become unstable or unbootable and you could lose access to all your data. In the end most folks end up reformatting out of frustration after spending hours (and days) attempting to repair and remove the infected files.

That's why most security experts say the best course of action is to wipe the drive clean, reformat and reinstall the OS.

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

miekiemoes' Blog: Virut and other File infectors - Throwing in the Towel?

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
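A baseline-and-compare check in the spirit of the posts above (an added example, not code from the thread or from any vendor tool it names): it snapshots the .EXE/.SCR files that the F-Secure description says Virut targets and reports which ones grew or changed against a known-clean snapshot, which is the kind of evidence behind the "no way to be sure it is clean" argument. The directory layout, file names and contents are constructed for the demo.

```python
"""Snapshot .exe/.scr files and compare against a clean baseline (added example)."""
import hashlib
import os
import tempfile

# Extensions named in the F-Secure description quoted in this thread
WATCHED_EXT = {".exe", ".scr"}


def snapshot(root):
    """Map relative path -> (size, sha256) for every watched file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def compare(baseline, current):
    """Classify each watched file against the clean baseline."""
    report = {"grown": [], "changed": [], "missing": [], "new": []}
    for rel, (size, digest) in sorted(current.items()):
        if rel not in baseline:
            report["new"].append(rel)
        elif baseline[rel][1] != digest:
            # An appending infector leaves the same file larger with a new hash;
            # any other hash change is still a file that is not the clean one.
            bucket = "grown" if size > baseline[rel][0] else "changed"
            report[bucket].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo():
    """Constructed sample: a fake clean tree, then one file gets bytes appended."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("calc.exe", b"MZ clean calc"),
                           ("ss.scr", b"MZ saver"),
                           ("readme.txt", b"not a watched extension")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        base = snapshot(root)
        with open(os.path.join(root, "calc.exe"), "ab") as fh:
            fh.write(b"<constructed appended bytes>")  # stands in for appended code
        with open(os.path.join(root, "ss.scr"), "wb") as fh:
            fh.write(b"MZ savr")  # rewritten, not appended
        return compare(base, snapshot(root))
```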

#6 subby6 (Topic Starter)

  • Members
  • 61 posts
  • Local time:06:40 AM

Posted 12 February 2014 - 06:50 PM

Interesting read.... If it was my computer I would format and reinstall, as I have a backup of my personal files already. I've suggested to the customer that a format and reinstall will work best. But he does not want to do that; he has got it in his head from friends that infected files can be cleaned and restored back to original condition.

My plan is to back up the contents of his drive, maybe through a clone disc. Then run AVG's Virut removal tool on his HD, check the log file to see which files were cleaned and see if any files were removed or quarantined. Reboot the computer and see if Windows will still load, and then run the scan again. Then perform some malware checks and run a couple of online scanners. If it is working well then, and no personal files were removed, format the backup drive.

Customer thinks it's a fake virus, and has since uninstalled his AV and continued to work on his PC and says it's running smoothly.



#7 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:40 PM

Posted 12 February 2014 - 07:44 PM

"You can enlighten someone with knowledge but you can’t make them use it."

You did your job doing that....Good luck.

#8 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:06:40 AM

Posted 13 February 2014 - 02:16 PM

Hello -

  • If you need assistance, please fully read and follow the instructions in the Preparation Guide starting at Step #6.
  • When you have done that, start a new topic and post the required logs to the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. They may be able to help you to remove most of the infection.
  • NOTE: If you are unable to complete any step, just post the topic and leave a full description of your problems.
  • Please use Copy / Paste for your responses, and do not attach them unless your helper requests this.
  • If Help Bot responds to your topic, please follow his Step #1 so the team will be notified.
  • After adding your new topic, please reply back in this thread with a link to the new topic so we can close this one.


#9 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:40 PM

Posted 13 February 2014 - 03:45 PM

We are not going to spend our time in the Malware Removal Logs forum trying to disinfect Virut. As miekiemoes states, dealing with such infections is a waste of time.

Users who do post there generally receive a variation of the canned reply posted by DASOS, which I specifically created for our MRT when addressing file infectors.

subby6 suggested his customer format and reinstall. Since they are unwilling to listen to him, I doubt they will listen to us when we tell them the same thing.