Almost got rid of it

cpmer

Senior member
Jan 22, 2005
540
0
0
I've been working on getting rid of the Virut/reader_s virus for a few days now. So far I have removed all the reader_s files and all the weird .exe files in the system32 and temp folders. These haven't come back. My last remaining problem is that explorer.exe is infected. I tried doing a repair install, but it just came back again, using 50-plus megs of memory.

Also, when I boot up my PC, just before I get the welcome screen, I get this error message: http://imagebin.org/46427 I have no idea which svchost.exe is causing that. I've got like 6 or 7 of them running. I'm using Process Explorer, but I'm new to it and don't know what I'm doing.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
You may never succeed. Virut is the consummate parasite... as long as it exists, its symbiote-corrupted EXE will exist. But if Virut is expunged, the corrupted EXE is simply corrupted... and explorer.exe IS Windows. Once it's dead, your machine is dead.

Try this. But don't spend too much more time on it. Time is money. And in the back of your mind (and your registry...), you'll always wonder if it's still lurking, waiting, salivating... an image drop will save you tons of time and give you peace of mind.
 

cpmer

Senior member
Jan 22, 2005
540
0
0
Slugbait, yeah, I've tried that. It was pretty much worthless. rmvirut didn't find one infected file, lol. The best part was watching it scan the temp folder, which at one time was filled with Virut files. Right now my machine is far better off than it was. It's just this last stretch of trying to find the remaining culprit files which is proving to be tough. My line of thinking was to somehow examine explorer.exe and find where it's receiving its commands from. If someone can help me find how to do that, then I think I could knock this thing out.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: cpmer
...and find where its receiving its commands from.

It's polymorphic; what works for one will not work for another. I hate to say it, but everyone is on their own with this one. You can spend days in regedit and still have it. Seriously, save yourself time by dropping an image. If you don't have an image, get all of your install discs and do it all again.

...then make an image.

 

WT

Diamond Member
Sep 21, 2000
4,816
59
91
So what are the telltale signs to let you know you have this beast on your PC ?
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: WT
So what are the telltale signs to let you know you have this beast on your PC ?

None; it's the same old stuff: performance drop, RAM hog, disk thrashing, occasional BSOD, etc. Nothing unusual. The primary function of Virut is to allow the author to remotely install other malware on your machine, and those infections would have telltale signs, but of course you're chasing the wrong duck... getting rid of those doesn't stop them from being re-installed.

If your HOSTS file contains a URL like ircd.zief.pl using port 80, that's a dead giveaway. You can probably see it at work in NetMon. The only way to know for certain that you have Virut is to look for reader_s.exe in your HijackThis results.
 
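The HOSTS-file indicator Slugbait describes is straightforward to check mechanically. The script below is an added example, not part of the original thread: it parses a Windows HOSTS file and flags the entries worth a second look. The ircd.zief.pl name is the one given in the post; the sample file contents, the other hostnames in it and the benign list are constructed for illustration.

```python
"""Scan a Windows HOSTS file for entries that point at a file infector's
IRC host or that sinkhole other sites.  Added example, not from the thread.

Assumes the standard HOSTS format (%SystemRoot%\\System32\\drivers\\etc\\hosts):
one "<ip> <hostname> [alias ...]" entry per line, '#' starts a comment.
"""
import ipaddress
import sys

# ircd.zief.pl is the name given in the thread; extend with your own intel.
KNOWN_BAD_HOSTS = {"ircd.zief.pl"}

# The two entries a stock Windows HOSTS file legitimately carries.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample input (not a real captured file).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.7    ircd.zief.pl            # constructed: infector's IRC host
127.0.0.1       update.example-av.test  # constructed: AV update site sinkholed
192.0.2.10      fileserver.lan          # constructed: ordinary LAN entry
"""


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])] for every active entry.

    Comments and blank lines are dropped; a line with an address but no
    hostname comes back with an empty list so the caller can flag it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def classify_entry(ip, hostnames):
    """Return the reasons an entry is suspicious; an empty list means clean."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ["unparseable address %r" % ip]
    if not hostnames:
        return ["entry without a hostname"]
    reasons = []
    for host in hostnames:
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known infector IRC host %s -> %s" % (host, ip))
        elif (ip, host) in BENIGN:
            continue
        elif addr.is_loopback:
            # Mapping a name to loopback silently blocks that site; the usual
            # target is an AV or Windows Update server.
            reasons.append("%s sinkholed to %s" % (host, ip))
        else:
            # Pinning a name to a chosen address is legitimate for LAN boxes,
            # so this is a review item rather than a verdict.
            reasons.append("%s pinned to %s (review)" % (host, ip))
    return reasons


def scan_hosts(text):
    """Return [(lineno, reason), ...] for every suspicious entry in the file."""
    findings = []
    for lineno, ip, hostnames in parse_hosts(text):
        for reason in classify_entry(ip, hostnames):
            findings.append((lineno, reason))
    return findings


if __name__ == "__main__":
    # Pass the path of a real HOSTS file (e.g. from a live CD mount) or run
    # with no arguments to scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, reason in scan_hosts(text):
        print("line %d: %s" % (lineno, reason))
```

Run it against the HOSTS file of the mounted Windows volume from a live CD rather than from inside the infected Windows, so the infector cannot hide or rewrite the file while you read it. A clean HOSTS file is not proof of a clean machine; it only removes one easy indicator.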

hrlow2

Member
Apr 17, 2009
25
0
0

Have you tried running your scans in Safe Mode? They always work better there, and more can be found.
 

Blain

Lifer
Oct 9, 1999
23,643
3
81
Bruce Harrison, lead researcher at MalwareBytes, says "safe mode" scanning is unnecessary.
 
Apr 20, 2008
10,064
984
126
Originally posted by: Blain
Bruce Harrison, lead researcher at MalwareBytes, says "safe mode" scanning is unnecessary.

The only time I've ever had a virus or a trojan, my cleaners would only detect it in safe mode.

Whoever Bruce Harrison is, he's a fucking idiot.
 

JEDIYoda

Lifer
Jul 13, 2005
33,986
3,320
126
Originally posted by: cpmer
I've been working on getting rid of the Virut/reader_s virus for a few days now. So far I have removed all the reader_s files and all the weird .exe files in the system32 and temp folders. These haven't come back. My last remaining problem is that explorer.exe is infected. I tried doing a repair install, but it just came back again, using 50-plus megs of memory.

Also, when I boot up my PC, just before I get the welcome screen, I get this error message: http://imagebin.org/46427 I have no idea which svchost.exe is causing that. I've got like 6 or 7 of them running. I'm using Process Explorer, but I'm new to it and don't know what I'm doing.

I have found that it is easier to get rid of viruses if you disconnect your computer from the internet and possibly even go into Safe Mode.

Good Luck!!
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,487
392
126
It's not so much an issue of detection but rather an issue of removal.

Some files are easier (or only possible) to remove in Safe Mode, when there is less chance of them being locked by processes that are not running in Safe Mode.
 

oynaz

Platinum Member
May 14, 2003
2,448
2
81
Couldn't you simply extract explorer.exe from your Windows disc (or copy it from a friend), boot a live version of an OS (the Linux version from ultimatebootdisc.com or Ubuntu, for instance), and simply delete the infected file and replace it with the new one?

 

WT

Diamond Member
Sep 21, 2000
4,816
59
91
My current method of shitware removal is as follows:

Run the malware script batch file from Schaedenfroh's thread, then, if any remaining crap is still hanging around and not being removed, I boot to an Ultimate Boot CD and manually remove the file. They almost always hang out in the Windows/System32 folder as a rogue .DLL file with an oddball name, so after years of cleaning these things, they aren't getting any easier to disinfect, but I am getting it down to a science on what to do to make them disappear.

I work on an average of three PCs a week, and it's nice side income for buying PC hardware, so I guess the better I get at cleaning a PC, the less business I will create for myself. Damn, that right there is a catch-22!!
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: oynaz
Couldn't you simply extract explorer.exe from your Windows disc (or copy it from a friend), boot a live version of an OS (the Linux version from ultimatebootdisc.com or Ubuntu, for instance), and simply delete the infected file and replace it with the new one?

Nope. While Virut has disabled System File Protection in order to make that possible, it will simply re-corrupt explorer.exe on the next boot.
 
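Whether the replaced explorer.exe really gets re-corrupted on the next boot is something you can measure instead of argue about. The script below is an added example, not part of the original thread: it records the SHA-256 and size of the binaries you just replaced and, on the next run, reports which of them changed, went missing or reappeared. The target list, the baseline filename and the temp-directory demo are constructed assumptions for illustration.

```python
"""Baseline-and-recheck for binaries that a file infector keeps re-corrupting.
Added example, not from the thread.

Take the baseline right after dropping the clean explorer.exe in place
(from a live CD, with the infected Windows not running), then run the
comparison after the next boot: a changed hash means something resident
re-infected the file, so replacing the binary again is wasted effort.
The target list and baseline filename are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile

# Assumed targets: the binaries the thread says keep getting re-corrupted.
DEFAULT_TARGETS = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\svchost.exe",
]


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths):
    """Map each path to {"size", "sha256"}, or None if the file is absent."""
    snap = {}
    for p in paths:
        if os.path.isfile(p):
            snap[p] = {"size": os.path.getsize(p), "sha256": sha256_file(p)}
        else:
            snap[p] = None
    return snap


def save_baseline(snap, out_path):
    with open(out_path, "w") as f:
        json.dump(snap, f, indent=2)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots.  'changed' entries carry (path, size delta): a PE
    infector that appends its body to the host file makes the file grow."""
    report = {"changed": [], "missing": [], "appeared": [], "unchanged": []}
    for path, before in baseline.items():
        after = current.get(path)
        if before is None and after is None:
            continue
        if before is None:
            report["appeared"].append(path)
        elif after is None:
            report["missing"].append(path)
        elif before["sha256"] != after["sha256"]:
            report["changed"].append((path, after["size"] - before["size"]))
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Simulate the clean-then-reinfected cycle in a temp dir (constructed data)."""
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "explorer.exe")
    gone = os.path.join(d, "reader_s.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"PE\x00\x00 clean image")
    with open(gone, "wb") as f:
        f.write(b"MZ dropped component")
    base_path = os.path.join(d, "baseline.json")
    save_baseline(snapshot([exe, gone]), base_path)

    # Next "boot": the dropper was deleted, but explorer.exe grew a new tail.
    os.remove(gone)
    with open(exe, "ab") as f:
        f.write(b"\x90" * 16 + b"appended infector body")
    return compare(load_baseline(base_path), snapshot([exe, gone]))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For real use, call `save_baseline(snapshot(DEFAULT_TARGETS), path)` from the live environment right after the replacement and `compare(load_baseline(path), snapshot(DEFAULT_TARGETS))` after the reboot, with the baseline stored off the infected volume. A matching hash only says the file is unchanged since the baseline; it says nothing about whether the copy you installed was clean, so take the baseline from a file you hashed against the install media, not from whatever was on disk.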