Wednesday, May 11, 2011

How to disinfect a PC from Virus.Win32.Virut.ce, q

In this section you will find recommendations on how to fight malicious programs which cannot be disinfected by Kaspersky Lab's products. In order to disinfect/remove malicious programs you may have to modify the system registry or use an additional utility. If you fail to find the necessary information, or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.

The main function of Virus.Win32.Virut.ce, q is a botnet client, which the virus uses to transmit data from the infected PC.
Here you can read more about botnets and their usage.

To disinfect a system infected with the malware Virus.Win32.Virut.ce, q, use the VirutKiller.exe tool.

Disinfection of an infected system

Warning: the System Restore function should be disabled before attempting to disinfect a system.

* Download the archive and extract it into a folder on the infected (or potentially infected) PC using an archiver program (for example, WinZip).

* Run the file VirutKiller.exe.

* Wait for the scan and disinfection to finish. A reboot might be required after disinfection.

If started without switches, the tool will:

* Seek and terminate malicious threads.
* Seek hooked functions and unhook them:
  o NtCreateFile;
  o NtCreateProcess;
  o NtCreateProcessEx;
  o NtOpenFile;
  o NtQueryInformationProcess.
* Scan and disinfect files on all hard disk drives.
* While scanning hard disk drives, also check the executable files of all running processes every 10 seconds, terminate detected infected processes and disinfect infected files.

Optional switches to run the tool from the command prompt:

-l <file_name> - write log to the file.
-v - detailed logging (must be used in combination with the parameter -l).
-s - scan in "silent" mode (without opening a console box).
-y - when the utility finishes, its window will be closed.
-p <folder_path> - scan a specific folder.
-r - scan removable drives (flash), external USB and FireWire hard disks.
-n - scan network drives.

Symptoms of infection:

* Infected computers keep trying to access the following addresses to receive administration commands:


* An experienced user can track hooks of the following functions in almost all processes (the virus uses these hooks to infect every executable file a process tries to access and to introduce its code into all newly started processes):
  o NtCreateFile;
  o NtCreateProcess;
  o NtCreateProcessEx;
  o NtOpenFile;
  o NtQueryInformationProcess.
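The hooks listed above are what rootkit-detection tools look for: they compare a function's prologue in a live process with the same bytes in the on-disk copy of ntdll.dll and flag a jump that leaves the module image. The following C example is added here and is not code from the original article or from VirutKiller; it shows that check on constructed 32-bit sample bytes (the module base and size, the function address, the stub bytes and the hook target are assumptions, not values captured from a real system).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of comparing one exported function's live prologue with its on-disk bytes. */
typedef enum { HOOK_NONE = 0, HOOK_PATCHED = 1, HOOK_JMP_OUTSIDE = 2 } hook_status;

/* Decode the target of the usual inline-hook trampolines at code_addr (32-bit code):
   E9 rel32 (jmp rel32), 68 imm32 C3 (push imm32; ret), B8 imm32 FF E0 (mov eax,imm32; jmp eax).
   Returns 1 and fills *target on a match, 0 if the bytes are not a trampoline. */
static int trampoline_target(const uint8_t *code, size_t len, uint32_t code_addr, uint32_t *target)
{
    uint32_t imm;
    if (len >= 5 && code[0] == 0xE9) {
        memcpy(&imm, code + 1, 4);
        *target = code_addr + 5 + imm;            /* rel32 is relative to the next instruction */
        return 1;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { memcpy(&imm, code + 1, 4); *target = imm; return 1; }
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) { memcpy(&imm, code + 1, 4); *target = imm; return 1; }
    return 0;
}

/* Flag a trampoline that leaves the module image [mod_base, mod_base+mod_size); otherwise
   report any byte-level difference against the on-disk copy of the same prologue. */
hook_status check_export(const uint8_t *live, const uint8_t *disk, size_t len,
                         uint32_t func_va, uint32_t mod_base, uint32_t mod_size)
{
    uint32_t target;
    if (trampoline_target(live, len, func_va, &target) &&
        (target < mod_base || target - mod_base >= mod_size))
        return HOOK_JMP_OUTSIDE;
    return memcmp(live, disk, len) != 0 ? HOOK_PATCHED : HOOK_NONE;
}

/* Constructed sample data (assumed, not captured from a real system): a 15-byte 32-bit ntdll
   system-call stub (mov eax, N; mov edx, 7FFE0300h; call [edx]; ret 2Ch) and the same bytes
   after a 5-byte E9 jmp to 0x00401000, a page outside ntdll, was written over the prologue. */
#define NTDLL_BASE      0x7C900000u   /* assumed image base and size for the example */
#define NTDLL_SIZE      0x000B0000u
#define NTCREATEFILE_VA 0x7C90D682u   /* assumed address of the NtCreateFile stub */
static const uint8_t disk_stub[15]   = {0xB8,0x25,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x2C,0x00};
static const uint8_t hooked_stub[15] = {0xE9,0x79,0x39,0xAF,0x83, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x2C,0x00};

int main(void)
{
    static const char *verdict[] = {"clean", "patched in place", "jmp to address outside module"};
    hook_status s = check_export(hooked_stub, disk_stub, sizeof disk_stub, NTCREATEFILE_VA, NTDLL_BASE, NTDLL_SIZE);
    printf("NtCreateFile: %s\n", verdict[s]);
    return 0;
}
```

On a real system the "live" bytes would be read from the target process and the "disk" bytes from the same export in the ntdll.dll file, after applying relocations if the load address differs.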

You might use the Rootkit Unhooker utility or Gmer, for example.
