Saturday, May 14, 2011

How to disinfect a PC from Virus.Win32.Virut.ce, q

(Original article from Kaspersky)

The main function of Virus.Win32.Virut.ce and Virus.Win32.Virut.q is a botnet client, which the virus uses to transmit data from an infected PC.
To disinfect a system infected with Virus.Win32.Virut.ce or Virus.Win32.Virut.q, use the tool VirutKiller.exe.

Disinfection of an infected system

Warning: the System Restore function should be disabled before attempting to disinfect a system.

  • Download the archive VirutKiller.zip and extract it into a folder on the infected (or potentially infected) PC using an archiver program (for example, WinZip).
  • Run the file VirutKiller.exe.
  • Wait for the scan and disinfection to finish. A reboot may be required after disinfection.
If started without switches, the tool will:
  • Seek and terminate malicious threads.
  • Seek hooked functions and unhook them:
    • NtCreateFile;
    • NtCreateProcess;
    • NtCreateProcessEx;
    • NtOpenFile;
    • NtQueryInformationProcess.
  • Scan and disinfect files on all hard disk drives.
  • While scanning hard disk drives, also check the executable files of all running processes every 10 seconds, terminating any detected infected processes and disinfecting the infected files.
Optional switches to run the tool from the command prompt:

-l <file_name> - write a log to the given file.
-v - detailed logging (must be used in combination with the -l parameter).
-s - scan in "silent" mode (without opening a console window).
-y - close the utility's window when it finishes.
-p <folder_path> - scan a specific folder.
-r - scan removable drives (flash), external USB and FireWire hard disks.
-n - scan network drives.

Symptoms of infection:
  • Infected computers keep trying to access the following addresses to receive administration commands:
    • irc.zief.pl;
    • proxim.ircgalaxy.pl.
  • An experienced user can find hooks on the following functions in almost all processes (the virus uses these hooks to infect every executable file a process accesses and to inject its code into every newly started process):
    • NtCreateFile;
    • NtCreateProcess;
    • NtCreateProcessEx;
    • NtOpenFile;
    • NtQueryInformationProcess.
To inspect these hooks you can use the Rootkit Unhooker utility or GMER, for example.
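As an added example (not part of the Kaspersky article or its tool), a small Python script that flags DNS queries for the two command-and-control hostnames listed under "Symptoms of infection"; the log line format it parses is constructed for the example and is not any real DNS server's format.

```python
"""Flag DNS lookups for the Virut command-and-control hosts named in the
article (irc.zief.pl, proxim.ircgalaxy.pl). Added example; the log format
is a constructed one: "<date> <time> <client_ip> query <hostname>"."""
import re
from collections import defaultdict

# Indicator hostnames taken from the article's "Symptoms of infection" list.
VIRUT_C2_HOSTS = ("irc.zief.pl", "proxim.ircgalaxy.pl")

# Constructed log format (an assumption, not a real DNS server's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>\S+)$"
)


def is_c2_host(qname: str) -> bool:
    """True if qname is one of the C2 hosts or a subdomain of one.
    Lower-cases and strips a trailing dot so 'IRC.ZIEF.PL.' still matches."""
    name = qname.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in VIRUT_C2_HOSTS)


def find_c2_lookups(lines):
    """Return {client_ip: [(timestamp, hostname), ...]} for every query that
    hit a Virut C2 host. Malformed lines are skipped rather than raising."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if is_c2_host(m["qname"]):
            hits[m["client"]].append((m["ts"], m["qname"].lower().rstrip(".")))
    return dict(hits)


# Constructed sample log: one internal host beacons to both C2 hostnames,
# another only resolves benign names (ircgalaxy.pl itself is not an indicator).
SAMPLE_LOG = [
    "2011-05-14 10:22:01 192.168.1.17 query irc.zief.pl",
    "2011-05-14 10:22:03 192.168.1.20 query www.kaspersky.com",
    "2011-05-14 10:22:09 192.168.1.17 query PROXIM.IRCGALAXY.PL.",
    "2011-05-14 10:22:11 192.168.1.20 query ircgalaxy.pl",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, queries in find_c2_lookups(SAMPLE_LOG).items():
        print(f"{client}: {len(queries)} C2 lookup(s) -> {queries}")
```

Any client that appears in the result is a candidate for the VirutKiller scan described above, and for the hook check with Rootkit Unhooker or GMER.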
