Cleaning fails using the Trend command line scanner, and the secondary action is to quarantine the file. Thanks for the information.
One of our PCs has every .exe file infected with the virus. When I run a Trend Micro scan it attempts to quarantine all of these files, including things like notepad, explorer, iexplore etc. This is obviously not a good solution. Does anyone know what this virus does and/or a better way to remove it?
Virux or Virut is a buggy file infector that infects every .exe and .scr file. Antivirus can't cure the files, so the infected files end up corrupted and deleted, and the user would need to replace all deleted files. If the system has been infected for a while, so many files have been infected/deleted that it's a wise decision to just reformat the drive and start from scratch.
If the system hasn't been infected that long, which means only a few files need to be replaced, then Dr.Web CureIt is a good scanner to use, or the online Panda scanner.
Combofix will detect the critical infected system files but I doubt it will delete them, as infected system files are whitelisted.
If you reformat and reinstall, you can't back up any .exe and .scr files as they could be infected.
This virus can be removed with a bit of difficulty. As advised above, the format & reinstall is the safer option, but it can still be done if you remove the hard drive & attach it elsewhere, then try using the specific cleaner by GRISOFT:
http://www.softpedi
The trick is not to use the infected operating system to boot up, and the tool does fix most of the infected files; the ones that it can't clean should be deleted & restored from backup or by reinstalling the associated application(s).
Hope this helps.
Our network was hit by this virus last Friday night and it quickly spread to about 20 machines in 3 different locations. My fix was as follows:
1) I disabled System Restore via group policy.
2) Booted the machines off a Bart PE CD with Trend Micro Sysclean with the latest signature DAT file and a copy of regedit.
3) I used regedit to connect to the infected machine and checked for any dodgy entries in HKLM\Softw\microsft\window
4) Used sysclean to scan for the infected files, which were deleted by sysclean.
5) If the machine only had a few infected files I copied over a good copy of the files. Really badly affected machines will be rebuilt.
This got the crisis under control. In the medium term I will rebuild all machines that were infected.
Hope this helps.
I have been fighting the same problem at a client's site for 3 days now. It was not until McAfee released DAT version 5519 that McAfee was able to clean the virus from infected files. So if you scanned prior to that update it is likely a large number of important files were moved to quarantine.
From McAfee's website:
W32/Virut.n connects to the following domains or IP addresses:
It can connect to an IRC server to receive commands.
Emails are harvested from the infected machine and posted to the following server:
69.46.16.191
I would recommend doing a fresh install of the OS. Even after getting a clean scan with McAfee and Malwarebytes, the infected PCs had connected to servers in Turkey (seen using Active Ports 1.4) and downloaded several rootkits and backdoors. I only found those using Combofix.
Good Luck
Have you tried the solution in my earlier post? Post ID 23580183
After so much trouble with this virus, we managed to clean a heavily infected system and restored about 80% of the executables to a clean functional state. However, as mentioned above, due to some bad coding on the virus author's end, some of the executables were damaged after cleanup, so we had to reinstall the associated applications.
Given the choice I would have wiped the machine clean on the spot after backing up critical files, but this was not an option at the time. However, after reinstalling the affected programs & a repair install, the machine appears to be stable & in good shape.
I did buy and download the Bart PE CD, but after reading through all the steps needed and now seeing that someone got only 80% of their executables back, I would rather go for a clean sweep. So my question still is: if I do not copy any EXE or SCR files to a USB drive, can I be sure the virus is not on the USB drive when I go to put on the files I backed up prior to the rebuild?
The best solution for Virut infection is a reformat and reinstall of the OS.
Depending on how long the system has been infected, it is VERY irresponsible of us techs to advise on cleaning a Virut-infected machine. Virut infection is the case where the "virus wins" and we lose.
The new variant now also infects .htm and .html files, so when you back up files remember not to back up any executables, .scr files, downloaded archives (.zip or .rar), or .htm and .html files. All these have to go, as they could be infected and you'd just be risking a newly reformatted system.
>>>can I be sure the virus is not on the USB drive when I go to put on the files I backed up prior to the rebuild?<<<
You need to scan the USB drive on a clean machine to make sure it is clean, and don't back up those files I listed above.
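As an added illustration of the backup rule above (this is not code from the thread or from any vendor tool): a Python script that walks a backup folder and lists everything that must not be copied back onto the rebuilt machine. It goes one step beyond the extension list by also catching an executable that was renamed to a data extension, using its MZ/PE header. The sample tree it builds is constructed for the demo; the PE stub is a header-only fake, not a real program.

```python
import os
import struct
import tempfile

# Extensions the thread says must not come across from an infected box: Virut
# writes into .exe/.scr, archives can carry them, the newer variant hits .htm/.html.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".rar", ".htm", ".html"}

def looks_like_pe(path):
    """True if the file has an MZ header and a PE signature at e_lfanew,
    i.e. it is a Windows executable no matter what its extension says."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])  # e_lfanew -> PE signature
        return f.read(4) == b"PE\x00\x00"

def audit_backup(root):
    """Walk a backup tree; return sorted (relative path, reason) pairs for files not to restore."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append((rel, "extension %s is on the do-not-restore list" % ext))
            elif looks_like_pe(full):
                findings.append((rel, "PE executable hiding behind extension %r" % ext))
    return sorted(findings)

def fake_pe_bytes():
    """Constructed MZ/PE-shaped stub (e_lfanew -> signature at offset 64); not a program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    return bytes(dos) + b"PE\x00\x00" + bytes(16)

def demo():
    """Build a constructed sample backup tree in a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="virut_backup_")
    samples = {"docs/report.docx": b"PK\x03\x04 constructed document",
               "tools/helper.exe": fake_pe_bytes(),
               "docs/renamed_tool.dat": fake_pe_bytes(),  # executable posing as data
               "web/index.html": b"<html></html>"}
    for rel, data in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return audit_backup(root)
```

Point `audit_backup()` at the real backup folder on a clean machine and restore only what it does not list.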
I've discovered an interesting trend, or maybe just a coincidence, today. Has anyone else seen this specifically target businesses that deal with Tax software?
The two clients I have seen infected with this were both using the same software. It has been reported to that company so I do not wish to name them. I just would like to know if anyone has seen the same thing.
Thanks.
@rpggamergirl: sometimes in a business environment, rebuilding the machine is not an option. It may be easy for a home user to rebuild a machine & start from scratch, but we have to take into consideration specific scenarios where formatting is not an option, e.g. legacy applications where installation disks are not available, a very complex setup that could not be rebuilt easily, and if the user opted for a rebuild they may be looking at business downtime.
My initial advice is to rebuild, but the solution I proposed will fix the machine long enough for the system admin to be able to back up critical configuration & files (not programs), then go for the rebuild solution just to be safe, regardless of how the machine is performing, which is basically what we have done in our case.
It does not have anything to do with being responsible or irresponsible; these cases should be dealt with on a case by case basis. What works for home users & SMB does not necessarily work for another client / setup.
After getting myself infected, I was in a situation where reformatting C: didn't work... Well, because almost every .exe and .scr file was infected on ALL drives.
I spent 3 days testing all kinds of cures, learning what to do... until I found ONE AV program that DID cure my exe files without destroying them. I was a bit surprised that it was from Microsoft... Until this day, I had thought that Defender and the others were just a joke... But this, Windows Live OneCare, did the job for me.
I think that people would like to know that there are many programs that try to do something, usually BAD (remove/quarantine)... Well, Norton did say 'clean' and didn't find that virus again... but it just hid it from itself :) ... virustotal.com helped me a lot, and I could see that the virus was there, even when Norton didn't see it.
After OneCare, virustotal.com didn't see any virus in my files, but I'm still trying to get a rock solid solution.
Next I'll try restoring the 'infected' system and then see what OneCare would do on that.
Well, I must correct myself. Today I ran scan+clean with Norton AntiVirus 2009 from clean system, to infected partition. And I'm glad to inform that cleaning seems to be working.
Cleaning with Norton or OneCare does not return files to the exact state before infection, and it seems that infection+cleaning will leave some 'signatures' that would trigger some other AV programs.
I'm not sure if you can call these as 'false-positive', but my system seems to be running just fine, without problems. (Now I have also outgoing firewall, so I can see if there is unknown traffic from my system).
New trend blog on the issue http://blog.trendmicro.com
As far as infecting a USB stick, Virut infected the two .exe files I ran on that infected computer. Since I have about 20 .exe files in the root of my USB stick and only the two I ran were infected, I would assume just copying documents and data files should be fine. You can tell the AVG removal tool to scan your memory stick from the command prompt, e.g. "rmvirut.exe E:" (E = USB drive letter).
by: tercex11, posted on 2009-02-06 at 16:26:06, ID: 23575696
Can you choose to clean the files instead of quarantining them? That may help. If some files can't be cleaned, you can try another AV or you may have to quarantine the files.
Here are some specifics on the virus and a link to cleaning instructions from both Trend and Symantec.
Discovered: February 4, 2009
Updated: February 4, 2009 6:14:14 PM
Also Known As: W32/Virut.n [McAfee], PE_VIRUX.A [Trend]
Type: Virus
Infection Length: 17,044 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
When the virus executes, it attempts to infect any file accessed with the following extensions:
.exe
.scr
http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=3
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=PE_VIRUX.A&vsect=Sn