Formerly (up until yesterday) I had AVG running. I received some virus warnings that, after a restart, wouldn't allow Internet Explorer or AVG to work. Today I installed Avast on a friend's recommendation. I did a boot-time scan with Avast and it came up with 273 infected files. All the infected files were .exe files. I moved all of them to the vault except one. For explorer.exe it wouldn't allow me to move, repair or delete it; I had to ignore it. Almost all the virus names were win32:junkpoly[cryp] and a couple were win32:virut.
Now when starting Windows it gets to just after the Windows XP splash screen, and then to where the Explorer desktop should be, but the screen stays black with the cursor visible. I'm able to move the cursor. I can press Ctrl-Alt-Delete and start different programs from File - New Task (Run…).
Considering you have a Virut infection going on, I suggest you re-install the entire OS from scratch, as you can never be sure that all files are really cleaned when file infectors are involved.
Thank you.
I feared that would be the only solution. Is it safe to save all documents, pictures, videos and music so that I can use them after I re-install the operating system? I have over 100 GB of family photos and videos. They are very important to me. I have some of them on a separate hard drive in the computer and some on a separate partition on the same hard drive as the C: drive. When scanning, it looks as though the viruses are contained within C:. Can I be sure?
It could be that your system is so badly compromised that backing up what you can (data files, etc.) and starting from scratch, formatting and reinstalling Windows, may realistically be your only option.
I'm new at this forum stuff, but I seem to be having the same problem. Recently I downloaded a "key generator". Then I started noticing systems not responding and Google Chrome not working. Then I got Spyware Doctor and it detected a bunch of adware, spyware, etc., so I deleted them. But then the same stuff started happening again, and now I can't even log in to normal mode (Vista) and have to run in Safe Mode with Networking. So after searching around a bit I found Avast and ran a boot scan which detected Junkpoly[cryp]. I deleted all the files, which was stupid of me I guess, because I basically deleted vital system32 files and now I can't log in at all. Please respond with an easy tutorial. (I'm desperate.)
There is no way to restore these deleted files… sorry… it would have been better to send them to the Chest.
Can you boot in Safe Mode (pressing F8 while booting)?
An over-installation can solve the problem, and you won't lose your programs, settings, data, files, etc.
Just choose the 'Repair' installation of Windows and install 'over' the old installation.
OLDMAN, would MP3s possibly be affected? If I scanned my MP3s with Avast, would it detect the virus, or are they hidden until played? Might sound like a stupid question, and probably is.
No such thing as a stupid question. Stupid is not asking if you’re not sure.
MP3 files are on the list of files that Virut can infect. If Avast is capable of detecting the variant, then scanning the file will reveal if it’s clean or not. If it were me and I suspected virut, I wouldn’t even bother trying to save any mp3 files.
Here’s the log of a Kaspersky online scan of an infected computer that I came across. They probably will flatten this one.
MP3 files cannot be infected as such. Malware can only either convert them to WMA, as some malware does, or just corrupt them.
Just copy all your images, music or videos to an external disk, scan them all just to be sure, and re-install the system.
However, avoid copying any EXE, SCR, PIF or any other kind of executable file.
A little conflicting info. They flattened the computer I linked to earlier.
These need to be wiped: all programs, all .exe + .scr executables, downloaded archives (.zip + .rar) and now, according to a very trustworthy colleague, this newer variant injects all .htm + .html files.
Virut is now becoming rampant, and in all honesty at this stage you must reformat the drive. In the last two weeks I have seen 5 Virut and about 12 Sality, and the ratio is increasing. Favourite mode of infection: CRACKS and KEYGENS. Get them and you might as well reformat.
HTML injects are now being seen; the bottom line is, if you want to save anything, you are in trouble. And it must be a full format. Keep secure backups, but do not use incremental backups unless you are sure you know when you were infected.
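The two posts above give the practical rule for salvaging data from a Virut-infected disk: copy images, music, documents and videos to an external disk, but do not copy executables, downloaded archives or .htm/.html files. The following is an added example (not code from the thread or from any of the tools it mentions) of a selective backup that applies that rule. It skips files by extension and also treats any file whose first two bytes are the DOS/PE "MZ" signature as an executable, so a renamed .exe hidden among the photos is not carried over either. The extension sets go a little beyond the thread's list (EXE, SCR, PIF, ZIP, RAR, HTM, HTML) and are an assumption; the sample file tree in `demo()` is constructed for illustration.

```python
"""Selective backup of user data from a drive suspected of a Virut infection.

Added example, not from the forum thread. Copies only data files and refuses
everything the thread says must be wiped: executables, downloaded archives and
.htm/.html files. A file counts as executable if its extension matches OR its
first two bytes are the PE/DOS "MZ" signature (a renamed executable).
"""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed extension sets, extended from the thread's list (EXE, SCR, PIF, ...).
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".dll", ".sys", ".cpl",
                  ".ocx", ".drv", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXT = {".zip", ".rar"}
HTML_EXT = {".htm", ".html"}


def classify(name, head):
    """Return 'copy' or the reason to skip, from the file name and its first bytes."""
    if head[:2] == b"MZ":              # PE/DOS header: executable whatever the name
        return "skip_executable"
    ext = Path(name).suffix.lower()
    if ext in EXECUTABLE_EXT:
        return "skip_executable"
    if ext in ARCHIVE_EXT:
        return "skip_archive"
    if ext in HTML_EXT:
        return "skip_html"
    return "copy"


def select_backup(src, dst, dry_run=False):
    """Walk src, copy allowed data files to dst, return a report of every decision."""
    src, dst = Path(src), Path(dst)
    report = {"copied": [], "skip_executable": [], "skip_archive": [],
              "skip_html": [], "unreadable": []}
    for root, _dirs, files in os.walk(src):
        for fname in files:
            path = Path(root) / fname
            rel = path.relative_to(src).as_posix()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(2)
            except OSError:
                report["unreadable"].append(rel)   # locked/in-use file: note it, move on
                continue
            verdict = classify(fname, head)
            if verdict == "copy":
                if not dry_run:
                    target = dst / rel
                    target.parent.mkdir(parents=True, exist_ok=True)
                    shutil.copy2(path, target)
                report["copied"].append(rel)
            else:
                report[verdict].append(rel)
    return report


def demo():
    """Build a constructed sample tree, run the backup and return the report
    plus the files that actually landed in the destination."""
    sample = {                                  # constructed sample data, not real files
        "Photos/family.jpg": b"\xff\xd8\xff\xe0",   # JPEG
        "Photos/holiday.jpg": b"MZ\x90\x00",        # executable renamed to .jpg
        "Music/song.mp3": b"ID3\x03\x00",           # MP3 with ID3 tag
        "Docs/letter.doc": b"\xd0\xcf\x11\xe0",     # OLE document
        "Downloads/keygen.exe": b"MZ\x90\x00",      # the keygen from the other post
        "Downloads/setup.zip": b"PK\x03\x04",       # downloaded archive
        "Web/index.html": b"<html></html>",         # .html: may carry an inject
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "infected", Path(tmp) / "external"
        for rel, content in sample.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        report = select_backup(src, dst)
        report["dst_files"] = sorted(p.relative_to(dst).as_posix()
                                     for p in dst.rglob("*") if p.is_file())
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run it with `dry_run=True` first against the real source to review the skip lists before anything is copied, then scan the destination with the antivirus of your choice as the post advises. The MZ check is deliberately cheap; it does not make a copied JPEG or MP3 safe, only keeps Windows executables out of the backup.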
Another observation should be made here: - arriving via the Internet, this new strain bypasses the Windows Firewall, infects using various infection types and using more than one layer of encryption. The US seems to be the most affected amongst all other regions as of this posting. (Bold by me).
We see a lot of users now going onto the Internet without an active software firewall. This seems to be a more recent trend, and this certainly is not helping here.
Insecure surfing habits, lifting in-browser security like NoScript in Fx, or not scanning with link scanners (like scanning with http://linkscanner.explabs.com/linkscanner/default.aspx ) is also not helping the situation. VIRUX is indeed a notch higher than VIRUT in terms of complexity (which is the cybercriminals' bid for malware persistence and an increasing likelihood of reinfection), so forewarned is forearmed here, because these are rather nasty viruses and recovery stays problematic.
I have just been informed elsewhere of a deliberate infection removal of Virut.
I've had a bit more feedback from my two colleagues: the only way they've been able to get rid of it is by running CureIt from a Live CD + replacing files from the Recovery Console + running CureIt again + more on-the-fly deletions, depending on what else was on board (often some rootkits) and if/how reinfection occurred. Both agreed it couldn't be done on forums. Not yet anyway, and maybe never. Oh, and now we've been told that Virut creates a few bogus network adapters that can't be removed.
If the infection is partially contained, who knows. If a user has backups and is willing to go a few rounds, maybe… as long as both parties know about the probable outcome.
Here are some manual removal recommendations, see the attached virut manual removal.txt below,
together with the Dr.Web CureIt removal routine, with the settings for file infectors and a restart to replace and quarantine:
Virus.Win32.Virut Symptoms:
* Blocks bandwidth and internet accessibility
* Virus.Win32.Virut sets the registry to resume itself automatically at start up
* Can radically slow down the computer and cause system performance problems, data loss and "blue screen of death"
* Can't change your desktop wallpaper
* Unusual windows task manager system processes
* Disables pop-up blockers
* Pornographic, casino and other adult related ads
Virus.Win32.Virut Actions:
* Connects to IRC servers; infects the computer via security holes, through e-mail attachments, freeware and messenger programs
* Win32.Virut logs active security applications, disables anti-virus and firewall
* Records and sends surfing history and registry information to remote servers
* Watches system activity
Virut is a file infector, which is rather serious.
Download Dr.Web CureIt to your Desktop: cureit.exe from ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
(Preferably from a pendrive/USB stick onto the PC in question, after it has been downloaded using a non-infected PC.)
Double-click cureit.exe and then click Start in order to start a Quick Scan.
This will first scan all files that have been loaded into memory, and when something has been found,
have CureIt repair it.
Then a window appears with an offer to buy the software at 50% off; dismiss it by clicking the X.
Now the main menu will be visible.
Choose the language to use at the top if you want to use a language other than English.
Then choose Actions and set for the following options:
Adware: Replace
Dialers: Replace
Jokes: Report
Riskware: Report
Hacktools: Replace
Then remove the check mark at 'Prompt on action'.
Then click OK.
Choose Options - Change Settings and remove the check mark at Heuristic analysis.
Then click OK.
Back in the main window you can select the drives that you want to be scanned.
Select all drives here. A red ball will then appear for the drives selected for scanning.
Then click the green arrow to start the scan.
This will move infected files to the following folder: %userprofile%\DoctorWeb\Quarantine\
whenever disinfection fails.
When the scan has finished, choose File - Save Report List. Save this log to your desktop.
Close Dr.Web CureIt.
Now restart your computer! This is an important step, because Dr.Web CureIt may well want to replace/remove files during a restart.
After the restart, copy and paste the contents of the log and attach it to your next posting.
But sometimes there is no option left other than a reformat, alas.
New manual removal instructions for virut.u:
The following files were created:
Name              Version   Publisher   Signature (MD5)                     File Size (in KB)
…\SETUPWIN.EXE                          EC89B7E67822BDD277EE71AF0D947B0A    8031
…\rastl.dll                             D7276B3B0C28A687A174D27DDCBF1ED9
…\MYBHO.DLL                             C46335AE09A0CC20D9C21DE394DE7851
…\neos.exe                              2F405055E6C272EE3C6C2F4A9B418739
The following Registry Entries were created: