# -=virut.cf=-



## SammyFox (Jul 23, 2009)

I caught that crap once and there are others who keep catching it.

That virus is a buggy worm that infects exe, scr and html files and can also infect archived files that contain the aforementioned file types.

So basically, if you catch it, your only recourse is to wipe your hard disk clean and reinstall everything.

Not all is lost, however.

You can keep your image files as well as all your music, your text files, and files proprietary to apps you are using (MadTracker, Photoshop, OpenOffice, for example), and if your archived files are password-encrypted, there is a chance they won't be touched at all.

Still, for archived files, the best thing to do is to get rid of them unless they don't have html, exe or scr files.

The problem with virut.cf is that it's so buggy as a virus that it basically breaks everything it touches. In only two weeks, you won't even be able to log on to your Windows account.

So be safe. Scan every file you think is suspect.


----------



## rawrsome wolf (Jul 23, 2009)

ummmm... thanks?

If I had to write a thread for every virus I have caught on my laptop, I would have, ermmmm, 0 threads.

Yes, I have never had a virus. Woo


----------



## SammyFox (Jul 23, 2009)

rawrsome wolf said:


> ummmm... thanks?
> 
> If I had to write a thread for every virus I have caught on my laptop, I would have, ermmmm, 0 threads.
> 
> Yes, I have never had a virus. Woo



I did it because virut.cf is more dangerous than your usual worm. That one both sends info on your computer to hackers and destroys your data doing it.


----------



## ArielMT (Jul 23, 2009)

W32.Virut.CF - Removal - Symantec Virus Database, Symantec Corp.

W32.Virut Removal Tool - Ibid.


----------



## Aurali (Jul 23, 2009)

*laughs* I almost caught a virus a month ago. A friend got infected with something nasty and every computer using outdated antiviruses got hit...

Vista protected me though... asked me if I wanted to run the auto run...
Which reminds me...

PEOPLE TURN AUTO RUN OFF!
It's dumb.


----------



## Runefox (Jul 23, 2009)

There's no such thing as a virus that absolutely requires a hard drive wipe anymore. Those things went out long ago with DOS; nowadays, virus writers want your computer to stay online, infected, for as long as possible, to undergo data mining (bank account info/credit card info) or to use as a zombie in a botnet for DDoS attacks. There's a lot more value in that (and money!) than just wiping people's hard drives.

A virus is nothing more than a program. Find where it's hidden, nuke it from orbit (Recovery Console or similar), and you're golden - clean up the mess and continue. Nearly every virus falls the same way, except for the oddity that is a boot sector virus - those can be toasted by rewriting the MBR (again, Recovery Console).


----------



## rawrsome wolf (Jul 23, 2009)

Does having my email hacked count as a virus? Because I didn't do something stupid and enter my details on a phishing website. It just.... happened *confused*

They didn't change any of my details... just sent a message out from my email to all my contacts telling them to go on a website (which coincidentally had viruses).

I want to know now.


----------



## Runefox (Jul 23, 2009)

rawrsome wolf said:


> Does having my email hacked count as a virus? Because I didn't do something stupid and enter my details on a phishing website. It just.... happened *confused*
> 
> They didn't change any of my details... just sent a message out from my email to all my contacts telling them to go on a website (which coincidentally had viruses).
> 
> I want to know now.



Actually, that's not your e-mail getting hacked - that's either your computer, already infected, or someone who has you in their address book with an infection. It's actually quite trivial to spoof e-mail addresses; for the most part, you can enter anything as an e-mail address. You might not get any replies, but you can send all you want.

Of course, newer SMTP servers have authentication requirements... But there are still plenty of places where that's not necessary.

Ahh, how much fun I had sending e-mail on behalf of Mr. Peter Iracy from Microsoft.


----------



## pixthor (Jul 23, 2009)

It is a worm. My friend's dad is fixing a PC that got infected with it. It embedded itself into the System Restore. Now he has to wipe the entire HDD, which really sucks because he has no install disks to reinstall XP. Anyways, don't you mean w32.virut.cf? That thing is NASTY!!!!! My friend's dad is going through hell right now trying to get rid of the damn thing!!! When he tried plugging in his flash drive, it got infected the second he plugged it in. If you get that virus you are screwed! You will need to wipe the entire HDD. You should also zero out the HDD, just to be safe.


----------



## rawrsome wolf (Jul 23, 2009)

Runefox said:


> Actually, that's not your e-mail getting hacked - that's either your computer, already infected, or someone who has you in their address book with an infection. It's actually quite trivial to spoof e-mail addresses; for the most part, you can enter anything as an e-mail address. You might not get any replies, but you can send all you want.
> 
> Of course, newer SMTP servers have authentication requirements... But there are still plenty of places where that's not necessary.
> 
> Ahh, how much fun I had sending e-mail on behalf of Mr. Peter Iracy from Microsoft.



If a friend was infected, surely he would have to send something to me, and then I'd click on it, for me to be infected too?

I know it wasn't a spoof, because it was in my 'sent messages' folder. :S

I used to do the spoof emails too. Did one to my teacher once; that didn't go as funny as I had planned XD


----------



## SammyFox (Jul 23, 2009)

ArielMT said:


> W32.Virut.CF - Removal - Symantec Virus Database, Symantec Corp.
> 
> W32.Virut Removal Tool - Ibid.


You think that helps, but it doesn't.

Before I resigned myself to formatting my hard drive, I tried these tools as well, without results.

Just because there's a removal tool doesn't mean it'll work.


----------



## SammyFox (Jul 23, 2009)

pixthor said:


> It is a worm. My friend's dad is fixing a PC that got infected with it. It embedded itself into the System Restore. Now he has to wipe the entire HDD, which really sucks because he has no install disks to reinstall XP. Anyways, don't you mean w32.virut.cf? That thing is NASTY!!!!! My friend's dad is going through hell right now trying to get rid of the damn thing!!! When he tried plugging in his flash drive, it got infected the second he plugged it in. If you get that virus you are screwed! You will need to wipe the entire HDD. You should also zero out the HDD, just to be safe.


Exactly. You can try to remove it if you want, but in the end you'll only waste your time.


----------



## Runefox (Jul 23, 2009)

rawrsome wolf said:


> I know it wasn't a spoof, because it was in my 'sent messages' folder. :S



If it's in your sent messages folder (assuming this is on your computer, not something like Hotmail/Live Mail), then you're infected with something, either by clicking on something, or browsing to a site that exploits some vulnerabilities in your browser, or something like that.

Also, automated tools rarely work - a manual approach is usually best, though MalwareBytes' Anti-Malware is one of the most effective tools I've used as far as the automatics go.


----------



## rawrsome wolf (Jul 23, 2009)

Runefox said:


> If it's in your sent messages folder (assuming this is on your computer, not something like Hotmail/Live Mail), then you're infected with something.



Sorry, I meant in my Live Mail sent messages folder.


----------



## ElizabethAlexandraMary (Jul 23, 2009)

Buggy virus :|

Did the developers release a patch?


----------



## ArielMT (Jul 23, 2009)

There are always repair and recovery options for any malady that doesn't nuke the registry.  Prepare for similar events in the future now.

Install the Recovery Console as a Windows boot option, and/or download BartPE or UBCD4Win and build a Live Windows CD based on a good environment.  Booted into that, _no_ malware can run at start-up, and any infection that might happen can't survive reboot.

Also, protect your data by making backup copies on external drives.  Plug in, copy, eject, unplug.  USB hard drive enclosures can be had for as little as $10 and take standard internal hard drives.


----------



## Carenath (Jul 23, 2009)

Eli said:


> PEOPLE TURN AUTO RUN OFF!
> It's dumb.


I find it pretty useful actually. Reminds me, though, of my Win95 box... the CD-ROM drive never showed up in Device Manager, so I couldn't enable Autorun, yet the drive worked just fine in spite of it.



Runefox said:


> Actually, that's not your e-mail getting hacked - that's either your computer, already infected, or someone who has you in their address book with an infection. It's actually quite trivial to spoof e-mail addresses; for the most part, you can enter anything as an e-mail address. You might not get any replies, but you can send all you want.
> 
> Of course, newer SMTP servers have authentication requirements... But there are still plenty of places where that's not necessary.
> 
> Ahh, how much fun I had sending e-mail on behalf of Mr. Peter Iracy from Microsoft.


^ This

There are still plenty that don't; a lot of them just use IP whitelisting, and only relay mail from hosts on the same network, in my experience. It's the default on most mail server configurations too.

I used to just send people email from themselves, much more fun.


FrancisBlack said:


> Buggy virus :|
> 
> Did the developers release a patch?


Won't be out until the first Tuesday of August.

Seriously guys... install a decent antivirus package, and keep it updated, and you'll be fine for the most part. I myself use Eset NOD32 and find it fantastic and unobtrusive.


----------



## Shino (Jul 23, 2009)

Remember the old saying: an ounce of prevention is worth a pound of cure.

I don't understand what's so hard about having up-to-date antivirus. Most are set-and-forget anyways...

Besides, most infections happen because the user did something "hur, duh" or they were somewhere they shouldn't be. *cough*porn*cough*

Thanks for the heads up. If I'm ever stupid enough to get my compy infected, I'll keep that in mind.


----------



## Runefox (Jul 23, 2009)

The problem with most people and antivirus packages nowadays is that they either:

1) Purchase it once and then never renew, meaning they have definitions from five years ago and can't understand why they're getting viruses now nor why their PC is so slow.

2) Get a light, watered-down version from their ISP that looks like it's doing something, but isn't.

3) Turn it off because it slows the system down too much.

4) Download a copy of XP "Antivirus" 2009 and wonder where the ads are coming from.

That said, I find myself recommending Norton 2009 for an antivirus (NOT for firewall/etc. in the Internet Security package; that still sucks) and am strongly looking at it for my own machine. I've tested it to take up virtually no extra resources (around 5-15MB of RAM), slow the system down by nothing, and have a pretty quick and effective scanner. Complete reversal from their 2003~2007 editions. I guess they were losing ground because of the bad reputation they were getting from the techie crowd.

Oh, and corporate Symantec (Norton) works great, too. No frills or extras, just pure antivirus. They don't like to piss off their corporate customers.


----------



## rawrsome wolf (Jul 23, 2009)

I bought Norton Anti-Virus a while back, and it literally turned my computer into a snail. It totally took over my PC, and running more than 2 programs made my PC unusable.

So I removed it and replaced it with AVG Anti-Virus Free. Hasn't put a foot wrong, ever.


----------



## Runefox (Jul 23, 2009)

rawrsome wolf said:


> I bought Norton Anti-Virus a while back, and it literally turned my computer into a snail. It totally took over my PC, and running more than 2 programs made my PC unusable.
> 
> So I removed it and replaced it with AVG Anti-Virus Free. Hasn't put a foot wrong, ever.



That'd be the older version; 2009 really fixes a lot of those problems. Coming from someone who's detested Norton for years, it's much faster and lighter than pretty much anything else out there. There's also a gaming edition with "Gamer Mode" which turns off the scanner during gameplay.


----------



## Aurali (Jul 23, 2009)

Carenath said:


> I find it pretty useful actually. Reminds me, though, of my Win95 box... the CD-ROM drive never showed up in Device Manager, so I couldn't enable Autorun, yet the drive worked just fine in spite of it.



I had to disinfect 12 project computers (not to mention 140 USB drives ><) because of that incident with autorun in Windows XP... Plug in and you're dead.


----------



## rawrsome wolf (Jul 23, 2009)

Runefox said:


> That'd be the older version; 2009 really fixes a lot of those problems. Coming from someone who's detested Norton for years, it's much faster and lighter than pretty much anything else out there. There's also a gaming edition with "Gamer Mode" which turns off the scanner during gameplay.



I just don't see the point in spending money on it if you can get a free one which does the same job equally well. Indeed, it doesn't have the gamer mode bit, but are there any other differences?


----------



## Runefox (Jul 23, 2009)

rawrsome wolf said:


> I just don't see the point in spending money on it if you can get a free one which does the same job equally well. Indeed, it doesn't have the gamer mode bit, but are there any other differences?



Well, AVG on my system takes up about 50-70MB of RAM, and tends to slow things down a lot. It's not typical; normally the performance impact isn't that great with AVG - I put it down to running x64. Other things include a more accurate and, most importantly for me, speedy scanner. It's not really a sell if you're fine with AVG, and I wouldn't really recommend dropping it, but since AVG tends to hate my system for whatever silly reason, Norton worked rather well, and the new version is actually worth buying.


----------



## rawrsome wolf (Jul 23, 2009)

Also... back on topic.

Why don't virus writers use names like itunesplayer.exe or whatever? Not promoting it, but if you're trying to infiltrate someone's PC, it sounds much more legitimate than virut.cf.


----------



## Runefox (Jul 23, 2009)

People got wise to that trick a long time ago, so since Windows system executables use weird names like CSRSS.EXE, SMSS.EXE, SVCHOST.EXE, etc., a lot of them actually _do_ use those names. You can also bet that more people have CSRSS.EXE on their system than itunesplayer.exe - I know I don't have iTunes.


----------



## rawrsome wolf (Jul 23, 2009)

I've never seen a virus which has a name like the Windows executables have. Am I behind the times here? lol

It's just that a friend recently had a virus and he only knew he had it because he was looking in the running processes in the Task Manager and there was one called xvirusx.exe.

Well, duhhh.


----------



## Runefox (Jul 23, 2009)

XD I haven't really seen one _that_ obvious before. Usually they're silly names like 01fjassrv.exe or something random that _looks_ like it could be legit (I've seen HP's/Compaq's with similar-looking service names running that were actually HP/Compaq-related).


----------



## rawrsome wolf (Jul 23, 2009)

Oh right. It's just the ones you see in the media and whatnot have really obvious names.

Damn media confusing me again.


----------



## Aurali (Jul 23, 2009)

It's not their file name that's obvious. What you see is a code name.



Runefox said:


> XD I haven't really seen one _that_ obvious before. Usually they're silly names like 01fjassrv.exe or something random that _looks_ like it could be legit (I've seen HP's/Compaq's with similar-looking service names running that were actually HP/Compaq-related).



Viruses use weird names... and live in weird locations... like the temp directory or System Restore. And sometimes the virus will out-and-out replace some files, though you usually can boot up into something non-Windows and clean those out.


----------



## pixthor (Jul 23, 2009)

A little update. My friend's dad, who is trying to disinfect the PC, infected his main PC. But the second Norton got shut off on him, he unplugged his network cable, so the virus was not able to download anything or install itself. So he got off REALLY lucky. The reason why his main PC almost got infected was because he used his flash drive to transfer Spybot and a couple of other AV removal tools to the infected PC.


----------



## rawrsome wolf (Jul 23, 2009)

pixthor said:


> A little update. My friend's dad, who is trying to disinfect the PC, infected his main PC. But the second Norton got shut off on him, he unplugged his network cable, so the virus was not able to download anything or install itself. So he got off REALLY lucky. The reason why his main PC almost got infected was because he used his flash drive to transfer Spybot and a couple of other AV removal tools to the infected PC.



Damnnn. Hope it all goes OK ^_^


----------



## pixthor (Jul 23, 2009)

rawrsome wolf said:


> Damnnn. Hope it all goes OK ^_^


Hopefully. lol If that virus were to actually infect his PC, he would be screwed for life, because that PC has all of his bank info on it.


----------



## Runefox (Jul 23, 2009)

pixthor said:


> The reason why his main PC almost got infected was because he used his flash drive to transfer Spybot and a couple of other AV removal tools to the infected PC.



Hence why everyone should disable autorun for removable media (CD-based autorun is OK, since you can't really (at least, reliably) add files to a CD).


----------



## pixthor (Jul 23, 2009)

Runefox said:


> Hence why everyone should disable autorun for removable media (CD-based autorun is OK, since you can't really (at least, reliably) add files to a CD).


Yeah.


----------



## AshleyAshes (Jul 24, 2009)

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Give ComboFix a shot.


----------



## Shino (Jul 24, 2009)

Back when I was still in college, for a class project I tried script-kiddie-ing a botnet-style virus (this is back when broadband was just becoming popular) on my laptop, which was isolated and firewalled.

Somehow (I think it was my roomie playing a practical joke gone bad) it got off the machine and infected everyone in my dorm running an XP home system. All of a sudden, everybody's computer had _rundll32.exe ~RedQueen01.dll_ (or whatever the syntax was back then) in their process list, and all of the switches in the building spiked to 98% bandwidth use. (On a 10/100 network.)

My boss (the IT manager) was not happy. Luckily, I hadn't given it any actual malicious function, and it wasn't my fault it got out, so I didn't take any heat for it, but I found it kinda creepy that no one's antivirus picked it up.


----------



## ChaoticSpark (Jul 24, 2009)

Runefox said:


> If it's in your sent messages folder (assuming this is on your computer, not something like Hotmail/Live Mail), then you're infected with something, either by clicking on something, or browsing to a site that exploits some vulnerabilities in your browser, or something like that.
> 
> Also, automated tools rarely work - A manual approach is usually best, though MalwareBytes' Anti-Malware is one of the most effective tools I've used as far as the automatics go.



Big +1 concerning MalwareBytes' Anti-Malware.

It came in very handy when I was removing Antivirus2009 off some poor sod's computer.


----------



## Runefox (Jul 24, 2009)

It pretty much eats AV2009 and its derivatives alive. I was impressed; normally you need to do a lot of manual work to rip that thing out at the root. I find MalwareBytes' Anti-Malware is pretty much able to deal with most of the common one-shot infections, though I've seen it choke on computers with a lot of different infections. Specifically, I believe some malware authors are beginning to target MBAM as a process to auto-terminate. Some of the less careful malware will just terminate the process by name - renaming the EXE will do the trick in those cases (same with Spybot and Autoruns). Others, you'll have to terminate the malicious process first, which may sometimes not be possible.

There's one program that I've found works rather well for terminating rogue processes, and that's IceSword. It doesn't work on every computer (I'm not quite sure what does and doesn't work and why), but when it does, you can terminate processes like SMSS.exe and CSRSS.exe. Sometimes it'll bluescreen, and I can't remember which ones are do-not-touch, but you can essentially bring Windows XP down to around 3-4 processes, which basically means it's as close to the recovery console as you'll get. Shutdown no longer works like that, though - you need to hard-reboot it. IceSword also lets you zoom in on a lot more than any other program I've used.


----------



## SnowFox (Jul 24, 2009)

rawrsome wolf said:


> If a friend was infected, surely he would have to send something to me, and then I'd click on it, for me to be infected too?
> 
> I know it wasn't a spoof, because it was in my 'sent messages' folder. :S
> 
> I used to do the spoof emails too. Did one to my teacher once; that didn't go as funny as I had planned XD



It wasn't one of those "Hey check out this block checker program and see who's blocking you on msn" emails was it? I got so sick of getting spam like that from idiots on my contact list. I even had one of my friends recommend that to me IN PERSON! I was like "lol you know that's a virus right?" and he tried to convince me it wasn't. Get off my contact list.



Runefox said:


> 4) Download a copy of XP "Antivirus" 2009 and wonder where the ads are coming from.



I often see "Antivir2009" as part of the user-agent in my access logs. I'm curious as to why it would want to advertise itself like that. I suppose the same goes for "FunWebProducts". :?
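The User-Agent markers SnowFox describes are easy to sweep for in a web server's access log. The following is an added example, not code from any poster: it parses Apache combined-format lines (constructed here, not real traffic) and reports which client hosts advertise `Antivir2009` or `FunWebProducts`; the token list is an assumption to extend from your own logs.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jul/2009:10:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Antivir2009; .NET CLR 2.0.50727)"
198.51.100.7 - - [24/Jul/2009:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; SV1)"
192.0.2.9 - - [24/Jul/2009:10:12:05 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5"
203.0.113.5 - - [24/Jul/2009:10:13:44 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Antivir2009; .NET CLR 2.0.50727)"
this line is not a log entry at all
"""

# Tokens that show up in a User-Agent only after a rogue "antivirus" or an
# adware toolbar has modified the browser.  "Antivir2009" and "FunWebProducts"
# are the two the post mentions; the list is an assumption to extend from your
# own logs, not an authoritative signature set.
SUSPICIOUS_UA_TOKENS = ("Antivir2009", "FunWebProducts")

# Apache combined format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_agents(log_text, tokens=SUSPICIOUS_UA_TOKENS):
    """Return a list of (client_host, matched_token, user_agent) for each flagged request.

    Matching is case-insensitive because these toolbars do not agree on casing
    between versions.  Unparseable lines are skipped rather than raising, since
    one garbled line should not abort a scan of a multi-gigabyte log.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        agent = fields["agent"]
        lowered = agent.lower()
        for token in tokens:
            if token.lower() in lowered:
                hits.append((fields["host"], token, agent))
                break  # one report per request is enough
    return hits


def hosts_by_token(hits):
    """Collapse hits into {token: Counter({host: request_count})} for a quick triage view."""
    summary = {}
    for host, token, _agent in hits:
        summary.setdefault(token, Counter())[host] += 1
    return summary


if __name__ == "__main__":
    found = find_suspicious_agents(SAMPLE_LOG)
    for token, counter in hosts_by_token(found).items():
        for host, count in counter.most_common():
            print(f"{token:15s} {host:15s} {count} request(s)")
```

Hosts that keep showing up under one of these tokens are the machines to follow up on; the log tells you a browser was tampered with, not which malware did it.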


----------



## pixthor (Jul 24, 2009)

There are a LOT of fake antiviruses out there.


----------



## Runefox (Jul 24, 2009)

pixthor said:


> There are a LOT of fake antiviruses out there.



Usually, they're all based on AV2009.


----------



## SammyFox (Jul 24, 2009)

ArielMT said:


> There are always repair and recovery options for any malady that doesn't nuke the registry.  Prepare for similar events in the future now.
> 
> Install the Recovery Console as a Windows boot option, and/or download BartPE or UBCD4Win and build a Live Windows CD based on a good environment.  Booted into that, _no_ malware can run at start-up, and any infection that might happen can't survive reboot.
> 
> Also, protect your data by making backup copies on external drives.  Plug in, copy, eject, unplug.  USB hard drive enclosures can be had for as little as $10 and take standard internal hard drives.


Ok, how can I make it clear without sounding too aggressive?

That virus clings to important system files such as winlogon.exe and svchost.exe, and being the buggy pile of crap virut.cf is, it corrupts the files.

It will render restore points unusable, will infect all drives it can get access to, and in the end WILL force you to format everything.

You get it? No matter what you do, even if you boot the computer with an antivirus boot CD and you wipe out the virus, you'll still end up having an operating system that will basically implode sooner or later.

Get that? If you catch w32.virut.cf, you *WILL* end up formatting.


----------



## pixthor (Jul 24, 2009)

SammyFox said:


> Get that? If you catch w32.virut.cf, you *WILL* end up formatting.


Not really; if your antivirus catches it before it can download, you should be fine.


----------



## Runefox (Jul 24, 2009)

SammyFox said:


> That virus clings to important system files such as winlogon.exe and svchost.exe, and being the buggy pile of crap virut.cf is, it corrupts the files.



No, it doesn't. It runs inside these programs. If you had something like Autoruns, you'd be able to drill down and see what's running in the Winlogon process, what's running that may or may not be svchost.exe (some viruses will actually use this filename, placing it outside the normal path), and so on. It doesn't corrupt the files, and if it did, pop open a run box and type _sfc /scannow_ and be done with it.



> It will render restore points unusable, will infect all drives it can get access to, and in the end WILL force you to format everything.


Most viruses do, actually. Restore points are rather useless as a precaution against viruses - only useful as a precaution against user error or installing a new piece of software that makes changes to the system files that need to be reversed. Viruses usually attach themselves to the System Restore data cache.

Oh yeah, and delete any autorun.ini files you see on your other drives - that's how it "infects" them.



> You get it? No matter what you do, even if you boot the computer with an antivirus boot CD and you wipe out the virus, you'll still end up having an operating system that will basically implode sooner or later.
> 
> Get that? If you catch w32.virut.cf, you *WILL* end up formatting.



I could have fixed this in an hour.


----------



## ArielMT (Jul 24, 2009)

SammyFox said:


> Ok, how can I make it clear without sounding too aggressive?



No offense taken.



SammyFox said:


> Get that? If you catch w32.virut.cf, you *WILL* end up formatting.



Nothing I can do, then.  Keep your Windows disk and key handy, and buy a stack of DVD/Rs for backup.



Runefox said:


> I could have fixed this in an hour.



I'm a bit rusty, I hate to admit.  It'd take me two.


----------



## Runefox (Jul 24, 2009)

It'd probably take me two if I were to do it over a remote link, if possible (like using UltraVNC SC, which I'm prone to doing). Of course, something like this would require me to take note of filenames and nuke 'em from orbit, so... I probably couldn't really do it remotely, though I could do the detective work and tell whoever's on the other end what to delete from the Recovery Console/LiveCD/whatever they have available.


----------



## AshleyAshes (Jul 24, 2009)

SammyFox said:


> Ok, how can I make it clear without sounding too aggressive?
> 
> That virus clings to important system files such as winlogon.exe and svchost.exe, and being the buggy pile of crap virut.cf is, it corrupts the files.
> 
> ...


Just run a repair installation afterwards.  It'll replace all primary system files without replacing settings and accounts.


----------



## Runefox (Jul 24, 2009)

AshleyAshes said:


> repair installation



Yes, this (well, if SFC fails and/or Windows is unbootable).

To clarify, if you have an original Windows XP/Vista disc, and assuming it's the same general revision as what's already installed (OEM versus Retail versus Corporate; Home versus Pro versus Media Centre Edition), the installer will actually check for installed copies of Windows and prompt you to run a repair installation just before you get to the partition selection screen (XP). Choose to run the repair, and it'll go through the motions as usual; however, your drivers, user accounts, settings, and files will be untouched - though you _will_ need to activate again and download your updates again.

For Vista, I haven't done it in a while, but I believe it also prompts you at some point (or it's in the Recovery Options menu). Ah, found some info - here are detailed instructions for doing a Vista repair installation.


----------

