
Topic: Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp] (Read 19231 times)


    sxkorn (Topic Starter)
    Hi, I have the same problem... :( My question is:
    What are my chances of rescuing my system if it was on for, let's say, 10-30 minutes after being infected, and after avast detected it I brutally shut down my PC, restarted in safe mode and scheduled an on-boot scan with avast?
    I have moved all the files found infected, system files or not, to the chest, and am going for a new on-boot scan. Repairing the system will do for me... hopefully...
    So, do you think there is a chance to rescue my system?
    Thank you in advance.

    Edit: only .exe files have been found so far by avast...

    evilfantasy (Malware Removal Specialist, Moderator)
    Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
    « Reply #1 on: April 14, 2009, 03:05:50 PM »
    This is a Virut/Sality infection. Virut is a virus that infects all executable files and screensavers. Virut also opens a back door providing the attacker with unauthorized remote access to the infected computer. Definition: Polymorphic virus.

    There is no way to cure this infection. Your only option is to perform a full reformat. Do NOT attempt a repair install. Trying to fix this infection will only leave the computer unusable. See Virut on the Rise and Virut and other File infectors - Throwing in the Towel? for more information. 

    Note that if you decide to try and clean this you must be extremely careful about what is backed up, as these new infections can get into many different file extensions (DLL, EXE, SCR, HTM, HTML, MP3, AVI, WMV, PDF, etc.). A complete reformat and reinstall is highly suggested! Avoid backing up compressed files (zip/cab/rar, etc.). Virut can also penetrate compressed files that have .exe or .scr files inside them.

    If you back up any files they should be scanned from a clean, properly protected PC before restoring. Also be careful which scanner is used, as some are very poor at detecting and even worse at protecting from this infection. In fact, due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only back up files you cannot replace!

    Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

    I suggest running at least 3 of the scanners below on the backup files. Run the first scan, then reboot before running the second, then reboot again after the second before running the third.

    -) Dr.Web CureIt!
    -) AVG Win32/Virut Removal Tool
    -) Symantec W32.Virut Removal Tool
    -) McAfee Avert Stinger
    -) Microsoft Windows Malicious Software Removal Tool

    If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/

      sxkorn (Topic Starter)
      Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
      « Reply #2 on: April 14, 2009, 04:18:25 PM »
      One more question: when the infection happened, I had a network drive mapped, but didn't open any file on that drive. Please tell me it did not get onto that drive, as that is where all I have is [the drive is not on my laptop, which is currently infected, and I didn't access it]...

      evilfantasy (Malware Removal Specialist, Moderator)
      Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
      « Reply #3 on: April 14, 2009, 04:34:27 PM »
      I would use Dr Web to scan any drive that might have been infected.

      Helpmeh
      Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
      « Reply #4 on: April 14, 2009, 05:42:04 PM »
      Quote from: evilfantasy on April 14, 2009, 03:05:50 PM
      [Reply #1 quoted in full]
      Wow...if this got as much hype as conficker, we would have another Y2K incident (mass hysteria), except something actually happens...

        sxkorn (Topic Starter)
        Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
        « Reply #5 on: April 22, 2009, 12:53:51 PM »
        Okay, updates on my situation:
        I have scanned both my laptop and my server with the latest version of Dr.Web, the AVG Win32/Virut Removal Tool and McAfee Avert Stinger, as advised [my server only with Dr.Web, as it is on Debian with ext3 partitions, so my WinXP live CD didn't help me]. These tools did NOT find anything, not a trace, everything was "clean".
        I found on another forum a similar topic with "JunkPoly" [http://www.thetechguide.com/forum/lofiversion/index.php/t80497.html] and the victim was advised to use http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/.
        Scanned my whole laptop with the tool from Kaspersky and it found some 400 files infected with Kaspersky's name for the virus: Virus.Win32.virut.ce. It's the same. All files found were .exe and .dll and I instructed the tool to delete them all. Ran another scan with all options on [in depth, and other options I can't remember] and after several hours it found nothing.
        I did all this with a BartPE Live CD and didn't start my system until it was clean, hopefully. Moved all files I needed to DVDs, moved other files less important but not unimportant to the second partition, installed Vista, did another scan with Kaspersky's tool for removing Virut [nothing, again], installed avast, scanned the whole drive again with avast updated [which found nothing]. I guess that would be all.

        I think I managed to get rid of my "friend" JunkPoly.
        Maybe because the system ran just about 30 minutes [cumulated] after infection. Maybe because my system was installed on another partition than C:\. I don't know. I'm glad I still have the files I need and still got rid of the Virut. :)
        Thanks for the tips everyone. ;)

        evilfantasy (Malware Removal Specialist, Moderator)
        Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
        « Reply #6 on: April 22, 2009, 01:03:54 PM »
        Try scanning again tomorrow with Dr Web and the Kaspersky AVP tool.

        Virut is polymorphic, meaning it never stops spreading. The only way to remove it is by deleting all of your system files like winlogon.exe, Internet Explorer and so on. In other words, to completely remove it means that the computer is left unusable.

          sxkorn (Topic Starter)
          Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
          « Reply #7 on: April 22, 2009, 01:13:55 PM »
          Just said:
          I used a BartPE Live CD so I didn't have to use the infected system [there was no way to infect the system on the CD]. All files found infected by Kaspersky were deleted, so I could not use the infected system, and all the file saving/moving was done from the live CD. This is the third day with Vista 64, no sign yet of any virus, and I will scan right now, again, with Kaspersky and post the answer after it finishes. Hopefully there will be no infection.
          I'll keep you updated.

          evilfantasy (Malware Removal Specialist, Moderator)
          Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
          « Reply #8 on: April 22, 2009, 01:19:17 PM »
          Could you post the log it creates, please? I'm interested in seeing what it finds (if anything).

          Be sure to download a new copy. It updates daily without notice.

          Download the latest version of the Kaspersky AVP Tool to your desktop.

          * Double click the setup file to run it.
          * Click Next to continue.
          * By default it will install to your desktop folder. Click Next.
          * Click OK at the prompt for scanning in Safe Mode.
          * It will then open a box. There will be a tab that says Automatic scan.
          * Under Automatic scan make sure these are checked:

          # System Memory
          # Startup Objects
          # Disk Boot Sectors
          # My Computer
          # Also any other (removable) drives that you may have


          * Then click on Scan at the top right-hand corner.
          * It will automatically Neutralize any objects found.
          * If some objects are left unneutralized then click the button that says Neutralize all.
          * If it says it cannot be Neutralized then choose the Delete option when prompted.
          * After that is done click on the Reports button at the bottom and save it to a file named Kas.
          * Save it somewhere convenient like your desktop and post only the detected virus/malware from the report (it will be at the very top under Detected) in your next reply.

          Note: This tool will self-uninstall when you close it, so please save the log before closing it.

            sxkorn (Topic Starter)
            Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
            « Reply #9 on: April 22, 2009, 01:40:48 PM »
            :) Thank you for trying to believe me.
            Did all you said just before you posted. I have used the tool more than 5 times, two times on my wife's computer just to be sure. I have downloaded today's version and it is now scanning. It's gonna finish [it says] tomorrow at about 03.00, but it will finish at about 06-07.00. I have also set high security in the settings, including "hostile environment" [I guess it can only be better].
            I'll post the log after it finishes.

              liamb123
              Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
              « Reply #10 on: April 22, 2009, 04:00:51 PM »
              If this works do you think it could work with other win32 viruts??

              evilfantasy (Malware Removal Specialist, Moderator)
              Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
              « Reply #11 on: April 22, 2009, 04:10:11 PM »
              I can't say for sure. It depends on your knowledge of computers. I've only heard of it removed a few times and it was never easy.
              « Last Edit: April 23, 2009, 01:01:57 PM by evilfantasy »

                sxkorn (Topic Starter)
                Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
                « Reply #12 on: April 22, 2009, 10:36:58 PM »
                I'm posting part of the log Kaspersky's tool created; I removed the Events section for two reasons: it is huge and it contains all the filenames present on my computer. As I expected, it finished at about 06.30 [or maybe it just waited for me to wake up to delete the only threat it found].

                Here is the log:
                ======================================================================================
                Scan
                ----
                Scanned:   495220
                Detected:   1
                Untreated:   0
                Start time:   4/22/2009 10:19:07 PM
                Duration:   08:15:39
                Finish time:   4/23/2009 6:34:46 AM


                Detected
                --------
                Status   Object
                ------   ------
                deleted: Trojan program Trojan-Downloader.MSIL.Agent.dz   File: D:\Downloads\Antivirus\ESET Smart Security 4 + NEW PATCH !\Marsu-fix.EXE/p.exe


                Events
                ------
                Time   Name   Status   Reason
                ----   ----   ------   ------
                *************************************************************************************************


                Statistics
                ----------
                Object   Scanned   Detected   Untreated   Deleted   Moved to Quarantine   Archives   Packed files   Password protected   Corrupted
                ------   -------   --------   ---------   -------   -------------------   --------   ------------   ------------------   ---------


                Settings
                --------
                Parameter   Value
                ---------   -----
                Security Level   Recommended
                Action   Prompt for action when the scan is complete
                Run mode   Manually
                File types   Scan all files
                Scan only new and changed files   No
                Scan archives   All
                Scan embedded OLE objects   All
                Skip if object is larger than   No
                Skip if scan takes longer than   No
                Parse email formats   No
                Scan password-protected archives   No
                Enable iChecker technology   No
                Enable iSwift technology   No
                Show detected threats on "Detected" tab   Yes
                Rootkits search   Yes
                Deep rootkits search   No
                Use heuristic analyzer   Yes


                Quarantine
                ----------
                Status   Object   Size   Added
                ------   ------   ----   -----


                Backup
                ------
                Status   Object   Size
                ------   ------   ----

                ======================================================================================

                That's it. No sign of Virus.Win32.virut.ce.
                BTW, this tool was the only one that found it on my computer; the others, like I have said, did not find anything except some "harmless" [from my point of view], easy to remove threats, which were packed inside some patches/keygens. The file mentioned above, found by this tool, was downloaded by me and I knew about it, like I know almost all the infected files on my system.
                Also, last night I scanned my wife's computer, same situation there: one threat, somewhere in an old recycle bin, but it was not Virut and was deleted eventually.
                I wish I had saved one copy of JunkPoly/Virut on a CD for testing it in a virtual machine and finding out what else could remove it, whether Kaspersky really cleans it without needing to delete the files [because it gave me that option but I preferred to delete all infected files] and whether the infection comes back later on that virtual system. This way one could know if a disinfection removes the virus leaving clean files behind. I would do that in a virtual system only :P.
                So far so good, no alarms, no unusual behaviour.
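
The report layout posted above is easy to machine-check when you have several of these logs to compare (laptop, server, a second PC). As an added example, not the Kaspersky tool's own code, here is a small Python parser that pulls the Scan counters and the Detected lines, splits the tool's archive-member notation (the `/p.exe` in `Marsu-fix.EXE/p.exe`), and cross-checks the Detected counter against the listed lines; the sample report is constructed from the posted one, trimmed to the sections the parser reads.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the posted report, trimmed to the
# Scan counters and the Detected section; the values are the posted ones.
SAMPLE_REPORT = """\
Scan
----
Scanned:   495220
Detected:   1
Untreated:   0

Detected
--------
Status   Object
------   ------
deleted: Trojan program Trojan-Downloader.MSIL.Agent.dz   File: D:\\Downloads\\Antivirus\\ESET Smart Security 4 + NEW PATCH !\\Marsu-fix.EXE/p.exe
"""

# Counter lines such as "Scanned:   495220" in the Scan section.
_TOTAL_RE = re.compile(r"^(Scanned|Detected|Untreated):\s+(\d+)\s*$", re.M)
# "deleted: <verdict>   File: <object>" lines in the Detected section.
_DETECT_RE = re.compile(r"^(\w+):\s+(.+?)\s{2,}File:\s+(.+?)\s*$", re.M)

@dataclass
class Detection:
    status: str     # what the tool did: deleted, quarantined, untreated, ...
    verdict: str    # e.g. "Trojan program Trojan-Downloader.MSIL.Agent.dz"
    container: str  # the on-disk file the tool opened
    member: str     # member inside an archive/SFX, "" if the file itself

def parse_totals(report: str) -> dict:
    """Return the Scanned/Detected/Untreated counters as ints."""
    return {k: int(v) for k, v in _TOTAL_RE.findall(report)}

def parse_detections(report: str) -> list:
    """One Detection per Detected line. The tool writes 'archive/member' for
    objects found inside archives; Windows paths use backslashes, so the
    first '/' separates the container from the archive member."""
    out = []
    for status, verdict, obj in _DETECT_RE.findall(report):
        container, _, member = obj.partition("/")
        out.append(Detection(status, verdict, container, member))
    return out

def summarize(report: str) -> dict:
    """Cross-check the Detected counter against the listed lines and report
    what was left untreated and which verdict names appeared."""
    totals, dets = parse_totals(report), parse_detections(report)
    return {
        "scanned": totals.get("Scanned", 0),
        "counter_matches": totals.get("Detected") == len(dets),
        "untreated": [d.container for d in dets if d.status == "untreated"],
        "verdicts": sorted({d.verdict.split()[-1] for d in dets}),
    }
```

A report whose Detected counter does not match its listed lines, or whose `untreated` list is not empty, is the one to look at again before trusting a "clean" result.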

                evilfantasy (Malware Removal Specialist, Moderator)
                Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
                « Reply #13 on: April 23, 2009, 12:24:05 AM »
                Quote
                deleted: Trojan program Trojan-Downloader.MSIL.Agent.dz   File: D:\Downloads\Antivirus\ESET Smart Security 4 + NEW PATCH !\Marsu-fix.EXE/p.exe

                You do know that Virut and its offspring are spreading through warez, or patches, or whatever they are calling them now. Kind of ironic that you likely got infected by downloading an antivirus...

                  sxkorn (Topic Starter)
                  Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
                  « Reply #14 on: April 23, 2009, 12:44:38 AM »
                  Yeap, it's ironic. But, like I said, usually I'm careful with patches and other suspicious files. Not the time I got infected with JunkPoly/Virut, unfortunately.
                  I didn't run that file Kaspersky found infected, as ESET found it too and I didn't want to take any risks with the new system installed.
                  Also some other download with an antivirus was infected with some virus, but that was nothing, I'd say, compared with my previous experience [got rid of that really quickly].
                  So, in your opinion, what do you think? Do I still have it?

                  Edit:
                  BTW, I believe it's spreading a lot, because a virus alert appeared on my wife's computer [after a Kaspersky scan]. Avast found something on a site [which should be clean] and it was something about an iFrame. I have read that Virut can infect webpages by inserting a tag with an iFrame or something. Hope I'm wrong, but I will think twice before being sure it's a false alarm. Or maybe three times... Anyway, I guess one should be careful when the antivirus says "it might be infected".