WSA cannot clean Win32.Virut

Discussion in 'Prevx Releases' started by volvic, Oct 19, 2013.

Thread Status:
Not open for further replies.
  1. volvic

    volvic Registered Member

    Absolutely flabbergasted.

    Called support. Waited in a queue for over an hour+ (c).

    To be told:

    "Log needed."
    So I saved the log and sent it, but apparently, because of the silly upload system, it did not upload properly.

    They wanted me to run the WSALog generator, which would crash at the point of packaging the data.

    I appreciate that not everything can be detected, but here it can detect it but not clean it.
     
  2. volvic

    volvic Registered Member

    I should add that this particular junk blocks the owner out of the PC in safe mode also. It allows logging in, and a few seconds later it logs back off. In normal mode, WSA kicks in, turns red, and then the system logs off again; this happens within seconds.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    We have several tools to aid in the cleanup of Virut, but WSA does detect it and instructs the user to contact support, as file infectors are difficult to deal with. The support team has offline tools to aid in cleanup if needed. I suggest continuing to work with them to get it resolved ASAP.
     
  4. volvic

    volvic Registered Member

    My question remains unanswered... why does WSA not clean it up itself?
     
  5. fax

    fax Registered Member

    He just answered above... for the safety of your files and system it is better that you contact support :)
     
  6. volvic

    volvic Registered Member

    Support cannot remotely access the machine. And net access is not working (presumably because of the virus). Support also could not help me unless I could get them logs using a WSALog collector, which crashes, so what to do?
     
  7. Esse

    Esse Registered Member

    If possible, I would remove the HDD and set it up in another PC as a slave and let support get in that way.
    But then again, I do not know if the virus would spread that way to the new host PC; maybe Joe knows?
    Usually this approach works for these kinds of scenarios.

    /E
     
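Esse's slave-disk suggestion above amounts to offline analysis of the infected volume from a clean host. As an added example (not Webroot/Prevx tooling and not part of the original thread), the Python script below shows the integrity-diff step such an offline pass relies on: hash every executable on the mounted volume, compare against a baseline manifest taken from a known-clean state, and list the files that changed, grew, or newly appeared. The directory layout, file names and byte contents are constructed for the demo, and the extension list is an assumption; the script identifies modified executables but does not disinfect them, which is the part the thread says needs vendor tooling.

```python
"""Offline integrity diff of executables on a mounted (slave) volume.

Added example for the thread above; not Webroot/Prevx code.  Mount the
suspect disk read-only on a clean host, build a manifest, and compare it
against a baseline manifest taken from a known-clean state.
"""
import hashlib
import os
import tempfile

# Extensions treated as executables on a Windows volume (assumption for this example).
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}


def looks_like_pe(path):
    """True if the file starts with the 'MZ' DOS header that PE files carry."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def build_manifest(root):
    """Map each executable under root (as a relative path) to its SHA-256 and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            # Check the header too, so a renamed executable is not skipped.
            if ext not in PE_EXTENSIONS and not looks_like_pe(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": hashlib.sha256(data).hexdigest(),
                             "size": len(data)}
    return manifest


def diff_manifests(baseline, current):
    """Classify executables relative to the baseline.

    modified: hash changed; grown: modified and larger, the usual footprint of
    an appending file infector; new: not in the baseline; missing: removed.
    """
    report = {"modified": [], "grown": [], "new": [], "missing": []}
    for rel, cur in current.items():
        base = baseline.get(rel)
        if base is None:
            report["new"].append(rel)
        elif base["sha256"] != cur["sha256"]:
            report["modified"].append(rel)
            if cur["size"] > base["size"]:
                report["grown"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Run the diff against a constructed mini volume (not a real disk image)."""
    root = tempfile.mkdtemp(prefix="volume_")
    os.makedirs(os.path.join(root, "Windows", "System32"))

    def write(rel, data):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

    # Constructed sample files: two fake PE images and one non-executable.
    write("Windows/notepad.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00clean-code")
    write("Windows/System32/kernel32.dll", b"MZ" + b"\x00" * 62 + b"PE\x00\x00clean-lib")
    write("Windows/readme.txt", b"not an executable")
    baseline = build_manifest(root)

    # Simulate a file infector: append code to one executable and drop a new one.
    with open(os.path.join(root, "Windows/notepad.exe"), "ab") as fh:
        fh.write(b"\x90" * 128)
    write("Windows/System32/dropper.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00dropped")

    return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In a real offline pass the baseline comes from a clean image or the vendor's file catalog rather than from the suspect disk itself, the volume is mounted read-only with autorun disabled on the analysis host, and nothing on it is executed; the diff only tells you which executables to hand to the cleanup tool.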
  8. fax

    fax Registered Member

    Did you report that to them? What did they say? No panic... Relax :)
     
  9. GreekGuy

    GreekGuy Registered Member

    Try using another vendor's cleanup tool, like this one from Kaspersky: http://support.kaspersky.com/2735

    It worked for me when Webroot let through a Sality virus on my system and couldn't clean it (https://www.wilderssecurity.com/showthread.php?t=339589)
     
  10. Techfox1976

    Techfox1976 Registered Member

    Yes, support can remotely access the machine. They have offline remote access tools as well.

    Here's a better question for you:
    What AV -can- be installed on a machine that is infected with Virut, while Virut is running, and successfully disinfect it? Remember, you can't run anything to install it, and you can't access the network to get definitions.

    Here's an even better, better question:
    How did you manage to get Virut on there when WSA was running? I have not been able to find a live Virut sample that causes uncleanable damage with WSA installed first unless it is specifically allowed by the user or WSA is shut down.

    Are you seriously claiming that Support said "We cannot help you unless you run WSALogs successfully"? Or are you just assuming that is the case to create controversy?
     
  11. ams963

    ams963 Registered Member

    Please inform Support that the collector crashes. They'll instruct you to use other methods, like offline removal tools. You can carry on the conversation with Support through another PC or by phone and follow the instructions on the infected PC with a USB drive containing the tools. No worries. ;)
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Exactly. I think this is the fourth thread where this same conversation about this same threat is taking place now. volvic, can we keep it in this thread, just so that we don't have to try to follow it in so many places? The support team will be able to help you with cleanup scripts and the cleanup tool we've written; WSA just prompts to contact support, as file infectors are notoriously difficult to clean even when we have journaled the changes (it will likely require using safe mode or offline access because of the difficulties getting to the OS).
     
  13. ams963

    ams963 Registered Member

    It makes complete sense. :thumb:
     