In
this section you will find recommendations how to fight malicious
programs which cannot be disinfected by Kaspersky Lab's products. In
order to disinfect/remove malicious programs you may have to modify the
system registry or use an additional utility. If you failed to find the
necessary information or you find these recommendations too complicated
or inadequate, please send a request to the Technical Support service
via the [You must be registered and logged in to see this link.].

Main function of Virus.Win32.Virut.ce, q is a botnet client which is used by the virus to transmit data from an infected PC. [You must be registered and logged in to see this link.] you can read more about botnets and their usage.
To disinfect a system infected with malware Virus.Win32.Virut.ce, q use the tool VirutKiller.exe.


Disinfection of an infected system

The [You must be registered and logged in to see this link.] should be disabled before attempting to disinfect a system.

• Download the archive [You must be registered and logged in to see this link.] and extract it into a folder on the infected (or potentially infected) PC using an archiver program (for example, WinZip).
  
• Run the file VirutKiller.exe.
  
• Wait for the scan and disinfection to finish. A reboot might require after disinfection.
  

If started without switches, the tool will:

• Seek and terminate malicious threads.
  
• Seek hooked functions and unhook them:
  
  
  
  • NtCreateFile;
    
  • NtCreateProcess;
    
  • NtCreateProcessEx;
    
  • NtOpenFile;
    
  • NtQueryInformationProcess.
    


• Scan and disinfection of files on all hard disk drives.
  
• While scanning hard disk drives, the tool will also perform a check
  of executable files of all running processes every 10 seconds.
  Terminate detected infected processes and disinfect infected files.
  

Optional switches to run the tool from command prompt:

-l - write log to the file.
-v - detailed logging (must be used in combination with the parameter -l).
-s ;- scan in “silent” mode (without opening console box).
-y - when the utility finishes, its window will be closed.
-p – scan a specific folder.
-r - scan removable drives (flash), external USB and FireWire hard disks.
-n - scan network drives.

Symptoms of infection:

• Infected computers keep trying to access the following addresses to receive administration commands:
  
  
  
  • irc.zief.pl;
    
  • proxim.ircgalaxy.pl.
    


• An experienced user can track hooks of the following functions in
  almost all processes (these hooks are used by the virus to infect all
  executable files a process is trying to access, and introduce its code
  into all newly started processes):
  
  
  
  • NtCreateFile;
    
  • NtCreateProcess;
    
  • NtCreateProcessEx;
    
  • NtOpenFile;
    
  • NtQueryInformationProcess.
    
  
  

You might use the [You must be registered and logged in to see this link.] utility, for example:




Or [You must be registered and logged in to see this link.]: