Got this from here:
Virut, as it has other ways to propel its vector, also injects an invisible IFRAME into each HTML file that points to the domain (DO NOT visit these domains unless you enjoy backups, reformats, and reinstallations). SiteAdvisor mapped out the target file as another Virut copy. There is another file-infecting domain that is redirected through SPAM. This Virut strain can manage to infect a thumbdrive image. Write-protected thumbdrives are vastly underrated.
Virus:Win32/Virut.BM
Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into the in-memory-version of WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP.
The virus infects .EXE and .SCR files on access; hence actions such as copying or viewing files with Explorer, including on shares (with write access), will result in files being infected, and the virus spreading from machine to machine.
Removal of the codex-infecting variety is described here as Virut Q: http://novirusthanks.org/blog/2009/02/viruswin32virutq-analysis-and-removal-instructions/
It also does the same infection: using the dropped DLL file named sfc_os.dll, the malware disabled Windows File Protection by changing the value SFCDisable to ffffff9d:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
This is where the hardening should be concentrated.
The removal instructions for Virut.Q, which changes explorer.exe and removes the original explorer.exe, could be summed up as: To remove this kind of malware I can suggest you to do this:
1) Boot windows in SafeMode
2) Update and scan your computer with DrWebCureIt from a clean source on pendrive
3) Delete infected files except the infected C:\WINDOWS\explorer.exe. They are:
C:\DOCUME~1\jimmy\LOCALS~1\Temp\381562351.exe
C:\DOCUME~1\jimmy\LOCALS~1\Temp\311188061.exe
C:\DOCUME~1\jimmy\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\jimmy\LOCALS~1\Temp\7hjhffd.bat
C:\Documents and Settings\jimmy\__rar_00.000
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Documents and Settings\jimmy\__rar_00.100
C:\Documents and Settings\jimmy\svchost.exe
C:\WINDOWS\system32\sfc_os.dll
4) Copy from your Windows OS CD-ROM the file explorer.exe in C:\WINDOWS\system32\dllcache\explorer.exe, overwriting the original explorer.exe. Then you will need to re-enable Windows File Protection (that was originally disabled by the malware) by editing the registry key as follows:
Set the value as "0" to SFCDisable in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
Now find the file named explorer.exe that is present in your OS CD-ROM and copy it under C:\WINDOWS\explorer.exe (overwriting the original infected one). Now your explorer.exe should be the original file; to be sure of this, just scan these files in our Virus Scanner:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe
You must have a report of 0 detections for both files.
After, you can restart your computer and see if the malware is gone.
Alternatively you can boot a Windows OS LIVE from a CD-ROM and repair the infected explorer.exe.
> Someone planted this motherfucker into my network.
> I can't find the origin.
>
> Anyone have any idea on how to remove this motherfucking thing?
> And how to find and remove the injector?
>
>
> Any help is appreciated, I tried googling, but no luck.
> I REALLY don't know what to do.
>
>
>
> one can never destroy the power of evil
>
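Added example, not from the original post or from the novirusthanks write-up: a PowerShell check for the two indicators the removal notes above rely on, the SFCDisable value under the Winlogon key and the state of the two explorer.exe copies. It assumes an elevated PowerShell on the affected machine; the key and file paths are the ones quoted in the post.

```powershell
# Paths and key as quoted in the post above.
$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$LiveExplorer  = Join-Path $env:SystemRoot 'explorer.exe'
$CacheExplorer = Join-Path $env:SystemRoot 'system32\dllcache\explorer.exe'

function Get-SfcDisableState {
    # Returns SFCDisable as an 8-digit unsigned hex string, or 'absent'.
    # The value is a DWORD; PowerShell reads it back as a signed Int32, so the
    # ffffff9d the post mentions comes back as -99 and formats as FFFFFF9D.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.SFCDisable) { return 'absent' }
    return ('{0:X8}' -f ([int]$props.SFCDisable))
}

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing instead of Get-FileHash so this also runs on old PowerShell.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Clear() }
}

$state = Get-SfcDisableState
if ($state -eq '00000000') {
    Write-Output "SFCDisable = 0x$state (Windows File Protection enforced)"
} else {
    Write-Output "SFCDisable = $state  <-- WFP not enforced; set it back to 0 after cleaning"
}

# Hash and size of both copies. A mismatch means at least one was modified;
# a match proves nothing on its own, since once WFP is off Virut can infect
# the dllcache copy too, which is why the post says to scan both files.
foreach ($f in $LiveExplorer, $CacheExplorer) {
    if (Test-Path $f) {
        Write-Output ('{0}  {1:N0} bytes  {2}' -f (Get-Sha256Hex $f), (Get-Item $f).Length, $f)
    } else {
        Write-Output "missing: $f"
    }
}
```

Run it before and after step 4 of the instructions: the first run should show a non-zero SFCDisable and, typically, differing hashes; after the clean copies are restored and the value reset, it should report 00000000 and identical hashes.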
