Win32 Virtob/Virut removal

Today I got handed a machine riddled with a virus that avast! detects as “Win32 Virtob”, also known as “Win32 Virut”.

Virtob is a worm that spreads around your system on the back of executable files (.exe and .scr). Once the virus is running in system memory, every executable you run after that is infected in turn.

Once a system is infected, the virus becomes very difficult to remove.

I discovered the system was infected with this worm when I installed avast! on it. Avast! soon identified the virus in the infected files, offering me a choice to repair, delete or move to chest.

I very quickly found that “repair” never worked; delete was a bad choice, as the infected files could be needed system executables, and for the same reason “move to chest” would also be a bad choice.

I had to find another approach.

There were two options: I learned that Dr Web CureIT was able to “cure” the files, and I was also told that AVG offered a Virut Removal Tool.

  • Download the above files (on a clean system).
  • Create a boot CD using Bart’s PE builder, or download miniPE (on a clean system), and put the tools on the CD
    • or on a memory stick (preferably read-only).
  • Reboot into the CD.
  • Run the downloaded software against the infected hard drives.

Once the system is disinfected reboot normally, then:

  • Go to Start -> Run, type: sfc /scannow
    • Note: This may require your Windows CD, or an i386 directory.
  • Run a full system scan using at least two up-to-date antivirus applications. (List of antivirus software)
  • Reinstall any software that appears to be corrupt or missing.
  • Ensure your windows updates are up-to-date (Especially ensure you have this one).
  • I also recommend you delete your “Temporary Internet Files” and delete all content from your %tmp% directory.

51 Comments

  1. René said,

    December 3, 2007 @ 10:34 am

    Hi
    How do I get rid of the virus win32.virtob?
    I have read all that on this site, and I can’t delete the virus :(
    I don’t know what to do anymore. I have tried several times booting my Windows, and every time I finish reinstalling Windows the virus is coming back.
    Can anyone help me. Please.
    send msg to my e-mail

    >René

  2. Paul Derbyshire said,

    January 8, 2008 @ 8:10 pm

    – Just for info for other people finding this —

    Dr Web CureIT worked for me whereas the AVG removal tool did not.

    Also instead of using BartPE an alternative way to do this is to take out the hard drive from the infected machine and connect it to another computer. From there you can scan it with your own AV software knowing that none of the potentially infected files are in use and therefore unfixable.

    To the website creator:
    Great site and many thanks. How the feck do you get the time to fix stuff AND do this?
    Paul
    Alpha PC

  3. Chris said,

    January 23, 2008 @ 6:43 am

    It worked beautifully, the BartPE and CureIT combo, thanx a lot!!!!!

  4. Bernd said,

    February 26, 2008 @ 9:47 am

    I also got infected by doing a “dumb” thing … executing some weird file coming from a weird source on my home system.
    AVG, Avira and other scanners found some of the virtob/Virut variants but were only doing their “rename/move” or “quarantining” things.
    Dr. Web’s “CureIT” did a great job instead, also for my system. Most of the files (except those with the newest variants) reappear clean after a full volume scan.
    In so far the virtob/virut infection is easy to identify, since the virus attaches itself into empty spaces at the end of the executables (in most cases) and redirects the entry vector to itself; the ending vector of the viral code then points to the original entry of the host executable.
    Because there are many variants around, it is recommended to re-scan a previously infected system, even if already cleaned up with tools, repeatedly, from time to time, as post-cleaning detections are possible due to continued signature updates by the scanners as well as for cleaning tools.

    My tips are: keep installed virus scanners, Anti-Spy- and Anti-Malware programs updated daily if possible.
    A non-updated scanner is like a nonexistent scanner, running out of date very quickly and just consuming system time for no purpose.
    (Against new infections appearing after the last update, there won’t be any protection.)
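
The infection layout the post describes (code appended to executables, entry point redirected to it), which Bernd’s comment above spells out, can be checked for with a PE-header heuristic. The script below is an editor-added example, not code from the post or any commenter and not a Virut signature: it locates the section holding AddressOfEntryPoint and flags the signs of an appending infector (entry in the last section, a writable+executable entry section, entry in the slack past VirtualSize, overlay after the last section); the sample PE images and the scan_tree helper are constructed for this example.

```python
# Editor-added example, not code from the post or its commenters, and not a
# Virut signature: a PE layout heuristic for the appending-infector pattern.
import os
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        # Simplification: max(VirtualSize, SizeOfRawData), no SectionAlignment rounding.
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections); raise ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):                        # IMAGE_SECTION_HEADER, 40 bytes each
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, *fields[1:5], fields[9]))
    return entry_rva, sections


def assess(data: bytes) -> List[str]:
    """Return layout oddities found; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe(data)
    home = next((s for s in sections if s.contains_rva(entry_rva)), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    findings = []
    # An appending infector parks its code in (or after) the last section and
    # points AddressOfEntryPoint at it, so it runs before the host's own entry.
    if len(sections) > 1 and home is sections[-1]:
        findings.append("entry point is in the last section %r" % home.name)
    if home.characteristics & IMAGE_SCN_MEM_WRITE and home.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is writable and executable" % home.name)
    if entry_rva >= home.virtual_address + home.virtual_size:
        findings.append("entry point sits in the slack past VirtualSize of %r" % home.name)
    overlay = len(data) - max(s.raw_pointer + s.raw_size for s in sections)
    if overlay > 0:
        findings.append("%d bytes of overlay after the last section" % overlay)
    return findings


def build_sample(entry_rva: int, last_chars: int, overlay: bytes = b"") -> bytes:
    """Constructed two-section PE32 image for testing; not a real binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)   # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                         # AddressOfEntryPoint
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x50, 0x2000, 0x200, 0x600, 0, 0, 0, 0, last_chars)
    return (dos + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x800, b"\0") + overlay


def scan_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk an offline volume (mounted from clean media) and list odd .exe/.scr/.dll files."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".exe", ".scr", ".dll")):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    findings = assess(fh.read())
            except (OSError, ValueError, struct.error) as exc:
                findings = ["unreadable: %s" % exc]
            if findings:
                report.append((path, findings))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:                                  # e.g. python pecheck.py /mnt/windows
        for path, findings in scan_tree(sys.argv[1]):
            print(path, "->", "; ".join(findings))
    else:
        print("clean:", assess(build_sample(0x1000, 0xC0000040)))            # entry in .text
        print("odd:", assess(build_sample(0x2060, 0xE0000040, b"\x90" * 32)))  # entry in W+X slack
```

Run it from clean media against a mounted, offline Windows volume; hits are candidates for a real scanner to cure, not proof of infection.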

  5. J.W. Bush said,

    March 15, 2008 @ 6:49 am

    Thnx GOD.. you published this paper.. All Americans will be thankful to you! DON’T FORGET to vote OBAMA!

  6. sure-blophy said,

    May 10, 2008 @ 8:05 pm

    Last year I used Dr Cure-it to get rid of w32.virut.w. Had to scan several times to do this because w32v would move around, I guess. This last month I made the mistake of downloading Google’s free antispyware (Norton) etc. Guess what? My PC was immediately infected with w32v. This showed up on the first scan. On the second scan about 5 more showed up and were eliminated, but one of the w32v resisted being deleted or wiped off.

    I almost believe that Norton did this deliberately, ie, introduce w32v, to motivate the user to buy their non-free anti-spyware.

    ANYWAY AS YOU MIGHT GUESS DR. CURE-IT WAS UNABLE TO GET RID OF IT … EVEN A NEWLY UPDATED ONE!!!

    if you know what to do besides reformatting my HD please let me know.

    TIA ;=)

    Meanwhile I’m going to download an Update of Dr CureIt again and re-scan.

  7. akk234 said,

    May 13, 2008 @ 6:52 am

    I am no geek and could not exactly follow the steps.
    It will be very kind of u to just elaborate the steps a bit more.
    I really appreciate ur effort but I am sorry I have to ask u 4 a little more effort.
    Hope to get a reply soon.

  8. hm2k said,

    May 13, 2008 @ 7:28 am

    Which part did you find difficult to follow?

  9. silu said,

    July 22, 2008 @ 6:54 am

    My PC was going pretty fine till yesterday. Then suddenly a toolbar came onto the screen saying that the system will be shut down in 15 mins. BitDefender is saying it’s a win32.virtob virus. I haven’t got an updated version. I am gonna try this out. Meanwhile I am using the PC in safe mode. Don’t know what to do. Some people told me that the virus would defragment the hard drive leading to its crash. Can you give a suggestion as to what to do?

  10. mikkypops said,

    August 16, 2008 @ 11:40 am

    Thanks hm2k – I’ve been looking for a solution to this for days, and now that other useful info helps with other things too.

    For the people who don’t have the computer knowledge: unplug your hard drive from your computer, put it in an external drive or just plug it in on the inside of a non-infected computer, make sure all the antivirus programs are up to date and scan it, especially with the Cure-it. Then when you plug it back into the original machine, install Windows, repairing it, then you should be able to install all your other programs,
    knowing that the possibility is you don’t have all the programs that are on your computer, because the most likely source for this bug is illegal software installations from certain websites and torrents, music downloading included. Funny enough, that is the easiest way to do it, so hope that could help a little further.

  11. Syam said,

    September 18, 2008 @ 5:21 pm

    If you still have the issue, use avast and do a scan at boot time. You will have no option but to delete the exe files affected by the damn thing. Once done, use sfc /scannow and use the XP CD when asked for. This is what I did and it did solve it.
    Avira and avast detect it and warn; I did not pay heed and had to pay a huge price…

  12. joneywalker4u said,

    October 26, 2008 @ 9:41 am

    Thanks man it worked somewhat to cure w32.virut but too many files were infected and symantec antivirus deleted them before I could recover them via cure it.
    Thanks once again.

  13. fekalierex said,

    October 29, 2008 @ 4:01 pm

    I have the same problem. I found that it’s very suspicious when many programs that self-CRC-check won’t run. Then I found that my programs, after compilation and renaming from .ex_ to .exe, grow by about 50 kb. Today I had the idea to check one of the programs with a content comparator. The first file had a non-exe extension and the second was the exe file of the same program. It found 3 differences. One at the beginning of the file (I think it is like a code call procedure used to execute the viral code). The second was in the middle and the last was a big code block that is the actual virus. Some programs work fine with this append, some check CRC and won’t launch, and sometimes (this was on patch-crack programs) they can be unrecoverably corrupted (virut.b had a problem infecting my gamecam crack, so it began growing till it became 2 GB big).

  14. Blacksmith said,

    November 13, 2008 @ 8:47 am

    Alright, I’ve grown extremely frustrated at this point. Considering that the company that sent me my computer did NOT give me a disc of my OS, I pretty much can’t do what you’re saying. As such, would that count as me being fucked? Seriously, I can’t get rid of this damn annoying virus.

  15. FekalieRex said,

    December 29, 2008 @ 8:35 pm

    Well, I have now completely removed this virus. I used DR. WEB CureIt! Firstly I started with a fast scan, to leave my system folders clean from that shit. Then I rebooted my PC, so my PC can’t have viruses loaded in its memory. After I loaded CureIt! I selected in options only to check executable program structures: EXEs, DLLs, screensavers, since I have too many files on the PC and I don’t want to spend 5 hours just checking my downloaded HTML materials and, for example, Office 2003 help files. Then I ran a full check. I also found some little shit and another serious virus that infects DLLs – win32.besso. It healed all my infected programs (only the original “source” virus exe wasn’t healed – it was removed). Now my PC is clean. I also heard a rumor that Virut will reappear after healing. I say: it will not reappear. If some apps say that they are corrupted, probably by a virus, it may probably be due to inaccurate virus removal – just reinstall the app. Second thing is that CureIt! is a free tool, and so it has limitations, like no archive healing, so don’t think your archives are clean. You better re-check them after unpacking (I unpacked my old file wiper project from a ZIP and when I ran it (I forgot that it was compiled when the PC was infected) my whole disk was reinfected.) And your PC will be OK!

  16. guruman said,

    January 6, 2009 @ 2:26 pm

    virut has a lot of variants dr.web can cure few of them not all

    but it’s good to know that there’s some ppl tryin to get a cure for this infection

    btw it spreads very fast and once if your pc is infected it pose a threat always

    new
    it comes through msn

    old
    it has existed for a long long time, still no cure, and Microsoft doesn’t try to get some firewall protection against this infection
    or they can’t

  17. Stew said,

    February 6, 2009 @ 7:03 am

    By the way, that BartPE crap failed to produce an ISO or burn a disc 5 times in a row. It kept muttering something about being able to delete log files???

    Another hour of my life I’ll never get back after trying to fix Bill Gates’ crap!

  18. Naz said,

    February 6, 2009 @ 2:33 pm

    Hi, I was wondering if someone knows about W32.virut.cf !!! Please help me to remove this virus from my system.
    Thanks

  19. Blu3hand said,

    February 10, 2009 @ 7:40 pm

    I must say that dr Web CureIT solved my problem. It infected almost every .exe files I have in system32. So it was a nasty thing to remove.
    But not everything was cured. avast still showed one or two files with it (it was still spreading).
    But no worries; a full system scan and a reboot will solve that problem.
    ^^

  20. Xedecimal said,

    February 17, 2009 @ 10:23 pm

    This is absolutely wonderful, after I let AVG tear the crap out of files until a reinstall of operating system, only to get affected again the moment microsoft’s side let it right back in as always, I was kinda caught either deleting anything in my backup that was executable or just archiving it away and picking out files that weren’t executable. This Dr. Web Scanner actually FIXES the files, not just deletes them. And I wouldn’t have found it if it wasn’t for you. Thank you very very much.

  21. Centspud said,

    February 21, 2009 @ 3:09 am

    This infection is nearly impossible to remove. If you have the latest variant that I got a couple days ago….you cannot download or install anything. I’ve run Combofix, Malwarebytes, AVG, Spyware Doctor, Avira, Dr Web Cureit, plus a few more. Each found some but not all of the infection….after each reboot it just started over with infecting files and spewing TCP traffic. Because it infects system files, these need to be cleanly replaced.

    This infected a totally up to date machine with the latest MS Updates and a full AV & Spyware package running- If I ever get a few clean scans…this machine will be wiped. Why would you want to trust the system anyway after such an ordeal?

  22. Try this removal method, WORKED FOR ME said,

    March 3, 2009 @ 8:19 pm

    Like many of you who posted here, I’ve been affected by this nasty virus for some time now and it has been a real headache trying to eradicate it from my system. Even though I was able to restore my system to working condition, the virus remained on my system constantly attempting to connect to the internet (luckily my BitDefender Firewall was usually able to block it).

    After doing a bit of research, I was able to find and run a series of tools that so far APPEAR to have eradicated the virus from my system. As many of you know this is a very tricky virus that appears to infect everything it touches so try to follow my directions as closely as possible.

    Note: My system is running Windows XP Service Pack 3, so those using other operating systems may have to tweak these directions slightly.

    1. Firstly, download these free tools from the internet and move them to the infected machine.

    Symantec Virut Removal Tool – http://www.softpedia.com/progDownload/W32-Virut-Removal-Tool-Download-121930.html

    Dr. Web CureIt Scanner – http://www.freedrweb.com/

    ATF Cleaner – http://www.download.com/ATF-Cleaner/3000-18512_4-89432.html?tag=mncol

    2. You want to disable System Restore on your computer. This can be done by viewing the System Restore tab in your System Properties. Next you want to disconnect your computer from any network cables it may be connected to. Make sure to disable any means your computer may have of connecting to the internet (such as disabling any wireless network adapters).

    3. Start your computer in Safe Mode (login to the account with the highest administrative privileges, of course).

    4. You want to open the file DrWeb.exe which you downloaded. As soon as it opens, it will run a quick system scan which won’t take very long (a few minutes). If you are indeed infected with this virus, the scanner will detect some of your infected files during this scan. Allow the scanner to cure/repair the files it finds (on my machine, the virus came up as “Win32.Virut.56”). When the quick scan completes, minimize the Dr. Web scanner for now.

    5. THIS IS IMPORTANT: Like I said, this virus can spread onto other computers and devices quite easily, so you want to plug in any removable flash drives or hard drives that may have been connected to the infected computer while it was infected. Make sure you have plenty of time to allow your computer to sit idle while additional scans are performed with these peripherals connected (like 6 hours).

    6. If Dr.Web managed to find some of the “Virut” infected files on your machine, you want to now go on to open the file FixVirut.com which you downloaded. It is a tool I found online which was recently released by Symantec to repair files infected by this virus. This tool is quite self-explanatory and simple to use, just run it. It may take a few hours. The tool may ask you to reboot when it finishes, but do not reboot yet. (When I ran the tool it found 2700+ infected files on my system, mostly .exe files, and terminated two process threads running in my winlogon.exe file. The tool creates a simple log of infected files within the same folder the tool is run from.)

    7. After FixVirut.com finishes running, you want to return to Dr.Web to run a complete system scan. Before you start the complete system scan, enter Dr.Web’s settings configuration (do this by pressing F9, not hard to find) go to the File Types tab and uncheck “Files in archives” (If you leave this setting checked, Dr.Web will take forever unpacking and scanning inside all the archive-type files on your computer. This virus doesn’t appear to attack the CONTENTS of archives in any case. If you think you need it and have the extra time to burn, you can leave it checked).

    8. Running the Dr.Web complete virus scan is very important. It will pick up any infected files the Symantec tool may have missed. Also, it picked up a couple of Trojan downloaders and suspicious files I believe were affiliated with this virus. In addition, those connected peripherals that may have been infected at some time will be scanned and cured during this complete scan. Click “Yes to all” the first time this program asks to cure an infected file and it will basically do the rest. Be aware that the scan will pause and ask you what to do if it comes across a file it cannot cure. This entire process will take several hours.

    9. When the scan finishes, go through the list of infected and suspicious files. Manually quarantine (move) or delete any suspicious files Dr.Web may have left alone, just to be on the safe side, unless those files are VERY important on your particular computer.

    10. Be happy, because most of the hard work is done. When you are done with Dr.Web you can close it and open the ATF-Cleaner.exe file you downloaded. Click “Select All” at the bottom to select every category then click “Empty Selected” to begin the deletion process. This will basically remove all the TEMP files from your computer, which is OK because you really don’t need them. This step may not be necessary but I did it simply as a precaution.

    11. Next I went into my systemroot TEMP folder and manually deleted all the files inside. (For me, the file path was “C:\WINNT\Temp”. For others it may be “C:\WINDOWS\TEMP”) Again this may not be necessary, but I did it as a precaution to be on the safe side.

    12. And now you’re done. You can run another quick express scan in Dr.Web to double check if you want, but right now your computer should be clean. Restart your computer normally. If you don’t already have one, I recommend getting some sophisticated Antivirus and Firewall software (i.e. not Windows Firewall). It was the lack of such software that got me in this mess in the first place.

    I hope this information helps some of you clean your computers of this nasty virus. It was by reading a variety of other people’s posts that eventually allowed me to figure out how to get rid of Virut, and stay better protected in the future.

  23. Chanlô said,

    March 5, 2009 @ 3:42 pm

    Dr Web now offers to download a free Live CD with the Dr Web CureIT tool on it. So you can download it, burn it on a CD, then boot on the CD and launch the scan & repair. This is the best solution because like this the system files can also be repaired because they aren’t in use.

  24. Stephen said,

    April 3, 2009 @ 9:30 pm

    The Dr Web live CD gives me hope but, can someone please tell me how to keep the scanning engine running? I have this running on two systems. The scanning engine runs until the CD drive, or something else decides to sleep. A key stroke or mouse movement awakens the Linux OS but, the Dr Web scan refuses to continue.
    Any suggestions?

  25. Virus Attack Virtob…….(Critical) — Adil Fahim’s Blog said,

    April 13, 2009 @ 7:10 am

    [...] http://hm2k.com/posts/win32-virtob-virut-removal [...]

  26. Nicolas said,

    April 15, 2009 @ 9:00 am

    Very helpful! solved my problem with this post, instead of using a WinPE bootdisk, I booted from a USB live linux (Ubuntu) and installed WINE (to run windows programs) then executed CureIT on the mounted windows volume. Thinking on ditching windows altogether now ; )

  27. Grunge said,

    April 16, 2009 @ 12:47 pm

    mate i have 1 comment about virut

    You can’t never clean a virut infection

    dr.web is a good av and yes it can repair files infected with virut
    but while scanning if u receive virut.51 (= no cure)
    virut.5 cures totally
    virut.15 cures totally

    i just met these virut codes for 51: repartitioning the full disk, save only txt and .doc files
    ’cause any file can be infected

  28. Gabriel said,

    April 16, 2009 @ 9:07 pm

    Hello, I got infected with Virut when my antivirus was uninstalled. I’m not an expert, I’d say I’m very familiar with computers and Operating systems.

    I don’t recall which version of Virut it was but I can tell you the latest tools (April 2009) and removals didn’t work:

    Symantec, Avira, AVG, Trend Micro, Dr web, and a few other tools – All Failed. I kept cleaning the registry and I had system restore off, I even restored windows system files over and over from my other pc, but no luck.

    After losing a week over this I decided to take some experts’ advice (who already had told me I was wasting my time) and backed up my data and formatted.

    So, what I can tell you is:

    All Antivirus companies say Virut risk is LOW but take the experts’ advice: if you get infected, don’t bother, backup and format.

    The only way to remove it is to simultaneously clean all the infected and that’s currently impossible I believe.

  29. Gabriel said,

    April 16, 2009 @ 9:12 pm

    I forgot to mention, I blocked the connections to the Polish IRC server from the virus backdoor, but that only prevented it from spreading faster and from allowing someone to access my computer.

    In safe mode with networking it was hard to stop it; without a firewall program it always accessed the IRC server. This is the ONLY malware/virus I ever got in 20 years that forced me to format an HD. I had never needed to format a computer due to errors or a virus, this was the first time.

    Basically, you get Virut, you format.

    Cheers

  30. Paril said,

    April 18, 2009 @ 4:55 am

    I’ve got some new information about the virus I just picked up while infected with it myself.

    Here’s a piece of fun info: Virut infects AVG’s cleanup tool when you run it, it will be picked up by AVG after it :p

    Some variants, like the one I have, will do a few things too:

    1) Change several policies that make it very difficult, if not impossible, to change specific settings:
    a) Disabling Folder Options
    b) Allowing hidden files
    c) Removing extensions for known types
    2) Creates a hidden log file in root with information on files downloaded to your computer and where they are gotten from!
    If you can access this log, you will see several lists of links such as (made up) ://64.35.11.562:7000/bababa.exe and a bunch of chinese host redirection services (such as 6688.org). If you can, submit this list to your favored site or as many anti-virus sites as possible and list this as possible sources for the Virut virus. Hopefully we can get some of these hosts blocked!

    Also, I found out with the Group Policy editor in Windows XP Pro, you can actually PREVENT reader_s from opening, by adding a policy to disallow the following program names:
    *reader_s*
    *TEMP/*.exe
    *TEMP/*.tmp

    Of course this may just impede the virus from going anywhere, you still have the damn thing.

    Currently doing a second run on my hard drive to rid of Virut.

    I’ve also noticed that it doesn’t just target ran executables but will also find its way to executables in the same FOLDER as the ran executable (one example is MSN Messenger: it loaded it with MsgPlus (an addon), but it also targeted the uninstallers for the specific software).

    Hopefully we can rid ourselves of this (likely) Chinese pest.

    -Paril

  31. norman said,

    April 18, 2009 @ 11:51 pm

    I’ve been infected with the win32.virut virus. I’m not sure which version I have but for some reason it’s caused me to lose all administrative access to my computer, no explorer.exe, and it actually blocks certain websites (especially virut removal sites) from being accessed. It says that my web browser can’t connect. I’ve tried it from multiple web browsers too. I don’t have my XP disc to format and reboot from either. Does this mean my system is completely screwed? Please help.

  32. buttkick said,

    April 20, 2009 @ 6:32 pm

    I’m a geek, and very experienced with computers. This is the second virus I get, that is annoying to deal with, the first was the famous CIH. Both are masterpieces.

    Gabriel: It’s possible to clean this virus.
    It’s a very hard work, but it is possible, I have done it in my PC with windows 2003. Took me almost 2 days to fully clean, this past weekend.

    This virus is so clever, that it doesn’t let you access any antivirus URL to download any tool, so you have to find another way, like a
    Linux Live CD, Bart PE, or an uninfected windows on another drive, partition or folder; it doesn’t infect the boot of the pc or MBR, but once it touches any infected .exe, it starts all over again. In fact, the windows boot is infected only when windows starts, not before that, because it puts some .sys files on \windows\system32\drivers. not outside of windows. If somebody knows better, correct me.
    You can install another windows system on the same drive, and then put an antivirus there in the new windows, to start the removal. It’s important to do this with a memory-resident antivirus for it to work. I had to use avast, because it was the only one that I could download to run on windows 2003; kaspersky and dr web don’t have a way to download their “servers” product. I sent e-mail, but it was a weekend, and nobody answered. On XP it’s possible to try kaspersky kav or kis 2009, or dr web full product. It’s a license problem only.
    Once you have the memory resident antivirus that detect it, you can start the removal or cleaning with avptool or dr web.

    I had to run Linux Live CD (PClinuxOS MiniME) to download dr web and kaspersky and others antivirus that didn’t work, Bart PE (that is very slow…) and later use AVPTOOL from kaspersky and Dr. Web.
    The worst was F-PROT, it never detected anything, making me reinstall and clean everything again, c’mon guys, you were good on old dos days… get yourself together.

    The only antivirus programs that clean 100% this virus, that I know are, Dr. Web and Kaspersky. Some others detect but don’t clean it.

    It’s very important to say that, RMVIRUT.EXE from AVG, and SYMANTEC free TOOLS to remove it, are from 2007, THEY DON’T WORK ON NEW VARIANTS, they don’t even detect it.

    Both have FREE TOOLS that are capable of doing that.
    http://avptool.virusinfo.info/en/
    http://www.freedrweb.com/download+cureit/

    Dr Web Live cd could do the trick too, but I haven’t tried.
    I think Kaspersky is a better solution, I trust it more, but it is slower. Kaspersky seems to be the best antivirus out there, now in 2009, you know these things change.
    Some files gonna be corrupted, but that’s a minority. If you need them, rescue the backups made by the antivirus, and try to clean with different tools, or reinstall the programs.

    It’s good that this antivirus is very “loud”: you notice right away when it infects, because it puts .exes and programs in memory all over the place, otherwise, it could be much more dangerous, but the .exe infection is very fast. I had almost 13000 .exes infected in a few hours.

    That’s it. What a painful thing it was :)

  33. An Idiot said,

    April 27, 2009 @ 2:06 pm

    I am such a dumbshit when it comes to Windows anymore… I too, have contracted this virus and have elected to go the format route. However, I was curious as to what danger infected files on backup drives would pose to a fresh installation of XP on the main drive? The installation/main drive is fodder with all replaceable data, however, I have an internal drive and external drive with irreplaceable infected data, what should I do with those?

  34. Lekan said,

    April 28, 2009 @ 8:18 am

    I don’t know who can help. My PC is infected with the win32 Virut. I have tried several times but am unable to clean it. My biggest problem is that I have another 2 hard drives connected to my PC which are very important. Any time I reformat my PC, I install CA Antivirus, update it and do a full scan on those hard drives before accessing them. But as soon as I try installing software or programs that are saved on them the virus will be back again, causing me to reformat again and again. I am now looking for a tool or antivirus that can remove the virus from the hard drives as I have done a full system scan and am waiting now.

  35. Deslin said,

    May 3, 2009 @ 11:28 pm

    To answer the question about what danger the infected files on backup drives pose to a fresh XP install, a BIG danger. If the backup drives are connected to the computer with a clean XP installed, once the infected files are accessed, they will cause the virus to start spawning itself again and infect the winlogon.exe and other files as the virus did at first infection. The safest bet is to completely wipe all drives and start over. Also don’t forget to first delete all partitions and then recreate them and from there formatting and installing XP can continue. Many people have had reinfection occur after several formats/XP installs because of failing to TOTALLY wipe the drive. If files are needed from an infected drive after a new install on a clean drive, using an Ubuntu LiveCD can be an option to safely attach the infected drive(s) as Windows viruses simply cannot operate in a Linux environment. If you decide to go this route, be EXTREMELY careful that you do not simply transfer every file from the infected drive or EXE/SCR/PHP/HTML files from it as they may be infected and you will have to start all over again with wiping everything clean. Only backup files that are not targeted types by Virut.
    As to the previous question about reinfection and CA Antivirus scans, there again the drive(s) need to be completely wiped clean before attempting to install Windows again. As I mentioned before, a deletion of ALL partitions and recreation of them before formatting to NTFS/FAT32 and Windows installation is done. Also, AV scans can only make things worse if the program being used doesn’t have real-time scanning enabled as files that are accessed by the scan can become infected faster as they are being called into the API. Doing any online scans is also ill-advised as other malware can be downloaded by Virut when an infected machine is connected to the internet. Firewalls can help prevent this, but keep in mind Virut also attempts to kill firewalls, leaving you wide open to more downloads or even remote access to your machine through the virus’s IRC bot feature. Keep in mind while there are tools out there that are designed to remove Virut, they will not work on every version of the virus as there are many variants and the latest ones have had more layers of encryption added to them, making them more difficult to detect and clean. Even if infected programs (MSN Messenger for example, any user installed software) are deleted as are files created by Virut (other malware and the .tmp.exe files it creates), the infection will almost certainly still remain as it’s first moves after infection are to attach itself to system critical files that cannot be deleted by AV scanners. As much as I hate to say it, at this point the best solution to getting rid of Virut infections is a total hard drive wipe and starting over. 
If you have another computer you can use for now and you are a strong believer in miracles, you can try waiting out on Microsoft/AV companies to see if in the future they figure out a removal/repair method and leave your infected machine off as much as possible to prevent further infection and destruction of Windows (eventually Virut will make windows inaccessable in most cases).
    I hope I cleared up a few questions asked on this forum. To anyone infected and reading this, I feel your pain as my main computer is currently infected. I’ve backed up files I don’t want to lose and disconnected it from the internet and have been trying many unconventional methods of removal as I have nothing to lose on that computer anymore. I doubt I’ll be successful in removing it completely, but I figured I’d try anyway. It took a lot of out of the box thinking to create this nasty virus and it will take the same to kill it.

  36. lekan said,

    May 14, 2009 @ 5:34 pm

    FOUND A SOLUTION THAT WORKED FOR ME. I still can’t believe that all of these big guys, Norton, CA and the rest, cannot provide a simple removal of a virus that was created by a single hacker. It’s really a big shame on Microsoft and these big guys if all EXE files that run on Windows can be modified easily by this virus, which means Windows is not safe. Please, before you go ahead with these simple instructions that helped me remove the virus completely from my PC: copy all your important files and back them up on removable media, be it a flash disk or an external hard drive. Do not run any scan with any antivirus program at this moment as you might risk infecting more files. Uninstall your antivirus from your PC as the scanning will corrupt more files. Once you are done backing up your files, unplug or disconnect from the internet. I must tell you that it’s only Avira that can remove this virus. I have reinstalled Windows more than 10 times and my PC kept getting infected after I connected my external hard drive, which contained my backup files, after fully reformatting my PC and updating my antivirus. So it’s very useless paying for a subscription for antivirus software if they cannot protect or clean your PC. A free Avira was able to clean what paid versions of AVG, Kaspersky and CA could not clean. The worst out of the 3 antivirus programs was CA, which got disabled automatically after rebooting with my external hard drive connected. Here are the simple instructions; you don’t have to reformat your PC:

    Download Dr.Web CureIt (Free)
    Avira AntiVir (Free)
    Win XP (if you’re not reformatting, which means the damage is not too much)

    Keep these two files on clean storage media and make sure you download them from a computer that is not infected with this virus. Write them to a CD or a flash drive that can be locked (read-only) so that the files are not corrupted.

    After backing up your important files, do a reformat. Not the quick one but a full reformat. Once done with reformatting, or if you feel you don’t want to reformat your PC, you can now run DrWebCureIt and let it run to remove the virus from memory. Now right-click on My Computer and click on Properties, select System Restore and turn it off. After that is done, press F9 and File Type and click on User Masks, add .exe to it and uncheck Files in Archives, apply and click OK and run the scan. Let DrWebCureIt cure the files and delete the ones that cannot be cured. After the scan, restart in Safe Mode and scan with DrWebCureIt. Run Windows normally and run DrWebCureIt again following the same procedure. After the 3rd scan install Avira and run a scan with it. You don’t have to update it. After the scan with Avira, restart again in Safe Mode and run another scan with Avira. Then run Windows normally, update Avira and run another scan. After the scan is done and Windows is clean, connect your external or backup drive. DO NOT RUN OR TRY TO OPEN THE EXTERNAL DRIVE. Scan all the drives with Avira. If some Windows files are corrupted or missing you can now go to Start -> Run, type: sfc /scannow

    And that’s all.

    Step by Step
    (1) Download Dr.Web CureIt (Free)
    (2) Avira AntiVir (Free)
    (3) Win XP (if you’re not reformatting, which means the damage is not too much)
    (4) Run DrWebCureIt (normal Windows) to check for the virus in memory
    (5) Disable System Restore
    (6) Run DrWebCureIt (normal Windows) full scan
    (7) Run DrWebCureIt (Safe Mode) full scan
    (8) Install Avira and run Avira (normal Windows)
    (9) Run Avira (Safe Mode)
    (10) Update and run Avira again (normal Windows)
    (11) Connect your backup drives and run a scan

    Please, if this helps you, post a comment back to help others. I have been battling this virus for a week now.

  37. Chris F said,

    June 12, 2009 @ 3:20 pm

    I have an even easier fix for Virut. Back up important documents and do a fresh install of Windows. Microsoft has made Windows so disposable, it’s almost easier to reformat and reinstall than it is to repair. Especially when you are fighting a nasty worm.

  38. lekan said,

    June 23, 2009 @ 3:48 pm

    What about infected backup documents? They end up reinfecting Windows.

  39. blues said,

    July 6, 2009 @ 11:09 am

    I’ve managed to clean my machine.
    Bart-PE with various anti-virus solutions failed, the Symantec removal tool failed, Dr Web failed. Another weekend lost. The cure is below:
    – Switch off System Restore.
    – Download the Avira boot disk (Linux based, with their anti-virus), and run a scan from this (found 1600 files).
    – Boot from the XP disk into the Windows console, do fixmbr and fixboot.
    – Re-load Windows (I did a clean install). Means I have all my clean files though.
    – Re-run both Symantec and AVG anti-virus (found nothing with either).

    Good luck!

  40. jambangracun said,

    July 12, 2009 @ 5:16 pm

    huuuuufff……… thanks a lot…….
    I’ve been hopeless and helpless for 2 weeks.
    Thanks again

  41. Andry said,

    July 17, 2009 @ 7:52 am

    I managed to fix a few computers infected by VIRTOB with BitDefender, but you must have a clean computer running BitDefender and scan the infected hard drive on that computer. You might need to do an in-place repair of Windows after the scan. BITDEFENDER rocks because it disinfects the files instead of deleting them or moving them to the quarantine.

    Peace

  42. Gary Osterholt said,

    August 1, 2009 @ 5:30 am

    What’s the best way to get the virus off an external hard drive that has the virus on it?

    Thanks
    Gary

  43. Jin kazuma said,

    August 5, 2009 @ 10:01 am

    I did exactly as you said; now my computer won’t log on. When I log on it says it’s missing Windows components and just restarts.

  44. JsBc said,

    September 4, 2009 @ 4:50 am

    I really need some quick help here please. I’ve got this awful virus. Does this work if I have Vista installed on the infected PC? I don’t know if Bart’s PE will work; if not, is there something for Vista? Thanks

  45. Steven said,

    September 14, 2009 @ 4:08 pm

    This will fix the Virut virus, and you will need to install a 2nd Windows on a separate partition if you don’t already have it (dw if you don’t want it afterwards, just remove it).

    1. Go to a proxy site, then from there go to the AVG site to download their Virut remover; put this in your C drive
    2. Run msconfig
    3. Change Boot tab to safe boot & alternate shell (doesn’t load Explorer and leaves it free to repair)
    4. Reboot
    5. When at the DOS box type “cd c:\”
    6. Type “rmvirut (all your drive letters, i.e. C:\ D:\ etc)”
    7. Let it run through.
    8. Scan any folder it finds the Virut in again
    9. Then scan all your Windows folders (depends on how many multiboots you have, and it pays to have at least 2 with this virus)
    10. Lastly scan C:\windows\explorer.exe (the evil heart of the virus)
    11. Then type msconfig
    12. Change Boot tab to remove safe boot
    13. Reboot
    14. Then boot into another boot of Windows and open cmd.exe; scan everything again paying particular attention to folders with the virus in it

    All done, can now go to antivirus & Microsoft websites.

    PS I don’t deserve credit for this; my mate found/tweaked this fix in the 1st place and I just tweaked it a bit further to help out the noobs.

  46. simon said,

    October 17, 2009 @ 10:40 pm

    Hi all

    For the last week I have been dealing with this Virut and what a nightmare it has been. Previously decided to follow a sequence of anti-virus programs… 1. Malwarebytes, 2. SuperAntiSpyware, 3. ComboFix, 4. RootRepeal, 5. MGtools. All free downloads. 1 and 2 went OK but when I got to installing 3 it informed me the Virut had infected the setup file. So here I am about to try the advice on this page. Normally I would just format and carry on but it is not my computer and there is a lot of personal programs and data. Fingers crossed, will let you know of progress. Learning a lot!!!!!!

    PS. This virus was originally downloaded as a Heur virus I believe.

  47. jim said,

    October 24, 2009 @ 1:52 am

    I found TRUE information here: http://www.jeann2.com/blog/index.php?post_id=154
    The article does not advertise any AV; I believe this guy is fighting against it.
    One good point I did not find on any other site: he proved the virus self-installed in the master boot record.

  48. Win32 Virtob/Virut removal « Klikdids' Blog said,

    April 3, 2010 @ 3:31 am

    [...] http://hm2k.com [...]

  49. P*ssed off Teenager said,

    April 7, 2010 @ 9:09 am

    GUYSS hello.
    Basically, I have the same problem with my brother’s computer – I tried to download a PC game from an internet site. [yesterday.]
    Once the file had finished downloading, the computer immediately detected it, and shut off, with a warning screen. Turning the computer back on, I realised something was wrong when three links to porno sites had shown up on the computer. I deleted them, and the file that I originally downloaded, emptied the recycle bin, and hoped it ended at that.
    However, this morning, my brother told me the links had returned to his desktop. I ran a system scan, and yes, the computer detected several different viruses, but said I had to PAY TO ACTIVATE THE SCANNER. SO I COULD NOT REMOVE THE VIRUS. Or malware, whatever the heck they are. Now, for some reason, I cannot open Internet Explorer on the computer anymore, so either it’s been moved, removed, or infected.
    The virus had five parts to it, and I could delete the first four, but that left me with one which I could not access, because ‘the file was in use’. Someone mentioned that there are multiple instances – they are correct. They were named VT_1, VT_2 …
    I’m actually really annoyed, I cannot get rid of this virus and I cannot download any virus scanner because Internet Explorer is gone.
    HELP.

  50. Blakey said,

    April 18, 2010 @ 8:27 pm

    BIG BRAINS WANTED:
    Please, if you are a super smart geek, please help me find a way to use windbg.exe (Microsoft file via FilesTube) to reset the Kernel.
    Win32 VIRUT patches the Kernel (IMO), and this makes it impossible to delete/fix. Help us use a Kernel Debugger and prevent this evil crap fuck of a patching virus from repatching our Kernel on every reboot.

    To find WinDbg.exe: Google ” Filestube WinDbg_20v6.6.07.5.exe” – to download a legit copy of MicroSoft’s WinDbg Kernel Debugger.

    Questions I have are:
    In WinDbg.exe, I will use the command ‘!chkimg -f nt’, without quotes,
    and need to know if symbols are required for this action. Symbols are data sets for the debugger, and are like 650 MB.
    Are they needed for a !chkimg command?

    Is there a way to run WinDbg.exe in DOS before WinXP boots up? If so, How?

    You see, I know a lot, but I’m also missing basic PC programming fundamentals. HELP US!!!
    I KNOW THIS WILL WORK, I JUST DON’T KNOW HOW TO IMPLEMENT THE PROCEDURES.

    REFORMATTING IS NOT AN OPTION, IT’S FAILURE!
    HELP US BRAINIACS!!!!
    Nerds Unite!

    Blakey

  51. Demonwolf said,

    June 2, 2010 @ 6:49 am

    Hey all.

    I am a network admin at two schools. Schools prove to be extremely difficult to handle because we all know what young students are like, they don’t want to read a virus warning and go ahead anyway because they want the program they created at home to run and show their friends. Virtob/Virut have proven to be a formidable nightmare to deal with. Especially when coupled with a Mabezat infection that creates .exe duplicates of itself, even over networks.

    But I have found a solution. I use Hiren 10.4 and boot into the MiniXP. It boots pretty quickly and works like a charm. With the MiniXP, I run Dr. Web (Included on Hiren) and it clears out the majority of the infections. Then I enable the network shares with the useful network function on the desktop. Then I connect into the PC using the c$ network share (preferably from a notebook directly to the infected PC through LAN) and do a full scan with an up-to-date antivirus. I used BitDefender 2010. This finds a few more infections but clears 99% of them and asks what to do with the other 1% if there are any. Generally deleting them isn’t an issue because of what I plan next.

    Once I have checked through everything, I do a Windows XP Repair to fix and/or replace damaged files. Thereafter, I ensure that BitDefender Client Security is updated to the newest version (which includes a forced USB scan WMI script that is amazing) and that it has been set up correctly. Then it is just a case of repairing a few installations of applications (Nero, Pastel, Office) and all works wonderfully again.

    The catch comes in that you have to make 100% sure the computer is clean before reattaching it to a network. If any PC on the network has even one infection of either, you have to redo the entire network within 48 hours. If you work for schools, use school holidays to your advantage. 4-5 hours at each machine generally works beautifully. If you have multiple machines that are almost identical, Hiren does have cloning software.

    Recap:
    1) Hiren 10.4 (One released each month so it might be on 10.6 now. Newer is generally better)
    2) MiniXP
    3) Dr. Web full scan
    4) Enable Network in MiniXP
    5) Scan remotely with updated decent antivirus (BitDefender, Kaspersky. Norton is NOT decent)
    6) Repair Windows
    7) Check Antivirus and Firewall installed correctly and up to date
    8) Repair any applications that won’t work
    9) Attach to clean network

    And it is that simple.

    I hope this alternative helps some people. It couples together many of the various other ideas on the website above and I have had a 90% success rate with most virus infections, not just Virtob/Virut or Mabezat.

    One last thing to watch out for: one of the telltale signs you have a serious problem is that when logging in, before you get to a desktop, it logs you back out. This is a problem with the registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\UserInit should read “C:\WINDOWS\system32\userinit.exe,” without quotes) and/or the userinit.exe file in %systemroot%\System32. If someone manages to log in but doesn’t get icons and the start bar, Explorer.exe and/or Explorer.scf are corrupt. You might also want to check the Shell entry under the same key of the registry above. It should read “Explorer.exe” without quotes.
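The Userinit/Shell check described in the comment above, written out as an added example (not the commenter’s own script): it reads the Winlogon values, compares them with the defaults the comment names, and confirms the files they point to exist. It assumes the default locations under %SystemRoot% and an elevated PowerShell prompt.

```powershell
# Added example: audit the Winlogon entries that a login loop points to.
# Assumes default Windows paths; run from an elevated PowerShell prompt.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected values from the comment above; the trailing comma on Userinit is normal.
$expected = @{
    Userinit = (Join-Path $env:SystemRoot 'System32\userinit.exe') + ','
    Shell    = 'Explorer.exe'
}

# Files the two entries rely on (explorer.exe lives in %SystemRoot%, not System32).
$requiredFiles = @(
    (Join-Path $env:SystemRoot 'System32\userinit.exe'),
    (Join-Path $env:SystemRoot 'explorer.exe')
)

function Test-WinlogonEntries {
    $props = Get-ItemProperty -Path $winlogon
    $problems = @()

    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            $problems += "$name is missing from $winlogon"
        }
        elseif ($actual -ine $expected[$name]) {
            # Anything after the comma in Userinit is an extra program started
            # at logon; a changed Shell replaces the desktop entirely.
            $problems += "$name is '$actual' (expected '$($expected[$name])')"
        }
    }

    foreach ($path in $requiredFiles) {
        if (-not (Test-Path -Path $path)) {
            $problems += "$path is missing"
        }
    }

    return $problems
}

$findings = @(Test-WinlogonEntries)
if ($findings.Count -eq 0) {
    Write-Output 'Winlogon Userinit/Shell entries and their files look normal.'
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A match on these values does not prove the files themselves are clean; it only rules out the registry cause of the logout loop the comment describes, so a scan of the two files still follows.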
