Win32 Virtob/Virut removal

Today I got handed a machine riddled with a virus that avast! detects as “Win32 Virtob“, also known as “Win32 Virut“.

Virtob is a worm that spreads around your system on the back of executable files (.exe and .scr). Once the virus is running in system memory, every executable you run after that will consequently be infected with the virus.

Once a system is infected it becomes very difficult to remove.

I discovered the system was infected with this worm when I installed avast! on the system. Avast! soon identified the virus in the infected files, offering me a choice to repair, delete or move to chest.

I very quickly found that “repair” never worked; delete was a bad choice, as the infected files could be system executables that are needed, and for the same reason move to chest would also be a bad choice.

I had to find another approach.

There were two options: I learned that Dr Web CureIT was able to “cure” the files, and I was also told that AVG offered a Virut Removal Tool.

  • Download the above files (on a clean system).
  • Create a boot CD, using Bart’s PE builder, or download miniPE (on a clean system) and put them on the CD
    • or on a memory stick (preferably as read only).
  • Reboot into the CD.
  • Run the downloaded software against the infected hard drives.

Once the system is disinfected reboot normally, then:

  • Go to Start -> Run, type: sfc /scannow
    • Note: This may require your Windows CD, or an i386 directory.
  • Run a full system scan using at least two up-to-date antivirus applications. (List of antivirus software)
  • Reinstall any software that appears to be corrupt or missing.
  • Ensure your Windows updates are up-to-date (especially ensure you have this one).
  • I also recommend you delete your “Temporary Internet Files” and delete all content from your %tmp% directory.

14 Comments »

  1. René said,

    December 3, 2007 @ 10:34 am

    Hi
    how do I get rid of the virus win32.virtob?
    I have read all that on this site, and I can't delete the virus :(
    I don't know what to do anymore. I have tried several times booting my Windows and every time I finished reinstalling Windows the virus is coming back.
    Can anyone help me. Please.
    send msg to my e-mail

    >René

  2. Paul Derbyshire said,

    January 8, 2008 @ 8:10 pm

    – Just for info for other people finding this —

    Dr Web CureIT worked for me whereas the AVG removal tool did not.

    Also instead of using BartPE an alternative way to do this is to take out the hard drive from the infected machine and connect it to another computer. From there you can scan it with your own AV software knowing that none of the potentially infected files are in use and therefore unfixable.

    To the website creator:
    Great site and many thanks. How the feck do you get the time to fix stuff AND do this?
    Paul
    Alpha PC

  3. Chris said,

    January 23, 2008 @ 6:43 am

    It worked beautifully, the BARTPE and CUREIT combo, thanx a lot!!!!!

  4. Bernd said,

    February 26, 2008 @ 9:47 am

    I also got infected by doing a “dumb” thing … executing some weird file coming
    from a weird source on my home system.
    AVG, Avira and other scanners found some of the virtob/Virut variants but only were
    doing their “rename/move” or “quarantining” things.
    Dr. Web’s “CureIT” did a great job instead, also for my system. Most of the files
    (except those with newest variants) reappear clean after a full volume scan.
    Insofar the virtob/virut infection is easy to identify since the virus attaches itself
    into empty spaces at the end of the executables (in most cases) and redirects the
    entry vector to itself, the ending vector of the viral code then points to the original
    entry of the host executable.
    Because there are many variants around, it is recommended to re-scan a
    previously infected system, although even cleaned up with tools, repeatedly,
    from time to time as there are post-cleaning detections possible due to continued
    signature updates by the scanners as well as for cleaning tools.

    My tips are: keep installed virus scanners, Anti Spy- and Anti- Malware programs
    updated daily if possible.
    A non-updated scanner is like a nonexistent scanner running out of date
    very quickly and just consuming system time for no sense.
    (Against new infections appearing after the last update,
    there won’t be any protection).
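Bernd's description above (the virus attaches itself to the end of the executable and redirects the entry point to its own code, which then jumps back to the host's original entry) is the basis of a classic triage heuristic: check where a PE file's AddressOfEntryPoint lands. The following Python script is an added example written for this page, not code from the post, from any commenter, or from the tools mentioned. It parses the PE section table with only the standard library and flags an entry point that sits in the last section, in a section not marked as code, or in a section that is both writable and executable; the `build_pe` and `constructed_samples` helpers fabricate two minimal PE headers (made-up section names, sizes and flags, no real binary) purely so the check has something to run against.

```python
"""Entry-point sanity check for PE executables (added example; heuristic only)."""
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                      # COFF file header, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                          # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    table = opt + size_opt                                   # section table, 40 bytes per entry
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({
            "name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
            "chars": struct.unpack_from("<I", data, off + 36)[0],
        })
    return entry_rva, sections


def entry_point_findings(data):
    """Return tags describing why the entry point looks unusual ([] means nothing odd)."""
    entry_rva, sections = parse_pe(data)
    owner = None
    for idx, sec in enumerate(sections):
        if sec["va"] <= entry_rva < sec["va"] + max(sec["vsize"], sec["raw_size"]):
            owner = idx
            break
    if owner is None:
        return ["entry-outside-sections"]
    sec = sections[owner]
    findings = []
    # Appending infectors put their body in the last section and point the entry there.
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append("entry-in-last-section")
    # Execution should start in a section the linker marked as code.
    if not sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry-in-non-code-section")
    # A section that is both writable and executable is a common side effect of file infectors.
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry-section-writable-and-executable")
    return findings


def build_pe(entry_rva, sections):
    """Build a minimal PE32 header (constructed test data, not a real binary).

    `sections` is a list of (name, virtual_address, size, characteristics).
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)
        for name, va, size, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def constructed_samples():
    """A made-up normal layout and one whose entry points into a writable, executable last section."""
    text = (b".text", 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = (b".data", 0x4000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    rsrc = (b".rsrc", 0x5000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    clean = build_pe(0x1200, [text, data, rsrc])
    hijacked = (b".rsrc", 0x5000, 0x1000, rsrc[3] | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    suspect = build_pe(0x5800, [text, data, hijacked])
    return clean, suspect


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, entry_point_findings(fh.read()) or "no findings")
    else:
        clean, suspect = constructed_samples()
        print("constructed clean  :", entry_point_findings(clean))
        print("constructed suspect:", entry_point_findings(suspect))
```

With file paths on the command line it checks real executables; with none it runs on the constructed headers. A finding is a prompt to scan the file with an up-to-date engine, not proof of infection: legitimately packed binaries (UPX and similar) also put their entry point in the last section, so expect false positives on those.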

  5. J.W. Bush said,

    March 15, 2008 @ 6:49 am

    Thnx GOD.. you published this paper.. All Americans will be thankful to you! DONT FORGET to vote OBAMA!

  6. sure-blophy said,

    May 10, 2008 @ 8:05 pm

    Last year I used Dr Cure-it to get rid of w32.virut.w. Had to scan several times to do this because w32v would move around I guess. This last month I made the mistake of downloading Google's free antispyware (Norton) etc. Guess what? My PC was immediately infected with w32v. This showed up on the first scan. On the second scan about 5 more showed up and were eliminated but one of the w32v resisted being deleted or wiped off.

    I almost believe that Norton did this deliberately, ie, introduce w32v, to motivate the user to buy their non-free anti-spyware.

    ANYWAY AS YOU MIGHT GUESS DR. CURE-IT WAS UNABLE TO GET RID OF IT … EVEN A NEWLY UPDATED ONE!!!

    if you know what to do besides reformatting my HD please let me know.

    TIA ;=)

    Meanwhile I’m going to download an Update of Dr CureIt again and re-scan.

  7. akk234 said,

    May 13, 2008 @ 6:52 am

    i am no geek and could not exactly follow the steps.
    it will be very kind of u to just elaborate the steps a bit more.
    i really appreciate ur effort but i am sorry i have to ask u 4 a little more effort.
    hope to get a reply soon.

  8. hm2k said,

    May 13, 2008 @ 7:28 am

    Which part did you find difficult to follow?

  9. silu said,

    July 22, 2008 @ 6:54 am

    my pc was going pretty fine till yesterday. then suddenly a toolbar came into the screen saying that the system will be shut down in 15 mins. the BitDefender is saying it's a win32.virtob virus. i haven't got an updated version. i am gonna try this out. meanwhile i am using the pc in safe mode. don't know what to do. some people told me that the virus would defragment the hard drive leading to its crash. can you give a suggestion as to what to do

  10. mikkypops said,

    August 16, 2008 @ 11:40 am

    thanks hm2k - i've been looking for a solution to this for days and now the other useful info helps with other things too

    for the people who don't have the computer knowledge, unplug your hard drive from your computer, put it in an external drive or just plug it in on the inside of a non-infected computer, make sure all the antivirus programs are up to date and scan it, especially with the cure-it. then when you plug it back into the original machine, install windows repairing it, then you should be able to install all your other programs
    knowing that there is the possibility you don't have all the programs that are on your computer because the most likely source for this bug is illegal software installations from certain websites and torrents, music downloading included. funny enough that is the easiest way to do it, so hope that could help a little further

  11. Syam said,

    September 18, 2008 @ 5:21 pm

    If you still have the issue, use avast and do a scan at boot time. You will have no option but to delete the exe files affected by the damn thing. Once done use the sfc /scannow and use the XP CD when asked for. This is what i did and it did solve it.
    Avira and avast detect it and warn, I did not pay heed and had to pay a huge price…

  12. joneywalker4u said,

    October 26, 2008 @ 9:41 am

    Thanks man it worked somewhat to cure w32.virut but too many files were infected and symantec antivirus deleted them before I could recover them via cure it.
    Thanks once again.

  13. fekalierex said,

    October 29, 2008 @ 4:01 pm

    i have the same problem. i found that it's very suspicious when many programs that self crc-check won't run. Then i found that my programs after compilation and renaming from .ex_ to .exe grow by about 50 kb. Today i had the idea to check one of the programs with a content comparator. The first file had a non-exe extension and the second was the exe file of the same program. It found 3 differences. One at the beginning of the file (i think it is like a code call procedure used to execute the viral code). The second was in the middle and the last was a big code block that is the actual virus. Some programs work with this append fine, some check crc and won't launch and sometimes (this was on patch-crack programs) can be unrecoverably corrupted (virut.b had problems infecting my gamecam crack so it began growing till it became 2 gb big).
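The content-comparator check fekalierex describes (a clean copy of a program next to the copy that was run on the infected machine, showing a change at the start, one in the middle, and a large block at the end) can be scripted so that every executable on a recovered drive can be compared against a known-good copy. The Python below is an added example by the editor, not code from the post or any commenter. It reports the byte ranges in which two copies differ, treats any bytes beyond the end of the shorter copy as one appended region, and fabricates a pair of byte strings (a made-up 4 KiB "clean" copy and a patched, grown copy, not a real program) that reproduces the three-region pattern the comment describes. The `gap` parameter that merges nearby differences into one region is my addition.

```python
"""Byte-range comparison of two copies of the same program (added example)."""
import sys


def diff_regions(original, current, gap=16):
    """Return [(offset, length), ...] for the ranges where `current` differs from `original`.

    Differences separated by at most `gap` identical bytes are merged into one region.
    Bytes beyond the end of `original` are reported as one trailing region, which is
    how an appended body shows up.
    """
    common = min(len(original), len(current))
    regions = []
    i = 0
    while i < common:
        if original[i] == current[i]:
            i += 1
            continue
        start = last = i
        while i < common:
            if original[i] != current[i]:
                last = i
                i += 1
            elif i - last <= gap:
                i += 1                      # short run of equal bytes inside a patched area
            else:
                break
        regions.append((start, last - start + 1))
    if len(current) > len(original):
        regions.append((len(original), len(current) - len(original)))
    return regions


def summarize(original, current, gap=16):
    """Describe the comparison in the terms the comment uses: growth, count and placement of changes."""
    regions = diff_regions(original, current, gap)
    growth = len(current) - len(original)
    return {
        "size_delta": growth,
        "regions": regions,
        "appended_bytes": growth if growth > 0 else 0,
        "changed_bytes_in_body": sum(n for off, n in regions if off < len(original)),
    }


def constructed_pair():
    """A made-up 4 KiB 'clean' copy and a copy with two in-place patches plus 768 appended bytes."""
    original = bytes(range(256)) * 16
    modified = bytearray(original)
    for off, length in ((0x100, 5), (0x800, 16)):   # constructed patch locations
        for k in range(length):
            modified[off + k] ^= 0xFF               # XOR guarantees every patched byte differs
    modified += b"\x90" * 0x300                      # constructed appended block (filler, not code)
    return original, bytes(modified)


def compare_files(clean_path, suspect_path):
    """Compare two files on disk, e.g. a .ex_ backup against the .exe that was run."""
    with open(clean_path, "rb") as a, open(suspect_path, "rb") as b:
        return summarize(a.read(), b.read())


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = compare_files(sys.argv[1], sys.argv[2])
    else:
        report = summarize(*constructed_pair())
    print("size delta:", report["size_delta"], "bytes")
    for off, n in report["regions"]:
        print(f"differs at 0x{off:08x} for {n} bytes")
```

Given two paths it compares those files; with no arguments it runs on the constructed pair and prints the three regions. A small change near the start plus a large trailing region is exactly the shape an appending infector leaves, but a legitimate update or re-link changes files too, so treat the output as a reason to scan the file, not as a verdict.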

  14. Blacksmith said,

    November 13, 2008 @ 8:47 am

    Alright, I’ve grown extremely frustrated at this point. Considering that the company that sent me my computer did NOT give me a disc of my OS, I pretty much can’t do what you’re saying. As such, would that count as me being fucked? Seriously, I can’t get rid of this damn annoying virus.
