Win32 Virtob/Virut removal
Today I got handed a machine riddled with a virus that avast! detects as “Win32 Virtob”, also known as “Win32 Virut”.
Virtob is a worm that spreads around your system on the back of executable files (.exe and .scr). Once the virus is running in system memory, every executable you run after that is infected in turn.
Once a system is infected it becomes very difficult to remove.
I discovered the system was infected with this worm when I installed avast! on it. Avast! soon identified the virus in the infected files and offered me a choice to repair, delete or move to chest.
I very quickly found that “repair” never worked; deleting was a bad choice because the infected files could be system executables that are needed, so “move to chest” would be just as bad.
I had to find another approach.
There were two options: I learned that Dr Web CureIt was able to “cure” the files, and I was also told that AVG offered a Virut Removal Tool.
- Download the above files (on a clean system).
- Create a boot CD using Bart’s PE Builder, or download miniPE (on a clean system), and put the tools on the CD or on a memory stick (preferably read-only).
- Reboot from the CD.
- Run the downloaded software against the infected hard drives.
Once the system is disinfected, reboot normally, then:
- Go to Start -> Run and type: sfc /scannow
- Note: This may require your Windows CD, or an i386 directory.
- Run a full system scan using at least two up-to-date antivirus applications. (List of antivirus software)
- Reinstall any software that appears to be corrupt or missing.
- Ensure your Windows updates are up to date (especially make sure you have this one).
- I also recommend deleting your “Temporary Internet Files” and all content from your %tmp% directory.
Hey all.
I am a network admin at two schools. Schools prove to be extremely difficult to handle because we all know what young students are like, they don’t want to read a virus warning and go ahead anyway because they want the program they created at home to run and show their friends. Virtob/Virut have proven to be a formidable nightmare to deal with. Especially when coupled with a Mabezat infection that creates .exe duplicates of itself, even over networks.
But I have found a solution. I use Hiren 10.4 and boot into the MiniXP. It boots pretty quickly and works like a charm. With the MiniXP, I run Dr. Web (Included on Hiren) and it clears out the majority of the infections. Then I enable the network shares with the useful network function on the desktop. Then I connect into the PC using the c$ network share (preferably from a notebook directly to the infected PC through LAN) and do a full scan with an up-to-date antivirus. I used BitDefender 2010. This finds a few more infections but clears 99% of them and asks what to do with the other 1% if there are any. Generally deleting them isn’t an issue because of what I plan next.
Once I have checked through everything, I do a Windows XP Repair to fix and/or replace damaged files. Thereafter, I ensure the BitDefender Client Security is updated to the newest version (which includes a forced USB scan WMI script that is amazing) and that it has been set up correctly. Then it is just a case of repairing a few installations of applications (Nero, Pastel, Office) and all works wonderfully again.
The catch comes in that you have to make 100% sure the computer is clean before reattaching it to a network. If any PC on the network has even one infection of either, you have to redo the entire network within 48 hours. If you work for schools, use school holidays to your advantage. 4-5 hours at each machine generally works beautifully. If you have multiple machines that are almost identical, Hiren does have cloning software.
Recap:
1) Hiren 10.4 (One released each month so it might be on 10.6 now. Newer is generally better)
2) MiniXP
3) Dr. Web full scan
4) Enable Network in MiniXP
5) Scan remotely with updated decent antivirus (BitDefender, Kaspersky. Norton is NOT decent)
6) Repair Windows
7) Check Antivirus and Firewall installed correctly and up to date
8) Repair any applications that won’t work
9) Attach to clean network
And it is that simple.
I hope this alternative helps some people. It couples together many of the various other ideas on the website above and I have had a 90% success rate with most virus infections, not just Virtob/Virut or Mabezat.
One last thing to watch out for: one of the telltale signs you have a serious problem is that when logging in, before you get to a desktop it logs you back out. This is a problem with the registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\UserInit should read “C:\WINDOWS\system32\userinit.exe,” without quotes) and/or the userinit.exe file in %systemroot%\System32. If someone manages to log in but doesn’t get icons or a start bar, Explorer.exe and/or Explorer.scf are corrupt. You might also want to check the Shell entry under the same key of the registry above. It should read “Explorer.exe” without quotes.
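The Winlogon registry and file checks described in the comment above, written up as an added PowerShell example (not the commenter's own script). It assumes an XP-era layout, takes the expected Userinit and Shell values verbatim from the comment, and additionally reports any extra comma-separated entries in Userinit, since each of those is a program launched at logon.

```powershell
# Added example, not from the original post or the comment above. Reads the two
# Winlogon values the comment names, compares them with the values the comment
# says they should hold, and confirms the files they point at exist.
# Assumptions: run as Administrator on the repaired machine; expected Userinit
# string is the XP-era path from the comment, compared case-insensitively.
function Test-WinlogonEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = [ordered]@{
        Userinit = 'C:\WINDOWS\system32\userinit.exe,'
        Shell    = 'Explorer.exe'
    }
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    foreach ($name in $expected.Keys) {
        $actual = [string]$props.$name
        # Every extra comma-separated entry in Userinit is launched at logon,
        # so list them rather than only reporting a mismatch.
        $extras = @()
        if ($name -eq 'Userinit') {
            $extras = @(($actual -split ',') |
                Where-Object { $_.Trim() -ne '' } |
                Select-Object -Skip 1)
        }
        [pscustomobject]@{
            Value      = $name
            Expected   = $expected[$name]
            Actual     = $actual
            Matches    = ($actual.Trim() -ieq $expected[$name])
            ExtraItems = ($extras -join ',')
        }
    }

    # The comment also points at the files themselves: a missing or damaged
    # userinit.exe produces the same login/logout loop.
    $files = @(
        (Join-Path $env:SystemRoot 'System32\userinit.exe'),
        (Join-Path $env:SystemRoot 'explorer.exe')
    )
    foreach ($f in $files) {
        [pscustomobject]@{
            Value      = 'File'
            Expected   = 'present'
            Actual     = $f
            Matches    = (Test-Path -LiteralPath $f -PathType Leaf)
            ExtraItems = ''
        }
    }
}

Test-WinlogonEntries | Format-Table -AutoSize
```

Any row with Matches = False, or a non-empty ExtraItems column, is worth inspecting before the machine goes back on the network.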