Virut is a patching virus. This means that Virut injects malicious code into your computer's existing executable programs (.exe's and .scr's). The malicious code can be used to do anything; it's up to the malware author.
The problem with Virut lies in the quality of the code…it's very buggy and can cause programs to run extremely slowly and crash randomly. The longer Virut is present on your computer, the more exe's it will infect.
If you’ve been infected with W32.Virut then you’ve probably been told that the only way to get rid of Virut completely is to reformat your PC. This is simply NOT TRUE!
It's true that this is the easiest way, but what if you can't reformat (as in your client says NO WAY!!!)? Do you just say "Sorry Sir, Have A Nice Day"? You won't hear that from me; I just can't say no to my clients (I need the money).
Anyway, here is how you can get rid of W32.Virut using free software. Please keep in mind that the technique I'll be teaching you below gets rid of Virut and lots of other nasties that usually go hand in hand with it.
Download sources:
Relevant Articles that can help you complete the steps listed below are:
Step By Step Instructions for cleaning Virut without having to reformat the target PC.
1. On a computer NOT infected with Virut, download Ultimate Boot CD 4 Win (version 3.50 or higher) from ubcd4win.com.
2. Install UBCD4WIN to a new folder (c:\ubcd4win35 for example).
3. Download Dr. Web's CureIT and save it to c:\DrWeb (or whatever folder you want).
4. Launch the UBCD4Win PE Builder and configure the plugins you'd like to use. I suggest Avira 9 and SAS (click the config button to update them).
5. For the custom directory choose the folder that contains your Dr. Web CureIT (launch.exe). Your PE Builder window should look like the one below: Source contains all the files from your Windows XP disc, Custom contains the folder with Dr. Web's launch.exe, Output should be BartPE, and Media output can be whatever path and filename you want for the .iso.
6. Burn the .iso you just created in step 5 to a DVD or CD. (how to burn an .iso)
7. Boot your computer from the UBCD4WIN disc that you just burned in step 6. (how to boot a computer from a bootable disc)
8. Once you're booted into the UBCD4WIN environment, open My Computer, explore your CD/DVD, double-click your Dr. Web folder, then double-click Launch.exe.
9. Once Dr. Web starts it will want to do a quick scan. You can cancel this once it starts (by clicking the stop button on the right). Check the settings below and start scanning. Be prepared to wait A LONG time. Once Virut is found, Dr. Web will ask you what you want to do. Select "Cure All".
10. Dr. Web will probably find a lot of other infections. As long as they are not Windows system files you can probably just delete them. I know, I know…"but Matt…how do I know if it's a legit Windows system file"….Google is your friend, research it. Just right-click the file and click Properties. If the file does NOT have a Version tab there is a really great chance it's NOT legit. Also, if you think a file is suspicious, upload it to Virustotal.com for analysis (requires an internet connection in the UBCD4WIN environment).
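The "no Version tab" check in step 10 and the VirusTotal lookup can be done in bulk instead of file by file. The script below is an added example, not part of the original tutorial; it assumes the cleaned drive is attached read-only to a clean machine with PowerShell 4 or later (here as D:) and that a report path under %TEMP% is acceptable. It also adds a check the tutorial does not mention: a signed executable whose Authenticode hash no longer matches was modified after signing, which is exactly what a patching virus does to its hosts.

```powershell
# Added triage helper (not from the original tutorial). Assumes the infected volume
# is mounted read-only on a clean machine with PowerShell 4+ (assumed drive D:).
# It automates the step-10 checks: flag executables with no version resource
# (the "no Version tab" heuristic), flag signed files whose Authenticode hash no
# longer matches (the file changed after signing), and print a SHA-256 so a
# suspicious file can be looked up on VirusTotal without uploading it first.
param(
    [string]$Root   = 'D:\',                          # assumed mount point of the drive
    [string]$Report = "$env:TEMP\virut-triage.csv"    # assumed output path
)

$results = Get-ChildItem -Path $Root -Recurse -Include *.exe, *.scr -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi  = $_.VersionInfo                                   # what the Version tab shows
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $hasVersion = -not [string]::IsNullOrWhiteSpace($vi.FileVersion) -or
                      -not [string]::IsNullOrWhiteSpace($vi.ProductName)

        # Caveat: a patching virus leaves the host's version info intact, so
        # "no version resource" catches dropped files, not patched ones. Only the
        # HashMismatch check can point at a patched binary that used to be signed;
        # unsigned files (most XP-era system files) get no verdict from it.
        $reasons = @()
        if (-not $hasVersion)                 { $reasons += 'no-version-resource' }
        if ($sig.Status -eq 'HashMismatch')   { $reasons += 'signature-hash-mismatch' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path      = $_.FullName
                Reasons   = ($reasons -join ',')
                SigStatus = $sig.Status
                Company   = $vi.CompanyName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

$results | Sort-Object Reasons, Path | Format-Table -AutoSize
$results | Export-Csv -Path $Report -NoTypeInformation
Write-Host "Flagged $($results.Count) file(s); report written to $Report"
```

Treat a flagged file as something to research, not as proof of infection: plenty of legitimate installers and game updaters ship without version info, which is why the tutorial still says to look the file up before deleting it.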
This concludes my tutorial on how to clean Virut from a PC. I truly hope it helped ya!

…and what if the infected file IS a Windows system file? Also, why Dr. Web Cure-it? Does SAS, MBAM, and Avira not clean virut?
@john
it probably has blocked access to those sites and apps
dr-web is after the ubcd, which removed most super-nasties, enough to let you run another one
@John – if it is a Windows system file Dr Web will mostly disinfect it (cure it). If it cannot be “cured” then you can take note of the file version, delete it and grab a good copy of the file.
SAS, MBAM and Avira tend to do more deleting than cleaning/curing.
Thanks… I was just curious about the promotion of Dr. Web over the other solutions. Some days I really get sick of viruses. I just worked on someone's PC and nothing…AVG, Avira, SAS, MBAM…could find the virus. After hours of research I found the single file that was wreaking havoc! After deleting it, all was perfect. Virus removal services are getting to be way too time consuming to be profitable!
FYI – If you use the Avira Live Linux CD, you can update as well and you don't have to wait for a prompt.
@john I agree about profitability vs time when it comes to malware. We used to be able to remove malware and tune up the computer onsite in about an hour and a half. Now we're seeing new aggressive malware appearing almost weekly. And since it's becoming so difficult for the anti-malwares to catch up, our techs are spending far too much time having to dig around the hard drive for 0-day rootkits. We've implemented a policy now to reformat any infested XP machines. We make more money on reformats anyway because the customer almost never has their data backed up and we charge extra to back up data before the reformat. We still attempt malware removal on Vista machines, however, since the rootkits have a much more difficult time infiltrating those systems.
Matt (malwarekilla) is a great technician, but it’s getting to the point that malware removal on XP’s is becoming academic instead of practical.
@RescueNerds – I agree…kinda.
Almost every client that needs a reformat gets pretty pissy about it. I have a 3 hour rule, meaning that I’ll never charge more than 3 hours.
So, if they need a reformat and windows load it’s 3 hours @ 60/hour.
If they do NOT want a reformat then it’s 3 hours of malware removal at OUR location…I’m not sitting around their house for 3 hours.
You're right about things getting bad…it's getting flat out ugly out there now…of course I'm not complaining
There are some variants of Virut that can't be cured because they just f*** up files with random code (I think .Q is a particularly nasty variant). I use ERD Commander 2007 for XP, which has a 'System File Repair'. Takes like 5 minutes and best of all it actually works….
I contacted Sunbelt Software about removal of W32.Virut: "Run a deep scan in Safe Mode and reboot. If the threat is not removed for any reason please email us here at support@sunbeltsoftware.com so that we can open a support ticket for you, and help get the threat removed from the infected machine." Now that service is priceless.
Most variants (actually all of them) of Virut just can’t be cured in any way, period.
It's just a waste of time trying to fight against it, because after "disinfection" of Virut's code most executables won't work the way they are supposed to (if they work at all…)
And .exe's & .scr's aren't the only filetypes that Virut infects
And there is more: Virut is also a backdoor
Format system-drive, there’s no other way.
Can this way remove the Win32/Sality.Q virus?
@AZLAN96 – sure does (at least for me).
@atanos – guess I’ve just been lucky then.
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
Mieke is one of the highly appreciated fixers who knows what he's talking about, and I've seen a lot of attempts trying to clean Virut with various techniques, and they have all been just good attempts; all of them have ended up with formatting drives.
I'm sorry about this, but this is just the way it is, so no offence
I've seen about 20 Virut infections and have been able to fix all of them apart from 1. The reason that one failed was because I used Kaspersky, which didn't detect that sample but got it as Win32.Genetic.Modification and deleted it.
I can vouch for this. Boot into a pre-installed environment. Let Dr. Web CureIT do its majick…
“Why Dr. Web CureIT and not …”
because the others don't work. Symantec's removal tool is a joke, followed in close second by AVG's removal tool and Avast!'s pre-boot scan. PEs are the only way to get around these kinds of kits. Period.
Truthfully I'd probably just reformat for a client… but on my workstation I've got too much time invested in patches, tweaks, hacks and customizations…it'd take days to rebuild after a format, never mind the chance of pulling over an infected file from backup or an injected html (some strains inject the IFrame exploit into htm and asp/php files as well).
Good article I’m glad someone else is level headed about the threat.
If system exe's or dll's do get mangled during a Cure, it's easy enough to run an in-place repair or sfc /scannow
@junkbox – awesome comment man, thanks for being in agreement.
Hi, I wanted to ask a question about this… I started with UBCD (downloaded and created on a new clean computer) and I ran Dr. Web; the program finds virut.56 infections and starts curing those, but after a couple of hours the program closes without any notice. I don't think this is normal, is it?
thanks!
@Warlock – you booted the PC from the UBCD disc right?
Yes, I found out that the troubling file that made Dr. Web close was an update for Far Cry 2, really weird; I deleted it and it completed the scan with no problems…
The only trouble now is that I enter Windows, install Comodo, let the first scan run (some long hours), and then when I restart Windows, Comodo warns that there's a problem with the firewall configuration; I try activating Windows Firewall and it says that the service can't be started…
Thanks, this does work, but Windows Xp is so screwed up afterwards that it is faster to reload it rather than repair the install.
On the infected computer, when I turn it on, it loops ;-;
It goes from the motherboard profile to the setup, to “Windows is Loading”, to Welcome, then it suddenly goes completely black and asks for the login information. When the correct password (which in this case is nothing) is put in, it goes to the motherboard profile, and continues to setup and so on.
The infected computer is a Windows XP with an ASUS something-X motherboard. (I'm at a different computer right now)
Hello. My laptop has been totally screwed over by win32.virut.
I really want to try your method but I don't have a Windows XP OS disk. Does this mean I won't be able to set up an appropriate bootable disk to tackle Virut?
Thanks for the lesson on how to remove W32.Virut.
I followed your instructions very closely and was easily able to remove Virut using Dr Web running in the pre-installed environment. Using Avira, as you had recommended, detected 708 Trojans and deleted them. Super Anti-Spyware found 2 more patched Trojans and, even more importantly, 3 infected registry entries which needed to be removed.
Running all of these programs again yielded no detections.
The only problem now is the same one that Aaron S. had experienced. That is, now that I try to reboot the PC from the hard disk, I get the Windows XP login dialog box and when I enter my password (which is, exactly like Aaron S., no password), the login process just loops and again asks for a password. Note, my user name appears automatically, but I cannot log in, and normally I do not log in with a password since I am the only one that uses the PC.
Can anyone explain what happened here or what to do to solve this problem? Any help would be greatly appreciated!
Once again, thanks for the rather ingenious solution for the removal of this miserable virus and its associated malware.
You are truly helping make the computing world a better, safer place!
All I wanted to say is my deepest heartfelt thanks to you for the instructions on removing Virut. I've followed all your steps as stated above and all went perfectly well for me. I've been infected by Virut for about six whole months now and I've tried using many MANY anti-virus and anti-spyware programs such as Norton, Spybot, MBAM, Kaspersky, Avira, AVG, Avast… etc but all of them have virtually failed to clean the virus (Virut comes back as VTR5.TMP after a period of time and begins infecting my computer all over again…*sigh*…). I've also tried searching the Internet for months now on how to remove that nasty virus but to no avail. Now thanks to you, my comp is finally free from Virut and all I really wanted to say is that all of the above steps truly work wonders for me in removing Virut once and for all!
Thanks again malwarekilla!