Win32 Virtob/Virut removal
Today I got handed a machine riddled with a virus that avast! detects as “Win32 Virtob”, also known as “Win32 Virut”.
Virtob is a worm that spreads through your system by infecting executable files (.exe and .scr). Once the virus is resident in system memory, every executable you run after that is infected in turn.
Once a system is infected it becomes very difficult to remove.
I discovered the infection when I installed avast! on the system. Avast! soon identified the virus in the infected files and offered a choice to repair, delete or move to chest.
I very quickly found that “repair” never worked; delete was a bad choice because the infected files could be system executables that are needed, and for the same reason move to chest would also be a bad choice.
I had to find another approach.
There were two options: I learned that Dr Web CureIT was able to “cure” the files, and I was also told that AVG offered a Virut Removal Tool.
- Download the above files (on a clean system).
- Create a boot CD using Bart’s PE Builder, or download miniPE (on a clean system), and put the downloaded tools on the CD or on a memory stick (preferably read-only).
- Reboot into the CD.
- Run the downloaded software against the infected hard drives.
Once the system is disinfected, reboot normally, then:
- Go to Start -> Run and type: sfc /scannow
- Note: This may require your Windows CD, or an i386 directory.
- Run a full system scan using at least two up-to-date antivirus applications. (List of antivirus software)
- Reinstall any software that appears to be corrupt or missing.
- Ensure your Windows updates are up to date (especially ensure you have this one).
- I also recommend you delete your “Temporary Internet Files” and delete all content from your %tmp% directory.
René said,
December 3, 2007 @ 10:34 am
Hi
How do I get rid of the virus win32.virtob?
I have read all that on this site, and I can’t delete the virus.
I don’t know what to do anymore. I have tried several times booting my Windows and every time I finished reinstalling Windows the virus is coming back.
Can anyone help me? Please.
Send a message to my e-mail.
>René
Paul Derbyshire said,
January 8, 2008 @ 8:10 pm
– Just for info for other people finding this —
Dr Web CureIT worked for me whereas the AVG removal tool did not.
Also instead of using BartPE an alternative way to do this is to take out the hard drive from the infected machine and connect it to another computer. From there you can scan it with your own AV software knowing that none of the potentially infected files are in use and therefore unfixable.
To the website creator:
Great site and many thanks. How the feck do you get the time to fix stuff AND do this?
Paul
Alpha PC
Chris said,
January 23, 2008 @ 6:43 am
It worked beautifully, the BartPE and CureIT combo, thanks a lot!!!!!
Bernd said,
February 26, 2008 @ 9:47 am
I also got infected by doing a “dumb” thing … executing some weird file coming from a weird source on my home system.
AVG, Avira and other scanners found some of the Virtob/Virut variants but only did their “rename/move” or “quarantining” things.
Dr. Web’s “CureIT” did a great job instead, also for my system. Most of the files (except those with the newest variants) reappear clean after a full volume scan.
In that respect the Virtob/Virut infection is easy to identify, since the virus attaches itself into empty spaces at the end of the executables (in most cases) and redirects the entry vector to itself; the ending vector of the viral code then points to the original entry of the host executable.
Because there are many variants around, it is recommended to re-scan a previously infected system, even one already cleaned up with tools, repeatedly from time to time, as post-cleaning detections are possible due to continued signature updates for the scanners as well as for the cleaning tools.
My tips are: keep installed virus scanners, anti-spyware and anti-malware programs updated daily if possible.
A non-updated scanner is like a nonexistent scanner, running out of date very quickly and just consuming system time for no reason.
(Against new infections appearing after the last update there won’t be any protection.)
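Bernd’s description above (viral code appended at the end of the executable, entry point redirected into it, then a jump back to the original entry) is the classic file-infector layout, and it is exactly what a quick triage heuristic can look for: an entry point that lands in the last section, or in a section that is writable and executable at the same time. The script below is an added example written for this post, not a tool from the post or from any of the products mentioned; it parses the PE headers by hand (no third-party modules), and the two sample images it checks are constructed in-line from synthetic headers with no real code in them.

```python
import struct
import sys
from collections import namedtuple

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = namedtuple("Section", "name vaddr vsize rawsize rawptr chars")


def parse_pe(data):
    """Parse the headers of a PE image and return (entry_rva, [Section, ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header starts after 'PE\0\0'
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size                   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append(Section(name, vaddr, vsize, rawsize, rawptr, chars))
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic checks on where the entry point lands. Returns a list of findings (empty = nothing odd)."""
    entry_rva, sections = parse_pe(data)
    findings = []
    home = None
    for i, s in enumerate(sections):
        if s.vaddr <= entry_rva < s.vaddr + max(s.vsize, s.rawsize):
            home = i
            break
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    s = sections[home]
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point in last section '%s' (appended-code pattern)" % s.name)
    if s.chars & IMAGE_SCN_MEM_WRITE and s.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section '%s' is both writable and executable" % s.name)
    if not s.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section '%s' is not marked executable" % s.name)
    return findings


def build_pe(entry_rva, sections):
    """Construct a minimal PE32 image (headers only, no code) so the checks can be exercised offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    opt_size = 96                                               # PE32 optional header, no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b""
    for name, vaddr, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples (synthetic headers, not real binaries):
# a normal layout with the entry point in .text ...
CLEAN_SAMPLE = build_pe(0x1010, [
    (".text", 0x1000, 0x2000, 0x60000020),   # code: executable + readable
    (".data", 0x3000, 0x1000, 0xC0000040),   # data: readable + writable
])
# ... and the appended-code layout Bernd describes: entry point moved into the last
# section, which has been made executable on top of writable.
SUSPECT_SAMPLE = build_pe(0x3800, [
    (".text", 0x1000, 0x2000, 0x60000020),
    (".data", 0x3000, 0x1000, 0xE0000040),
])


def scan_file(path):
    """Return the findings for one on-disk executable."""
    with open(path, "rb") as fh:
        return entry_point_findings(fh.read())


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        print(path, scan_file(path) or "no findings")
```

Run it as `python pe_entry_check.py C:\path\to\*.exe` (the file name is an assumption) to list files whose entry point looks displaced. Treat the output as a triage list, not a verdict: packers and some compilers legitimately place the entry point in the last section, and a clean result does not prove a file is uninfected. Disinfection itself should still be done with a signature-based cleaner from clean boot media, as the post describes.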
J.W. Bush said,
March 15, 2008 @ 6:49 am
Thanks GOD.. you publish this paper.. All Americans will be thankful to you! DON’T FORGET to vote OBAMA!
sure-blophy said,
May 10, 2008 @ 8:05 pm
Last year I used Dr CureIt to get rid of w32.virut.w. I had to scan several times to do this because w32v would move around, I guess. This last month I made the mistake of downloading Google’s free antispyware (Norton) etc. Guess what? My PC was immediately infected with w32v. This showed up on the first scan. On the second scan about 5 more showed up and were eliminated, but one of the w32v resisted being deleted or wiped off.
I almost believe that Norton did this deliberately, i.e., introduced w32v, to motivate the user to buy their non-free anti-spyware.
ANYWAY, AS YOU MIGHT GUESS, DR. CURE-IT WAS UNABLE TO GET RID OF IT … EVEN A NEWLY UPDATED ONE!!!
If you know what to do besides reformatting my HD, please let me know.
TIA ;=)
Meanwhile I’m going to download an update of Dr CureIt again and re-scan.
akk234 said,
May 13, 2008 @ 6:52 am
I am no geek and could not exactly follow the steps.
It will be very kind of you to just elaborate the steps a bit more.
I really appreciate your effort but I am sorry I have to ask you for a little more effort.
Hope to get a reply soon.
hm2k said,
May 13, 2008 @ 7:28 am
Which part did you find difficult to follow?
silu said,
July 22, 2008 @ 6:54 am
My PC was going pretty fine till yesterday. Then suddenly a toolbar came onto the screen saying that the system will be shut down in 15 mins. BitDefender is saying it’s a win32.virtob virus. I haven’t got an updated version. I am gonna try this out. Meanwhile I am using the PC in safe mode. Don’t know what to do. Some people told me that the virus would defragment the hard drive, leading to its crash. Can you give a suggestion as to what to do?