
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1853

How do I clean a system of win32.virut.cf?

I've been running into systems that have been infected with win32.virut.cf. Some systems have been cleanable because they were barely hit, but some systems were not so lucky. Does anyone have a good methodology for cleaning a system? On these systems the following files get infected: services.exe, svchost.exe, explorer.exe, etc. What I did was:

1. Disable System Restore, reboot into Safe Mode.
2. Run Spybot, immunize and clean; use Autoruns to clean up the system and Process Explorer to end anything that may be running.
3. Clean the temp file locations and C:\, C:\windows, C:\windows\system32 and C:\windows\system32\drivers of fake files (I usually sort by the date fields so I can find the newer files and get rid of the suspicious items).

Reboot, and the system is still infected. I've also tried this again but also ran the removal tool for Virut.cf from Symantec. Still infected. I've had it 99% clean and then it starts blue-screening. I've tried sfc /scannow to repair the system files, and a Windows repair. The system is still infected and unstable.

Is the best option a system reinstall? I want to know the best ways to combat spyware. Reinstalls suck to do compared to being able to save a system.

NOTE: Currently I don't have a system to test this on; I'm looking for good suggestions for combating these threats, good guides or best practices, etc.
3 Solutions
Symantec developed a tool here to remove this infection. Give it a try to see if it's successful.

After that I suggest running the below scans also:

Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html. Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps up to the part about posting the log. Post the ComboFix log here.
Virut could be very difficult to remove because this specific variant will infect .exe, .htm, .html, .php, .asp and .scr files (http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=2). If it has affected all the exe files within the Windows OS (and other exes which have been used), then it would be a big job to actually replace each and every file. A re-install might be your easiest option.

Always keep your antivirus and OS files up-to-date, and give all users only the limited access they need to do their work. That might help keep infections to a minimum.
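One triage step that follows from the point above, as an added example that is not code from the thread or from Symantec: a file-infecting virus rewrites the PE image, so a Microsoft system binary whose Authenticode signature no longer verifies, or whose hash differs from the same file on a known-clean install, is a candidate for replacement. It assumes an elevated PowerShell 4 or later prompt (for Get-FileHash), and on older Windows many system files are catalog-signed rather than embedded-signed, so confirm a NotSigned result with sfc /verifyonly or a hash comparison instead of treating it alone as proof of infection.

```powershell
# Added example, not code from the thread: list system executables whose
# Authenticode signature does not verify, plus their SHA-256 so they can be
# compared against the same files on a known-clean install.
$sys = Join-Path $env:SystemRoot 'System32'

# Binaries the thread names as getting infected (constructed starting list)
$targets = @(
    (Join-Path $sys 'services.exe'),
    (Join-Path $sys 'svchost.exe'),
    (Join-Path $env:SystemRoot 'explorer.exe')
)

# Add every executable image under System32 and drivers written in the last
# 7 days; the 7-day window is an assumption, widen it for older infections.
$cutoff = (Get-Date).AddDays(-7)
$targets += Get-ChildItem -Path $sys, (Join-Path $sys 'drivers') -Recurse `
        -Include *.exe, *.dll, *.sys, *.scr -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
    Select-Object -ExpandProperty FullName

$report = $targets | Sort-Object -Unique | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_
    $item = Get-Item -LiteralPath $_
    [pscustomobject]@{
        Path     = $_
        Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified = $item.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash
    }
}

# Anything that is not 'Valid' is a candidate for replacement from clean media
# or for a closer look. Virut also touches .htm/.html/.php/.asp files, which
# this signature check does not cover.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $env:TEMP 'pe-signature-triage.csv') -NoTypeInformation
```

Diff the exported CSV against the same script's output from a clean machine of the same Windows build and patch level; a hash mismatch on a file whose signature still reads Valid usually just means a different patch level, not infection.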
If the system has only just been infected and not many files need to be replaced, then also use Dr.Web CureIt, which is good for removing Virut.

But if the system has been infected for a while, my suggestion is a reformat and reinstall. On a Virut-infected system, even after all scanners come up clean, we still cannot guarantee that the system is virus-free or error-free afterwards. The safest solution (and the quickest) for a Virut-infected system is to reformat and reinstall.

danbnotmeAuthor Commented:
Again, I don't have a system to try this on. But in the future I will try these suggestions and let you know how they work out.

Greyknight, someone else suggested ComboFix before. Is it just a scanner like HijackThis?
ComboFix is a tool that removes the common infections that we've seen. It also displays files that were created recently so we can trace them more easily. It's not a tool we recommend using yourself unless you are familiar with using it.

So in a sense, it's much more powerful than HijackThis. We usually like to see a HijackThis log first as it doesn't make any changes and does give us a general overview of what's currently running.
danbnotmeAuthor Commented:
Thanks for the info!
