W32.Virut.CF

W32.Virut.CF is a threat that uses advanced techniques to infect a computer. A systematic removal procedure is required to get rid of it.

W32.Virut.CF is a virus that hides itself from antivirus detection and evades the scanning process by using Entry Point Obfuscation (EPO). It modifies the Windows registry to add itself to the start-up items. It also looks for and infects executable files with extensions such as .exe and .scr. In addition, it injects an iframe into the body of web-related files such as .html, .php and .asp, to further compromise the computer and redirect the homepage to unwanted websites.

The W32.Virut.CF file infector can compromise large networks rapidly through unsecured network shares. Of all its variants, W32.Virut.CF is the hardest one to remove, because it uses advanced techniques that older versions are incapable of. The virus attempts to infect almost every executable format available on current Windows systems, so the results of an infection vary from machine to machine, which makes removal more complicated.
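A defender-side check for the iframe injection described above, added here as an example that is not part of the original guide: it walks a set of web files (.html, .php, .asp) and flags iframes that point off-site or are hidden, the two traits an injected frame usually has. The sample file contents, hostnames and the list of legitimate embed hosts are constructed; in real use the file mapping would be read from the web root.

```python
"""Detection check for the iframe injection into web files (.html, .php, .asp)
described in the W32.Virut.CF write-up.  Added example; the sample file
contents and the legitimate host list below are constructed for the demo."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types the write-up names as targets of iframe injection.
WEB_EXTENSIONS = {".html", ".htm", ".php", ".asp"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1 (pixels), e.g. "0", "1", "1px"."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def is_hidden(attrs):
    """Injected frames are usually invisible: zero-size or styled away."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))


def suspicious_iframes(content, own_hosts):
    """Return iframes whose src points off-site or that are hidden.

    own_hosts: lowercase hostnames the site legitimately embeds.
    A relative src (no hostname) is treated as on-site."""
    parser = IframeCollector()
    parser.feed(content)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        off_site = bool(host) and host not in own_hosts
        hidden = is_hidden(attrs)
        if off_site or hidden:
            findings.append({"src": src, "off_site": off_site, "hidden": hidden})
    return findings


def scan_files(files, own_hosts):
    """files: mapping path -> content (in real use, read from the web root).
    Returns {path: findings} for web files with at least one suspicious iframe."""
    report = {}
    for path, content in files.items():
        if os.path.splitext(path)[1].lower() not in WEB_EXTENSIONS:
            continue
        hits = suspicious_iframes(content, own_hosts)
        if hits:
            report[path] = hits
    return report


# Constructed sample web root: one injected page, two legitimate embeds,
# one non-web file that must be ignored.  Hostnames are placeholders.
SAMPLE_FILES = {
    "index.html": (
        "<html><body><h1>Welcome</h1>"
        '<iframe src="http://malicious-host.example/in.cgi" width="1" '
        'height="1" style="visibility:hidden"></iframe></body></html>'
    ),
    "about.php": (
        "<?php echo 'About'; ?><p>About us</p>"
        '<iframe src="/embed/map.html" width="400" height="300"></iframe>'
    ),
    "video.asp": (
        '<iframe src="https://www.example.com/player" width="640" '
        'height="360"></iframe>'
    ),
    "notes.txt": '<iframe src="http://malicious-host.example/x"></iframe>',
}
OWN_HOSTS = {"www.example.com"}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES, OWN_HOSTS).items():
        for h in hits:
            print(f"{path}: iframe src={h['src']!r} off_site={h['off_site']} "
                  f"hidden={h['hidden']}")
```

Only index.html is reported: the relative embed in about.php and the frame from the site's own host in video.asp pass, and notes.txt is skipped because it is not a web file.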

Alias: W32/Virut.n, PE_VIRUX.A

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP

How to Remove W32.Virut.CF

Systematic procedures to get rid of the threat are presented in this section. Make sure to scan the computer with the suggested tools and scanners.

NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

Optional : Scan and remove W32.Virut.CF with this special tool

1. Download the tool FixVirut from the Symantec web site.
2. Save it to a desired location.
3. After download completes, disconnect the computer from Internet.
4. On computers running Windows ME or Windows XP, disable System Restore.

5. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.

6. Go to the location on your hard drive where FixVirut.com was saved.
7. Double click FixVirut.com to run the tool.
8. Thoroughly scan the computer and carry out another scan after rebooting Windows in normal mode.

Step 1 : Run a scan with your antivirus program

1. Remove all media such as memory cards, CDs, DVDs and USB devices. Then restart the computer and do the following:

Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.

Start computer in Safe Mode using Windows 8 and Windows 10
a) Close any running programs on your computer.
b) Get ready to start Windows. On your keyboard, press and hold the Shift key, then click the Restart button.
c) It will prompt you with options, please click on Troubleshoot icon.
d) Under Troubleshoot window, select Advanced Options.
e) On next window, click on Startup Settings icon.
f) Lastly, click on Restart button on subsequent window.
g) When Windows restarts, it presents startup options numbered 1 to 9. Select "Enable Safe Mode with Networking" or press 5.

h) Windows will now boot on Safe Mode with Networking. Proceed with virus scan as the next step.

2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of W32.Virut.CF.

Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

3. Once updating is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine.

Step 2: Run another test with online virus scanner

Another way to remove W32.Virut.CF without installing additional antivirus software is to perform a thorough scan with a free online virus scanner, available from the websites of legitimate antivirus and security providers.

1. Choose a provider from the list of suggested online virus scanners. Run each scan individually, one at a time, to ensure that all threats are removed from the computer. The scanner may require a plug-in, add-on or ActiveX object; install it if you want to proceed with the scan.

2. After completing the necessary download, your system is now ready to scan and remove W32.Virut.CF and other kinds of threats.
3. Select the option that scans the computer thoroughly, so that it finds and deletes any infections not detected by the previous scan.
4. Remove or delete all detected items.
5. When scanning is finished, you may now restart the computer in normal mode.

Alternative Removal Procedures for W32.Virut.CF

Option 1 : Use Windows System Restore to return Windows to previous state

During an infection, W32.Virut.CF drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. Given how extensive these changes are, the best way to return Windows to a previous working state is System Restore.

To check whether System Restore is active on your computer, follow the instructions below to access the feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Go to the Start Menu and type rstrui in the 'Run' or 'Search programs and files' field.
b) Then, press Enter on the keyboard to open System Restore Settings.

Open System Restore on Windows 8 and Windows 10

a) Hover your mouse cursor over the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.

If a previous restore point is saved, you may proceed with Windows System Restore.

About Marco Mathew

Marco Mathew worked as a Windows network administrator before establishing precisesecurity.com. Now, Marco dedicates his full time to helping computer users fight viruses, malware, trojans, worms, adware, and potentially unwanted programs.

50 Comments

  1. DavisMcCarn

    Everybody is way behind on this new flavor of an old attack and nothing short of partition deletion and powering off before re-creating will kill it. Symantec, McAfee, Microsoft etc… haven’t caught on in over a week and their cures will not work.
    Want a sample to try for yourself?

  2. Tanya

    Apparently whoever wrote this virus report is referring to another Win32.Virut.CF infection than I have on my computer because the one that has tormented me for the last week before finally making my computer inoperable wouldn’t let me run a complete virus scan, even if it did it would come back when the computer is rebooted. My antivirus (CA Security) didn’t even detect it until I had it for a few days, then when it did it didn’t clean or delete any of the files. It infected all html files as well as .exe. I had a 20Gb hard drive I used as a boot drive and a 140 GB hard drive (divided into 4 partitions) I used for data and also to run programs off of (but all system files were on the C: drive) and this Virut virus took out my C: Drive and infected all the exe and html files on my D: drive as well. I couldn’t boot into Windows at all so I did a clean install of Windows on the boot drive and that worked, however, now that I realize my D: drive is polluted too, I am sure that the C: drive will also be infected by the time I am done with this post. Please, does anyone have a program that cleans these files without having to delete them, and makes this beast stay DEAD? Whoever developed this virus should be shot, a bunch of times, seriously!

  3. Kumar

    Hi Tanya,
    I had the same problem. Just try installing Norton 2009 trial. Update. Restart in safe mode. Do a complete scan. Just follow the Norton removal instructions.

  4. KelbyE

    I too have this beast of a virus. It has overtaken my whole computer. I cannot disable system restore because I can’t get to it. Not even in safe mode. I have Symantec installed but can only access it out of safe mode. My computer freezes up before I can scan.

  5. David

    Have the same worm. I have Norton Internet Security 2009, it detects the virus but can’t handle it.
    I tried to put my hdd in an external case, and to plug it by usb to another computer. Then I ran Kaspersky Internet Security 2009. It found a lot of infected files, but it could only delete, not repair.
    Please respond if there is a cure.

  6. Ulrich

    I’m glad to see I’m not the only person wanting to burn my HDD to get rid of this thing. Only way I found to fix it is to do a clean install of Windows. Install and update Kaspersky (or any other antivirus that detects it) and delete all the infected files on any other partitions or drives you might have. Seems after a while the virus also tries to infect Windows files that are in use such as logonuiu.exe etc…

  7. Rik

    I have yet to be able to clean a system with any antivir vendor’s “solution”. When I last dealt with this Symantec Endpoint Protection would pick up on an attempt by Virut to hook onto Winlogon.exe, but by Virut and SEP fighting over the critical system file the computer would end up BSOD and reboot. Upon reboot Virut had successfully hooked onto Winlogon.

    Once it had done this, SEP did not detect anything wrong with Winlogon and the system briefly appeared clean. But by adding SEP firewall rules to block access to the sites Virut tries to contact I was able to see constant blocks in the FW logs all showing Winlogon.exe as the source. After letting the system run for about 5-10 minutes you could hear the hard drive activity crank up and SEP started going berserk as Virut began doing its thing going through all the .exe files on the drive.

    SEP not even picking up on the hook into Winlogon, combined with the fact that Winlogon is a necessary Windows process even in Safe Mode, made the all-too-typical solution of “Update Defs, Disable SysRestore, Scan” a complete waste of time.

    The only way we got rid of virut was pulling all the systems off the network and reimaging. Although I’ve read that some people have had success removing the infected drive and attaching it to another machine for scanning. But from what I saw, there were so many .exe files in quarantine that SEP was incapable of repairing that a reload would likely be needed for applications or Windows to work correctly anyway.

  8. jocce98

    I fixed it yesterday! Installed Windows again. And now it works. Can’t find a single virus. I’m so happy!

  9. kreepykrawly

    This thing wasted 3 days of my life. Did everything. Still comes back.
    Windows tells me that original files have been replaced and that I need to install Windows XP Pro Service Pack 3. I bought Windows XP Pro when it was Service Pack 1 and it tells me it’s the wrong disc.
    Can’t solve it. I can feel a reformat coming on.

  10. prakash

    Hi,
    First try doing a system restore.
    If that fails, then restart the computer in safe mode with networking.
    Run Norton Security scan, which you can get from ftp.symantec.com.
    That will fix this problem.

    Thanks

  11. kreepykrawly

    Prakash
    You’ve gotta be kidding. This thing embeds itself deep in memory. System restore reactivates this virus. This thing spreads also via flash drives/external drives. So beware transferring data from a working computer to an infected one via flash drives. Scanned 3 of my flash drives and all had this virus.
    Helpful tools to get system working again.
    1) Download latest software (free) from malwarebytes and run scan
    2) Download rmvirut and run
    3) Download Flash Disinfector and run with flash hardware
    4) Download latest virus definitions for your anti virus software and run
    5) Delete any programs/software you’ve recently downloaded
    6) Don’t use p2p for a while
    7) Run all antivirus programs in safe mode
    8) Run autorun (free download) to see all system processes and disable those you don’t recognize
    9) msconfig (start > run > type ‘msconfig’) at the start-up tab disable all non-essential start up items. DON’T be fooled… I recognized start up programs such as winlogonn.exe, etc. These are start up bugs
    10) of course you can run Spybot (free), do a scan and immunize your system from bugs.

  12. Houston'sBestTech

    This is a nasty virus. My first user was infected on Feb 2 and on the 4th, half of my systems were infected. By the 6th I was clean on the network, but I had irreparable damage to several machines. If you think you have this virus, turn off that computer until you are ready to take the effort to recover it.

    To fix this using Symantec/Norton: remove all known infected machines from your network. These machines’ OSes are gone, but the data can be salvaged. On the remaining machines, make sure you have the latest virus definitions, turn off all shares (even admin shares), isolate all of the machines, and run full virus scans. For now, make sure your virus protection software is set to “leave alone” if it cannot repair the file. Scan continually until all runs clean. Verify the registry is clean (look in run and winlogon keys for each user and delete the garbage lines). After this, the network portion will be clean.

    To salvage your workstations: If you can boot into safe mode, load new virus definitions and scan – this takes a long time. Whether or not, afterwards boot with UBCD and move all of your data off to an external drive. Without being connected to a network or the Internet, format your drive and reinstall your operating system. Install your anti-virus software with latest definitions, connect to the Internet and run Windows update. Next, plug in your external drive and scan it immediately. You are now ready to load your programs and move on to the next infected machine.

    I found that the majority of the damage that I received was not from the virus itself, but the way the anti-virus software responded to the threat making my systems non-bootable. This took over 2 weeks for me to get completely past this virus, and the support I received from Symantec in the beginning was amateurish at best. It was not until day 3 (about 15 hours on the phone later) that I felt I was getting somewhere with this. This did not come in through email, but came from the web and it appears that it came from a link from a well known news site.

    Good luck and I hope this helps those still battling this. Today, we are virus free. Tomorrow…who knows?

  13. lasera

    OK. I have this thing. Is there something easy I can do to get rid of it? It is slowing my computer, way down. I’m not that computer savvy so everything I read so far was complicated. Is there something I can download (or purchase) that will just get rid of this thing?

  14. prakash

    Hi,
    Even in some cases I tried all the above steps, but the issue was not resolved. But I ran combofix in some cases and that helped me in fixing this virus. Main thing, this tool automatically replaces the userinit file. I have come across a lot of customers who use malwarebytes and they do still have the same issue even after running this program in safe mode.

    I think there is no antivirus software that has come out fixing this virus. (sorry, correct me if I am wrong)

  15. kreepykrawly

    I actually got rid of this virus without having to reimage/reformat my hard drive by doing all of the above.
    I also used Symantec client security and it picked up over 2000 instances of this bug.
    I had to reinstall most of the software I had on my system but at least I didn’t have to reinstall windows (and believe me….my whole computer was completely stuffed).

    Don’t worry about needing registration details for the software you had to reinstall. Most of that is retained on your system. Even after a complete uninstall. The bug doesn’t attach itself to that info.

    It’s also important to run Chkdsk

    P.S. it’s also important not to use only Malwarebytes but to throw a combination of bombs at this bug. Malwarebytes picked up 3 bugs when all other virus removal/detection programs cleared me.

  16. JHillmer

    I just reformatted and then re-installed XP on a laptop. and crap… it’s back! I’m guessing the external USB drive that I used to back some files up to before the reformat must have been infected too… and when I hooked up that drive up to get my drivers and such back, the v-thing crept across the USB cable and bit me again. I hope someone does find that hacker, and that they will pay dearly for this.

  17. JHillmer

    Why in the world didn’t all the anti-everything software that we all use stop this? Maybe we need to fry the anti-virus people too for not doing their jobs well. I keep my virus signature updated every 2 hours! And this thing snuck in still. I want a refund from the anti-virus people too. Anyone recommend a product that did stop this?? I was using a paid-for product called Vipre

    Really Mad

  18. CheekyBum

    They reckon this thing is a LOW threat? I picked up this thing or SOME virut virus two days ago and it’s really no joke fighting it.
    May look like it disappears but it comes back, don’t even think you’ll remove it without doing some serious work in your registry and by that I mean I haven’t slept for two days.
    Using antivirus scanners won’t help you. SAS and Malwarebytes will tell you there are new threats every time you connected to the Internet, so STAY OFF THE NET! It downloads more and more malware and Trojans.
    I’m actually typing this from my mobile phone because I even discovered software was downloaded to my PC that was disabled in the registry but used to download more crap.
    You’re being hacked so be careful. Not just by one hacker, by a few.
    I know this because I’ve been working on this thing bit by bit as I refuse to re-install but if you don’t know how to do this, accept it now that you will have to format and re-install.
    Don’t make back-ups coz it’s too late for most of your software.
    This thing even hid itself in SuperAntiSpyware and Nero on my PC.
    You’ll have to find the connection it’s making to the Internet through your updates and through Windows Live Messenger.
    Using RMVirut won’t help much. Can tell you which files are infected as it can’t open those files but that’s about it.
    Stop wasting your time using antivirus programs.
    This thing even edited your registry to turn off your firewall and antivirus AND prevent Windows from notifying you about it.
    I haven’t ever been infected this badly but this really is no joke.
    I could murder the person who wrote this right now.

  19. kreepykrawly

    The best thing to do is to insert all external drives into all free USB ports and perform a full scan on them. By default your antivirus software might only include drive C ….so customize it to include all drives.

  20. AnotherVictim

    We were also infected by this Feb 2-4. Any info as to what sites/email may have caused the initial infection would be greatly appreciated. We’re currently investigating.

    As far as removal goes… Just format machines. If a server is infected remove all infected exe’s in safe mode, keep a list and restore from tape. If this virus is hitting your network hard, it is because you have shared executables on the network that are infecting machines. Ours was embedded in a Zenworks exe that ran at log-on which was injected with the virus when one of our techs logged in with permissions over the network share to address a spyware problem. These need to be your first target for cleaning. Also have all users bring in jump drives etc. because it can infect the exe’s there as well.

    As a side note, on our site the initial encrypted portion of the virus appears to reside in c:\windows\temp and launches under the name “winlogonn.exe” along with a couple randomly named files. If you are going to attempt cleanup you’ll need to take care of this file in safe mode along with deleting registry keys corresponding to the random names of DLL’s.

  21. Windows

    You want a solution to this problem, use Mac or Unix. Windows is the lousiest piece of sh*t operating system I have ever used. I was tired of fighting virus after virus, so I switched to Fedora OS. You should seriously consider trying another OS – “Free at last, free at last (from Windows), praise Unix we are free at last!”

  22. Try this removal method, WORKED FOR ME

    Like many of you who posted here, I’ve been affected by this nasty virus for some time now and it has been a real headache trying to eradicate it from my system. Even though I was able to restore my system to working condition, the virus remained on my system constantly attempting to connect to the Internet (luckily my BitDefender Firewall was usually able to block it).

    After doing a bit of research, I was able to find and run a series of tools that so far APPEAR to have eradicated the virus from my system. As many of you know this is a very tricky virus that appears to infect everything it touches so try to follow my directions as closely as possible.

    Note: My system is running Windows XP Service Pack 3, so those using other operating systems may have to tweak these directions slightly.

    1. Firstly, download these free tools from the Internet and move them to the infected machine.

    Symantec Virut Removal Tool – hxxp://www.softpedia.com/progDownload/W32-Virut-Removal-Tool-Download-121930.html

    Dr. Web CureIt Scanner – hxxp://www.freedrweb.com/

    ATF Cleaner – hxxp://www.download.com/ATF-Cleaner/3000-18512_4-89432.html?tag=mncol

    2. You want to disable System Restore on your computer. This can be done by viewing the System Restore tab in your System Properties. Next you want to disconnect your computer from any network cables it may be connected to. Make sure to disable any means your computer may have of connecting to the Internet (such as disabling any wireless network adapters).

    3. Start your computer in Safe Mode (login to the account with the highest administrative privileges, of course).

    4. You want to open the file DrWeb.exe which you downloaded. As soon as it opens, it will run a quick system scan which won’t take very long (a few minutes). If you are indeed infected with this virus, the scanner will detect some of your infected files during this scan. Allow the scanner to cure/repair the files it finds (on my machine, the virus came up as “Win32.Virut.56”). When the quick scan completes, minimize the Dr. Web scanner for now.

    5. THIS IS IMPORTANT: Like I said, this virus can spread onto other computers and devices quite easily, so you want to plug in any removable flash drives or hard drives that may have been connected to the infected computer while it was infected. Make sure you have plenty of time to allow your computer to sit idle while additional scans are performed with these peripherals connected (like 6 hours).

    6. If Dr.Web managed to find some of the “Virut” infected files on your machine, you want to now go on to open the file FixVirut.com which you downloaded. It is a tool I found online which was recently released by Symantec to repair files infected by this virus. This tool is quite self-explanatory and simple to use, just run it. It may take a few hours. The tool may ask you to reboot when it finishes, but do not reboot yet. (When I ran the tool it found 2700+ infected files on my system, mostly .exe files, and terminated two process threads running in my winlogon.exe file. The tool creates a simple log of infected files within the same folder the tool is run from.)

    7. After FixVirut.com finishes running, you want to return to Dr.Web to run a complete system scan. Before you start the complete system scan, enter Dr.Web’s settings configuration (do this by pressing F9, not hard to find) go to the File Types tab and uncheck “Files in archives” (If you leave this setting checked, Dr.Web will take forever unpacking and scanning inside all the archive-type files on your computer. This virus doesn’t appear to attack the CONTENTS of archives in any case. If you think you need it and have the extra time to burn, you can leave it checked).

    8. Running the Dr.Web complete virus scan is very important. It will pick up any infected files the Symantec tool may have missed. Also, it picked up a couple of Trojan downloaders and suspicious files I believe were affiliated with this virus. In addition, those connected peripherals that may have been infected at some time will be scanned and cured during this complete scan. Click “Yes to all” the first time this program asks to cure an infected file and it will basically do the rest. Be aware that the scan will pause and ask you what to do if it comes across a file it cannot cure. This entire process will take several hours.

    9. When the scan finishes, go through the list of infected and suspicious files. Manually quarantine (move) or delete any suspicious files Dr.Web may have left alone, just to be on the safe side, unless those files are VERY important on your particular computer.

    10. Be happy, because most of the hard work is done. When you are done with Dr.Web you can close it and open the ATF-Cleaner.exe file you downloaded. Click “Select All” at the bottom to select every category then click “Empty Selected” to begin the deletion process. This will basically remove all the TEMP files from your computer, which is OK because you really don’t need them. This step may not be necessary but I did it simply as a precaution.

    11. Next I went into my systemroot TEMP folder and manually deleted all the files inside. (For me, the file path was “C:\WINNT\Temp”. For others it may be “C:\WINDOWS\TEMP”) Again this may not be necessary, but I did it as a precaution to be on the safe side.

    12. And now you’re done. You can run another quick express scan in Dr.Web to double check if you want, but right now your computer should be clean. Restart Windows normally. If you don’t already have one, I recommend getting some sophisticated Antivirus and Firewall software (i.e. not Windows Firewall). It was the lack of such software that got me in this mess in the first place.

    I hope this information helps some of you clean your computers of this nasty virus. It was by reading a variety of other people’s posts that eventually allowed me to figure out how to get rid of Virut, and stay better protected in the future.

  23. Lightwave

    @Windows – Go put on some socks to go with your sandals. If you haven’t anything useful to say other than “I love shiny macs” then you’re wasting everyone’s time…. And enjoy your rainbow wheel of death when the Mac decides it’s had enough playing with big buttons today.

  24. To: "Try this removal method, WORKED FOR ME"

    Well,
    I will try this out. If it works, I will post again. If not…
    Well I will see.
    But thanks so much for this info. It’s better than other posts that complain about the unlocatable virus creator and money-hungry antivirus software companies. It’s better than wasting time.

    Thanks.
    will try it.

  25. Steverino

    Thanks to everybody here. I thought I was going nuts. Fingers crossed.

  26. Try this removal method, WORKED FOR ME

    Definitely let me know whether or not the removal method I posted works for you.

    Also I just noticed that the moderator of this forum changed the download links I posted from “http” to “hxxp” rendering the links effectively unclickable. The link will still work if you copy and paste it into your address bar, just manually change the “hxxp” back to “http”.

    Since running the removal method I posted nearly a month ago, my computer still shows no signs of being infected. Even after the virus is removed though, settings that were changed in your System Registry by the virus may still need to be changed back (things such as re-enabling your folder options, check online for the appropriate fixes).

  27. still infected

    To: Try this removal method, Worked for me,

    I tried your method, (to the very tee), still didn’t work.

    On reboot (again after I tried your removal method), the DAMN w32 virus appeared again under the name reader_s.exe in the background.

    After a week trying different methods, and spending countless hours, I am just going to do a fdisk, deep reformat, and install.

    I’ll post if this works.

    Thanks for trying to help, and I am glad that this worked for you.

    -Chris

  28. BeCe

    I tried yesterday the following steps:

    1. Disable System Restore.
    2. Boot in safe mode
    3. Run Fixvirut.com by Symantec.

    It does not pick up anything except it terminates two instances of Winlogonn.exe.

    However I know from scanning the computer with Antivir and uploading a few .exe files to virustotal.com that I am in deep with the Virut virus. Explorer.exe, notepad.exe just to mention a few of the files that are infected.

    My question is how can it be that the Fixvirut.com does not repair/delete any of the .exe files that are infected? Is it already outdated?

    I have XP but SP2. I can not update to SP3.

  29. Try this removal method, WORKED FOR ME

    Chris,

    Sorry to hear that the removal didn’t work for you. I have a six-year-old computer with a lot of irreplaceable content so the option of reformatting was unacceptable to me.

    Just a few final suggestions:

    There is a free program online called Process Explorer, which is like a more advanced version of your Task Manager. You can use this program to get a better sense of how your virus-related files are activating themselves on your computer.

    Second, if you have been able to identify certain files that you know to be affiliated with the virus (like reader_s.exe) I suggest you type “msconfig” in your Run prompt, go to the Startup tab, uncheck all the processes you think are suspicious and click Apply (for example, you may find reader_s.exe there). See how this affects your computer’s behavior.

    Best of luck, hopefully something will work.

  30. Worked for me too!!!

    It works for me using Dr. Web.. however, it needs patience..
    I did run Dr. Web, and cured those infected files (make sure you are not connected to Internet), after running Dr Web I ran the Norton full scan (make sure you have the latest definition). In my case I still see W32.virut.CF virus upon Norton..

    So did run Dr Web again and subsequently the Norton anti virus..

    I did this sequence for about 3 times.. finally my PC works fine..

  31. Try this removal method, WORKED FOR ME

    I should have included one more program in my extensive virus removal post.

    I also used the free program Malwarebytes Anti-Malware to combat the Virut virus. This program is particularly effective at identifying and eliminating malicious registry entries. It can play a critical role in cleansing your system of this virus.

    Search for and download this program from the Internet, update it, and run a Full Scan for best results.

    I forgot to include Malwarebytes Anti-Malware in my original removal post because I ran the program well before I was able to eventually eliminate the virus, and so I had forgotten about the critical virus elements this program was able to get rid of beforehand.

  32. soutz

    Thanks for all the posts which are very helpful. My Symantec antivirus recognized this as W32.Virut.CF and my problem is (from what I can tell) that the antivirus quarantines every file which is infected, cause I’ve got the option “repair, then quarantine” by default. So, explorer.exe is quarantined and inaccessible, rundll32.exe (so I can’t disable system restore, as far as I know) and a bunch of other files (not many though cause after being infected I’ve worked on the PC for just 15-20 mins trying to find a solution). In safe mode, the Symantec removal tool finds my system clean and now of course I try to find a solution through safe mode and only with command prompt (I don’t have explorer), by running “cmd.exe” through the task manager – which by the way is not infected, luckily. Any suggestions? Should I restore the files missing and try the steps mentioned in other posts? Thanks

  33. ray

    Well,
    After 3 days my focus went from cleaning this thing to preventing it from reappearing. I was infected again within a minute after completely reinstalling a fresh Windows. AVG didn’t notice it until half the system was gone again. So anyone with good advice on that…
    Indeed it doesn’t seem to “harm” your system; it’s the cleaning that makes it unusable.
    Way back when, I cleaned Sasser manually in 5 days; I had no other option at that time. But I don’t believe I can get rid of Virut, let alone manually.
    It will affect virtually any of your executables and be embedded in any type of update (I got it through an update, by the way), and if you attack it your system will become inaccessible (or very difficult to access). In my case Internet connections became unusable first, and then Windows Explorer died, after which I couldn’t get to the system anymore (directly, anyway).
    All of this is very easy to repair, and even if you clean and replace everything, and your antivirus comes up with a clean sheet, and everything works like a charm… don’t believe it’s gone!
    I found it again, seemingly inactive, but when I tried to manually clean it, the system meltdown started all over again.

    So after my own cleaning, manual cleaning and reinstalling, my recommendation is: hard format.

    After installation make sure you’re well protected before connecting to the net, or any net. Of course Windows protection isn’t well protected (never was and never will be) and from my experience neither are Norton and AVG. I have yet to try Norman…
    On another system, however, I have had a combo of AVG, Spybot S&D and Scotty (WinPatrol) running for years now with no mentionable problems.

    And oh yeah, my experience is also: if you can, use a different OS than Windows, and at least don’t use Internet Explorer but try Firefox or Opera instead. Way fewer attacks!

  34. by jeroen

    Hello there,

    Just like all the others, my PC is also infected by this virus.
    First I couldn’t log on, but this problem I could fix.
    After this, I used the recovery disc from XP and used the repair function, but the virus is still there.

    Now my question is: when I reinstall my PC completely, am I rid of this virus or is it still there?

  35. Zhecky

    I only need to save my music on an external hard drive so I can reformat. I also have some programs that I would like to transfer to the HDD, but I think it’s too late for them (R.I.P.). As I see it, the virus does not affect MP3 and other music files, but I’m not too sure…
    Can someone please answer?

  36. Curt

    I will try all the methods given here, and see if I’m lucky to get rid of this little monster… completely.

  37. prakash N

    Hi,

    Can anyone let me know how to identify a rootkit virus using regedit, without running any free tools or software programs (including Process Explorer)?

    Thanks and Regards
    Prakash.N

  38. Curt

    Seems like I’m clean of the Virut virus (as for now) after days of battling it. I mixed all the methods here plus a few of my own, except for the format & install. I’m testing my system now; hopefully it won’t resurface again. By the way, Kaspersky 2009 + its latest virus definition update disinfects most of the virus, and deletes those files which are incurable. Thanks for the info…

    P.S: I am not sure if my system is really free from this Virut virus yet. I’m in ‘testing’ stage. Really hope it won’t appear again.

  39. Leo

    If you spotted “W32.Virut.CF” on your PC right after infection, and you have a firewall, it won’t be that hard to get rid of it. I used Norton Antivirus to locate and clean infected files (a lot, more than 1000 files in a few minutes). Then I followed the steps:
    1- Disable System Restore
    2- Boot in safe mode
    3- Run Fixvirut.com by Symantec
    After that my system appears to be clean. But that virus did something that I couldn’t repair yet. It has blocked the Symantec site, so I cannot access it, no matter what browser I’m using. Still looking for a solution. Any ideas?
    Since this virus can download other files to the infected machine, if you have it for days before finding it, you certainly have a lot of other problems to fix too. I think that’s the case of many people here.

  40. samyak

    @leo
    I have experienced the same problem and did exactly what you did.
    Even I could not access the Symantec site when my machine was infected; rather, all websites having keywords like anti-virus, virus, etc.

    I assume my system is clean now, with some after-effects. I can access all the websites now.
    My suggestion: clean all the cookies and temporary Internet files from your system. There are a few good tools to properly clean them; use those. Hope that solves the problem.

    Also, I downloaded trial version of Norton 2009 and scanned the whole system, which is showing my system has no threat anymore. You may also use that.

    ______________

    Q: After this virus has gone, I am not able to find my msconfig and regedit. Somebody help me!

  41. briankl

    I followed instructions, and I’m at the part where I have to delete/whatever the registry key. I went to the designated sub-folder, but instead of being

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List

    it was …\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    Not from DomainProfile, but from StandardProfile. DomainProfile had a folder called “Logging”… do I still delete

    "\??\%System%\winlogon.exe" = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

    ?

    Help please. By the way, I’m running on Vista 32bit.

    -Briankl

  42. preaxz

    I’m commenting from a clean PC right now; I had to do a clean install on my drive to get rid of the virus.
    Beware, no one provides a working solution for this one. Don’t try to download anything offering a Virut removal. They are scams…
    It’s not that easy, and soon after you finish installing a new Windows system.

  43. slasherrhonx

    Thanks for all the tips. But I’ve got something fishy going on here: my PC is working properly but I don’t have any antivirus installed. When I installed Symantec antivirus my system went slowly and it took time to open a program. When Symantec began to scan that Virut thing it did something bad, really really bad, to my system, because it totally damaged/corrupted/disabled programs and all files with extensions .exe, .scr, and even web-related files such as .html, .asp and .php. So I decided to repair it using my Windows setup program and install everything from scratch.

  44. slasherrhonx

    In addition to my post, the thing I just did was uninstall Symantec and fix the registry using CCleaner, and there it goes. My system goes well. All my programs run properly.

    That’s it. Just try it and see it for yourself.

  45. Gopi

    After all the failed attempts to remove this virus, I tried the exact steps as outlined in the “Try this removal method, WORKED FOR ME” post, and finally it worked. Thank you very much.

  46. Pwnguins

    So I just spent all day combating this thing. At the end of the day, 4 virus scans don’t pick it up. I am not entirely sure that it is gone though. Is there any way to make sure it is off my system for good?

  47. ahura mazda

    I’ve managed to stop the infection after 3 days of research and testing.

    Here is a summary of what I think is happening:
    My user account has Administrator rights. I ran a program infected with the Virut virus.
    The virus patches the Windows kernel and thereafter has access to all processes and to very important functions of the OS. Thereafter it probably infects the programs that start with Windows (mouse and keyboard tools such as Microsoft IntelliMouse, graphics card helpers, Acrobat, etc.).
    Every time your PC starts, any of the applications started will attempt to reinfect the kernel and the same infection process continues.
    It also adds a line to your Windows hosts file (this file is a shortcut for Internet connections): 127.0.0.1 jl.chura.pl
    It also adds a hidden <iframe> […]

    […] File -> Kernel Debug
    2.1 Select Tab ‘Local’, click OK.
    3. In the command box at the bottom, type ‘!chkimg -f nt’, without quotes
    3.1 This will replace the kernel in memory with a fresh copy of the kernel from disk, thereby removing any changes the virus may have made to the kernel in memory
    3.2 Note: this may cause issues with your system as there may be legitimate kernel patches (anti-virus software normally patches the kernel)

    *Steps I took to stop the infection*
    0. For peace of mind, once Windows restarts (make certain always in Safe Mode), immediately stop the kernel patches.
    0. Stay disconnected from the Network/Internet
    0. Always log in as the Administrator or use an account that has administrator rights
    0. If you have to use the Internet, configure your hardware router to block outbound calls to port 65520.

    1. Disabling System Restore – your System Restore files are most likely infected and may undo any fixes by Dr. Web
    1.1. Boot up in Safe Mode
    1.2. Stop the Kernel Patch (see above)
    2. Turn off System Restore
    2.1 Right-click on ‘My Computer’
    2.2 Select Properties
    2.3 Select Tab ‘System Restore’
    2.4 Check ‘Turn off System Restore on all drives’
    2.4.1 You may have to reboot, so reboot and go back into Safe Mode
    2.4.2 Stop the Kernel Patch again

    3. Run Dr. Web and Cure any viruses on your machine
    3.0.1 Because the kernel patch is stopped, Dr. Web should be able to see all files/processes/registry entries, including the virus’s
    3.0.2 As well, the virus is no longer accessing the files of the processes, so it should not be infecting the files that Dr. Web is scanning
    3.1 Once Dr. Web has finished, save the log so that you know later which files were infected (I had 1800+ executable files infected).
    3.2 Restart in Safe Mode

    *Checking if the Virus has stopped*
    4.0.1 On my machine, winlogon.exe and lsass.exe were actively infected
    4.0.2 Although 1800+ files were infected, they were not running in memory. Winlogon and lsass are Windows files and are difficult to contain, as you cannot easily stop them because they are processes required by Windows

    4.1 Start Process Explorer (procexp)
    4.2 Double-click on lsass.exe, which will bring up the Properties dialog
    4.3 Click Tab ‘Strings’
    4.3.1 By default, the strings (text) will be shown from the disk file for lsass.exe
    4.4 If you scroll all the way to the bottom, you should notice quite a few lines of garbled text. This is the encoded data the virus infects executables with.
    4.5 Select the radio button ‘Memory’ and this will show you the text from the memory of the running process of lsass.exe
    4.6 Scroll to the bottom, and if the text is still garbage/nonsense, then Dr. Web has ‘cured’ this file.
    4.6.1 On my machine, before the fixes, the running process of lsass.exe had the following text at the bottom: microsoft, windowsupdate, avast, 127.0.0.1 jl.chura.pl, <iframe, etc.
    4.6.2 The virus stops you visiting websites (such as *microsoft.*, *.avast.*, etc.).
    4.6.3 It also updates the Windows hosts file with ‘127.0.0.1 jl.chura.pl’
    4.6.4 It also updates all htm, php, asp files with a hidden iframe, so that the next time you open the file, your browser will connect to the site where the virus resides
    4.6.5 All these actions are controlled by the text found at the bottom of lsass.exe

    *Another method of checking if the virus has stopped*
    5.1 Start TCPView
    5.1.1 Connect to the Internet (make absolutely certain that your hardware router blocks outbound calls to port 65520)
    5.2 Once connected, check if winlogon.exe is attempting an Internet connection to port 65520.
    5.2.1 When infected, winlogon.exe will attempt to contact an IRC site (I believe) on port 65520 and will try to download more viruses or updates to itself
    5.2.2 If I did not block port 65520, I would see other processes (in my case Vrt9.tmp) running on my machine making Internet calls thereafter.

    My machine is no longer infected, but the 1800+ executables still have the encrypted garbage left over and my web files all have the hidden <iframe>.
    When I start up Firefox, Avast Free Edition blocks attempts to ‘http://jl.chura.pl’. I don’t think Firefox is infected; probably Firefox uses a local html file which has the hidden <iframe>.

    Please note that the steps may or may not work for you and also may cause your PC to stop working, esp. if Dr. Web repairs a critical file required for Windows to run correctly. What works on my machine may not work on yours.

    I do hope it works for you, though,
    ahura mazda
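The checks ahura mazda describes above (the hosts file entry, the hidden <iframe> injected into web files, winlogon.exe reaching out to port 65520) and the Windows Firewall AuthorizedApplications\List entry briankl asks about in comment 41, gathered into one offline triage script. This is an added example, not code from the page, from Symantec or from Dr. Web. It parses text you would collect from the suspect machine (the hosts file, .htm/.php/.asp files, `netstat -ano` output and `reg query` output); every sample embedded below is constructed for illustration, and the set of core system processes that should never appear in a firewall exception list is an assumption.

```python
"""Offline triage for the Virut indicators discussed in this thread.
Added example; not code from the page, Symantec or Dr. Web. Feed it text
collected from the suspect machine; the samples at the bottom are constructed."""
import re
from typing import Dict, List

C2_HOST = "jl.chura.pl"   # host named in the thread
IRC_PORT = 65520          # outbound port winlogon.exe was seen using
# Assumption: core Windows processes that never need a firewall exception.
SYSTEM_PROCS = {"winlogon.exe", "lsass.exe"}


def hosts_entries(hosts_text: str) -> List[str]:
    """Names (other than localhost) that the hosts file points at loopback."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments, blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):
            hits.extend(n for n in names if n.lower() != "localhost")
    return hits


IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)[^>]*>",
                       re.IGNORECASE)
TINY_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?[01]\b")


def hidden_iframes(html: str) -> List[str]:
    """src of every <iframe> that is 0/1 pixel or styled invisible."""
    found = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0).lower()
        squeezed = tag.replace(" ", "")            # tolerate 'display: none'
        if (TINY_RE.search(tag) or "display:none" in squeezed
                or "visibility:hidden" in squeezed):
            found.append(m.group(1))
    return found


def connections_to_port(netstat_text: str, port: int = IRC_PORT) -> List[Dict]:
    """Rows of `netstat -ano` whose foreign port is `port` (TCP and UDP)."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            foreign, state, pid = f[2], f[3], f[4]
        elif len(f) == 4 and f[0] == "UDP":        # UDP rows carry no state
            foreign, state, pid = f[2], "", f[3]
        else:
            continue                               # header or unknown row
        rport = foreign.rsplit(":", 1)[-1]
        if rport.isdigit() and int(rport) == port:
            hits.append({"remote": foreign, "state": state, "pid": int(pid)})
    return hits


def firewall_exceptions(reg_text: str) -> List[Dict]:
    """Values under a FirewallPolicy AuthorizedApplications List key (as printed
    by `reg query`) that whitelist a core system process, with their profile."""
    key, hits = "", []
    for line in reg_text.splitlines():
        s = line.strip()
        if s.upper().startswith("HKEY_"):
            key = s                                # new key header
            continue
        if "REG_SZ" not in s:
            continue
        name = s.split("REG_SZ", 1)[0].strip()     # value name is the program path
        if name.rsplit("\\", 1)[-1].lower() in SYSTEM_PROCS:
            profile = next((p for p in ("DomainProfile", "StandardProfile")
                            if p in key), "?")
            hits.append({"profile": profile, "value": name})
    return hits


# Constructed samples (not captured from a real machine).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1 jl.chura.pl
"""
SAMPLE_HTML = """<html><body><p>constructed page</p>
<IFRAME src="http://jl.chura.pl/rc/" width=1 height=1 style="visibility: hidden"></IFRAME>
<iframe src="http://example.invalid/video" width="640" height="360"></iframe>
</body></html>"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1042       203.0.113.7:65520      SYN_SENT        612
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    \??\C:\WINDOWS\system32\winlogon.exe    REG_SZ    \??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1
"""


def run_all() -> Dict[str, list]:
    """Run the four checks over the constructed samples."""
    return {"hosts": hosts_entries(SAMPLE_HOSTS),
            "iframes": hidden_iframes(SAMPLE_HTML),
            "port_65520": connections_to_port(SAMPLE_NETSTAT),
            "firewall": firewall_exceptions(SAMPLE_REG)}


if __name__ == "__main__":
    for check, result in run_all().items():
        print(f"{check}: {result or 'clean'}")
```

On a real case, replace the samples with the files and command output copied off the infected box (from Safe Mode, as the post says), and treat any hit as a reason to re-run the disinfection rather than as proof of infection on its own: a 1x1 iframe or a loopback hosts entry can be legitimate, but winlogon.exe in the firewall exception list or a SYN to port 65520 from a system process is not.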

  48. Soumajit

    Guys, I’m also hit by this crap, on my office laptop, and while taking a backup my external HDD also got affected, so it came back while I was restoring my data after our IT support guys formatted the laptop. My laptop has a fully updated Symantec antivirus and firewall, but it failed to detect the intrusion. Later, while I was doing a full system scan, my friend attached the affected HDD to his laptop, which has McAfee on it, and as soon as he did that, McAfee detected and blocked the intrusion. So what I am going to do is scan the external HDD with McAfee and in parallel run the Symantec scan on my laptop. After both finish I will reinstall the OS and attach the HDD (I would like to check it again with McAfee before doing this), and then do another full system scan with Symantec. Will let you guys know if it works.

  49. Try this removal method, WORKED FOR ME

    I haven’t checked this forum for quite some time but I’m happy to see that at least a few people have been helped by the removal method I posted earlier.

    For the record, since removing the Virut virus several months ago my computer has shown no signs of reinfection.

  50. david watson

    Well, I had something similar, and it was a nightmare, as two times the service provider cut me off because too much spam was emanating from my computer. A very long story, but I seem to have solved the problem by running two firewalls (Sygate Personal Firewall and Tiny Personal Firewall). The problem seems to have been contained; e.g. the other day there was a request to connect to some site through port 65520, so I blocked all traffic through that port. All UDP stuff has been blocked, etc. etc.
