Win32.Virut.ce removal? Real headache

Status
Not open for further replies.

daylight

Win32.Virut.ce removal? Please help...

OK, I've tried a guide to remove Win32.Virut. After removal it seemed to be fine, but other trojans were left untreated. It was mainly BN8.tmp sitting in memory and in c:\windows\temp, and some strange files in C:\Documents and Settings\username\Local Settings\Temp, like these:

Arabic.bin
Czeck.bin
Danish.bin
Dutch.bin
English.bin
and so on with other language names...

Now Win32.Virut at first seemed to be eliminated, but it just came back again! And I cannot install either Malwarebytes Anti-Malware or SuperAntiSpyware. The installer just sits in memory doing nothing. So I'm only attaching a HijackThis log.

This is the guide I used to remove Win32.Virut (found on http://www.hm2k.com/posts/win32-virtob-virut-removal):
Like many of you who posted here, I’ve been affected by this nasty virus for some time now and it has been a real headache trying to eradicate it from my system. Even though I was able to restore my system to working condition, the virus remained on my system constantly attempting to connect to the internet (luckily my BitDefender Firewall was usually able to block it).

After doing a bit of research, I was able to find and run a series of tools that so far APPEAR to have eradicated the virus from my system. As many of you know this is a very tricky virus that appears to infect everything it touches so try to follow my directions as closely as possible.

Note: My system is running Windows XP Service Pack 3, so those using other operating systems may have to tweak these directions slightly.

1. Firstly, download these free tools from the internet and move them to the infected machine.

Symantec Virut Removal Tool - http://www.softpedia.com/progDownload/W32-Virut-Removal-Tool-Download-121930.html

Dr. Web CureIt Scanner - http://www.freedrweb.com/

ATF Cleaner - http://www.download.com/ATF-Cleaner/3000-18512_4-89432.html?tag=mncol

2. You want to disable System Restore on your computer. This can be done by viewing the System Restore tab in your System Properties. Next you want to disconnect your computer from any network cables it may be connected to. Make sure to disable any means your computer may have of connecting to the internet (such as disabling any wireless network adapters).

3. Start your computer in Safe Mode (login to the account with the highest administrative privileges, of course).

4. You want to open the file DrWeb.exe which you downloaded. As soon as it opens, it will run a quick system scan which won’t take very long (a few minutes). If you are indeed infected with this virus, the scanner will detect some of your infected files during this scan. Allow the scanner to cure/repair the files it finds (on my machine, the virus came up as “Win32.Virut.56”). When the quick scan completes, minimize the Dr. Web scanner for now.

5. THIS IS IMPORTANT: Like I said, this virus can spread onto other computers and devices quite easily, so you want to plug in any removable flash drives or hard drives that may have been connected to the infected computer while it was infected. Make sure you have plenty of time to allow your computer to sit idle while additional scans are performed with these peripherals connected (like 6 hours).

6. If Dr.Web managed to find some of the “Virut” infected files on your machine, you want to now go on to open the file FixVirut.com which you downloaded. It is a tool I found online which was recently released by Symantec to repair files infected by this virus. This tool is quite self-explanatory and simple to use, just run it. It may take a few hours. The tool may ask you to reboot when it finishes, but do not reboot yet. (When I ran the tool it found 2700+ infected files on my system, mostly .exe files, and terminated two process threads running in my winlogon.exe file. The tool creates a simple log of infected files within the same folder the tool is run from.)

7. After FixVirut.com finishes running, you want to return to Dr.Web to run a complete system scan. Before you start the complete system scan, enter Dr.Web’s settings configuration (do this by pressing F9, not hard to find), go to the File Types tab and uncheck “Files in archives”. (If you leave this setting checked, Dr.Web will take forever unpacking and scanning inside all the archive-type files on your computer. This virus doesn’t appear to attack the CONTENTS of archives in any case. If you think you need it and have the extra time to burn, you can leave it checked.)

8. Running the Dr.Web complete virus scan is very important. It will pick up any infected files the Symantec tool may have missed. Also, it picked up a couple of Trojan downloaders and suspicious files I believe were affiliated with this virus. In addition, those connected peripherals that may have been infected at some time will be scanned and cured during this complete scan. Click “Yes to all” the first time this program asks to cure an infected file and it will basically do the rest. Be aware that the scan will pause and ask you what to do if it comes across a file it cannot cure. This entire process will take several hours.

9. When the scan finishes, go through the list of infected and suspicious files. Manually quarantine (move) or delete any suspicious files Dr.Web may have left alone, just to be on the safe side, unless those files are VERY important on your particular computer.

10. Be happy, because most of the hard work is done. When you are done with Dr.Web you can close it and open the ATF-Cleaner.exe file you downloaded. Click “Select All” at the bottom to select every category then click “Empty Selected” to begin the deletion process. This will basically remove all the TEMP files from your computer, which is OK because you really don’t need them. This step may not be necessary but I did it simply as a precaution.

11. Next I went into my systemroot TEMP folder and manually deleted all the files inside. (For me, the file path was “C:\WINNT\Temp”. For others it may be “C:\WINDOWS\TEMP”.) Again this may not be necessary, but I did it as a precaution to be on the safe side.

12. And now you’re done. You can run another quick express scan in Dr.Web to double check if you want, but right now your computer should be clean. Restart your computer normally. If you don’t already have one, I recommend getting some sophisticated Antivirus and Firewall software (i.e. not Windows Firewall). It was the lack of such software that got me in this mess in the first place.

I hope this information helps some of you clean your computers of this nasty virus. It was by reading a variety of other people’s posts that I eventually figured out how to get rid of Virut, and how to stay better protected in the future.

I'm thinking now about using a Dr.Web live CD for treating Virut. What do you think about it? Please suggest how to fully clean my system; I don't want to format and reinstall the OS...
 

Attachment: hijackthis.log (6.6 KB)
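The guide above relies on vendor scanners to find the executables Virut modified and the debris it left in the Temp folders, and the later posts in this thread turn on system files (pci.sys, isapnp.sys, ntfs.sys) that went missing or corrupt. The script below is an added example, not part of the original post or of any of the tools it names: it records SHA-256 hashes of executable files under a mounted Windows tree, re-hashes later to report which files changed, appeared or disappeared, and lists the Temp artifacts the poster named (BN8.tmp and the language-named .bin files). The directory layout, file contents and the set of executable suffixes it checks are constructed assumptions; a real run would point `build_baseline` at the Windows partition mounted read-only from a live CD, ideally with the baseline taken from a known-good install or backup.

```python
"""Offline integrity check for a mounted Windows volume (added example).

Builds a SHA-256 baseline of executable files, diffs the tree against it
later, and lists Temp-folder artifacts named in the thread. Everything in
demo() is a constructed scenario, not data from a real machine.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Executable types a file infector typically modifies (assumption, not from the thread).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com")

# Temp artifacts the poster reported: BN8.tmp plus language-named .bin files.
SUSPECT_TEMP_NAMES = {"bn8.tmp", "arabic.bin", "czeck.bin", "danish.bin",
                      "dutch.bin", "english.bin"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every executable file under root."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash root and report files whose hash changed, appeared, or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def find_temp_artifacts(temp_dir: Path) -> list:
    """List files in a Temp folder matching the thread's names, plus any other
    .bin file, since the poster saw 'other language names' as well."""
    if not temp_dir.is_dir():
        return []
    hits = [p.name for p in temp_dir.iterdir()
            if p.is_file() and (p.name.lower() in SUSPECT_TEMP_NAMES
                                or p.name.lower().endswith(".bin"))]
    return sorted(hits)


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: fake Windows tree, baseline, then one executable
    altered (bytes appended), one driver deleted, one new binary and Temp debris."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        sysdir = root / "WINDOWS" / "system32"
        (sysdir / "drivers").mkdir(parents=True)
        (sysdir / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (sysdir / "drivers" / "ntfs.sys").write_bytes(b"MZ" + b"\x01" * 64)
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate what the scanners in the thread react to.
        with (sysdir / "notepad.exe").open("ab") as fh:
            fh.write(b"\xcc" * 16)              # executable changed after baseline
        (sysdir / "drivers" / "ntfs.sys").unlink()  # driver gone, as in the boot error
        (sysdir / "calc.exe").write_bytes(b"MZ")    # binary not in baseline
        temp = root / "WINDOWS" / "Temp"
        temp.mkdir()
        for name in ("BN8.tmp", "English.bin", "notes.txt"):
            (temp / name).write_bytes(b"x")

        report = compare_baseline(root, load_baseline(baseline_file))
        report["temp_artifacts"] = find_temp_artifacts(temp)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A baseline taken from an already infected machine only shows what changes after that point, which is still useful for confirming that a cleaned system stays clean across reboots; to find files that were already modified, the baseline has to come from a trusted source such as installation media or a pre-infection backup.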
Writing from a Linux live CD now...

After I removed Kaspersky and restarted, I cannot boot up Windows anymore because of missing files:

"Windows could not start because the following file is missing or corrupt: System32\Drivers\pci.sys" (isapnp.sys, ntfs.sys)

Then I used the recovery console and copied these missing files (pci.sys, isapnp.sys, ntfs.sys) from the original Windows XP bootable CD. But now I am stuck and get the same boot-up error even though I copied ntfs.sys many times. So what's up with that ntfs.sys? It's there but it won't load. Please help...
 
Start your computer up in Safe Mode (press F8 key before Windows starts loading)

Entering Safe Mode and finally getting to Safe Mode Desktop
Click on Start > Run > SFC /ScanNow > ok
(Note 1 space after SFC)

You may need your Windows CD during the scan
No data will be lost
And you will still be activated ok
 
Safe Mode doesn't start either... it stops right after trying to load ntfs.sys with the same error message.

Tried "chkdsk /R" in the recovery console - didn't help.
Tried to swap/take out RAM sticks - didn't help.
Tried to repair the Windows installation from CD - it copied files successfully, but after reboot, during setup finalization, the input devices (keyboard and mouse - both USB) totally froze, so I couldn't select the Marvell LAN drivers and couldn't continue with finalization. Something wrong with USB? Really strange...

Seems that my last try is to format and do a fresh install? :( I'm out of ideas, please suggest something.
 
Try the Ultimate Boot CD for Windows to help back up your important data. The link also includes help installing Windows clean :)

Please note: Normally uninstalling Kaspersky would not stop Windows from loading
I suspect that some of your Windows System Files were Virus infected, and therefore corrupt

You can also use the UBCDforWin to scan for viruses, or to back up as well.
Another point: do not format; remove the partition instead, i.e. clean.
 