I am a network admin at two schools. Schools prove to be extremely difficult to handle because we all know what young students are like, they don’t want to read a virus warning and go ahead anyway because they want the program they created at home to run and show their friends. Virtob/Virut have proven to be a formidable nightmare to deal with. Especially when coupled with a Mabezat infection that creates .exe duplicates of itself, even over networks.

But I have found a solution. I use Hiren 10.4 and boot into the MiniXP. It boots pretty quickly and works like a charm. With the MiniXP, I run Dr. Web (Included on Hiren) and it clears out the majority of the infections. Then I enable the network shares with the useful network function on the desktop. Then I connect into the PC using the c$ network share (preferably from a notebook directly to the infected PC through LAN) and do a full scan with an up-to-date antivirus. I used BitDefender 2010. This finds a few more infections but clears 99% of them and asks what to do with the other 1% if there are any. Generally deleting them isn’t an issue because of what I plan next.

Once I have checked through everything, I do a Windows XP Repair to fix and/or replace damaged files. Thereafter, ensuring the BitDefender Client Security was updated to the newest version (Which includes a forced USB scan WMI script that is amazing) and that it has been set up correctly. Then it is just a case of repairing a few installations of applications (Nero, Pastel, Office) and all works wonderfully again.

The catch comes in that you have to make 100% sure the computer is clean before reattaching it to a network. If any PC on the network has even one infection of either, you have to redo the entire network within 48 hours. If you work for schools, use school holidays to your advantage. 4-5 hours at each machine generally works beautifully. If you have multiple machines that are almost identical, Hiren does have cloning software.

Recap:
1) Hiren 10.4 (One released each month so it might be on 10.6 now. Newer is generally better)
2) MiniXP
3) Dr. Web full scan
4) Enable Network in MiniXP
5) Scan remotely with updated decent antivirus (BitDefender, Kasperski. Norton is NOT decent)
6) Repair Windows
7) Check Antivirus and Firewall installed correctly and up to date
Repair any applications that won’t work
9) Attach to clean network

And it is that simple.

I hope this alternative helps some people. It couples together many of the various other ideas on the website above and I have had a 90% success rate with most virus infections, not just Virtob/Virut or Mabezat.

One last thing to watch out for, one of the telltale signs you have a serious problem is that when Login in, before you get to a desktop it logs you back out. This is a problem with the registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\UserInit should read “C:\WINDOWS\system32\userinit.exe,” without quotes) and/or the userinit.exe file in %systemroot%\System32. If someone manages to login but doesn’t get icons and start bar, Explorer.exe and/or Explorer.scf are corrupt. You might also want to check the Shell entry under the same key of the registry above. It should read “Explorer.exe” without quotes.

To find WinDbg.exe: Google ” Filestube WinDbg_20v6.6.07.5.exe” – to download a legit copy of MicroSoft’s WinDbg Kernel Debugger.

Questions I have are:
In WinDbg.exe, I will use command, ‘!chkimg -f nt’, without quotes,
and need to know if “symbols are required for this action? Symbols are data sets for the debugger, and are like 650Mb.
Are they needed for an !chkimg command?

Is there a way to run WinDbg.exe in DOS before WinXP boots up? If so, How?

You see, I know alot, but I’m also missing basic PC programming fundamentals. HELP US!!!
I KNOW THIS WILL WORK, I JUST DON’T KNOW HOW TO IMPLEMENT THE PROCEDURES.

REFORMATTING IS NOT AN OPTION, IT”S FAILURE!
HELP US BRAINIACS!!!!
Nerds Unite!

Blakey

For the last week i have been dealing with this Virut and what a nightmare it has been. Previously decided to follow a sequence of anti virus programs…1. Malwarebytes, 2. Superantispware,3. Combo fix, 4. Root repeal, 5. Mgtools. All free downloads. 1 and 2 went ok but when i got to installing 3 it informed me the virut had infected set up file. So here i am about to try the advise on this page. Normally I would just format and carry on but it is not my computer and there is alot of personal programs and data. Fingers crossed, will let you know of progress. Learning alot!!!!!!

PS. This was virus was originally downloaded as a Heur virus i beleive.

1. go to a proxy site then from there go to the avg site to download their
virut remover put this in your c drive
2. Run msconfig
3. Change Boot tab to safe boot & alternate shell (doesn’t load explorer and
leaves it free to repair)
4. Reboot
5. When dos box type “cd c:\”
6. Type “rmvirut (all your drive letters ie: C:\ D:\ etc)”
7. Let it run through.
8. Scan any folder it finds the virut again
9. Then Scan all your windows folders (depends on how many multiboots you have
and its pays to have at least 2 with this virus)
10. Lastly Scan C:\windows\explorer.exe (the evil heart of the virus)
11. Then type msconfig
12. Change Boot tab to remove safe boot
13. Reboot
14. Then boot into another boot of windows and open cmd.exe scan everything
again paying particular attention to folders with the virus in it

All done, can now go to antivirus & mircrosoft websites

PS I dont deserve credit for this my mate found/tweaked this fix in the 1st place and I just tweaked it a bit further to help out the noobs

Thanks
Gary