How to Get Rid of Virut without Reformatting



Ms. Ducktoes did it! I beat the dreaded Virut without reformatting. This is how I did it.

  1. The Dr. Web Cureit Live CD I spoke of in the last post didn’t work. At the beginning of the scan, it stopped every time. So instead:
  2. I created an Ultimate Boot CD for Windows. I downloaded the image from the UBCD website and burned it to CD. There are detailed instructions on the site on how to do this.
  3. I booted off the CD and went on the Internet through the UBCD interface. I downloaded Dr. Web Cureit to the RAM drive.
  4. Then from the “Run” option off the start menu I browsed to the B: RAM drive and opened cureit.exe.
  5. Dr. Web Cureit started. I had to stop the Express scan and run the Custom scan and select the C drive or the C and D drives since I had more than one hard drive. Otherwise Dr. Web Cureit just scanned the CD.
  6. I cured the files instead of deleting them. The Virut virus changes the system files and your computer system needs them.
  7. I scanned three times this way.
  8. I rebooted but the computer wouldn’t start. So I did a “repair install” with my Windows XP CD.
  9. After the Repair Install, it booted, but after the logon, the logon kept returning. I couldn’t get past it.
  10. So I booted off the UBCD and replaced the Userinit.exe file in the System32/dllcache folder. I found another copy of it in the i386 folder and copied and pasted. You can search using the Windows Explorer on the UBCD disk.
  11. Then I ran regedit (still off UBCD) and searched for userinit. I found the registry keys related to userinit. One of them was set for the logon to repeat over and over, so I changed it from “1” to “0”.
  12. Then I rebooted and the computer started and the logon didn’t repeat!!
  13. Immediately I went into Safe Mode and started running virus scans like crazy. I ran Malwarebytes, AVG, SuperAntiSpyware and Dr. Web Cureit again. And found more trojans and viruses.
  14. After all the scans ran clean, I rebooted.
  15. The Virut was removed!!! And I didn’t reformat.
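The checks behind steps 10 and 11, written up as an added example that is not part of the original post: a PowerShell script that verifies userinit.exe against the Windows File Protection copy in dllcache (and, optionally, against a known-good copy such as the one from the i386 folder) and reads the Winlogon registry values that decide whether a logon sticks. It assumes a modern PowerShell (Get-FileHash, version 4 or later) run in Safe Mode on the repaired machine; the paths and the expected default values are the stock Windows XP ones, and the `-ReferenceFile` parameter is my own addition.

```powershell
# Added example (not from the original post): sanity-check the pieces of the
# logon chain that the walkthrough had to repair by hand.
# Assumes PowerShell 4+ (Get-FileHash); paths and defaults are Windows XP's.

$sys32    = Join-Path $env:SystemRoot 'system32'
$userinit = Join-Path $sys32 'userinit.exe'
$cached   = Join-Path $sys32 'dllcache\userinit.exe'   # Windows File Protection copy
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected Winlogon values on a stock XP install. A missing or broken
# userinit.exe is what produces the "logon screen comes straight back"
# loop described in step 9, so both the file and these values matter.
$expected = @{
    Userinit = "$userinit,"          # the trailing comma is part of the default
    Shell    = 'explorer.exe'
}

function Test-UserinitIntegrity {
    param(
        # Optional known-good userinit.exe, e.g. the uncompressed copy from
        # the i386 folder or from install media. Hypothetical parameter.
        [string]$ReferenceFile
    )
    $result = [ordered]@{}

    # 1. Does the live binary match the protected copy? A match only proves
    #    the two are consistent: a file infector can hit dllcache as well
    #    (step 10 had to replace that copy), which is why a reference copy
    #    from install media is the better baseline when you have one.
    if ((Test-Path $userinit) -and (Test-Path $cached)) {
        $live  = (Get-FileHash -Algorithm SHA256 -Path $userinit).Hash
        $cache = (Get-FileHash -Algorithm SHA256 -Path $cached).Hash
        $result['HashMatchesDllcache'] = ($live -eq $cache)
    } else {
        $result['HashMatchesDllcache'] = $false   # a missing file is a finding too
    }

    # 2. Same comparison against the known-good copy, if one was supplied.
    if ($ReferenceFile -and (Test-Path $ReferenceFile) -and (Test-Path $userinit)) {
        $ref = (Get-FileHash -Algorithm SHA256 -Path $ReferenceFile).Hash
        $result['HashMatchesReference'] = ($live -eq $ref)
    }

    # 3. Do the Winlogon values still point where they should? Anything
    #    other than the default deserves a look before the next reboot.
    $actual = Get-ItemProperty -Path $winlogon
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        $result["Winlogon.$name"]           = $value
        $result["Winlogon.$name.IsDefault"] = ($value -eq $expected[$name])
    }
    return [pscustomobject]$result
}

# Usage: run as Administrator; pass a reference copy when available, e.g.
#   Test-UserinitIntegrity -ReferenceFile 'C:\i386\userinit.exe'
Test-UserinitIntegrity | Format-List
```

Every field that comes back `False` or non-default is a reason to repeat the replacement in step 10 or to look more closely at the Winlogon key before trusting the machine; the script reports, it does not change anything.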


6 Responses

  1. Interesting. Thanks for the method. I am trying it now for a friend. Had to download a file called drweb-cureit.exe – the cureit.exe file wouldn’t unzip/install in ram.

    Having a few problems getting the scan to finish – the Ramdisk is only 95MB and the log it creates gets to around 45MB before it crashes the program. So putting the logfile on the drive you are scanning seems sensible. And yet it still crashed on me.

    Another thing, I think it might be wise to stop access to the web after the file drweb-cureit.exe is downloaded.

    I think I might have to do as many scans as there are C: drive main folders. Plus a gallant try to do the lot at the end in one scan.

    As a preventative measure (and I have read a lot about this virus and no one has mentioned it), it is just crazy these days not to do a Norton Ghost of your drive to a hard disk once a week. Then you can always go back instantly to at least a machine that was functioning well a week ago. And how do you know when a machine starts to malfunction? Webpatrol. Perfect solution in these days of truly bad virii.

  2. Sorry – that should have read “WinPatrol”- it’s free too…

    One other thing – be sure to set up Dr Web in settings to investigate archives and move them if necessary.

  3. Thanks, Terry, for your comment and ideas. They’re great! I have thought about Norton Ghost lately too, although I don’t have it, I mean haven’t purchased it yet. I’ll look into the WinPatrol. I didn’t have the problem you mentioned with the log file. Is there a setting to turn it on? I wish there was a way to have a larger Ram disk. You can also take the hard drive out and attach it to another computer and run antispyware against it. About disconnecting, I don’t think a virus can run off a boot disk, even though this Virut is one powerful virus, so maybe it can. I’ve heard it coming back from a reformatted disk. Thanks again for your comment.

  4. I can report that your method – and your method alone – worked for me. Thanks so much – you don’t know how much!

    You can enlarge the Ram disk. But it means rebuilding the UBCD disk according to their instructions. Google it if you need to…

    Yes, I have read it can come back from a reformatted disk…IF you have not turned the machine off completely before the reformat (what a virus!).

    BTW: do the Repair Install even if you think you don’t have to at first. I eventually had to…

    You might still have some files that are wobbly; so over time it would be best if you can re-install any and every (.exe and .scr) “program” you have on your machine. Trash the .scr files (you can always get them again…)

    I’m investigating “Rollback” as an alternative to Ghosting. I have learnt recently that Norton Ghost really came to an end in 2003 (with version 793 – all the versions beyond that are not based on the same great program and are Symantec rebrands of (I believe inferior) software).

    It really is terrible that we have no up-to-date and perfect way to “ghost” our machines any more (unless Norton Ghost v793 still works for you – it should, but it’s an old program – who knows unless you test it?).

    Everything I have read about ghosting software beyond (the true) Norton Ghost is somewhat negative.

    It is almost as if the powers that be want you to reinstall/reformat Windows for the rest of your life.

    Anyhow, you saved the day! You and you alone. (Trust me – I tried around a dozen other methods online before yours.)

    Thanks so much again! You are the one!

  5. You’re very welcome. Thanks for your comments. We just got another computer with Virut. But it is going to have to wait until Monday. It presented as a computer that wouldn’t fully boot and memory error messages.

    I looked at Rollback on-line after you mentioned it. It looks wonderful. It would be great if it worked. The website says it is a more robust type of System Restore. I wonder though that like System Restore, it would not work with viruses, I mean the viruses would persist. Do you know anything about that?

    Have you tried Acronis as an imaging software? It’s rated highly on one site. I thought I might try it.

    I’ve also been reading about Sandboxing, where you have a “Sandbox” into which all programs and software are downloaded and if something is causing a problem you can delete the Sandbox.

    You say it tells you how to increase the Ram size on the UBCD disk site. How exciting. I’ll look into it.

    Nice talking to you. We should start an “I Fixed Virut without Reformatting Club!” We could even get t-shirts. Bye.