W32.Virut.CF Removal Tool

Download Removal Tool|Printer Friendly Page

Discovered: February 04, 2009
Type: Removal Information

This tool is designed to remove infections of W32.Virut.CF.


  • If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file-sharing, or set the shared files to Read-Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read-Only access or by using password protection.

    For instructions on how to do this, refer to your Windows documentation, or the document: How to configure shared Windows folders for maximum network protection.

  • If you are removing an infection from a network, first make sure that all of the shares are disabled or set to Read-Only.

  • This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.

How to download and run the tool

Important: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, or Windows 7.

Note for administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line with the Exclude switch. For more information, read the Microsoft knowledge base article: XADM: Do Not Back Up or Scan Exchange 2000 Drive M (Article 298924).

Follow these steps to download and run the tool:
  1. Download the FixVirut.exe file from the following location:
    FixVirut.CF Removal Tool
  2. The FixVirut.exe file is a self-extracting archive file that contains FixVirut32bit.com and FixVirut64bit.com. Double-click the FixVirut.exe file to extract these files on to your computer.
  3. Optional: To check the authenticity of the digital signature of the FixVirut32bit.com or FixVirut64bit.com files, refer to the "Digital signature" section later in this writeup.

    Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.

  4. Close all the running programs.
  5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
  6. If you are running Windows Me, XP, Vista or 7, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

  7. Turn System Restore on or off (Applies to Windows 7)
  8. Double-click the appropriate version (FixVirut32bit.com or FixVirut64bit.com) for your operating system to start the removal tool.
  9. Click Start to begin the process, and then allow the tool to run.

    Note: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in safe mode and run the tool again.

  10. Restart the computer.
  11. Run the removal tool again to ensure that the system is clean.
  12. If you are running Windows Me/XP/Vista/7, then re-enable System Restore.
  13. If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
  14. Run LiveUpdate to make sure that you are using the most current virus definitions.

When the tool has finished running, you will see a message indicating whether the threat has infected the computer and if any files were not repaired. The tool writes a summary of its operation to a log file, named either FixVirut32bit.log or FixVirut64bit.log with results similar to the following:
  • List of detected files
  • List of repaired files
  • List of unrepairable files
  • List of terminated viral processes

What the tool does

The removal tool does the following:
  • Ends the associated processes
  • Repairs the associated files
  • Deletes the registry values added by the threat


The following switches are designed for use by network administrators:
  • /HELP, /H, /?
    Displays the help message.
  • /SILENT, /S
    Enables the silent mode.
    If silent mode is enabled, no reboot will occur.
    Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, either FixVirut32bit.log or FixVirut64bit.log, in the same folder from which the removal tool was executed.
    Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
    Disables scanning of removable drives.

Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
  • The scanning of mapped drives scans only the mapped folders. This may not include all of the folders on the remote computer, which can lead to missed detections.
  • If a viral file is detected on the mapped drive, the repair may fail if a program on the remote computer uses this file.
  • On Windows Vista/7 scanning mapped drives may fail if the user account running the removal tool is not the Administrator account, even if it is a member of the Administrator group. In these cases the mapped drive will appear as disconnected after scanning with the removal tool. Please see the following article for more information:

    Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems
Therefore, you should run the tool on every computer.

Digital signature
For security purposes, both of the removal tools (FixVirut32bit.com and FixVirut64bit.com) are digitally signed. Symantec recommends that you use only copies of the removal tool that have been directly downloaded from the Symantec Security Response website.

If you are not sure, or are an administrator and wish to authenticate files before deployment, you should check the authenticity of the digital signature.

Follow these steps:
  1. Navigate to the folder where the files were extracted to.
  2. Open the relevant folder for your operating system (either 32bit or 64bit).
  3. Right-click the file and select Properties.
  4. Select the "Digital Signatures" tab.
  5. Select the digital signature for the file.
  6. Click "Details".
    Note: A message should state that "This digital signature is OK."

Note: The date and time shown in the above image is for illustrative purposes only. The actual date and time will vary according to the version of the tool.

The FixVirut32bit.com file has the following details in the "Signer information" section:
Name: Symantec Corporation
Signing time: 27 June 2013 08:40:59

The FixVirut64bit.com file has the following details in the "Signer information" section:
Name: Symantec Corporation
Signing time: 27 June 2013 08:42:48

Note: The date and time in the digital signatures above are based on UTC. They will be adjusted to your computer's time zone and Regional Options settings.