Avast 7 found "Win 32:Rustock-AY [Rtk]" on file "C:\Users\CBM\ntuser.dat".
Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
When you have the result, copy the URL in your address bar and post it here for us to see.
The Rustock botnet was a botnet that operated from around 2006[1] until March 2011.
So in theory it (the Rustock botnet) shouldn’t be an active botnet if what is mentioned in Wikipedia is correct.
I have checked my Win7 system and I can’t see any copy of my user\name\ntuser.dat which is even close to the 1.5MB that mine is. I even right clicked on it and there is no copy listed under the Previous Versions tab. That said, do you do regular backups?
I’m just wondering if you might be able to use System Restore to go to a point before this was an issue, though I’m loath to go down that route just yet.
@DavidR
My ntuser.dat is about 5.5 MB. I don’t have any previous version of this file. And no, sorry, but I don’t do regular system backups, only of personal files.
@Pondus
How can I scan the ntuser.dat? It is blocked by Windows. How can I copy the file to a different location?
I take it that you aren’t getting a detection in normal Windows running, as I asked before, as I’m not convinced it is a good detection?
Which is why we are dancing around this trying not to get too radical. Scans on my ntuser.dat files don’t turn up anything, which isn’t unusual as it is a pretty unique file.
The first time I ran a scan on startup, and when it showed me that the ntuser.dat file was infected, I deleted it. BIG MISTAKE!
Then, like a miracle, I don’t know exactly how, I restored the ntuser.dat file by a system restore (I don’t know the English name): I restarted and told Windows to restore the previous version or similar.
Then I tried to rescan on startup and repair the file, with no result.
I also tried to scan the file with a normal Avast scan in Windows, and Avast said the file is infected but it can’t be repaired (because, I know, it’s used by the system).
Now I would like to take this file and scan it with http://www.virustotal.com/, but I can’t copy this file. I tried also in safe boot, but nothing.
How can I copy this ntuser.dat file to a different location to scan it?
The link from Reply #2 outlines the way to create a temporary folder suspect and exclude it from scans.
As to how you would copy it, you don’t say why it couldn’t be copied, errors, etc. (maybe UAC blocking, but probably file in use, see image)?
If file in use, I’m at a loss as to how it might be copied.
EDIT: Though if you log on as the administrator, your users\cbm\ntuser.dat file shouldn’t be in use, so you should be able to navigate to its location and copy it to the suspect folder.
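The procedure above (log on as a different administrator, copy the hive to a suspect folder excluded from scans, then submit it) as an added PowerShell example that is not from this thread or from Avast. It assumes the profile folder name `cbm` from the first post, a constructed suspect folder `C:\suspect`, and PowerShell 4 or later for `Get-FileHash`. It first checks whether the hive is still loaded under `HKEY_USERS`, which is the usual reason a copy fails with "file in use".

```powershell
# Added example, not from the thread. Run from a *different* local administrator
# account than the one whose hive you want to copy; a loaded hive cannot be copied.
param(
    [string]$ProfileName = 'cbm',        # profile folder name from the thread
    [string]$SuspectDir  = 'C:\suspect'  # constructed; exclude this folder from Avast scans first
)

$profileDir = "C:\Users\$ProfileName"
$hivePath   = Join-Path $profileDir 'ntuser.dat'

# 1. Is this user's hive currently loaded? Map the profile path to its SID via
#    ProfileList, then test whether HKEY_USERS\<SID> exists. A loaded hive is
#    locked by the kernel, so the user must be logged off completely (or you
#    reboot and log on as someone else) before the copy can succeed.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$sid = Get-ChildItem $profileList |
    Where-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath -ieq $profileDir } |
    Select-Object -ExpandProperty PSChildName -First 1

if ($sid -and (Test-Path "Registry::HKEY_USERS\$sid")) {
    Write-Warning "Hive for $ProfileName ($sid) is loaded; that user is still logged on. Log them off fully and retry."
    return
}

# 2. Copy the hive into the suspect folder. ntuser.dat is hidden+system, hence -Force.
New-Item -ItemType Directory -Path $SuspectDir -Force | Out-Null
$dest = Join-Path $SuspectDir "ntuser_$ProfileName.dat"
try {
    Copy-Item -LiteralPath $hivePath -Destination $dest -Force -ErrorAction Stop
} catch {
    # Typically "being used by another process" if the hive is still loaded.
    Write-Error "Copy failed: $($_.Exception.Message)"
    return
}

# 3. Hash the copy. Looking the SHA-256 up on VirusTotal first avoids uploading a
#    registry hive (which holds personal settings) unless it is genuinely unknown.
$hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
"Copied to $dest"
"SHA256: $hash  (search this on virustotal.com before deciding whether to upload)"
```

The copy is made with `-LiteralPath` so the name is never interpreted as a wildcard, and the original hive in the profile folder is never modified; only the copy in the excluded folder is handled.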
ntuser.dat is a registry hive file (stores the per user part of the registry) and it is (for obvious reasons) locked by the system. Generally, if it’s in the user profile folder, where it belongs, don’t try to do anything stupid with it, or you will break your system EXTREMELY BADLY, seriously, don’t touch it and don’t let avast touch it either (put it into exclusions).
As I wrote, I know that ntuser.dat is an important file whose deletion can seriously compromise the system, but what can I do if Avast 7 tells me that it is infected?
How can I disinfect it?
If the ntuser.dat is the registry, is it possible to scan the registry for viruses?
@cbmrulez
I thought right from the start it was possibly an FP, that and because of its importance was why we were dancing around avoiding doing anything to the actual file in its original location.
Hopefully, sending it to Avast for analysis should resolve this detection, though each ntuser.dat file is pretty unique as it reflects the user’s system and what they have installed. This is no doubt why I didn’t find anything wrong on mine and why we didn’t have a flood of similar topics in the forums.