Infected ntuser.dat

Hi,

I’ve done a scan on startup of my Windows 7 system and Avast 7 found “Win 32:Rustock-AY [Rtk]” on file “C:\Users\CBM\ntuser.dat”.

I tried to repair the file but it can’t be repaired by avast.

I know that I can’t delete the ntuser.dat file, because I would lose all my account information.

What can I do to disinfect the ntuser.dat file?

Is there a way to delete or regenerate it, without loss of data?

Is Rustock a dangerous threat?

Please help me.

Thanks,
Mario

Avast 7 found "Win 32:Rustock-AY [Rtk]" on file "C:\Users\CBM\ntuser.dat".
upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners. When you have the result, copy the URL in your address bar and post it here for us to see

alternative
Jotti - http://virusscan.jotti.org/en
VIRScan - http://virscan.org/
Metascan - http://metascan-online.com/

Is Rustock a dangerous threat?
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fRustock
http://en.wikipedia.org/wiki/Rustock_botnet
http://www.securelist.com/en/analysis/204792011/Rustock_and_All_That

start a new topic in the virus and worms section where you attach the logs requested

Follow this guide and attach logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

if you have problems attaching the logs…upload to www.mediafire.com and post the download link

Only true virus infections can be repaired, and this is being reported as a Rootkit [Rtk], which is strange to me. How big is this file?

Presumably this file isn’t detected as infected during normal running; the reason I ask is that avast runs an anti-rootkit scan 8 minutes after boot.

So if it were a true rootkit I would expect it to have been detected on that scan.

There are many variants of Rustock, so I don’t know what the difference is between the -AY [Rtk] variant and the general Rustock botnet, which is:
http://en.wikipedia.org/wiki/Rustock_botnet

The Rustock botnet was a botnet that operated from around 2006[1] until March 2011.

So in theory it (the Rustock botnet) shouldn’t be an active botnet, if what is mentioned in Wikipedia is correct.

I have checked my Win7 system and I can’t see any copy of my user\name\ntuser.dat which is even close to the 1.5MB that mine is. I even right-clicked on it and there is no copy listed under the Previous Versions tab. That said, do you do regular backups?

I’m just wondering if you might be able to use system restore to go to a point before this was an issue, though I’m loath to go down that route just yet.

Thanks for replies.

@DavidR
My ntuser.dat is about 5,5 MB. I don’t have any previous version of this file. And no, sorry, but I don’t do regular system backups, only of personal files.

@Pondus
How can I scan the ntuser.dat? It is blocked by Windows. How can I copy the file to a different location?

Thanks,
Mario

@Pondus How can I scan the ntuser.dat? It is blocked by Windows. How can I copy the file to a different location?
See how to in last post by DavidR here http://forum.avast.com/index.php?topic=87295.msg701625#msg701625

OBS… do you have the file in chest?

No, my ntuser.dat file isn’t in the chest.

Thanks,
Mario

I take it that you aren’t getting a detection in normal Windows running, as I asked before, as I’m not convinced it is a good detection?

Which is why we are dancing around this, trying not to get too radical. Scans on my ntuser.dat files don’t turn up anything, which isn’t unusual as it is a pretty unique file.

@DavidR

The first time I ran a scan on startup, when it showed me that the ntuser.dat file was infected, I deleted it. BIG MISTAKE!

Then, like a miracle, I don’t know exactly how, I restored the ntuser.dat file by a system restore (I don’t know the English name): I restarted and told Windows to restore a previous version or similar.

Then I tried to rescan on startup and repair the file, with no result.

I also tried to scan the file with a normal avast scan in Windows, and avast said the file is infected but it can’t be repaired (because, I know, it’s used by the system).

Now, I would like to take this file and scan it with http://www.virustotal.com/, but I can’t copy this file. I also tried in safe boot, but nothing.

How can I copy this ntuser.dat file to a different location to scan it?

Thanks,
Mario

The link from Reply #2 outlines the way to create a temporary folder, suspect, and exclude it from scans.

As to how you would copy it, you don’t say why it couldn’t be copied, errors, etc. (may be UAC blocking, but probably file in use, see image)?

If file in use, I’m at a loss as to how it might be copied.

EDIT: Though if you log on as the administrator, your users\cbm\ntuser.dat file shouldn’t be in use, so you should be able to navigate to its location and copy it to the suspect folder.

ntuser.dat is a registry hive file (stores the per user part of the registry) and it is (for obvious reasons) locked by the system. Generally, if it’s in the user profile folder, where it belongs, don’t try to do anything stupid with it, or you will break your system EXTREMELY BADLY, seriously, don’t touch it and don’t let avast touch it either (put it into exclusions).
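Since the thread comes down to whether a copy of ntuser.dat is a sound registry hive or a damaged one, here is an added check (editor's example, not code from the thread, from Avast or from any poster) that parses the REGF base block and the root key of a hive copy obtained the way DavidR describes (logging in as a different administrator so the hive is not in use). It recomputes the header checksum, compares the two sequence numbers (they differ when the copy was taken mid-write), and confirms the bins data fits the file. The sample hive it runs on is constructed inside the script; the root key name, timestamp and file name are assumptions, not values from the poster's file. Pass a path on the command line to inspect a real copy instead.

```python
"""Sanity-check a copied Windows registry hive such as ntuser.dat.
Editor's example: parses the REGF base block and first hive bin, recomputes
the header checksum and reports inconsistencies. Sample hive is constructed."""
import struct
import sys
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096   # the REGF base block occupies the first 4 KiB page
HBIN_HEADER_SIZE = 32    # each hive bin starts with a 32-byte "hbin" header
NK_HEADER_SIZE = 0x4C    # fixed part of a key node ("nk") record; the name follows it
KEY_COMP_NAME = 0x0020   # nk flag: key name stored as 8-bit characters
KEY_HIVE_ENTRY = 0x0004  # nk flag: this key is the root of the hive


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 over the first 508 bytes of the base block (127 little-endian DWORDs)."""
    checksum = 0
    for word in struct.unpack("<127I", base_block[:508]):
        checksum ^= word
    return checksum


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def inspect_hive(data: bytes) -> dict:
    """Validate the base block and root key of a hive image; return a report dict."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file is shorter than a REGF base block")
    findings = []
    hdr = data[:BASE_BLOCK_SIZE]
    if hdr[:4] != b"regf":
        findings.append("missing 'regf' signature: not a registry hive")
    primary_seq, secondary_seq = struct.unpack_from("<II", hdr, 4)
    (last_written,) = struct.unpack_from("<Q", hdr, 12)
    major, minor, file_type, _fmt, root_offset, hbins_size = struct.unpack_from("<6I", hdr, 20)
    file_name = hdr[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    (stored_checksum,) = struct.unpack_from("<I", hdr, 508)

    if stored_checksum != regf_checksum(hdr):
        findings.append("base block checksum mismatch: header corrupt or tampered")
    if primary_seq != secondary_seq:
        findings.append("sequence numbers differ: copy taken mid-write, pending .LOG not applied")
    if major != 1:
        findings.append(f"unexpected major version {major}")
    if file_type != 0:
        findings.append(f"file type {file_type} is not a primary hive file")
    if BASE_BLOCK_SIZE + hbins_size > len(data):
        findings.append("hive bins size exceeds file size: truncated copy")

    if len(data) >= BASE_BLOCK_SIZE + HBIN_HEADER_SIZE:
        sig, bin_offset, _bin_size = struct.unpack_from("<4sII", data, BASE_BLOCK_SIZE)
        if sig != b"hbin" or bin_offset != 0:
            findings.append("first hive bin header invalid")
    else:
        findings.append("no hive bin follows the base block")

    root_key = None
    cell = BASE_BLOCK_SIZE + root_offset          # root offset is relative to the bins data
    if root_offset < hbins_size and cell + 4 + NK_HEADER_SIZE <= len(data):
        (cell_size,) = struct.unpack_from("<i", data, cell)   # negative size = allocated cell
        nk = cell + 4
        if cell_size < 0 and data[nk:nk + 2] == b"nk":
            (flags,) = struct.unpack_from("<H", data, nk + 2)
            (name_len,) = struct.unpack_from("<H", data, nk + 0x48)
            raw = data[nk + NK_HEADER_SIZE:nk + NK_HEADER_SIZE + name_len]
            root_key = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le", errors="replace")
            if not flags & KEY_HIVE_ENTRY:
                findings.append("root key lacks the hive-entry flag")
        else:
            findings.append("root cell is not an allocated 'nk' record")
    else:
        findings.append("root cell offset points outside the hive bins")

    return {"file_name": file_name, "version": (major, minor),
            "last_written": filetime_to_datetime(last_written),
            "sequence": (primary_seq, secondary_seq), "hbins_size": hbins_size,
            "file_size": len(data), "root_key": root_key,
            "findings": findings, "ok": not findings}


def build_sample_hive(root_name: bytes = b"CMI-CreateHive{SAMPLE}", corrupt: bool = False) -> bytes:
    """Construct a minimal well-formed hive: base block plus one bin holding the root key."""
    hbin_size = 4096
    nk = bytearray(NK_HEADER_SIZE)
    nk[0:2] = b"nk"
    struct.pack_into("<H", nk, 2, KEY_COMP_NAME | KEY_HIVE_ENTRY)
    struct.pack_into("<H", nk, 0x48, len(root_name))
    body = bytes(nk) + root_name
    cell_len = (4 + len(body) + 7) & ~7                 # cells are 8-byte aligned
    cell = (struct.pack("<i", -cell_len) + body).ljust(cell_len, b"\x00")
    hbin = bytearray(hbin_size)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, hbin_size)       # bin offset within bins data, bin size
    hbin[HBIN_HEADER_SIZE:HBIN_HEADER_SIZE + cell_len] = cell
    free = hbin_size - HBIN_HEADER_SIZE - cell_len
    struct.pack_into("<i", hbin, HBIN_HEADER_SIZE + cell_len, free)   # positive size = free cell

    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 7, 7)                # equal sequence numbers: clean state
    struct.pack_into("<Q", hdr, 12, 129771072000000000)  # constructed FILETIME: 2012-03-25 00:00 UTC
    # major 1, minor 3 (Windows 7 hives), primary file, format 1, root cell offset, bins size
    struct.pack_into("<6I", hdr, 20, 1, 3, 0, 1, HBIN_HEADER_SIZE, hbin_size)
    name = "ntuser.dat".encode("utf-16-le")
    hdr[48:48 + len(name)] = name
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    if corrupt:
        hdr[60] ^= 0x55                                  # flip a byte after the checksum was written
    return bytes(hdr) + bytes(hbin)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive()
    for key, value in inspect_hive(image).items():
        print(f"{key}: {value}")
```

A clean report with matching sequence numbers and a valid checksum says the copy is a structurally sound hive; it says nothing about the content of the keys inside it, which is what the multi-engine scans later in the thread are for. A checksum mismatch on a copy taken from a logged-off profile, on the other hand, is worth knowing before anyone tries to repair or replace the original.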

@warlock

As I wrote, I know that ntuser.dat is an important file and that deleting it can seriously compromise the system, but what can I do if avast7 tells me that it is infected?

How can I disinfect it?

If the ntuser.dat is the registry, is it possible to scan the registry for viruses?

Thanks,
Mario

if you think you are infected… read my reply #2

Ok guys, after a lot of thinking and searching, I’ve done the first step myself: to copy the ntuser.dat to a different location.

It was very simple to do, because I only needed to activate the Administrator account, log in as Admin and copy the user ntuser.dat to a different location.

Now I have the file to run tests on.

Here is the scan by virustotal.com:
https://www.virustotal.com/file/d06b2b7f13f066c3e8dd8ce174b75bde984f282ba6c5b3fe0a6782df3c748ea8/analysis/1332661264/

Thanks,
Mario

It seems that only Avast detects this threat…

Mario

http://virusscan.jotti.org/en/scanresult/85c7bcc470a0acd9e95924b2caedda68e6eba565

Another time it’s only avast…

You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

http://r.virscan.org/report/9641b803815b3600266015c728b613c8.html

Another avast-only detection…

@Asyn
I’ll do it, but I don’t know if it’s a false positive. I hope so, but I don’t really know it.

Well, if it’s no FP, it won’t be removed anyway. :wink:

@cbmrulez
I thought right from the start it was possibly an FP; that, and because of its importance, was why we were dancing around, avoiding doing anything to the actual file in its original location.

Hopefully, sending it to avast for analysis should resolve this detection, though each ntuser.dat file is pretty unique as it reflects the users system and what they have installed. This is no doubt why I didn’t find anything wrong on mine and why we didn’t have a flood of similar topics in the forums.