Author Topic: Infected ntuser.dat  (Read 13166 times)


Offline cbmrulez

  • Newbie
  • *
  • Posts: 9
Infected ntuser.dat
« on: March 23, 2012, 04:27:09 PM »
Hi,

I've done a scan on startup of my Windows 7 system and Avast 7 found "Win 32:Rustock-AY [Rtk]" on file "C:\Users\CBM\ntuser.dat".

I tried to repair the file but it can't be repaired by avast.

I know that I can't delete the ntuser.dat file, because I would lose all my account information.

What can I do to disinfect the ntuser.dat file?

Is there a way to delete or regenerate it without loss of data?

Is Rustock a dangerous threat?

Please help me.

Thanks,
Mario

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Infected ntuser.dat
« Reply #1 on: March 23, 2012, 04:51:21 PM »
Quote
Avast 7 found "Win 32:Rustock-AY [Rtk]" on file "C:\Users\CBM\ntuser.dat".
Upload the suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
When you have the result, copy the URL in your address bar and post it here for us to see.

Alternatives:
Jotti - http://virusscan.jotti.org/en
VIRScan - http://virscan.org/
Metascan - http://metascan-online.com/

Quote
Is Rustock a dangerous threat?
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fRustock
http://en.wikipedia.org/wiki/Rustock_botnet
http://www.securelist.com/en/analysis/204792011/Rustock_and_All_That
« Last Edit: March 23, 2012, 04:58:05 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Infected ntuser.dat
« Reply #2 on: March 23, 2012, 04:53:11 PM »
Start a new topic in the Virus and Worms section and attach the requested logs.


Follow this guide and attach logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0


If you have problems attaching the logs, upload them to www.mediafire.com and post the download link.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Infected ntuser.dat
« Reply #3 on: March 23, 2012, 05:09:04 PM »
Only true virus infections can be repaired, and this is being reported as a Rootkit [Rtk], which is strange to me. How big is this file?

Presumably this file isn't detected as infected during normal running? The reason I ask is that avast runs an anti-rootkit scan 8 minutes after boot.

So if it were a true rootkit I would expect it to have been detected on that scan.

There are many variants of Rustock, so I don't know what the difference is between the -AY [Rtk] variant and the general Rustock botnet:
http://en.wikipedia.org/wiki/Rustock_botnet
Quote
The Rustock botnet was a botnet that operated from around 2006[1] until March 2011.

So in theory it (the Rustock botnet) shouldn't be an active botnet, if what is mentioned in Wikipedia is correct.

I have checked my Win7 system and I can't see any copy of my user\name\ntuser.dat which is even close to the 1.5MB that mine is. I even right-clicked on it and there is no copy listed under the Previous Versions tab. That said, do you do regular backups?

I'm just wondering if you might be able to use system restore to go to a point before this was an issue, though I'm loath to go down that route just yet.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline cbmrulez

  • Newbie
  • *
  • Posts: 9
Re: Infected ntuser.dat
« Reply #4 on: March 23, 2012, 05:20:15 PM »
Thanks for replies.

@DavidR
My ntuser.dat is about 5.5 MB. I don't have any previous version of this file. And no, sorry, but I don't do regular system backups, only personal files.

@Pondus
How can I scan the ntuser.dat? It is blocked by Windows. How can I copy the file to a different location?

Thanks,
Mario

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Infected ntuser.dat
« Reply #5 on: March 23, 2012, 05:27:27 PM »
Quote
@Pondus
How can I scan the ntuser.dat? It is blocked by Windows. How can I copy the file to a different location?
See how in the last post by DavidR here: http://forum.avast.com/index.php?topic=87295.msg701625#msg701625


NB: do you have the file in the chest?
« Last Edit: March 23, 2012, 05:32:23 PM by Pondus »

Offline cbmrulez

  • Newbie
  • *
  • Posts: 9
Re: Infected ntuser.dat
« Reply #6 on: March 23, 2012, 05:33:39 PM »
No, my ntuser.dat file isn't in the chest.

Thanks,
Mario

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Infected ntuser.dat
« Reply #7 on: March 23, 2012, 05:38:18 PM »
I take it that you aren't getting a detection in normal Windows running, as I asked before? I'm not convinced it is a good detection.

Which is why we are dancing around this, trying not to get too radical. Scans on my ntuser.dat files don't turn up anything, which isn't unusual as it is a pretty unique file.

Offline cbmrulez

  • Newbie
  • *
  • Posts: 9
Re: Infected ntuser.dat
« Reply #8 on: March 23, 2012, 07:07:46 PM »
@DavidR

The first time I ran a scan on startup, and when it showed me that the ntuser.dat file was infected, I deleted it. BIG MISTAKE!

Then, like a miracle (I don't know exactly how), I restored the ntuser.dat file with a system restore; I don't know the English name, but I restarted and told Windows to restore a previous version or similar.

Then I tried to rescan on startup and repair the file, with no result.

I tried also to scan the file with normal avast scan in windows and avast said the file is infected but it can't be repaired (because I know it's used by the system).

Now I would like to take this file and scan it with http://www.virustotal.com/, but I can't copy this file. I also tried in safe boot, but nothing.

How can I copy this ntuser.dat file in a different location to scan it?

Thanks,
Mario

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Infected ntuser.dat
« Reply #9 on: March 23, 2012, 07:22:59 PM »
The link from Reply #2 outlines the way to create a temporary folder named suspect and exclude it from scans.

As to how you would copy it, you don't say why it couldn't be copied (errors, etc.); it may be UAC blocking it, but it is probably the file being in use (see image)?

If file in use, I'm at a loss as to how it might be copied.

EDIT: Though if you log on as the administrator, your users\cbm\ntuser.dat file shouldn't be in use, so you should be able to navigate to its location and copy it to the suspect folder.
« Last Edit: March 23, 2012, 07:27:18 PM by DavidR »

warlock

  • Guest
Re: Infected ntuser.dat
« Reply #10 on: March 23, 2012, 09:20:11 PM »
ntuser.dat is a registry hive file (stores the per user part of the registry) and it is (for obvious reasons) locked by the system. Generally, if it's in the user profile folder, where it belongs, don't try to do anything stupid with it, or you will break your system EXTREMELY BADLY, seriously, don't touch it and don't let avast touch it either (put it into exclusions).

Offline cbmrulez

  • Newbie
  • *
  • Posts: 9
Re: Infected ntuser.dat
« Reply #11 on: March 24, 2012, 12:51:38 PM »
@warlock

As I wrote, I know that ntuser.dat is an important file that can seriously compromise the system if deleted, but what can I do if avast7 tells me that it is infected?

How can I disinfect it?

If the ntuser.dat is the registry, is it possible to scan the registry for viruses?

Thanks,
Mario

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Infected ntuser.dat
« Reply #12 on: March 24, 2012, 01:40:59 PM »
If you think you are infected, read my reply #2.

Offline cbmrulez

  • Newbie
  • *
  • Posts: 9
Re: Infected ntuser.dat
« Reply #13 on: March 25, 2012, 09:46:21 AM »
Ok guys, after a lot of thinking and searching, I've done the first step myself: copying the ntuser.dat to a different location.

It was very simple to do, because I only needed to activate the Administrator account, log in as Admin and copy the user's ntuser.dat to a different location.

Now I have the file to make tests.

Here is the scan by virustotal.com:
https://www.virustotal.com/file/d06b2b7f13f066c3e8dd8ce174b75bde984f282ba6c5b3fe0a6782df3c748ea8/analysis/1332661264/

Thanks,
Mario
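Once a copy of ntuser.dat has been taken from another account, as Mario did above, a defender would first confirm the copy is an intact registry hive (the point warlock makes in Reply #10) and compute its SHA-256, which lets it be looked up on VirusTotal by hash before uploading a file full of personal data. The following is an added example, not code from this thread or from avast; it reads the public "regf" base-block layout (signature, sequence numbers, version, hive-bins size, embedded name, XOR checksum at offset 508), and the sample hive it builds is constructed for illustration.

```python
import hashlib
import struct

BASE_BLOCK = 512  # every regf hive starts with a 512-byte base block

def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 127 little-endian DWORDs; Windows stores it at offset 508."""
    ck = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        ck ^= dword
    return ck

def inspect_hive(data: bytes) -> dict:
    """Sanity-check a copied hive and return the facts a triage note needs."""
    if len(data) < BASE_BLOCK:
        raise ValueError("too short to be a registry hive")
    hdr = data[:BASE_BLOCK]
    if hdr[:4] != b"regf":
        raise ValueError("no 'regf' signature: this is not a registry hive")
    seq1, seq2 = struct.unpack_from("<II", hdr, 4)
    major, minor = struct.unpack_from("<II", hdr, 20)
    hbins_len = struct.unpack_from("<I", hdr, 40)[0]
    name = hdr[48:112].decode("utf-16-le").rstrip("\x00")
    stored = struct.unpack_from("<I", hdr, 508)[0]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # look this up on VirusTotal first
        "version": f"{major}.{minor}",
        "hive_name": name,
        # seq1 != seq2 means the hive was not cleanly flushed (copied while in use)
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(hdr),
        # base block plus hive bins should account for the whole file
        "size_consistent": len(data) == BASE_BLOCK + hbins_len,
    }

def build_sample_hive(dirty: bool = False) -> bytes:
    """Constructed sample: a minimal, well-formed hive with one empty 4 KiB hbin."""
    hdr = bytearray(BASE_BLOCK)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 7, 6 if dirty else 7)  # primary/secondary sequence
    struct.pack_into("<IIII", hdr, 20, 1, 3, 0, 1)          # v1.3, primary file, format 1
    struct.pack_into("<II", hdr, 36, 0x20, 0x1000)          # root cell offset, hbins size
    name = "\\??\\C:\\Users\\CBM\\ntuser.dat".encode("utf-16-le")  # constructed path
    hdr[48:48 + len(name)] = name
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    hbin = bytearray(0x1000)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 0x1000)             # hbin offset, hbin size
    return bytes(hdr) + bytes(hbin)
```

A real copy is inspected with `inspect_hive(open(path, "rb").read())`; a failing checksum or a dirty flag points to a damaged or in-use copy rather than to malware.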

Offline cbmrulez

  • Newbie
  • *
  • Posts: 9
Re: Infected ntuser.dat
« Reply #14 on: March 25, 2012, 09:47:41 AM »
It seems that only Avast detects this threat...

Mario