Wednesday, October 7, 2009

How To Remove - Rootkit virus "ctu8r.exe", Trojan horse "Herss.exe"

Symptoms:-
  1. You cannot enable "Show Hidden Files and Folders". Even if you do, it is reverted to the disabled state. (Even if you try to change the registry keys which govern this, those values are automatically reverted to the disabled state).
  2. When you try to open any hard disk partition/external hard disk/pendrive by double clicking the corresponding icon in My Computer, a new window opens asking you which program to use to open the drive. But you can still open the drives from the drop-down menu of the address bar of Windows Explorer.
  3. If you are using Avast! antivirus, you keep getting alerts from its Heuristic Scanner about a rootkit virus named "ctu8r.exe". You schedule a boot-time scan in which no infections are found, yet the problem persists after the restart.
Causes:-
Most probably your pc has caught this infection from a pendrive. Do you remember trying to open a pendrive recently which, rather than opening, asked you which program to use to run that drive? The autorun.inf file on that pendrive causes the virus file "ctu8r.exe" to run immediately once you double click/autorun the pendrive. If your antivirus is not yet equipped with the definition of this virus (as was the case with Avast! antivirus on 7 October 2009), it will freely install itself and its associated trojan horses on your pc. The trojan horse Herss.exe is stored in the "Documents and Settings/UserName/Local Settings/Temp" folder, which is a hidden folder. The virus blocks viewing of hidden files and folders, so you cannot manually delete the trojan horse files.

How To Remove:-
I tried many things to do this. I am going to list those which worked.
All the software used is freeware.
(As of 7 October 2009, the free rootkit scanners from F-Secure and Panda are not able to detect this virus. So even if you see "No infections found" in their results, your system may still be infected.)
  1. First download and run Sysinternals Autoruns from HERE. Run the autoruns.exe file. Click on File>Find. Type "Herss.exe". It will highlight a key which you should delete (Right Click>Delete). Restart your pc. (If you don't find such an entry in Autoruns, proceed to step 2).
  2. Download and install Malwarebytes' Anti-Malware from HERE or HERE. Update its virus definitions as soon as you install it and then run a Full Scan of your system. It will detect the trojans (but not the rootkit virus "ctu8r.exe"). You should remove all the trojans. See what it found on my system:-
  3. Once you ask it to remove the trojans, it will most probably ask you to reboot which you should do. Once you restart the pc, all the trojans will be gone. Now you have to take care not to double click on any drive (like C:/, D:/ or pendrives etc.) as it will reactivate "ctu8r.exe". Instead, just open My Computer, click on Tools>Folder Options and under View tab, check "Show Hidden Folders and Files" as well as uncheck "Hide Protected Operating System Files".
  4. As all the trojans are deactivated, you'll be able to see hidden files again. Now, from the drop down menu of the address bar, choose to open C:/ (you have to repeat this process for all the partitions you may have like D:/, E:/ and so on. DON'T DOUBLE CLICK ON THE DRIVE ICON, OPEN IT FROM THE DROP-DOWN LIST).
  5. Follow this procedure for every drive/partition/pendrive:- Find and delete whichever of the following files you can see in the root directory of the drive (like the C:/ directory or the D:/ directory and so on). The files to be deleted are "ctu8r.exe", "autorun.inf" and "sp1jensi.exe". Take care not to run them accidentally. Just delete them. (If you are not able to delete them, use a software called Unlocker. GET IT HERE. Install it, then right click on the above mentioned files and choose Unlocker. Select "Unblock All" if the file is locked and then delete it manually, otherwise choose "Action>Delete"). Delete these files from all partitions and drives by following the same procedure. I repeat, DON'T OPEN THE DRIVES BY DOUBLE CLICKING ON THEIR ICONS. Choose them from the drop-down menu.
  6. Once you have deleted these files, your system is most probably clean. You may want to re-hide the protected operating system files by checking the option for the same under Tools>Folder Options>View Tab.
  7. Just to be sure that you don't have any remnants of these or any other viruses/trojans lurking around, I would recommend running a Combofix scan. For more information about how to get and use it, CLICK HERE. It is an extremely powerful trojan remover, so use it with caution and read all the instructions before using it. Here's the warning posted on their website:- "Due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer."
If you have followed all the steps, you most probably have got rid of this virus by now. If you are still experiencing problems with the "Show Hidden Files and Folders" option (for example, both the Show and Hide options appear selected, or neither of them does), do the following:-
  1. Click Start>Run. Type regedit and click OK.
  2. Navigate to the following keys:-
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
On the right side, both of the above keys have a value called "CheckedValue". Right click on it under each key and delete both of them.
Now right click on the right side of the SHOWALL key, choose New>DWORD Value, name it "CheckedValue" and enter its value as "1".
Follow the same procedure for the NOHIDDEN key, but enter the value as "2".
The DWORD value "DefaultValue" should be "2" under both keys. If it's not, change it accordingly.
This should solve your problem.
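A check-and-repair script for the two registry keys above, added here as an example (it is not from the original post): the expected values are exactly the ones the post gives, the comparison logic is plain Python that runs anywhere, and the two functions that read and write the live registry use Python's winreg module, so they only work on Windows and the repair needs an Administrator prompt.

```python
HIDDEN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"
# DWORD values the post says each subkey must carry.
EXPECTED = {
    "SHOWALL": {"CheckedValue": 1, "DefaultValue": 2},
    "NOHIDDEN": {"CheckedValue": 2, "DefaultValue": 2},
}

def deviations(current):
    """Compare observed values, given as {subkey: {name: int or None}}, with
    EXPECTED and return (subkey, name, observed, expected) for each mismatch.
    A value that is missing or not REG_DWORD is passed in as None, which is
    the state behind the 'both selected or neither selected' symptom."""
    out = []
    for sub, wanted in EXPECTED.items():
        seen = current.get(sub, {})
        for name, value in wanted.items():
            if seen.get(name) != value:
                out.append((sub, name, seen.get(name), value))
    return out

def read_current():
    """Read the live values (Windows only; uses the winreg module)."""
    import winreg
    current = {}
    for sub, wanted in EXPECTED.items():
        current[sub] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HIDDEN + "\\" + sub) as key:
            for name in wanted:
                try:
                    data, kind = winreg.QueryValueEx(key, name)
                except FileNotFoundError:  # value deleted by the infection
                    data, kind = None, None
                current[sub][name] = data if kind == winreg.REG_DWORD else None
    return current

def repair(devs):
    """Write each expected DWORD back (run as Administrator). SetValueEx also
    resets the type, so this matches the post's delete-and-recreate step."""
    import winreg
    for sub, name, _observed, want in devs:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HIDDEN + "\\" + sub,
                            0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, want)

if __name__ == "__main__":
    problems = deviations(read_current())
    for sub, name, observed, want in problems:
        print(f"{sub}\\{name}: found {observed!r}, expected {want}")
    if problems:
        repair(problems)
```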

Preventive Measure:-
Think about completely disabling autorun for all drives/cd-roms etc. You can set up a group policy to do this for one and all. The advantage is that even if you come across a pendrive with such an infection and open it by double clicking on its icon, the virus file will not run automatically. In fact, it won't run unless you yourself try to open the infected *.exe file. You should consider doing this even if you are using a very good paid antivirus, as new viruses can come out at any time, and if your antivirus is not equipped with the definition of a new virus, it can do pretty much nothing about it. The only disadvantage is that you will have to find and run the appropriate file from the CD/drive manually in order to open it. For example, if you have a software disk, you will have to open it from My Computer and run Setup.exe or a similar executable (which you can trust and scan with your antivirus before running) to install the software. It does not take a huge effort to do this and it's totally worth it considering the advantages. CLICK HERE to read how to do this.
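The launch chain described under Causes, the files step 5 tells you to delete, and the autorun risk above, shown as an added example (not code from the original post): a read-only Python scanner that parses the [autorun] section of an autorun.inf found in a drive root, reports the open=, shellexecute= and shell\verb\command= entries that AutoPlay or Explorer's double-click verb would execute, and flags the three filenames the post names. The sample autorun.inf is constructed for illustration and nothing found on the drive is ever run.

```python
import os, tempfile
# The three filenames the post says to delete from every drive root.
KNOWN_BAD = {"ctu8r.exe", "autorun.inf", "sp1jensi.exe"}
# Constructed sample: open= fires on AutoPlay, and the shell\<verb>\command
# lines hijack Explorer's Open/Explore verbs (the "which program" prompt).
SAMPLE_AUTORUN = """[autorun]
open=ctu8r.exe
shell\\open\\Command=ctu8r.exe
shell\\explore\\command="ctu8r.exe" /quiet
"""

def parse_autorun(text):
    """Key=value pairs of the [autorun] section, keys lowercased."""
    section, entries = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Sorted (key, exe) pairs that AutoPlay or a double click would run."""
    hits = []
    for key, value in entries.items():
        verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or verb:
            # executable = quoted path, else first whitespace-delimited token
            exe = value[1:].split('"', 1)[0] if value.startswith('"') else (value.split() or [""])[0]
            hits.append((key, exe))
    return sorted(hits)

def scan_root(root):
    """Read-only check of one drive root; nothing found there is executed."""
    names = {n.lower(): n for n in os.listdir(root)}
    findings = [("bad-file", b) for b in sorted(KNOWN_BAD & set(names))]
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), errors="replace") as f:
            for key, exe in launch_targets(parse_autorun(f.read())):
                findings.append(("autorun:" + key, exe))
    return findings

def demo():
    """Build a throwaway 'drive root' holding the sample files and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "AUTORUN.INF"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    open(os.path.join(root, "ctu8r.exe"), "w").close()  # empty stand-in file
    return scan_root(root)
```

Point scan_root at a real drive root (for example "E:\\") to list what a double click on that drive would have launched.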

2 comments:

Anonymous said...

Thanks a lot mate! This was really helpful. If you know what you're dealing with you can go to "safe mode" and delete/modify everything from there. But I couldn't do it without reading this first:)

Anonymous said...

Your post was very helpful but I'd be very careful about using ComboFix as it tends to delete system\registry files (backups in c:\qoobox\*.vir).
