Attacked by Virut and Refpron



Gpooj
2009-03-09, 23:32
Well, I've finally reached a point where I think I'm ready to connect my PC back to the net, which means I'll be able to follow standard advice.

If you want the full background on what I've been battling see this topic:
http://forums.spybot.info/showthread.php?t=46356

Anyway, long story short:
The Refpron Trojan somehow teleported itself into my system and began downloading whatever virus it could get its hands on. Most notably: Virut, which forced its way into all of my executables.

I was running ZoneAlarm and AVG8.0, but they were more reactive than preventative somehow. Before they realized what was going on my system was maaaassively compromised.

I tried multiple times to use web-based virus scanners to no avail. I unplugged the system from the network for the rest of my "trials". The next day I got an e-mail from my service provider telling me that it detected bulk spam being sent from my IP, and to desist or I'd be cut off. Ooh, ok, so no connecting that system to the net after all...

Using a combination of Knoppix, BartPE, Avast, Spybot, AVG Virut Remover Tool, Dr Web CureIt, Malwarebytes Anti-Malware, sfc /scannow, and two repair installs I'm finally in a situation where I *think* I'm safe to go online again to further troubleshoot this disaster.

Spybot, Avast, Dr Web, and Malwarebytes Anti-Malware say I'm clear of all detectable threats... I don't trust any of them any more.

So, any expert who wants to tackle this one, I'd be much obliged. I'll post whatever log you want me to post, just keep in mind I'd prefer to know I'm safe to go online before I do so.

Blade81
2009-03-10, 19:43
Hi,

Sorry to say, but if your system is hit by a Virut variant, then there's no other way than to reformat the system :sad: A repair install is not enough.

Gpooj
2009-03-10, 21:38
Ooh, well that sucks.

Do I really have no other options? AVG made a custom application to remove Virut and it reported to have cleaned around 1200 infections.

Now, if I run the tool again I get no reports of infected files, plus my system *seems* to run well.

Gpooj
2009-03-10, 21:58
I guess depending on your response my follow-up question might be:

How can I safely back up my files without compromising my current archives? How can I be sure that anything I want to archive is clean if none of my current scan engines are detecting any malware?

...and as a side-side note, if nothing is currently detecting any malware, does that mean I'm safe? Would it be good enough to move my important files to my 2nd hard drive and just do a format/reinstall of Windows itself?

Blade81
2009-03-11, 07:53
Hi,

Virut is a buggy file infector, meaning that though it may look like the infections were cleaned, the symptoms will probably still occur. If it was my system in question I would reformat.

You may use an external USB drive for backing up after you've first made sure it doesn't carry Virut.

1. Download Flash_Disinfector (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your desktop.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.

After that run Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/languages/english/check.html?n=1225554235248) to check your USB drive.

If Kaspersky doesn't find anything bad on the USB drive then you can use it to back up stuff from the infected system, keeping in mind that these file types are not allowed:
-.exe
-.scr
-all web page files (.htm, .html, .asp, .aspx etc.)
-archive files (.zip & .rar) with any of above mentioned file types
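
The file-type filter from the post above, written out as a script. This is an added example, not something posted in the thread or shipped by any of the tools mentioned. It assumes Python 3 on a rescue environment such as the Knoppix live CD the original poster already has, with the infected Windows drive and the checked USB drive both mounted. It skips .exe and .scr, skips web page files (the thread's list says "etc.", so .php and .shtml are added here as an assumption), opens each .zip and refuses it if any member has one of those extensions, and refuses .rar outright because the standard library cannot read it (assumption: no third-party rar module on the rescue system). Everything else is copied with its relative path preserved, and a per-file report is returned so you can see exactly what was left behind. The sample tree in `build_sample_tree` is constructed test data, not real files from the infected machine.

```python
"""Filtered backup from a Virut-infected host: copy SRC to DST, leaving out
the file types the helper said must not be backed up (added example)."""
import os
import shutil
import tempfile
import zipfile

# Extensions named in the thread (.exe, .scr, .htm, .html, .asp, .aspx);
# .php and .shtml are an added assumption covering the thread's "etc.".
EXECUTABLE_EXTS = {".exe", ".scr"}
WEBPAGE_EXTS = {".htm", ".html", ".asp", ".aspx", ".php", ".shtml"}
BANNED_EXTS = EXECUTABLE_EXTS | WEBPAGE_EXTS


def _ext(name):
    return os.path.splitext(name)[1].lower()


def classify(path):
    """Return (ok, reason). ok=False means the file must not be backed up."""
    ext = _ext(path)
    if ext in BANNED_EXTS:
        return False, "banned type %s" % ext
    if ext == ".rar":
        # Assumption: no rar reader available, so the archive cannot be inspected.
        return False, "rar archive cannot be inspected"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if _ext(member) in BANNED_EXTS:
                        return False, "zip contains %s" % member
        except zipfile.BadZipFile:
            return False, "unreadable zip"
    return True, "ok"


def backup_clean(src, dst):
    """Copy allowed files from src to dst, preserving relative paths.
    Returns {relative path (with '/' separators): reason} for every file seen."""
    report = {}
    for dirpath, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src).replace(os.sep, "/")
            ok, reason = classify(full)
            report[rel] = reason
            if ok:
                target = os.path.join(dst, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)  # keeps timestamps for the archive
    return report


def build_sample_tree(root):
    """Constructed sample data (not real files from the infected machine)."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    with open(os.path.join(root, "docs", "thesis.txt"), "w") as f:
        f.write("important text\n")
    with open(os.path.join(root, "docs", "setup.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "docs", "index.html"), "w") as f:
        f.write("<html></html>\n")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("holiday/1.jpg", b"\xff\xd8\xff")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("tool.exe", b"MZ")
        zf.writestr("readme.txt", "hi")
    with open(os.path.join(root, "stuff.rar"), "wb") as f:
        f.write(b"Rar!")


def demo():
    """Run the filter over the constructed tree in a temp dir.
    Returns (report, set of relative paths that actually landed in dst)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "src")
    dst = os.path.join(work, "dst")
    build_sample_tree(src)
    report = backup_clean(src, dst)
    copied = set()
    for dirpath, _dirs, files in os.walk(dst):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), dst)
            copied.add(rel.replace(os.sep, "/"))
    shutil.rmtree(work)
    return report, copied


if __name__ == "__main__":
    rep, cop = demo()
    for rel in sorted(rep):
        print("%-20s %s" % (rel, rep[rel]))
```

On the real machine you would call `backup_clean("/media/sda1/Documents and Settings", "/media/usb/backup")` with the paths Knoppix assigned to the Windows partition and the USB stick. Note that this only reproduces the thread's file-type rule; it is not a scanner, so the drive should still be checked with the online scanner as the post says before anything is restored to the rebuilt system.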

Gpooj
2009-03-11, 15:46
If I load Knoppix, and use Kaspersky to scan all my hard drives and USB drive, then delete all exe, dll, scr, html, asp... etc. files, I should be safe to back up anything else to my USB drive?

Grr... what a ridiculous virus.

Blade81
2009-03-11, 18:27
Hi

By following instructions in my previous reply you should be safe :)

Gpooj
2009-03-11, 21:14
Thanks.

Blade81
2009-03-12, 18:05
No problem. Let me know if there's anything unclear :)

Blade81
2009-03-19, 21:35
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.