[Virut] HJT, Spybot S&D, Kaspersky '09, No safe mode booting



Blankman69
2009-09-02, 01:25
Ok well I am trying to fix a computer for a friend's mother. Trying to run Spybot, HJT, or even running Kaspersky will work the first time around. Spybot will shut down after it starts the scan. Files set to hidden, read only, access denied after Spybot shuts down. Tried installing into different folders, renaming the main exe files. Still the same. I can get TeaTimer to run but that's about all. That solved a couple problems with the malware popping up and drowning the computer. I can run HJT after I copy fresh to the drive under a different name. After scan it shuts down and saves no logfile for me to post. Also access restricted after it shuts down.

Kaspersky goes a little further. I can install it, run it, update it, even scan. But it will not repair any malware problems or anything. Just says it's possible the disk is full (50GB free isn't full to me), or items are password protected, or I don't have access as the Admin. Upon reboot, I can no longer run Kaspersky as it tells me I don't have access, just like Spybot and HJT. Also tried Safe Mode booting to run everything, and the system reboots on TDI.sys, even after expanding it over and over from the i386 directory. I've dealt with a lot of malware and everything else for people but no trouble like this before.

Matt

Ok, well it seems that her computer has been overtaken by the Virut virus. Searched for some solutions. Considering I can't boot into Safe Mode because of the automatic reboot on TDI.sys, Symantec's removal tool can't run. Decided to back up all her documents, not including exe, and do a destructive repair; from what I've read it seems like a removal tool is not always 100% effective.

katana
2009-09-04, 01:46
Ok, well it seems that her computer has been overtaken by the Virut virus. ~ Decided to back up all her documents, not including exe, and do a destructive repair; from what I've read it seems like a removal tool is not always 100% effective.

The wisest choice; we would have advised exactly the same actions.




I'm afraid I have very bad news :(

This machine needs to be formatted.

This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
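The backup rules in the post above (copy documents only, never .exe or .scr, skip archives that contain them, treat htm/html/asp/php as suspect) can be applied mechanically before anything is copied off the infected drive. The script below is an added example and is not from the post or from any of the tools named in it. It assumes the backup source is mounted as an ordinary directory; it only looks inside .zip archives (the standard library cannot open .cab or .rar, so those are skipped outright), and the decision to flag web files for review rather than copy them is this example's own choice. The sample directory tree it builds is constructed for the demonstration.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# File types the post says Virut appends itself to.
INFECTABLE = {".exe", ".scr"}
# Archive types the post warns about; only .zip can be inspected without extra libraries.
ARCHIVES_INSPECTABLE = {".zip"}
ARCHIVES_OPAQUE = {".cab", ".rar"}
# Files recent variants modify; flagged for manual review rather than copied blindly.
WEB_FILES = {".htm", ".html", ".asp", ".php"}


def classify_for_backup(path: Path) -> str:
    """Verdict for one file: 'copy', 'skip-executable', 'skip-archive' or 'review-web-file'."""
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "skip-executable"
    if ext in WEB_FILES:
        return "review-web-file"
    if ext in ARCHIVES_OPAQUE:
        # Cannot look inside .cab/.rar with the standard library, so skip conservatively.
        return "skip-archive"
    if ext in ARCHIVES_INSPECTABLE:
        try:
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if Path(member).suffix.lower() in INFECTABLE:
                        return "skip-archive"
        except zipfile.BadZipFile:
            # An unreadable zip is not worth carrying to the clean machine.
            return "skip-archive"
    return "copy"


def plan_backup(root: Path) -> dict:
    """Walk root and group every file by verdict; paths are relative, POSIX-style."""
    plan = {"copy": [], "skip-executable": [], "skip-archive": [], "review-web-file": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            plan[classify_for_backup(p)].append(p.relative_to(root).as_posix())
    for verdict in plan:
        plan[verdict].sort()
    return plan


def build_sample_tree(root: Path) -> Path:
    """Constructed stand-in for a user profile (not real data) to exercise the filter."""
    docs = root / "My Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "thesis.doc").write_bytes(b"constructed document content")
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg stub")
    (docs / "setup.exe").write_bytes(b"MZ constructed executable stub")
    (docs / "bubbles.scr").write_bytes(b"MZ constructed screensaver stub")
    (docs / "homepage.html").write_text("<html>constructed page</html>")
    (docs / "driver.cab").write_bytes(b"MSCF constructed cabinet stub")
    with zipfile.ZipFile(docs / "tools.zip", "w") as zf:      # zip hiding an .exe
        zf.writestr("readme.txt", "constructed")
        zf.writestr("bin/tool.exe", "MZ constructed")
    with zipfile.ZipFile(docs / "letters.zip", "w") as zf:    # harmless zip
        zf.writestr("letter1.txt", "constructed")
    return root


def demo_plan() -> dict:
    """Build the constructed tree in a temporary directory and return its backup plan."""
    with tempfile.TemporaryDirectory() as tmp:
        return plan_backup(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for verdict, paths in demo_plan().items():
        print(f"{verdict}:")
        for rel in paths:
            print(f"  {rel}")
```

Point `plan_backup` at the mounted profile directory and copy only the `copy` list; anything under `review-web-file` should be opened in a text editor on a clean machine before it is trusted, since the post notes that recent variants alter those files.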

Blankman69
2009-09-05, 06:30
I just don't understand why people wait until they get infected to actually buy or download anti-virus software. In my head it's the first thing I put on a computer. Spybot, then anti-virus, registry cleaner, then anything you want. Oh well. I'll be back eventually.

katana
2009-09-05, 12:21
Spybot, then Anti-Virus, registry cleaner
I fully agree with the first two, but...

Registry Cleaners + "Tweak" Tools

I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools

They are marketed as ways to make your machine run faster and more efficiently... Some will actually achieve this, IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine, as long as they actually are "Orphaned/Old/Obsolete"; it won't speed up your machine though.
Stopping services and setting policies can speed up your machine, as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine... you could kill it!

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely, you don't actually need them.

Discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html