GEEK
August 30th, 2009, 15:32
hey guys,
I have been infected by the deadly Virut virus because of a stupid friend. I haven't got an antivirus installed and am not able to install one since Virut is not allowing the Dr.Web self-protection to install.
I would really appreciate it if Kayaker could give me a few pointers on how to deal with it, since he has analysed it in depth.
My system state:
Since being infected a day ago I have been running CureIt (Dr.Web's on-demand virus remover). It does detect and cure the files, but they get reinfected. I am unable to install an antivirus or even access the internet because it doesn't allow loading drivers.
My internet works using an ethernet card, and the card is disabled, and so is the internet, because the PC cannot load the ethernet card drivers on startup.
I have disabled screensavers and deleted all .scr files, but when I try to disable System Restore it says access denied.
I have also deleted the "System Volume Information" folder.
It hooks all running processes, including CureIt and GMER. Kernel Detective gives a BSOD when reading kernel-mode drivers. GMER has been successful in detecting a lot of IAT and code modifications and hidden processes, but is unable to stop them.
After killing hidden processes, the next second they are back again. It has also detected some registry modifications, which again I am unable to delete. A detailed GMER scan log is attached below. I have been using Process Hacker to stop the virus from downloading more malware.
I have collected live samples if someone needs them. I also ran a string scan in the winlogon process and have attached it as well. It contains a lot of Virut-related entries, including hundreds of Russian websites the virus seems to connect to.
I wanted to know:
1. How do you guys think I can prevent it from running at startup?
2. How can I allow my LAN card and antivirus drivers to load?
3. How can I prevent the hooking of all processes, including winlogon?
I tried booting in safe mode, but as expected it didn't help.
I tried checking for a solution on the internet, but everyone seems to be in confusion and a complete reformat is suggested most of the time.
I'm going to burn the Dr.Web live CD. Will it help? And will it even prevent the virus from autostarting?
Update: It hooks 4 functions in ntkrnlmp.exe, ZwCreateSection, ZwCreateProcess, ZwSetSystemInformation and ZwLoadDriver, as shown by GMER.
Any help would be appreciated.
Edit: Will attach the Virut string scan and GMER registry scan in a few hours.
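The four SSDT hooks the post reports from GMER (ZwCreateSection, ZwCreateProcess, ZwSetSystemInformation, ZwLoadDriver) are the classic way a file infector intercepts program launches and blocks driver loading, which matches the symptoms above. As an added example (not the poster's code, not GMER's output format), the check below parses a constructed, simplified SSDT dump and flags entries whose handler address falls outside the kernel image range; the kernel base and size are assumed values, on a real system they come from the live machine.

```python
import re
from dataclasses import dataclass

# Constructed sample in a simplified "SSDT <function> <handler> <module>" layout.
# Addresses are invented; the hooked entries point outside the kernel image.
SAMPLE_SSDT = """\
SSDT ZwClose 0x805BC4A0 ntkrnlmp.exe
SSDT ZwCreateSection 0x81F3A2C0 <unknown>
SSDT ZwCreateProcess 0x81F3A410 <unknown>
SSDT ZwSetSystemInformation 0x81F3A5F0 <unknown>
SSDT ZwLoadDriver 0x81F3A7B0 <unknown>
SSDT ZwOpenKey 0x8056F2D0 ntkrnlmp.exe
"""

# Assumed kernel image range for the constructed sample (read from the real system in practice).
KERNEL_BASE = 0x804D7000
KERNEL_SIZE = 0x001F8000

# What a hook on each of the functions named in the post can mean for a defender.
HOOK_IMPACT = {
    "ZwCreateSection": "executables mapped for launch can be intercepted and infected",
    "ZwCreateProcess": "new process creation can be blocked or tampered with",
    "ZwSetSystemInformation": "alternate driver-load path can be blocked",
    "ZwLoadDriver": "antivirus and NIC driver loading can be denied",
}

LINE_RE = re.compile(r"^SSDT\s+(?P<func>Zw\w+)\s+0x(?P<addr>[0-9A-Fa-f]+)\s+(?P<module>\S+)$")


@dataclass
class SsdtEntry:
    func: str
    addr: int
    module: str


def parse_ssdt(text: str) -> list[SsdtEntry]:
    """Parse the simplified dump; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SsdtEntry(m["func"], int(m["addr"], 16), m["module"]))
    return entries


def find_hooks(entries: list[SsdtEntry], base: int = KERNEL_BASE, size: int = KERNEL_SIZE) -> dict[str, str]:
    """Return {function: impact} for handlers that live outside the kernel image."""
    hooked = {}
    for e in entries:
        if not (base <= e.addr < base + size):
            hooked[e.func] = HOOK_IMPACT.get(e.func, "handler outside kernel image")
    return hooked
```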