W32.Virut infected backup drive - can I get to it on a clean system


10 replies to this topic

#1 Arrrggghhhhh (Members, 12 posts, Location: West Coast Canada)
Posted 08 August 2009 - 11:36 PM

Hey ...thanks in advance for your time on this...

Well here is the history.

W32.Virut.CF
WinXP Pro (fully up to date)
Norton Internet Security (<<what a piece of junk this is)
ADSL

Week ago main system starts acting strange... I start hunting. I find reader_s kicking around and start to kill it... and I find this forum and use the advice throughout to try to get rid of it.

Well to no avail... and ended up with many hours of war only to end in a sad defeat... no matter how I attacked it I was never able to get rid of it completely... so I now have a partially rebuilt system (complete reformat including destruction of original partitions,etc... and I have a large data backup HD that I want to get to so I can burn backup DVD's of the work files etc... (no EXE's, SRC, etc...) mainly design files...psd, ai, etc...

So here is the question.

Is there a way that I can do this (beef up my system with a bullet proof AV/Malware setup, if there is such a thing) so I can connect the old drive as a slave and start backing up stuff to DVD without compromising the newly rebuilt system?

I appreciate your time in this matter and hopefully I have posted to the right group.

Regards,


Arrrggghhhhh


#2 Orange Blossom (OBleepin Investigator, Moderator, 36,993 posts, Location: Bloomington, IN)

Posted 08 August 2009 - 11:39 PM

Hello,

I'm going to move this to the Am I Infected forum where you can get more immediate assistance on this issue.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Arrrggghhhhh (Topic Starter)

Posted 09 August 2009 - 12:34 AM

Thanks for that... Orange Blossom : )

#4 rigel (FD-BC, Members, 12,944 posts, Location: South Carolina - USA)

Posted 09 August 2009 - 08:17 PM

Hi and welcome to BC. Please review the Virut-affected files and make sure you have no files listed that carry Virut on your hard drive. Next, download and run Flash Disinfector. Run this on your clean computer.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Next make sure Windows is fully updated - and your antivirus is fully updated. Visit secunia.com and run the online scan. It will tell you if you have other software that needs updates.

Keeping in mind that there is always a chance that something could be lurking and infect the fresh install.

When you plug the external in, run Dr.Web CureIt on the drive to make sure nothing was there.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#5 Arrrggghhhhh (Topic Starter)

Posted 11 August 2009 - 08:30 AM

Thanks for the response Rigel... I will be taking a run at this today... I will let you know how I fare.

#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,591 posts, Location: Virginia, USA)

Posted 11 August 2009 - 09:19 AM

Caution: If you are considering backing up data, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. This same susceptibility to infection applies if you're slaving an infected drive to a clean one in order to back up files. I'm not saying you should not try using such devices or techniques but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Edited by quietman7, 11 August 2009 - 09:23 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
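An added example, not code from the thread or any of its posters: a read-only Python triage pass over a slaved drive that applies the rules in the post above (leave executables, screensavers, autorun and script files behind, leave archives that contain executables, and look past the last extension for a hidden one) and reports what would be copied and what stays. The extension sets are the thread's lists; adding `.com`/`.bat` from the original post, the labels, and the constructed sample tree are my assumptions.

```python
import tempfile
import zipfile
from pathlib import Path
# Extension lists from the thread: quietman7's "do not back up" list plus .com/.bat from the OP.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat"}
SCRIPT_EXTS = {".ini", ".php", ".asp", ".htm", ".html", ".xml"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}

def classify(path) -> str:
    # Decide from the name alone; the only content ever read is a .zip member listing.
    path = Path(path)
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTS:
        # "invoice.pdf.exe": the real extension hides behind a harmless-looking one.
        return "disguised-executable" if len(suffixes) > 1 else "executable"
    if last in SCRIPT_EXTS:
        return "script"
    if last in ARCHIVE_EXTS:
        try:  # .cab/.rar (and corrupt .zip) cannot be listed with the stdlib and land in except
            with zipfile.ZipFile(path) as zf:
                members = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            return "archive-uninspectable"
        if any(Path(m).suffix.lower() in EXECUTABLE_EXTS | SCRIPT_EXTS for m in members):
            return "archive-with-executable"
        return "archive"
    return "data"

def triage(root: Path) -> dict:
    # Walk the slaved drive; "copy" holds (path, label) pairs safe to move, "leave" the rest.
    result = {"copy": [], "leave": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = classify(p)
            pile = "copy" if label in ("data", "archive") else "leave"
            result[pile].append((p.relative_to(root).as_posix(), label))
    return result

def build_sample_tree() -> Path:
    # Constructed stand-in for the slaved drive: placeholder bytes only, nothing is a real binary.
    root = Path(tempfile.mkdtemp(prefix="slaved_"))
    (root / "work").mkdir()
    for name in ["work/logo.psd", "work/brochure.ai", "work/notes.txt",
                 "work/invoice.pdf.exe", "tools.exe", "index.html", "desktop.ini"]:
        (root / name).write_bytes(b"placeholder")
    for zname, member in [("assets.zip", "photo.jpg"), ("setup_bundle.zip", "setup.exe")]:
        with zipfile.ZipFile(root / zname, "w") as zf:
            zf.writestr(member, b"placeholder")
    return root
```

Run `triage(build_sample_tree())` to see the two piles; on a real slaved drive, point `triage` at its mount point and copy only the "copy" list, never the "leave" list, to DVD.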

#7 Arrrggghhhhh (Topic Starter)

Posted 11 August 2009 - 01:07 PM

@quietman7

Yes .. sound insight, thank you. All has been considered, as I have already selected a system for the suicide mission... I am going in getting my files and getting out .. then I will raze the system I used to get the data whether it appears compromised or not. I just needed some guidelines from someone in the know as to how to prepare the suicide system to help ensure I succeed the first time : )

I do appreciate the caution, as I realize how dangerous this infection is and it should never be underestimated.

- Arrrggghhhhh

#8 Arrrggghhhhh (Topic Starter)

Posted 16 August 2009 - 10:51 AM

Well I am happy to say that I have been able to create a system of file retrieval here that appears to be working well.

I have a "purgatory" machine which had been cleaned and fully stocked with all tools, malware and AV software, then connected the "infected" drive and started transferring items to a second system that is also set up with tonnage of protective apps... the files sit there for a day to see if any bells go off.. (none of these files are exe, com, bat, scr, html, etc...) Just me being paranoid now... and rightly so...

Then finally if the files survive the gauntlet they are allowed onto my final working system and backed up to DVD.

Question

Is this overkill...

Norton Internet Security
Windows Defender
Spybot (teatimer and SDhelper)
Superantispyware free
Ad-Aware free
Avira AV free
Prevx


Your insight is appreciated.

Regards,

Arrrggghhhh

Edited by Arrrggghhhhh, 16 August 2009 - 10:52 AM.


#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,591 posts, Location: Virginia, USA)

Posted 16 August 2009 - 12:04 PM

mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products)

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.

#10 Arrrggghhhhh (Topic Starter)

Posted 25 August 2009 - 12:46 PM

I wanted to thank everyone here for providing an exceptionally beneficial selfless service to those of us who are greatly appreciative of the help and guidance.

Kudos to rigel, quietman7, and Orange Blossom... please keep doing what you are doing!

Thanks again and let's close this thread.. I am better versed/armed/skilled now in what I need to do.

With warm regards,

Formerly known as Arrrggghhhhhh....
now to be known as Ahhhhhh.... lol



#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,591 posts, Location: Virginia, USA)

Posted 25 August 2009 - 12:54 PM

Thanks for the kind words and you're welcome on behalf of the Bleeping Computer community.

Tips to protect yourself against malware and reduce the potential for re-infection:

• Keep Windows and Internet Explorer current with all critical updates from Microsoft, which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

• Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

• Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

• Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:



