
Possible "Virut" infection


16 replies to this topic

#1 davidherman (Members, 11 posts)

Posted 05 September 2009 - 02:44 PM

Yesterday I (extremely foolishly) tried installing what I thought was a free hacked version of a program I didn't want to pay $40 for, but instead it was some sort of virus/trojan. The first thing that happened was the command prompt came up and listed some .exe files that were being "installed" that were similar to what I thought I would be installing. Then things slowed down a bit and a few shortcuts to IE appeared on the desktop and were labeled "youporn.com" and the like. I knew then I had a problem. I don't remember the exact sequence of events, but at some point when I couldn't get the program to stop running, I panicked and tried to shut down the computer, and ended up just holding the power button until it turned off, since it didn't seem to want to shut down the correct way.

I rebooted and since I had created a system restore point before running the "program" (I knew it could be dangerous but I really underestimated it) I went to restore, but when I tried to access it, I got a message saying that I didn't have access due to the group policy (even though I'm on the administrator account). (I can't remember for sure whether I tried restoring before shutting down the first time, or not.) Regardless, it didn't work, and after looking online I found how to change the group policy settings (I checked in the My Computer properties as well and it had no tab for System Restore), but after rebooting like it said to after "enabling" the system restore, nothing had changed.

I also noticed that file extensions were no longer displayed on files and I couldn't edit the file type, or change folder options (under the tools menu in an explorer window)

At that point I tried running some AV programs. I have Symantec (corporate edition, I think) and I ran the quick scan which picked up nothing, and I ran the SpywareTerminator quickscan, which picked up a problem in svchost.exe as well as lsass.exe, and a registry entry or two. I "removed" the problems, but things didn't get better. I tried running Avira but it said that it was corrupt (or something of that nature) and wouldn't run. I tried ComboFix, which worked wonders for my last virus, but I got this message:


!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package have been compromised.
Please download a fresh copy from bleeping computer.

Note: You may have been infected with a file patching virus (Virut)

I tried running everything in SafeMode as well, but nothing improved. I booted regularly once again, and tried searching for some of the files that might have been installed, but in the middle of the search, explorer.exe (and my desktop and taskbar) simply disappeared, with no error message as far as I can remember. I rebooted in safe mode, and still no explorer. I tried manually running explorer.exe but it said that Windows cannot access the file/path/etc, because I don't have the appropriate permissions (again this is in the admin account in safe mode as well). I can't run the regedit.exe or anything of that sort.

Based on the ComboFix message I tried using programs that specifically were for this Virut (or W32.Virut?), including Symantec FixVirut and AVG's Virut remover. Neither worked, and AVG had to be run during boot as it said the virus was in memory (it still didn't help).

Currently, when in normal mode, I'm still getting the occasional Symantec autoprotect popup, which sometimes is able to clean, but often cannot and it says it was left alone. The items are usually termed "downloader" or "trojan" of some sort.

Safe mode (which I'm typing from) has no active attacks, but I can't access most antivirus help websites (or similar sites) though they work via a webproxy, so it's clearly a symptom. I have no way to access explorer.exe, and it won't load on boot up. I can load programs through the task manager (including Firefox and SpywareTerminator and Symantec) but the situation is fairly crippling.

Summary of what I've tried:
SpywareTerminator - a few hits, removing risks doesn't help, and the last two scans showed no risks
Symantec - No hits other than active autoprotect results
Avira - Won't run
ComboFix - won't run
Symantec FixVirut - no help
AVG remove Virut - no help

I unfortunately haven't made a hard backup on an external HDD or anything, though I went to Bestbuy and grabbed one today and I will transfer all my documents on to there.

I'm really worried that I will need to reinstall XP and everything; everything I see online makes it sound that way because this sort of thing apparently infects all the .exe files and there is no good way to fix things, but I can't find my reinstall CD for XP or Office (it's a Dell Latitude D810, 4 yrs old, and the software was preloaded when I bought it through my university). It's possible that the discs are somewhere at my parents' house, but I can't find them in my apartment. I can get a reinstall CD from Dell, but I don't want to reinstall the OS until I know for sure that's the only option, since I don't want to lose all my programs...

I talked to Geek Squad, and it would cost me like $200 for them to do anything, and I can pretty much just replace all the programs for that price, using school discounts and such.

What can/should I do?

also, if this sort of thing affects exe files, I should be safe in copying only office documents, video files, and photos to my external HDD right? I won't transfer the infection to the drive?

I'm sort of panicking because I can't afford to be without the computer or money for the time it might take for a pro/geek squad to fix it.


#2 Blade (Site Admin, 12,702 posts, "Strong in the Bleepforce")

Posted 05 September 2009 - 04:46 PM

Hello davidherman and welcome to BleepingComputer. I wish it were under better circumstances.

What you describe does indeed sound like the Virut virus. If you have Virut there is no cleaning it; the only reasonable solution is to format the hard drive and reinstall the OS. I'll provide more information on why this is at the end of this post.

If you have Virut, we can guide you through safely backing up your data and reformatting your computer, so that you don't have to take it to Geek Squad. (off the record. . . I'm not too fond of those guys myself.)

Which brings me to a question which will direct how we proceed.

Do you wish to attempt to confirm the presence of Virut before deciding to format? Note that this may not be reasonably possible; it sounds like you have a number of different infections on your machine apart from Virut that may make it extremely difficult or impossible to confirm or deny the presence of the infection. Given the extremely virulent and lethal (computer-wise) capabilities of Virut, in this situation it would be prudent and wise to assume that you are infected unless we can obtain evidence to the contrary.

The alternative to this is to assume that the computer is infected with Virut and begin the process of backing up your data and then reformatting immediately. This is (unfortunately) the course of action that I would recommend. You will need to obtain the XP reinstallation CD from Dell; this could take a few days to arrive so you'll want to go ahead and jump on that.

Regardless of which choice you make, please note the following:

I unfortunately haven't made a hard backup on an external HDD or anything, though I went to Bestbuy and grabbed one today and I will transfer all my documents on to there.


Please do NOT do this yet! Since we might be dealing with Virut, we must back up your data very carefully to avoid allowing Virut to infect your backup. I can provide you with instructions on how to do this. Don't worry about your computer crashing and failing to start before you have a chance to get your data backed up. If this happens, we can access your hard drive indirectly to recover your files. We must place the integrity of your backup before everything else: if you back up an infected file then you'll reinfect yourself upon restoring the files, and all your hard work will have been for nothing.

As promised, the Virut information is below. Let me know what you wish to do.

~Blade


In your next reply, please include the following:
Answer regarding the course of action you wish to take


***************************************************

Virut is a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files... some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+
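The Norman assessment quoted above says some Virut variants rewrite the HOSTS file to block security-related sites. The following is an added example (not code from the thread or from any of the vendors cited) that checks a HOSTS file, such as the one under WINDOWS\system32\drivers\etc on a Windows partition mounted from a boot CD, for entries that point security-vendor domains at loopback, 0.0.0.0 or some other address. The WATCH_LIST of vendor domains and the SAMPLE_HOSTS content are constructed for illustration.

```python
"""Flag HOSTS-file entries that hijack security-vendor domains (added example)."""
import ipaddress
from pathlib import Path

# Assumed, illustrative list of domains an infection would want to block.
WATCH_LIST = (
    "virustotal.com", "jotti.org", "symantec.com", "avira.com", "avg.com",
    "bleepingcomputer.com", "kaspersky.com", "mcafee.com", "microsoft.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # not an address/host pair
        ip = parts[0]
        for host in parts[1:]:                   # one IP may map several names
            yield ip, host.lower().rstrip("."), line_no


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCH_LIST)


def suspicious_entries(text):
    """Return [(line_no, ip, host, reason)] for every watched domain in the file.

    Any explicit mapping for a security vendor is reported: loopback/0.0.0.0
    means the site is blackholed, anything else means it is redirected."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, ip, host, "blackholed to loopback/0.0.0.0"))
        else:
            findings.append((line_no, ip, host, "redirected to %s" % ip))
    return findings


def check_hosts_file(path):
    """Convenience wrapper: scan the HOSTS file at path."""
    return suspicious_entries(Path(path).read_text(errors="replace"))


# Constructed sample: the stock localhost line plus three hijacked vendors.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.virustotal.com virustotal.com   # blackholed
0.0.0.0         www.symantec.com
198.51.100.7    downloads.avg.com   # TEST-NET-2 address, constructed
127.0.0.1       intranet.example    # not a vendor, ignored
"""

if __name__ == "__main__":
    for line_no, ip, host, why in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, host, ip, why))
```

One caveat for reading the thread: a HOSTS blackhole usually shows up in the browser as a connection that is refused or times out, while "Firefox cannot find the server" (post #5) is a DNS failure, so a clean HOSTS file on this machine would not rule out blocking being done somewhere else, and the wipe-and-reinstall advice stands either way.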


#3 davidherman (Topic Starter, Members, 11 posts)

Posted 06 September 2009 - 01:22 AM

Thanks for the reply. I bought a WD hard drive this morning, and I formatted it before reading this reply (was that bad?), but that should mean it is clean (?). What do I need to do to back up the files safely?

And if it's possible to concretely verify that this is Virut, that would be nice, but I think it's pretty likely...

Also, I talked to my Dad, and he found my Windows reinstall CD and Dell driver discs, etc, that I had left there, so I'll have that as soon as the mail can get it (they will be mailed Tuesday since Mon. is Labor Day). I assume I can do a clean install from that? I'm still in (grad) school so I think I can take it to the university IT and see what their suggestion is on Mon, but based on your reply and the info I read online, I'm guessing I'll have to do a complete reinstall (and suck up the loss of Acrobat and Minitab, I do have the installation discs for the other programs I care about). Let me know what I need to do to back up documents (MS office documents, pdf, music, video are the only kinds I'll need to really save) and the best method for re-installation. I'll probably need to be walked through that once I commit to it for sure.

also, I guess I'm assuming any programs I don't have hard copies of to reinstall are a loss (I mentioned Acrobat and Minitab, both of which I downloaded from my previous university when I was an undergrad and I don't have any way to reinstall). Is there any way to save installed programs?

Any other suggestions/precautions? I'm running in safe mode, and the only program I'm really using is Firefox 3.5, especially given the pain of trying to run things via task manager or command prompt.

I'll check back in the

Thanks

David

#4 Blade (Site Admin, 12,702 posts, "Strong in the Bleepforce")

Posted 06 September 2009 - 12:01 PM

Hello David.

What do I need to do to back up the files safely?

If you formatted it using the infected computer, you should format it again using a clean computer to ensure that the drive is sterile. When you connect the drive to the clean computer to format it, you should hold down the Shift key until Windows detects it to keep autorun.inf from executing if it is present. Then format the drive. After you have done this, you'll want to run the following utility on the drive using a clean computer.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Once you've got this finished let me know, and we'll proceed from there.

Also, I talked to my Dad, and he found my Windows reinstall CD and Dell driver discs, etc, that I had left there, so I'll have that as soon as the mail can get it (they will be mailed Tuesday since Mon. is Labor Day). I assume I can do a clean install from that?

Yes, we can do it using those.

I'm still in (grad) school so I think I can take it to the university IT and see what their suggestion is on Mon

You should inquire as to whether they have experience dealing with Virut infections. I've seen several cases where IT depts. or computer repair techs didn't completely eradicate the virus because they didn't know what they were dealing with.

Is there any way to save installed programs?

Unfortunately, no. If we're dealing with Virut, we must assume all your programs have been infected.

***************************************************

Well. . . let's give confirming Virut a shot. We'll do this by examining some of your system files for signs of Virut infection.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lsass.exe

Please post back the results of the scans in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

~Blade

In your next reply, please include the following:
Jotti/VT scan results

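The post above relies on two facts about autorun.inf: holding Shift while the drive is detected stops Windows from acting on it, and Flash_Disinfector prevents later abuse by planting a folder named autorun.inf in each drive root, which keeps a file of that name from being created there. The following is an added example (not the thread's or sUBs' code) that reports which state a drive root is in before you trust it: no autorun.inf, an immunizing folder, or a real autorun.inf file, in which case it lists the launch directives (open, shellexecute, shell\...\command, icon) that file would hand to Windows. The SAMPLE_MALICIOUS text and the demo() temp-directory setup are constructed for illustration.

```python
"""Inspect a drive root for autorun.inf and report what it would launch (added example)."""
import configparser
import os
import tempfile
from pathlib import Path

# Autorun keys that name a file Windows would run or load.
LAUNCH_KEYS = ("open", "shellexecute", "icon")


def parse_autorun(text):
    """Return {key: value} of launch-type directives in the [autorun] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower          # Windows treats keys case-insensitively
    cp.read_string(text)
    directives = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in LAUNCH_KEYS or is_verb:
                directives[key] = (value or "").strip()
    return directives


def inspect_drive_root(root):
    """Return ("absent" | "immunized" | "file", directives) for the given root."""
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return ("absent", {})
    if target.is_dir():
        return ("immunized", {})        # Flash_Disinfector-style folder
    return ("file", parse_autorun(target.read_text(errors="replace")))


# Constructed sample resembling a worm's autorun.inf: every "open" action
# and the icon load are pointed at a program in a hidden folder.
SAMPLE_MALICIOUS = """\
[AutoRun]
open=RECYCLER\\setup.exe
shell\\open\\Command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def demo():
    """Exercise all three states on temp dirs; returns their inspect results."""
    clean = Path(tempfile.mkdtemp())
    immunized = Path(tempfile.mkdtemp())
    (immunized / "autorun.inf").mkdir()
    infected = Path(tempfile.mkdtemp())
    (infected / "autorun.inf").write_text(SAMPLE_MALICIOUS)
    return (inspect_drive_root(clean),
            inspect_drive_root(immunized),
            inspect_drive_root(infected))


if __name__ == "__main__":
    for state, directives in demo():
        print(state, directives)
```

If the root holds a real file, the values it names are the first things to look at on the suspect drive; the folder-based immunization only helps while nothing has deleted the folder, so the check is worth repeating each time the drive comes back from another machine.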


#5 davidherman (Topic Starter, Members, 11 posts)

Posted 06 September 2009 - 01:04 PM

I tried both Jotti and VT and neither will load for me (I believe it's because they have "virus" in the URL), and I can't get other virus-related sites (e.g. Symantec) to load. I always get the error "Firefox cannot find the server at www.virustotal.com (or whichever site I try)". I tried a couple of "URL hider" sites like tinyurl, but they wouldn't load Jotti or VT. I tried a couple of web proxies through which I could get VT to work, but when I tried loading the .exe files, it gave an error that "zero bytes loaded". I don't know if that is a result of running through a proxy, or not...

If I can't get a true confirmation, it's not a big deal I guess, since either way I'm guessing I'll need a complete reinstallation...

I'll try to find a clean computer I can format my HDD on. Is there any danger of using a clean computer, provided that I hold down shift when plugging in the USB?

[edit] Is there a quick/easy way to partition the hard drive? I tried looking for a way (I don't know off hand how to do it provided that explorer loads), but I didn't see any convenient way to do it using only the command prompt... It's not important, but I would have partitioned it under normal circumstances to keep backups separate from other files, though that's something I can do once I can transfer my files to my (hopefully) cleaned computer in the future...

Edited by davidherman, 06 September 2009 - 01:12 PM.


#6 Blade (Site Admin, 12,702 posts, "Strong in the Bleepforce")

Posted 06 September 2009 - 02:09 PM

Correct, accessing Jotti or VT via proxy will not allow you to upload files. Let's try one workaround to get you to Virustotal. Instead of typing the URL into the address bar of your web browser, try typing this: (without the quotes)

"74.53.201.162"

If this works, try to proceed with the scan. If not, let me know.

***************************************************

I'll try to find a clean computer I can format my HDD on. Is there any danger of using a clean computer, provided that I hold down shift when plugging in the USB?


It should be fine. If you wanted to be extra cautious, download Flash Disinfector onto the clean computer before attaching the HDD and run it once. This will disable Windows' ability to autorun removable media (i.e. your maybe infected HDD). Then connect the drive (hold down the shift key as directed before, just in case) and format it, then run Flash Disinfector again to immunize your HDD.

***************************************************

As far as partitions go, you should be able to use the XP CD to create new partitions on an empty drive. I don't know much about it beyond that and the fact that there are partition managers out there that you can buy, but I'll check with some colleagues and get back to you on it.

A caution for the future though: Simply having files in a separate partition doesn't mean that they're safe from a malware attack. Some of the nastier malware can spread among all partitions and drives connected to a system. The most secure practice is to keep your backups in a physically separate location that remains disconnected from your computer except during the actual backup process.

~Blade



#7 davidherman (Topic Starter, Members, 11 posts)

Posted 06 September 2009 - 02:25 PM

Thanks, I tried using just the IP address you gave and I got this:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://74.53.201.162/

The following error was encountered:

* Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster@hispasec.com.

~~~~~~~~~~~~~~~

I guess I'm ok with not confirming Virut 100% if I can't; since it seems like whether it is or not, I will have to reinstall Windows regardless...

I won't worry about partitioning my hard drive now, then, since I don't plan on leaving it plugged in during normal use, only for the occasional file transfer and backup.

I'll see if I can format the drive on my roommate's computer when he gets back tonight, so once that is complete what do I need to do to safely move my files? I'm only looking to save stuff that's in My Documents and a few files saved to my desktop...

#8 Blade (Site Admin, 12,702 posts, "Strong in the Bleepforce")

Posted 06 September 2009 - 02:41 PM

Well. . . there are two ways we can do this. The simpler and easier, but much less secure, of the methods is to simply plug the immunized drive into the machine and copy off the files. The other method is to create a bootable disk and use it to access your hard drive from a sterile environment. This is much more secure than just plugging the HDD in while Windows is running, but it requires some preparation and a clean computer on which to create the disk.

Regardless of the method you choose, you should note the following guidelines:

Guidelines when backing up:

1) With Virut, the more you back up, the greater the potential for something to go wrong and cause a reinfection. You should only back up what you absolutely cannot stand to lose and cannot replace.
2) Backup your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
3) Do NOT backup any applications/installers and Do NOT backup any files with the following extensions under any circumstances whatsoever
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.

If you want to use the bootable disk method for backing up (which I would recommend), let me know and I'll provide instructions on how to build one.

~Blade



#9 davidherman (Topic Starter, Members, 11 posts)

Posted 06 September 2009 - 03:05 PM

Ok, the first way you mentioned was what I had thought I could do based on what I read before inquiring here, but just so I know all my options, if you could post instructions on how to do the bootable disc method, I'll see what that entails... My only reservations would be that I don't know how much I would be imposing on whoever's computer I need to use to do what I need, what is required of the clean computer (like does it need to be the same operating system), as well as how much time it will take, though my installation cds won't be delivered till the end of the week, so I shouldn't have as much other work on my plate then as I do now...

Is there any way that document/picture/music/video files can be infected? Anything like thumbs.db or desktop.ini files that would be in photo folders or music album folders that would be dangerous? If those are safe, then it would be relatively easy for me to avoid copying any .exe, .scr, .zip, .html, etc...

Also is there any way for me to save my bookmarks from Firefox, or my Outlook contact information?

Edited by davidherman, 06 September 2009 - 03:09 PM.


#10 Blade (Site Admin, 12,702 posts, "Strong in the Bleepforce")

Posted 06 September 2009 - 06:15 PM

Any version of Windows will be fine. Here are the steps.

We will be using Knoppix, a bootable disk. From it, we can access your harddrive and do repairs.

From a working computer download and install IMGBurn.

Download Knoppix to your desktop.

Open IMGBurn via the newly created icon on your desktop, or by pointing to Start->All Programs->ImgBurn->ImgBurn
Push the large "Write image file to disk" button.
Right under "Source" and next to "Please select a file" push the Posted Image button.
Browse to and select the Knoppix image file on your desktop.

Place a blank CD-R into your clean system's CD Burner, and press the large button that looks like a page going into a CD in the bottom left of IMGBurn.

Now place this CD into the non-bootable system. Configure the system to boot from CD. You can usually do this by pressing F10, F11, or F12 (try all of them if unsure) to bring up configuration options, and select CDRom as your boot device. Some machines will automatically attempt boot from the CD if one is inserted.

When you see this screen,
Posted Image
Press enter, and wait for Knoppix to boot.
On Knoppix' desktop, you should see an icon for your hard disk (Looks like Posted Image.)

Right click the drive, and select "Change Read\Write Mode". Press "Yes" at the prompt.

Now you have ready access to your hard drive. You can drag and drop files/folders to another hard drive, a flash drive, or burn the data to disk.

For safety's sake...

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php


--
Once the files are done moving, press the large K button in the lower left corner of the screen, and select Log Out...
Then press "Turn off computer".

~Blade


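Posts #8 and #10 above give the backup rule: copy documents, pictures, music and video, but never executables, screensavers, web/script files or archives, because an infected copy would reinfect the rebuilt system on restore. The following is an added example (not the thread's code) that applies that rule as a selective copy from a mounted source partition to a destination drive, the way it would be run from the Knoppix environment described above. Two things go beyond the thread's extension list and are assumptions of this example: the first bytes of every file are checked so that a renamed executable (MZ header), archive (PK or Rar! magic) or HTML file is skipped whatever its extension, and a SHA-256 manifest is written beside the copied files so the backup can be verified after the reinstall. The sample tree built by demo() is constructed.

```python
"""Selective backup that refuses file types a file infector can ride in (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Extensions the thread says must never be backed up (posts #8 and #10).
DENY_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".asp", ".php"}
# Assumption of this example: other native code and installer types are refused too.
DENY_EXT |= {".dll", ".sys", ".com", ".pif", ".msi", ".bat", ".cmd", ".vbs", ".js"}
# Folders that hold no user data and commonly hide dropped executables.
SKIP_DIRS = {"system volume information", "recycler", "$recycle.bin"}


def sniff_reason(head):
    """Return why the first bytes mark a file as unsafe to copy, or None."""
    if head.startswith(b"MZ"):
        return "PE/DOS executable header"
    if head.startswith(b"PK\x03\x04"):
        return "ZIP container"
    if head.startswith(b"Rar!"):
        return "RAR archive"
    lowered = head.lstrip().lower()
    if lowered.startswith((b"<!doctype html", b"<html", b"<script", b"<iframe")):
        return "HTML/script content"
    return None


def classify(path):
    """Return None if the file may be copied, else a string saying why not."""
    if path.suffix.lower() in DENY_EXT:
        return "denied extension %s" % path.suffix.lower()
    with open(path, "rb") as f:
        return sniff_reason(f.read(512))


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(src, dst):
    """Copy eligible files from src into dst, keeping relative paths.

    Returns (copied, skipped): copied is [(relative_posix_path, sha256)],
    skipped is [(relative_posix_path, reason)]. A MANIFEST.sha256 listing
    the copied files is written into dst."""
    src, dst = Path(src), Path(dst)
    copied, skipped = [], []
    for root, dirs, files in os.walk(src):
        dirs[:] = [d for d in dirs if d.lower() not in SKIP_DIRS]
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src).as_posix()
            why = classify(p)
            if why:
                skipped.append((rel, why))
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(p, target)   # data only: no attributes, no NTFS streams
            copied.append((rel, sha256_of(target)))
    dst.mkdir(parents=True, exist_ok=True)
    with open(dst / "MANIFEST.sha256", "w") as m:
        for rel, digest in copied:
            m.write("%s  %s\n" % (digest, rel))
    return copied, skipped


def demo():
    """Build a constructed user tree in a temp dir and back it up."""
    base = Path(tempfile.mkdtemp())
    src, dst = base / "infected", base / "backup"
    samples = {  # constructed contents; only the leading bytes matter
        "My Documents/thesis.doc": b"\xd0\xcf\x11\xe0 fake Word document body",
        "My Documents/notes.txt": b"plain text notes",
        "My Pictures/vacation.jpg": b"\xff\xd8\xff\xe0 jpeg body",
        "Desktop/setup.exe": b"MZ\x90\x00 program",
        "Desktop/photo.jpg": b"MZ\x90\x00 executable renamed to .jpg",
        "Desktop/bookmarks.html": b"<!DOCTYPE html><html><body>links</body></html>",
        "Desktop/archive.zip": b"PK\x03\x04 zip body",
        "RECYCLER/dropper.exe": b"MZ in a folder we never enter",
    }
    for rel, body in samples.items():
        p = src / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return backup_tree(src, dst)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", [r for r, _ in copied])
    print("skipped:", skipped)
```

The magic-byte check is the part worth keeping even if you trim the extension list: a file infector patches executables, and an executable does not stop being one when a user (or the malware) gives it a .jpg name. What this does not check is active content inside document formats (Office macros, PDF scripts); the thread's list does not cover those either, so treat any document you did not create yourself with the same suspicion as an .exe.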

#11 Blade (Site Admin, 12,702 posts, "Strong in the Bleepforce")

Posted 06 September 2009 - 06:50 PM

Oh. . . I almost forgot. As far as your Firefox bookmarks go. . . the only way you'll be able to take them with you is to create a Word or Notepad document and copy the URLs from each bookmark by hand or by using copy/paste. Firefox stores bookmarks in an .htm file, which is one of the file types that is extremely dangerous to back up in this situation.

I don't use Outlook myself. . . but I think you can export your address book to an excel spreadsheet.

~Blade



#12 davidherman (Topic Starter, Members, 11 posts)

Posted 09 September 2009 - 10:14 PM

OK, my hard drive is being formatted on a clean computer (I don't know how long it should take, but it's been about 2 hrs and it looks like it's 1/3 of the way there? It's a 640GB drive. I didn't think it took that long when I formatted it initially on my computer, but I don't know for sure) and I tried burning Knoppix to a CD, but it took about 40 min with no progress, saying it was writing the Lead-In (I think?), before giving an error message and quitting... I don't remember what the error message said unfortunately, but maybe I just had a bad CD? I'll try again tomorrow with a new CD (the blank one I used was the only one I could find and it was about 4 yrs old).

If for some reason I can't get Knoppix to burn, how risky is just transferring the files to the hard drive?

Also, once I have my backup and my reinstallation disks, what's the procedure for the format/clean installation?

#13 Blade (Site Admin, 12,702 posts, "Strong in the Bleepforce")

Posted 09 September 2009 - 11:11 PM

If for some reason I can't get Knoppix to burn, how risky is just transferring the files to the hard drive?

There's not really a way to put a "how much" on riskiness so that's kind of a difficult question to answer. I wouldn't do it. Following all the precautions I gave you will help to minimize the risk, but there's really no way to eliminate the risk altogether. You're playing with fire here.

***************************************************

One more thing you should do before wiping the drive is download Belarc Advisor. It builds a detailed profile of your installed software and hardware, including Microsoft hotfixes, and displays the results in your web browser.
Run it and then print out the results; they may be handy. If you can't print. . . copy down the info.

***************************************************

As far as reformatting goes, the best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of information on this are
Reformatting Windows XP
Reinstall Windows Vista
Michael Stevens Tech

~Blade



#14 epchabot (Members, 1 post)

Posted 23 October 2009 - 06:32 PM

So I am having the exact problem described in the first post in this thread. Is there someone that can help me through the process of file backup before I reformat and reinstall Windows? I think there is little doubt that I have the Virut infection, just trying to save some data files (pictures and music, mostly). I have a backup from a few months ago, just trying to save stuff from last few months.

This thread stops abruptly, so I'm not sure of the final resolution.

The infected PC is almost entirely toast ... I can't reach any websites via IE, and cannot launch any .exe files.

#15 ANS1 (Members, 2 posts)

Posted 27 October 2009 - 09:52 AM

I am also having the problem described in the first step. After ComboFix failed, the computer entered a loop during the setup process; on the Welcome screen, the computer would suddenly black out and return to the motherboard profile.

I have used the steps here to try and use Dr.WEB to fix the computer; however, it, and other programs as well, are acting as if the C drive is completely empty.

Does that really mean that the C drive has been deleted?

Also, I made a backup of My Documents on a hard drive with other files on it. I used an old and broken-down computer with nothing important on it to sort through it so I can find (and delete) the Virut files, and, as expected, the old comp caught Virut as well. I haven't tried using UBCD4Win and Dr.WEB on it yet, though. One other thing I'm worried about: the hard drive that I put the backup on had other files on it as well; are those ones now infected as well?



