
Virut, Nimda, Backdoor, Runouce etc. are together trashing my pc!



#1 alb2009

alb2009

  • Members
  • 1 posts

Posted 06 December 2009 - 07:40 AM

PLEASE HAVE PATIENCE, I DON'T THINK YOU'VE HEARD OF SUCH A VARIED PROBLEM. PLEASE DON'T BE SCARED BY THE LENGTH OF MY POST, JUST KNOW THAT WHAT I'M SAYING IS TRUE AND I DESPERATELY SEEK YOUR HELP!

(This is just background info, you can skip it... I'm just telling it from the beginning.) 3 weeks ago I bought a brand new PC. I installed Windows XP SP2 and everything was fine. One day, I couldn't update my Avira AND SuperAntiSpyware and could not visit ANY antivirus websites. I didn't know what to do. But somehow I got rid of the problem, as SuperAntiSpyware detected a backdoor Trojan and cleaned it. Then I could access everything again. I also used TrendMicro HouseCall to find another worm downloader on my Windows partition. That's that. I could browse and use my PC safely again. No problems at all were seen.

(THE REAL HEADACHE) Then after a few days... yesterday to be exact, I put what I thought was a clean DVD (data DVD) in my drive and before I even tried to open it, the chain of events started (btw... I'm pretty damn sure the DVD is infected) -

1. My Windows Explorer shut down with the usual termination message it normally gives when you shut it down from the processes window (explorer.exe has encountered a problem and needs to close) and the icons disappeared from my desktop along with the start bar! After a few seconds, it all came back. But I knew something was wrong. I immediately turned on SuperAntiSpyware and ran a scan of the DVD and my C: (Windows drive). ALMOST MORE THAN 11 WORMS AND TROJANS WERE DETECTED of different names and before I could clean them by clicking the button, my PC restarted with a blue screen with some white error (which was there for just a little while so I couldn't read it).

Some names of the detected worms (as far as I can remember): Nimda, backdoor, gen (something like that) and many more!

2. When I turned it on again, I could not access any .exe files, my dialer was gone from Network Connections so I couldn't access the net, and I couldn't update any security software. I tried Avira, MalwareBytes AntiMalware, AVG etc. Luckily... only SuperAntiSpyware ran and once again found those viruses. Before it could even finish half of its search, the same blue screen splashed again with the PC rebooting. I panicked and immediately reinstalled my OS from a bootable XP SP2 DVD. Took me 45 minutes. I thought this would take care of the problem.

3. As I had reformatted the C: drive during my installation, I thought the virus was gone for good. But when I entered the desktop for the first time, this error came on - - - (runouce.exe has encountered a problem and needs to close). I checked the background processes... along with this runouce.exe... there were a thousand other net1.exe and net.exe processes! I couldn't access the net (as no browser would open and there was no dialer!) nor use ANY .exe files, so I couldn't install ANY antivirus or antispyware soft! And I searched for .eml files and there were a LOT OF THEM (I knew Nimda did this during infection). I almost deleted all of them. But still... nothing improved. I deleted the riched30.dll from the PC as I had read somewhere that it was connected to Nimda.

4. Luckily I had a spare SATA HDD where I reinstalled the same OS from the same DVD and everything is working fine on that HDD as I write. I disconnected the newer and totally infected HDD (I'm writing this post from the spare CLEAN MAXTOR HDD). Anyway, I downloaded stinger.exe and scanned the Maxtor HDD with it. I downloaded AVG 9 Free and SuperAntiSpyware and ran scans with both on the Maxtor HDD. This spare HDD was totally clean, fortunately! :flowers:

5. I found some instructions on this website to remove the Nimda virus. I put stinger.exe, combofix.exe, hijackthis.exe and the MS-DOS version of the SuperAntiSpyware online scanner program on a formatted, fresh pen drive. I disconnected the clean HDD and attached the infected one (Samsung), and then inserted the pen drive.

6. I logged on to the infected OS in safe mode. Then I clicked on the Stinger icon. Then the following error was displayed - Stinger has been infected and needs to close. None of the .exe files (as I mentioned before) were working! As a last resort, I put combofix.exe on the desktop and clicked it. First it did not open. After a delay of 10 secs... a BIG ERROR WAS SHOWN - - "combofix can not run as riched30.dll is missing, reinstalling the application may fix the problem". But then... somehow... Combofix began loading. Then the first menu came and I clicked to proceed. THEN Combofix said "Your computer is infected by the file patching virus virut, combofix has been infected (or something like that)". Then the Combofix icon just disappeared from the desktop!

7. So as none of the .exe files on the pen drive would work, I turned on that online MS-DOS format SuperAntiSpyware. I couldn't update it as it said something about a firewall blocking it (definitely one of the viruses did this) but I still ran a scan. It found two worm.runouce.exe in the C: drive... I cleaned them and SuperAntiSpyware told me to reboot the PC to complete the removal. I rebooted the PC... but when I scanned again as a precaution with the same SuperAntiSpyware, they were found AGAIN! And this time there were 3! I removed and rebooted again. Then scanned again. The three were still there.

8. I just gave up! NO exe files were working, no dialer in the Network Connections so no internet, Combofix said there was a Virut virus, Stinger was infected itself, there were infected .eml files all over the C drive and there were numerous net1.exe and net.exe running as background processes! I just disconnected the infected hard drive and now I'm safely (I hope!) using my 80GB Maxtor for the time being.




NOW MY PROPOSED SOLUTION would be to put the infected HDD as a slave with the clean one and then completely format it. Every partition. But the problem is I have a huge amount of audio and video on the infected HDD (not in the C but in the E and D partitions)! Would transferring the music and movie files to the clean HDD cause a problem (mind you there's no txt files or html files involved... simply mp3, pdf, avi and flv files)???? Or should I format the whole infected hard drive? I really need those files and I don't think they're infected. :thumbsup: I would instantly format the infected drive as soon as I finish transferring those media files. So tell me, if I do this will there be much of a problem????


PLEASE... I know this site is full of people who actually know about this stuff. Give me some advice. I'm really in a pickle here. I have never been infected with so many viruses! And definitely never by ones with so much destructive potential!





P.S. From next time on I'll always use another hard disk to test out foreign objects and external media before I connect them to my main hard drive. Or are there better ways to test if external media (pen drives, CDs, DVDs, portable HDDs) are infected??????? Should I use my spare HDD to do this in the future, or is there a better and safer way to test these kinds of media? I hadn't even opened the aforementioned DVD and the viruses came flooding in! Please give me some useful methods!!!

P.S.S. Very very STUPID QUESTION... if a HDD remains disconnected from the net and from the computer, do the viruses still multiply during that time??


 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 08 December 2009 - 08:34 PM

.if a HDD remains disconnected from the net and from the computer,,,,do the viruses still multiply during that time??

Yes

Not only would I reformat, I would run a couple passes of zeros over the hard drive
http://www.killdisk.com/
http://www.dban.org/

Would transferring the music and movie files in the clean HDD cause a problem

It is not unheard of. There is no 100% guarantee
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
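
A header check for the file-salvage step asked about in this thread, as an added example that is not part of either post: it copies only files whose extension is one of the four named types (mp3, pdf, avi, flv) and whose leading bytes match that type, and rejects anything that begins with the `MZ` executable marker. The function names and the sample tree are constructed for illustration; a file that passes has the expected header, which is not proof that it is clean.

```python
import shutil, tempfile
from pathlib import Path

SIGNATURES = {  # leading-byte checks for the four file types named in the post
    ".mp3": lambda h: h[:3] == b"ID3" or (len(h) > 1 and h[0] == 0xFF and (h[1] & 0xE0) == 0xE0),
    ".pdf": lambda h: h.startswith(b"%PDF-"),
    ".avi": lambda h: h[:4] == b"RIFF" and h[8:12] == b"AVI ",
    ".flv": lambda h: h.startswith(b"FLV\x01"),
}

def triage(path):
    """Classify one file by extension and leading bytes, without opening it in a player."""
    check = SIGNATURES.get(Path(path).suffix.lower())
    if check is None:
        return "skip-type"            # .exe, .scr, .htm, .eml, ...: never copied
    with open(path, "rb") as f:
        head = f.read(16)
    if head[:2] == b"MZ":
        return "reject-executable"    # Windows program behind a media extension
    return "copy" if check(head) else "reject-mismatch"

def salvage(src_root, dst_root):
    """Copy only files that pass triage; return {relative path: verdict}."""
    src_root, dst_root, report = Path(src_root), Path(dst_root), {}
    for p in sorted(src_root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(src_root)
        report[rel.as_posix()] = verdict = triage(p)
        if verdict == "copy":
            (dst_root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(p, dst_root / rel)  # file data only
    return report

def demo():
    src, dst = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    samples = {  # constructed headers standing in for files on the old data partitions
        "music/song.mp3": b"ID3\x03\x00" + b"\x00" * 11,
        "docs/manual.pdf": b"%PDF-1.4\n",
        "video/clip.avi": b"RIFF\x00\x00\x00\x00AVI LIST",
        "video/movie.flv": b"MZ\x90\x00" + b"\x00" * 12,   # executable renamed to .flv
        "music/readme.eml": b"From: constructed\r\n",
        "music/track2.mp3": b"<html>not audio</html>",
    }
    for name, data in samples.items():
        (src / name).parent.mkdir(parents=True, exist_ok=True)
        (src / name).write_bytes(data)
    return salvage(src, dst), sorted(q.relative_to(dst).as_posix() for q in dst.rglob("*") if q.is_file())
if __name__ == "__main__": print(demo())
```

Run it from the clean installation with the old drive attached as a secondary disk, and scan the destination folder with an up-to-date scanner before opening anything in it.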