System Volume Information affected with W32.Unruy!gen1 Virus


2 replies to this topic

#1 Monsfranc


  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 26 June 2010 - 12:37 PM

Hello All

My laptop is affected with the W32.Unruy!gen1 virus; every time I reboot my PC, NAV displays the message below. NAV is able to detect it but not able to delete it permanently.

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: W32.Unruy!gen1
File: C:\System Volume Information\Microsoft\services.exe
Location: C:\System Volume Information\Microsoft
Computer: LOCAL1
User: PRO\SYSTEM
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Saturday, June 26, 2010 6:14:41 PM

Also I am seeing lots of IE/Chrome sessions connecting to various websites. I don't know what's happening with the system.

I am running XP SP3 and have already disabled the System Restore service, but NAV is still unable to delete the virus permanently.

Can somebody help me remove this virus and stop the IE/Chrome sessions connecting to various sites automatically?

I have deployed a personal firewall; it clearly shows the sessions (IE/Chrome sessions) connecting to various sites (which I am blocking manually every time, which is really a pain).

Please, somebody help!!!

Thanks in Advance
Affected User

Edited by Orange Blossom, 26 June 2010 - 02:36 PM.
Move to AII as no logs posted and prep. guide not followed. ~ OB



#2 Quads


  • Members
  • 86 posts
  • OFFLINE
  • Gender:Male
  • Location:CHCH New Zealand
  • Local time:07:51 AM

Posted 06 July 2010 - 04:08 AM

To help the malware removal guys, as I have not got permission yet to do malware removal:

There is a high probability that a bootkit is behind the repeated file creation.

I tested one that creates files like that, and Norton detects the installer (so I could infect my PC with it) as well, under the name "W32.Unruy!gen1".

Quads

#3 Elise

Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:51 PM

Posted 07 July 2010 - 03:53 AM

This is indeed a bootkit/whistler infection.

@ Quads, caution is needed for this infection, since it hooks up the MBR of the disk. If you do not clean that properly, you might end up with an unrecognized/unbootable drive.

@ Monsfranc,

NEVER disable System Restore before attempting to clean an infection! If something goes wrong, you don't have any way to restore your computer to an earlier point. System restore should be reset once a computer is cleaned up.


Please download 7zip and install the program on your computer (we need this program in order to be able to unzip a tool).


When 7zip is successfully installed, please download bootkit_remover.rar and save the file to your desktop.

Right click on the file and select "extract/unzip here".

This will create two readme files and remover.exe on your desktop.
Double click on remover.exe; a command window will open. Please copy/paste the text under "MBR Status" and post that in your next reply.

Edited by elise025, 07 July 2010 - 03:56 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
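The posts above explain that this infection hooks the MBR and ask for the "MBR Status" output that remover.exe prints. As an added example (it is not code from this thread and not the bootkit_remover tool), here is a small Python script that performs the same kind of check on a raw 512-byte MBR sector: it parses the partition table, verifies the 0x55AA boot signature, and compares a hash of the boot code against a known-good baseline captured from a clean install. The sample sectors, the disk signature and the baseline hash are constructed inline; `read_mbr()` and the device paths in the usage note are assumptions for applying it to a real disk.

```python
"""Inspect a 512-byte MBR sector and flag signs of tampering.

Added example, not part of the BleepingComputer thread or of the
bootkit_remover tool it mentions. The sample sectors below are
constructed; the "known-good" hash is a baseline you capture from a
clean install of the same OS, not a published value.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: boot loader code
DISK_SIG_OFF = 440            # bytes 440-443: Windows disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot code, disk signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status = sector[off]          # 0x80 = active/bootable, 0x00 = inactive
        ptype = sector[off + 4]       # partition type id (0x07 = NTFS/exFAT)
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        partitions.append({
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["has_boot_signature"]:
        findings.append("missing 0x55AA boot signature at offset 510")
    if mbr["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code hash does not match the known-good baseline "
                        "(loader overwritten, as an MBR bootkit does)")
    used = [p for p in mbr["partitions"] if p["type"] != 0x00]
    if not any(p["bootable"] for p in used):
        findings.append("no partition is marked active")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition is marked active")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02X}")
        if p["type"] != 0x00 and p["sectors"] == 0:
            findings.append(f"partition {i}: zero-length partition")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a disk image or block device (a live disk needs admin/root)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


# --- constructed sample data ----------------------------------------------
# Clean loader: a real MBR starts with code like this (xor ax,ax / mov ss,ax /
# mov sp,7C00); the rest is zero-padded here to keep the sample short.
_CLEAN_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x00" * (BOOT_CODE_LEN - 7)
_DISK_SIG = struct.pack("<I", 0xDEADBEEF)  # constructed disk signature
# One active NTFS (type 0x07) partition starting at LBA 63, 40,000,000 sectors.
_PART0 = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 40_000_000)
_EMPTY = b"\x00" * 16

CLEAN_MBR = _CLEAN_CODE + _DISK_SIG + b"\x00\x00" + _PART0 + _EMPTY * 3 + BOOT_SIGNATURE
KNOWN_GOOD_SHA256 = hashlib.sha256(_CLEAN_CODE).hexdigest()  # the baseline

# Tampered copy: the first loader bytes replaced with constructed filler (not a
# real bootkit's code); the partition table and boot signature stay intact, so
# only the hash comparison catches it, as with a real hooked MBR.
_HOOKED_CODE = b"\xEA\x00\x7C\x00\x00" + _CLEAN_CODE[5:]
HOOKED_MBR = _HOOKED_CODE + CLEAN_MBR[BOOT_CODE_LEN:]


if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("hooked", HOOKED_MBR)):
        print(name, assess_mbr(sec, KNOWN_GOOD_SHA256) or ["no findings"])
```

To run it against a real disk, call `read_mbr(r"\\.\PhysicalDrive0")` from an elevated prompt on Windows or `read_mbr("/dev/sda")` as root on Linux, and supply the hash you recorded from a known-clean machine of the same OS version. A mismatch only tells you the loader differs from the baseline (a legitimate boot manager does that too); as Elise notes above, repairing an MBR carelessly can leave the drive unbootable, so the finding is what you hand to the removal team, not a cue to overwrite sector 0 yourself.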