May 26, 2009
Fight with a virus.. it was terrible
Yesterday, I was infected with probably the ugliest breed of virus in computer history (at least, for me). What it did was nothing serious. I downloaded something off the internet and ran it. Spybot gave me a warning about a registry entry and I knew it was a virus. I simply denied it. It popped up again after a few minutes. That confirmed it was a virus, because no other software would prompt again for the registry entry. I denied it again, and no matter how many times I denied it, it came back after a few minutes. So I knew it was time for scanning. I scanned and deleted at least 12 virus executables created in various system folders. I deleted them all. I think the virus injected itself into some system executables too, and I deleted those files too. Everything was going fine. The virus was listed as Win32/Kryptic.AA trojan and WIN32/Rootkit.Agent by my NOD32 AV.
My AV prompted me to restart to delete some files which were too stubborn to be deleted in Windows. I think those were the system files which were not being deleted. I restarted and I couldn't log in to Windows anymore. On the login screen I typed my password and as soon as I logged in, it logged me out. I was in a login-logout loop. Fortunately, I had another computer. I started looking for solutions. I found solutions like editing the registry, which was not possible as I wasn't able to log in even in safe mode. Other methods needed me to copy some system files from the Windows XP CD to the system folders. I tried all the Linux live CDs but none of them worked on my laptop as it had a widescreen and X wouldn't recognize it. Finally, PCLinuxOS worked. I copied the system files from another computer to a pen drive and put the pen drive back onto my laptop, but PCLinuxOS wouldn't recognise it. I was out of luck. Damn! Thanks, Linux.
I tried googling for editing the registry in Linux and found a small distro for just that. I downloaded it. I tried it but it was no good. It edited the registry successfully but it didn't repair the computer. I was still in the login-logout loop.
I tried using UBCD (Ultimate Boot CD) and tried to boot into DOS with CD-ROM support. I burnt a DVD with all the system files from my second computer. I tried copying the files from the DVD to the system32 folder using DOS but it gave an error. All the doors seemed closed. I could only think of formatting.
Just when I had lost all hope, something clicked in my mind. I thought to myself, why not try another pen drive on PCLinuxOS, as it was the only OS which booted perfectly on my computer. I inserted another pen drive and by God's grace it worked. I quickly copied all the system files (the main file was userinit.exe, which I think got deleted by NOD32 in the process of removing the malware. So it was not the malware/virus that had caused the login-logoff loop but the AV) from the second computer to this pen drive. Inserted it into my laptop, copied all the system files to their respective folders, restarted and voila! I was into Windows. I felt stupid and proud at the same time. Stupid for not thinking of using another pen drive before. And proud to have mended my computer without formatting (I bet most people would've formatted it).
The problem wasn't over. As soon as I booted into Windows, Spybot started showing those prompts again. I knew if I restarted again, I would have to face the same thing all over again. So I downloaded Malwarebytes Anti-Malware, which is known as a very good anti-malware software. I updated it and did a full scan, but it seemed to take too much time. So I stopped it when it had already scanned 100,000 files and found only 2 infections. I did a quick scan, and it found over 50 infections in under a minute. I cleared them all. I scanned again to confirm that they were removed.
For even greater security, I typed sfc /scannow in the command line. It's an application which checks system file integrity and, if any file has been tampered with, replaces it with the original file. It didn't find any problems.
I still haven't rebooted my computer. But I am confident that the virus is gone. This is how I mended the login-logoff loop.
UPDATE: The computer logged in fine. I just restarted it.
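The post restores userinit.exe and explorer.exe by copying them from a second, clean machine. As an added example (not from the post), here is the check a practitioner would run first: hash the named files on the suspect system against the known-good copies and report which are missing (the login-logoff loop case) or modified (injected). The directory layout and file contents in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Files the post's author says the malware injected itself into and that
# had to be restored from a second machine (relative to the Windows folder).
WATCHED = ["system32/userinit.exe", "explorer.exe"]


def sha256_file(path: Path) -> Optional[str]:
    """Hash a file in chunks; None if it does not exist (e.g. deleted by the AV)."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_system_files(reference_root: Path, suspect_root: Path, names=WATCHED) -> dict:
    """Classify each watched file on the suspect system against a clean copy.

    'missing'      : absent on the suspect system (nothing left to run at logon)
    'modified'     : present but its hash differs from the clean copy
    'ok'           : identical to the clean copy
    'no_reference' : the clean machine has no such file, so nothing to compare
    """
    report = {}
    for name in names:
        ref = sha256_file(reference_root / name)
        sus = sha256_file(suspect_root / name)
        if ref is None:
            report[name] = "no_reference"
        elif sus is None:
            report[name] = "missing"
        elif sus != ref:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Constructed sample: a clean reference tree, and a suspect tree where
    userinit.exe is gone and explorer.exe has extra bytes appended."""
    tmp = Path(tempfile.mkdtemp())
    ref, sus = tmp / "clean", tmp / "suspect"
    for root in (ref, sus):
        (root / "system32").mkdir(parents=True)
    (ref / "system32" / "userinit.exe").write_bytes(b"MZ-userinit-clean")
    (ref / "explorer.exe").write_bytes(b"MZ-explorer-clean")
    (sus / "explorer.exe").write_bytes(b"MZ-explorer-clean" + b"INJECTED")
    return compare_system_files(ref, sus)
```

On a real system, point the two roots at the mounted suspect Windows folder and at the clean machine's copy (same Windows version and service pack), and only copy over the files reported as missing or modified.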
I think viruses are now making viruses that inject themselves into normal exes to make them viruses.. Last time I got 2 types of Sality virus on my PC and removing it was really hard and destroyed most of my exe apps.
@ Pri2sh : Yeah, it injected itself into userinit.exe and explorer.exe.
They are making really hard-to-get-rid-of viruses.
@My Amazing weight loss story:
Thanks, will be posting more regularly.
Hi, gr8 post thanks for posting. Information is useful!
Hi. I like the way you write. Will you post some more articles?
Thanks everyone. Glad you people appreciated.
This is by far the most helpful post I have found on this extremely irritating issue, but I have one question: when you say "copied all the system files to their respective folders"… do you mean everything in c:\$SYSTEMROOT$\system32 or are there others you are referring to?
Thank you
I replaced these files:
C:\windows\system32\userinit.exe
C:\windows\system32\loginui.exe
C:\Windows\Explorer.exe
And everything booted normally.
Even after my attempt with Malwarebytes anti-virus, it sucks.
After some time all the anti-virus I had installed are gone
and the story of the login-logoff loop continued.
Can you please suggest me any way of bleeding out of my PC.. I am helpless.
I had installed XP Professional, Home, everything I can.
But I am helpless.