Yesterday, I was infected with probably the ugliest breed of virus in computer history (at least, for me). What it did was nothing serious. I downloaded something off the internet and ran it. Spybot gave me a warning about a registry entry and I knew it was a virus. I simply denied it. It popped up again after a few minutes. That confirmed it was a virus, because no other software would prompt again for the same registry entry. I denied it again, and no matter how many times I denied it, it came back after a few minutes. So, I knew it was time for a scan. I scanned and deleted at least 12 virus executables created in various system folders. I deleted them all. I think the virus injected itself into some system executables too, and I deleted those files as well. Everything was going fine. The virus was listed as Win32/Kryptic.AA trojan and WIN32/Rootkit.Agent by my NOD32 AV.
My AV prompted me to restart to delete some files which were too stubborn to be deleted from within Windows. I think those were the system files which were not being deleted. I restarted and I couldn't log in to Windows anymore. On the login screen I typed my password and as soon as I logged in, it logged me out. I was in a login-logout loop. Fortunately, I had another computer. I started looking for solutions. I found solutions like editing the registry, which was not possible as I wasn't able to log in even in safe mode. Other methods needed me to copy some system files from the Windows XP CD to the system folders. I tried all the Linux live CDs I had, but none of them worked on my laptop as it had a widescreen display and X wouldn't recognize it. Finally, PCLinuxOS worked. I copied the system files from another computer to a pen drive and put the pen drive into my laptop, but PCLinuxOS wouldn't recognise it. I was out of luck. Damn! Thanks, Linux.
I tried googling for editing the registry from Linux and found a small distro for just that. I downloaded it. I tried it but it was no good. It edited the registry successfully but it didn't repair the computer. I was still in the login-logout loop.
I tried using UBCD (Ultimate Boot CD) and tried to boot into DOS with CD-ROM support. I burnt a DVD with all the system files from my second computer. I tried copying the files from the DVD to the system32 folder using DOS, but it gave an error. All the doors seemed closed. Formatting was the only option I could think of.
Just when I had lost all hope, something clicked in my mind. I thought to myself, why not try another pen drive on PCLinuxOS, as it was the only OS which booted perfectly on my computer. I inserted another pen drive and by God's grace it worked. I quickly copied all the system files from the second computer to this pen drive. (The main file was userinit.exe, which I think got deleted by NOD32 in the process of removing the malware. So, it was not the malware/virus that had caused the login-logoff loop but the AV.) I inserted it into my laptop, copied all the system files to their respective folders, restarted and voila! I was in Windows. I felt stupid and proud at the same time. Stupid for not thinking of using another pen drive before. And proud to have mended my computer without formatting (I bet most people would've formatted it).
The problem wasn't over. As soon as I booted into Windows, Spybot started showing those prompts again. I knew if I restarted again, I would have to face the same thing all over again. So, I downloaded Malwarebytes Anti-Malware, which is known as a very good anti-malware program. I updated it and did a full scan, but it seemed to take too much time, so I stopped it when it had already scanned 100,000 files and found only 2 infections. I did a quick scan, and it found over 50 infections in under a minute. I cleared them all, then scanned again to confirm they were removed.
For even greater security, I typed sfc /scannow at the command line. It's a tool which checks system file integrity and, if any file has been tampered with, replaces it with the original file. It didn't find any problems.
I still haven't rebooted my computer, but I am confident that the virus is gone. This is how I mended the login-logoff loop.
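As an added example that is not part of the original post, here is a pre-reboot check in Windows PowerShell for the failure described above: it confirms that the Winlogon registry values still point at the default binaries and that those binaries (userinit.exe in particular) actually exist on disk, so a cleanup that deleted a referenced file is caught before the next login. It assumes default Windows paths, the standard Winlogon key, and an elevated session; the expected values are the Windows defaults, so any legitimate customisation is reported too.

```powershell
# Added example, not code from the original post. Pre-reboot sanity check for
# the login/logoff loop: Winlogon must point at binaries that are present.
# Assumes default Windows paths and an elevated Windows PowerShell session.
$sys32    = Join-Path $env:SystemRoot 'System32'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Windows defaults. If Userinit names a file that no longer exists (the post's
# case: the AV removed userinit.exe), Winlogon has nothing to start and the
# session is torn down immediately after the password is accepted.
$expected = @{
    Userinit = (Join-Path $sys32 'userinit.exe')   # stored as "...\userinit.exe,"
    Shell    = 'explorer.exe'
}
$binaries = @{
    'userinit.exe' = Join-Path $sys32 'userinit.exe'
    'explorer.exe' = Join-Path $env:SystemRoot 'explorer.exe'
}

$problems = @()

foreach ($name in $expected.Keys) {
    $props  = Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue
    $actual = if ($props) { [string]$props.$name } else { '' }
    # The values are comma-separated lists; a single default entry is expected.
    $entries = @($actual.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -ne 1 -or $entries[0] -ne $expected[$name]) {
        $problems += "Winlogon\$name is '$actual' (expected '$($expected[$name])')"
    }
}

foreach ($name in $binaries.Keys) {
    if (-not (Test-Path -LiteralPath $binaries[$name] -PathType Leaf)) {
        $problems += "$($binaries[$name]) is missing; restore it before rebooting"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'Winlogon configuration and binaries look intact; safe to reboot.'
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
    Write-Output 'Fix the above, then run "sfc /scannow" again before rebooting.'
}
```

Run it after the malware scan and sfc pass but before restarting; a reported problem means a reboot would most likely reproduce the loop.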
UPDATE: The computer logged in fine. I just restarted it.