Removing the XPAntivirus bug that's going around
Five laptops in one week to remove this little darling from. My, people do click some funny emails.
To kill this wee begger and its friends (from WinXP), do this {I take no responsibility if you cabbage your PC though}:
1) Scan the HD out of band if you can, i.e. remove it and use a USB-to-IDE/SATA adapter if you've got one, or build a BartPE CD with the latest version of ClamAV on it, boot from the CD and scan from that. A scan run from inside the infected Windows install can be blinded by the malware's own startup hooks; a scan from a clean boot environment cannot.
2) Once scanned out-of-band, boot back up into safe mode (F8 repeatedly while turning the pc on)
3) Run regedit and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
4) In here is an entry 'Userinit'. It should normally contain only 'C:\WINDOWS\system32\userinit.exe,' (note the trailing comma). If anything else is appended to that line, remove it and take the value back to the trailing ',' after userinit.exe. Winlogon launches whatever is listed here at every logon, safe mode included, which is how this bug survives a safe-mode boot and why the out-of-band scan in (1) matters.
5) Then go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Back up this key first (File > Export in regedit) and then clean out anything you think is remotely dodgy. Do the same for HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
6) If you weren't able to log in during (2) as the first infected user, the above steps can be done as the local admin. Once they are done, to get into the other (network) accounts, reboot and go into safe mode with networking. You can then sign in as the network users and use regedit to clean out HKCU\Software\Microsoft\Windows\CurrentVersion\Run for each other affected user.
7) Now that the registry is clean, reboot into normal mode and run a local virus scan. Then download and install Spybot 1.6 from www.safer-networking.org and let Spybot clean out some more crap from the registry.
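Steps 3 to 6 can be scripted so you don't have to eyeball the keys by hand on every laptop. The following is an added example, not part of the original post: it checks the Winlogon Userinit value against the expected one, optionally restores it, exports each Run key with reg.exe before you touch anything, and lists the Run entries. It assumes PowerShell 2.0 has been installed on the XP box (XP does not ship with it) and that you run it from an administrator session in safe mode. The "check" flag on entries launched from a profile or temp directory is my own heuristic, not something the post describes; it only draws attention, it deletes nothing.

```powershell
# Added example (not from the original post). Audits the Winlogon Userinit
# value and the three Run keys from steps 3-6, backing each key up first.
# Assumes Windows XP + PowerShell 2.0, run as an administrator in safe mode.
param([switch]$Fix)   # -Fix restores Userinit; Run keys are only listed

# Expected Userinit: "<SystemRoot>\system32\userinit.exe," (trailing comma)
$expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($userinit -ieq $expected) {
    Write-Host "Userinit OK: $userinit"
} else {
    Write-Host "Userinit TAMPERED: $userinit"
    Write-Host "  expected:        $expected"
    if ($Fix) {
        Set-ItemProperty -Path $winlogon -Name Userinit -Value $expected
        Write-Host "  restored."
    }
}

# HKEY_USERS is not mapped as a drive by default; add it so .DEFAULT is reachable
if (-not (Test-Path HKU:)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$backupDir = Join-Path $env:SystemDrive 'runkey-backup'   # assumed location
if (-not (Test-Path $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

foreach ($key in $runKeys) {
    $psPath = $key -replace '^(HKLM|HKCU|HKU)\\', '$1:\'
    if (-not (Test-Path $psPath)) { continue }

    # Step 5: back the key up with reg.exe before anything is removed by hand
    $file = Join-Path $backupDir (($key -replace '[\\:]', '_') + '.reg')
    if (Test-Path $file) { Remove-Item $file }
    & reg.exe export $key $file | Out-Null
    Write-Host "`n$key  (backed up to $file)"

    $props = Get-ItemProperty -Path $psPath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        # Heuristic (my assumption): autoruns pointing into a user profile or
        # temp directory deserve a closer look before you decide to delete them.
        $suspect = $p.Value -match '(?i)\\(Documents and Settings|Temp|Local Settings)\\'
        $flag = if ($suspect) { '   <-- check' } else { '' }
        Write-Host ("  {0} = {1}{2}" -f $p.Name, $p.Value, $flag)
    }
}
```

Run it once without -Fix to see what it finds, delete the Run entries you don't recognise in regedit, then run it with -Fix to put Userinit back. The exported .reg files in the backup directory can be double-clicked to put an entry back if you remove something you shouldn't have.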
Ta-Daa. Virus gone but not forgotten.
IMHO Symantec Enterprise 11 MR2 does a nice job of ferreting out the nasties out-of-band, and Spybot does a good job of the cleanup afterwards. AVG 8 works OK too in-band, though I haven't had to use it in anger out-of-band yet.