# ComboFix on external HD - VIRUT worm



## Messdup

Hey!

I downloaded what I thought to be a pdf file in an .exe archive and was stupid enough to run it. I got the expected extraction dialog but once it ran, I received several error messages from my AV software followed by a blue screen.

I restarted in safe mode trying to restore but all restore points were gone! I then downloaded ComboFix, SuperAntiSpyware and Malwarebytes on another system, copied and installed all programs and ran full scans with each of them. Each of them found something else, removed it and when I restarted I first thought I was all set, but then it just started to get much weirder. 

My McAfee was disabled and could not be re-enabled. My browser gave me funny results and my desktop filled with shortcuts to porn sites. 

I removed the system's boot drive and put it into an external housing. Right now I'm running CureIt on it from another system. Now I would also like to *run ComboFix on the external drive* but I wonder how to do this.

I got the Win32.Virut virus in what seems to be almost ALL my exe files. Do you know if this can reliably be fixed? It will cost me at least a week restoring the entire system and re-installing all my programs. It would be MUCH better not having to re-install.

THANKS!
Messdup


----------



## Messdup

*Re: Win32/Virut worm / virus*

I still don't know how to run Combofix on an external drive, BUT I was able to remove the Win32/Virut virus from my system with CureIt. 

The virus had infected over 400 executables and CurIt removed the piece of code that causes the redirect. Everything seems to run normal again except for some access problems and an error message every time I shut down or restart the system. 

The virus had put an item called "dnusax.exe" in my startup folder and I was unable to save changes in msconfig. I had to uninstall McAfee in order make changes BUT the entry came back after restarting. I then removed all entries from the registry, booted into safe mode and also deleted the entry directly from the startup group. That seemed to do the job.

I'm still getting an error when I shut down: 

"The instruction at "..." referenced memory at "...". The memory could not be "read"". 

The numbers are always different. I haven't found the cause of it yet and none of the scanners finds a problem in my system anymore. 

Man, these viruses get more and more nasty. This one is the toughest yet.


----------



## Ried

Hello Messdup,

You're not going to like what I have to say. You do have one of the nastiest out there - Virut is a polymorphic file infector which affects the executable files (.exe), screensaver files (.scr), .htm, and .html files, *including critical Windows system files*, corrupting them beyond repair in most cases. Many security experts agree that a clean reformat is the only way to clean the infection and return the machine to its normal working state.

Have a look at our colleague miekiemoes' blog for similar comments and more detailed links about Virut *here*

All it takes is one file being missed by DrWebCureit or any other AV that claims to clean Virut, and the infection will rip through your system again. You would be well advised to backup all your personal data (documents, pictures ). DO NOT backup any executable files, i.e. software installers(*.exe), screensavers (*.scr), .htm, or .html files.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too. Burn your backups to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.

=============================

ComboFix _will not _disinfect Virut so I'm not going to discuss running that tool with you at this stage. Run an online scan and let's see what Kaspersky has to say.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at *Kaspersky Online Scanner* 

* **Note***

To optimize scanning time and produce a more sensible report for review:
 Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click *Accept*, when prompted to download and install the program files and database of malware definitions. 
Click *Run* at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View scan report* at the bottom.
Click the *Save Report As...* button.
Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply.


----------

