phani said:
True. It messed up the registry and now I cannot see any option other
than to format my system.
It's a painful task and I am not ready for it yet. A lot of things change,
and one major worry is whether I lose my Vista license if I do a clean
re-install. My Vista (licensed version) is already validated and
activated. If I format and re-install, will that be counted as a second
license or not?
I do use Windows Mail and I am getting "undeliverable message" notices and
messages saying that a message could not be sent due to a virus.
I do continuously check for updates, and I am kept up to date on security
patches, Service Packs and other things from Microsoft Update online
automatically.
Now that the system and network are infected, do I run the risk of losing
the data? If yes, there is a chance that the backup I take will also
contain this virus. So it's all the more important that I remove the
virus first. Is there any standalone tool to remove this virus? How do I
clean up this mess?
People I communicate with already say that they are getting messages
with a virus from me. It's a big problem for me now.
Of course you run the risk of losing data. When this is over, create and
implement a good backup strategy.
Disconnect all machines from the network and clean each one up. You can
retrieve the data first with a Linux distro running from a live CD (see
below). Then go through the malware removal steps systematically on each
machine. Do not connect any of the machines to the network until you are
100% sure they are all clean. If you can't do any of this - and there is
no shame in admitting this isn't your cup of tea since we all have our
areas of expertise - have a local computer professional come on-site and
fix you up properly. This will not be someone from a
BigComputerStore/GeekSquad type of place. Get recommendations from
friends and colleagues. Do not wait to disconnect the machines from the
network - do it now! Get all necessary tools, rescue systems, etc. from
a different and known-clean machine that was not ever connected to your
network.
A. Data retrieval
Boot the target computer with either a Bart's PE or a Linux live cd such
as Knoppix and retrieve the data that way. Here is general information
on using Knoppix for this:
You will need a computer with two cd drives, one of which is a cd/dvd-rw
OR a usb thumb drive with enough capacity to hold your data OR an
external usb/firewire hard drive formatted FAT32 (not NTFS). To get
Knoppix, you need a computer with a fast Internet connection and
third-party burning software. Download the Knoppix .iso and create your
bootable cd. Then boot with it and it will be able to see the Windows
files. If you are using the usb thumb drive or the external hard drive,
right-click on its icon (on the Desktop) to get its properties and
uncheck the box that says "Read Only". Then click on it to open it. Note
that the default mouse action in the window manager used by Knoppix
(KDE) is a single click to open instead of the traditional MS Windows'
double-click. Otherwise, use the K3b burning program to burn the files
to cd/dvd-r's.
http://www.knoppix.net
http://www.nu2.nu/pebuilder/ - Bart's PE Builder
B. Malware removal
Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware
Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.
http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
- download site
The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.
You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html
When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).
Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.
The only alternative to going through the malware removal tediously and
systematically, possibly with online help from an HJT forum, or having
the machines handled by a real professional, is to back up your data and
do a clean install of Windows. It's your call.
Malke
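The data-retrieval step above (boot a live CD, mount the Windows disk, copy the data to a FAT32 drive) and phani's worry that the backup will carry the virus along, worked through as an added shell example. This is not code from either poster; it assumes a Knoppix-style live environment with a root shell and hypothetical device names /dev/sda1 (the Windows partition) and /dev/sdb1 (the external FAT32 drive). The list of excluded file-name patterns and the sample directory tree are my own choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: pull a user's documents off an infected
# Windows disk from a Knoppix-style live CD onto a FAT32 external drive,
# leaving behind the file types that e-mail worms typically arrive as.
# Hypothetical device names: /dev/sda1 = Windows partition, /dev/sdb1 = the
# external FAT32 drive.  Check yours with "fdisk -l" before mounting anything.

# FAT32 cannot store a single file of 4 GiB or larger.
FAT32_MAX_BYTES=4294967296

# Mount the Windows partition read-only with noexec, so nothing on it can be
# run or changed (it stays intact for the clean-up steps), and the target rw.
mount_disks() {
    win_dev=$1; ext_dev=$2
    mkdir -p /mnt/windows /mnt/backup
    mount -o ro,noexec,nodev,nosuid "$win_dev" /mnt/windows
    mount -o rw,noexec,nodev,nosuid "$ext_dev" /mnt/backup
}

# Succeed when NAME (any case) is an executable/script type or an autorun
# file.  Programs get reinstalled later from trusted media, not from this disk.
is_excluded() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.exe|*.scr|*.pif|*.com|*.bat|*.cmd|*.vbs|*.dll|*.sys|autorun.inf) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when a file of SIZE bytes fits on FAT32.
fits_fat32_bytes() {
    [ "$1" -lt "$FAT32_MAX_BYTES" ]
}

# Copy regular files under SRC to DST, keeping the directory layout and the
# timestamps, skipping excluded names and files too big for FAT32.  Writes
# DST/copied.txt and DST/skipped.txt for review and prints the number copied.
copy_user_data() {
    src=${1%/}; dst=${2%/}
    mkdir -p "$dst"
    : > "$dst/copied.txt"
    : > "$dst/skipped.txt"
    find "$src" -type f -print | while IFS= read -r f; do
        rel=${f#"$src"/}
        size=$(wc -c < "$f" | tr -d ' ')
        if is_excluded "$(basename "$f")"; then
            printf 'excluded %s\n' "$rel" >> "$dst/skipped.txt"
        elif ! fits_fat32_bytes "$size"; then
            printf 'too-big-for-fat32 %s\n' "$rel" >> "$dst/skipped.txt"
        else
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
            printf '%s\n' "$rel" >> "$dst/copied.txt"
        fi
    done
    wc -l < "$dst/copied.txt" | tr -d ' '
}

# Run on the live CD as root:  sh retrieve.sh run
# Vista keeps user profiles under \Users; adjust the path for other versions.
case "${1:-}" in
    run)
        mount_disks /dev/sda1 /dev/sdb1
        copy_user_data /mnt/windows/Users /mnt/backup/Users
        sync; umount /mnt/backup
        ;;
esac
```

The read-only, noexec mount is the part that matters most: it guarantees the live session never runs anything from the infected disk and never alters it, so the malware removal steps that follow see the machine as it was. Files listed in skipped.txt as too big for FAT32 need a DVD-R or an NTFS/ext-formatted target instead, as the post notes for the K3b route.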