Simon Wistow (deflatermouse) wrote,
Simon Wistow

Cure for the Itch

For future reference, for the intellectual embetterment of others and for troubled souls searching for answers I commit this to digital bits.

I did a friend a favour the other day and helped him install some software on a phone using a SD card. Unfortunately his SD card had a virus on it (my first since, ooh, about 1993 I think) that my AV software didn't know about.

I first started noticing that things were a bit sluggish although this was Windows so ... then I did what actually turned out to be the dumb thing and rebooted.

At this point I started noticing that I was getting pop ups for WinSysProtect or similar. "Hmm," I thought. Then I started getting Error 216 dialogs everywhere. I disconnected the machine from the network immediately and went searching for answers using a handy Mac.

It appeared I had picked up a trojan called Vundo which seemed to be fairly well known. Most sites on the matter recommended a piece of software called VundoFix which I transferred using a USB key (which I promptly burnt, encased in molten glass and then dumped in a cave somewhere at sea) and sure enough it found the infected files.

The only problem was that this variant of Vundo had attached itself to the winlogon process which meant I couldn't delete it since it was "In Use". Unfortunately winlogon is practically the first thing to start up and therefore booting into SafeMode or similar doesn't help.

At this point I was facing either reformatting or risking using a Knoppix Live cd with Captive NTFS or NTFS-3G both of which made me nervous.

However I found a bit of software called Avenger which allows you to write a small script and then reboot. The script is then executed before winlogon.

This worked a treat and a subsequent thorough scan with every bit AV and Anti-Malware software I could lay my hands on indicated I was now squeaky clean.

So, if you end up in the same situation then I can recommend the above.
Tags: antivirus, av, avenger, error 216, sysprotect, virus, vundo, vundofix, winsysprotect

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 1 comment