There is a utility that can detect and remove Backdoor.Win32.Sinowal.deg and some of its modifications, even on a system where the infection is active.
This malware family behaves very stealthily and cannot be detected on an infected computer by standard means: it hides the infected objects "behind" their original copies, so reading them returns clean content.
In addition, the main body of the malicious program (a kernel-level driver) is not present in the file system at all. It resides in the unused area beyond the last partition of the hard disk. The malware does not use the operating system to start its driver; the driver is started independently from the infected boot sector (MBR), before the operating system loads, so the operating system is not aware of its presence.
Although it has almost no visible symptoms that a user would notice, malware belonging to the Backdoor.Win32.Sinowal family poses a serious threat, because it opens remote access to the infected PC for attackers.
To detect and remove Backdoor.Win32.Sinowal.deg from a system:
- Download the utility antiboot.zip and extract the files from the archive using an archiver (for example, WinZip).
- Run the file antiboot.exe.
- When started on an infected PC, antiboot.exe displays the following messages:

- Press y when prompted to cure the system.
The utility will perform disinfection and prompt for a reboot:

Press y and then Enter to reboot.
Because of the way this malware is installed, its removal takes place while the PC is booting. You can decline the reboot; in that case the malicious program remains active until you shut down or restart the PC through the operating system (Start > Shut down > Restart). The PC is disinfected on the next reboot.
When started on a PC that is NOT infected, the utility displays the message "No infected disks found".

Optional command line parameters of the utility antiboot.exe:
-l <file_name>, where file_name is the name of the utility's log file.
In addition to the log, the utility writes boot sector (MBR) dumps of the disks it found infected.
The dump files are named <file_name>.origmbrXX and <file_name>.curedmbrXX.
The *.origmbrXX files contain copies of the original MBR (before disinfection).
The *.curedmbrXX files contain copies of the cured MBR.
The number XX depends on the location of the hard disk drive on the PCI bus.
-p <folder_name> - write MBR dump files of all hard disk drives (not only infected ones) into the folder folder_name.
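The origmbrXX/curedmbrXX pairs are the artefacts an analyst will want to inspect after a cure: the boot code (the first 446 bytes) should differ, while the partition table and the 0x55AA signature must be identical, otherwise the disk may no longer boot. The following Python script is an added example, not part of the antiboot utility or of this article; it assumes each dump is a raw 512-byte sector image (an assumption about the utility's dump format), parses both copies, reports how the boot code changed, and, given the disk size in sectors, computes how much unallocated space lies beyond the last partition, which is where the article says the driver body is stored. The sample MBRs are constructed in the script itself; the byte patterns are placeholders, not real boot code or malware code.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code, the part an MBR rootkit overwrites
PART_TABLE_OFF = 446     # 4 entries x 16 bytes
SIGNATURE_OFF = 510      # 0x55AA boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, non-empty partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "boot_code": mbr[:BOOT_CODE_LEN],
        "partitions": parts,
        "valid_signature": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def compare_mbr_dumps(orig: bytes, cured: bytes) -> dict:
    """Summarise how the cured MBR differs from the original (infected) copy.

    A correct cure restores the boot code but leaves the partition table and
    the boot signature untouched; any change there is a red flag.
    """
    o, c = parse_mbr(orig), parse_mbr(cured)
    diff_offsets = [i for i in range(BOOT_CODE_LEN) if orig[i] != cured[i]]
    return {
        "boot_code_changed": bool(diff_offsets),
        "changed_bytes": len(diff_offsets),
        "first_diff_offset": diff_offsets[0] if diff_offsets else None,
        "partition_table_identical":
            orig[PART_TABLE_OFF:SIGNATURE_OFF] == cured[PART_TABLE_OFF:SIGNATURE_OFF],
        "both_signatures_valid": o["valid_signature"] and c["valid_signature"],
    }


def sectors_after_last_partition(mbr: bytes, disk_sectors: int) -> int:
    """Size (in sectors) of the unallocated tail beyond the last partition."""
    parts = parse_mbr(mbr)["partitions"]
    if not parts:
        return disk_sectors
    end = max(p["lba_start"] + p["sectors"] for p in parts)
    return max(disk_sectors - end, 0)


def _make_mbr(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed test MBR: boot code + partition entries + signature."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b""
    for status, ptype, lba, count in entries:
        # CHS fields are set to 0xFFFFFF, as modern tools do for LBA-only entries
        table += struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                             b"\xff\xff\xff", lba, count)
    return body + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed sample (hypothetical disk): one bootable NTFS partition (type 0x07)
# starting at LBA 2048 with 20,971,520 sectors, on a disk that has 4096 spare
# sectors after it.
SAMPLE_PARTS = [(0x80, 0x07, 2048, 20_971_520)]
SAMPLE_DISK_SECTORS = 2048 + 20_971_520 + 4096

# Placeholder boot code for the cured copy (a counting pattern, not real code).
CURED_MBR = _make_mbr((bytes(range(256)) * 2)[:BOOT_CODE_LEN], SAMPLE_PARTS)
# "Original" (infected) copy: same partition table, first 64 bytes of boot code
# replaced by a filler pattern standing in for the rootkit's loader.
ORIG_MBR = _make_mbr(b"\x90" * 64 + CURED_MBR[64:BOOT_CODE_LEN], SAMPLE_PARTS)


if __name__ == "__main__":
    # To check real dumps: open(<file_name>.origmbr01, "rb").read() etc.
    print(compare_mbr_dumps(ORIG_MBR, CURED_MBR))
    print("unallocated tail sectors:", sectors_after_last_partition(CURED_MBR, SAMPLE_DISK_SECTORS))
```

On real dumps, replace the constructed ORIG_MBR/CURED_MBR with the contents of the origmbrXX and curedmbrXX files; the disk sector count has to be obtained separately (for example from the disk's reported capacity), since the MBR itself does not record it.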