Livecd 5.03 Problem
Author: MarkMarques, May 21 2010 10:21
9 replies in this topic
#1
Posted 21 May 2010 - 10:21
Hi ...
Sorry for not writing in Russian ...
But recently after downloading the last version 5.0.3
of the LiveCD I got a strange surprise...
The CD is great ...
but apparently the last version does not delete the virus files....
Usually I use the SAFE mode (text mode) option
and call drweb in the command line...
options : -ni -cud -fl -ar- -al -ok- -path=/disk/mnt/*
It takes several hours; at the end it reports some virus (same number in deleted files).
After a reboot, if I make the same option, I still have the same virus!!!
The machines are Windows and have the HLLW.shadow.based virus (conficker) ...
Using CureIT! in Windows, even in safe mode, the virus is still present ... :(
What am I doing wrong?
DrWeb general question: does drweb delete the erroneous entry in the Registry due to Conficker (HLLW.shadow based virus)?
#2
Posted 21 May 2010 - 10:26
Did you install all updates for Windows?
Personal site about Encoders - http://vmartyanov.ru/
#3
Posted 21 May 2010 - 10:35
Install its updates
http://www.microsoft.com/technet/security/...n/ms08-067.mspx
http://www.microsoft.com/technet/security/...n/ms08-068.mspx
http://www.microsoft.com/technet/security/...n/ms09-001.mspx
Disable inet connection and check your PC with Dr.Web CureIT
wiki https://drw.sh/endjcv | Utilities https://drw.sh/dgweku | Remote treatment https://drw.sh/wmzdcl | Hidden processes https://drw.sh/tmulje | Logs https://drw.sh/ruy | Sandbox https://drw.sh/exhbro
#4
Posted 21 May 2010 - 11:16
I know that I should have patched the machine
but due to software and "policy" constraints I am not allowed to do it ...
Although the machine is off the Internet, it is inside a network ...
My main problem is why DrWeb LiveCD did not delete the files and/or
why CureIT! detects the mutex with a random name, deletes it and afterwards it appears again ...
My main question is: why did LiveCD not delete the files??
#5
Posted 21 May 2010 - 12:15
After some calls the machine is now fully patched but still has the virus ...
I have managed to "disable" the Conficker hidden service ...
I tried KAV rescue CD (no virus present report) ...
Nonetheless, if I use CureIT! it reports HLLW.shadow.based file present ...
It deletes it but after a reboot it appears again ...
With LiveCD it reports virus (apparently deletes it but after the reboot it appears again) ...
Any help would be appreciated...
As stated before, the machine is fully patched WinXP with SP3.
#6
Posted 21 May 2010 - 15:01
Hello,
Please write the exact name of the virus or infected files, for instance shadow.exe etc. Also please send us a virscan.org result.
OS : Debian Sid , all i have all i need!
#7
Posted 21 May 2010 - 16:33
Sorry for the long reply but the machine does not have access to the internet ... :(
Here is the DrWeb partial log ....
Although I now have an idea why it did not delete some of the virus....
I suppose the "-ar-" was the culprit .... :)
Nonetheless I still ask: is DrWeb supposed to try to correct the registry if an infection of HLLW.shadow.based virus is present?
----------------------------------------
Copyright © Igor Daniloff, 1992-2009
Doctor Web, Moscow, Russia
Support service: http://support.drweb.com
To purchase: http://buy.drweb.com
Report dated 2010-05-19, 18:55:46
Command line: -ni -cud -ex -ok- -ml- -ar- -path=/mnt/disk/*
Shell version: 5.0.0.10060 <API:2.2>
Engine version: 5.0.2.3300 <API:2.2>
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 411
Loading /var/drweb/bases/drwdaily.vdb - Ok, virus records: 1772
Loading /var/drweb/bases/drw50025.vdb - Ok, virus records: 18009
...
Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 514157
Loading /var/drweb/bases/dwrtoday.vdb - Ok, virus records: 61
...
Loading /var/drweb/bases/dwn50000.vdb - Ok, virus records: 2801
Loading /var/drweb/bases/drwrisky.vdb - Ok, virus records: 6197
Loading /var/drweb/bases/drwnasty.vdb - Ok, virus records: 28348
Total virus records: 1332394
Key file: /opt/drweb/drweb32.key
License key number: 0014100132
License key activates: 2010-03-03
License key expires: 2013-04-07
/mnt/disk/sda2/vovecq.exe - archive AUTOIT
>/mnt/disk/sda2/vovecq.exe/DOCUME~1\ADMINI~1.HOM\LOCALS~1\Temp\3\aut2CA6.tmp packed by ASCRIPT
>/mnt/disk/sda2/vovecq.exe/updater_gen\compileroom\F5E20C32A24DADF8.au3.tbl infected with Win32.HLLW.Autoruner.based
/mnt/disk/sda2/BackUp1/BackupEmail - archive 7-ZIP
/mnt/disk/sda2/BackUp1/BackupEmail.7z - archive 7-ZIP
/mnt/disk/sda2/BackUp1/BackupWork - archive 7-ZIP
/mnt/disk/sda2/BackUp1/BackupZIipsEDIS.7z - archive 7-ZIP
/mnt/disk/sda2/BackUp1/eit-linux-vm6.7z - scanning of this object is aborted (Value too large for defined data type)
/mnt/disk/sda2/BackUp1/VirtualMachineLL-ICCP.7z - scanning of this object is aborted (Value too large for defined data type)
/mnt/disk/sda2/ICCPXb/wf5qp36m.exe packed by UPX
/mnt/disk/sda2/Projectos/E60000196/VirtualMachineLL-ICCP.7z - scanning of this object is aborted (Value too large for defined data type)
/mnt/disk/sda2/Projectos/E61010020/05 - WebCam/Install Package/SCATEX-WebCam.tar.gz - archive GZIP
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/aswcmp.exe packed by UPX
>/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/aswcmp.exe - archive AUTOIT
>>/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/aswcmp.exe/DOCUME~1\Stalin\LOCALS~1\Temp\2\aut7C4.tmp packed by ASCRIPT
>>>/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/aswcmp.exe/DOCUME~1\Stalin\LOCALS~1\Temp\2\aut7C4.tmp infected with Win32.HLLW.Autoruner.7709
>>/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/aswcmp.exe/Generador\csufvu.au3.tbl infected with Win32.HLLW.Autoruner.based
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/bzmwtx.exe - archive AUTOIT
>/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/bzmwtx.exe/DOCUME~1\ADMINI~1.HOM\LOCALS~1\Temp\3\aut1021.tmp packed by ASCRIPT
>/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/bzmwtx.exe/updater_gen\compileroom\EBAB53BD845BDF58.au3.tbl infected with Win32.HLLW.Autoruner.based
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/csrcs.exe infected with Win32.HLLW.Autoruner.5897
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/csrcs.exe - deleted!
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/ebqtef.exe infected with Win32.HLLW.Autohit.10890
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/ebqtef.exe - deleted!
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/ebqtef_0.exe infected with Win32.HLLW.Autohit.10890
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/ebqtef_0.exe - deleted!
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/mhgpec.exe infected with Win32.HLLW.Autoruner.3438
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/mhgpec.exe - deleted!
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/mhgpec_0.exe infected with Win32.HLLW.Autoruner.3438
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/mhgpec_0.exe - deleted!
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/neqohl.exe infected with Win32.HLLW.Siggen.73
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/neqohl.exe - deleted!
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Application Data/{7148F0A6-6813-11D6-A77B-00B0D0142000}/Java 2 Runtime Environment, SE v1.4.2.msi - archive OLE
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Temp/12943y7a.dll packed by ASPACK
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Temp/57WOB6F7.dll packed by ASPACK
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Temp/5emffAhG.dll packed by ASPACK
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Temp/hGu8YnFX.dll packed by ASPACK
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/VIDEU0EO/admin[7].php - archive GZIP
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/VIDEU0EO/admin[8].php - archive GZIP
/mnt/disk/sda1/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/VIDEU0EO/modules[1].php - archive GZIP
/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/dcwrqelp[1].bmp packed by UPX
>/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/dcwrqelp[1].bmp infected with Win32.HLLW.Shadow.based
>/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/dcwrqelp[1].bmp - deleted!
/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/rkowytrf[1].bmp packed by UPX
>/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/rkowytrf[1].bmp infected with Win32.HLLW.Shadow.based
>/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/rkowytrf[1].bmp - deleted!
/mnt/disk/sda1/Program Files/MSN/MSNCoreFiles/Install/MSN9Components/digopt.msi - archive OLE
Scan report for "/mnt/disk/*":
Scanned: 143924/88218 Cured: 0
Infected: 12/4 Deleted: 8
Modifications: 0/0 Renamed: 0
Suspicious: 0/0 Moved: 0
Adware: 0/0 Ignored: 0
Dialer: 0/0
Joke: 0/0 Scan time: 0:49:56
Riskware: 0/0 Scan speed: 1169 Kb/s
Hacktool: 0/0 Scan speed: 1169 Kb/s
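Added example, not part of the thread and not Dr.Web's own tooling: a Python script that reconciles the "infected with" lines of a scan log against its "- deleted!" lines and reports which detections were left on disk and which archive holds them. The regexes assume the line layout seen in the log posted above; the function name `reconcile` is hypothetical, and the sample lines are copied from that log.

```python
import re

# Excerpt copied verbatim from the scan log posted in the thread.
SAMPLE_LOG = r"""
/mnt/disk/sda2/vovecq.exe - archive AUTOIT
>/mnt/disk/sda2/vovecq.exe/DOCUME~1\ADMINI~1.HOM\LOCALS~1\Temp\3\aut2CA6.tmp packed by ASCRIPT
>/mnt/disk/sda2/vovecq.exe/updater_gen\compileroom\F5E20C32A24DADF8.au3.tbl infected with Win32.HLLW.Autoruner.based
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/csrcs.exe infected with Win32.HLLW.Autoruner.5897
/mnt/disk/sda1/Documents and Settings/Administrator/DoctorWeb/Quarantine/csrcs.exe - deleted!
/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/dcwrqelp[1].bmp packed by UPX
>/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/dcwrqelp[1].bmp infected with Win32.HLLW.Shadow.based
>/mnt/disk/sda1/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/0BL0LBZ4/dcwrqelp[1].bmp - deleted!
"""

# Leading '>' characters mark nesting depth (object inside a container).
INFECTED = re.compile(r"^>*(/.+?) infected with (\S+)$")
DELETED = re.compile(r"^>*(/.+?) - deleted!$")
ARCHIVE = re.compile(r"^>*(/.+?) - archive (\S+)$")


def reconcile(log_text):
    """Split detections into (removed, remaining).

    removed:   [(path, threat)] detections followed by a '- deleted!' line
    remaining: [(path, threat, container)] detections with no such line;
               container is the enclosing archive path, or None
    """
    detections = {}  # path -> threat name, kept in log order
    deleted = set()
    archives = set()
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := INFECTED.match(line):
            detections[m.group(1)] = m.group(2)
        elif m := DELETED.match(line):
            deleted.add(m.group(1))
        elif m := ARCHIVE.match(line):
            archives.add(m.group(1))

    removed, remaining = [], []
    for path, threat in detections.items():
        if path in deleted:
            removed.append((path, threat))
            continue
        # Innermost archive whose path prefixes the detection: that container
        # is the on-disk file still carrying the detected object.
        holders = [a for a in archives if path.startswith(a + "/")]
        remaining.append((path, threat, max(holders, key=len, default=None)))
    return removed, remaining


if __name__ == "__main__":
    removed, remaining = reconcile(SAMPLE_LOG)
    print(f"deleted: {len(removed)}, still on disk: {len(remaining)}")
    for path, threat, container in remaining:
        print(f"  {threat}\n    object:    {path}\n    container: {container}")
```

Run over the full log above, it leaves four detections, all inside AUTOIT archives, which is consistent with the 12 infected and 8 deleted objects in the summary.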
#8
Posted 23 May 2010 - 00:43
Hello,
If that trojan comes back when you clean it, it may be hiding itself in system restore. You may consider resetting system restore.
OS : Debian Sid , all i have all i need!
#9
Posted 24 May 2010 - 12:24
Oh... I see ...
I thought that by default DrWeb did check the "system restore" files on the disk ...
So, my previous question regarding the registry fix (HLLW.shadow.based virus) is also negative ...
Nonetheless, by default, I usually disable system restore in Windows ...
Although I know that conficker does activate it and copies itself to it, even if it is disabled....
So how does DrWeb handle it?
#10
Posted 24 May 2010 - 14:24
Hello,
I think the best approach would be resetting system restore after the cleaning process. First clean with dr.web, then disable and enable system restore. I also recommend not disabling system restore; believe me, even an infected system restore is better than not having a system restore. To have a clean system restore we need to reset it.
Let me give you some information about dr.web which you would want to know.
In complete scanning mode, RAM, hard drives, removable media, boot sectors of all disks etc. are scanned. Dr.Web scans system restore points too.
The delete action of dr.web can delete any malware except in boot sectors. But the cure action can work within boot sectors, and the cure action is for known viruses; it restores the original state of an object before infection.
In addition to resetting system restore, you may want to try dr.web's cure action. And after these actions are taken you need to reboot your system immediately.
OS : Debian Sid , all i have all i need!