Virus!!!!!!!

T

tecknopunk

New Member
So I'm 99.9999999999999% my brother was the one who downloaded something off of bittorrent that had a virus on it because I never had any problems with viruses before he installed that & started downloading music and movies. So now I have a virus and it keeps adding these strange icons in my Local Disk c:/ folder. I have tried using many antivirus programs and only 1 found the virus but would not delete it from my computer for free. Almost all of them have found threats in my C:/Documents and Settings/Network Service folder, but I can't locate the folder because all that is in my Documents and Settings Folder is All Users, My Name User, and Default User (I am looking at hidden files and folders). I know theres all kinds of junk in my Network Service folder that I really need to get rid of but can't find it, can anyone help me find the folder so I can delete all the stuff in there?
 
laznz1

laznz1

New Member
net work service folder?

try downloading and scanning with AVG Free ware
and see how it goes
 
T

tecknopunk

New Member
I'm assuming there is a folder, when I use the antivirus programs they are finding many objects with the file path C:/Documents and Settings/Network Service/Local Settings/...... I used that program and it didn't find the virus.
 
T

tecknopunk

New Member
that didn't work to get directly to the folder, when I type the file path into the run box, it says "Windows cannot find 'c:\documents' Make sure you typed the name correctly, then try again." But what the virus is doing is creating MS Dos Batch files into my C:\, these weird application files, and txt files named with random letters and numbers and the names of them become processes running on my computer.
 
T

tecknopunk

New Member
so I took your advice ceewi1 and ran the 2 programs you mentioned on a thread (malawarebytes and hijackthis) and here are their log files.

Malwarebytes' Anti-Malware 1.32
Database version: 1644
Windows 5.1.2600 Service Pack 3

1/12/2009 12:25:55 AM
mbam-log-2009-01-12 (00-25-52).txt

Scan type: Quick Scan
Objects scanned: 75579
Time elapsed: 16 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> No action taken.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:40 AM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\MagicTune3.6\GammaTray.exe
C:\Program Files\SEC\MagicTune3.6\MagicTune.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\tgu7MTj.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\tgu7MTj.exe
C:\WINDOWS\system32\wuauclt.exe
c:\tgu7MTj.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
c:\tgu7MTj.exe
c:\tgu7MTj.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\tgu7MTj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnHost] c:\tgu7MTj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\tgu7MTj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnConvert] c:\tgu7MTj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\tgu7MTj.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\tgu7MTj.exe (User 'Default user')
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191713568655
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191728934687
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.98.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\RangeBooster G WDA-2320\JSWUtil\jswpsapi.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 10139 bytes
 
ceewi1

ceewi1

VIP Member
Your system is infected.

Please run Malwarebytes' again and allow it to remove everything it finds.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\tgu7MTj.exe

Then click Send File. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://virusscan.jotti.org
 
T

tecknopunk

New Member
This is what VirusTotal had to say: (its not for c:\tgu7MTj.exe because i deleted that specific file, but its from another file that the virus created)

File gyZkfS.exe received on 01.12.2009 18:22:05 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 9/38 (23.69%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.12 -
AhnLab-V3 2009.1.10.0 2009.01.12 -
AntiVir 7.9.0.54 2009.01.12 TR/Click.Delf.bss
Authentium 5.1.0.4 2009.01.12 -
Avast 4.8.1281.0 2009.01.12 -
AVG 8.0.0.229 2009.01.12 Clicker.WCB
BitDefender 7.2 2009.01.12 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.12 -
Comodo 919 2009.01.12 -
DrWeb 4.44.0.09170 2009.01.12 -
eSafe 7.0.17.0 2009.01.12 Suspicious File
eTrust-Vet 31.6.6304 2009.01.12 -
F-Prot 4.4.4.56 2009.01.12 -
F-Secure 8.0.14470.0 2009.01.12 -
Fortinet 3.117.0.0 2009.01.11 -
GData 19 2009.01.12 -
Ikarus T3.1.1.45.0 2009.01.12 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.12 Trojan-Clicker.Win32.Delf.bss
McAfee 5492 2009.01.11 -
McAfee+Artemis 5492 2009.01.11 Generic!Artemis
Microsoft 1.4205 2009.01.12 -
NOD32 3759 2009.01.12 a variant of Win32/TrojanClicker.Delf.AKM
Norman 5.93.01 2009.01.12 -
Panda 9.4.3.3 2009.01.11 -
PCTools 4.4.2.0 2009.01.12 -
Prevx1 V2 2009.01.12 Cloaked Malware
Rising 21.12.02.00 2009.01.12 -
SecureWeb-Gateway 6.7.6 2009.01.12 Trojan.Click.Delf.bss
Sophos 4.37.0 2009.01.12 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.12 -
TheHacker 6.3.1.4.218 2009.01.11 -
TrendMicro 8.700.0.1004 2009.01.12 -
VBA32 3.12.8.10 2009.01.12 suspected of Trojan-Clicker.Delf.13 (paranoid heuristics)
ViRobot 2009.1.12.1554 2009.01.12 -
VirusBuster 4.5.11.0 2009.01.12 -
Additional information
File size: 193536 bytes
MD5...: ee0277d50a3d958c6fb2b6d7c0adb3e8
SHA1..: 5c69b2fc55e1bb666b5dfcd5e4e2c597db0c0df3
SHA256: d3cc648ccde6883b05a55e3c103ebfc083a6ca6b65470ba362adfcaca27200cb
SHA512: 755c3ee2eecb7aec152e28bc6a3927acb394ce14b8ed3f82e8810ecb21c84cc0
1aa77c68960c7ac7c6f65672c1d3a770643c4ef08817b7f252c423d40bc54bbe
ssdeep: 3072:OB5vfoMynNMcyD+uaf1pfIZGLX+zu+QLBQixtoo5jcZS5bpPS8St8c:OB6M
ynNMi1p8EX+zu+QLJxnQ6pPSec
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x47fc00
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x51000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x52000 0x2e000 0x2de00 7.92 e88ae7c8458afae1a60d123d25d5162d
.rsrc 0x80000 0x2000 0x1200 3.30 5ff95268589e3bc63b026737c4b71898

( 10 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> advapi32.dll: RegFlushKey
> comctl32.dll: ImageList_Add
> gdi32.dll: SaveDC
> ole32.dll: OleDraw
> oleaut32.dll: VariantInit
> shell32.dll: SHGetMalloc
> URLMON.DLL: CoInternetCreateZoneManager
> user32.dll: GetDC
> version.dll: VerQueryValueA

( 0 exports )
packers (Kaspersky): UPX
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=1DA017AF00C60CE6F4B902D17991A3006F4D36AF' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=1DA017AF00C60CE6F4B902D17991A3006F4D36AF</a>
packers (F-Prot): UPX
 
F

FFCFoo

New Member
Okay? This is simple! Download super antispyware! It's free for 30 days! Also it removes EVERYTHING! It worked for me when I had a problem with a lot of stuff popping up! UPDATE: There is a update for the anti spyware! Wow I need to get this :p. Well here is the link! http://www.superantispyware.com/download.html Send me a message on computer forum if you need any help ;). I would give you my email address but I do not paste it in public :p
 
T

tecknopunk

New Member
FFCFoo said:
Okay? This is simple! Download super antispyware! It's free for 30 days! Also it removes EVERYTHING! It worked for me when I had a problem with a lot of stuff popping up! UPDATE: There is a update for the anti spyware! Wow I need to get this :p. Well here is the link! http://www.superantispyware.com/download.html Send me a message on computer forum if you need any help ;). I would give you my email address but I do not paste it in public :p
Click to expand...

I have been using super antispyware for some time now and keep running it constantly recently and I still have the virus.
 
F

FFCFoo

New Member
tecknopunk said:
I have been using super antispyware for some time now and keep running it constantly recently and I still have the virus.
Click to expand...

The only thing I can think of is to reinstall windows! If you do dont put all your stuff to a disc/flash drive/hard drive ETC because those files might be infected and you will put them on again and BAM Affected again!
 
ceewi1

ceewi1

VIP Member
There should be no need to format and reinstall Windows, we will just need to use a few steps to remove this infection.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan-tab, remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Once done, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and the Dr. Web log.
 
Last edited:
You must log in or register to reply here.
Top