Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Virus

GαωDL&a
Master Cheater
Reputation: 0

Joined: 17 Dec 2007
Posts: 313

Posted: Wed Jun 24, 2009 11:49 pm    Post subject: Virus

I have a virus on my computer and I need to remove it without fully reformatting.

I currently have Symantec AntiVirus. It keeps notifying that it's found a virus in "C:\WINDOWS\System32\drivers\ws2_32sik.sys"
and a few other locations mostly in WINDOWS\System32\.

The virus was put onto my computer through downloading a "free version" of ConnectSpeed.

The virus turned off my firewall then went to work I guess.
As soon as it turned off my firewall I turned it back on.

Now I keep getting these notifications, which are seriously bothering me.
2-3 come up every minute or so.

Help please.
Honda
Grandmaster Cheater Supreme
Reputation: 0

Joined: 07 May 2008
Posts: 1242

Posted: Wed Jun 24, 2009 11:56 pm

What notification are you getting?
Take an SS.

And, did your AV display what kind of virus it was?


Last edited by Honda on Wed Jun 24, 2009 11:57 pm; edited 1 time in total
Pancake
Grandmaster Cheater
Reputation: 0

Joined: 26 Jul 2007
Posts: 843

Posted: Wed Jun 24, 2009 11:57 pm

Try running a virus scan in safe-mode.
GαωDL&a
Master Cheater
Reputation: 0

Joined: 17 Dec 2007
Posts: 313

Posted: Thu Jun 25, 2009 12:21 am


The virus was originally only on 1 user.
Now it's on both of my users.
Honda
Grandmaster Cheater Supreme
Reputation: 0

Joined: 07 May 2008
Posts: 1242

Posted: Thu Jun 25, 2009 12:29 am

Solution:

Quote:
Go here first and download and run the sysclean package.
http://www.trendmicro.com/download/dcs.asp You will also need the latest pattern file for the Sysclean programme. You can get it HERE. Read the instructions carefully in the .txt file HERE.

There is a program available that can show if you have a Rootkit problem.
It can be downloaded here: Rootkit Revealer. Important: Rename RootKitRevealer.exe to nailsetter.exe. The reason for this is that some rootkit trojans can detect this program and hide themselves from it.

Please download AproposFix from HERE and save it to your desktop. Extract it but don't run it yet.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

Open the aproposfix folder on your desktop and doubleclick RunThis.bat and follow the prompts.

When the tool is finished, please reboot back into normal mode and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

There is also this tool available, known as the Gromozon removal tool, that can help to eliminate certain types of rootkit known as the Gromozon rootkit.

Run the Gromozon tool.

It may not run at all and if it does run, it may tell the user that the infection is not present on the machine.

At this point the user must choose to continue with the scan.

Prevx tool will reboot the machine and run its cleaning process.




As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware seem to be HIT by this!



To set things straight:
HiJackThis does NOTHING for or against a Hacktool.Rootkit infection! It can ONLY reveal SOME of the symptoms!
HJT does NOT show: remon.sys, orans.sys, msdirectx.sys and whatever else these files might be called.

If you DO run a HijackThis scan, however,
first put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop! Important: Rename HijackThis.exe to HijackThis1991.exe; this is because some new malware can hide from HijackThis.exe.

Look for any or all of these files:
They can be in either \WINDOWS\ or \WINNT\.

Running processes:
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe

To get rid of them:

Boot in Safe Mode, see how here.
(ME/XP only) Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...........................................................................
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
...........................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
(XP only) Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal.
(ME/XP only) When all OK, switch System Restore back on.




Source: TechSpot
GαωDL&a
Master Cheater
Reputation: 0

Joined: 17 Dec 2007
Posts: 313

Posted: Thu Jun 25, 2009 12:31 am

Some of those "HERE" links don't work. D:
I download all these programs on my main user?
Both users are administrator.
Honda
Grandmaster Cheater Supreme
Reputation: 0

Joined: 07 May 2008
Posts: 1242

Posted: Thu Jun 25, 2009 12:35 am

Which users got infected?
GαωDL&a
Master Cheater
Reputation: 0

Joined: 17 Dec 2007
Posts: 313

Posted: Thu Jun 25, 2009 12:46 am

Both users are infected.
My main user with all my files, though, is worse than this one.
Honda
Grandmaster Cheater Supreme
Reputation: 0

Joined: 07 May 2008
Posts: 1242

Posted: Thu Jun 25, 2009 12:52 am

Here, try this other method:

Quote:
Solution:

1. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2. Delete a Key called/containing amvo.exe

Do 1 and 2 for each user that has logged on to the system after the infection

3. Install SpyBot Search and Destroy.
4. Whenever you access a partition, spybot will detect a change in the registry value, disallow addition of amvo.exe
5. If you want to be doubly sure, run the kaspersky online scan, and make a note of the infected files (online scanner only detects, it doesn't remove the virus) it showed up as Worm.Win32.AutoRun.bep and Worm.Win32.OnlineGames
6. Disable system restore on all drives
7. Boot into safe mode
8. Run->cmd
9. go to c:\windows\system32\
10. attrib -s -h -r amvo*.*
11. del amvo*.*
12. If one file cannot be deleted rename the dll/exe to something like .aaa or the other
13. Go to \Local Settings\Temp of each user
14. attrib -h -s -r *.dll
15. del *.dll
16. go to c:\
17. attrib -s -h -r *.inf
18. del *.inf
19. do 13-15 for each partition
20. Boot normal
21. Delete the renamed amvo files (if any)
22. If "Show hidden/system files" is still not working then change value of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden from 0 to 1
23. Run another kaspersky scan


Those 2 are the only methods I found for getting rid of hacktool.rootkit
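As an added example, not code from the thread or from the sources Honda quotes, here is a read-only PowerShell triage script that checks the indicators both quoted procedures name (the amvo.exe Run entries, the listed service binaries, the hidden amvo*.* and *.inf files, and the Explorer "Hidden" setting) so the machine's state can be confirmed before anything is deleted. The cmdlets are standard PowerShell 3+; the file and service names come only from the posts and are not a complete signature set.

```powershell
# Constructed triage script; not from the thread or from TechSpot. Read-only:
# it reports the indicators the two quoted procedures name and changes nothing.
# The file and service names below are only those the posts list; they are not
# a complete signature set. Needs PowerShell 3+ (Get-CimInstance), run as admin.

$SuspectImages = @('javapanel.exe', 'taskcntr.exe', 'xpjava.exe', 'sysmanager.exe')

# 1. Run keys. The post says to check HKCU\...\Run for every user who logged on
#    after the infection. HKEY_USERS holds every loaded user hive, so one pass
#    covers each logged-on user without switching accounts.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    $values = Get-ItemProperty -Path $runKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ("$($prop.Value)" -match 'amvo') {
            "[RUN]      $($hive.PSChildName): $($prop.Name) = $($prop.Value)"
        }
    }
}

# 2. Services. The HijackThis O23 lines quoted above are services with an
#    unknown owner whose binary is one of the listed executables.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    foreach ($name in $SuspectImages) {
        if ($svc.PathName -and ($svc.PathName -match [regex]::Escape($name))) {
            "[SERVICE]  $($svc.Name) ($($svc.State)) -> $($svc.PathName)"
        }
    }
}

# 3. Files. Steps 9-11 and 16-18 target amvo*.* in System32 and *.inf in the
#    drive root, hidden with the system attribute set; -Force lists such files.
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $sys32 -Filter 'amvo*' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "[FILE]     $($_.FullName) attrs=$($_.Attributes)" }
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $drive.Root -Filter '*.inf' -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object { "[INF]      $($_.FullName) attrs=$($_.Attributes)" }
}

# 4. Step 22: the Explorer value that controls "Show hidden files" (1 = show).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
"[EXPLORER] Hidden = $((Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden)"
```

Anything it reports is a lead to confirm against the scanner's own findings; a match on a file name alone is not proof of infection.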
GαωDL&a
Master Cheater
Reputation: 0

Joined: 17 Dec 2007
Posts: 313

Posted: Thu Jun 25, 2009 1:15 am

How do I get to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Honda
Grandmaster Cheater Supreme
Reputation: 0

Joined: 07 May 2008
Posts: 1242

Posted: Thu Jun 25, 2009 1:19 am

Click start > run > type "regedit" and find
HKEY_CURRENT_USER> then Software > Microsoft > CurrentVersion > Run
GαωDL&a
Master Cheater
Reputation: 0

Joined: 17 Dec 2007
Posts: 313

Posted: Thu Jun 25, 2009 1:27 am

I can't find "CurrentVersion" under "Microsoft".
Honda
Grandmaster Cheater Supreme
Reputation: 0

Joined: 07 May 2008
Posts: 1242

Posted: Thu Jun 25, 2009 1:31 am

Oops, wrong one.

Try this:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It's in Microsoft > then Windows and you'll see CurrentVersion
Luigi
Grandmaster Cheater Supreme
Reputation: 1

Joined: 24 Mar 2008
Posts: 1082

Posted: Sat Jun 27, 2009 1:28 pm

I don't know why I am asking but...
Did the virus delete your system restore points?
puresick
Expert Cheater
Reputation: 3

Joined: 02 Jun 2008
Posts: 178

Posted: Sat Jun 27, 2009 11:02 pm

You can try reformatting when all else fails ^^
All times are GMT - 6 Hours