GαωDL&a, Master Cheater
Reputation: 0
Joined: 17 Dec 2007, Posts: 313
Posted: Wed Jun 24, 2009 11:49 pm, Post subject: Virus
I have a virus on my computer and I need to remove it without fully reformatting.
I currently have Symantec AntiVirus. It keeps notifying me that it has found a virus in "C:\WINDOWS\System32\drivers\ws2_32sik.sys"
and a few other locations, mostly in WINDOWS\System32\.
The virus was put onto my computer through downloading a "free version" of ConnectSpeed.
The virus turned off my firewall, then went to work, I guess.
As soon as it turned off my firewall I turned it back on.
Now I keep getting these notifications, which are seriously bothersome.
2-3 come up every minute or so.
Help please.
Honda, Grandmaster Cheater Supreme
Reputation: 0
Joined: 07 May 2008, Posts: 1242
Posted: Wed Jun 24, 2009 11:56 pm
What notification are you getting?
Take an SS.
And, did your AV display what kind of virus it was?
Last edited by Honda on Wed Jun 24, 2009 11:57 pm; edited 1 time in total
Pancake, Grandmaster Cheater
Reputation: 0
Joined: 26 Jul 2007, Posts: 843
Posted: Wed Jun 24, 2009 11:57 pm
Try running a virus scan in safe-mode.
GαωDL&a, Master Cheater
Reputation: 0
Joined: 17 Dec 2007, Posts: 313
Posted: Thu Jun 25, 2009 12:21 am
The virus was originally only on 1 user.
Now it's on both of my users.
Honda, Grandmaster Cheater Supreme
Reputation: 0
Joined: 07 May 2008, Posts: 1242
Posted: Thu Jun 25, 2009 12:29 am
Solution:
Quote:
Go here first and download and run the sysclean package.
http://www.trendmicro.com/download/dcs.asp You will also need the latest pattern file for the Sysclean programme. You can get it HERE. Read the instructions carefully in the .txt file HERE.
There is a program available that can show if you have a Rootkit problem.
It can be downloaded here: Rootkit Revealer. Important: rename RootKitRevealer.exe to nailsetter.exe. The reason for this is that some rootkit trojans can detect this program and hide themselves from it.
Please download AproposFix from HERE and save it to your desktop. Extract it but don't run it yet.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html
Open the aproposfix folder on your desktop and doubleclick RunThis.bat and follow the prompts.
When the tool is finished, please reboot back into normal mode and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
There is also a tool available, known as the Gromozon removal tool, that can help to eliminate a certain type of rootkit known as the Gromozon rootkit.
Run the Gromozon tool.
It may not run at all and if it does run, it may tell the user that the infection is not present on the machine.
At this point the user must choose to continue with the scan.
Prevx tool will reboot the machine and run its cleaning process.
As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware seem to be HIT by this!
To set things straight:
HiJackThis does NOTHING for or against a Hacktool.Rootkit infection! It can ONLY reveal SOME of the symptoms!
HJT does NOT show: remon.sys, orans.sys, msdirectx.sys and whatever else these files might be called.
If you DO run a Hijackthis scan however,
first put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop! Important: rename HijackThis.exe to HijackThis1991.exe; this is because some new malware can hide from HijackThis.exe.
Look for any or all of these files:
They can be in either \WINDOWS\ or \WINNT\.
Running processes:
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
To get rid of them:
Boot in Safe Mode, see how here.
(ME/XP only) Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe
Next, click Start/Run and type services.msc and click OK. Look for the service:
javapanel.exe
taskcntr.exe
xpjava.exe
sysmanager.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.
Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...........................................................................
C:\WINDOWS\javapanel.exe
C:\WINDOWS\taskcntr.exe
C:\WINDOWS\System32\xpjava.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
...........................................................................
Now click on the Fix Checked button in HJT. Exit HJT.
When done, from between the above dotted lines, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
(XP only) Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal.
(ME/XP only) When all OK, switch System Restore back on.
Source: TechSpot
GαωDL&a, Master Cheater
Reputation: 0
Joined: 17 Dec 2007, Posts: 313
Posted: Thu Jun 25, 2009 12:31 am
Some of those "HERE" links don't work. D:
I download all these programs on my main user?
Both users are administrator.
Honda, Grandmaster Cheater Supreme
Reputation: 0
Joined: 07 May 2008, Posts: 1242
Posted: Thu Jun 25, 2009 12:35 am
Which users got infected?
GαωDL&a, Master Cheater
Reputation: 0
Joined: 17 Dec 2007, Posts: 313
Posted: Thu Jun 25, 2009 12:46 am
Both users are infected.
My main user, with all my files, is worse than this one, though.
Honda, Grandmaster Cheater Supreme
Reputation: 0
Joined: 07 May 2008, Posts: 1242
Posted: Thu Jun 25, 2009 12:52 am
Here, try this other method:
Quote:
Solution:
1. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2. Delete a key called/containing amvo.exe
Do 1 and 2 for each user that has logged on to the system after the infection
3. Install SpyBot Search and Destroy.
4. Whenever you access a partition, Spybot will detect a change in the registry value; disallow the addition of amvo.exe
5. If you want to be doubly sure, run the Kaspersky online scan and make a note of the infected files (the online scanner only detects; it doesn't remove the virus). It showed up as Worm.Win32.AutoRun.bep and Worm.Win32.OnlineGames
6. Disable system restore on all drives
7. Boot into safe mode
8. Run->cmd
9. go to c:\windows\system32\
10. attrib -s -h -r amvo*.*
11. del amvo*.*
12. If one file cannot be deleted, rename the dll/exe to something like .aaa or the other
13. Go to \Local Settings\Temp of each user
14. attrib -h -s -r *.dll
15. del *.dll
16. go to c:\
17. attrib -s -h -r *.inf
18. del *.inf
19. do 13-15 for each partition
20. Boot normal
21. Delete the renamed amvo files (if any)
22. If "Show hidden/system files" is still not working then change the value of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden from 0 to 1
23. Run another Kaspersky scan
Those 2 are the only methods I found for getting rid of hacktool.rootkit
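Both clean-up recipes quoted in this thread (the TechSpot one with javapanel.exe / taskcntr.exe services and HijackThis O23 lines, and the amvo.exe one with the Run key and autorun.inf on every partition) come down to the same check: find out what the machine actually launches before deleting anything. The script below is an added example, not code from the thread, from TechSpot or from any of the tools named above. It parses three pieces of text you can collect on the affected machine without installing anything: the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, the `O23 - Service:` lines of a HijackThis log, and the contents of an `autorun.inf` (`type D:\autorun.inf` works even though the file is hidden/system). It then flags every autostart entry whose file name is on a watch-list, that runs from a Temp directory, that uses a relative path (which autorun.inf resolves against the drive root), or whose service has no registered owner. The watch-list is simply the file names mentioned in the two posts and is an assumption, not an authoritative indicator list; the sample inputs are constructed, not captured from the poster's machine.

```python
"""Offline triage of Windows autostart entries (added example; constructed inputs)."""
import fnmatch
import re

# File names the thread mentions; an assumption, not an authoritative IOC list.
WATCHLIST = ["amvo*.*", "javapanel.exe", "taskcntr.exe", "xpjava.exe", "sysmanager.exe"]
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\")


def parse_reg_query(text):
    """{value name: data} from `reg query ...\\Run` output (XP tab- or Vista+ space-separated)."""
    entries = {}
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):          # banner, key path and blank lines
            continue
        parts = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries[parts[0]] = parts[2]
    return entries


def parse_hjt_o23(text):
    """{service name: (owner, binary path)} from HijackThis 'O23 - Service:' lines."""
    services = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().split(" - ", 3)]
        if len(parts) == 4 and parts[0] == "O23" and parts[1].startswith("Service:"):
            services[parts[1][len("Service:"):].strip()] = (parts[2], parts[3])
    return services


def parse_autorun_inf(text):
    """Commands an autorun.inf launches (open=, shellexecute=, shell\\...\\command=); padding lines match no key."""
    cmds, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        key, sep, val = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if in_autorun and sep and launches:
            cmds.append(val.strip())
    return cmds


def exe_path(command):
    """First token of a command line with surrounding quotes removed."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else ""


def suspicious(command):
    """Reasons an autostart command deserves a look; an empty list means nothing was flagged."""
    path, low = exe_path(command), command.lower()
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if any(fnmatch.fnmatch(name, pat) for pat in WATCHLIST):
        reasons.append("name on watch-list")
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("runs from a Temp directory")
    if path and "\\" not in path and ":" not in path:
        reasons.append("relative path, resolved against the drive root")
    return reasons


def triage(reg_text, hjt_text, autorun_text):
    """[(source, command, reasons)] for every entry that was flagged, in input order."""
    findings = []

    def check(source, command, extra=()):
        reasons = suspicious(command) + list(extra)
        if reasons:
            findings.append((source, command, reasons))

    for name, cmd in parse_reg_query(reg_text).items():
        check("Run\\" + name, cmd)
    for name, (owner, path) in parse_hjt_o23(hjt_text).items():
        check("O23 " + name, path, ["service has no registered owner"] if owner == "Unknown owner" else ())
    for cmd in parse_autorun_inf(autorun_text):
        check("autorun.inf", cmd)
    return findings


# Constructed sample inputs, not captured from the poster's machine.
SAMPLE_REG_QUERY = "\n".join([
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe",
    "    amva    REG_SZ    C:\\WINDOWS\\system32\\amvo.exe",
    "    tmp    REG_SZ    \"C:\\Documents and Settings\\bob\\Local Settings\\Temp\\abc.exe\" -s",
])
SAMPLE_HJT = "\n".join([
    "O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe",
    "O23 - Service: ECA (cpanel) - Unknown owner - C:\\WINDOWS\\javapanel.exe",
])
SAMPLE_AUTORUN = "\n".join([
    "[autorun]",
    "open=amvo.exe",
    "shell\\open\\Command=amvo.exe",
    "shellexecute=amvo.exe",
    "shell\\explore\\command=amvo.exe",
    "dfjhXq=padding line with no meaning to the shell",
])

if __name__ == "__main__":
    for source, command, reasons in triage(SAMPLE_REG_QUERY, SAMPLE_HJT, SAMPLE_AUTORUN):
        print(f"{source:18} {command}\n{'':18} -> {', '.join(reasons)}")
```

HKCU only covers the account that is logged on, which is why both recipes say to repeat the registry step for every user: `reg query HKU` lists the loaded hives, and each one has its own `...\Software\Microsoft\Windows\CurrentVersion\Run` to export and feed through the same parser. Run the triage once before cleaning to know what to remove and once after a normal boot to confirm nothing re-created the entries.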
GαωDL&a, Master Cheater
Reputation: 0
Joined: 17 Dec 2007, Posts: 313
Posted: Thu Jun 25, 2009 1:15 am
How do I get to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Honda, Grandmaster Cheater Supreme
Reputation: 0
Joined: 07 May 2008, Posts: 1242
Posted: Thu Jun 25, 2009 1:19 am
Click start > run > type "regedit" and find
HKEY_CURRENT_USER> then Software > Microsoft > CurrentVersion > Run
GαωDL&a, Master Cheater
Reputation: 0
Joined: 17 Dec 2007, Posts: 313
Posted: Thu Jun 25, 2009 1:27 am
I can't find "CurrentVersion" under "Microsoft".
Honda, Grandmaster Cheater Supreme
Reputation: 0
Joined: 07 May 2008, Posts: 1242
Posted: Thu Jun 25, 2009 1:31 am
Oops, wrong one.
Try this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
It's in Microsoft > then Windows and you'll see CurrentVersion
Luigi, Grandmaster Cheater Supreme
Reputation: 1
Joined: 24 Mar 2008, Posts: 1082
Posted: Sat Jun 27, 2009 1:28 pm
I don't know why I am asking but...
Did the virus delete your system restore points?
puresick, Expert Cheater
Reputation: 3
Joined: 02 Jun 2008, Posts: 178
Posted: Sat Jun 27, 2009 11:02 pm
You can try reformatting when all else fails ^^