Can't remove Trojan, Worm

By bjh3440
May 25, 2009
  1. I have been infected with trojans and worms. My Spybot, Malwarebytes and NOD32 detect all these threats over and over again; after cleaning and a restart it's back again, and I've already switched off the restore feature in Windows. The best part is, I even reformatted my hard disk twice, deleted all its partitions and reinstalled a fresh copy, and it's still happening. I followed the instructions given by touc for another guy: first do a HijackThis scan, then get LSPFix, then reboot, then get ComboFix. When I double-click on ComboFix after saving it to the desktop, an error pops up, and when I go to my C drive there is a log that says Bug. Somebody please help me with these stubborn, weird threats on my PC. I'm not really good at PC-related stuff and I'm terrified.
  2. johnelmore

    johnelmore TS Rookie

    I have the same problem as bjh3440. It was working fine on Saturday, but on Sunday it didn't work again. The computer that I am working with is not currently connected to the web. It is an eMachines running XP with Avast antivirus; it is connected to a LAN and a Linksys wireless router (but not now). After scanning it with MBAM (which quarantined many viruses and then showed no more), the Avast scans show two, Win32:WysPatch[wrm] and Virus/Gusano, which cannot be repaired, deleted or put in the chest. I have done a system restore to last Saturday, when it worked better, but if I leave it on it only boots, shows the normal screen and freezes.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    bjh3440, if you would like help, please follow the steps in the Virus and Removal Forum. When finished, attach the three logs for review:

    You have used an old version of HijackThis. Remove it and use the version in the steps above.
    Please understand that help given to remove malware is specifically directed to the logs from that particular person. So when you say this:
    you are not doing it correctly. Deep, special cleaning programs like LSPFix and ComboFix should only be run at the instruction of the helper. You can destroy your computer by using them randomly.

    I don't know what you've done so far, but the HijackThis log isn't normal. You will also need to temporarily disable TeaTimer before running the scans:
    • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
    • On the left hand side, click on Tools, then click on the Resident Icon in the list.
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • Click on the "System Startup" icon in the List
    • Uncheck the "TeaTimer" box and "OK" any prompts.
    • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    • Exit Spybot S&D when done.
    • When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.

    This thread is for the use of bjh3440 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum

    John, please start a separate thread describing YOUR specific problems, running the programs and attaching the logs to that thread.
  4. deazy86

    deazy86 TS Rookie Posts: 32

    Hi bjh, check out this site they have mentioned how to remove Trojan, worm or any virus from your PC, it will definitely help you.
  5. bjh3440

    bjh3440 TS Rookie Topic Starter

    Trojans, Nuwar worms

    Here are my logs after following the 8 steps and disabling my antivirus and Spybot.

    I'm sorry about following another guy's thread. I really didn't know I couldn't. Anyway, thank you so much for taking the time to assist me on the matter. Your time and genuine help is very much appreciated.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please read this description:
    The Disclaimer:

    Obviously there was a problem with ComboFix and what is on your system, per the bug report.

    To uninstall ComboFix.exe without removing any backups of files that it deleted
    Right click ComboFix.exe and select delete

    Please open HijackThis, and select Do a system scan only.
    Place a checkmark next to the following entries (if present):
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\wuauclt.exe (there are 2 of these processes- they are for the Windows Autoupdate)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

    Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

    When finished: Boot into Safe Mode
    [*] Restart your computer and start pressing the F8 key on your keyboard.
    [*] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following if present:
    Apply> OK

    Start> Run> services.msc> OK
    [*] In the list of services, right-click Windows User Mode Driver Framework, and then click Properties.
    [*] Click the General tab.
    [*] In the Startup type box, click Disabled or Manual, and then click OK.
    [*] On the File menu, click Exit.

    Right click on Start> Explore> Windows> System32> verify the location of both of the following processes in this folder:

    Reboot into Normal Mode. NOTE: a nag message will display- you can ignore it and close after checking 'don't show this message again.' Stay in Selective Startup.

    Please empty the Recycle Bin.

    Run a full system scan with ESET NOD32. Attach the log.
    Rescan with HijackThis and attach new log.

    As mentioned previously, the HJ log doesn't display a 'normal system'. There is a possibility that you will have to reformat and reinstall.

    Regarding UMWdf- from Microsoft:
    You will change that startup to either Disabled or Manual per the instruction above.
  7. bjh3440

    bjh3440 TS Rookie Topic Starter

    Still Not Removed

    I followed the instructions you provided very, very carefully. I am afraid my PC still looks the same. After reboot it still gets all these alerts, the same ones, and after I do a virus scan and remove them, the same ones come back after reboot. What's going on with my PC?
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, here's what you have and the reason why it comes back:

    From Blind Dragon:

    the link to "Under The Hood" has a lot of technical info, but you will get some more info there.

    Here's the clue in the Nod32 log:
    Win32/Virut.NBP virus error while cleaning

    I'm afraid you've wasted a lot of time running programs that won't remove it. Please reformat and reinstall.

    Other Trojans were quarantined:
    Win32/Inject.CCO>> added to Nod32 database 2009-03-23
    Win32/Kryptik.NG>> added to Nod32 database 2009-05-14
    Win32/TrojanDownloader.Small.OPK Trojan>> added to Nod32 database 2008-12-22

    After a quarantine, you can delete the files. Then you must empty the Recycle Bin.
    Some of the Trojans show file extension of tmp and temp. When you do disc cleanups, tmp and temp files should be removed and the Recycle Bin emptied. Remember this for after you get going again.

    This may be a problem for you:
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

    The backups may be infected.
  9. bjh3440

    bjh3440 TS Rookie Topic Starter

    Again, Bobbye, I appreciate your time. What do you suggest I do now?

    Reformat disk C and reinstall Windows XP as per normal? Because I did that twice previously and it didn't work.

    Can I leave my disk D alone?

    Or wipe my hard disk using a programme? Then what do I do?

    When you say disc cleanup, tmp files should be removed... disc cleanup means, err, using CCleaner, right? Or is there another way to do that?
  10. bjh3440

    bjh3440 TS Rookie Topic Starter

    My Spybot, Malwarebytes, SUPERAntiSpyware and NOD32 can't update. I tried getting it done manually; it was still not possible. But for NOD32 I managed to update manually, and the moment I did, tons of popups came out non-stop about this Win32/Virut.NBP virus. I attached the log of the amount that was detected.

    I also followed this thread on Bleeping Computer, asking to run this programme called autorun in safe mode, then delete the files where the malware is, and reboot back to normal mode.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Suggest you follow directions here for Clean Install: Windows

    All of the Virut wasn't quarantined. Maybe you will understand this better: a polymorphic virus is the same as drug-resistant germs (poly means many, morphic means shapes; polymorphic means many shapes).

    A very non-technical comparison, but the process is similar. The bad 'stuff' wants to survive, whether it's a virus, bacteria or some malware. So it "morphs" into a different form when something tries to kill it. In the case of Virut, as soon as you get rid of one form, another takes over, so you can't get rid of all of it!

    The malware is protecting itself and isn't going to let you update security programs that "might" harm it.
  12. kritius

    kritius TS Guru Posts: 2,084

    Another problem with Virut is that it damages the code of the files, so that even if you managed to "clean" the files, they could be damaged beyond repair.

    Virut was meant to be a computer killer.
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That depends on what you have on disk D: an operating system? Programs? Or just documents, music, etc.

    Basically you need to lose anything that runs off a .scr or .exe file (all programs)

    You can back up pictures and documents

    Format the drive

    Reinstall windows per the guide listed above

    Run scans on your backups

    Then place the backups back on the drive.
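As an added illustration of the last two steps above (scan the backups, then restore only data and lose anything that runs), and not code from this thread or from TechSpot: the script below walks a backup tree and separates files that are Windows PE images (EXE, SCR, DLL and the like) from everything else by reading the MZ/PE headers instead of trusting the file extension. That matters for a PE file infector like Virut, because an infected program keeps its original name while a renamed executable is still executable. The directory layout, file names and the header-only stub files it generates are constructed sample data standing in for the user's disk D backup; the header check is the standard one (MZ at offset 0, e_lfanew at offset 60, "PE\0\0" at e_lfanew). Python 3, standard library only.

```python
"""Triage a backup tree before restoring it after a PE file-infector.

Added example, not from the thread. Assumption: any file that is a Windows
PE image is unsafe to restore; everything else may be restored after an
antivirus scan. Classification is by content (MZ/PE headers), not extension.
"""
import os
import struct
import tempfile
from pathlib import Path

PE_SIGNATURE = b"PE\0\0"
# Extensions Windows executes directly; used only to report mismatches.
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".sys", ".ocx", ".cpl", ".drv"}


def is_pe_image(path):
    """True if the file has an MZ header and a PE signature at e_lfanew."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 60)
            f.seek(e_lfanew)
            return f.read(4) == PE_SIGNATURE
    except OSError:
        return False


def triage_backup(root):
    """Partition files under root into (restorable, executable, suspicious).

    restorable: not a PE image (documents, pictures, music ...)
    executable: PE image with an executable extension (expected; do not restore)
    suspicious: PE image hiding behind a non-executable extension
    Paths are returned relative to root, sorted, with '/' separators.
    """
    root = Path(root)
    restorable, executable, suspicious = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if not is_pe_image(p):
                restorable.append(rel)
            elif p.suffix.lower() in EXECUTABLE_EXTS:
                executable.append(rel)
            else:
                suspicious.append(rel)
    return sorted(restorable), sorted(executable), sorted(suspicious)


def make_minimal_pe(path):
    """Write a constructed stub with valid MZ/PE headers (not a runnable program)."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)  # 64 bytes
    data = dos_header.ljust(e_lfanew, b"\0") + PE_SIGNATURE + b"\0" * 20
    Path(path).write_bytes(data)


def build_sample_backup(root):
    """Constructed sample tree standing in for the user's disk D backup."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "progs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"word" * 16)
    (root / "docs" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 64)
    make_minimal_pe(root / "progs" / "setup.exe")
    make_minimal_pe(root / "progs" / "saver.scr")
    make_minimal_pe(root / "docs" / "invoice.pdf")  # PE content behind a document name
    # Starts with "MZ" but is too short to carry a DOS header: stays restorable.
    (root / "MZnotes.txt").write_bytes(b"MZ is also how my notes start")
    return root


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_backup(build_sample_backup(tmp))


if __name__ == "__main__":
    keep, exes, odd = demo()
    print("restore after AV scan:          ", keep)
    print("do not restore (programs):      ", exes)
    print("do not restore (PE hiding as data):", odd)
```

The "suspicious" bucket is the one worth looking at by hand: a PE image named invoice.pdf is either a mislabeled program or something planted, and neither belongs on a freshly installed machine. Files in the "restorable" bucket still go through an antivirus scan before being copied back, as the post says; this check only keeps executables out of the restore set.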
Topic Status:
Not open for further replies.
