Can't remove Trojan, Worm

I have been infected with trojans and worms. My Spybot, Malwarebytes and NOD32 detect all these threats over and over again... after cleaning and restarting, they are back again... and I've already switched off the restore feature in Windows... the best part is, I even reformatted my hard disk twice... deleted all its partitions and reinstalled a fresh copy, and it's still happening... I followed the instructions given by touc for another guy's thread... to first do a HijackThis scan... then get LSPFix, then reboot... get ComboFix... when I double-click on ComboFix after saving it to the desktop, an error pops up... and when I go to my C drive, there is a log that says Bug. Somebody please help me with these stubborn, weird threats on my PC. I'm not really good with PC-related stuff and I'm terrified.
 
I have the same problem as bjh3440. It was working fine on Saturday, but on Sunday it didn't work again. The computer I am working with is not currently connected to the web. It is an eMachines running XP with avast antivirus; it is connected to a LAN and a Linksys wireless router (but not now). After scanning it with MBAM (which quarantined many viruses and then showed no more), the avast scans show two items, Win32:WysPatch[wrm] and Virus/Gusano, which cannot be repaired, deleted or put in the chest. I have done a system restore to last Saturday when it worked better, but if I leave it on it only boots, shows the normal screen and freezes.
 
bjh3440, if you would like help, please follow the steps in the Virus and Removal Forum. When finished, attach the three logs for review:

https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

You have used an old version of HijackThis. Remove it and use the version in steps above.
Please understand that help given to remove malware is specifically directed to the logs from that particular person. So when you say this:
"...to 1st do a hijack...then get LSPfix, then reboot...get Combofix"

you are not doing it correctly. Deep, special cleaning programs like LSPFix and ComboFix should only be run at the instruction of the helper. You can destroy your computer by using them randomly.

I don't know what you've done so far, but the HijackThis log isn't normal. You will also need to temporarily disable TeaTimer before running the scans:
SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.

This thread is for the use of bjh3440 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum

John, please start a separate thread describing YOUR specific problems, running the programs and attaching the logs to that thread.
 
Hi bjh, check out this site bleepingcomputer.com/tutorials/tutorial101.html they have mentioned how to remove Trojan, worm or any virus from your PC, it will definitely help you.
 
Trojans, Nuwar worms

Here are my logs after following the 8 steps and disabling my antivirus and Spybot.

I'm sorry about following another guy's thread... I really didn't know I couldn't... anyway, thank you so much for taking the time to assist me on the matter. Your time and genuine help is very much appreciated.
 
Please read this description:
PLEASE NOTE ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
The Disclaimer: [image of the ComboFix disclaimer dialog]


Obviously there was a problem with Combofix and what is on your system- per the bug report.

To uninstall ComboFix.exe without removing any backups of files that it deleted
Right click ComboFix.exe and select delete


Please open HijackThis, and select Do a system scan only.
Place a checkmark next to the following entries (if present):
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wuauclt.exe (there are 2 of these processes- they are for the Windows Autoupdate)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

When finished: Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following if present:
Winamp
UMWdf
Apply> OK

Start> Run> services.msc> OK
  • In the list of services, right-click Windows User Mode Driver Framework, and then click Properties.
  • Click the General tab.
  • In the Startup type box, click Disabled or Manual, and then click OK.
  • On the File menu, click Exit.

Right click on Start> Explore> Windows> System32> verify that both of the following processes are located in this folder (and nowhere else):
lsass.exe
smss.exe

Reboot into Normal Mode. NOTE: a nag message will display- you can ignore it and close after checking 'don't show this message again.' Stay in Selective Startup.

Please empty the Recycle Bin.

Run a full system scan with Eset Nod32. Attach log.
Rescan with HijackThis and attach new log.

As mentioned previously, the HJ log doesn't display a 'normal system'. There is a possibility that you will have to reformat and reinstall.

Regarding UMWdf- from Microsoft:
After you install Microsoft Windows Media Player 10, a new process appears in Windows Task Manager. This process is named the Windows User Mode Driver Framework service (Wdfmgr.exe). The Startup type setting for this process is Automatic.

You will change that startup to either Disabled or Manual per the instruction above.
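The step above asks you to confirm by hand that lsass.exe and smss.exe live in System32. The script below is an added example (mine, not from this thread or from any of the tools named in it) of the same check done programmatically: it takes (process name, image path) pairs, flags any core system process whose image is outside %SystemRoot%\System32, and also flags look-alike names such as "Isass.exe" (capital I) that are meant to hide in a process list. The process list is constructed sample data; on a real machine you would feed it from Task Manager, tasklist or WMI, which this example does not query. The extra process names beyond lsass.exe and smss.exe, the homoglyph table and the System32 path are my assumptions.

```python
"""Check that core Windows processes run from %SystemRoot%\\System32.

Added example, not code from the forum thread. The process table is
constructed sample data; the homoglyph table and the list of
protected process names are assumptions for illustration.
"""
import ntpath

# Processes the thread asks to verify, plus a few other core ones
# (assumption: the same "must live in System32" rule applies).
PROTECTED = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM32 = r"C:\WINDOWS\system32"   # assumed %SystemRoot% for an XP box

# Character swaps commonly used to mimic a system binary's name.
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def canonical_name(name):
    """Lower-case the name and undo the usual look-alike substitutions."""
    return name.lower().translate(HOMOGLYPHS)


def check_processes(procs, system32=SYSTEM32):
    """Return [(name, path, reason)] for every suspicious entry.

    procs is an iterable of (process name, full image path) tuples.
    """
    expected_dir = ntpath.normpath(system32).lower()
    findings = []
    for name, path in procs:
        lname = name.lower()
        # normpath collapses tricks such as "system32\\..\\lsass.exe"
        directory = ntpath.normpath(ntpath.dirname(path)).lower()
        if lname in PROTECTED:
            if directory != expected_dir:
                findings.append((name, path, "system process outside System32"))
        elif canonical_name(name) in PROTECTED:
            findings.append((name, path, "look-alike of a system process name"))
    return findings


# Constructed sample process table (not captured from a real machine).
SAMPLE_PROCESSES = [
    ("smss.exe",    r"C:\WINDOWS\System32\smss.exe"),        # legitimate
    ("lsass.exe",   r"C:\WINDOWS\system32\lsass.exe"),       # legitimate
    ("lsass.exe",   r"C:\WINDOWS\lsass.exe"),                # wrong directory
    ("Isass.exe",   r"C:\WINDOWS\system32\Isass.exe"),       # capital I, not l
    ("smss.exe",    r"C:\WINDOWS\system32\..\smss.exe"),     # resolves to %SystemRoot%
    ("wuauclt.exe", r"C:\WINDOWS\system32\wuauclt.exe"),     # not a protected name
]

if __name__ == "__main__":
    for name, path, reason in check_processes(SAMPLE_PROCESSES):
        print(f"SUSPICIOUS  {name:<12} {path}  ({reason})")
```

The comparison is on the normalised directory rather than on the path string, so "C:\WINDOWS\system32\..\smss.exe" is caught even though the string contains "system32". Only processes whose name is not already a protected name are run through the look-alike check, so legitimate names containing "i" or "0" are never mis-corrected.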
 
Still Not Removed

I followed the instructions you provided very, very carefully... I am afraid my PC still looks the same... after reboot it still gets all these alerts... the same ones... and after I do a virus scan and remove them, the same ones come back after reboot... what's going on with my PC...?
 
Okay, here's what you have and the reason why it comes back:

From Blind Dragon:
http://www.tech-101.com/solutions-security/topic219.html?hilit=Virut


the link to "Under The Hood" has a lot of technical info, but you will get some more info there.

Here's the clue in the Nod32 log:
Win32/Virut.NBP virus error while cleaning

I'm afraid you've wasted a lot of time running programs that won't remove it. Please reformat and reinstall.

Other Trojans were quarantined:
Win32/Inject.CCO>> added to Nod32 database 2009-03-23
Win32/Kryptik.NG>> added to Nod32 database 2009-05-14
Win32/TrojanDownloader.Small.OPK Trojan>> added to Nod32 database 2008-12-22


After a quarantine, you can delete the files. Then you must empty the Recycle Bin.
Some of the Trojans show file extension of tmp and temp. When you do disc cleanups, tmp and temp files should be removed and the Recycle Bin emptied. Remember this for after you get going again.

This may be a problem for you:
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

The backups may be infected.
 
Again Bobbye, I appreciate your time... what do you suggest I do now?

Reformat disk C and reinstall Windows XP as per normal? Because I did that twice previously and it didn't work.

Can I leave my disk D alone?

Or wipe my hard disk using a programme? Then what do I do?

When you say disc cleanup, tmp files should be removed... disc cleanup means, err, using CCleaner? Right? Or is there another way to do that?
 
My Spybot, Malwarebytes, SUPERAntiSpyware and NOD32 can't update their databases... so I tried getting it done manually... it was still not possible... but for NOD32 I managed to update manually, and the moment I did, tons of popups came out non-stop about this Win32/Virut.NBP virus... I attached the log of the amount that was detected...

I also followed this thread on Bleeping Computer... asking to run this programme called autorun in safe mode... then delete the files where the malware is, and reboot back to normal mode.
 
Suggest you follow directions here for Clean Install:

http://www.tech-101.com/tutorials/topic104.html?hilit=Reinstall Windows

All of the Virut wasn't quarantined. Maybe you will understand this better: a polymorphic virus is the same as drug-resistant germs. (Poly means many, morphic means shapes, so polymorphic means many shapes.)

A very non-technical comparison, but the process is similar. The bad 'stuff' wants to survive, whether it's a virus, bacteria or some malware. So it "morphs" into a different form when something tries to kill it. In the case of Virut, as soon as you get rid of one form, another takes over, so you can't get rid of all of it!

The malware is protecting itself and isn't going to let you update security programs that "might" harm it.
 
Another problem with Virut is that it damages the code of the files, so that even if you managed to "clean" the files they could be damaged beyond repair.

Virut was meant to be a computer killer.
 
Can i leave my disk D alone?

or wipe my harddisk using a programme? then what do i do?

That depends what you have on disk D... an operating system? programs? or just documents, music, etc.

Basically you need to lose anything that runs off a .scr or .exe file (all programs)

You can back up pictures and documents

Format the drive

Reinstall windows per the guide listed above

Run scans on your backups

Then place the backups back on the drive.
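The reply above says to lose anything that runs from an .exe or .scr, keep pictures and documents, and scan the backups before restoring them. The script below is an added example (mine, not from this thread) of a triage pass over a backup tree that sorts files into "restore" and "discard" lists. It goes beyond the extension rule in the post: because a file infector like Virut cares about PE content rather than names, it also discards any file that starts with the PE "MZ" header even when its extension looks harmless, which catches an executable renamed to .jpg. The sample tree is built in a temporary directory with a few bytes of constructed content per file; nothing in it is a real PE image or malware, and the extension list is my assumption.

```python
"""Triage a backup tree before restoring it after a file-infector outbreak.

Added example, not code from the forum thread. The sample tree and
file contents are constructed stand-ins; the extension list is an
assumption, and the MZ-header rule is a deliberate generalisation of
the ".exe or .scr" advice in the post.
"""
import os
import tempfile

# Extensions that Windows will execute (assumed list for illustration).
EXEC_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".pif", ".sys", ".ocx", ".cpl"}


def is_pe_by_header(path):
    """True if the file begins with the 'MZ' magic of a Windows PE/DOS executable."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def triage_backup(root):
    """Walk root and return (keep, drop).

    keep: sorted list of relative paths considered safe to restore.
    drop: sorted list of (relative path, reason) to discard.
    """
    keep, drop = [], []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(fn)[1].lower()
            if ext in EXEC_EXTENSIONS:
                drop.append((rel, "executable extension"))
            elif is_pe_by_header(full):
                # A renamed executable: the extension lies, the header does not.
                drop.append((rel, "PE header with non-executable extension"))
            else:
                keep.append(rel)
    return sorted(keep), sorted(drop)


def build_sample_tree():
    """Create a constructed backup tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="backup_")
    files = {
        "docs/letter.doc":      b"\xd0\xcf\x11\xe0 constructed document",
        "pics/holiday.jpg":     b"\xff\xd8\xff\xe0 constructed image",
        "setup/installer.exe":  b"MZ constructed stub, not a real PE",
        "setup/saver.scr":      b"MZ constructed stub, not a real PE",
        "pics/vacation.jpg":    b"MZ constructed stub posing as a picture",
        "music/track.mp3":      b"ID3 constructed audio",
    }
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    keep, drop = triage_backup(root)
    print("restore:", *keep, sep="\n  ")
    print("discard:", *(f"{p}  ({why})" for p, why in drop), sep="\n  ")
```

Point triage_backup at the real backup root (the D: drive or the Nero BackItUp set mentioned earlier) and copy only the "keep" list onto the freshly installed system, then still run the AV scan on that copy as the post says; this script is a filter, not a detector, and a document with malicious content inside it would pass the header check.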
 