Extremely stubborn virus

Status
Not open for further replies.

Anonymous Danny

Posts: 33   +0
Long story short, got a big virus download spree. Managed to clean up most of it except one thing. There is this one process 152k big, that shows up that i kno isn't supposed to be there, everytime i try to end process to delete it, it says it does not exist. then i noticed that this file, everytime i end the process, renames itself and restarts itself. how do i get rid of something like this?
 
Normally it is not the file itself that is "renaming" itself and restarts itself. But there is a sister process that is doing that, which is more subtle then the one you see.

First off, what is your OS? XP? I will assume here on out that you have XP.

Download Autoruns from www.sysinternals.com. The link is http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml.
Also download Regsupreme from http://www.macecraft.com/regsupreme/
They have a free one, or a trial. Get that.

Download both those tools to the C: drive, such as C:\tools.

Next restart into Safe Mode with Networking. (by pressing F8 before XP loads).

Once into Safe Mode, make sure your bad process isn't running.
Then run autoruns. Now, it will scan for startups. But what you want to do is this:

1. When it opens, let it finish scanning until the menu items turn black again.

2. Go into the View menu and check "Hide signed Microsoft Entries".

3. Then check each of the FIVE top entries one by one. They all start with "show ...". Each time you check one, wait for it to rescan again.

Now review the listing. Note any obvious infections. They are pretty easy to spot because the file will most likely have a random name, and be in the system or system32 folder. You may even recognize it. Write down the file names!
If you aren't sure about some entries, take a screen shot or something and show us what is listed.
Click any bad entry to highlight it, then click the red X on the tool bar to remove the startup.

Once all the startups are removed you can close the program.
Next click Start-Search. Then in the files box type each of the noted files you wrote down, and separate them by a semicolon " ; ".
It would look like this for example: " jeidh.exe;diehsidl.dll;blabla.com" etc...
Then click advanced options and make sure hidden files are selected, and also that it is searching the C: drive. And sub-folders.
Then do the search. Delete any found files.

Next we need to do some more cleanup.
Go into your Internet Explorer options. Delete cookies, cache and history.
Go into C:\Documents and settings\username\Local Settings\Temp
Delete all files in the temp folder.
Also go into Local Settings\Temporary Internet Files (or something like that) and delete all files in the Content.ie folder.
Viruses will sometimes hide in these folders.

Alright, moving on!

Next install the regsupreme program. Then open it, press OK on the popup box. When it's done, start a new scan and put it to level "deep". Name the backup whatever you want. When it's done scanning, click the Select menu and select-all. Then the "clean" button at the bottom. Or "fix", I forget.
This step will make sure any traces of the virus strewn about the registry will be removed, so it doesn't try to load again (though the file is missing).
When it's cleaned, close the program.

You might now want to click Start-Run and type MSCONFIG. Look through the startup tab, if any baddies are there, repeat these steps, mark file, delete, find startup, run regsupreme.
Then click the Services tab, check "hide MS entries". Look through those and see if you can spot a bad service. If so, tell us, that has to be removed from the registry, as well as delete the file.

Now then. Open IE, browse to "housecall.trendmicro.com" and run their free virus scan on your hard drive. NOTE any infected files, be sure to delete them if housecall can't when the scan is over. If anything new is deleted, run regsupreme again.

Hopefully with these two programs and these steps, the virus will be gone. But no guarantees. There may be many more steps needed if this doesn't work for you.

Good luck!
 
As an alternative solution. Go HERE and follow the instructions carefully. Print them out if you can.

Once you have done that, go HERE for instructions on how to post your Hijackthis log.

Regards Howard :grinthumb
 
Oh sure howard, you only had to type 3 lines. Don't cheat!

Yes, RBS' post would be the "many more steps" I referred to. But since he says he already cleaned it up, sans one sticky one. I figured it might be one last bugger in startup someplace.

night all
 
I like typing three lines lol

I only suggested RBS`s post`s in case there were any more nasties lurking around.

Regards Howard :haha: :haha:
 
Status
Not open for further replies.
Back