Help Removing A Virus

Status
Not open for further replies.
My computer has been infected with the W32.PicrateA@mm virus. I have tried using Symantec's removal procedures but can't seem to find anything in my registry in the folders they are giving. What it does is it sends out a mass email and prevents you from opening Task Manager and System items like that. I was wondering if anyone could help me in removing this virus on my computer.
 
Just to add in here is a copy of my HijackThis file, and when I run the program NoAdware it detects the files on the computer but something is in the registry causing the files to come back every time the computer restarts.
 
Not everybody has Microsoft word, and word files can potentially contain nasty macros.

Please could you edit your above post, resaving your log and uploading it as a .txt attachment.

Could you please also run a full virus scan of your machine, using either your current AV, or if you don't have one, download and install AVG antiVirus from http://free.grisoft.com

Looking through your log, I see that it also contains adware. Could you please read the stickies at the top of this forum entitled 'How to post your HJT logs' and follow the instructions contained in 'how to remove begin2search/coolwebsearch'
 
Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

DDCMan.exe
winupdates.exe
NoAdware3.exe
PartyPoker.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
dlbtcoms.exe
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, UNinstall anything to do with (not delete yet):
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\NoAdware3\NoAdware3.exe
C:\Program Files\PartyPoker\PartyPoker.exe (you can re-install it later if you trust it; I don't)

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\NoAdware3\NoAdware3.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\RunServices: [Winzip Archiver] Winzip32.exe (no need to run this all day)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
FIX ALL your O18 - Protocol: entries
O23 - Service: dlbt_device - Dell - C:\windows\system32\dlbtcoms.exe
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.
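Added example, not part of the thread above: a PowerShell script that carries out the same steps the post describes (end the listed processes, stop and disable the dlbt_device service, remove the O4 autorun values, empty every profile's Temp directory, then re-check the Run keys for entries that have come back). Process names, service name, registry value names and paths are taken from the HJT entries in the post. Assumptions not stated in the post: the script is run from an elevated prompt in Safe Mode, the backup file path is arbitrary, and the DisableTaskMgr policy check is a guess at how Task Manager was blocked, since the post never says how.

```powershell
# Added example: automates the manual cleanup steps from the post above.
# Run from an elevated PowerShell prompt while booted in Safe Mode.
$ErrorActionPreference = 'Continue'

# 1. Processes named in the post (Get-Process takes the name without .exe)
$procNames = 'DDCMan', 'winupdates', 'NoAdware3', 'PartyPoker'
foreach ($name in $procNames) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Stopping $($_.ProcessName) (PID $($_.Id)) from $($_.Path)"
        Stop-Process -Id $_.Id -Force
    }
}

# 2. The service from the O23 line (dlbt_device -> dlbtcoms.exe)
$svc = Get-Service -Name 'dlbt_device' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name 'dlbt_device' -Force }
    Set-Service -Name 'dlbt_device' -StartupType Disabled
    Write-Host 'Service dlbt_device stopped and disabled'
}

# 3. Autorun values from the O4 lines. Each value is written to a backup
#    file (assumed path) before removal so a mistaken deletion can be undone.
$runKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runServicesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
$backup = Join-Path $env:USERPROFILE 'autorun-backup.txt'
$entries = @{
    $runKey         = @('DDCM', 'DDCActiveMenu', 'winupdates')
    $runServicesKey = @('Winzip Archiver')
}
foreach ($key in $entries.Keys) {
    foreach ($valueName in $entries[$key]) {
        $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($prop) {
            "$key\$valueName = $($prop.$valueName)" | Add-Content -Path $backup
            Remove-ItemProperty -Path $key -Name $valueName
            Write-Host "Removed $key\$valueName"
        }
    }
}

# 4. Assumption: the post says Task Manager is blocked but not how. The usual
#    mechanism is the DisableTaskMgr policy value; clear it if it is set.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -ne 0) {
    Remove-ItemProperty -Path $polKey -Name 'DisableTaskMgr'
    Write-Host 'Cleared DisableTaskMgr policy'
}

# 5. Local Settings\Temp of every profile under Documents and Settings
#    (PSIsContainer is used instead of -Directory so this runs on PowerShell 2.0)
$profiles = Join-Path $env:SystemDrive 'Documents and Settings'
Get-ChildItem -Path $profiles -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object {
        $temp = Join-Path $_.FullName 'Local Settings\Temp'
        if (Test-Path $temp) {
            Remove-Item -Path (Join-Path $temp '*') -Recurse -Force -ErrorAction SilentlyContinue
            Write-Host "Emptied $temp"
        }
    }

# 6. Re-check: warn about any Run/RunServices value that still points into one
#    of the uninstalled program directories, which is the sign the OP described
#    of something re-creating the files after a reboot.
$suspectDirs = 'WildTangent', 'winupdates', 'NoAdware3', 'PartyPoker'
foreach ($key in $runKey, $runServicesKey) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath etc. added by the provider
        if ($suspectDirs | Where-Object { "$($p.Value)" -like "*$_*" }) {
            Write-Warning "Still present: $key\$($p.Name) = $($p.Value)"
        }
    }
}
```

Step 6 is the check worth keeping after a reboot into normal mode: if a warning appears, the entry was re-created by something that is still running, and the remaining process or service needs to be found before the files are deleted again.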
 