Need help removing virus.

Status
Not open for further replies.

a1nerd

Posts: 13   +0
I have this virus on my computer, raserv.exe. It's some kind of malware virus. I have avast running and it detects the virus and asks me if I want to delete it, and I press OK. After I delete the virus it keeps showing up. I have done scans with avast and Spyware Dr and removed this virus several times, but it always shows up when I do a scan. Any way to remove this virus?
 
Doing a Google search for raserv.exe doesn't help much.

Go HERE and follow the instructions very carefully. Print them out if you can.

Once you have done that go HERE for instructions on how to post your Hijackthis log.

Regards Howard :grinthumb
 
This is more a backdoor Tj. Disable System Restore, run your virus scan and follow the steps howard_hopkinso posted.
 
CWS is still on my machine after trying everything above. Here is my HijackThis report.

Logfile of HijackThis v1.99.1
Scan saved at 11:36:00 PM, on 4/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\david tonnessen\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\lsd_f3.dll
O20 - Winlogon Notify: usbX7 - C:\WINDOWS\SYSTEM32\usbX7.dll
O21 - SSODL: radrop - {E08E350E-5EB5-4E0A-AAA0-DBA3AF7BE6F3} - C:\WINDOWS\System32\radrop.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
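
A cross-check on the log above, as an added example that is not part of the original thread: it parses HijackThis entries and lists those marked "(file missing)" whose binary nevertheless appears under "Running processes". The sample is a constructed excerpt of lines from this log, and the function names are assumptions.

```python
import re

# Constructed sample: a few lines excerpted from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O4 - Global Startup: Free WebSite Tools.lnk = ?
O20 - Winlogon Notify: usbX7 - C:\WINDOWS\SYSTEM32\usbX7.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")          # section code, then the rest
PATH = re.compile(r"[A-Za-z]:\\[^\"*?<>|]*?\.(?:exe|dll|ocx)", re.I)


def parse(log):
    """Return (set of running process paths, list of entry dicts)."""
    running, entries, in_procs = set(), [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False                         # blank line ends the process list
        elif in_procs:
            running.add(line.lower())                # Windows paths are case-insensitive
        elif (m := ENTRY.match(line)):
            path = PATH.search(m.group(2))
            entries.append({
                "code": m.group(1),
                "text": m.group(2),
                "path": path.group(0) if path else None,
                "missing": m.group(2).endswith("(file missing)"),
            })
    return running, entries


def missing_but_running(log):
    """Entries flagged '(file missing)' whose binary is in the running list."""
    running, entries = parse(log)
    return [e for e in entries
            if e["missing"] and e["path"] and e["path"].lower() in running]
```

A hit means the executable was running from that path when the scan was taken, so the "(file missing)" flag on that line is worth verifying on disk before the entry is fixed.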
 
Greetings

First, it is advised to place HJT in its own folder. The reason is for backup; yours is not there.

Download the CWS removal tool here:

http://www.bleepingcomputer.com/files/Smartkiller.php

Have HijackThis fix, BUT ONLY AFTER YOU PLACE HJT IN ITS OWN FOLDER:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Here are some other very good links by Realblackstuff; follow this information closely.

How to remove Begin2Search / CoolWebSearch

https://www.techspot.com/vb/topic17297.html


How to post your Hijackthis log-files.

https://www.techspot.com/vb/topic19133.html
 
How do you find and delete the fixed files? I am speaking of the files that I found and fixed in HijackThis.
 
Set your Windows Explorer to show ALL hidden and system files and folders.
Then use the Search from Start-bar or Find function in Explorer. Delete when found by highlighting the file, then click on Del button and confirm.
 
Sorry, I'm a little slow. Could you be more specific? I am not very computer literate. I also did everything that you suggested in your post on removing the CWS virus except for deleting the deleted files, and that stupid CWS still shows up when I do a scan :(

Will cws follow my keystrokes and hijack my passwords?


realblackstuff said:
Set your Windows Explorer to show ALL hidden and system files and folders.
Then use the Search from Start-bar or Find function in Explorer. Delete when found by highlighting the file, then click on Del button and confirm.
 
Open My Computer, then go to Tools > Folder Options. Then click on the View tab. Once in there, look for a checkbox with Show Hidden Files and Folders.
 