Need Help With Virus

Status
Not open for further replies.
C

camo12g

Posts: 6   +0
Hi, I would really appreciate some help in removing a virus. Every time I turn on or re-boot the computer Avast picks up a VBS:Malware-gen 1.reg virus.
I have gone through the 15 steps program but it hasn’t fixed the problem. I have attached the required logs and panda antirootkit came back with no results.

Cheers
Andrew…
 
Hello and welcome to Techspot.

You haven`t posted the results of the Panda Antirootkit scan.

Your system is infected with a very dangerous backdoor trojan. This may well have stolen your confidential information.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

Please let me know what you want to do.

Regards Howard :wave: :wave:

This thread is for the use of camo12g only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
hi, the panda antirootkit scan came back with no results. "no rootkits have been found". I would like to try and clean it before I do a complete re-install.
Cheers
Andrew..
 
Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

[]<Look for a service that has no name.

Close the services window.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\system32\winsock32.exe
C:\WINDOWS\mrofinu173.exe
C:\WINDOWS\system32\lpertg.exe
C:\WINDOWS\system32\2C23BBC401.sys
Folder::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"<NO NAME>"=-
Click to expand...
Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of camo12g only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Yes, the computer boot up with no virus warning. Have attached my fresh log flies.

Many thanks for your help it is really appreciated.
Cheers
Andrew...
 
Nope, still no attachments. I have removed your previous attachments, maybe that`ll help.

Regards Howard :)

This thread is for the use of camo12g only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
We just need to get rid of one registry entry.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
""=-
Click to expand...

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Please note: there is no space in the runservices part of the CFScript. It is caused by a glitch in the copying process. If you get this in your script, remove the space between the runservic and the es.

Regards Howard :)

This thread is for the use of camo12g only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That all looks clean.

Delete the following folder.

C:\Qoobox.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

You can now get rid of all the tools we used to clean up your system.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of camo12g only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks Howard for the great work that you do. it was greatley appreciated by me.

Cheers
Andrew...

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else, will be ignored.
 
Status
Not open for further replies.

Similar threads

J
Need help with BSOD Event ID 41
Replies
1
Views
1K
Kshipper
Kshipper
D
Solved Possible Virus
2
Replies
34
Views
16K
Broni
Broni
Confusd73
Solved Amazon Assistant
2
Replies
33
Views
6K
Broni
Broni

Latest posts

Back