Virus Removal Steps

Keep the infection local.
Disconnect from the network/internet. I mean physically pull out your RJ45/RJ11 plug. This stops the virus from progating throughout your network or over the internet (worms/viruses), stop your data from leaving (calling home) your compromized system (trojans) through backdoors and stops your machine from participating in a zombie mob DOS attack.

Perform a Virus Scan.
This is the first attempt to determine if your system is truly infected. Do a deep scan of every single file and folder on the system. This may take several hours but it is necessary. Make sure your virus definition(Database) is updated. Many of them can update the database locally via a update file you can grab off the offical website.

Grab the prescribed removal tool. Once you've identified the virus infecting your system. you can now better deal with the particular infection by administering the proper "vaccine". You can go to any of the known antivirus companies website and grab a removal tool. This tool will delete any of the known virus-infected files and registry entry made by the virus. Take not of the virus "version" and download the corresponding tool. It will require you to do a scan and then reboot into safe mode and perform the scan again.

Removal Tools:
• AVG
http://free.grisoft.com/doc/8/lng/us/tpl/v5
• Kaspersky
http://www.kaspersky.com/removaltools
• Norton
http://www.symantec.com/enterprise/securit...emovaltools.jsp
• McAfee
http://us.mcafee.com/virusInfo/default.asp?id=vrt
• Panda
http://www.pandasoftware.com/download/utilities/

I also suggest downloading McAfee's Stinger and PC-Cilin's Virus Cleanup template (and their respective virus definition files) which are standalone/install-less virus removal engine.
• McAfee Stinger
http://vil.nai.com/vil/stinger/
• PC-Cilin VCT
http://www.trendmicro.com/download/dcs.asp

Additionally, you can scan your PC online with
• PC-Cilin Trendmicro's Housecall
http://housecall.trendmicro.com/
• Panda Antivirus Active Scan
http://www.pandasoftware.com/products/ActiveScan.htm
• Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
• McAfee File Scan
http://us.mcafee.com/root/mfs/default.asp
• Norton Fee Online Virus Scanner
http://kb.wisc.edu/helpdesk/page.php?id=2389

It is very important that you place any media you're using to trasfer the Removal tool, virus database update file or when performing a scan to read-only-mode until you are certain that your system is no longer infected. If you're media does not have read-only option then don't use it. If you have no choice, once it is put in the system, assume that it is also infected and treat it accordingly. These devices can be put into read-only mode by the sliding button on your device. Read your manual. Any portable media not on read-only mode are susceptible to being infected by the virus.

Check for unusual applications and processes.
A virus is just like a regular application and need to be running in order to work. It should also have a way to start itself up again when the system is rebooted (taking advantage of many of the ways programs automatically start-up in Windows). There are typically five ways that programs start-up automatically in windows and we need to look at these five ways to look for the virus.

1. The most rudimery is the Startup folder. Any application or shortcut that is located in the Startup folder will automatically start-up each time the system is booted into Windows. There are several of these folders located throughout the system notebly each user’s profile

• C:\Documents and Settings\<username>\Start Menu\Programs\Starup
(this includes Default and All Users profiles as well)
• C:\Documents and Settings\Default User\Start Menu\Programs\Startup and;
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and Windows system files such as;

• c:\autoexec.bat
• c:\config.sys
• Windows\win.ini, wininit.ini, system.ini
• Windows\system\autoexec.nt, config.nt

more reading: http://www.aumha.org/a/loads.php

2. The most typically is from the Registry. Several locations in the registry that controls auto-startup of applications are contained. The HKEY_USERS and HKEY_CURRENT_USER run when the user logs in while settings under HKEY_LOCAL_MACHINE run when the system starts up. Some of the registry keys that you need to look it include:

Local User
HKEY_USERS\<User UID>\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\*CurrentVersion\RunOnce

Local Machine
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

a more extensive list of launch point can be found here:
http://www.silentrunners.org/sr_launchpoints.html

3. The current favorite is as a Service. Just like running from the registry, any viruses that installs itself as a service can run without user intervention upon start-up. It can also start back up when when you kill it because the service control has the option to restart the service upon a failure (in which case, manually killing it constitutes a failure).



4. Less common is from a Script. The GPO is an enterprise-wide feature that enables the network administrator to write a script to perform certain tasks upon start-up/shutdown on multiple computers in a network/domain using scripting language such as VB, JS,etc. Your computer also has a local GPO and you need to launch the GPO editor console and to check if there are any suspicious scripts running on your system.

Running Scripts are located in

• Local Computer Policy\Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup for programs that run when the computer is started and;

• Local Computer Policy\User Configuration\Windows Settings\Scripts (Logon/Logoff)\Logon for programs that run when the user logs in.



If you don't do any scripting, aren't on a domain, then anything in here is considered highly suspicious.

5. Possibly, but rarely, from a Scheduled Task. A scheduled task has the ability to run applications on start up and on log in of a user. They also have the ability to run a program as a different user or as the system itself. The Scheduled Tasks can be found under the Control Panel.

it is very common to see virus writers use a combination of these steps so you need to cover all these basics.

Using Msconfig,Gpedit.msc,Services.msc
The Microsoft System Configuration Utility or simply MSCONFIG is a tool built into Windows that is designed to help you troubleshoot problems with your computer. You can see some of the programs that run in the background upon startup here together with some registry entries and it's a good place to start. To check your services you need to use Services.msc and to check scripts, as mentioned before, Gpedit.msc. All are run from Start > RUn >



more information:
http://support.microsoft.com/kb/310560

for a more extensive utitily I would recommend AutoRuns from Sysinternals.
http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx

Turn off System Restore.
There is some debate about whether to turn off system restore or not when during an infection. The reason why we need to be concerned with system restore is because system restore can at certain times cache a virus which will be restored with the other windows system state files during a system restore operation. Often times you will also get the AV complaining that it is unable to clean one or more files in the System Volume Information data store. The downside is that when you purge the restore points, you will be unable to restore your system to a previous system state if anything goes wrong.

Use Task Manager
Get familiar with process running in the background on your own PC. once you're familiar with all the usual process then anything out of the ordinary will stand out like a sore thumb. most (not all) viruses tend to have weird filenames like Age_of_empire.exe (huh? i didn't play that game) and some try to look legitimate by taking similar names to common Windows processes. eg. svchost.exe instead of scvhost.exe.

Once you're comfortable with processes, you can opt to use Process Explorer from Sysinternal. Downloadable from here: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

this are normal processes


as a general rule, take extra interest in any processes don't have a company name (with the exception of DPCs, Interrupts, System, SMSS, Services, System Idle Process and things mentioned above), verification signer (Process explorer auto verifies images) and version number attached to it. you can kill the process by right-clicking on it selecting Kill. process explorer also allows you to search for a specific process. you should also be interested in purple threaded processes.



If you're unsure what a process is responsible for you can check it out here:
http://www.liutilities.com/products/wintas...ibrary/scvhost/

This post has been edited by AsenDURE: Jun 20 2007, 02:53 PM

Rootkits

what are rootkits?
normally only sysadmins are concerned with these, but i'm seeing alot of these crap floating around in the home networking environment. could be coz alot of current Windows version seem to be based on NT/Server platform. a rootkit is program that that allows the a hacker to mask intrusion and gain root or privileged access to the computer. rootkits can then monitor traffic, grab keystrokes, steal passwords, or create a "backdoor" into the system for the hacker to administer the infected system remotely for almost anything he wishes to.

because rootkits can run at the kernel & API level, it can be hidden from the OS & the upper layer utils like Explorer (file viewers), does not show up in Task Manager (process viewers), will not leave visible entries in the startup folders or common startup locations mentioned above. It will also not show up on most antivirus scanners & antispyware. rootkits not only take advantage of the vulnerbilities in your OS but even in your antispyware/antivirus detector as well.

rootkits are not themselves not malware programs but ofthen times are used to hide the presence of malware programs/trojans/worms. detecting rootkits requires a specialist rootkit detector.

check rootkit threat alerts from here:
http://www.rootkit.com/board.hot.php

types of rootkit-run levels


rootkit detectors

• M'zoft's Sysinternal RootkitRevealer [from sysinternal, 'nuff said]
http://www.microsoft.com/technet/sysintern...itRevealer.mspx

• X-Focus's Ice Sword [chinese, very good and for experienced users only]
http://www.xfocus.net/tools/200509/

• M'zoft's Malicious Software Removal Tool
http://www.microsoft.com/downloads/details...&displaylang=en

• Blacklight from F-Secure [non-free]
http://www.f-secure.com/blacklight/

• Sophos Anti-Rootkit [Release Candidate 1]
http://sophos.com/products/free-tools/soph...ti-rootkit.html

• RKDetector
http://www.rkdetector.com/

• RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer

Rootkit removal
The difficulty with rootkit removal is lies problem that rootkits work by changing the OS itself at the kernal level, it may not be possible to remove the rootkit without causing Windows to become unstable or non-functioning.

For rootkits that are 'bundled' with spyware/malware, removing the malware hidden by the rootkit presents the normal problems of removing any malware but removing the rootkit itself may unstabilize your entire system to the point that the malware can not be completely removed.

This post has been edited by AsenDURE: Jun 20 2007, 11:08 AM

ok folks, comment, correct, discuss, contribute...

Update
=====

• Panda Rootkit cleaner is in Alpha Stage (credits to havuk)
http://research.pandasoftware.com/blogs/re...it-cleaner.aspx

• GMER (credits to havuk)
http://www.gmer.net

• DarkSpy (credits to havuk)
http://www.softpedia.com/get/Antivirus/Dar...i-Rootkit.shtml

• Trendmicro's Rootkit Cleaner is in Beta Stage
http://www.trendmicro.com/download/rbuster.asp

• McAfee's Rootkit Detective is in Beta Stage
http://vil.nai.com/vil/stinger/rkstinger.aspx

It's good that alot of security/AV companies are taking rootkit seriously. In your next AV upgrade/purchase/license renewal, you may want to seriously consider this feature included in your AV package.

This post has been edited by AsenDURE: Jun 21 2007, 10:32 AM

i would like to suggest
1. avs for antivirus (www.activevirusshield.com)
2. steps on how to remove and create new system restore points as virus normally lurks there...

sometimes u come across viruses that disable your taskmanager, msconfig and regedit. You can use this to regain access to your registry
http://www.symantec.com/security_response/...-050614-0532-99

or, the direct link to the file

http://securityresponse.symantec.com/avcenter/UnHookExec.inf

(same thing)

This post has been edited by danixal: Jul 31 2007, 02:41 PM

If you have a copy of the virus, upload it here so antivirus companies can study it and make signatures, also good to see if files are infected by viruses if your antivirus dosent detect it yet . XD

http://www.virustotal.com/

or

http://virusscan.jotti.org/

AVG Anti-Rootkit Free

This post has been edited by rich8833: Aug 1 2007, 12:10 PM

Ice Sword is good in handling running process. You can view the process that hide with rootkits.

Add microworld e'scan antivirus. Quite good and fast too.

Thanks for the info mod. By the way, I have a question. My computer has been infected by something( don't know how to call it and it is invisible to my Kaspersky and Adaware and Spybot ), when I delete the folder, minutes later it pops out. The folder name's is MSOCache. Any ideas?

everybody who using Microsoft Office 2003 also will have this folder (including the computer I using now)
no need to remove it because it is legit

and please use google next times
http://www.theeldergeek.com/msocache_folder.htm

btw, that folder should located in the systemroot and is a hidden system folder...

Since many AV cant detect KAVO / NTDELECT, I've show how to remove it manually

~~~~~~~~~~~~~
Remove kavo / kava / ntdelect

**DELETE**

run CMD,

Type this to show hidden and system files since ur regedit n folder opt has been kacau by kavo0.dll,
CD \windows\system32
ATTRIB kavo.exe -R -A -S -H
ATTRIB kavo0.dll -R -A -S -H
ATTRIB kavo1.dll -R -A -S -H

Delete
"\windows\system32\kavo.exe",
"\windows\system32\kavo0.dll",
"\windows\system32\kavo1.dll"
by using unlocker (DL Here)

**REGISTRY**

Change Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
"CheckedValue" to 2
"DefaultValue" to 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" to 1
"DefaultValue" to 2

Dear Mod/Enthusiast/Sifu,

I've got a case of virus infection date back last Tuesday which is spread through email with an .exe attachment entitled Princess.Diana.Killing.Revealed.exe

According to the user, she didn't even double-click on the email, just highlighting (system on double-click settings, not single-click mode) it and the attachment triggered. Some of the symptoms are:

1. Floppy drive keeps on running intermittenly with or without any diskette inserted.
2. Unable to use Task Manager
3. Unable to use the Run command box
4. Unable to use Ctrl-Alt-Del for Task Manager too
5. Command prompt had been disabled by Administrator (I'm the Administrator and it was never set to disabled)
6. Trying to run any .exe (programs) will be terminated in split-seconds blink.
7. When attempt to use Safe Mode, all the 3 Safe Mode options were not successful only Boot Windows Normally enabled.
8. Folder Options to view Hidden Files were disabled.
9. The PC is connected to a Domain and after the infection, a force restart of the PC leads to the removal of the PC from the Domain. Since logging in as a Domain user is impossible, I can only log in as Local but the PC name had been changed to "VirusBenci". Due to the use of Malay language and the email also sent from a user with email address who83@yahoo.com I suspect that it's another Indonesian creation of Brontok.
10. When plugged in a USB drive and view the content, it'll infect file within and append the .exe extention to some documents within. When plugged to a healthy PC without using the Autoplay or viewing under Windows Explorer, the virus will not be triggered. An attempt to view the content within the USB drive with Command Prompt didn't show any hidden files at all except when the syntax "dir /ah" is used to view files with hidden attribute. There were 2 files shown within the infected USB key, Word.exe and autorun.inf. Using Microsoft Editor, the autorun.inf file content shows that it's pointing to the Word.exe file. The file itself is Read-Only attribute therefore the file cannot be edit. I manage to create 2 blank text file and change the extention and filename same like the 2 and overwrite 2 virus file before deleting both safely. Somehow, I should have tried a different way like changing the file attributes so that I can see the files and the Antivirus software would be able to detect it.

NOW I NEED SOME HELP HERE.

I planned to removed the infected HDD, and use it as external drive and perform a scan via a healthy PC. But virus were not detected as I suspect it's a new strain.

Also, I would like to know if there's anyway I can access to the registry of the OS installed on the external HDD? Where is the location and how to edit it so that the BRontok will be crippled?

help!

recently my friend's pc infected a virus named "W32.mamuwow.Flint" that named on his Norton Anti Virus.

have anyone know how to kill this??

AVR CAN FOUND IT MUST CAN KILL IT LARH.. -.-

Er... My comp got 36 virus healed by AVG... One of them is explorer... My explorer infected by trojan/virus... After AVG healed it, a pop up ask me insert Windows XP SP2 CD because my explorer is unrecognized version?? I got no taskbar now... Desktop is so clean... How to handle this? I'm thinking to reformat it...

hmm.. explorer deleted.. best way it reinstall your OS.. but repairing your OS can work too i think. i never facing this prob, hope expert will guide u better

As you said that youe explorer.exe was infected by virus. In that case your explore.exe backup files in dllcache also deleted by AVG. This thing only can be fix by installing or repairing your Windows.

PS: For me I just reformat it.

before that try this, copy any explorer.exe form any pc but have the same version with ur winxp...it might work, but try it first....if the prob still contineu..repair or format ur pc...thx

This post has been edited by amysiko: Feb 15 2008, 05:55 PM

I think everyone knows that.
Still, there are alternatives to counter this issue rather than format it. Easier, reliable if you ask me.

i cant format my thumbdrive...
i cant even delete or copy the file inside it...
y?

Hi sifu/brothers, I am having a problem here. A message popped out after I download a torrent file. The message ask me to delete or disable this file in order to download. The problem is I dunno how to delete this file any idea? Here's the file.



Here's the file.


This post has been edited by Guenhwyvar: Mar 7 2008, 10:58 PM


Attached thumbnail(s)

theres some file in system cannor be deleted....play safe...back up the file before delete it...

Any idea to remove a virus named Virut without having to reinstall all *.exe files that is infected

registry editor... remove it from there.

I come across the worm Allapple-Gen which attacks my services.exe and forcing my computer to restart in 45 seconds.

It also duplicates a lot of htm or html files in all over random files.

Since I am at work today, I just gather enough information to go home to battle it again tonight.

1) look for service.exe or services.exe besides the one in C:\Windows\System32
2) Look around registry editor at the Run section.
2) Turn off system restore
3) Scan the computer in safe mode. I am using NOD32

Wish me luck.

remember to sent samples of the infected file to samples@eset.sk so that other users of NDO32 can stay protected.

Hello Master Sifoo. Ineed Help Here...
How I want Remove The Virus Name "JambanMuV2"
I see it On System Properties. Please Help Me...

I can't believe it! What a name...LOL

http://help.wugnet.com/vista/JamBanMuV2-ftopict108264.html

use KillFlash ( right click save-as )

to change ur registration name & company ,

Start >> Run >> type regedit

HKLM >> Software >> Microsoft >> Windows NT >> Current Version

find "RegisteredOwner" .. double click it and fill in watever u want .. do the same for "RegisteredOrganization" ..

U should try this too..simple step and it always help to get rid of virus form pendrive
How to prevent the virus

Hey guys,
i got a problem over here.
U see, i think i have downloaded some serial keys or something like that,
and from that day onwards,
I cant browse webs at all,
i thought it was my line problem bt when i connect the modem to other pc,
is working fine!
I tried having full scan with kaspersky and Adaware,
But is still the same problem!
I can enter my homepage, Google.
But i cant google search, and enter other webs as well.
Seriously Need Help.
>.<
Thanks alot!

Use this scanner. It is free.

Quite reliable I think.

http://onecare.live.com/site/en-US/default.htm?s_cid=sah

It help me remove virtumonde trojans.

Anyone heard of a virus called "Nadiah" ?
Room mate's lappie infected by it i think, C drive n D drive can't open
Any solutions in removing the virus? AVG can't detect..Thanks!

Run flash disinfector, and then run an online scan and manually delete the virus.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
Note: Please delete any existing copy of Flash Disinfector(if any) on your pc and download this one.

• Double-click Flash_Disinfector.exe to run it.
• Follow any prompts that may appear.
• Your desktop will vanish for a while, and then reappear. This is normal.
• Wait until the program has finished scanning, then please exit the program.
• Restart your computer and see if problem still persists.

uwlmj.com
path: C:\uwlmj.com and D:\uwlmj.com

Popup from Kaspersky Internet Security 2009 ver8.0 (trial version) detect this as Potentially Dangerous Program when i want to open my C:\ or D:\
I deny the access, but then i can open both HDD.
other than that, i can't view the "Protected Operating system file" and any hidden file even though i've uncheck the required box.
Goolge bout uwlmj.com but no result.

so how i want to removed this uwlmj.com
is it a virus or worst?
please help..

This post has been edited by dan137: Jun 24 2008, 10:30 AM

http://spywaredlls.prevx.com/RRFHGH44829215/UWLMJ.COM.html

erm... sorry if its inappropriate for this post to b at here...

i wanna ask for help as my comp was infected by a trojan named PSW.OnlineGames.AWIU (thread detected by my AVG free version) is there anyway to remove this trojan as my AVG keeps detect this trojan access my comp files... and another matter is tat now i cant open my C and D drive directly, when i click the driver (C and D Drive) a windows will pop out (sumthng lik "open with" window) and i hav to access my C and D drive using explore option...

Currently using Active virus shield ... but recently they shut the services down not sure why ?

Any recommendations as something similar and good as active virus shield ? Now using Avira AntiVir ... not sure if its good enuf ?

i'm using avast, so far no prob n most worms/trojan was cleared, last time my office pc installed wit norton but sucks... after installed avast no prob til now..

sifu any opinion on avast??

Mine was infected by that virus too. Been detected by Eset. But new problem occured, I cannot enable option to show my hidden file. Anybody have the solution?

hi,
for bagata's problem i think any new antivirus can handle that problem. it is actually a problem that cause by a file named 'autorun.inf'. if antivirus cannot delete the file, you can delete it manually. the file attribute is hidden and system. so therefore you need to show hidden file and uncheck hide protected operating system file to see it.you'll be warn when you uncheck the hide protected operating system file but it's ok. when u the file just delete it. restart the pc then it'll be just fine.

but when u effected by kavo like worm-trojan. it patch ntdetect file so that you cannot see the hidden file. to solve this
you need to follow the instruction below. this tool only can be run in windows xp and 2000 only.


1. Disable “System Restore� on your System (Accessories > System Tools > System Restore)
2. Click here to download this file - kavo killer
3. Unzip and extract it anywhere
4. Restart your PC in safe mode (for WinXP, before the WinXP screen comes in, press F8 repeatedly until you come to the start-up options)
5. Locate the exe file and double-click on it
6. Click on the top right-most button (the only button with an icon)

7. When finished. Reboot
8. Just to be sure, set your anti-virus to scan at boot time and restart again to make sure the Kavo.exe is no more

That’s it. Let me know if this post has helped you.

(courtesy of http://mrbadak.com/2008/01/11/remove-kavo-easily/)

Bro...

When I downloading the kavo killer file, it detected containing a virus... How?

---

Added on September 5, 2008, 8:40 amFind this while goggling around looking for my problem solution. Hope this help...



This post has been edited by Deani_77: Sep 5 2008, 08:41 AM

ok Deani, sory for that. i did not check the file.BTW this should be ok. i upload it myself.

download link
http://rapidshare.com/files/142720162/kavo_killer.rar.html

i'm using kaspersky Internet security 2009 and it's ok. eset sometime detect apps like this as virus. i don' know why. but if its still detected it as virus please turn off ur antivirus.

if u worried being infected, please change ur antivirus first.

please follow the instruction for further steps

hope this will do.

keep updating so i can give more support. TQ

Hi Jovi,
asking the TS to disable his antivirus without checking first is a bad advice. You should ask the TS to check the file content by uploading to Jotti or Virustotal for results that are more affirmative.

Thx bean_man for ur advice. it is actually my bad by advising Deani to do that, but i do that with a very good reason. i've been using the program for almost a year now for virus removing service and it works just fine. even for the second link i, upload it myself. it's the same tools that i've using for almost a year. the steps that i have copy from other site is the same steps that i have been using. it just a fast way to write an instruction without writing it.

BTW thx for ur advice. i'm sending this app to Jotti or Virustotal as u advised for more confirmation. i'm new here and looking forward for more reply TQ

---

Added on September 10, 2008, 9:41 ami've send the file to Jotti and Virustotal and both give partially bad result. . some detected it as trojan. but from my experience it will not effected your windows. i'm using Kaspersky Internet Security which is i' ve red the no 1 internet security app for now, and KIS detect nothing. lastly it may be up to Deani to decide weather to try it or not. . for me b4 i found this tools, the only way to resolve the prob is to reinstall the windows

This post has been edited by jovi: Sep 10 2008, 09:41 AM

I DL the file and checked an indeed it is a partial result. But the classification of trojan means to me that i should be aware about running it as it could very well install a backdoor that you did not know about.

Yap u should be aware for that situation. maybe i'll start google around the net to find new safer solution for this. its involve some registry modification and maybe replace new ntdetect file on the system using bart pe will do. But i'll try find it first.TQ

Hi All,

My pc was infected by virus, i guess. When i shut down, it prompt me "rundll32.exe" not responding. When start up, it will prompt up "error loading c:\windows/system32/ccwld16_080326.dll" and "error loading c:\windows/system32/3fadll" saying that this specified module could not be found. My pc will keep on pop up "error loading c\:windows/downlo~1/621sc.dll when i'm using it.

Beside the above, when i suft net, my IE will freezed when i click on any link or when i type in the address in IE tab bar. For example: when i sign up for lowyat, i need to confirm my registration by clicking some link from my email, but it freeze and i have us use ctrl & alt to close it. Otherwise, it will freeze there loading. It cause lots of inconvenience to me.

I've scanned using Spyeraser but the free version only allowed me to scan but no remove service provided. Other software like adaware and avg, avast can't help my problem. Please refer to the below for the log file from spyeraser software:

Start Date:September 10, 2008 at 03:06:45PM

End Date:September 10, 2008 at 03:12:24PM

Total Time:5 Mins 39 Secs
Detected Infections

Cookie.Tracking-Cookie
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user\Cookies\user@xiti[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[4].txt

Cookie.DoubleClick
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt

Malware (General Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\system32\kavo1.dll
MD5: b60e1b788b0d248305dff1a7e4cc6048 (187392 Bytes)

FileName: c:\windows\system32\kavo.exe
MD5: 6651fcbbcb100f9b608e47a503588690 (117194 Bytes)

FileName: c:\windows\system32\kavo0.dll
MD5: b859812358da146372ff243edc8341a3 (187392 Bytes)
Infected registry keys/values detected
hkey_classes_root\appid\activex.dll\
hkey_classes_root\appid\activex.dll\appid\
hkey_classes_root\iehpr.invoke.1\
hkey_classes_root\iehpr.invoke\
hkey_local_machine\software\classes\iehpr.invoke.1\clsid\
hkey_local_machine\software\classes\iehpr.invoke.1\
hkey_local_machine\software\classes\iehpr.invoke\clsid\
hkey_local_machine\software\classes\iehpr.invoke\curver\
hkey_local_machine\software\classes\iehpr.invoke\


Details:
Status:No Action taken
Category:




RCS.TeamViewer
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.current\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.default\

RCS.TightVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_deferral\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_getupdaterect\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_keypress\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_lbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_mbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_rbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_timer\
hkey_current_user\software\orl\vnchooks\application_prefs\
hkey_current_user\software\orl\winvnc3\autoportselect\
hkey_current_user\software\orl\winvnc3\idletimeout\
hkey_current_user\software\orl\winvnc3\inputsenabled\
hkey_current_user\software\orl\winvnc3\localinputsdisabled\
hkey_current_user\software\orl\winvnc3\locksetting\
hkey_current_user\software\orl\winvnc3\onlypollconsole\
hkey_current_user\software\orl\winvnc3\onlypollonevent\
hkey_current_user\software\orl\winvnc3\password\
hkey_current_user\software\orl\winvnc3\passwordviewonly\
hkey_current_user\software\orl\winvnc3\pollforeground\
hkey_current_user\software\orl\winvnc3\pollfullscreen\
hkey_current_user\software\orl\winvnc3\pollundercursor\
hkey_current_user\software\orl\winvnc3\removewallpaper\
hkey_current_user\software\orl\winvnc3\socketconnect\
hkey_local_machine\software\orl\winvnc3\default\

Adware.FlashEnhancer
Details: Adware programs secretly embed themselves on the victim抯 computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected registry keys/values detected
hkey_current_user\software\xml\

RCS.UltraVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\eventlabels\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\
hkey_current_user\software\orl\winvnc3\
hkey_local_machine\software\orl\winvnc3\

RAT.WinVNC-based.h
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart ?shutdown the system and even format the hard drive of the victim抯 machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\winvnc3\querysetting\
hkey_current_user\software\orl\winvnc3\querytimeout\

RAT (General Components)
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart ?shutdown the system and even format the hard drive of the victim抯 machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\

RCS.RealVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_local_machine\software\orl\

Malware.Malware-(General-Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\6.tmp
MD5: d41d8cd98f00b204e9800998ecf8427e (0 Bytes)

Trojan-Downloader (General Components)
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user抯 system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\windows\2.tmp
MD5: 4316e55df1b80f5bd5f143bfffd271ef (24576 Bytes)

Trojan-Downloader.Adload.ko
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user抯 system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml23.tmp
MD5: 58f95f1d32ffdfb817600d73a259ce8c (450560 Bytes)

FileName: c:\documents and settings\user\local settings\temp\cml3a.tmp
MD5: ce3a554190f6f1b89ef686a654855dac (860160 Bytes)

Adware.bho.jw
Details: Adware programs secretly embed themselves on the victim抯 computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml25.tmp
MD5: 604f615bf7963c2f7015db84236b646c (450560 Bytes)




--------------------------------------------------------------------------------

Start Date:September 11, 2008 at 10:23:46AM

End Date:September 11, 2008 at 10:27:52AM

Total Time:4 Mins 6 Secs
Detected Infections

Cookie.Tracking-Cookie
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user\Cookies\user@xiti[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[4].txt
C:\Documents and Settings\user\Cookies\user@apmebf[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[5].txt

Cookie.FastClick.com
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@fastclick[2].txt

Cookie.BS.Serving-Sys
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt

RCS.TeamViewer
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.current\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.default\

RCS.TightVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_deferral\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_getupdaterect\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_keypress\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_lbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_mbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_rbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_timer\
hkey_current_user\software\orl\vnchooks\application_prefs\
hkey_current_user\software\orl\winvnc3\autoportselect\
hkey_current_user\software\orl\winvnc3\idletimeout\
hkey_current_user\software\orl\winvnc3\inputsenabled\
hkey_current_user\software\orl\winvnc3\localinputsdisabled\
hkey_current_user\software\orl\winvnc3\locksetting\
hkey_current_user\software\orl\winvnc3\onlypollconsole\
hkey_current_user\software\orl\winvnc3\onlypollonevent\
hkey_current_user\software\orl\winvnc3\password\
hkey_current_user\software\orl\winvnc3\passwordviewonly\
hkey_current_user\software\orl\winvnc3\pollforeground\
hkey_current_user\software\orl\winvnc3\pollfullscreen\
hkey_current_user\software\orl\winvnc3\pollundercursor\
hkey_current_user\software\orl\winvnc3\removewallpaper\
hkey_current_user\software\orl\winvnc3\socketconnect\
hkey_local_machine\software\orl\winvnc3\default\

Adware.FlashEnhancer
Details: Adware programs secretly embed themselves on the victim抯 computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected registry keys/values detected
hkey_current_user\software\xml\

RCS.UltraVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\eventlabels\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\
hkey_current_user\software\orl\winvnc3\
hkey_local_machine\software\orl\winvnc3\

RAT.WinVNC-based.h
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart ?shutdown the system and even format the hard drive of the victim抯 machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\winvnc3\querysetting\
hkey_current_user\software\orl\winvnc3\querytimeout\

RAT (General Components)
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart ?shutdown the system and even format the hard drive of the victim抯 machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\

Malware (General Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\system32\kavo.exe
MD5: 6651fcbbcb100f9b608e47a503588690 (117194 Bytes)

FileName: c:\windows\system32\kavo0.dll
MD5: b859812358da146372ff243edc8341a3 (187392 Bytes)

FileName: c:\windows\system32\kavo1.dll
MD5: b60e1b788b0d248305dff1a7e4cc6048 (187392 Bytes)
Infected registry keys/values detected
hkey_classes_root\appid\activex.dll\
hkey_classes_root\appid\activex.dll\appid\

RCS.RealVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_local_machine\software\orl\

Malware.Malware-(General-Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\6.tmp
MD5: d41d8cd98f00b204e9800998ecf8427e (0 Bytes)

Trojan-Downloader (General Components)
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user抯 system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\windows\2.tmp
MD5: 4316e55df1b80f5bd5f143bfffd271ef (24576 Bytes)

Trojan-Downloader.Adload.ko
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user抯 system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml23.tmp
MD5: 58f95f1d32ffdfb817600d73a259ce8c (450560 Bytes)

FileName: c:\documents and settings\user\local settings\temp\cml3a.tmp
MD5: ce3a554190f6f1b89ef686a654855dac (860160 Bytes)

Adware.bho.jw
Details: Adware programs secretly embed themselves on the victim抯 computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml25.tmp
MD5: 604f615bf7963c2f7015db84236b646c (450560 Bytes)

Can anyone suggested what should i do to deleted the virus DIY? FYI this is company pc and we will be issued a warning letter if our pc found to be infected by virus.

Your assistance on the above is highly appreciated.

Thank you.

Hi,
I failed to perform the above. when i type in attrib kavo.exe -r -a -s -h when i run CMD as instructed, it said file not found - kavo.exe. I've scanned my pc using spyeraser, it listed out the file infected are:
c:\windows\system32\kavo1.dll
c:\windows\system32\kavo.exe
c:\windows\system32\kavo0.dll

Please refer to the attached for log file.

Now, my pc has problem to click link from the website. It will freeze when i click on link. I've to use ctrl & alt to close the IE otherwise my pc will hang.


Attached File(s)
 log_file.htm ( 36.63k ) Number of downloads: 46

Looking at this. I would suggest that you look for an emergency boot Cd such as Avira rescue system CD and burn a copy and run that. Run a scan and it should pick some of the viruses up. But bear in mind that you may lose some functionality as the damage from the virus would most likely be done.

I need help regarding my situation right now. To keep it simple I write the details in points.

EDITED:

1. There's a shady program running in my pc. I found it in my Task Manager and the program is tyjkfww.exe or something like that. So I just kill the process but it still keep on opening itself.

2. The "virus" disabling my antivirus. I even fiin out that my antivirus's .exe file has been deleted.

3. I noticed that i have that program "tyjkfww.exe" at any root folder of any drive (like C://,D:// except for CD/DVDROM drive) with its own autorun.inf. Yeah, they're hidden but luckily my ACDSee program can 'see' them. I tried to unhide them but can't because they keep on hiding. I tried to delete them but they still exist. And here i thought that there is no use for me to format my pc.

4. I also noticed that the program "tyjkfww.exe" will not open if i use "right click-->explore" a root folder rather than double clicking the root folder.

5. I still have my folder options but can't unhide hidden files and folders.

6. I no longer can view any pictures using the usual windows picture preview.

Are there any cleaner for this?

Oh my... i keep on editing my post...

7. It seems that my pc keeps on utilizing its cpu at 50% even though i have closed all programs.

This post has been edited by sgwc: Nov 4 2008, 12:40 PM

Please post this on the tech support corner. A malware helper will aid you.

have anyone encountered this problem before?
swsyorn.exe
i cant open up my system restore,it'll close it down immediately
same goes for antivirus
disabled my safe mode as well

guys....i found out combofix written by subs, its pretty good.
warning: its very good but its rather intrusive in its way.

it changes my desktop and closes everything before running, but everything will be back to normal after restart. i was infected with win32/heur type virus. blocked my avg from updating, blocked most rootkits scanners from installing. downloaded it from my laptop copied into my pc...changed it to a generic name so that the virus doesn't detect it.

killed the rootkit on the first run, then leaved behind the rest of the cleaning job to my avg.

izzit true we have to have very good internet connection to update karpersky antivirus?

sifu(s),

my laptop have been infected with worm.win32.autorun.scw virus.
i got the virus name after i scanned with my kaspersky anti virus 7
unfortunately, it cannot be removed by kav7 due to my c drive have been corrupted with the virus already.
any suggestion what should i do to make my vista is ok all over again instead of formatting c drive?
attached here is the hijackthis log for sifu(s) referrence.

thank you in advance for helping me out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:52 PM, on 11/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Launch Manager\WLBTTray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\IObit\Advanced WindowsCare V2\Awcl.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2756381265-1365012787-916203025-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'weMA')
O4 - HKUS\S-1-5-21-2756381265-1365012787-916203025-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'weMA')
O4 - HKUS\S-1-5-21-2756381265-1365012787-916203025-1003\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot (User 'weMA')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GrooveSystemServices.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\r3hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LckFldService - Unknown owner - C:\Windows\system32\LckFldService.exe
O23 - Service: SONbuddyDriverService - Green Packet Inc. - C:\Program Files\iTalk\iTalk Buddy For Windows\SONbuddyDriverService.exe
O23 - Service: SONNonAdminService - Green Packet - C:\Program Files\iTalk\iTalk Buddy For Windows\SONNonAdminService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: WisLMSvc - TODO: <Company name> - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 10394 bytes

---

Added on November 30, 2008, 7:40 pmdear sifu jovi,

u rocks!!!! thank you bro!!




This post has been edited by Faiza|: Nov 30 2008, 07:40 PM

There is a good combination of antivirus that i always do.
Install AVG then Install Avast then Install Bit Defender. The process is ligther than installing Kaspersky alone.
This works well for my PC and 4 years old Laptop.

Hi guys, just wondering, I'm an IT guy as well, I practice safe computing, which practically eliminates 95% of the viruses. Using non admin account, and not opening unsafe files, right click explore /disable autorun pendrives etc..

Problem is, if the virus is written effectively.
How would you know if you got hit with a virus?

Case in point is the me_cute.exe virus that some of my colleagues got hit with. In this case, the me_cute.exe virus writer actually made a mistake in the registry field, which tried to load c:\windows\system32userinit.exe
instead of c:\windows\system32\userinit.exe

Ofcourse, the file doesn't exists and windows can't load normally. which gives a tell tale sign that something is a miss, and the troubleshooting steps begins.

Whether this was a typo by the virus writer, or he did it on purpose, we'll never know. BUT if he DID typed the path to userinit.exe correctly, the girls will never even know they got hit with a virus. they'll happily reboot, and use their pc continuosly, and passing their pendrives around infecting others in the process.

Which leads me to the question, how would you know if your PC has been compromised? If the virus is written cleverly, and is local to a specific region. the latest updates on AVG8 paid version didn't even catch the virus. and uploading the file to virus total, i noticed a lot of other AVs don't even have the signature for it yet.

A virus which spreads by pendrive, properly written, limited to a specific local, KL/PJ/Ipoh. it'll be hard for people to even notice it's there until it's too late (IE the pen drive reaching our hands, and we right click, and noticed the hidden autorun.inf inside it.....)

---

Added on December 13, 2008, 12:57 pmIs there steps that we can do manually, to ensure our PC is safe?

Even for us IT ppl, sometimes we accidentally do double click the pendrive, and that's all it takes for the virus to get in.

In my case, I noticed it due to my firewall alerting me of outgoing communications.

Layered defense. But again, what if it escaped my firewall too, then I'd have no idea I've already been compromised.

This post has been edited by eltaria: Dec 13 2008, 12:57 PM

Greetings and Happy Holidays!

I come baring a not so delightful little 'gift'

At the end of last week I notice something strange with my desktop and my laptop. A series of scans showed me that I have been infected by a virus called Trojan Horse Crypt.AYG. I tried many means possible. Even took my lappy over to my IT guy in the office and the 2 of us couldn't crack it at all. Here is a summary of what I've done so far.

1. unplugged desktop from internet to stop it from further infestation. Since the lappy was newer and had less important stuff on it, I kinda used it to search around the net for solutions but to no avail.

2. I took the comps off the router and went direct dial but internet would cut itself off every 20 minutes because the dialer would have hung.
Noted an extra svchost.exe process running with massive mem usage. java.exe also takes more mem than usual. The only way to get back online was the restart the comp. It seems that if I'm on the LAN there is no problems with the connection but when I do direct dial it happens. At times FF3 would even autoshutdown.

3. AVG 8 picks up the virus, says it healed it/dumped it in the vault but then it pops up all over again. I have...
a) cleaning the vaults
b) manually deleting the folders/files and emptying the recycle bin each time. They come out in these:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5

C:\Documents and Settings\LocalService\Network Settings\Temporary Internet Files\Content.IE5

folders inside them would be in random 8 letter alpha numeric names( e.g. TwEot5FY) and the files in them would be 4 letter 1 number in bracket jpegs(e.g.rspw[1].jpg).

After healing/vaulting, a popup appears 10 minutes later with the same infection but a slightly dissimilar file name.


4. Tried the following without much luck:
a) AVG 8
b) hijack this (nothing unusual showed up)
c) system restore (no difference)
d)Panda online scan (wants me to pay to disinfect)
e)Tea Timer spybot search and destroy (couldn't find it)
f)Geekz Virus remover (couldn't even run the program for some strange reason says it's a runtime error)
g)a number of other BIOS and windows based ones my IT just has on his super secret weapon CD virus annihilator! (couldn't find it-it hides too well)

5. In my frustration I deleted all the contents of the C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 above (specifically the desktop.ini and index.dat) and it seems to have stopped popping up on AVG now whenever I run a scan.

I'm not sure if what I did was right or wrong. I feel like I've just kinda put a lid on it but haven't cleared it out entirely. Please correct me if I'm wrong. My main desktop is still in suspended animation. I fear turning it on. Because it has less ram and processing power than my lappy, explorer.exe hangs every time the dialer dies.

This is a pretty obscure version of the crypt virus. I haven't been able to find one similar to it on google or trendmicro. Can it possibly be a dialer virus? I'm at my wits end trying to understand this one.

Did u ever tried to scan it during safe mode?
i think ur avg couldnt lean it properly becoz it was already loaded during windows startup.

Topic starter can add Smart Virus Remover on it. it's just a small antivirus...but it can restore window defults...like cant view folder option...run...all and etc etc

i check my autorun file in my usb drive and i found this:



How cani fix this? Everytime i plug in the usb drive the auto run refer to "Program". I left click and explore and find this file. I format it twice.. same problem happen.

---

Added on December 30, 2008, 1:57 pmUpdate: problem solved using Smart Virus Remover

This post has been edited by Shafique: Dec 30 2008, 01:57 PM

This a bit similar to what my company currently facing. Even we had install with antivirus software, it also cannot stop this virus from spread to others.

Worm:W32/Downadup.AL => http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

thank

Hi, my pc infected by Win32.Worm.Downadup.Gen detected by Bitdefender, its ruining my network software. and my AV still cannot clean them.

Don't use AVG. It's crap! A lot of virus such as the one spread by usb stick or thumbdrive cannot be clean. Do yourself a favor and buy Kaspersky (KIS 2009) license.

This post has been edited by gyver: Jan 14 2009, 04:30 PM

Got this article from my IT regional department.

http://www.computerworld.com/action/articl...&intsrc=kc_feat

FAQ: How to protect your PC against the Downadup worm
Biggest worm in years hits millions of PCs, but you can fend off attack
Gregg Keizer
January 20, 2009 (Computerworld) Security experts say it's the biggest worm attack in years, call it "amazing" and report that it infected nearly 9 million PCs in just two weeks.

Downadup is downright nasty. And that's even before it does much more than just spread.

But as analysts argue about how the compromised computers will be used -- to build a massive botnet, perhaps -- or how much information hackers will steal from infected machines, users like you have a more immediate concern: "How do I keep my PC from joining the ranks of the hacked?"

That's a simple question. Unfortunately, because of this worm's flexibility, the answers aren't.

What's the worm again? Thanks to the lack of an industry-wide labeling system, the worm goes by more than one name. Some companies dub it "Downadup," others call it "Conficker."

No matter the name, it's the same threat.

When did Downadup first appear? Security companies warned of the worm in late November 2008; Symantec Corp. was one of the first to sound the alarm when it raised its ThreatCon security alert level on Nov. 21. Within a week, Microsoft Corp. had added its voice to the chorus as it acknowledged a significant uptick in attacks.

However, the worm only really took off about a week ago as newer variations struck users and resulted in millions of infections.

How does it spread? One of Downadup's most intriguing aspects, say security researchers, is its multipronged attack strategy: It can spread three different ways.

The one that's gotten the most attention exploits a vulnerability in Windows that Microsoft patched nearly four months ago. The bug, which is in a file-sharing service that's included in all versions of the operating system, can be exploited remotely just by sending a malformed data packet to an unpatched PC.

But the worm can also spread by brute-force password attacks, and by copying itself to any removable USB-based devices such as flash drives and cameras. More on those two in a moment.

What machines are most vulnerable to Downadup attack? According to Microsoft, unpatched Windows 2000, Windows XP and Windows Server 2003 machines are at the greatest risk to exploits of the bug patched in October. That gibes with reports from security companies, which have highlighted the danger to PCs running Windows XP Service Pack 2 and XP SP3. Not coincidentally, those versions account for the bulk of Windows' market share.

Unpatched Windows Vista and Server 2008 systems, meanwhile, are less likely to fall victim to attack, since hackers must have authenticated access to the computer, or in other words, know the log-in username and password.

Any Windows-powered machines, however, can be compromised by the worm's password and USB attack strategies.

I'm running Windows 7 beta... am I safe? According to the Microsoft support document that details the October patch, yes you are.

Microsoft offered the fix as a security patch to users of the Windows 7 "pre-beta," the version it gave developers in late October and early November. It then integrated the patch into Windows 7 before it launched the public beta on Jan. 10.

OK, so how do I protect my PC? Because this thing is a triple threat, you'll need to take more than one defensive measure.

First of all, if you haven't already done so, apply the October fix that Microsoft tagged as MS08-067. If you have Windows Update set to automatically download and install patches, you should be protected, but it never hurts to double-check. You can verify that the patch has been installed by bringing up Windows Update, then clicking "Review your update history" and looking for a security update labeled as "KB958644."

If you are only now installing the patch, you might want to take Microsoft's advice and also download and install the January edition of its free Malicious Software Removal Tool (MSRT), which was updated last week so that it can detect, and then delete, Downadup infections.

What's this about password attacks? Although most of the news about Downadup's spread has focused on its exploitation of a patched bug in Windows, the worm also propagates by trying to guess other machines' administrative passwords.

Once the worm penetrates a corporate network -- perhaps by infecting a single unpatched machine, say a laptop, that is later connected to that network -- it tries to break into other PCs, including those that have been patched with the October emergency fix.

"One of the ways in which the Conficker worm (also known as Confick or Downadup) uses to spread is to try and batter its way into ADMIN$ shares using a long list of different passwords," said Graham Cluley, a senior technology consultant at Sophos, in an entry to a company blog last Friday. Cluley included the list of passwords that Downadup tries, which range from the ubiquitous password and the moronic secure to the slightly-more-clever letmein and nimda, or admin spelled backward.

Cluley urged users to steer clear of what he called "poorly-chosen passwords," while other security companies recommended that users not only pick stronger passwords but change them periodically as well.

Obviously, if you're using a password that's on the Downadup list, you should change it immediately.

And the worm can spread from flash drives, too? Yes.

From the moment Downadup infects a PC, it copies a file, named "autorun.inf" to the root of any USB storage devices, typically flash drives, that are connected to the compromised computer. That file name takes advantage of Windows' Autorun and Autoplay features to copy the worm to any machine that a flash drive, camera or other USB device is plugged into. Downadup will infect that PC when the drive or device is connected, or when the user double-clicks the device's icon within Windows Explorer or from the desktop.

Security experts have recommended that users disable both Autorun and Autoplay in Windows.

A December blog post by Symantec researcher Ben Nahorney spells out how to disable Autoplay, while a separate post on the Hackology blog outlines how to turn off Autorun by editing the registry.

What are the signs that my PC has been hit? Microsoft's advisory about Downadup lists several symptoms of infection, including these:


Account lockout policies are being tripped (because your password's been hijacked, and changed, by the attacker).
Automatic Updates are disabled (because Downadup tries to keep the PC unpatched by turning off Windows Update's automatic update, as well as Background Intelligent Transfer Service (BITS), the Windows component used by Windows Update to actually deliver the updates).
Various security-related Web sites cannot be accessed (because Downadup blocks access to a whole host of security companies' sites in an effort to prevent antivirus software from being updated, which could result in the worm's detection and eradication).
If your PC is exhibiting any of these symptoms -- or the others that Microsoft spells out here -- the company recommends that you immediately use the MSRT to clean the machine.

You can download the MSRT from Microsoft's site, or follow these instructions, posted at its support site, that walk administrators through the steps to deploy the tool in enterprise environments.

This post has been edited by Shinnen: Jan 21 2009, 01:43 PM

I think the file is corrupted. Can't open.

I just wondering if BitDefender really is the best anti virus ever..?
I googled it and the software list as the top antivirus remover.
I used it once. Kinda heavy and laggy

Try this few anti virus scanner maybe it can help you solve your problems...

Unemployed Software


Just try to help

just want to share

i using clamwin portable av and a-square free ver to remove virus/spyware/etc..(both are standalone)
update it..
run the clamwin to remove the virus in ram(make sure change the setting to move to quarantine)
run the a-square..
remover the pest...
put both them in pendrive(format it)...

setel..

lately i always found virus with name.. sality.. can anybody help me..

Sality is a low risk virus

Sality

Hello.. Sality is a polymorphic virus that infects Win32 PE executable files, or in other words, infects each .exe and .scr files..

If your computer has Sality on it, I recommend you to go to any Malware Removal forum for further assistance.. The list can be found in website below..

http://www.uniteagainstmalware.com/schools.php

http://asap.maddoktor2.com/

To be honest, the most efficient way to combat Sality is just to do a full-reformat to your computer.. If you choose to reformat the computer, please don't forget to backup all of your data first.. Do NOT include any .exe and .scr files.. Meaning that do not include any screensaver, installer, applications in your backup.. You risk infecting other computers as well..

W32.Downadup/conficker prevention


Disable Autorun on ALL drives
- using tweak ui
http://www.pcdoctor-guide.com/wordpress/?page_id=1546
- using registry editor and gpedit.msc
http://antivirus.about.com/od/securitytips/ht/autorun.htm

(prevent most virus/worm/trojan that propogated through USB drives)

Disable System Restore

Disable hidden administrative share
http://www.petri.co.il/disable_administrative_shares.htm

Install Microsoft Patch MS08-067,
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

Have w32.downadup remover handy
- http://www.symantec.com/security_response/...-011316-0247-99

Use strong password with all windows accounts

Read this thread, Virus Removal steps

Read Microsoft conficker guide

Fast detection of w32.downadup / conficker
1. Open Windows Explorer
2. Right click at any folder, click search
3. With normal uninfected system the folder you choose will appear in 'Look in:' , but with infected system, there will be nothing.



Anybody else have some more ideas?

This post has been edited by shahlanibrahim: Mar 11 2009, 10:38 PM

Now i have this problem.



damn that ACL.
i need to delete "$Secure" in ntfs partition.
is there is other solution?

This post has been edited by kekacang: Mar 25 2009, 05:47 PM

Does AVG really useful ?

Try Node32 or kapersky, I have bad experience with AVG and I will never use it anymore.

not sure if its been posted, but i have this "system.exe" which they say is a spyware

so i tried:
1-scanning using adware = failed(dling bitdefender now)
2-tried the solution frm majorgeeks by using killbox - failed
3-booting safe mode and killing the process then del the file in system32 = failed
4-Did step (2) in safe mode = failed
5-Tried Unlocker in safe mode = failed
6-AVG = failed

any more suggestions?

maybe i should try spybot? kapersky? is the free version enough?


*update* = ahh nvm solved it with spybot S&D

This post has been edited by dopeycheese: May 2 2009, 01:24 PM


Attached thumbnail(s)

Hi guys, please help me. There are some weird process in my task manager.


As you can see, there are some process named BN***.tmp. I've googled it, and maybe it is some sort of spyware.

Story:

My PC got BSOD. After some checking, I thought there may be some virus. So I uninstalled my blacklisted NOD32, and tried to install KIS and NIS. But the installer won't start.

I've scanned my harddisk using my friend's PC, and it found virus in my HDD, and it deleted them. But I still can't intall any AV. When I reonline back, the BN***.tmp files will appear again. How can I delete them altogether?

Thx in advance.

---

Added on May 19, 2009, 12:58 amProblems solved

This post has been edited by matyrze: May 19 2009, 12:58 AM