nukchebi0
Pushkin, our everything
+387|6584|New Haven, CT
So our XP computer has a virus, with the following message returned by AVG:

    Multiple Threat Detection

    Windows\system32\venelumi.dll    Trojan Horse Vundo.IH
    Windows\system32\rinihuye.dll    Trojan Horse Injector.GJ
    Windows\system32\hatasefa.dll    Trojan Horse Generic15.AFNU

    Each dll and virus occurred at least 5 times.

I then clicked the remove all unhealed infections which provided the following dialog box:

    Do you want to force the threat removal?

    Forced removal can cause system unstability or even crash.  (This was in red, bold font.)


What does this mean and what should I do? As a note, I am currently 2700 miles from the computer, so I can't fiddle with it. I don't want to tell my parents to do something that would royally mess it up without me being there, which is why I would like someone more knowledgeable to tell me what is going on.
AussieReaper
( ͡° ͜ʖ ͡°)
+5,761|6413|what

Because the .dll files are located in your system32 folder AVG is urging you to be cautious about the next step you take.

Say no to the force and it will try to heal the infections, if it can't remove them try running some other scans on the files (or your whole pc for that matter) and see if they can.
Kmar
Truth is my Bitch
+5,695|6861|132 and Bush

Nasty stuff. I once saw a virus attached to a system .dll file. I eventually got it clean by doing a sys restore and then running the scan. I think there was a bit of luck involved tbh.
Xbone Stormsurgezz
Catbox
forgiveness
+505|6976
If you have tried everything... and it's not fixed...
Use combofix         this is a free tool but very powerful... I have used it to fix quite a few really infested computers
http://www.bleepingcomputer.com/combofi … e-combofix
Love is the answer
Benzin
Member
+576|6258

[TUF]Catbox wrote:

If you have tried everything... and it's not fixed...
Use combofix         this is a free tool but very powerful... I have used it to fix quite a few really infested computers
http://www.bleepingcomputer.com/combofi … e-combofix
NO NO NO!!!! Why do you always recommend ComboFix? STOP DOING THAT!

Whatever you do, DO NOT RUN CF! You should not touch CF until you've done everything else you can to remove the virus. CF is the LAST tool you use, because that program can royally screw your computer up if you are unsure about what you are doing. DO NOT TOUCH IT!

OK ... that being said: Try what Aussie said. As an alternative virus scanner, take a look at Malwarebytes' Anti-Malware. MBAM is a good program. Make sure your parents update the program once they install it. Once that is done, do a full scan. Follow instructions to remove the viruses from the computer. After a reboot (chances are it will reboot), then you need to have them do a quick scan. If that scan comes back clean, your computer is fine.

But DO NOT use CF until you've done everything else.

After the computer has been cleaned, have your parents install COMODO Firewall for Windows. Then make sure they are running an anti-virus program with active protection. Symantec 2009 is quite good. They can also buy a copy of MBAM if they want and that will turn on active protection on the program.
Catbox
forgiveness
+505|6976
That's what i said ...lmao
my quote...
"If you have tried everything... and it's not fixed..."      meaning... if you have tried everything and it's not fixed...

has your computer been screwed up by running combofix?   Do you know what you are doing with it?
I have fixed quite a few computers with Combofix...

Last edited by [TUF]Catbox (2009-11-11 01:00:28)

Love is the answer
Benzin
Member
+576|6258
My mistake. I missed that.

I've not messed up my own two computers while running ComboFix, but while reading forums for hours researching how to remove the viruses that I had, I found multiple stories of people running ComboFix and being forced to completely reformat and reinstall.

Sorry again, my mistake.
Catbox
forgiveness
+505|6976
lol... it's all good...  I have fixed a few computers that had the antivirus 2009 issue among others with combofix.... it is definitely a last resort...
Love is the answer
nukchebi0
Pushkin, our everything
+387|6584|New Haven, CT
MBAM doesn't work. The install is corrupted, and I can't force it through a simple reinstall.
steelie34
pub hero!
+603|6641|the land of bourbon
wait!  didn't your anti-virus software stop you from getting a virus?  NO as usual....

those three files are bogus virus files.  you can safely delete them.
Benzin
Member
+576|6258
Install corrupted? That means the viruses are probably blocking the install file from running.

Redownload the MBAM install file and rename the file to something like iexplorer.exe. Rename it however, BEFORE you save it. You'll want to make sure you have it set in FF or IE that you can save and rename your files before doing a download to a predesignated folder. Do that and come back.

Any chance of getting a Hijack This log?

Steelie - gtfo
Benzin
Member
+576|6258
If MBAM doesn't work, try IObit. They've been stealing MBAM's database as of late, so it SHOULD work pretty much just as good. Maybe the virus will let that one through after a rename of the install exe.
steelie34
pub hero!
+603|6641|the land of bourbon
dude, this is a plain vanilla spyware infection.  those three files are just randomly generated files that run during startup and live in the system32 folder.  they are not legitimate... the only difficulty is removing them, and getting rid of the associated registry junk that keeps putting them back.  there are so many undocumented locations in the registry where files can run during boot, it's sometimes tough to track them all down.

my favorite spyware removal method is changing the ntfs permissions on the virus files to deny the system account full control.  the next time you reboot, the virus won't be able to run, and you can delete the files.  sneaky sneaky.

@nismo, i will not gtfo, since i'm certain i have seen, written, and removed more viruses than you can imagine.  these kinds of fights are the reason i stay away from these threads usually.
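One way to carry out the two things steelie34 describes above (hunting the registry autostart entries that keep putting the DLLs back, and denying the SYSTEM account access to the files so they cannot load at the next boot), written as an added example for this thread rather than anything posted by steelie34. It assumes an elevated PowerShell session on the infected machine, uses the three DLL names exactly as AVG reported them, and checks only a hand-picked set of well-known autostart keys.

```powershell
# Added example, not code from the thread: audit some well-known autostart registry
# locations for the three DLL names AVG reported, then apply the NTFS "deny" trick from
# the post above. Assumes an elevated PowerShell session on the infected machine.
$SuspectDlls = @('venelumi.dll', 'rinihuye.dll', 'hatasefa.dll')

# Common autostart locations (not exhaustive); subkeys are searched too.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',           # AppInit_DLLs value
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',   # DLLName in subkeys
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Find-SuspectAutostarts {
    # Emit one record per registry value whose data mentions a suspect DLL name.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($valueName in $item.GetValueNames()) {
                $data = [string]$item.GetValue($valueName)
                foreach ($dll in $SuspectDlls) {
                    if ($data -match [regex]::Escape($dll)) {
                        New-Object PSObject -Property @{ Key = $item.Name; Value = $valueName; Data = $data }
                    }
                }
            }
        }
    }
}

function Deny-SystemAccess {
    # steelie34's trick: a Deny ACE for SYSTEM stops the DLL loading at the next boot.
    # The administrator's own access is left alone, so the file can be deleted afterwards.
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'NT AUTHORITY\SYSTEM', 'FullControl', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Find-SuspectAutostarts | Format-Table Key, Value, Data -AutoSize
foreach ($dll in $SuspectDlls) {
    $file = Join-Path -Path $env:SystemRoot -ChildPath "system32\$dll"
    if (Test-Path -Path $file) { Deny-SystemAccess -Path $file }
}
```

Review the table the first function prints before deleting anything, since a legitimate entry can share a key with the suspect one. If a DLL turns out to be loaded by a process running as the logged-on user rather than as SYSTEM, the same Deny would have to cover that account too, which goes beyond what the post describes.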
King_County_Downy
shitfaced
+2,791|6857|Seattle

Malwarebytes will install in safe mode.

The only way I've been able to get rid of that virus was with a combo of Webroot and malwarebytes run in safe mode.

Besides that, there should now be a fix available from Microsoft updates.

If you have all of your updates, Start--> Run--> mrt <enter> Run a full scan. That might fix it.
Sober enough to know what I'm doing, drunk enough to really enjoy doing it
steelie34
pub hero!
+603|6641|the land of bourbon
the saddest part of my day is when i spend hours devising a way to manually remove spyware (by hand, deleting files and reg keys) only to see someone has released a package to do it for me.  fml
King_County_Downy
shitfaced
+2,791|6857|Seattle

The worst part of my day is when my company won't let me even try to remove a virus because we can re-image the computer faster than the scan takes. I enjoy a good virus fight every once in a while.
Sober enough to know what I'm doing, drunk enough to really enjoy doing it
nukchebi0
Pushkin, our everything
+387|6584|New Haven, CT
I'm quite glad I've been paranoid enough to tell my parents not to use the internet on it at all (nor have the connection enabled.)

With that said, the computer will not start in safe mode. It crashes as it exits the safe mode "splash" screen, invariably.

Last edited by nukchebi0 (2009-11-11 10:18:53)

steelie34
pub hero!
+603|6641|the land of bourbon
hijack-this will provide some good info... are you unable to run it?

it will list a lot of the 'hidden' startup entries in the registry.
Benzin
Member
+576|6258

steelie34 wrote:

hijack-this will provide some good info... are you unable to run it?

it will list a lot of the 'hidden' startup entries in the registry.
I'm curious if he'll be able to at all. I honestly don't think he will, but it would be nice to be surprised.
King_County_Downy
shitfaced
+2,791|6857|Seattle

nukchebi0 wrote:

I'm quite glad I've been paranoid enough to tell my parents not to use the internet on it at all (nor have the connection enabled.)

With that said, the computer will not start in safe mode. It crashes as it exits the safe mode "splash" screen, invariably.
Start--> Run--> SFC /scannow <enter>
Sober enough to know what I'm doing, drunk enough to really enjoy doing it
steelie34
pub hero!
+603|6641|the land of bourbon
i always look at it as a trade-off of time.  if it would take more time to wrestle with this virus than it would to just do a windows repair, i would go for the repair.  you can never be 100% sure of complete removal especially with an annoying one like this.
Catbox
forgiveness
+505|6976
If you have given up and are going to reformat...
try the combofix program like i said in a post above
http://www.bleepingcomputer.com/combofi … e-combofix

When you d/l combofix.... choose save as and rename it to   combo-fix.exe and save...  (this should help the corrupt .exe problem)
then when it d/l    click on the combo-fix.exe and let it run and it should clear up your issue....after combofix
you can run malwarebytes and get rid of any other lingering spyware... 
http://www.malwarebytes.org/

combofix is very powerful and a last resort ....
but if you are going to
reformat.... it's free and worth a shot

Last edited by [TUF]Catbox (2009-11-11 23:00:11)

Love is the answer
Benzin
Member
+576|6258

[TUF]Catbox wrote:

If you have given up and are going to reformat...
try the combofix program like i said in a post above
http://www.bleepingcomputer.com/combofi … e-combofix

When you d/l combofix.... choose save as and rename it to   combo-fix.exe and save...  (this should help the corrupt .exe problem)
then when it d/l    click on the combo-fix.exe and let it run and it should clear up your issue....after combofix
you can run malwarebytes and get rid of any other lingering spyware... 
http://www.malwarebytes.org/

combofix is very powerful and a last resort ....
but if you are going to
reformat.... it's free and worth a shot
yea, if reformat is your last option, always good to run CF and see if that fixes anything. Just make sure you do not touch the computer at all when it's running. Turn CF on and walk away for a while.

You should be able to back up any data from the computer first, though. Doubtful the trojan will latch onto your photos and mp3s and whatnot. Though I would be careful nonetheless.
nukchebi0
Pushkin, our everything
+387|6584|New Haven, CT
So I got MBAM to work, and had it remove things along with AVG. Scan of those two, along with Adaware, come back clean. Is the computer usable, or should I run something else to ensure it is safe?
steelie34
pub hero!
+603|6641|the land of bourbon

nukchebi0 wrote:

So I got MBAM to work, and had it remove things along with AVG. Scan of those two, along with Adaware, come back clean. Is the computer usable, or should I run something else to ensure it is safe?
sounds like you're ok.  i'd put a condom around my modem to make sure this stuff doesn't happen again.