Question:
So I have a Virus it seems..?
2008-12-13 08:51:56 UTC
Right, well, I'm a little stuck on how to go about removing this without formatting, and before I do so I'd just like to make sure nobody has an answer.

Anyway, I've used freewaredown.com or whatever the exact name is for quite a while, and had stopped thinking twice before I clicked stuff on it. And basically I got phished, yeah, silly me.

The virus came with the 3,80 freeware version of WinRAR. I didn't install it for a little while, as I didn't need to use it, but a little earlier I did, and opened up a file (thought it might be the file I opened at first, but I didn't execute it, and the annoying little pop-ups the trojan keeps throwing at me were WinRAR windows).

So basically I need a hand removing it; looks like I put off getting a proper anti-virus program for too long (Norton = wasted money! :)

Took a peek in Program Files and found this text in a notepad dated when I installed it.

Normal virus lingo, this is the first part:
=== Verbose logging started: 02/01/2007 17:05:58 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (14:D8) [17:05:58:166]: Resetting cached policy values
MSI (c) (14:D8) [17:05:58:166]: Machine policy value 'Debug' is 0
MSI (c) (14:D8) [17:05:58:166]: ******* RunEngine:
******* Product: c:\e12843ff0cf49505852e\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (14:D8) [17:05:58:182]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (14:D8) [17:05:58:182]: Grabbed execution mutex.
MSI (c) (14:D8) [17:05:58:182]: Cloaking enabled.
MSI (c) (14:D8) [17:05:58:182]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (14:D8) [17:05:58:198]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (34:C8) [17:05:58:198]: Grabbed execution mutex.
MSI (s) (34:C8) [17:05:58:198]: Resetting cached policy values
MSI (s) (34:C8) [17:05:58:198]: Machine policy value 'Debug' is 0
MSI (s) (34:C8) [17:05:58:198]: ******* RunEngine:
******* Product: c:\e12843ff0cf49505852e\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (34:C8) [17:05:58:198]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (34:C8) [17:05:58:213]: File will have security applied from OpCode.

Then obviously a lot of it is rewriting system file names, re-routing file paths, etc., way too long to link here.

It also will not let me search the internet, as most viruses do, and just brings up a "Your machine have a virus! click following link to download FREE anti-virus!" - not that stupid at least =)

Any tips before it ruins my rig?
Eight answers:
cotojo
2008-12-13 10:03:33 UTC
Do NOT use System restore or you will infect the Restore partition.

It's a malware infection caused by a rogue program that infects users' computers and finds non-existent problems in a bid to get users to purchase the fake software.

Use the following free programs, download, install, update and reboot into Safe Mode to remove:



Norman Malware Cleaner - No install required, will also run from usb flash drive or CD, simply download, double click to open, Accept Agreement then Run:

http://download.norman.no/public/Norman_Malware_Cleaner.exe

Kills running processes that are infected

Removes infections from disk (including ActiveX components and browser helper objects)

Reveals and removes rootkits

Restores correct registry values

Removes references created by malware in hosts file which redirect to other sites and block downloads

Removes windows firewall rules for malicious programs



Alternative download site:

http://www.download.com/Norman-Malware-Cleaner/3000-2144_4-168467.html?tag=mncol



Malwarebytes Anti-Malware:

http://www.malwarebytes.org/mbam.php

Select Full Scan.

Remove all infections that it finds after scan.



SUPERAntiSpyware Free Edition:

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Select Scan your Computer, select your drive and select Perform Complete Scan and remove infections, then click on Preferences, click Repairs Tab and click on any of the System and Browser Repair Items that you may have problems with then click Perform Repair.



Spyware Doctor Starter Edition - Realtime monitoring:

http://www.download.com/Spyware-Doctor-Starter-Edition/3000-8022_4-10704508.html

This is an easy-to-use, preconfigured application that is ready to use as soon as you install it.

It will protect against spyware, adware, spyware trojans, keyloggers and more.
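As an added example, not from this thread or from any of the tools listed above: a small Python check that audits a Windows hosts file for the kind of entries cotojo's list mentions, where malware pins security-vendor sites to loopback or redirects hostnames elsewhere. The watched domains are the vendor sites linked in this thread; the hosts file content is a constructed sample.

```python
import ipaddress

# Domains of the removal tools recommended in this thread. A rogue AV that
# blocks their download will often pin them in the hosts file.
WATCHED_DOMAINS = {"malwarebytes.org", "superantispyware.com",
                   "download.norman.no", "download.com"}

# Constructed sample hosts file: two legitimate lines, then three hijacks.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1\twww.malwarebytes.org malwarebytes.org  # download now fails
10.0.0.5        www.superantispyware.com
10.0.0.5        www.google.com  # search traffic sent elsewhere
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()            # one IP, one or more names
        for name in names:
            yield ip, name.lower()


def is_local(ip):
    """True for loopback/unspecified addresses, the only normal hosts targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hosts_hijacks(text):
    """Return (ip, hostname, reason) for every suspicious hosts-file entry."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_watched(name):
            findings.append((ip, name, "security-vendor domain pinned in hosts file"))
        elif not is_local(ip):
            findings.append((ip, name, "hostname redirected to a non-local address"))
    return findings
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts and pass its contents to find_hosts_hijacks; any finding is worth comparing against the scanner results.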
Kristi
2016-08-25 00:56:56 UTC
2
2008-12-13 08:58:49 UTC
If you don't have access to the internet, things just got a lot more complicated. What you'll need to do is go onto a different computer and download the following programs to a jump drive (sometimes called a flash drive). Download the installers, and drag them to the jump drive.



< Malware Bytes >

-->Download: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html



< SuperAntiSpyware >

--> Download: http://www.download.com/SUPERAntiSpyware-Free-Edition/3000-8022_4-10523889.html



Once that is done, connect your flash drive to your computer and run the installers. After they've been successfully installed, do the following:



Reboot your computer into safe mode, and run at least one full scan using each. Remove whatever it is they find. I actually recommend running more than one - just to be safe.



Need help getting into safe mode?

--> http://www.bleepingcomputer.com/tutorials/tutorial61.html



EDIT: If the scan in safe mode removed some of the problems, then run it again and see if it continues to help. It might not detect everything on the first sweep, so doing so a second and third time could help.
popcorn
2008-12-13 10:40:42 UTC
Have you tried running your AV in Safe Mode? You can manually download updates for MBAM and SAS if you can get to a clean PC (see links). One more idea: try the Avira rescue CD. It's a fully updated Linux-based program. It works on XP/Vista. Download the file on a clean PC, double click, insert CD/DVD and burn to disc. Insert the disc into the infected PC and BOOT UP. Follow the instructions for the scan; when choosing language choose English, PRESS SPACE then Enter. You can post a HijackThis log, I will look at it for you. If the virus is nasty you may have to rename HijackThis.exe to run. You could also try Safe Mode with Networking (F8 key on boot); this may allow you to update. Good luck, let us know how you get on.
linuXn1nja
2008-12-13 09:01:50 UTC
I'm not sure if this will work, but you might as well give it a try. Reset your IE settings. Go to your Control Panel and pop open the Internet Settings. Go to the Advanced tab and click on the "Reset..." button. It just might get rid of that annoying popup you are talking about and let you browse for a direct online scan somewhere.
Lana T
2008-12-13 09:00:52 UTC
How about using another comp and download Avast! onto a USB flash drive. Then install and run it on the affected comp. Might have to boot affected comp in safe mode (F8). Might not fix everything, but it could be a start.
beck
2008-12-13 09:03:20 UTC
Try SUPER ANTISPYWARE. If the infection is too harmful it may not help. To be on the safer side, reinstall the operating system. If you are not sure how to do the reinstallation, go to http://gur.in/ for slides and click OS reinstall guide. Make a note of it and get started if you don't have any other computer.



To download SUPER ANTISPYWARE:

http://www.superantispyware.com/





Felix :-)
2008-12-13 08:57:00 UTC
I'm gonna tell you in steps:

1. Go onto the Start button.

2. All Programs.

3. Accessories.

4. System Tools.

5. System Restore.

6. Restore to an earlier date.

7. Click Next.

8. It should restart.

9. The virus will be gone.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.