2008-12-13 08:51:56 UTC
Anyway, I've used freewaredown.com, or whatever the exact name is, for quite a while and had stopped thinking twice before I clicked stuff on it. And basically I got phished, yeah, silly me.
The virus came with the 3,80 freeware version of WinRAR. I didn't install it for a little while, as I didn't need to use it, but a little earlier I did, and opened up a file. (I thought it might be the file I opened at first, but I didn't execute it, and the annoying little pop-ups the trojan keeps throwing at me were WinRAR windows.)
So basically I need a hand removing it; looks like I put off getting a proper anti-virus program for too long (Norton = wasted money! :)
Took a peek in Program Files and found this text in a Notepad file dated when I installed it.
Normal virus lingo; this is the first part:
=== Verbose logging started: 02/01/2007 17:05:58 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (14:D8) [17:05:58:166]: Resetting cached policy values
MSI (c) (14:D8) [17:05:58:166]: Machine policy value 'Debug' is 0
MSI (c) (14:D8) [17:05:58:166]: ******* RunEngine:
******* Product: c:\e12843ff0cf49505852e\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (14:D8) [17:05:58:182]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (14:D8) [17:05:58:182]: Grabbed execution mutex.
MSI (c) (14:D8) [17:05:58:182]: Cloaking enabled.
MSI (c) (14:D8) [17:05:58:182]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (14:D8) [17:05:58:198]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (34:C8) [17:05:58:198]: Grabbed execution mutex.
MSI (s) (34:C8) [17:05:58:198]: Resetting cached policy values
MSI (s) (34:C8) [17:05:58:198]: Machine policy value 'Debug' is 0
MSI (s) (34:C8) [17:05:58:198]: ******* RunEngine:
******* Product: c:\e12843ff0cf49505852e\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (34:C8) [17:05:58:198]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (34:C8) [17:05:58:213]: File will have security applied from OpCode.
Then obviously a lot of it is rewriting system file names, re-routing file paths, etc. Way too long to paste here.
It also will not let me search the internet, as most viruses do, and just brings up a "Your machine have a virus! click following link to download FREE anti-virus!" message. Not that stupid, at least =)
Any tips before it ruins my rig?