
View Full Version : Omg, virus! Xo


kooky
26-09-08, 23:20
Yeah, that's right: I just got attacked by the virus Antispyware 2008 (or whatever it is!) while downloading this MP3, and I'm currently scanning my PC with McAfee. Please, some help quick, I do not want my PC to die! :(

http://i206.photobucket.com/albums/bb215/tutuy4/other/untitled-8.jpg

tlr online
26-09-08, 23:25
Don't use your PC until the scan is complete.

http://www.kaspersky.com/virusscanner

spikejones
27-09-08, 00:36
Boot in Safe Mode (press F8 before the Windows logo appears).
Run full system antivirus and spyware scans.
Post the report from ardiag.exe (http://www.tombraiderhub.com/ardiag.exe) after the scans complete.

Stay in Safe Mode wherever possible while working on removal of the malware, and do not return to normal mode until complete removal can be verified.

kooky
27-09-08, 02:35
Boot in Safe Mode (press F8 before the Windows logo appears).
Run full system antivirus and spyware scans.
Post the report from ardiag.exe (http://www.tombraiderhub.com/ardiag.exe) after the scans complete.

Stay in Safe Mode wherever possible while working on removal of the malware, and do not return to normal mode until complete removal can be verified.

I tried removing the malware from the PC in Safe Mode. It tried removing the PUP.x file from the PC but could not completely remove it; it said "could not completely remove the malware". So am I stuck with it?! :(

---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"Tracks files that are managed by Adobe Photoshop Elements"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AdobeActiveFileMonitor5.0
Program path & name:
"c:\program files\adobe\photoshop elements 5.0\photoshopelementsfileagent.exe"
Enabled: [V]


Program:
"McAfee Protection Manager"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
mcmscsvc
Program path & name:
"c:\program files\mcafee\msc\mcmscsvc.exe"
Enabled: [V]


Program:
"Allows McAfee applications to communicate securely on the local network."
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
McNASvc
Program path & name:
"c:\program files\common files\mcafee\mna\mcnasvc.exe"
Enabled: [V]


Program:
"McAfee Proxy Service"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
McProxy
Program path & name:
"c:\program files\common files\mcafee\mcproxy\mcproxy.exe"
Enabled: [V]


Program:
"Scans files for viruses and other threats when they are accessed by this computer."
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
McShield
Program path & name:
"c:\program files\mcafee\virusscan\mcshield.exe"
Enabled: [V]


Program:
"MpfService"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
MpfService
Program path & name:
"c:\program files\mcafee\mpf\mpfsrv.exe"
Enabled: [V]


Program:
"This service filters e-mail messages on your computer"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
MSK80Service
Program path & name:
"c:\program files\mcafee\msk\msksrver.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
RegManServ
Program path & name:
File not found: C:\Program Files\Registry Defragmentation\RegManServ.exe"
Enabled: [V]


Program:
"Provides low-level support for McAfee SiteAdvisor"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SiteAdvisor Service
Program path & name:
"c:\program files\siteadvisor\6261\saservice.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
EagleNT
Program path & name:
File not found: C:\WINDOWS\system32\drivers\EagleNT.sys"
Enabled: [V]


Program:
"VSCore Code Analysis Driver"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
mferkdk
Program path & name:
"c:\windows\system32\drivers\mferkdk.sys"
Enabled: [V]


Program:
"McAfee Personal Firewall Plus Driver"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
MPFP
Program path & name:
"c:\windows\system32\drivers\mpfp.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Not verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"SiteAdvisor"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SiteAdvisor
Program path & name:
"c:\program files\siteadvisor\6261\siteadv.exe"
Enabled: [V]


Program:
"EasyNetwork User Interface"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
McENUI
Program path & name:
"c:\program files\mcafee\mhn\mcenui.exe"
Enabled: [V]


Program:
"McAfee Integrated Security Platform"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
mcagent_exe
Program path & name:
"c:\program files\mcafee.com\agent\mcagent.exe"
Enabled: [V]


Program:
"Adobe Photo Downloader 3.0 component"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
Adobe Photo Downloader
Program path & name:
"c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
Enabled: [V]


Program:
"NVIDIA nView Wizard Version 110.38"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
nwiz
Program path & name:
"c:\windows\system32\nwiz.exe"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/octet-stream
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/x-complus
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/x-msdownload
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"SiteAdvisor"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
siteadvisor
Program path & name:
"c:\program files\siteadvisor\6261\siteadv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: about:Home"
Enabled: [V]


Program:
"Microsoft .NET IE SECURITY REGISTRATION"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Entry name:
n/a
Program path & name:
"c:\windows\system32\mscories.dll"
Enabled: [V]

The Malware below:

Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
MSFox
Program path & name:
c:\documents and settings\brooks\local settings\temp\a.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
AppleSoftwareUpdate.job
Program path & name:
File not found: C:\Program Files\Apple Software Update\SoftwareUpdate.exe"
Enabled: [V]


Program:
"QuickClean Console Application"
Publisher:
"(Verified) McAfee Inc."
Entry path:
Task Scheduler
Entry name:
McDefragTask.job
Program path & name:
"c:\program files\mcafee\mqc\qcconsol.exe"
Enabled: [V]


Program:
"QuickClean Console Application"
Publisher:
"(Verified) McAfee Inc."
Entry path:
Task Scheduler
Entry name:
McQcTask.job
Program path & name:
"c:\program files\mcafee\mqc\qcconsol.exe"
Enabled: [V]


Program:
"SiteAdvisor"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{089FD14D-132B-48FC-8861-0048AE113215}
Program path & name:
"c:\program files\siteadvisor\6261\siteadv.dll"
Enabled: [V]


Program:
"McAfee Phishing BHO"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
McAfee Phishing Filter
Program path & name:
"c:\program files\mcafee\msk\mcapbho.dll"
Enabled: [V]


Program:
"VSCore Script Scanner"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
scriptproxy
Program path & name:
"c:\program files\mcafee\virusscan\scriptsn.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
"VDMSound LaunchPad Shell Extension"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
VDMSound LaunchPad
Program path & name:
c:\program files\vdmsound\launchpad.dll"
Enabled: [V]


Program:
"7-Zip Shell Extension"
Publisher:
"(Not verified) Igor Pavlov"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
7-Zip Shell Extension
Program path & name:
"c:\program files\7-zip\7-zip.dll"
Enabled: [V]


Program:
"Application Deployment Support Library"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
ShellLink for Application References
Program path & name:
"c:\windows\system32\dfshim.dll"
Enabled: [V]


Program:
"Application Deployment Support Library"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Shell Icon Handler for Application References
Program path & name:
"c:\windows\system32\dfshim.dll"
Enabled: [V]


Program:
"NVIDIA Desktop Explorer Version 110.38"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Desktop Explorer
Program path & name:
"c:\windows\system32\nvshell.dll"
Enabled: [V]


Program:
"NVIDIA Desktop Explorer Version 110.38"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Desktop Explorer Menu
Program path & name:
"c:\windows\system32\nvshell.dll"
Enabled: [V]


Program:
"NVIDIA Desktop Explorer Version 110.38"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
nView Desktop Context Menu
Program path & name:
"c:\windows\system32\nvshell.dll"
Enabled: [V]


Program:
"SiteAdvisor"
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
McAfee SiteAdvisor
Program path & name:
"c:\program files\siteadvisor\6261\siteadv.dll"
Enabled: [V]



http://i206.photobucket.com/albums/bb215/tutuy4/other/viruses.jpg

spikejones
27-09-08, 03:20
Download Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) and use it to kill the following entries (delete them permanently):


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
MSFox
Program path & name:
c:\documents and settings\brooks\local settings\temp\a.exe"
Enabled: [V]

Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
RegManServ
Program path & name:
File not found: C:\Program Files\Registry Defragmentation\RegManServ.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
EagleNT
Program path & name:
File not found: C:\WINDOWS\system32\drivers\EagleNT.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: about:Home"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
AppleSoftwareUpdate.job
Program path & name:
File not found: C:\Program Files\Apple Software Update\SoftwareUpdate.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


I also suggest you get rid of McAfee and use Kaspersky, as TLR linked above.

spikejones
27-09-08, 03:24
Just noticed the image above...
Do me a favor and go to:

Tools -> Folder Options -> View -> untick "Hide extensions for known file types"

Post another image with the file extensions showing on those files you circled. I can make a batch file that should take them all out straight away if they are locked with a read-only attribute (hopefully).

Can you not delete them manually, though?

Andariel
27-09-08, 03:25
Malwarebytes' Anti-Malware ftw. :)

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

spikejones
27-09-08, 04:02
Yeah, I checked that one out and it just froze up on me. Not much of an FTW in my opinion.

I still stick by Spybot Search & Destroy (http://www.safer-networking.org/en/index.html), which coincidentally happens to get definition updates from many more servers than the Malwarebytes application. Add on top of that many more features than Malwarebytes, and you never get a popup asking to register or upgrade anything.

kooky
27-09-08, 04:05
Just noticed the image above...
Do me a favor and go to:

Tools -> Folder Options -> View -> untick "Hide extensions for known file types"

Post another image with the file extensions showing on those files you circled. I can make a batch file that should take them all out straight away if they are locked with a read-only attribute (hopefully).

Here they are:

a (http://i206.photobucket.com/albums/bb215/tutuy4/other/malware.jpg)
b (http://i206.photobucket.com/albums/bb215/tutuy4/other/c.jpg)
c (http://i206.photobucket.com/albums/bb215/tutuy4/other/d.jpg)
d (http://i206.photobucket.com/albums/bb215/tutuy4/other/d2.jpg)
e (http://i206.photobucket.com/albums/bb215/tutuy4/other/e.jpg)

Can you not delete them manually, though?

I didn't delete them via the Recycle Bin because I thought they would stay on the PC permanently.

spikejones
27-09-08, 05:22
If it can be sent to the Recycle Bin, the Recycle Bin can be emptied ;)

Try this little batch file I just made:
http://www.mediafire.com/file/mqnztm22otk/cleanup.bat

I can post the source code here as well so you know what it's going to do:

@echo off
rem Clears the read-only attribute on each of the five circled files, then deletes them.
rem Paths are the files shown in the screenshots above (user profile "brooks").
echo Hopefully this thing works
pause
echo Unlocking Files
attrib -r "c:\documents and settings\brooks\local settings\temp\a.exe"
attrib -r "c:\documents and settings\brooks\local settings\temp\b.exe"
attrib -r "c:\documents and settings\brooks\local settings\temp\c.exe"
attrib -r "c:\documents and settings\brooks\local settings\temp\d.exe"
attrib -r "c:\documents and settings\brooks\local settings\temp\e.exe"
rem "Path not found" means the file is already gone; "Access denied" means a
rem running process still has it open, so the delete below will fail for it.
echo please report if errors occurred.. EG: "Path not found" or "access denied".
pause
echo Removing Files
del "c:\documents and settings\brooks\local settings\temp\a.exe"
del "c:\documents and settings\brooks\local settings\temp\b.exe"
del "c:\documents and settings\brooks\local settings\temp\c.exe"
del "c:\documents and settings\brooks\local settings\temp\d.exe"
del "c:\documents and settings\brooks\local settings\temp\e.exe"
rem del bypasses the Recycle Bin; the files are gone for good.
echo deletion process is complete, please check your folder to ensure the process completed successfully
echo PRESS ANY KEY TO CLOSE
pause
exit


The application will run in a command-line window (you can just double-click the file to run it). Read the prompts on the screen and enjoy. Just do as the application states and let me know if there are any errors you encounter, okay? Note that when using a command-line tool to erase files they won't go to the Recycle Bin... they end up gone for good.
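The triage rule spikejones applies a few posts up (no publisher plus an image under a temp folder, or a "File not found" orphan, gets removed; merely "(Not verified)" does not) and the cleanup batch in this post, worked through as an added Python example. This is not the thread's code nor the ardiag tool's: it parses a report in the field layout posted above, grades each entry, and drafts the reg delete / sc delete / attrib / del lines as text. SAMPLE_REPORT is a constructed excerpt of the posted report; nothing is executed or touched on disk.

```python
"""Triage an ardiag.exe / AutoRuns-style report and draft the cleanup commands.
Added example for this thread, not the tool's own code.  Heuristics: an entry
with no publisher whose image lives in a temp folder, or one whose target file
is gone, gets removed; '(Not verified)' alone is not a finding."""
import re

FIELDS = ("Program", "Publisher", "Entry path", "Entry name", "Program path & name")
FIELD_RE = re.compile(r"^(" + "|".join(map(re.escape, FIELDS)) + r"):$")
TEMP_DIR_RE = re.compile(r"\\(local settings\\temp|temp|tmp)\\", re.I)
RUN_KEY_RE = re.compile(r"HK(LM|CU)\\.*\\CurrentVersion\\Run", re.I)
ORPHAN, UNSIGNED, TEMP = "target file missing", "no publisher", "runs from temp"

def parse_report(text):
    """'Field:' / value line pairs ended by a blank line; 'Enabled: [V]' and free text are skipped."""
    entries, cur, pending = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            if cur:
                entries.append(_to_entry(cur))
            cur, pending = {}, None
        elif pending:                     # value for the field named on the previous line
            cur[pending], pending = line, None
        elif (m := FIELD_RE.match(line)):
            pending = m.group(1)
    return entries + ([_to_entry(cur)] if cur else [])

def _to_entry(d):
    return {"name": d.get("Entry name", ""), "key": d.get("Entry path", ""),
            "publisher": d.get("Publisher", "N/A").strip('"'),
            "image": d.get("Program path & name", "").strip('"')}

def orphaned(e):
    return e["image"].lower().startswith("file not found")

def triage(e):
    """Reasons the entry deserves attention; an empty list means leave it alone.
    '(Not verified)' is not flagged: 7-Zip and many drivers ship without a signature."""
    checks = [(ORPHAN, orphaned(e)), (UNSIGNED, e["publisher"] == "N/A"),
              (TEMP, TEMP_DIR_RE.search(e["image"]) is not None)]
    return [reason for reason, hit in checks if hit]

def verdict(e):
    r = triage(e)
    if not r:
        return "keep"
    if ORPHAN in r or {UNSIGNED, TEMP} <= set(r):   # dead entry, or an a.exe-style loader
        return "remove"
    return "review"      # e.g. unsigned but present on disk (VDMSound in the report above)

def cleanup_commands(e):
    """cmd.exe lines that drop the persistence and the image for a 'remove' verdict.
    Run keys and services are handled; tasks, BHOs and shell extensions are left to Autoruns."""
    if verdict(e) != "remove":
        return []
    cmds = []
    if RUN_KEY_RE.fullmatch(e["key"]):
        cmds.append(f'reg delete "{e["key"]}" /v "{e["name"]}" /f')
    elif e["key"].lower().endswith("\\services"):
        cmds.append(f'sc delete "{e["name"]}"')
    if not orphaned(e):  # clear R/S/H bits first; a file still held open by a running
        cmds.append(f'attrib -r -s -h "{e["image"]}"')  # process still says "Access is denied"
        cmds.append(f'del /f "{e["image"]}"')
    return cmds

# Constructed excerpt of the report posted in this thread, same field layout.
SAMPLE_REPORT = r"""
Program:
"Scans files for viruses and other threats when they are accessed by this computer."
Publisher:
"(Verified) McAfee Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
McShield
Program path & name:
"c:\program files\mcafee\virusscan\mcshield.exe"
Enabled: [V]

Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
RegManServ
Program path & name:
File not found: C:\Program Files\Registry Defragmentation\RegManServ.exe"
Enabled: [V]

Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
MSFox
Program path & name:
c:\documents and settings\brooks\local settings\temp\a.exe"
Enabled: [V]
"""

if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(verdict(e), e["name"], triage(e), cleanup_commands(e))
```

Run it as-is and the three sample entries come out keep / remove / remove, with only the two removals getting commands. The design point is the order of checks: an orphaned entry is removed because it is dead weight regardless of who published it, while an unsigned entry whose file is present (the VDMSound shell extension in the report above) is only flagged for review; signatures alone do not separate malware from old freeware. Delete the persistence entry before the file, and do it from Safe Mode, so the loader cannot re-create itself between the two steps.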

kooky
27-09-08, 05:41
Thank you, Spikejones. Now my PC is back to normal again! :hug: Virus deleted & destroyed. :)

spikejones
27-09-08, 05:58
I went medieval on its ass! :D

Glad it worked for ya! :tmb: