Author Topic: Got a virus need help (Read 193 times)

lugh · « **Reply #20 on:** December 15, 2010, 08:22:34 PM »

Process Explorer can be downloaded from Systernals or run from their cloud computing server platform:

h**p://technet.microsoft.com/en-us/sysinternals/default.aspx

Microsoft bought them out and hired Russinovich a few years ago

Autoruns, Handle, Rootkit Revealer and other utilties might also be helpful:

h**p://technet.microsoft.com/en-us/sysinternals/bb545027

Normally one reformats and does a clean reinstall if a malware infection is suspected

A Linux bootable CD/DVD can delete partitions that Windows can't

The Kapersky products are thought of very highly in dealing with malware

Sedit · « **Reply #21 on:** December 15, 2010, 09:27:49 PM »

Yeh I already deleted the explorer.exe and winlogon.exe and replaced them with the copys Muso gave me. Relatively simple once a batch file was made and run from dos.

Im going to run process explorer now because I still have a virus and can't find it using any spyware/antivirus ect.. know there is something still there because im still getting popups when using google. I have looked all over for random named DLL or EXE files and found nothing and going thru the registry is time consuming and fairly useless by hand. Im shocked that nothing has found this other virus yet and am woundering if its some kind of unknown adware.

Im not 100% sure yet but it seems to be loading a copy of SVCHOST.exe and abusing the living shit out of my CPU until I terminate that instance of the SVCHOST.exe. It stops with the pop ups then after a while loads itself back up.

Wizard X · « **Reply #22 on:** December 16, 2010, 12:37:12 AM »

Also use TCPView v3.02 http://technet.microsoft.com/en-au/sysinternals/bb897437 to show all connections and process names or PID. Open IE, or FireFox, to about:blank and see what process(es) are connecting.

lugh · « **Reply #23 on:** December 16, 2010, 01:20:13 AM »

Process Explorer will show TCP/IP information on a selection by clicking properties, the lower pane view can be varied between Dynamic Link Libraries or Handles

The string selection can be used for debugging

Autoruns will show everything that loads on boot

lugh · « **Reply #24 on:** December 16, 2010, 02:48:24 AM »

You can download the freeware version of the Kapersky virus scanner and removal tool from:

h**p://www.softpedia.com/get/Antivirus/Kaspersky-Virus-Removal-Tool.shtml

their products have always worked very well

akcom · « **Reply #25 on:** December 16, 2010, 05:50:12 PM »

Use process explorer to figure out what service is running in that instance of svchost.exe. If it's not a legit service then just end it and remove it (sc.exe from the command line). If it is a legit service, process explorer should allow you to look at which DLL's are loaded in the process. Take it from there.

Wizard X · « **Reply #26 on:** December 17, 2010, 12:11:53 AM »

Quote from: akcom on December 16, 2010, 05:50:12 PM

Use process explorer to figure out what service is running in that instance of svchost.exe. If it's not a legit service then just end it and remove it (sc.exe from the command line). If it is a legit service, process explorer should allow you to look at which DLL's are loaded in the process. Take it from there.

Or use services.msc http://www.herongyang.com/Windows/Service-Control-Panel-Services-Console.html

http://free.antivirus.com/hijackthis/
http://www.trendmicro.com/ftp/products/hijackthis/HijackThis.exe
http://free.antivirus.com/imperia/md/content/us/trendwatch/freetools/quickstart_hijackthis_061509.pdf

http://www.herongyang.com/Windows/Service-Create-Delete-Services-with-sc-exe.html
http://ss64.com/nt/sc.html
http://ss64.com/ps/get-service.html

Sedit · « **Reply #27 on:** December 17, 2010, 02:26:31 AM »

Lugh I want Kapersky but im afraid to DL it because im not sure if my browser is redirecting me to a faux site or not. The Download site it sends me to looks bogus but im not sure if it is or not.

Im going to run the gamment of every legit antivirus programs I can because I have three running at the same time right now and non are picking up the virus on my system and its becoming hard to know what sites are real and which are scams.

akcom · « **Reply #28 on:** December 17, 2010, 03:36:52 AM »

WizardX, services.msc will not allow you to delete services, only stop/disable them.

Sedit: if the site looks bogus it's very possible the virus is redirecting addresses. To make sure this isn't the case go to start > run and type (no quotes) "notepad.exe %WINDIR%\System32\drivers\etc\hosts" and press enter. delete everything in the file and add the following line:

Quote

127.0.0.1 localhost

save the file and quit. if there were any other entries that didn't start with # then the virus was redirecting you to different websites. Either way, your fine now.

lugh · « **Reply #29 on:** December 17, 2010, 03:45:53 AM »

Some of us gave up using Internet Explorer a long time ago since it's too risky

There are lots of good alternatives such as K-Meleon:

h**p://kmeleon.sourceforge.net/

which is an optimized version of Firefox

It's way more secure than Internet Explorer, the Softpedia download site works very well

You need to run the Kapersky virus scanner as soon as possible

Wizard X · « **Reply #30 on:** December 17, 2010, 04:00:22 AM »

Quote from: akcom on December 17, 2010, 03:36:52 AM

WizardX, services.msc will not allow you to delete services, only stop/disable them.

Yes, your correct! However, I would be stopping (or disable) services and not deleting until Sedit CAN accurately identify the malware. HijackThis can delete services.

Wizard X · « **Reply #31 on:** December 17, 2010, 04:07:03 AM »

Quote from: Sedit on December 17, 2010, 02:26:31 AM

Lugh I want Kapersky but im afraid to DL it because im not sure if my browser is redirecting me to a faux site or not. The Download site it sends me to looks bogus but im not sure if it is or not.

Im going to run the gamment of every legit antivirus programs I can because I have three running at the same time right now and non are picking up the virus on my system and its becoming hard to know what sites are real and which are scams.

Have you run Spybot from http://safer-networking.org yet?

Sedit · « **Reply #32 on:** December 17, 2010, 04:22:03 AM »

Quote from: Wizard X on December 17, 2010, 04:07:03 AM

Quote from: Sedit on December 17, 2010, 02:26:31 AM
Lugh I want Kapersky but im afraid to DL it because im not sure if my browser is redirecting me to a faux site or not. The Download site it sends me to looks bogus but im not sure if it is or not.

Im going to run the gamment of every legit antivirus programs I can because I have three running at the same time right now and non are picking up the virus on my system and its becoming hard to know what sites are real and which are scams.

Have you run Spybot from http://safer-networking.org yet?

No I have running all at the same time mind you killing you, killing my CPU as a result,

Windows security,
Advast
Super Antispyware.

Im afraid folks that what we have here has never been identified AKA the virus was manipulated to pass by most antivirus and malware programs..

lugh · « **Reply #33 on:** December 18, 2010, 03:16:53 AM »

Zero Day malware can often be detected using a heuristic scanner:

h**p://en.wikipedia.org/wiki/Antivirus_software

a list of antivirus software:

h**p://www.dmoz.org/Computers/Security/Malicious_Software/Viruses/Detection_and_Removal_Tools/

It would be a lot simpler just to reformat and reinstall XP

Wizard X · « **Reply #34 on:** December 19, 2010, 12:51:38 AM »

Quote from: lugh on December 18, 2010, 03:16:53 AM

It would be a lot simpler just to reformat and reinstall XP

I concur, however, prevention is better than cure. If you recover from this infection, or reinstall, I suggest to use WinRescue 7 http://www.superwin.com/frescue7.htm
For XP http://www.superwin.com/frescuex.htm, Vista http://www.superwin.com/frescuev.htm, or other Windows OS - look at the bottom of the page.

Since WinRescue backs up the Registry and important configuration files, and you can restore in DOS mode with WinRescue - any malware will be neutralized since the Registry and important configuration files are restored from backup(s), thus avoiding a complete Windows reinstall.

Also, XP Recovery CD Maker, Rescue Tools on a Boot CD for WinXP and Win2000 http://www.superwin.com/xp-recovery-cd/index.htm is another tool to have. And it can be used as a bootable USB.

Sedit · « **Reply #35 on:** December 20, 2010, 03:42:59 AM »

That is my plan. Reinstall everything yet since its a notebook computer I have no harddrive or anything to aid me in doing to simply.

I was gonna this weekend but I couldnt find the data cable needed to connect to my other computer that had the software on it.

I just want windows 7 but I dont know how to do that on my computer.

Wizard X · « **Reply #36 on:** December 20, 2010, 04:58:39 AM »

Quote from: Sedit on December 20, 2010, 03:42:59 AM

That is my plan. Reinstall everything yet since its a notebook computer I have no harddrive or anything to aid me in doing to simply.

I was gonna this weekend but I couldnt find the data cable needed to connect to my other computer that had the software on it.

I just want windows 7 but I dont know how to do that on my computer.

Create a Windows 7 ISO file (search Google "creating a windows iso") and use How To Create Bootable Windows 7, Vista, or XP USB Flash/Pen Drive Quickly using WinToFlash tool (free). http://www.intowindows.com/how-to-create-bootable-windows-7-vista-or-xp-usb-flashpen-drive-with-a-single-click-must-try/
http://www.mydigitallife.info/2009/11/10/windows-7-iso-x86-and-x64-official-direct-download-links-ultimate-professional-and-home-premium/ GOOD!

Create a Windows 7 ISO file on a bootable USB.

How to Create and Make Bootable Windows 7 ISO from EXE Plus Setup1.Box and Setup2.Box Files.
http://www.mydigitallife.info/2009/10/23/how-to-create-and-make-bootable-windows-7-iso-from-exe-plus-setup1-box-and-setup2-box-files/
http://www.mydigitallife.info/2009/07/25/download-32-bit-64-bit-windows-7-rtm-build-7600-16385-original-untouched-msdntechnet-leaked-retail-dvd-iso/

Working 32-bit Windows 7 Home Premium x86 ISO from Digital River: http://msft-dnl.digitalrivercontent.net/msvista/pub/X15-65732/X15-65732.iso

Sedit · « **Reply #37 on:** December 20, 2010, 08:08:02 AM »

What if I dont have a windows 7 disk to create the image file from? I don't want to get a warez version because of obvious reasons so until I find a good copy of windows 7 im SOL.

I have poweriso virtual drive manager on my computer and always assumed I could work with that somehow to get the deed done when I get everything I need.

Wizard X · « **Reply #38 on:** December 20, 2010, 09:09:55 PM »

Quote from: Sedit on December 20, 2010, 08:08:02 AM

What if I dont have a windows 7 disk to create the image file from? I don't want to get a warez version because of obvious reasons so until I find a good copy of windows 7 im SOL.

I have poweriso virtual drive manager on my computer and always assumed I could work with that somehow to get the deed done when I get everything I need.

I suggest you partition your hard drive (or RAM solid state hard drive) as C & D and install a dual boot Windows operating system. If you have a Vista, or XP CD, you can install that on C and later install Windows 7 on D. If ever you get another virus say on "C" OS, you boot to "D" OS and delete the malware.

How to create a multiple-boot system in Windows XP. http://support.microsoft.com/kb/306559

How to Dual Boot Windows 7 with XP or Vista. http://lifehacker.com/5126781/how-to-dual-boot-windows-7-with-xp-or-vista

Windows Vista Beta: How to dual-boot Windows XP and Windows Vista. http://lifehacker.com/179906/windows-vista-beta--how-to-dual+boot-windows-xp-and-windows-vista

Wizard X · « **Reply #39 on:** December 24, 2010, 01:19:09 AM »

Quote from: Sedit on December 17, 2010, 04:22:03 AM

Im going to run the gamment of every legit antivirus programs I can because I have three running at the same time right now and non are picking up the virus on my system and its becoming hard to know what sites are real and which are scams.

No I have running all at the same time mind you killing you, killing my CPU as a result,

Windows security,
Advast
Super Antispyware.

Im afraid folks that what we have here has never been identified AKA the virus was manipulated to pass by most antivirus and malware programs..

In Admin account. Start, Run, and type CMD (enter). At the command type Tasklist /SVC. This will list all services that are running, including other instances of svchost.exe. This file is for services that are using dynamic link library(.dll) You could have some service that is trying to take over the system. Try stopping some services that you don't use, or don't recognize and see how that works.

Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tasklist.mspx?mfr=true

Some MS legitimate DLL are very CPU intensive like secur32.dll http://www.processlibrary.com/directory/files/secur32/22323/

So if your CPU is working very intensive, low memory also contributes to CPU usage, IT MAY NOT BE A VIRUS/MALWARE?

Author Topic: Got a virus need help (Read 193 times)

lugh

Re: Got a virus need help

Sedit

Re: Got a virus need help

Wizard X

Re: Got a virus need help

lugh

Re: Got a virus need help

lugh

Re: Got a virus need help

akcom

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Sedit

Re: Got a virus need help

akcom

Re: Got a virus need help

lugh

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Sedit

Re: Got a virus need help

lugh

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Sedit

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Sedit

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Wizard X

Re: Got a virus need help