
Folder Viruses


This topic is locked. 15 replies to this topic.

#1 SevenTheMessenger (Members, 15 posts)

Posted 18 March 2009 - 03:03 PM

Ok, so I used Malwarebytes the other day and it cleaned up most of my registry of viruses. However, I understand that it probably won't find everything. Therefore, I opened up the registry editor and I found some suspicious folders. The names are:

Loaddr
emtxbofvntgtdu
rcqf3948

I'm quite sure these are linked to spyware but I don't want to take the risk of deleting them without knowing for sure. Inside these folders are Topaff.exe, RUNDLL32.exe with a whole bunch of letters and numbers after it, then there's a suspicious file with the name C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\inzbgezvhdkukre.dll".

I know most of them are viruses but what about the Rundll32.exe? It looks weird with all the numbers and letters after it and I read that some viruses disguise themselves as real files to keep you from deleting them.

If anyone can help please do so. I appreciate it...



#2 Idontknowme (Members, 10 posts)

Posted 18 March 2009 - 03:10 PM

You should also get SuperAntiSpyware: http://www.superantispyware.com/

Then I would go here (use IE for this one): http://www.bitdefender.com/scan8/ie.html. That online scan will clean any infected files it finds, either by disinfecting them or by simply deleting them.

Btw, do you have an antivirus on your computer?

Oh and, if you are ever unsure about a file, then upload it to http://www.virustotal.com/ (it has a 10 MB limit)... it might ease your mind on what to do with them.

Edited by Idontknowme, 18 March 2009 - 03:17 PM.


#3 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 18 March 2009 - 03:17 PM

I don't have any antivirus programs on my computer, I only have virus removal programs such as Spybot, malwarebytes and ad-aware. I ran all of these but they didn't delete the files I mentioned in my first post. I'm sure they are viruses though, but at the same time I don't want to take the risk since I don't have the equipment to back up my registry if I delete the wrong file.

#4 Idontknowme (Members, 10 posts)

Posted 18 March 2009 - 03:20 PM

Well, then I would either get Avira or Avast! (which are both free with a very high detection rate).

And you should submit those to VirusTotal. The link to it is in my first post.

Also, you should go to the Hijack part of the forum. They will help with any malware problem you have.

On your Spybot, do you have TeaTimer running??? You should turn it off... all it does is waste system resources and it is not needed.

Edited by Idontknowme, 18 March 2009 - 03:23 PM.


#5 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 18 March 2009 - 03:22 PM

> Well, then i would either get Avira or Avast! ( which are both free with very high detection rate )
>
> And you should sumbit those to Virustotal. The link to it is on my first post
>
> Also, you should go to the Hijack part of the forum. They will help with any malware problem you have.

Will do.. thanks

#6 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 20 March 2009 - 07:44 PM

There's a folder in my registry with the topaff.exe and cproc.exe virus. There are other files in the folder also but I'm not sure if they're viruses or not. Should I delete the entire folder because these files are in the same folder as the topaff.exe and cproc.exe?

#7 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Male, NJ USA)

Posted 21 March 2009 - 09:56 AM

First, DO NOT remove anything from the registry without a backup first. It can make the PC inoperable. First let's get another log.


Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Edited by boopme, 21 March 2009 - 10:00 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 21 March 2009 - 04:28 PM

I've run Malwarebytes already. I've scanned my computer like 5-6 times but it doesn't detect the viruses I mentioned in my first post, even though I'm quite sure they are viruses. My computer has been running better since I removed a lot of the malicious files with Malwarebytes, but sometimes when I run it in normal mode it crashes or it freezes. But the names of these folders in my registry just seem odd to me: they're named emtxbofvntgtdu, loaddr, rcqf3948 and cprocsvc, and even the files inside of the folders look weird. Oh yea... I can't back up my data due to me not having the equipment right now.

#9 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Male, NJ USA)

Posted 21 March 2009 - 07:45 PM

Ok, they are viruses and I'd like to do another scan please and see if I can get a clue from a log.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop..
DO NOT run yet.
Open SUPER from the icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW scan with SUPER
  • Open from the desktop icon or the Program Files list.
  • On the left, make sure you check C:\Fixed Drive.
  • Perform a Complete scan. After the scan, verify they are all checked.
  • Click OK on the summary screen to quarantine all found items.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log.
  • A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.

#10 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 22 March 2009 - 03:21 PM

Ok, I'll do that now...

#11 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 30 March 2009 - 05:24 PM

Ok... when I went to regedit, I went to Hkey_local_machine/Software/Microsoft/shared tools/msconfig/startupreg... and there's a folder by the name of Rundll32.exe. A few days ago when I searched through my regedit I don't think this folder was there. Anyways, is this a virus? I know some viruses name themselves after legit processes, and another funny thing is... in this folder there's an item by the name of 5f1c204a1, and when I start up my computer it says:

"The Application or DLL c:documents and settings/owner/application data/macromedia/common/5f1c204a1.dll is not a valid windows image" and it also does the same thing for another file by the name of Bunofalo.dll.

Are these viruses/trojans/worms/etc? I've run plenty of anti-virus programs but none seem to detect it, even though I'm quite positive that they're harming my computer.
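The autostart locations this thread keeps coming back to (the Run key, and the MSConfig\startupreg cache under Shared Tools where msconfig parks disabled startup items) can be triaged offline from a .reg export rather than by eyeballing regedit. The script below is an added example, not code from the thread or from BleepingComputer. It parses a constructed export that reuses the paths quoted in posts #1 and #11 and scores each entry with the warning signs raised here: rundll32/regsvr32 being used to load a DLL, a silent regsvr32 /s registration, a DLL living under the user profile's Application Data, random-looking file or item names, and a startup item named after a Windows system binary. The Java and Bluetooth entries and the full path for Topaff.exe are constructed for contrast (the thread names only the file); the value names hkey/item/command are the ones the startupreg cache uses, but the data is made up.

```python
"""Offline triage of Windows autostart entries from a .reg export.

Added example, not code from the thread. It scores each entry in the Run key
and the MSConfig\\startupreg cache with the warning signs the thread raises.
"""
import re
from dataclasses import dataclass, field

# Constructed .reg export. The suspicious entries reuse the paths quoted in the
# thread; the Java and Bluetooth entries are typical benign ones for contrast,
# and the Topaff.exe path is assumed (the thread names only the file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"Topaff"="C:\\WINDOWS\\system32\\Topaff.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\emtxbofvntgtdu]
"hkey"="HKLM"
"item"="emtxbofvntgtdu"
"command"="C:\\WINDOWS\\System32\\regsvr32.exe /s \"C:\\WINDOWS\\system32\\inzbgezvhdkukre.dll\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Rundll32.exe]
"hkey"="HKCU"
"item"="Rundll32.exe"
"command"="RUNDLL32.EXE \"C:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Common\\5f1c204a1.dll\",a"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
SYSTEM_BINARIES = {'rundll32.exe', 'regsvr32.exe', 'svchost.exe', 'explorer.exe',
                   'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'}
DLL_LOADER_RE = re.compile(r'\b(rundll32|regsvr32)(\.exe)?\b', re.I)
SILENT_REGSVR_RE = re.compile(r'\bregsvr32(\.exe)?\s+/s\b', re.I)
PROFILE_DATA_RE = re.compile(r'\\(application data|local settings|temp)\\|%(appdata|temp|localappdata)%', re.I)
FILE_RE = re.compile(r'[\w.$-]+\.(?:dll|exe)', re.I)   # bare .dll/.exe names inside a command line


def unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Map key path -> {value name: data}. Strings and dwords are decoded, other types kept raw."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = unescape(m.group(1)) if m.group(1) is not None else '@'
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                current[name] = unescape(data[1:-1])
            elif data.startswith('dword:'):
                current[name] = int(data[6:], 16)
            else:
                current[name] = data
    return keys


@dataclass
class Autostart:
    name: str
    location: str
    command: str
    reasons: list = field(default_factory=list)


def collect_autostarts(keys):
    """Pull (name, command) pairs out of Run/RunOnce keys and the msconfig startupreg cache."""
    entries = []
    for path, values in keys.items():
        low = path.lower()
        if '\\msconfig\\startupreg\\' in low:
            entries.append(Autostart(path.rsplit('\\', 1)[1], path, str(values.get('command', ''))))
        elif low.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
            entries.extend(Autostart(name, path, str(cmd)) for name, cmd in values.items())
    return entries


def looks_random(stem):
    """Heuristic for generated names: a run of 4+ consonants, or letters interleaved with digits."""
    if len(stem) < 7:                       # short abbreviations (NvCpl, ctfmon) are too noisy to judge
        return False
    longest = max((len(r) for r in re.findall(r'[b-df-hj-np-tv-z]+', stem.lower())), default=0)
    transitions = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return longest >= 4 or transitions >= 3


def triage(entry):
    """Attach human-readable reasons to an entry and return how many fired (its score)."""
    cmd, reasons = entry.command, []
    if entry.name.lower() in SYSTEM_BINARIES:
        reasons.append(f'startup item named after system binary {entry.name}')
    if DLL_LOADER_RE.search(cmd):
        reasons.append('uses rundll32/regsvr32 to load a DLL')
    if SILENT_REGSVR_RE.search(cmd):
        reasons.append('regsvr32 /s registers a DLL silently')
    if PROFILE_DATA_RE.search(cmd):
        reasons.append('runs code from a user profile data directory')
    for fname in FILE_RE.findall(cmd):
        if fname.lower() not in SYSTEM_BINARIES and looks_random(fname.rsplit('.', 1)[0]):
            reasons.append(f'random-looking file name {fname}')
    if entry.name.lower() not in SYSTEM_BINARIES and looks_random(entry.name.rsplit('.', 1)[0]):
        reasons.append(f'random-looking item name {entry.name}')
    entry.reasons = reasons
    return len(reasons)


def report(reg_text):
    """Parse an export and return its autostart entries, most suspicious first."""
    entries = collect_autostarts(parse_reg(reg_text))
    for e in entries:
        triage(e)
    return sorted(entries, key=lambda e: len(e.reasons), reverse=True)


if __name__ == '__main__':
    for e in report(SAMPLE_REG):
        print(f'{len(e.reasons)}  {e.name:<30} {e.command}')
        for r in e.reasons:
            print(f'      - {r}')
```

Both startupreg entries from the thread score 4 while the benign Java entry scores 0 and the benign rundll32 entry scores 1 (rundll32 by itself is normal). Note that Topaff.exe also scores 0: a plainly named binary in System32 gives these name-and-path heuristics nothing to work with, which is why the earlier advice in the thread to upload unknown files to VirusTotal, rather than judging by name, is the right complement to this kind of triage.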

#12 eyom (Members, 8 posts)

Posted 30 March 2009 - 07:18 PM

.exe folders are obviously viruses. Try downloading Process Explorer. If you see a program running with an icon of a folder, then it is a virus.

#13 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 30 March 2009 - 08:56 PM

Ok, I just deleted the folder. What about Bunofalo.dll? Is that a legitimate file for Windows? When I search through my documents and find the file, I click on Properties and the file has no creation date, no modified date and 0 bytes, and whenever I click to open up anything the "The Application or DLL is not a valid windows image" box pops up. If you can answer this for me I'll appreciate it. Thanks...

#14 eyom (Members, 8 posts)

Posted 31 March 2009 - 06:33 AM

I found this one on Google: "You should urgently check your PC and remove any malicious software including BUNOFALO.DLL as soon as possible."
BUNOFALO.DLL is unsafe and can also use the following file names:
33069915.SVD
It will also try to add a registry auto start to load the program on boot up.

#15 SevenTheMessenger (Topic Starter, Members, 15 posts)

Posted 31 March 2009 - 01:27 PM

Yea, I saw that on Google a few days ago. I wasn't sure what to do since that was the only site that came up for it.
