
removing a virus manually...


11 replies to this topic

#1 laurie68

laurie68

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:03:13 PM

Posted 08 May 2009 - 11:47 AM

Hi, and thanks in advance for helping me. I have been told that I may have a Virtumonde malware. Please keep in mind, I am very, VERY naive about computers, terms used etc., i.e. I just learnt what booting a computer REALLY means, lol.

Now, I have downloaded Malwarebytes, and scanned my computer, in safe mode, NUMEROUS times. Slowly, but surely, they have disappeared but one. What it reads every time in my quarantine list is this....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\NT\Currentversion\winlogon\userinit (Trojan.Agent) -> Data:c:windows\system32\userinit.exe->Quaranatined and deleted successfully

Now, although it reads SUCCESSFULLY, the same thing shows up every time I scan.

Some of the symptoms my computer has is, as an example, Facebook....(one of the few things I know how to maneuver through) I go to my inbox, click on a post, and a new window opens up, showing a different letter than the one I clicked on, while keeping the old window open.

I assume this is a result of the virus.

Another, my bank called, my credit card was used to purchase online merchandise, as I used it to buy a security package that suddenly appeared on my screen saying I needed. If I clicked on a link, say YOUTUBE, (yes I know I am REALLY into computers) it would redirect me to an encyclopedia site, or something of that nature, (like someone is telling me to broaden my mind, rather than just entertain).

Please, using the simplest of computer terms, could someone help me in fixing this? My daughter will only give up her computer for so long, hehehehe.

If there is any other information I can relay, please let me know, I am in your hands!! Think of this as a challenge in patience and kindness..... Okay, I guess you can see how desperate I am to fix this!!!

Again, thank you so much,
Laurie



#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:04:13 PM

Posted 08 May 2009 - 12:25 PM

my bank called, my credit card was used to purchase online merchandise,


Your computer has been severely compromised and I would strongly suggest you consider reformatting and reinstalling the operating system.

We can try to clean you up if you'd like to try.

First off, Malwarebytes is best run in normal mode, not Safe Mode.
Update MBAM and run a FULL scan.
Please post the results.

Then download and run



ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 laurie68

laurie68
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:03:13 PM

Posted 08 May 2009 - 01:14 PM

wow, have only been scanning a few minutes and already 10 objects have been found. Thanks for your help Mark, I will keep you posted!! So glad my friend pointed me in this direction!!!!

#4 laurie68

laurie68
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:03:13 PM

Posted 08 May 2009 - 01:47 PM

ouch!!! 629 viruses found. I will run it again.....
in case it is important, this is what they were called:
Trojan agent, BHO, Ertfor, and DownloadWorm ertfor
Rogue installer
Trojan fake alert
Virus Virut
and TONS of Adware Zanger.

Btw, I am scanning my computer, but using my daughter's to post here.

Please let me know if my updates are not protocol here, I do not want to be a nuisance.....

Laurie

Edited by laurie68, 08 May 2009 - 02:05 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:13 PM

Posted 08 May 2009 - 03:28 PM

Hello, sorry to jump in, but as I was reading I see VIRUT in your scan..
Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#6 MrBoo

MrBoo

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 08 May 2009 - 03:44 PM

yeah, you had a really bad virus attack then. If you have virut AND someone trying to steal your credit card, you should reformat your computer as soon as you can and change your personal stuff like passwords

#7 laurie68

laurie68
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:03:13 PM

Posted 08 May 2009 - 04:04 PM

oh no!!!!! Oh NO!!!!!!
Does this mean I need a new computer????? There is no way I can do all those things, it seems so confusing!! Btw, thank you so much for taking the time to relay that information.... it was very kind.

I think I am going to cry. If I get a new computer, then I will lose all the pictures stored on it right? I am referring to digital pictures I had downloaded of my girls growing up......

Can a place like Staples fix it? Would it be better to just buy a new one??

I can't believe someone would be so mean as to do this to people!!!!!!

Just stunned.............

Should I give up scanning??

What do they get from ruining people's computers??? I don't see the thrill......

#8 laurie68

laurie68
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:03:13 PM

Posted 08 May 2009 - 04:38 PM

Alright, I have calmed down a bit, sorry.
I rescanned, and at the end of scan it says
"certain items could not be removed. the first few are listed below. all items that could not be removed have been added to the delete reboot list"

so then the list says........
C:\WINDOWS\Temp\msb.jll
C:\WINDOWS\Temp\nsrbgxod.bak

i have no idea what any of that means, but thought the info could help.

also, my desktop, after reboot, turned itself off, as i was loading malware again..... maybe i hit an off button on accident, but really don't think i did. paranoia will destroy ya.........? NOPE, it just got it on again, and ms windows balloon says "the system has recovered from a serious error". wow, just keeps getting better

I feel like I am fighting the terminator.

so now on reboot, there is a list of them on the quarantine list to delete, 13 actually. Trojan agent 2x's, trojan downloader 1x, worm autorun 8x's and trojan fake alert, once. at what point do I attempt to follow the above directions? or throw in the towel.

I still can't believe viruses are entertainment for some people.

Edited by laurie68, 08 May 2009 - 04:54 PM.


#9 MrBoo

MrBoo

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 08 May 2009 - 05:46 PM

well if you have Virut you can't fix it, and no you don't need a new computer, just reinstall Windows from the CD.
Just hope the Virut file was a misreading. if the Virut file was ak1.exe in your Windows folder, then i think it isn't really Virut, but i don't know what the file was.

for msb.dll and the other file, download Unlocker (it's a file deleter) and delete the nsrbgxod thing first with it, then use Unlocker to delete msb.dll.
Don't restart your computer until you know for sure you got rid of msb.dll either, because it will automatically come back and download everything on reboot if it is still there

edit: here's the Unlocker link http://download.cnet.com/Unlocker/3000-2248_4-10493998.html

Edited by MrBoo, 08 May 2009 - 05:48 PM.


#10 compternoob

compternoob

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 08 May 2009 - 06:27 PM

I feel sorry for your loss. Well, I'm only 15 and I am a computer noob, and what I want to be in the future is to be a computer nerd =] so lemme see. I'll advise you to reformat, which can be done easily when you have a Windows XP/Vista CD. I've heard that NoAdware gives false results but still works sometimes. Go download it and google for a serial code, they're free ... After you download it, run the program, and when it's done installing you open the NoAdware.exe and click "scan my computer" and just wait for the scan to finish. Afterwards, when it's done detecting all the malware/adware/spyware... you can click delete and don't do backups and restart computer and tell me how's it going.

#11 laurie68

laurie68
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:03:13 PM

Posted 08 May 2009 - 07:01 PM

hi hun, and thanks!!! everyone is being so helpful!!
now, when you say windows vista card, is that something i have to go buy? or is that the windows cd thing? i have no idea how to back up anything, so i won't restart nothing.

do i go online for this? is it safe for me to do that while it still says i have viruses?



#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:13 PM

Posted 08 May 2009 - 07:09 PM

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech
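The backup rule in the post above (leave out autorun and executable files, and read the full file name for a hidden second extension) can be applied to a whole folder tree before anything is copied. The sketch below is an added example, not part of the original thread; the function names, the extra extensions beyond those the thread lists, and the sample file names are assumptions made for illustration.

```python
import os
import tempfile

# Types the thread names as Virut/Virux infection targets.
THREAD_TARGETS = {".exe", ".scr", ".php", ".asp", ".html"}
# Assumption (not from the thread): close relatives treated the same way.
RISKY_EXTS = THREAD_TARGETS | {".htm", ".com", ".pif"}
# The post says autorun.ini; Windows AutoRun itself reads autorun.inf.
AUTORUN_NAMES = {"autorun.ini", "autorun.inf"}
# Assumption: data types a home user would want to keep.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".doc", ".pdf", ".txt"}


def classify(filename):
    """Return 'copy' or a 'skip-...' reason for one file name."""
    name = filename.lower().rstrip(" .")  # Windows ignores trailing dots/spaces
    if name in AUTORUN_NAMES:
        return "skip-autorun"
    # Strip padding so "letter.doc      .scr" cannot hide its real extension.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or "." + parts[-1] not in RISKY_EXTS:
        return "copy"
    if len(parts) >= 3 and "." + parts[-2] in DATA_EXTS:
        return "skip-double-extension"  # e.g. photo.jpg.exe
    return "skip-infectable"


def plan_backup(root):
    """Walk root and map each relative path to its verdict."""
    plan = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            plan[rel.replace(os.sep, "/")] = classify(fname)
    return plan


def build_sample_tree(root):
    """Create empty, constructed sample files (only the names matter here)."""
    names = ["Pictures/girls_2004.JPG", "Pictures/beach.jpg.exe",
             "Pictures/trip.2008.jpg", "autorun.inf", "Docs/letter.doc",
             "Docs/resume.pdf      .scr", "Downloads/setup.exe",
             "Site/index.html"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, verdict in sorted(plan_backup(tmp).items()):
            print(f"{verdict:22} {rel}")
```

Files marked `copy` are only candidates: they still need the anti-virus scan the post describes before they go back onto the rebuilt drive.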



