Malware removal(live security suite)

#1 jparora1248

Posted 28 May 2010 - 04:29 PM

Sir,
Two computers (WinXP Pro SP3) in my office have been infected with viruses/malware, but of a different nature. On the first machine, Avira Free was installed. The same machine had to be reformatted (only the C drive out of three partitions, C, D & E) a week ago after a virus removal exercise with McAfee AV, which resulted in the Desktop & Start menu vanishing. Probably the fresh virus infection occurred due to not formatting the other two partitions, which contain a lot of data (mainly .doc, .pdf, .jpg, .htm & .txt).

This time I tried to clean the machine with an updated NOD32 (installation folder copied from another machine) kept on a flash drive. Cleaning was done in Safe Mode, where some 2000+ viruses were removed by NOD32, including some Conficker and AutoIt viruses. Before reaching Safe Mode, I tried TaskMgr, msconfig, regedit & Windows Search, all of which were disabled. However, it was possible to view hidden files & file extensions, including system files.
But after a reboot, the viruses had not been removed; they took control of the machine & reaching Safe Mode was blocked. One thing I noted is the infection of svchost.exe & explorer.exe. The first one was operated from a folder (2537452) within system32; the second one was associated with a file "regsvr.exe".

I read your article on the removal of Security Tool & accordingly downloaded rkill.com, kept it on the desktop & wanted to run it, but every time the virus terminated the application before it started. I could install a current version of Malwarebytes' Anti-Malware & run it, but with no effect; it could remove only a few adwares. One more thing I should mention: whenever I inserted a pen drive into it, I found 4 infections (all hidden files):
i) autorun.gen ii) xxx.exe iii) xxxx.pif & iv) xxxxxx.vmx, one of which is an MS-DOS application.

I would like to know at this moment: i) can I reach Safe Mode at all? ii) can I kill rogue processes through msconfig/rkill or any other application, without which I feel the machine cannot be cleaned?

However, your article on Security Tool removal was extremely helpful in cleaning my second machine of the same configuration (with T.M. OfficeScan), infected with similar malware (Live Security Suite). I could reach Safe Mode on this machine & could run rkill in Safe Mode, after which I installed the Malwarebytes app & ran it in Safe Mode. Here the difference from Security Tool is that LSS has disabled any .exe application, including msconfig, regedit, taskmgr, and disabled viewing hidden files & file extensions. It was residing in C:\Program Files\LSS & one folder under Application Data containing uninstall.exe, which was visible after rkill.com killed 3 processes. I could regain access to all (msconfig, regedit etc.) after rkill killed the rogue processes. Malwarebytes could not delete all the files & so I installed Eraser, then erased all hidden malware folders and searched all rogue registry entries (keys/subkeys/values). At last, I ran NOD32 (portable) in Safe Mode. Now my 2nd machine is totally free from all infections, which would not have been possible without reading your article.

Now my request: kindly help me bring the first machine in order. I am sorry for my inability to present my problem briefly.

Thanks & regards,

jparora1248

EDIT: Moved from XP to more appropriate Am I Infected forum ~ Hamluis.

Edited by hamluis, 28 May 2010 - 04:55 PM.
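The symptoms in the post above (svchost.exe running from a numbered folder under system32, Task Manager/regedit/msconfig disabled, hidden files toggled off, autorun.inf plus hidden executables on every pen drive) can each be checked from the registry, WMI and the file system before any removal is attempted. The script below is an added triage example written for this thread; it is not the poster's work, not a BleepingComputer tool, and not part of any removal guide. It assumes Windows PowerShell 2.0 has been installed on the XP SP3 machine (XP does not ship it), that it is run from an administrator account, and that the machine is 32-bit. The registry value names are standard Windows policy values; the `2537452` folder pattern comes from the post. It only reports and deletes nothing.

```powershell
# Read-only triage for the symptoms described in the post. Added example;
# assumptions: PowerShell 2.0 on 32-bit Windows XP SP3, administrator account.
$systemRoot = $env:SystemRoot

# --- 1. Core Windows process names running from an unexpected directory ---
# Genuine copies of these binaries live only in the directories listed here.
$expectedDir = @{
    'svchost.exe'  = (Join-Path $systemRoot 'system32')
    'explorer.exe' = $systemRoot
    'lsass.exe'    = (Join-Path $systemRoot 'system32')
    'services.exe' = (Join-Path $systemRoot 'system32')
    'winlogon.exe' = (Join-Path $systemRoot 'system32')
    'csrss.exe'    = (Join-Path $systemRoot 'system32')
}
Write-Host "== Processes impersonating system binaries =="
Get-WmiObject Win32_Process | ForEach-Object {
    $name = $_.Name.ToLower()
    if ($expectedDir.ContainsKey($name) -and $_.ExecutablePath) {
        $dir = [System.IO.Path]::GetDirectoryName($_.ExecutablePath).ToLower()
        if ($dir -ne $expectedDir[$name].ToLower()) {
            "{0,-14} PID {1,-6} {2}" -f $_.Name, $_.ProcessId, $_.ExecutablePath
        }
    }
}
# Any process running from %SystemRoot%\system32\<digits>\ (the post's 2537452
# folder) is suspect regardless of its name, so list those too.
Write-Host "== Processes running from a numbered folder under system32 =="
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -match '\\system32\\\d+\\' } |
    ForEach-Object { "{0,-14} PID {1,-6} {2}" -f $_.Name, $_.ProcessId, $_.ExecutablePath }

# --- 2. Policy values that disable Task Manager, regedit and hidden-file viewing ---
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1 },
    # CheckedValue=0 here makes the "Show hidden files" radio button ineffective.
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Bad = 0 }
)
Write-Host "== Restrictive policy values =="
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.($c.Name) -eq $c.Bad) {
        "{0}\{1} = {2}" -f $c.Key, $c.Name, $item.($c.Name)
    }
}
# A "Debugger" value under Image File Execution Options makes Windows launch
# that debugger instead of the named .exe; one common way rogue software
# blocks msconfig.exe, regedit.exe or taskmgr.exe. Any entry here deserves a look.
Write-Host "== IFEO Debugger entries =="
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "{0} -> {1}" -f $_.PSChildName, $dbg }
}
# 0xFF (255) disables AutoRun for every drive type; anything else leaves a
# freshly inserted pen drive's autorun.inf eligible to run.
$ar = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ar -ne 255) { "NoDriveTypeAutoRun is '$ar' (expected 255 / 0xFF)" }

# --- 3. Removable drives: autorun.inf and hidden executables in the root ---
Write-Host "== Removable drives =="
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path $inf) {
        "$inf exists; launch directives:"
        # open=, shellexecute= and shell\...\command= name what AutoRun would start.
        Get-Content $inf | Select-String -Pattern '^\s*(open|shellexecute|shell\\.*\\command)\s*='
    }
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -and
                       $_.Extension -match '^\.(exe|pif|com|scr|vmx)$' } |
        ForEach-Object { "hidden {0}  {1} bytes" -f $_.FullName, $_.Length }
}
```

Run it from an elevated PowerShell prompt and read each section in order; an empty section is the expected result on a clean machine. Two caveats: a rogue that kills security tools by process name (the behaviour the post describes for rkill.com) may kill powershell.exe as well, in which case running it from Safe Mode or from a clean boot medium is the only option; and the script compares only the directory, so a legitimately named file in the right directory that has been overwritten will not be flagged.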
