Virus in C:/Program Data/Microsoft



#1 keithmoon

Posted 21 April 2014 - 07:55 AM

Hello......

 

It's in a folder represented only by digits... it's an .exe file; when you delete it, it just re-appears. I have deleted it from the registry, and it just re-appears in the registry.

 

My problem is I am on a pay-as-you-go dongle plan. It's running in the background downloading heaps of data. I had 10 gig of data 24 hours ago; I now have 6 gig of data. Every time I am online, where I would normally use, say, 1 meg in a 10-minute spell, I am using 40 meg of data....

 

Don't know what to do. My malicious spy software does not pick it up. It even had a Microsoft label; it looks like it's a legit piece of software...


Edited by hamluis, 21 April 2014 - 08:02 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 keithmoon

Posted 21 April 2014 - 09:21 AM

Directory of the virus......C:\ProgramData\Microsoft\{828b6afb-2a06-b0c0-1613-f1649a62ceec}

 

Virus File...........{828b6afb-2a06-b0c0-1613-f1649a62ceec}.exe

 

 

Registry Location......HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

"C:\ProgramData\Microsoft\{828b6afb-2a06-b0c0-1613-f1649a62ceec}\{828b6afb-2a06-b0c0-1613-f1649a62ceec}.exe"

 

In Windows Startup........ Microsoft (R) Windows (R) Operating System. The R has a circle around it, like a genuine Microsoft Windows certificate.

 

 

 

In Windows Services this service/virus automatically starts these services. Normally these services would be a manual start, but the virus starts them....

 

Display Name - Computer Browser

C:\Windows\System32\svchost.exe -k netsvcs

Service Name - Browser

 

Display Name - IPsec Policy Agent

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

Service Name - PolicyAgent

 

Please help, I am losing all my data. I paid $100 in Australia for 10 gig of data and lost half of it....


Edited by keithmoon, 21 April 2014 - 09:22 AM.


#3 keithmoon

Posted 21 April 2014 - 10:37 PM

Has anybody got any ideas? I am lost..

 

It looks like a genuine Microsoft Windows Operating System file, but for one thing it should not be in the Program Data/Microsoft folder, as it has only appeared in there these last few days....

 

Also, when I do MSCONFIG, in Startup, under Items it has a Microsoft Windows Operating System file entry, which I have never seen before, and looking in the registry, this is the entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

Every time I delete it from the registry, it re-appears, and every time I delete the folder with the {828b6afb-2a06-b0c0-1613-f1649a62ceec}.exe in it, it just re-appears....

 

How can I get rid of this file without a complete format?

 

I have done a complete Malwarebytes scan, and it does not pick it up as the file looks genuine, but in Windows Task Manager it is showing as a Host Process for Windows Tasks (svchost.exe). Every time I end these processes they start up again.

 

Where do I need to look and what do I need to look for?

 

Thanks for any help...
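The posts above describe a classic autostart pattern: a Run value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing at an executable whose file name and parent folder are the same bare GUID, sitting in the user-writable ProgramData tree rather than Program Files or Windows, and wearing a Microsoft-looking file description. The script below is an added example, not code from the thread or from any BleepingComputer helper; it triages a set of Run-key command lines with exactly those heuristics. The sample entries are constructed here (the loader path mirrors the one posted; the Run value name and the two benign-looking entries are invented for contrast), and the scoring rules are a generic triage heuristic, not a signature for this specific infection.

```python
"""Triage of Windows Run-key autostart entries (added example).

Heuristics flag what the thread describes: an .exe launched from a
user-writable location, named as a bare GUID, inside a folder with the
same GUID name. Nothing here touches the registry; the entries are
constructed sample data so the script runs offline on any platform.
"""
import re
from dataclasses import dataclass, field

# {8-4-4-4-12} hex GUID, case-insensitive.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)

# Path fragments a standard user (or any process running as one) can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")

# Constructed sample: value name -> command line as stored in the Run key.
# The first entry mirrors the path posted in the thread; its value name is
# invented (the thread does not give it). The other two are benign-looking
# entries made up for contrast.
SAMPLE_RUN_VALUES = {
    "WindowsUpdateHelper":
        '"C:\\ProgramData\\Microsoft\\{828b6afb-2a06-b0c0-1613-f1649a62ceec}'
        '\\{828b6afb-2a06-b0c0-1613-f1649a62ceec}.exe"',
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
    "OneDrive":
        '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}


def extract_exe(command: str) -> str:
    """Return the executable path from a Run value's command line.

    Handles a quoted path followed by arguments and an unquoted path whose
    first token ends in .exe. Wrappers such as rundll32 are returned as-is.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


@dataclass
class Finding:
    name: str
    exe: str
    reasons: list = field(default_factory=list)


def triage(entries: dict) -> list:
    """Score each Run value; return findings with at least one reason,
    most suspicious first."""
    findings = []
    for name, command in entries.items():
        exe = extract_exe(command)
        low = exe.lower()
        parts = exe.replace("/", "\\").split("\\")
        filename = parts[-1]
        folder = parts[-2] if len(parts) >= 2 else ""
        stem = filename[:-4] if filename.lower().endswith(".exe") else filename

        reasons = []
        if any(tok in low for tok in USER_WRITABLE):
            reasons.append("executes from a user-writable location")
        if GUID_RE.match(stem):
            reasons.append("executable named as a bare GUID")
        if GUID_RE.match(folder) and folder.lower() == stem.lower():
            reasons.append("folder and file share one GUID name (self-named loader)")
        if reasons:
            findings.append(Finding(name, exe, reasons))
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_VALUES):
        print(f"{f.name}: {f.exe}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live Windows host the same heuristics apply to the per-user Run key (HKCU\...\CurrentVersion\Run) and to the RunOnce keys, and the flagged binary should then be checked for an Authenticode signature: a genuine Microsoft component is signed by Microsoft and installed under Program Files or the Windows directory, while a file that merely carries "Microsoft Windows Operating System" in its version-info description, as in the thread, is not. The legitimately flagged OneDrive entry in the sample shows why the location rule alone is only a ranking signal, not a verdict.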