
System Almost Cleaned Except For One Problem.


9 replies to this topic

#1 Darc_Confusion

Darc_Confusion


Posted 28 January 2007 - 09:08 PM

I followed the instructions from the tutorial on How to remove a Trojan, Virus, Worm, or other Malware. The problem is I still can't delete the files from System32. It says the files are being used by another program and it won't let me delete them. I'm sure this is an extremely newb problem, but if anyone could help I would really appreciate it. Thank you very much.

Edited by Darc_Confusion, 28 January 2007 - 09:09 PM.



#2 fozzie

fozzie

    aut viam inveniam aut faciam



Posted 29 January 2007 - 03:27 AM

Have you tried to do the same in Safe mode?

#3 quietman7

quietman7

    Bleepin' Janitor



Posted 29 January 2007 - 12:51 PM

Download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
As fozzie indicated, you should be able to delete any remaining bad files in safe mode.

The Windows operating system protects files when they are being accessed by an application or a program. Hackers know this so they will write malware that can insert itself and hide in these protected areas when the files are being used. Using Safe Mode reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 Darc_Confusion

Darc_Confusion
  • Topic Starter


Posted 30 January 2007 - 12:45 AM

Everything has either been removed or deleted (except for one file which was moved) but I'm still receiving pop ups for some reason. I'm not exactly sure what I should do next.

Edited by Darc_Confusion, 30 January 2007 - 12:46 AM.


#5 quietman7

quietman7

    Bleepin' Janitor



Posted 30 January 2007 - 05:01 AM

Can you describe the popups? What do they say?

#6 tmd

tmd


Posted 30 January 2007 - 08:54 AM

Could you post some things here, so it's easy to solve your problem.
In System32, arrange the files by Modified date. There are many .dll and .exe files in that folder. Post the oldest files here, including .exe and .dll.
Show the name of the file that could not be deleted. It may help.

#7 Darc_Confusion

Darc_Confusion
  • Topic Starter


Posted 30 January 2007 - 10:43 PM

I'm not sure if this is allowed but this is a copy of the DrWeb.csv file. The files I thought were the problem were the first to go so I'm at a loss as to what I should do now.


geede.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
opnomnn.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
ywoimfpn.dll;c:\windows\system32;Trojan.Virtumod;Deleted.;
RegUBP2b-Sheena.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
A0121317.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP217;Trojan.Juan;Deleted.;
A0122357.reg;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP217;Trojan.StartPage.1505;Deleted.;
A0125732.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP218;Trojan.Virtumod;Deleted.;
A0125733.reg;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP218;Trojan.StartPage.1505;Deleted.;
awtqrro.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
awtussq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
bdasedfl.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
ckgfwqkt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
efcbbbb.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
fcccywu.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
geede.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
gnikjmjm.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ifelbbye.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
lbjlkecc.dll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
opnomnn.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
qommmkj.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
urqnmmn.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
vgtnjgeh.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
whcfwcqs.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xxyxurq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
yfcpemqo.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;


Also, I just checked autoruns and I know at least two of the trojans have regenerated themselves.

Edited by Darc_Confusion, 30 January 2007 - 10:47 PM.
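The DrWeb.csv report quoted in the post above is a plain semicolon-separated export (file;directory;detection;action;) that the forum ran onto a single line. As an added example, not code from this thread or from Dr.Web, the Python below parses that flattened form on a constructed sample, lists the files that were still locked and deferred to reboot (the same "being used by another program" condition behind the original question), and counts distinct files per detection name after folding the mixed-case paths; the sample records and the restore-point GUID placeholder are constructed.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the same record shape as the DrWeb.csv quoted above;
# the _restore GUID is a placeholder, not the poster's value.
SAMPLE_REPORT = (
    "geede.dll;c:\\windows\\system32;Trojan.Virtumod;Will be cured after reboot.; "
    "ywoimfpn.dll;c:\\windows\\system32;Trojan.Virtumod;Deleted.; "
    "bdasedfl.exe;C:\\WINDOWS\\system32;Adware.TopSearch;Incurable.Moved.; "
    "A0125732.dll;C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP218;"
    "Trojan.Virtumod;Deleted.; "
    "geede.dll;C:\\WINDOWS\\system32;Trojan.Virtumod;Will be cured after reboot.;"
)
FIELDS = ("file", "directory", "detection", "action")

def parse_report(text):
    """Turn the flattened export into one dict per record.
    Each record is exactly four ';'-terminated fields, so split on ';' and
    regroup in fours rather than trusting the '; ' inserted between records.
    """
    fields = [f.strip() for f in text.split(";")]
    if fields and fields[-1] == "":  # the final ';' leaves an empty tail
        fields.pop()
    if len(fields) % len(FIELDS):
        raise ValueError("report does not consist of whole records")
    return [dict(zip(FIELDS, fields[i:i + 4])) for i in range(0, len(fields), 4)]

def full_path(rec):
    """Case-folded full path, so c:\\windows and C:\\WINDOWS count as one file."""
    return str(PureWindowsPath(rec["directory"], rec["file"])).lower()

def pending_reboot(records):
    """Files the scanner could not touch while they were loaded: the same
    'being used by another program' condition described in the first post."""
    return sorted({full_path(r) for r in records
                   if r["action"].startswith("Will be cured after reboot")})

def families(records):
    """Number of distinct files attributed to each detection name."""
    seen = {}
    for r in records:
        seen.setdefault(full_path(r), r["detection"])
    return Counter(seen.values())

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("still locked, cured only after reboot:", pending_reboot(recs))
    print("distinct files per detection:", dict(families(recs)))
```

Entries left in the "cured after reboot" state are the ones worth re-checking in Safe Mode after the restart, which is the reason the reboot step in the scan instructions is marked important.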


#8 quietman7

quietman7

    Bleepin' Janitor



Posted 30 January 2007 - 10:54 PM

DrWeb found several Vundo files. Just to make sure we got all the files, follow the instructions for using Vundofix in "How To Remove Winfixer/Virtumonde/Msevents/Trojan.vundo".

Let us know how your computer is running and if the pop ups stopped.

#9 Darc_Confusion

Darc_Confusion
  • Topic Starter


Posted 02 February 2007 - 05:52 PM

I used the Vundofix and I think after the second time it got rid of the problem completely. Autoruns is showing the files as "not found" so I think it's finally fixed. Thanks for everything, I really appreciate the help. :thumbsup:

#10 quietman7

quietman7

    Bleepin' Janitor



Posted 02 February 2007 - 07:40 PM

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
