[Gavyd]

VIRUS - Help needed

Hey troops.........I let my wee bro on my MAIN machine.....as stupid as the wee rat is its got a virus and is a to get rid of. Im no stranger to a PC and its causing me some grief! Its seems to be a browser hacker (IE Only) im using Firefox so im ok....its opening numerous windows and throwing up all sorts of error messages. I currently have AVG and Adaware installed and can’t get rid....its seems to have embedded itself in C: /Windows/System32........ Would be much appreciated of any help, bellow are a few error messages that are coming up

Thanks in advance

Black Door Trojan

Net-Worm-IVirsus@fp

Trojan-Spy.win32@mx

I installed AVG Anti-Spyware

Below are a few screen dumps

[sophus]

hey, I went to this path (c:\windows) and there's no such shell.exe. So, kill this task, quarentine this thing and see if it works.

[Gavyd]

Cheers im in work at the minute will do it when i go home. I will more than likely need to go into "safe mode" to delete this file?? Is there anything else in the list that you know should not be running??

Thanks for the help

[evilfantasy]

Quote:

Originally Posted by sophus

hey, I went to this path (c:\windows) and there's no such shell.exe. So, kill this task, quarentine this thing and see if it works.

A) "If" you were able to delete it would possibly leave the system unbootable, or bootable with errors. system32 files are important to windows running properly, even if they are malicious.

B) "If" you were able to delete it, it would likely re-create itself before even hitting the recycle bin.

We don't mind people helping in malware removal, but if you are not familiar with the tools needed to properly clean infections please refrain from giving instructions.

You will need to run a few more scans and add the logs as attachments.
Guide for attaching logs to a post

==========

Use the ESET Nod32 Online Scanner

Click YES, I accept the Terms of Use. Then Start.

The scan report is saved by default in C:\Program Files\EsetOnlineScanner\log.txt

Add the EsetOnlineScanner\log.txt in your post as an Attachment.

Guide for attaching logs to a post

==========

Download HijackThis to your desktop.
Double-click on the file you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.
Upon install, HijackThis should open for you.

Next click on the "Do a system scan and save a log file" button.
HijackThis will scan and then a log will open in notepad.
In the top left of the notepad window click "File" > "Save As" name it hijackthis and then save it to the Desktop.
Please save the log as a text (.txt) file or .log
Do NOT attach MS-Word .DOC files, they will NOT be looked at!
In your post, add the log as an Attachment.
* Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
** Don't use the Analyse This button. It's findings are dangerous if misinterpreted.

Guide for attaching logs to a post

==========

Items needed as attachments in next post:
EsetOnlineScanner\log.txt
HijackThis log

[Carl]

if you can`t get rid of it or your computer`s to badly infected, back up your most important files to an external HDD and then refomat windows (DON`T DO THE QUICK FORMAT as it may stay on there do the long format as it`ll wipe all your old files off and the virus with it,) and thern carry on installing windows xp.
best of luck mate.

[evilfantasy]

Quote:

Originally Posted by Carl

if you can`t get rid of it or your computer`s to badly infected, back up your most important files to an external HDD and then refomat windows (DON`T DO THE QUICK FORMAT as it may stay on there do the long format as it`ll wipe all your old files off and the virus with it,) and thern carry on installing windows xp.
best of luck mate.

We aren't to that point yet.

Most virus can be cleaned without having to resort to wiping the drive and starting over.

[sophus]

Quote:

Originally Posted by evilfantasy

A) "If" you were able to delete it would possibly leave the system unbootable, or bootable with errors. system32 files are important to windows running properly, even if they are malicious.

B) "If" you were able to delete it, it would likely re-create itself before even hitting the recycle bin.

We don't mind people helping in malware removal, but if you are not familiar with the tools needed to properly clean infections please refrain from giving instructions.

You will need to run a few more scans and add the logs as attachments.
Guide for attaching logs to a post

==========

Use the ESET Nod32 Online Scanner

Click YES, I accept the Terms of Use. Then Start.

The scan report is saved by default in C:\Program Files\EsetOnlineScanner\log.txt

Add the EsetOnlineScanner\log.txt in your post as an Attachment.

Guide for attaching logs to a post

==========

Download HijackThis to your desktop.
Double-click on the file you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.
Upon install, HijackThis should open for you.

Next click on the "Do a system scan and save a log file" button.
HijackThis will scan and then a log will open in notepad.
In the top left of the notepad window click "File" > "Save As" name it hijackthis and then save it to the Desktop.
Please save the log as a text (.txt) file or .log
Do NOT attach MS-Word .DOC files, they will NOT be looked at!
In your post, add the log as an Attachment.
* Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
** Don't use the Analyse This button. It's findings are dangerous if misinterpreted.

Guide for attaching logs to a post

==========

Items needed as attachments in next post:
EsetOnlineScanner\log.txt
HijackThis log

Maybe I haven't read some of your forum rules, and I'm sorry for that.
But I'm not an irresponsible guy who throws random tips through the forum. My intention is to help this guy, only.
So I said, "kill this task" and "quarentine this thing", not "delete" it.
Even though I have said it, it wouldn't be something like leaving your system "unbootable", because shell.exe DOES NOT exist, it is clearly a malware. But I had to make sure, so I went to C:\windows\system32 and there was no shell.exe. Every one knows, that most of this malware we get, are installing themselves in specific places, and \system32 is a common one. Just my opinion.

[Carl]

Quote evilfantasy "We aren't to that point yet.

Most virus can be cleaned without having to resort to wiping the drive and starting over"

i know i was just saying just incase.

[evilfantasy]

My point was, hiding/deleting/quarantining suspicious entries can make it harder for removal tools to detect, repair or remove them.

Shell.exe is added by a worm so again, it won't work, it will just recreate itself somewhere else.

I'm not taking a shot at your suggestions, just explaining that it won't work.

[sophus]

I understand evilfantasy, we're both trying to help. So making my argument valid doesn't make your point invalid, and vice-versa. I prefer to solve problems like this by myself. And then, when I can't do that I try some anti-virus or anti-spyware. It's my method and experience not an absolute truth.
But let's quit this, and see how Gavyd is managing his problem.