How can I remove this virus remnant?

t_ski · Dec 20, 2010

My wife picked up a virus the other day and I was able to remove all of it except for this:

The virus planted a startup file somewhere and I cannot figure out where it is located. And since the name is not standard characters, I can't do a search for it. I already tried picking some characters out of the windows character map, but could not find this reference. Any suggestions?

This is on Windows XP Home SP2.

UPDATE: Case closed. I was able to find the file calls with Autoruns. Thanks :toast:

Red_Machine · Dec 20, 2010

If you download CCleaner from www.piriform.com (it's free, so DON'T pay for it when it gives you the option to), it has a tab where you can disable or delete startup entries.

Marineborn · Dec 20, 2010

agreed with red, also you can try to find the startup proggy in the registry i beleive and delete it, unless im thinking of something else

inferKNOX · Dec 20, 2010

If you know what's what in your system, Autoruns will help you weed out anything that's not supposed to be attaching itself to your system startup.

95Viper · Dec 20, 2010

inferKNOX said:
If you know what's what in your system, Autoruns will help you weed out anything that's not supposed to be attaching itself to your system startup.

+1

IMO, definitely look at Autoruns.
Nice tool. Free, too. Goes a little further than MSConfig and others.

It will show in the lists "File not found" entries.
You can check and un-check items to test and\or you can delete the item after you see if you do not need it.

Be careful with it, you can muck up your OS.

Mussels · Dec 20, 2010

that looks like its starting up with windows, have you checked in MSCONFIG?

t_ski · Dec 20, 2010

Marineborn said:
agreed with red, also you can try to find the startup proggy in the registry i beleive and delete it, unless im thinking of something else

I looked for the 7 or so different areas in the registry that have startups (HKLM and HLCU), but only found the stuff in MS config.

Mussels said:
that looks like its starting up with windows, have you checked in MSCONFIG?

Yes, it is something that startes with Windows, but it does not show up in MSconfig. That's the first place I looked though :toast:

MxPhenom 216 · Dec 20, 2010

Malware Bytes, MSE, and CCleaner are your best friends

newtekie1 · Dec 20, 2010

I was also going to suggest Autoruns.

Check to make sure it isn't attaching itself to explorer. It should be the 3rd thing listed in Autoruns, the listing for the Shell. It should just be Explorer.exe. If it is anything else, that might be your problem.

kenkickr · Dec 20, 2010

Go and grab Hijackthis 2.0.4. Great tool to see EVERYTHING that is running in the background and to get rid of certain items you do not want running in the background/startup. If not sure what your removing post a screenshot and we can help you out.

SuperAntiSpyware is pretty good AS app.

t_ski · Dec 20, 2010

nvidiaintelftw said:
Malware Bytes, MSE, and CCleaner are your best friends

I did use Malwarebyte's to remove the virus (had to do it in safe mode as the virus kept blocking mbam). I dl'ed MSE but did not install it because I was in safe mode at the time, and it would not run in safe mode. Just plain forgot to run it when I got bak into Windows...

95Viper · Dec 21, 2010

The file reference might be hiding in the boot execute, devices, services, or anywhere, as, your first post is not necessarily showing a exe or com file.
Could be a dll, sys, or other.

I am not nagging you, just trying to help; have you tried autoruns yet and looked through it?
It will show you in the section called image path that the "File not Found".
Chances are one them is your culprit. You can un-check and\or delete it.
Seems like whatever it was... is gone; just a reference to file location is left.

t_ski · Dec 21, 2010

95Viper said:
Seems like whatever it was... is gone; just a reference to file location is left.

That was exactly the case. However, I am glad to say, Autoruns was able to find both registry entries that were calling the file. I tried unchecking them to test, and the message went away, so I ran it again and followed the registry path to both locations and deleted the keys (were already in a "disabled" folder in the registry).

Thanks to everyone that gave some input, especially those who suggested Autoruns. I had not heard of the utility, but I will be telling all my tech buddies at work about it tomorrow. Case closed! :toast:

System Name	My i7 Beast
Processor	Intel Core i7 6800K
Motherboard	Asus X99-A II
Cooling	Nickel-plated EK Supremacy EVO, D5 with XSPC Bayres & BIX Quad Radiator
Memory	4 x 8GB EVGA SuperSC DDR4-3200
Video Card(s)	EVGA 1080 SuperClocked
Storage	Samsung 950 Pro 256GB m.2 SSD + 480GB Sandisk storage SSD
Display(s)	Three Asus 24" VW246H LCD's
Case	Silverstone TJ07
Audio Device(s)	Onboard
Power Supply	Corsair AX1200
Keyboard	Corsair K95
Software	Windows 10 x64 Pro

System Name	Chachamaru-IV \| Retro Battlestation
Processor	AMD Ryzen 9 5900X \| Intel Pentium II 450MHz
Motherboard	ASUS ROG STRIX X570-F Gaming \| MSI MS-6116 (Intel 440BX chipset)
Cooling	Noctua NH-D15 SE-AM4
Memory	32GB Corsair DDR4-3000 (16-20-20-38) \| 512MB PC133 SDRAM
Video Card(s)	nVIDIA GeForce RTX 4070 FE \| 3dfx Voodoo3 3000
Storage	1TB WD_Black SN850 NVME SSD (OS), Toshiba 3TB (Storage), Toshiba 3TB (Steam)
Display(s)	Samsung Odyssey G5 27" @ 1440p144 & Dell P2312H @ 1080p60
Case	SilverStone Seta A1 \| Beige box
Audio Device(s)	Creative Sound Blaster AE-7 (Speakers), Creative Zen Hybrid headset \| Sound Blaster AWE64
Power Supply	EVGA Supernova 750 G2 \| 250W ASETEC
Mouse	Roccat Kone Air\| Microsoft Serial Mouse v2.0A
Keyboard	Vortex Race3 \| Dell AT102W
Software	Microsoft Windows 11 Pro \| Microsoft Windows 98SE

System Name	THE MAD BEAST!!!
Processor	Tinfoil rapper with some coathangers
Motherboard	Graham cracker with with frosting
Cooling	A shovel full of snow
Memory	Grey matter out of a corpse
Video Card(s)	Cat eyes
Storage	A whales brain
Display(s)	Cyclops eyeball
Case	Inside a yetis hollowed out corpse
Audio Device(s)	howling banchee
Power Supply	32 hamster on a massive wheel
Software	WHo needs software when you have a box of kittens
Benchmark Scores	IS gatrillions a number?

System Name	inferKNIGHT
Processor	Intel Core i5-4590
Motherboard	MSI Z97i Gaming AC
Cooling	Corsair H100i
Memory	2 x 4GB DDR3-1866 Crucial Ballistix Tactical Tracer (R/G)
Video Card(s)	ASUS GTX 970 STRIX 3.5GB (+0.5GB? o.O)
Storage	1 x 256GB Cricial M550, 1 x 2TB Samsung 7200.12
Display(s)	Samsung SyncMaster T260
Case	Corsair Obsidian 250D
Power Supply	Corsair RM750
Software	Windows 8.1.1 pro x64

System Name	Rainbow Sparkles (Power efficient, <350W gaming load)
Processor	Ryzen R7 5800x3D (Undervolted, 4.45GHz all core)
Motherboard	Asus x570-F (BIOS Modded)
Cooling	Alphacool Apex UV - Alphacool Eisblock XPX Aurora + EK Quantum ARGB 3090 w/ active backplate
Memory	2x32GB DDR4 3600 Corsair Vengeance RGB @3866 C18-22-22-22-42 TRFC704 (1.4V Hynix MJR - SoC 1.15V)
Video Card(s)	Galax RTX 3090 SG 24GB: Underclocked to 1700Mhz 0.750v (375W down to 250W))
Storage	2TB WD SN850 NVME + 1TB Sasmsung 970 Pro NVME + 1TB Intel 6000P NVME USB 3.2
Display(s)	Phillips 32 32M1N5800A (4k144), LG 32" (4K60) \| Gigabyte G32QC (2k165) \| Phillips 328m6fjrmb (2K144)
Case	Fractal Design R6
Audio Device(s)	Logitech G560 \| Corsair Void pro RGB \|Blue Yeti mic
Power Supply	Fractal Ion+ 2 860W (Platinum) (This thing is God-tier. Silent and TINY)
Mouse	Logitech G Pro wireless + Steelseries Prisma XL
Keyboard	Razer Huntsman TE ( Sexy white keycaps)
VR HMD	Oculus Rift S + Quest 2
Software	Windows 11 pro x64 (Yes, it's genuinely a good OS) OpenRGB - ditch the branded bloatware!
Benchmark Scores	Nyooom.

How can I remove this virus remnant?

t_ski

Former Staff

Red_Machine

Marineborn

inferKNOX

95Viper

Super Moderator

Mussels

Freshwater Moderator

t_ski

Former Staff

MxPhenom 216

ASIC Engineer

newtekie1

Semi-Retired Folder

kenkickr

t_ski

Former Staff

95Viper

Super Moderator

t_ski

Former Staff

System Name	Ryzen Reflection
Processor	AMD Ryzen 9 5900x
Motherboard	Gigabyte X570S Aorus Master
Cooling	2x EK PE360 \| TechN AM4 AMD Block Black \| EK Quantum Vector Trinity GPU Nickel + Plexi
Memory	Teamgroup T-Force Xtreem 2x16GB B-Die 3600 @ 14-14-14-28-42-288-2T 1.45v
Video Card(s)	Zotac AMP HoloBlack RTX 3080Ti 12G \| 950mV 1950Mhz
Storage	WD SN850 500GB (OS) \| Samsung 980 Pro 1TB (Games_1) \| Samsung 970 Evo 1TB (Games_2)
Display(s)	Asus XG27AQM 240Hz G-Sync Fast-IPS \| Gigabyte M27Q-P 165Hz 1440P IPS \| Asus 24" IPS (portrait mode)
Case	Lian Li PC-011D XL \| Custom cables by Cablemodz
Audio Device(s)	FiiO K7 \| Sennheiser HD650 + Beyerdynamic FOX Mic
Power Supply	Seasonic Prime Ultra Platinum 850
Mouse	Razer Viper v2 Pro
Keyboard	Razer Huntsman Tournament Edition
Software	Windows 11 Pro 64-Bit

Processor	Intel Core i7 10850K@5.2GHz
Motherboard	AsRock Z470 Taichi
Cooling	Corsair H115i Pro w/ Noctua NF-A14 Fans
Memory	32GB DDR4-3600
Video Card(s)	RTX 2070 Super
Storage	500GB SX8200 Pro + 8TB with 1TB SSD Cache
Display(s)	Acer Nitro VG280K 4K 28"
Case	Fractal Design Define S
Audio Device(s)	Onboard is good enough for me
Power Supply	eVGA SuperNOVA 1000w G3
Software	Windows 10 Pro x64

System Name	Addison Clark
Processor	Ryzen 9 7950x3D delid
Motherboard	Asus X670E Hero
Cooling	Custom Bykski loop CPU, GPU, 2x 360 rads, and 1x 280 rad with Arctic P12 and P14 ARGB fans
Memory	G.Skill DDR5-6000 64GB CL30
Video Card(s)	Gigabyte 4090 Aorus Master
Storage	Kingston Fury 2TB and 4TB NVME
Display(s)	Samsung 57"
Case	Lian Li O11 mini
Audio Device(s)	Onboard
Power Supply	Thermaltake 1000w SFX-L
Mouse	Corsair Dark Core RGB SE
Keyboard	Corsair K95 Platnium
Software	Win 11 Pro