
How can I remove this virus remnant?

Discussion in 'Networking & Security' started by t_ski, Dec 20, 2010.

  1. t_ski

    t_ski Former Staff

    My wife picked up a virus the other day and I was able to remove all of it except for this:

    [screenshot omitted]

    The virus planted a startup file somewhere and I cannot figure out where it is located. And since the name is not standard characters, I can't do a search for it. I already tried picking some characters out of the windows character map, but could not find this reference. Any suggestions?

    This is on Windows XP Home SP2.

    UPDATE: Case closed. I was able to find the file calls with Autoruns. Thanks :toast:
    Last edited: Dec 21, 2010
  2. Red_Machine

    Red_Machine

    If you download CCleaner from www.piriform.com (it's free, so DON'T pay for it when it gives you the option to), it has a tab where you can disable or delete startup entries.
  3. Marineborn

    Marineborn New Member

    Agreed with Red. Also, you can try to find the startup program in the registry, I believe, and delete it, unless I'm thinking of something else.
  4. inferKNOX

    inferKNOX

    If you know what's what in your system, Autoruns will help you weed out anything that's not supposed to be attaching itself to your system startup.
  5. 95Viper

    95Viper

    +1:toast:
    IMO, definitely look at Autoruns.
    Nice tool. Free, too. Goes a little further than MSConfig and others.

    It will show "File not found" entries in the lists.
    You can check and un-check items to test, and/or you can delete an item once you have confirmed you do not need it.

    Be careful with it, you can muck up your OS.
  6. Mussels

    Mussels Moderprator Staff Member

    That looks like it's starting up with Windows. Have you checked in MSCONFIG?
  7. t_ski

    t_ski Former Staff

    I looked in the 7 or so different areas in the registry that have startups (HKLM and HKCU), but only found the stuff that is in MSConfig.

    Yes, it is something that starts with Windows, but it does not show up in MSConfig. That's the first place I looked, though :toast:
  8. MxPhenom 216

    MxPhenom 216 Corsair Fanboy

    Malwarebytes, MSE, and CCleaner are your best friends.
  9. newtekie1

    newtekie1 Semi-Retired Folder

    I was also going to suggest Autoruns.

    Check to make sure it isn't attaching itself to explorer. It should be the 3rd thing listed in Autoruns, the listing for the Shell. It should just be Explorer.exe. If it is anything else, that might be your problem.
  10. kenkickr

    kenkickr

    Go and grab HijackThis 2.0.4. Great tool to see EVERYTHING that is running in the background and to get rid of certain items you do not want running in the background/startup. If you're not sure what you're removing, post a screenshot and we can help you out.

    SuperAntiSpyware is a pretty good AS app.
  11. t_ski

    t_ski Former Staff

    I did use Malwarebytes to remove the virus (had to do it in safe mode, as the virus kept blocking mbam). I downloaded MSE but did not install it because I was in safe mode at the time, and it would not run in safe mode. Just plain forgot to run it when I got back into Windows...
  12. 95Viper

    95Viper

    The file reference might be hiding in the boot execute, devices, services, or anywhere, as your first post is not necessarily showing an exe or com file.
    It could be a dll, sys, or other.

    I am not nagging you, just trying to help; have you tried Autoruns yet and looked through it?
    It will show you "File not Found" in the section called Image Path.
    Chances are one of them is your culprit. You can un-check and/or delete it.
    Seems like whatever it was... is gone; just a reference to the file location is left.

    :)
  13. t_ski

    t_ski Former Staff

    That was exactly the case. However, I am glad to say, Autoruns was able to find both registry entries that were calling the file. I tried unchecking them to test, and the message went away, so I ran it again and followed the registry path to both locations and deleted the keys (were already in a "disabled" folder in the registry).

    Thanks to everyone that gave some input, especially those who suggested Autoruns. I had not heard of the utility, but I will be telling all my tech buddies at work about it tomorrow. Case closed! :toast:
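Added example, not code from the thread or from Autoruns: a PowerShell script that does a small version of the check t_ski ended up doing by hand, walking the usual Run/RunOnce keys plus the Winlogon Shell value and flagging entries whose target file no longer exists (Autoruns' "File not found") or whose name or command contains non-ASCII characters like the one in the screenshot. The key list, the `Get-CommandPath` and `Test-NonAscii` helpers and the skipping of the `PS*` provider properties are my own assumptions; the key list is only a subset of what Autoruns inspects.

```powershell
# Added example (not from the thread): enumerate common autostart registry
# locations and flag entries whose target file is missing ("File not found"
# in Autoruns terms) or whose name/command contains non-ASCII characters.
# Assumes a Windows host with PowerShell; key list is a selection, not exhaustive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath([string]$cmd) {
    # Strip surrounding quotes and trailing arguments to recover the executable path.
    $c = $cmd.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|com|dll|sys|bat|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c.Split(' ')[0]
}

function Test-NonAscii([string]$s) { return ($s -match '[^\x20-\x7E]') }

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider properties
        $path = Get-CommandPath ([string]$p.Value)
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            FileExists = (Test-Path -LiteralPath $expanded)
            NonAscii   = (Test-NonAscii $p.Name) -or (Test-NonAscii ([string]$p.Value))
        }
    }
}

# The Winlogon Shell value should normally be explorer.exe (newtekie1's point above)
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$($wl.Shell)', expected 'explorer.exe'"
}

# Report only the suspicious rows; review each one before deleting anything
$findings | Where-Object { -not $_.FileExists -or $_.NonAscii } | Format-Table -AutoSize
```

Entries with FileExists false are the dead references Autoruns reports as "File not found"; un-check them first to confirm the message goes away, as t_ski did, before removing the key.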
