
Trojan Virus - help


Bowers:
So, I've managed to pick up a trojan virus somehow. I've downloaded a bunch of antivirus programmes, none of which seem to work.
It's gotten to the point now where my PC won't even let me run Task Manager or iTunes. I've got eleven days' worth of music, some of which has been backed up but not all (I got lazy).
As a poor student I was hoping you guys would be able to help me get rid of this thing. Infected files include wauclt.exe, mcumgr.exe and vssvs.exe.

Cheers for all your help

bicostp:
Sounds like you have a phony antivirus running. Does it pop up a window for something like "Vista Total Security 2010"? (If it does, a screenshot would be helpful.) Are there any new folders in the Start menu for programs you don't remember installing? Are you running Windows XP, Vista, or Win7?

Download HijackThis, rename the .exe to "hijackthis.com", and post the log here.

http://free.antivirus.com/hijackthis/

Those filenames belong to legitimate programs, provided they're in the directories they should be in.

wuauclt.exe = Windows Update (C:\windows\system32)
vssvs.exe = Windows Volume Shadow Copy (C:\windows\system32)
mcumgr.exe = McAfee Update Manager

If the "antivirus" program that's running is telling you those files in those directories are infected, and is asking you to pay $100 or so to "fix" them, then it's fake.

Bowers:
That's pretty much exactly what's happened, cheers for your help.
I'll post the log when I get back from work.
Thanks

Dimmukane:
If that's the thing I think it is then it is annoying as hell to get rid of. It involves registry editing/regfixes, safe mode file search and destroy, and tons of other stuff that's a pain in the ass.

bicostp:
Actually it's not too difficult to get rid of, especially in Vista and Windows 7. I work at an IT desk and see it all the time; once you figure out a procedure to follow, it's easy to get rid of. Here's how I do it:

1. Copy the entire contents of the quote at the bottom of this post into Notepad, save it as a .reg file on the desktop (select "All Files" so Notepad doesn't tack the .TXT extension on). This will delete the problematic entries from the registry and allow you to run .exe files normally again. (You can go in and delete them manually, but it takes some digging. This patch works every time and takes seconds to use.)
2. Reboot into Command Line Safe Mode (so the thing won't load)
3. Run msconfig (it's built into Windows)
4. Go to the Startup tab
5. Disable anything trying to run out of any of the folders under the C:\Users\[your name]\, C:\Profiles\[your name], or C:\Documents and Settings\[your name] directory. Check all the other entries as well, because some manage to work their way into C:\Program Files. (I have seen this on XP a lot but never on Vista and Windows 7 with UAC enabled, unless the user was a fool and ran Firefox with elevated privileges).
6. Run Regedit (type it into the command prompt).
7. In Regedit, click "File -> Import" and select the .reg file from step 1. Allow it to merge with the registry. Once you see the "Successfully merged" message, you can close Regedit. (You can delete that file if you want, but I recommend putting it away somewhere so you can use it in case you get hit by a similar malware infection again.)
8. Restart your computer normally. The malware shouldn't run at this point.
9. Right click the malware's shortcut on the desktop (it usually has a shield icon and has a funny-sounding name like "Security Tool" or "Total [XP/Vista/7] Antivirus 2010")
10. XP: Click Properties, then "Find Target". Vista/7: Click "Open File Location" in the context menu.
11. You should now be in the folder with the malware .exe. Go up to the parent directory and delete the entire malware folder.

Your computer should be fine now! At this point, I recommend installing Malwarebytes' Anti-Malware and allowing it to perform a full scan in case there's anything we missed. A full scan will take a couple hours to perform, but you can shorten that by running a drive cleaning utility like CCleaner so it doesn't have to waste time scanning temporary junk. (Get the portable or Slim builds; the normal one includes the Ask.com toolbar.)
--- Quote ---Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
--- End quote ---
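An added check, not part of bicostp's post: this PowerShell script reads the same .exe file-association keys that the .reg file above rewrites and reports anything that differs from the Windows defaults, so you can confirm the hijack is present before merging the fix and confirm it is gone afterwards. It assumes the stock defaults (HKCR\.exe maps to "exefile", and exefile's open command is "%1" %*) and that it is run from an elevated PowerShell prompt.

```powershell
# Added example: detect a hijacked .exe file association (not from the original post).
# The fake-AV trick is to point .exe at a per-user "secfile" class (or add a
# shell\open\command directly under .exe) so every program launch runs the malware.

$ExpectedOpenCommand = '"%1" %*'   # Windows default for HKCR\exefile\shell\open\command

function Get-DefaultValue([string]$KeyPath) {
    # Returns the (default) value of a registry key, or $null if the key is missing.
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    $findings = @()

    # Per-user class keys override HKEY_CLASSES_ROOT; Windows does not create
    # these for .exe, so their presence is the first sign of the hijack.
    foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\secfile') {
        if (Test-Path $key) { $findings += "Unexpected per-user key present: $key" }
    }

    # The machine-wide .exe extension should map to the 'exefile' class.
    $dotExe = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe'
    if ($dotExe -ne 'exefile') {
        $findings += "HKCR\.exe default is '$dotExe' (expected 'exefile')"
    }

    # A shell\open\command nested under the extension key itself is never stock.
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
        $findings += 'HKCR\.exe\shell\open\command exists (Windows does not create this)'
    }

    # The launch command must be the pass-through default, not a path to some .exe.
    $cmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    if ($cmd -ne $ExpectedOpenCommand) {
        $findings += "HKCR\exefile\shell\open\command is '$cmd' (expected '$ExpectedOpenCommand')"
    }

    return $findings
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) {
    Write-Host 'OK: .exe association matches Windows defaults'
} else {
    $result | ForEach-Object { Write-Host "SUSPECT: $_" }
}
```

Run it once before step 7 to see the hijacked values and once more after the reboot in step 8 to verify the merge took.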
