THESE FORUMS NOW CLOSED (read only)


Author Topic: Trojan Virus - help  (Read 3508 times)

Bowers

  • Balloon animal serial killer
  • *
  • Offline Offline
  • Posts: 87
  • Breadsticks
Trojan Virus - help
« on: 02 May 2010, 09:13 »

So, I've managed to pick up a trojan virus somehow. I've downloaded a bunch of antivirus programmes, none of which seems to work.
It's gotten to the point now where my PC won't let me even run Task Manager or iTunes. I've got eleven days' worth of music, some of which has been backed up but not all (I got lazy).
As a poor student I was hoping you guys would be able to help me get rid of this thing. Infected files include wauclt.exe, mcumgr.exe and vssvs.exe.

Cheers for all your help
Logged

bicostp

  • Beyoncé
  • ****
  • Offline Offline
  • Posts: 734
Re: Trojan Virus - help
« Reply #1 on: 02 May 2010, 10:27 »

Sounds like you have a phony antivirus running. Does it pop up a window for something like "Vista Total Security 2010"? (If it does, a screenshot would be helpful.) Are there any new folders in the Start menu for programs you don't remember installing? Are you running Windows XP, Vista, or Win7?

Download HijackThis, rename the .exe to "hikackthis.com", and post the log here.

http://free.antivirus.com/hijackthis/

Those filenames belong to legitimate programs, provided they're in the directories they should be in.

wuauclt.exe = Windows Update C:\windows\system32
vssvs.exe = Windows Volume Shadow Copy C:\windows\system32
mcumgr.exe = McAfee Update Manager

If the "antivirus" program that's running is telling you those files in those directories are infected, and is asking you to pay $100 or so to "fix" them, then it's fake.
« Last Edit: 02 May 2010, 10:33 by bicostp »
Logged

Bowers

Re: Trojan Virus - help
« Reply #2 on: 02 May 2010, 10:39 »

That's pretty much exactly what's happened, cheers for your help.
I'll post the log when I get back from work,
thanks
Logged

Dimmukane

  • Vulcan 3-D Chess Master
  • *****
  • Offline Offline
  • Posts: 3,683
  • juicer
Re: Trojan Virus - help
« Reply #3 on: 02 May 2010, 10:49 »

If that's the thing I think it is then it is annoying as hell to get rid of.  Involving registry editing/regfixes, safe mode file search and destroy, and tons of other stuff that's a pain in the ass.
Logged
Quote from: Johnny C
all clothes reflect identity constructs, destroy these constructs by shedding your clothes and sending pictures of the process to the e-mail address linked under my avatar

bicostp

Re: Trojan Virus - help
« Reply #4 on: 02 May 2010, 11:38 »

Actually it's not too difficult to get rid of, especially in Vista and Windows 7. I work at an IT desk and see it all the time; once you figure out a procedure to follow, it's easy to get rid of. Here's how I do it:

1. Copy the entire contents of the quote at the bottom of this post into Notepad, save it as a .reg file on the desktop (select "All Files" so Notepad doesn't tack the .TXT extension on). This will delete the problematic entries from the registry and allow you to run .exe files normally again. (You can go in and delete them manually, but it takes some digging. This patch works every time and takes seconds to use.)
2. Reboot into Command Line Safe Mode (so the thing won't load)
3. Run msconfig (it's built into Windows)
4. Go to the Startup tab
5. Disable anything trying to run out of any of the folders under the C:\Users\[your name]\, C:\Profiles\[your name], or C:\Documents and Settings\[your name] directory. Check all the other entries as well, because some manage to work their way into C:\Program Files. (I have seen this on XP a lot but never on Vista and Windows 7 with UAC enabled, unless the user was a fool and ran Firefox with elevated privileges).
6. Run Regedit (type it into the command prompt).
7. In Regedit, click "File -> Import" and select the .reg file from step 1. Allow it to merge with the registry. Once you see the "Successfully merged" message, you can close Regedit. (You can delete that file if you want, but I recommend putting it away somewhere so you can use it in case you get hit by a similar malware infection again.)
8. Restart your computer normally. The malware shouldn't run at this point.
9. Right click the malware's shortcut on the desktop (it usually has a shield icon and has a funny-sounding name like "Security Tool" or "Total [XP/Vista/7] Antivirus 2010")
10. XP: Click Properties, then "Find Target". Vista/7: Click "Open File Location" in the context menu.
11. You should now be in the folder with the malware .exe. Go up to the parent directory and delete the entire malware folder.

Your computer should be fine now! At this point, I recommend installing Malwarebytes' Anti-Malware and allowing it to perform a full scan in case there's anything we missed. A full scan will take a couple hours to perform, but you can shorten that by running a drive cleaning utility like CCleaner so it doesn't have to waste time scanning temporary junk. (Get the portable or Slim builds; the normal one includes the Ask.com toolbar.)

Quote
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
« Last Edit: 02 May 2010, 11:50 by bicostp »
Logged
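
The .exe file-association damage that the .reg patch in the post above repairs can also be checked for before and after cleanup. This is an added example, not part of the original thread: it audits the decoded text of a registry export against the keys and values in that patch. The function names, the sample export and the path inside it are constructed for illustration.

```python
import re

# Expected defaults, copied from the .reg patch quoted in the post above.
EXPECTED = {
    r"hkey_classes_root\.exe": "exefile",
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
}
# Keys that patch deletes; finding them (or their subkeys) is a red flag.
SHOULD_NOT_EXIST = (
    r"hkey_current_user\software\classes\.exe",
    r"hkey_current_user\software\classes\secfile",
    r"hkey_classes_root\secfile",
    r"hkey_classes_root\.exe\shell\open\command",
)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse decoded .reg text into {lowercased key: {name: unescaped string}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).strip('"')] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit_exe_association(text):
    """Return findings; an empty list means the .exe association matches the patch."""
    keys, findings = parse_reg(text), []
    for key in keys:
        if any(key == bad or key.startswith(bad + "\\") for bad in SHOULD_NOT_EXIST):
            findings.append(f"unexpected key: {key}")
    for key, want in EXPECTED.items():
        if (got := keys.get(key, {}).get("@")) != want:
            findings.append(f"{key}: default is {got!r}, expected {want!r}")
    return findings

# Constructed export of a hijacked machine (sample data, not from the thread).
SAMPLE_HIJACKED = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\example\\AppData\\Local\\fake.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
print("\n".join(audit_exe_association(SAMPLE_HIJACKED)))
```

The export passed in must cover both HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile, otherwise the missing key is itself reported as a finding.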

Bowers

Re: Trojan Virus - help
« Reply #5 on: 03 May 2010, 10:41 »

Hey, I've followed your instructions religiously and have got up to stage 9. Upon restarting my laptop after making the adjustments the virus seems to have gone but there is no malware shortcut on my desktop. Also, when I try and open iTunes it says the iTunes file is locked. Thanks for all your help so far, the virus itself seems to have gone now, is there any further action I should take? I might try and reinstall iTunes now.
Logged

bicostp

Re: Trojan Virus - help
« Reply #6 on: 03 May 2010, 10:57 »

Run Malwarebytes; it should find the virus files for you.

You can probably find the files manually if you look at the things you disabled in msconfig.

Did it create an entry in the Start menu? The shortcut trick works there, too.

Could you post a screenshot of the iTunes error? It could be either the database or the executable itself that's locked. If it gives you a specific file name, look it up and check its properties to see if the "locked" box is checked.
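
Two location checks come up in this thread: a system file name is only trustworthy in its expected directory, and startup entries that run from a user-profile folder deserve a closer look. The following added example (not part of the original posts) applies both to a list of startup command lines and also flags names one character away from a system binary. The list of system names, the function names and the sample entries are assumptions constructed for illustration.

```python
import ntpath

# Assumption: a few binaries expected only in System32 (wuauclt.exe is the one
# named in the thread; the others are added for illustration).
SYSTEM32 = r"c:\windows\system32"
SYSTEM_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe"}
# User-writable roots named in the removal procedure earlier in the thread.
PROFILE_ROOTS = ("c:\\users\\", "c:\\profiles\\", "c:\\documents and settings\\")

def exe_path(command):
    """Pull the executable path out of a startup command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")  # unquoted paths may contain spaces
    return command[: end + 4] if end != -1 else command.split(" ", 1)[0]

def one_edit_apart(a, b):
    """True if a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def triage(command):
    """Return the reasons a startup entry deserves a closer look (may be empty)."""
    path = ntpath.normpath(exe_path(command)).lower()
    folder, name = ntpath.split(path)
    reasons = []
    if path.startswith(PROFILE_ROOTS):
        reasons.append("runs from a user-profile directory")
    if name in SYSTEM_NAMES and folder != SYSTEM32:
        reasons.append(f"{name} is outside {SYSTEM32}")
    reasons += [f"name resembles {k}" for k in sorted(SYSTEM_NAMES) if one_edit_apart(name, k)]
    return reasons

# Constructed startup entries (sample data, not taken from the thread).
SAMPLES = [
    r'C:\Windows\System32\wuauclt.exe',
    r'"C:\Documents and Settings\example\Application Data\av2010\av.exe" /s',
    r'C:\Users\example\AppData\Local\Temp\wuauclt.exe',
    r'C:\Program Files\Tool\svch0st.exe /s',
]
for entry in SAMPLES:
    print(entry, "->", triage(entry) or "nothing flagged")
```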

Bowers

Re: Trojan Virus - help
« Reply #7 on: 03 May 2010, 11:15 »



That's the message I get every time I try and open iTunes.

Doesn't look like it left anything on the start menu, I'm running a scan with Malwarebytes now
Logged

bicostp

Re: Trojan Virus - help
« Reply #8 on: 03 May 2010, 11:54 »

I think somewhere in the My Documents/My Music/ directory there's an iTunes folder with an XML file in it. That's probably the one that got locked. Check its properties to see if it's locked, and take ownership of it if it "belongs" to another account on your PC for some reason.

You could also try this:
http://www.cybertechhelp.com/forums/showpost.php?s=56c08787b1accd0c3e8572dac84b2128&p=759992&postcount=6

It's for an old version of iTunes but it could work.