Question

  • #2156233

    path of a virus

    Locked

    by scriptmx ·

    I'm infected with a virus. When I scan with my AV everything is cleaned, but when I restart my PC a file named wmsetup.dll comes back into %temp%. I want to know the path of the wmsetup.dll that comes back every time I connect to the net. I scanned with ComboFix and these are the files that were removed:

    C:\Program Files\Messenger\msgmr.dll
    C:\WINDOWS\AppPatch\AcSpecf.dll
    C:\WINDOWS\AppPatch\AcSpecf.sdb
    C:\WINDOWS\AppPatch\AcXtrnel.sdb
    C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    C:\WINDOWS\Fonts\Framdee.ttf
    C:\WINDOWS\system32\08223B03.dll
    C:\WINDOWS\system32\122B901E.cfg
    C:\WINDOWS\system32\122B901E.dll
    C:\WINDOWS\system32\12B02216.dll
    C:\WINDOWS\system32\43ACDCC5.cfg
    C:\WINDOWS\system32\43ACDCC5.dll
    C:\WINDOWS\system32\4901228.sys
    C:\WINDOWS\system32\495271CA.cfg
    C:\WINDOWS\system32\495271CA.dll
    C:\WINDOWS\system32\4BF9CBA3.cfg
    C:\WINDOWS\system32\4BF9CBA3.dll
    C:\WINDOWS\system32\4D023DE9.dll
    C:\WINDOWS\system32\4F34C688.dll
    C:\WINDOWS\system32\58FF3024.dll
    C:\WINDOWS\system32\7ADC2AB1.cfg
    C:\WINDOWS\system32\7ADC2AB1.dll
    C:\WINDOWS\system32\9CA963CA.cfg
    C:\WINDOWS\system32\9CA963CA.dll
    C:\WINDOWS\system32\A8FC611B.dll
    C:\WINDOWS\system32\D91BC61E.cfg
    C:\WINDOWS\system32\D91BC61E.dll
    C:\WINDOWS\system32\DA63E650.cfg
    C:\WINDOWS\system32\DA63E650.dll
    C:\WINDOWS\system32\DE02F764.cfg
    C:\WINDOWS\system32\DE02F764.dll
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\system32\drivers\HBKernel32.sys
    C:\WINDOWS\system32\E3367679.dll
    C:\WINDOWS\system32\E4814792.cfg
    C:\WINDOWS\system32\E4814792.dll
    C:\WINDOWS\system32\EC7DA7DC.dll
    C:\WINDOWS\system32\HBBO.dll
    C:\WINDOWS\system32\HBCHIBI.dll
    C:\WINDOWS\system32\HBmhly.dll
    C:\WINDOWS\system32\HBQQFFO.dll
    C:\WINDOWS\system32\HBZHUXIAN.dll
    C:\WINDOWS\system32\system.exe
    C:\WINDOWS\temp\wmsetup.dll

All Answers

    • #2795607

      Clarifications

      by scriptmx ·

      In reply to path of a virus

      Clarifications

    • #2795589

      Tough one

      by vhrocker ·

      In reply to path of a virus

      With much experience in removing malware I can really only say a few things. There is no “said way” of doing this.

      For starters, I would use a selection of tools. HiJackThis, Regedit, and Command Prompt.

      HiJackThis (a free download) should help you determine what's running or what is modified in the registry and even delete items for you. BE CAREFUL THOUGH!
      You might even want to go into the registry yourself with regedit to manually remove some of those items. ALSO BE CAREFUL HERE!

      After this you could probably restart (maybe several times) and run your AV again. If files still won’t remove, go to command prompt and use ‘del’ command. If necessary, and/or to be safe, go into safe mode to be sure nothing is in memory.

      Be prepared for at least an hour of work, and if you are not so experienced, possibly more.

      Good luck, I hope that helps.

    • #2795571

      Also don’t forget to

      by ic-it ·

      In reply to path of a virus

      turn off system restore, many files will reload from there. Once cleaned reboot into safe mode and run your scans again.

    • #2795567

      Try this

      by rob miners ·

      In reply to path of a virus

      It looks like you are infected with W32.Spybot.OBB. I would recommend MalwareBytes for removal, and turn off System Restore.

      Click Start > Run.
      Type regedit
      Click OK.

      Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\OLE

      In the right pane, delete the value:

      “Windows” = “system.exe”

      Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

      In the right pane, reset the value:

      “EnableDCOM” = “N”

      Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

      In the right pane, reset the value:

      “restrictanonymous” = “1”

      Exit the Registry Editor.

      Download Malwarebytes Anti-Malware.

      http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

      * Double-click mbam-setup.exe and follow the prompts to install the program.
      * At the end, be sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
      * If an update is found, it will download and install the latest version.
      * Once the program has loaded, select Perform Quick Scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
      * Be sure that everything is checked, and click Remove Selected.

      Just to be on the safe side when you finish do an online scan with Bitdefender.

      http://www.bitdefender.com/scan8/ie.html

      Keep us informed as to your progress if you require further assistance.

      If you think that any of the posts that have been made by all TR Members, have solved or contributed to solving the problem, please Mark them as Helpful so that others may benefit from the outcome. 😉 😀
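The registry steps above as an audit script, added here as an example and not part of rob miners' post: it checks the three autorun keys for the "Windows" = "system.exe" value and verifies EnableDCOM and restrictanonymous, and only changes anything when run with -Remediate (add -WhatIf to preview). It assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit the registry locations named above
# for the W32.Spybot.OBB persistence value and the two settings the worm changes.
# Run elevated. Without -Remediate it only reports; -WhatIf previews changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

# Autorun keys where the "Windows" = "system.exe" value was reported
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = (Get-ItemProperty -Path $key).PSObject.Properties['Windows']
    if ($null -ne $value -and $value.Value -match 'system\.exe') {
        Write-Warning "Autorun entry found: $key\Windows = $($value.Value)"
        if ($Remediate -and $PSCmdlet.ShouldProcess("$key\Windows", 'Remove value')) {
            Remove-ItemProperty -Path $key -Name 'Windows'
        }
    } else {
        Write-Host "OK: no suspicious 'Windows' value under $key"
    }
}

# Settings the worm alters: DCOM enabled and anonymous enumeration allowed
$expected = @(
    @{ Path = 'HKLM:\Software\Microsoft\OLE';                 Name = 'EnableDCOM';        Want = 'N'; Type = 'String' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';   Name = 'restrictanonymous'; Want = 1;   Type = 'DWord'  }
)
foreach ($e in $expected) {
    $cur = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ("$cur" -ne "$($e.Want)") {
        Write-Warning "$($e.Path)\$($e.Name) is '$cur', expected '$($e.Want)'"
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($e.Path)\$($e.Name)", "Set to $($e.Want)")) {
            Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Want -Type $e.Type
        }
    } else {
        Write-Host "OK: $($e.Path)\$($e.Name) = $cur"
    }
}
```

Save it as a .ps1 and run it once to see what is present, then again with -Remediate after the malware scans have finished, since a running dropper will simply recreate the value.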

      • #2804287

        thanks but still infected

        by scriptmx ·

        In reply to Try this

        Thanks for the replies. I did everything you told me: I disabled System Restore, I scanned with Malwarebytes and my antivirus, and everything was deleted, but the stupid file named wmsetup.dll comes back into the %temp% folder, and when I type netstat I see bad addresses that I didn't open. I'm really in trouble 🙁

        • #2804227

          Did you run all the scans in …

          by older mycroft ·

          In reply to thanks but still infected

          SAFE mode?

        • #2804223

          See how you go with this

          by rob miners ·

          In reply to thanks but still infected

          Boot into Safe Mode.

          Click Start, Run and type in cmd then press Enter.


          Type in regsvr32 /u wmsetup.dll where wmsetup.dll is the name of the file that you need to Unregister and press Enter.

          See if this will remove the temporary files.

          1. Click Start, and then click My Computer.

          2. Right-click the disk in which you want to free up space, and then click Properties.

          3. Click the General tab, and then click Disk Cleanup.

          4. Click the Disk Cleanup tab (if it is not already selected), click to select the check boxes next to the files that you want to remove, and then click OK.

          5. Click Yes to proceed with this action, and then click OK.

          You can also try RegRun to remove TR/Dldr.Murlo.NN,Trojan

          http://www.greatis.com/appdata/d/Temp/w/wmsetup.dll.htm

          Keep us informed as to your progress if you require further assistance.


        • #2804207

          scanned but…

          by scriptmx ·

          In reply to See how you go with this

          As I said, I scanned. I tried regsvr32 but it won't remove it; the AV removed it from %temp% but it comes back after 5 minutes and loads itself into %temp% again.

        • #2804205

          Can you post

          by rob miners ·

          In reply to scanned but…

          your HijackThis log file for me. < edit > A new one would be best.
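The thread never gets to what is re-creating wmsetup.dll every few minutes. As an added example (not from any post in this thread), this watcher waits for the file to reappear in %temp% and, at that instant, records its hash and every process holding an outbound TCP connection, which is the same information netstat shows but tied to the moment of the drop. It assumes PowerShell 4 or later on Windows 8 or later (Get-FileHash and Get-NetTCPConnection); the log path is a constructed choice.

```powershell
# Added example (not from the thread): catch the dropper of wmsetup.dll in the act.
# When the file is created in %temp%, log its hash and the processes that have
# established TCP connections at that moment. Stop with Ctrl+C.
$target = 'wmsetup.dll'
$log    = Join-Path $env:TEMP 'wmsetup-watch.log'   # constructed log location

$watcher = New-Object System.IO.FileSystemWatcher $env:TEMP, $target
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true

$action = {
    $path  = $Event.SourceEventArgs.FullPath
    $when  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $lines = @("[$when] $($Event.SourceEventArgs.ChangeType): $path")
    # Hash the dropped file so successive drops can be compared and submitted
    try { $lines += '  SHA256: ' + (Get-FileHash -Path $path -Algorithm SHA256).Hash }
    catch { $lines += '  SHA256: (file locked, could not hash)' }
    # Processes with live outbound connections are the candidates for the downloader
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $lines += ('  pid {0,-6} {1,-20} {2}:{3} -> {4}:{5}' -f `
                $_.OwningProcess, $p.ProcessName, $_.LocalAddress, $_.LocalPort,
                $_.RemoteAddress, $_.RemotePort)
        }
    # $Event.MessageData carries the log path into the event runspace
    $lines | Out-File -FilePath $Event.MessageData -Append
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier WmsetupCreated -Action $action -MessageData $log | Out-Null

Write-Host "Watching $env:TEMP for $target; entries go to $log. Ctrl+C to stop."
try   { while ($true) { Start-Sleep -Seconds 5 } }
finally {
    Unregister-Event -SourceIdentifier WmsetupCreated
    $watcher.Dispose()
}
```

The process that appears in every entry, together with the remote address it talks to, is what to look up in the HijackThis log and submit to the AV vendor.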
