Question

winjpg.jpg and winxp.exe virus

By ani_rins ·
Hi,

My computer has the following virus in the C:\Windows\System32 folder (winjpg.jpg and winxp.exe). Task Manager, msconfig and regedit are all disabled. I booted through a boot CD, found the files and deleted them, but now on restart I get the message "Can not find script file C:\Windows\System32\winjpg.jpg". Also I found some other hidden files in C: which are eexyv.exe, autorun.inf, nds0q.exe and winfile.jpg. What should I do to clean my system of all of them? My McAfee is up to date but does not catch it.


All Answers

run a good anti malware tool like

by PurpleSkys In reply to winjpg.jpg and winxp.exe ...

Malwarebytes - http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button - it's a free program.

A couple of extra steps

by Jacky Howe In reply to winjpg.jpg and winxp.exe ...

Install MalwareBytes as suggested, then update MBAM and your antivirus. Run in Safe Mode with Networking.

With the new strains of virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe.

Removing malware from System Restore points:

When you're infected with any trojans, spyware or malware, they could have been saved in System Restore and can re-infect you. It's best to remove them.

XP
Press the WinKey + r, type sysdm.cpl and press Enter.
Select the System Restore tab and check "Turn off System Restore".

Vista
Press the WinKey + r, type sysdm.cpl and press Enter.
Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.


After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".


If Task Manager has been disabled, this will enable Task Manager and allow access to the Registry.

Command line removal or create Batch files.

Click Start Run and type cmd and then press Enter.

Execute the following commands in the command line in order to activate the registry editor and Task Manager:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

You could also check these registry entries and change the values from 1 to 0 if they are disabled.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"


If MalwareBytes doesn't remove the autorun try this.

Open a Command Prompt by pressing the WinKey + r and then typing cmd in the run box. At the command prompt type the (drive letter): and press Enter.

(drive letter) is the letter of the drive that you are connecting to.

type dir /ah and press Enter.

This will display a list of the hidden files on the drive. Check whether the file Autorun.inf is there and also look for suspicious .exe files.

If the file is there

type notepad autorun.inf and press Enter.

Save the file to another location with the extension .txt, as this will contain the name of the executable file that is being invoked.

Type attrib -h -r -s (drive letter)autorun.inf and press Enter.

Type del (drive letter)autorun.inf


To remove the files from the Registry and the locations that they are invoked from, follow these instructions.

Tip! The executable file will be named in the file that you previously saved with Notepad.


Press the WinKey + r, type in msconfig and press Enter. Click on the Startup tab.

Check the list to find the file that you are looking for, and expand the Location column to see where it is loading from in the registry.

Press the WinKey + r, type in regedt32 and click OK. Browse to the key listed in the Location column of msconfig.

Delete the value on the right hand side only that specifically matches that startup file.

Note the Command column in msconfig. Browse to the folder it shows, and delete the .exe file.

Example:

The Startup tab of msconfig will show you the directory where pop.exe loads from:

Command: c:\Windows\system32\pop.exe

and

Location will guide you to its location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

With the registry editor open, find the Run key in the left window. In the right hand pane you'll see each file that is in the Run key; pop.exe will be there. Right click and Delete the entry for pop.exe.

Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

Repeat these steps for each item that you want to remove.
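As an added example that is not part of any post in this thread: a batch file that strings the command-line steps above together (re-enable Task Manager and regedit, show the Security Center override values, list hidden files, keep a .txt copy of autorun.inf and show the line naming the program it launches, then delete autorun.inf). It assumes the drive letter is passed as its first argument, that it is run from an administrator prompt in Safe Mode, and that autorun.inf sits in the root of that drive; the executable it names is left for the manual msconfig/regedt32 step.

```batch
@echo off
rem Added example, not from the thread: combines the cleanup steps into one .bat file.
rem Usage (assumed): cleanup.bat C:    -- run from an administrator prompt in Safe Mode.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter^>:   for example %~nx0 C:
    exit /b 1
)
set "DRV=%~1"

echo [1] Re-enabling Task Manager and Registry Editor (HKCU policy values)...
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f >nul 2>&1
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f >nul 2>&1

echo [2] Security Center override values (a value of 1 means the firewall/AV alerts are suppressed):
reg query "HKLM\SOFTWARE\Microsoft\Security Center" /v FirewallOverride 2>nul
reg query "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride 2>nul

echo [3] Hidden files in the root of %DRV%\ :
dir /ah "%DRV%\"

if not exist "%DRV%\autorun.inf" (
    echo No autorun.inf found in %DRV%\ - nothing more to do here.
    exit /b 0
)

rem Keep a .txt copy so the program named in autorun.inf can be looked up in msconfig later.
set "SAVED=%USERPROFILE%\Desktop\autorun_%DRV:~0,1%.txt"
copy /y "%DRV%\autorun.inf" "%SAVED%" >nul
echo [4] Saved a copy of autorun.inf to "%SAVED%"
echo     Lines naming the program it launches:
findstr /l /i /c:"open=" /c:"shellexecute=" "%SAVED%"

echo [5] Removing autorun.inf from %DRV%\ ...
attrib -h -r -s "%DRV%\autorun.inf"
del "%DRV%\autorun.inf"
echo Done. Use msconfig and regedt32 to remove the Run entry and the .exe listed above.
endlocal
```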

Solved

by majidbaigs In reply to winjpg.jpg and winxp.exe ...

Download and install Malwarebytes. Run the full scan and restart your PC.
http://www.malwarebytes.org/
