Question

Locked

worms?

By lesterguerzon ·
hi!

this is a weird virus encounter (first time ever!)

i accidentally removed my avira antivirus when i was uninstalling some programs in my win xp pro pc, leaving it off guard. by coincidence, my brother inserted a usb flash, then after checking my pc again, i found out that there are five (5) files appearing whenever i open folders. they keep on appearing on any folder that i open. they have icons of a winrar (filename is back-up), a windows folder (filename is don't delete), a music file, a text file, and an xls file. i think these are worms? they seem to be so, but the computer recognizes them as applications. moreover, i cannot install ANY program anymore! i tried to download an avast home from another computer into my usb and tried to scan my computer, but it keeps on exiting the program.

what should i do? any info? i don't want to reformat my computer! help me please?!

Regards,
Lester.

This conversation is currently closed to new comments.

2 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Well if you can not install anything

by OH Smeg In reply to worms?

You are sort of limited in what you can do. All I can suggest here is trying a Boot Disc to scan the system with but of course without the OS running it is not very likely to pick up much.

Col

Collapse -

Safe Mode by pressing F8

by Jacky Howe In reply to worms?

Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers.

If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

From another System download and install Spybot, update it and copy the the installed folders to a USB Stick. Copy MBAM and the Update as well.

Removing malware from System Restore points
To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore. The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

Default Start Menu XP
If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

Classic Start Menu XP
If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

Vista
Start, right mouse click Computer and select Properties. Select Advanced System Properties, click contine and then System Protection. Untick the box nect to Local Disk C: and click on Turn System Restore off.


After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

Download Malwarebytes Anti-Malware, install it and update it.

<a href="http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe" target="_blank"><u>Malwarebytes</u></a>

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
<a href="http://malwarebytes.gt500.org/mbam-rules.exe" target="_blank"><u>mbam-rules</u></a>

I would keep scanning with it until it is clean by closing out and rebooting and running it again.

Run this Rootkit Revealer GMer
<a href="http://www.gmer.net/index.php" target="_blank"><u>Gmer</u></a>

FAQ
<a href="http://www.gmer.net/faq.php" target="_blank"><u>FAQ</u></a>

Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

and one to turn it off but a System restart is required. Place the Batch file on the USB to turn it off.

reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

Command line removal or create Batch files.

Click Start Run and type cmd and then press Enter.

Execute the following commands in the command line in order to activate the registry editor and Task Manager:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the files extension from .exe. Do the same with Spybot.

One of the ways by which a virus can infect your PC is through USB/Pen drives. Common viruses such as ?Ravmon? , ?New Folder.exe?, ?Orkut is banned? etc are spreading through USB drives. Most anti virus programs are unable to detect them and even if they do, in most cases they are unable to delete the file, only quarantine it. Here are the things which you can do if you want to remove such viruses from your USB drives.

Don?t click on Ok , just choose ?Cancel?. Open the Command Prompt by typing ?cmd? in the run box. In the command prompt type the drive letter: and press enter . Now type dir /w/a and press enter.

This will display a list of the files in the pen drive. Check whether the following files are there or not

Autorun.inf
Ravmon.exe
New Folder.exe
svchost.exe
Heap41a

or any other exe file which may be suspicious.

If any of the above files are there, then probably the USB drive is infected. In command prompt type attrib -r -a -s -h *.* and press enter. This will remove the Read Only, Archive, System and hidden file attribute from all the files. Now just delete the files using the command del filename. example del Ravmon.exe. Delete all the files that are suspicious. To be on a safer side, just scan the USB drive with an anti virus program to check whether it is free of virus or not. Now remove the drive and plug it again. In most of the cases, the real culprit turns out to be the ?Autorun.inf? file which mostly gets executed when someone clicks Ok in the dialog window which appears above. Thus the infections can spread

http://www.whoismadhur.com/2008/01/26/how-to-remove-virus-from-usb-drives/

UnHide Files
attrib -S -H -R /S /D

Back to Malware Forum
2 total posts (Page 1 of 1)  

Related Discussions

Related Forums