Malware

path of a virus

By scriptmx

I'm infected with a virus. When I scan with AV everything gets removed, but when I restart my PC a file named wmsetup.dll comes back into %temp%. I want to know the path of wmsetup.dll that comes back every time I connect to the net. I scanned with ComboFix and these are the files that were removed:

C:\Program Files\Messenger\msgmr.dll
C:\WINDOWS\AppPatch\AcSpecf.dll
C:\WINDOWS\AppPatch\AcSpecf.sdb
C:\WINDOWS\AppPatch\AcXtrnel.sdb
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
C:\WINDOWS\Fonts\Framdee.ttf
C:\WINDOWS\system32\08223B03.dll
C:\WINDOWS\system32\122B901E.cfg
C:\WINDOWS\system32\122B901E.dll
C:\WINDOWS\system32\12B02216.dll
C:\WINDOWS\system32\43ACDCC5.cfg
C:\WINDOWS\system32\43ACDCC5.dll
C:\WINDOWS\system32\4901228.sys
C:\WINDOWS\system32\495271CA.cfg
C:\WINDOWS\system32\495271CA.dll
C:\WINDOWS\system32\4BF9CBA3.cfg
C:\WINDOWS\system32\4BF9CBA3.dll
C:\WINDOWS\system32\4D023DE9.dll
C:\WINDOWS\system32\4F34C688.dll
C:\WINDOWS\system32\58FF3024.dll
C:\WINDOWS\system32\7ADC2AB1.cfg
C:\WINDOWS\system32\7ADC2AB1.dll
C:\WINDOWS\system32\9CA963CA.cfg
C:\WINDOWS\system32\9CA963CA.dll
C:\WINDOWS\system32\A8FC611B.dll
C:\WINDOWS\system32\D91BC61E.cfg
C:\WINDOWS\system32\D91BC61E.dll
C:\WINDOWS\system32\DA63E650.cfg
C:\WINDOWS\system32\DA63E650.dll
C:\WINDOWS\system32\DE02F764.cfg
C:\WINDOWS\system32\DE02F764.dll
C:\WINDOWS\system32\drivers\eth8023.sys
C:\WINDOWS\system32\drivers\HBKernel32.sys
C:\WINDOWS\system32\E3367679.dll
C:\WINDOWS\system32\E4814792.cfg
C:\WINDOWS\system32\E4814792.dll
C:\WINDOWS\system32\EC7DA7DC.dll
C:\WINDOWS\system32\HBBO.dll
C:\WINDOWS\system32\HBCHIBI.dll
C:\WINDOWS\system32\HBmhly.dll
C:\WINDOWS\system32\HBQQFFO.dll
C:\WINDOWS\system32\HBZHUXIAN.dll
C:\WINDOWS\system32\system.exe
C:\WINDOWS\temp\wmsetup.dll

All Answers

Tough one

by vhrocker In reply to path of a virus

With much experience in removing malware I can really only say a few things. There is no "set way" of doing this.

For starters, I would use a selection of tools. HiJackThis, Regedit, and Command Prompt.

HijackThis (a free download) should help you determine what's running or what has been modified in the registry, and can even delete items for you. BE CAREFUL THOUGH!
You might even want to go into the registry yourself with regedit to manually remove some of those items. ALSO BE CAREFUL HERE!

After this you could probably restart (maybe several times) and run your AV again. If files still won't delete, go to the command prompt and use the 'del' command. If necessary, and/or to be safe, go into Safe Mode to be sure nothing is in memory.

Be prepared for at least an hour of work, and if you are not so experienced, possibly more.

Good luck, I hope that helps.

Also don't forget to

by IC-IT In reply to path of a virus

turn off System Restore; many files will reload from there. Once cleaned, reboot into Safe Mode and run your scans again.

Try this

by Jacky Howe In reply to path of a virus

It looks like you are infected with W32.Spybot.OBB. I would recommend MalwareBytes for removal, and turn off System Restore.

Click Start > Run.
Type regedit
Click OK.

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE

In the right pane, delete the value:

"Windows" = "system.exe"

Navigate to the subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

In the right pane, reset the value:

"EnableDCOM" = "N"

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In the right pane, reset the value:

"restrictanonymous" = "1"

Exit the Registry Editor.

Download Malwarebytes Anti-Malware.
http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

Just to be on the safe side, when you finish do an online scan with Bitdefender.
http://www.bitdefender.com/scan8/ie.html

Keep us informed as to your progress if you require further assistance.

If you think that any of the posts that have been made by all TR Members have solved or contributed to solving the problem, please mark them as Helpful so that others may benefit from the outcome.
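
The registry steps in the post above, scripted so they can be checked and applied from an elevated PowerShell prompt instead of clicked through in regedit. This is an added example, not code from the thread or from any of the tools it names; the key paths and values are exactly the ones the post lists, and the `-Apply` switch is my own convention so that a first run only reports what it finds.

```powershell
# Added example (not from the thread): report, and with -Apply carry out, the
# registry changes recommended above. Run from an elevated PowerShell prompt.
param([switch]$Apply)

# Keys the post says carry the value  "Windows" = "system.exe"
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Windows
    if ($null -eq $val) { continue }
    "$key : Windows = $val"
    # only remove the value when its data is the one the post describes
    if ("$val" -match 'system\.exe') {
        if ($Apply) { Remove-ItemProperty -Path $key -Name 'Windows'; "  removed" }
        else        { "  would remove (re-run with -Apply)" }
    }
}

# Values the post says to reset. Note that EnableDCOM=N switches DCOM off for
# every application on the machine, not only for the malware.
$fixes = @(
    @{ Key = 'HKLM:\Software\Microsoft\OLE';               Name = 'EnableDCOM';        Value = 'N'; Type = 'String' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Value = 1;   Type = 'DWord'  }
)
foreach ($f in $fixes) {
    $cur = (Get-ItemProperty -Path $f.Key -ErrorAction SilentlyContinue).($f.Name)
    "$($f.Key) : $($f.Name) = $cur"
    if ("$cur" -eq "$($f.Value)") { continue }       # already at the recommended value
    if ($Apply) {
        Set-ItemProperty -Path $f.Key -Name $f.Name -Value $f.Value -Type $f.Type
        "  set to $($f.Value)"
    } else {
        "  would set to $($f.Value) (re-run with -Apply)"
    }
}
```

Run it once without `-Apply` to see the current data, then again with `-Apply`. If anything on the machine depends on DCOM (some backup and management agents do), check it still works after the EnableDCOM change.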

Thanks, but still infected

by scriptmx In reply to Try this

Thanks for the replies. I did everything you told me: I disabled System Restore, I scanned with Malwarebytes and the antivirus, everything was deleted, but the stupid file named wmsetup.dll comes back into the %temp% folder, and when I type netstat I see bad addresses that I didn't open. Really, I'm in trouble.
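
The "bad addresses" in netstat are the most useful lead in this thread: with `netstat -ano` each connection carries the PID that owns it, and that PID tells you which process is talking to the remote host and whether it has a DLL from the Temp folder mapped. The script below is an added example, not something from the original posts; the DLL name comes from the thread, and the check for any module loaded from a `\Temp\` directory is my own heuristic.

```powershell
# Added example (not from the thread): tie every outbound connection that
# "netstat -ano" reports to its process, its executable path, and whether that
# process has wmsetup.dll (or any DLL under a Temp folder) loaded.
# Run from an elevated PowerShell prompt so module lists of all processes are readable.

$suspectDll = 'wmsetup.dll'      # file name quoted in the thread

$rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
foreach ($row in $rows) {
    $f = $row.Trim() -split '\s+'
    # TCP rows: Proto Local Foreign State PID.  UDP rows have no State column.
    if ($f[0] -eq 'TCP') { $remote = $f[2]; $state = $f[3]; $procId = $f[4] }
    else                 { $remote = $f[2]; $state = '';    $procId = $f[3] }

    # skip listeners and wildcard UDP sockets; only real remote peers matter here
    if ($remote -match '^(0\.0\.0\.0|\*|\[::\]):') { continue }
    if ($state -and $state -ne 'ESTABLISHED' -and $state -ne 'SYN_SENT') { continue }

    $p = Get-Process -Id ([int]$procId) -ErrorAction SilentlyContinue
    if (-not $p) { "{0,-24} PID {1,-6} (process already exited)" -f $remote, $procId; continue }

    # module enumeration can throw for protected or WOW64 processes; treat that as "unknown"
    $mods = @()
    try { $mods = @($p.Modules | ForEach-Object { $_.FileName }) } catch { }
    $hasTempDll = @($mods | Where-Object {
        ([System.IO.Path]::GetFileName($_) -ieq $suspectDll) -or ($_ -match '\\temp\\')
    }).Count -gt 0

    $flag = if ($hasTempDll) { '  <== loads a DLL from a Temp folder' } else { '' }
    "{0,-24} {1,-12} PID {2,-6} {3}{4}" -f $remote, $state, $procId, $p.Path, $flag
}
```

Run it right after the DLL reappears. A legitimate-looking process (a browser, svchost.exe, explorer.exe) flagged as loading a module from Temp is the one to look at: its injected DLL is what keeps re-downloading the file, and the remote address beside it is what to block at the firewall while cleaning up.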

Did you run all the scans in ...

by OldER Mycroft In reply to thnaks but still infected

See how you go with this

by Jacky Howe In reply to thnaks but still infected

Boot into Safe Mode.

Click Start, Run and type in cmd, then press Enter.
Type in regsvr32 /u wmsetup.dll, where wmsetup.dll is the name of the file that you need to unregister, and press Enter.

See if this will remove the temporary files.

1. Click Start, and then click My Computer.
2. Right-click the disk in which you want to free up space, and then click Properties.
3. Click the General tab, and then click Disk Cleanup.
4. Click the Disk Cleanup tab (if it is not already selected), click to select the check boxes next to the files that you want to remove, and then click OK.
5. Click Yes to proceed with this action, and then click OK.

You can also try RegRun to remove the TR/Dldr.Murlo.NN Trojan.
http://www.greatis.com/appdata/d/Temp/w/wmsetup.dll.htm

Keep us informed as to your progress if you require further assistance.

If you think that any of the posts that have been made by all TR Members have solved or contributed to solving the problem, please mark them as Helpful so that others may benefit from the outcome.
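
Unregistering and deleting wmsetup.dll only treats the symptom; something that survives the reboot keeps putting it back. The script below is an added example (not from the thread, HijackThis, RegRun or ComboFix): it performs the regsvr32 /u and delete from the post above, reports which process holds the file if the delete fails, and then walks the autostart locations an XP-era HijackThis log covers, searching them for the file names ComboFix listed in the first post. The `-Apply` switch and the `$iocNames` list are my own; extend the list with anything else your scanner reports.

```powershell
# Added example (not from the thread): remove the dropped DLL, then hunt for
# the persistence that re-creates it. Run elevated, preferably in Safe Mode.
param([switch]$Apply)   # without -Apply the script only reports

# File names quoted in this thread (ComboFix output plus the re-dropped DLL).
$iocNames = 'wmsetup.dll','system.exe','HBKernel32.sys','eth8023.sys',
            '4901228.sys','msgmr.dll','ThunderAdvise.dll','AcSpecf.dll'
$pattern  = ($iocNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Unregister and delete the DLL; if the delete fails, name the process holding it.
$dll = Join-Path $env:TEMP 'wmsetup.dll'
if (Test-Path -LiteralPath $dll) {
    & regsvr32.exe /u /s $dll
    if ($Apply) {
        try   { Remove-Item -LiteralPath $dll -Force -ErrorAction Stop; "deleted $dll" }
        catch {
            "could not delete $dll : $($_.Exception.Message)"
            Get-Process | Where-Object {
                try { @($_.Modules | ForEach-Object { $_.FileName }) -contains $dll } catch { $false }
            } | ForEach-Object { "  loaded by PID $($_.Id) $($_.Path)" }
        }
    } else { "found $dll (re-run with -Apply to delete)" }
}

# 2. Registry autostart values: flag any whose data names one of the files.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # holds AppInit_DLLs
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # holds Shell, Userinit
)
$alwaysShow = @('AppInit_DLLs','Shell','Userinit')   # classic hijack points: print regardless
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($v in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }          # provider bookkeeping, not registry data
        $data = "$($v.Value)"
        if ($alwaysShow -contains $v.Name) { "INFO $k : $($v.Name) = $data" }
        if ($data -match $pattern)         { "HIT  $k : $($v.Name) = $data" }
    }
}

# 3. Services and kernel drivers (eth8023.sys and HBKernel32.sys were drivers).
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $ip = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($ip -and ("$ip" -match $pattern)) { "HIT  service $($svc.PSChildName) : $ip" }
}

# 4. Winlogon Notify packages: DLLs winlogon.exe loads at logon (XP-era persistence).
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($n in Get-ChildItem $notify) {
        $d = (Get-ItemProperty -Path $n.PSPath -ErrorAction SilentlyContinue).DLLName
        if ($d) { "INFO Notify\$($n.PSChildName) : $d" }
    }
}
```

Any `HIT` line is a persistence entry that a previous scan left behind; any `INFO` line whose DLL is not a Microsoft or known vendor file (look at the AppInit_DLLs and Notify entries first) is the likely loader. Remove the entry, delete the file it points to, and only then reboot; deleting wmsetup.dll alone will keep producing the five-minute reappearance the thread describes.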

Scanned but...

by scriptmx In reply to See how you go with this

As I told you, I scanned. I tried with regsvr32 but it won't remove. The AV removed it from %temp%, but it comes back after 5 minutes and loads itself into %temp% again.

Can you post

by Jacky Howe In reply to scanned but...

your HijackThis log file for me. (edit) A new one would be best.
