Virus Removal, Help !

Hi guys

Wondering if somebody can help me out here. My dad's PC has a virus on it, which changes the nameserver in IE to something it chooses, thus sending you to random links (and no doubt earning the writer a portion of the referrals).

But anyway, I know where this virus is. It's in the Temporary Internet Files folder. But nothing can touch it. Every program I use to access the folder crashes. NOD32 crashes, AVG crashes, Windows Explorer crashes, user accounts deletion crashes, Windows Disk Cleanup wizard crashes.

Absolutely everything I do crashes. And it still loads in safe mode. But I can't find the entry in my startup folder to stop it running. Any suggestions? The anti-virus programmes are useless, they just crash when they try and scan the area.
 
Can you manually delete the temp internet files and IE5 folders in safe mode?

Other method (if anti-virus won't play) is to navigate using an internet explorer window, but then end the explorer.exe process.
 
Both methods crash as soon as I get near the user folder.

I can't actually get into the user folder before it crashes.
 
I've tried booting into safe mode with command line access.

I run the delete command, but it doesn't actually delete everything,

even though I've used the *.* switch.

I really don't want to have to format my dad's PC (he has no backups or anything).

Any other pointers on a way to boot into Windows without this virus loading?
 
sounds like there's random crap in your hosts file..?

open that in notepad and look what it's like
 
MrLOL said:
I run the delete command, but it doesn't actually delete everything,

even though I've used the *.* switch.

If the attributes of the file are flagged as hidden, system or read only, the file won't get deleted - try:

attrib -s -h -r *.* && del *.*

Before doing that, though - have you tried HijackThis? That will look in all the startup locations for you (but you have to decide what to get rid of...). Post a log here.
 
=walls= said:
Before doing that, though - have you tried HijackThis? That will look in all the startup locations for you (but you have to decide what to get rid of...). Post a log here.

Yup.

I've actually deleted the user profile and re-created a new one. And totally stripped it bare. There's only about 3/4 entries in HijackThis now. Still hasn't gone.

bledd. said:
sounds like there's random crap in your hosts file..?

open that in notepad and look what it's like

Hosts file is empty apart from localhost. It's actually a trojan, as it crashes every programme that attempts to get near the file. As soon as I head to C:\documents and settings\simon, Windows Explorer crashes within seconds, but doesn't crash when browsing c:\windows etc.

Also AVG crashes when it scans that directory, disk clean crashed when I tried to clear temporary internet files etc.

I know it's in there, but it's a nasty virus and NOD32 can scan, but doesn't pick anything up. AVG does find it, but crashes when it gets to the file. Same as diskclean does.

Any other ideas?
 
Bear in mind, there's some nasty viruses, spyware & malware that's so new there's nothing to locate them or get rid of them. I remember years ago a new nasty on a work PC that nothing shifted, NewGenLook was its name and at the time there was nothing to fix it. It brought hard core porn to the screen and was so invisible nothing would shift it. I got rid of it in the end though... it's called a format. Remember to back up often in case you get a nasty.
 
For the future, once your dad's PC is up and running with all the drivers/programs on, get hold of a program like Ghost, I use Paragon. This can make a perfect copy/image of your drive to a disk or spare hard drive. If you get a nasty virus or whatever you just copy your image back to your PC drive. This might only take a couple of minutes, but WOW, is it quicker than formatting and doing all the installation again.
 
I would give Trend HouseCall a try before the format as you've got nothing to lose and they have the most up-to-date pattern files...

Here
 