Virus help?


Turiel
03-11-2007, 01:43 PM
Hey,

So I have a virus that Symantec AV reports as "Downloader" here:
C:\WINDOWS\system32\__c00A65B8.dat

It cannot repair, quarantine, or delete this file and I'm getting notifications about it every couple of seconds.

I tried the following without success:
- Deleting manually
- Safe mode
- Using a System Restore point
- Booting to a Linux rescue CD (cannot mount the partition because it's Intel software RAID 0, which Linux doesn't support)

Any ideas? Really bugging me.

Đightrain
03-11-2007, 02:01 PM
Can it not delete it because the file is in use? It's been a long time since I used it, but can you force it into DOS and delete it from there? Can't remember if you can delete from there or not... my memory fails =[

Edit: Also, if it is putting the file into use as you get into Windows, you can use HijackThis to delete the process which puts it into use, I think =/

JeFF
03-11-2007, 02:24 PM
I have this operating system called MiniPE-XT that you can run from a CD. With that I was able to delete a file that caused a similar problem. I think MiniPE-XT isn't free software though, so um... *cough*.

Flawless
03-11-2007, 03:17 PM
Symantec AV

Not to derail the topic, but... is that Norton?

BigBadAlex
03-11-2007, 03:25 PM
Download 'Hiren's boot disk v9.1' from any reputable torrent site... it has more useful tools than you will ever need... all without going into Windows :)

Valoran
03-11-2007, 03:27 PM
Not to derail the topic, but... is that Norton?
Yes.

If there's no further information about this "downloader" virus on the Symantec website, then it's probably quite a new virus. I'd suggest running HijackThis and having a look at the log for anything being loaded from the registry's start-up entries that you don't want to be.

Strange that safe mode didn't work though.

Run a search through the registry for the rogue file?

Marcuk
03-11-2007, 06:29 PM
I used this program that removed a file that was in use a while back

http://www.snapfiles.com/get/moveonboot.html

Seemed to work well, but I'm guessing if the virus you have is a "downloader", the file that is listed is most likely just one part. As soon as you remove one part it will "download" another part. Had a pretty nasty virus that did this a while back; the only cure for it seemed to be a format / reinstall.

Does Norton give you any name of the virus instead of just a file and location?

Thordyn
03-11-2007, 07:25 PM
Headbutt a tunnel through the floor.

Flawless
03-11-2007, 07:43 PM
Tried using a different AV to get rid of it?

Ammanna
03-11-2007, 09:43 PM
Boot into safe mode with command prompt. This does not load the GUI, and several viruses that still run in safe mode piggyback on the Windows shell loading. Seeing as you run this website, I'm assuming you're more than capable enough of using the command prompt to delete the file, DOS-style, from there.

AnteroVipune
03-11-2007, 09:59 PM
Headbutt a tunnel through the floor..

Turiel
04-11-2007, 01:57 AM
Fixed it eventually with 'Remove File On Boot' in HijackThis.

Thanks for all the suggestions - no boot disk would work as none of them had the drivers for the software RAID controller, and safe mode with command prompt wouldn't work either.

So Valoran wins teh priaz!
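The two things the thread converges on are finding what keeps the file alive (the process that has it mapped and the start-up entry that reloads it, which is what the HijackThis log shows) and deleting it on reboot before anything can map it again. The following is an added example, not code from the thread or from HijackThis; it assumes PowerShell 2.0 or later (for Add-Type) on an elevated prompt, and uses the path reported in the first post only as sample input. "Delete a file on reboot" in HijackThis and the MoveOnBoot tool linked above both rely on the same Windows mechanism shown in the last function: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request under Session Manager\PendingFileRenameOperations so the Session Manager (smss.exe) carries it out early in the next boot.

```powershell
# Added example (not from the thread). Locate what references a suspect
# file, then queue it for deletion at next boot. Run elevated; PowerShell 2.0+.

# Processes that have the file mapped as a module. A DLL/.dat mapped into a
# live process cannot be deleted, which is why in-Windows deletion fails.
function Find-ModuleOwner {
    param([Parameter(Mandatory=$true)][string]$Path)
    foreach ($p in Get-Process) {
        try {
            $hit = $p.Modules | Where-Object { $_.FileName -ieq $Path }
        } catch { continue }   # protected/system processes refuse module enumeration
        if ($hit) { New-Object PSObject -Property @{ Id = $p.Id; Name = $p.ProcessName } }
    }
}

# Autostart locations that HijackThis also lists. A match here is the
# "startup process" that reloads the file at every logon.
function Find-AutostartReference {
    param([Parameter(Mandatory=$true)][string]$Path)
    $leaf = [regex]::Escape([System.IO.Path]::GetFileName($Path))
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell/Userinit
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'    # AppInit_DLLs
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($v in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }          # provider metadata, not registry data
            if ("$($v.Value)" -match $leaf) {
                New-Object PSObject -Property @{ Key = $k; Value = $v.Name; Data = $v.Value }
            }
        }
    }
    # Browser Helper Objects are registered by CLSID; the DLL is the CLSID's InprocServer32.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($clsid in (Get-ChildItem $bho | Select-Object -ExpandProperty PSChildName)) {
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            if (-not (Test-Path $srv)) { continue }
            $dll = (Get-ItemProperty $srv).'(default)'
            if ("$dll" -match $leaf) {
                New-Object PSObject -Property @{ Key = $bho; Value = $clsid; Data = $dll }
            }
        }
    }
}

# Queue deletion at next boot. MoveFileEx(..., NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
# writes the request to Session Manager\PendingFileRenameOperations; smss.exe
# performs it early in boot, before any process can map the file again.
function Register-DeleteOnReboot {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not ('Win32.Kernel32' -as [type])) {
        $sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
        Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'Win32' | Out-Null
    }
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not [Win32.Kernel32]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $err"
    }
    # Return the queued operations so they can be checked before rebooting.
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations).PendingFileRenameOperations
}

# Usage with the path from the first post (sample input only).
$suspect = 'C:\WINDOWS\system32\__c00A65B8.dat'
Find-ModuleOwner -Path $suspect
Find-AutostartReference -Path $suspect
Register-DeleteOnReboot -Path $suspect   # then reboot
```

Delete-on-reboot removes the one file; it does nothing about whatever wrote it. If Find-AutostartReference turns up a Run value or BHO pointing at the file, remove that entry in the same session (or in HijackThis), otherwise the loader simply fetches a replacement, as the later posts in this thread describe.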

Đightrain
04-11-2007, 02:23 AM
you can use Hijack This

.

Turiel
04-11-2007, 02:27 AM
Hmm, your suggestion wasn't quite there, Nightrain; just clicking 'Fix Item' in HT didn't do it :P

Although I appear to be getting spammed with virus infections - in the last 5 minutes:
Virus name: Downloader
File: C:\WINDOWS\system32\fwohbjyg.dll
Virus name: Downloader
File: C:\WINDOWS\system32\itewwmrh.dll
Virus name: Trojan.Metajuan
File: C:\WINDOWS\system32\nxwpwrnc.dll
Virus name: Trojan.Vundo
File: C:\WINDOWS\system32\rypsrawe.dll
Virus name: Downloader
File: C:\WINDOWS\system32\xkkbnywf.dll

Thankfully Symantec AV was able to quarantine them all on detection this time.

And I *think* I may have firewalled the address where they're coming from.

Flawless
04-11-2007, 02:32 AM
Symantec sucks >.>

Đightrain
04-11-2007, 02:34 AM
I didn't say click "Fix Item", I said delete the startup process like Valoran did ;P

Edit: Stop downloading pr0n; thought you'd have learnt your lesson after the 1st time.

Đightrain
04-11-2007, 02:35 AM
Tuniq Tower cases suck >.>

Fixed

Goonerr
11-11-2007, 05:14 PM
Symantec sucks >.>
.

Bunneh
12-11-2007, 10:40 AM
Ran a check myself today, found Winexplore (not winexplorer) in my system folder. Seems AVG caught it and quarantined it before it could do anything. I've just run S&D and AVG's Rootkit; nothing else found.

I hate the fuckers who make these damn malicious things. Bring back hanging!

Muffy
12-11-2007, 10:52 AM
Headbutt a tunnel through the floor.

lmfao!