Trying to get Rid of a Virus

Oct 25, 2006
11,036
11
91
My friend has a pretty nasty virus that is sucking up a lot of resources and freezing the computer. I'm trying to run the McAfee command line scanner, but every time I run it, I get an error that says "scan.exe is not recognized as a valid executable internal or external file" and it stops. And yes, I've followed the instructions to the letter. How do I get around this?
 
Oct 25, 2006
11,036
11
91
That's the file I'm using. Everything is from the site. Interestingly enough, it runs in normal mode, but not in safe mode. But this virus won't die in normal mode.

 

John

Moderator Emeritus / Elite Member
Oct 9, 1999
33,944
2
81
Thanks for the plugs. :p

1) Boot into normal mode and download/install SUPERAntiSpyware
2) Download/install and run ccleaner
3) Reboot to safe mode w/ networking
4) Disable system restore
5) Run an f-secure and/or Nod32 online virus scan

This should be a good start...
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
And also, at the command line, you may need to maneuver to the C:\McAfee directory before you fire off the batch file. "cd \" switches you to the root of C:\ and "cd McAfee" switches you to the C:\McAfee directory where your batch file is.
 
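The working-directory problem described above (the batch file finds scan.exe only when the prompt is already sitting in its folder) can be avoided by having the batch file locate scan.exe relative to itself. This is an added illustrative batch file, not McAfee's RUNSCAN.bat; the name scan.exe comes from the thread, while the log file name and the pass-through of command-line switches are assumptions.

```batch
@echo off
REM Added example, not the RUNSCAN.bat shipped by McAfee.
REM %~dp0 expands to the drive and folder this batch file lives in,
REM so scan.exe is found whether the file is double-clicked or run
REM from a cmd prompt whose current directory is somewhere else.
setlocal
set "SCANDIR=%~dp0"

if not exist "%SCANDIR%scan.exe" (
    echo scan.exe was not found in "%SCANDIR%"
    echo Put this batch file in the same folder as scan.exe.
    exit /b 1
)

REM Switch into the scanner's folder so any DAT files it expects
REM next to it are also found, then restore the previous directory.
pushd "%SCANDIR%"

REM Pass whatever switches were given on the command line straight
REM through (run "scan.exe" with no arguments to see the real list).
REM scanlog.txt is an assumed name for a log kept beside the scanner.
scan.exe %* > "%SCANDIR%scanlog.txt" 2>&1
set "RC=%ERRORLEVEL%"

popd
echo scan.exe finished with exit code %RC% (see scanlog.txt)
endlocal & exit /b %RC%
```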
Oct 25, 2006
11,036
11
91
Hmm, interesting. It runs in normal safe mode if I double-click the RUNSCAN.bat icon. However, in command mode, it doesn't work when I run the RUNSCAN.bat command. However, if I just run scan.exe, it lists out all the available commands, meaning it works.

Also, Runscan.bat brings out the error "Scan.exe is not recognized as an internal or external command, operable program or batch file."

 
Oct 25, 2006
11,036
11
91
Okay, I've isolated the two files. They are:

c:\WINDOWS\system32\iifgf.dll
c:\WINDOWS\system32\khfefff.dll

Antivir, Kaspersky, and McAfee Command Line can't delete them. I've tried running them in safe mode and normal mode. I've tried Killbox, but it can't delete them either. I think a reformat is in order...
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
If it's that bad, reformatting and getting the system secure might be worth it. But I'd be curious to know what type of malware it is. Any chance you could email me copies of those .DLL files to mechbgon originpoint com? Any idea where the infection originated from (PM if preferred)?


Also, if you still want to remove the files,

1) boot from the WinXP CD and start Windows Setup.

2) choose the Repair option, let it go a little further, and pick the Recovery Console when that choice comes up

3) at Recovery Console, use the password for the Administrator account (which may be blank, just hit ENTER)

4) now you can use the del command to delete files in the current directory, and the cd command to change directories.
 
Oct 25, 2006
11,036
11
91
Ehh, apparently, my friend was browsing Gaia Online and doing some trading, and suddenly, something downloaded itself. Then the computer crashed. On next reboot, the computer was going crazy.

And also, exactly how do I send them? Just zip them and send them through gmail?

 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: tenshodo13
And also, exactly how do I send them? Just zip them and send them through gmail?

Yeah, and you'll probably need to password-protect the Zip file to prevent them getting nuked by the email servers. Just LMK the password. If nothing else, I can get them onto CastleCops' malware listserv to be distributed to many security companies, if they're not getting detected by some companies yet.

 
Oct 25, 2006
11,036
11
91
Oh, the viruses are getting detected. The antivirus just can't do anything about them.

And I'm trying, but I'm having a hard time keeping the computer stable enough to isolate the files into a manipulable form.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Those two files are with Spyware Quake.

Assuming you have either Win2k or XP2:

1. Download SmitFraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Save it to your Desktop.
Reboot into Safe Mode
Select Option #2
Answer YES to the questions
A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, do it yourself manually by rebooting into Safe Mode so it can finish.

When it's done, there will be a log created named rapport.txt

2. You can run RogueRemover afterwards although SmitFraudFix probably will have deleted Spyware Quake. Read the log from SmitfraudFix (rapport.txt) to check.
http://www.malwarebytes.org/rogueremover.php

3. You should run Superantispyware-Free afterwards.
http://www.superantispyware.co...d=SUPERANTISPYWAREFREE
Update it first and then perform a "Complete Scan"
You can review the log when it's finished.