Worm
swpui asked:
Anyone know where the worm is hiding? When I turn on the PC, whenever there is an internet connection, a message pops up: 'Cannot find C:\Documents and Settings\vchoong\hfhmy.exe' because my Trend Micro deleted the exe. If I turn the PC off and on again, a different message pops up saying it can't find another exe: 'Cannot find C:\Documents and Settings\vchoong\qfgpfmf.exe'. The worm keeps coming in although it has been deleted by Trend Micro. It must be some payload hiding in the PC, any idea? Can I find it in regedit?
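The regedit check the asker is wondering about, as an added example that is not from any poster in this thread: a read-only PowerShell script that lists the values under the usual Run/RunOnce autostart keys and flags any whose target file no longer exists (which is what produces a "Cannot find ...\xxx.exe" message at logon once the antivirus has deleted the file) or whose target sits under a RECYCLER folder. The key list and both path heuristics are assumptions of this example, not something the thread supplies; the script reports and changes nothing.

```powershell
# Added example (not from the thread). Read-only: it only reports; it deletes nothing.
# Assumed key list: the common Run/RunOnce autostart locations for machine and current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty attaches to every result; not real autostart values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$Command)
    # Recover the executable path from a Run value: honour a quoted path,
    # otherwise take everything up to the first ".exe", else the first token.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '(?i)^.*?\.exe')
    if ($m.Success) { return $m.Value }
    return ($cmd -split '\s+')[0]
}

function Get-SuspiciousAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $metaProps -notcontains $_.Name }
        foreach ($p in $props) {
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath ([string]$p.Value)))
            $flags = @()
            # Target gone: the autostart entry outlived the file the AV removed.
            if ($exe -eq '' -or -not (Test-Path -LiteralPath $exe)) { $flags += 'MISSING-TARGET' }
            # Heuristic (assumption): a binary under a recycle-bin folder is not a normal autostart.
            if ($exe -match '(?i)\\RECYCLER\\|\\\$Recycle\.Bin\\') { $flags += 'IN-RECYCLER' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Exe = $exe; Flags = ($flags -join ',') }
        }
    }
}

# Show every entry, flagged ones first; investigate the flagged rows before deleting anything.
Get-SuspiciousAutostarts | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a flagged row names the registry value that an orphaned or recycler-resident autostart lives under.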
Scan with Prevx; this should help you here.
http://evowww.prevx.com/homeandfamilyusers.asp?units=1&duration=year&val=free#configurator
ASKER
samithsukumar, attached HijackThis log file for you to analyse.
hijackthis.log
Use CCleaner to clean the PC and restart. Let me know the result.
Ref:
http://www.filehippo.com/download_ccleaner/
I'm not that sure if a temp file and internet cache cleaner is able to deal with a worm.
Just out of curiosity I would give the free (!!!) Prevx scanner a try (specialized to remove all malware on a computer).
http://www.prevx.com/
Btw. your HijackThis file appears clean.
ASKER
Detected by Kaspersky and Prevx but cannot be cleaned because it is active!!
Detected: virus P2P-Worm.Win32.Palevo.jvq, File: \\192.168.0.60\c$\RECYCLER\S-1-5-21-1988609988-8299648992-126307479-7096\dllrun32.exe
Any idea how to inactivate it, then clean?
Is that your IP? 192.168.0.60
It's hiding in the recycle bin, nice...
Boot into safe mode and remove with Kaspersky.
http://www.malwarebytes.org/forums/index.php?showtopic=14702
Or buy a license from Prevx if the free scanner doesn't remove the threat.
ASKER CERTIFIED SOLUTION
Please download ComboFix by sUBs and attach the logfile to make sure it's clean.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop.)
You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If needed, here's the ComboFix tutorial, which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ASKER
The worm can be removed, but after removal, when you restart the PC, you've got to go into safe mode to manually delete the infected folder in the RECYCLER. This will completely clear it.
Ref:
Download Hijackthis from
http://free.antivirus.com/