Solved

Virus cannot be removed

Posted on 2011-03-17
Last Modified: 2012-05-11
Hi guys,

I have 4 Windows XP machines in my network, and all of them are infected with an unknown virus.
I have tried AVG, Malwarebytes and Microsoft Security and they didn't work. I also created a Kaspersky bootable CD and it said "No virus found", and I tried Conficker tools but they just said "no virus found". The problem is that I cannot access any computer or shared folder: Start -> Run -> \\computer1 starts asking for a password, and when I type the password it just says it didn't find the domain. Physical connectivity is fine. All the computers have a service with a strange name, like in the picture.

Basically I would like to know how to remove it without formatting my PC?
Question by:nttech
11 Comments
 
LVL 4

Expert Comment

by:ucando1
ID: 35162076
Back up and reinstall XP. If there is a bug that was removed, it may have damaged sys files, and a clean install is the best option anyhow.
 

Author Comment

by:nttech
ID: 35162132
Thanks for your reply.

This option is not the best way to go, for 2 reasons.

I don't know where the virus is, so when I transfer the backup or data back it may affect my computers again.

The second reason is that I now have 12 machines infected and it can take me a week to rebuild these machines.
 
LVL 76

Expert Comment

by:arnold
ID: 35162753
Boot the system in safe mode and navigate to c:\windows\prefetch.
Clear the stuff from there, excluding the layout.ini file.
See if that helps.
While in safe mode you could delete the service:
http://geekswithblogs.net/shahedul/archive/2006/10/13/93984.aspx
 
LVL 27

Expert Comment

by:Jonvee
ID: 35163198
Try running an Eset online scan, it has proved to have been effective when other scanners have failed:
http://www.eset.com/online-scanner

If no improvement, try Hitman Pro, a second opinion scanner:
Hitman Pro http://www.surfright.nl/en/hitmanpro
 
LVL 27

Accepted Solution

by:
Jonvee earned 500 total points
ID: 35163223
If those two scanners find nothing, there's still ComboFix! We could take a look at the resulting log file to see if any infection has been "deleted", then decide if a re-run with a script is necessary.

Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, or Shields that you may have running.
It may also be necessary to rename ComboFix.exe before saving it to your desktop.  
If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine.

Double click "combofix.exe" (or the renamed ComboFix.exe) and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
Please post that log here.

ComboFix must be run in normal mode.

Should you need it, a guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Author Comment

by:nttech
ID: 35163383
Thanks guys, I will do it and I'll let you know the result.
Cheers
 
LVL 4

Expert Comment

by:coolcurrent4u
ID: 35163717
Try Avira antivirus. When installing it, set the install option to custom, and set the detection mode to High Heuristic. I am using Avira Premium, and it is very effective.

Also, just to be sure, make sure the virus is not transferred by one of your users; restrict USB drive access for the meantime.

And make sure the file you are trying to access is present and is accessible.

Download HijackThis, scan your system and post the log here for help.

Also download a process viewer, scan, and post the screenshot of the file list here for help.
 
LVL 6

Expert Comment

by:mkuehngoe
ID: 35164002
Try the Microsoft removal tool for malicious software. In most cases this will get the stuff (looks like a trojan).
 
LVL 23

Expert Comment

by:edbedb
ID: 35164483
I don't think it will solve the issue but you could just delete that entry in the Autoruns list. That should remove the service and it can't hurt anything because the target file is missing anyway.
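
Added example, not part of the thread: one way to list every service whose target file is missing, as in the Autoruns entry discussed above, so the same check can be repeated on each affected machine. It assumes PowerShell 2.0 is installed on the Windows XP hosts; `Get-ExePath` is a helper name made up for this sketch.

```powershell
# Added example: report services whose executable or ServiceDll is absent on disk.
# Uses only PowerShell 2.0 features so it can run on Windows XP with PowerShell installed.

function Get-ExePath([string]$PathName) {
    # Win32_Service.PathName may be quoted, or unquoted with trailing arguments.
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    $p = $p -replace '^\\\?\?\\', ''                     # drop an NT "\??\" prefix
    if ($p -match '^"([^"]+)"') { return $Matches[1] }   # "C:\dir with space\x.exe" -arg
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

$report = foreach ($svc in Get-WmiObject Win32_Service) {
    $exe = Get-ExePath $svc.PathName
    $dll = $null

    # Services hosted in svchost.exe keep their real code in Parameters\ServiceDll.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $prop = Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue
    if ($prop) { $dll = [Environment]::ExpandEnvironmentVariables($prop.ServiceDll) }

    $missing = @()
    if ($exe -and -not (Test-Path -LiteralPath $exe)) { $missing += $exe }
    if ($dll -and -not (Test-Path -LiteralPath $dll)) { $missing += $dll }

    if ($missing.Count -gt 0) {
        New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
            Missing     = ($missing -join '; ')
        }
    }
}

$report | Select-Object Name, DisplayName, StartMode, State, Missing |
    Format-Table -AutoSize
```

A service listed here is a candidate for review, not proof of infection: an uninstalled program or a scanner that already deleted the file leaves the same orphaned entry. A `Parameters` key that the current account cannot read is skipped silently, so run it from an administrator session.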
 

Author Comment

by:nttech
ID: 35177334
Hi guys,

I tried all your suggestions and I couldn't clean it up, for 2 reasons.
The virus is on the server and every time users try to open a mapped drive, they get infected.
Second reason: these computers are running an application that needs to run using IE 7, so they are not getting updates from Windows. I called AVG support and they advised me that one of the reasons this virus is attacking me is because we didn't patch the computers running XP. Computers running Windows 7 are fine.

In the end I created a virtual machine running Windows 7 and everything looks OK. It's a temporary solution, but it will give me time to think about how to fix it. Thanks everyone for your answers.
 

Author Closing Comment

by:nttech
ID: 35177341
read above