Hi guys! I badly need your help!

Yesterday, I caught something while surfing (I opened an .exe file like an idiot, without thinking about it!). Moments after that, 3 porn icons appeared on my desktop and my antivirus (avg) went crazy with many notifications of infections. I was getting a popup notification each and every 5 minutes about some spyware stuff too (see below). After fighting with the virus for a few hours, I decided to format my hard drive (only the 'C').

Once I did that this afternoon, everything was going smoothly until I executed the Windows Live Polygamy executable (since me and my g/f always use Messenger, we need this little application that worked before the formatting). Right after that, the 3 porn icons resurrected from the dead and appeared on my desktop again! The popup notification is also back and here's what it's saying :

"Microsoft software removal tool"
Your computer can ben infected with spying progrmas (spyware). It is recommanded that you run a quick system check now.

***(screenshot included)***

What can I do to get rid of this guys?
Thank you VERY much!

The culprit is obviously that Windows Live Polygamy executable. Remove that from the computer ASAP. Where did you get that program, exactly where?
Do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot the computer

Download and run a Full System Scan with HiJackThis and save the log.
Post back here with all three logs. Please copy/paste them.

I took it from this website : ht tp://mess.be/

I'll do the steps you told me and let you know!
Thanks a lot!

Alright!
I've done the scan with Malwares but the online one with Internet Explorer isn't working (server not found?). Here are both Malwares and HJthis logs :

Malwarebytes' Anti-Malware 1.40
Version de la base de données: 2551
Windows 5.1.2600 Service Pack 2

2009-08-26 16:55:31
mbam-log-2009-08-26 (16-55-31).txt

Type de recherche: Examen complet (C:\|)
Eléments examinés: 97977
Temps écoulé: 20 minute(s), 49 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 1
Clé(s) du Registre infectée(s): 6
Valeur(s) du Registre infectée(s): 17
Elément(s) de données du Registre infecté(s): 3
Dossier(s) infecté(s): 1
Fichier(s) infecté(s): 17

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
c:\WINDOWS\system32\evdoserver.dll (Backdoor.Bot) -> Delete on reboot.

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5db5ec15-cb84-42c7-9004-73ddd9076b04} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5db5ec15-cb84-42c7-9004-73ddd9076b04} (Trojan.BHO) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
c:\WINDOWS\system32\evdoserver.dll (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2PUDHZ9E\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6M6JP9A0\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6M6JP9A0\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F3HMXQ12\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XYAXLN1R\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD457655-D1C7-4B55-96A9-01B50E448FEB}\RP13\A0001945.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD457655-D1C7-4B55-96A9-01B50E448FEB}\RP13\A0001949.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD457655-D1C7-4B55-96A9-01B50E448FEB}\RP13\A0001951.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT5F.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:02:25, on 2009-08-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dvdpaly.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\system32\wiawow32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.fr/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.fr/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.softneoweb.com/icleaner/uninstall.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Ultimate Edition 2.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: MSN helper - {5DB5EC15-CB84-42c7-9004-73DDD9076B04} - westkj.dll (file missing)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251285559656
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe

--
End of file - 4441 bytes

I can already tell that the popup isn't appearing every 5 minutes now!

While your MBA-M program DID remove infections, you used an out-of-date database, 2551. The most current one is 2700. You always need to update the program before running a scan. Please update the program and run another scan just to be certain.
Can I ask where you are located? Your logs appear to be in French. Not that they won't work I just am wondering why.

I was just about to tell you something about this. I can't update my antivirus, re-install Windows Live Messenger or update anything at all for that matter! And I'm not connected to a router... May the virus be the cause of this?

I live in Quebec, Canada. The French thing is normal! :)

ps I'm having this error (0x8104000b) when trying to install Messenger with the windows live installer. It's telling me I'm not connected to the internet...

Certainly the virus may be causing this inability to do updates. Have you tried all this SINCE running MBA-M or was this before?

Had to ask about the language in the scans. I am in the US but I realize all who post here are not, but occasionally we will have somebody mistakenly download the wrong language version for the program they are using and I just wanted to be certain.

Yep, AVG isn't working, MBA-M and Messenger too. I just tried them again.

With Malwares, the status progress just stays at 0%. Nothing happens. AVG is giving me an error message after a while.

Check this:
This error can occur if you have Windows Live Family Safety installed and running on your computer. This application may be blocking the download of Windows Live Essentials installation files.

1. Start Windows Live Family Safety and make sure you are logged in.
2. Start Windows Live Family Safety and turn off the filter.
Run Windows Live Essentials setup again and select 'Ignore any open programs' if you get to the screen titled 'Please close these programs'.

I've never heard of Windows Live Family Safety. I doubt I have it on my computer. In my Windows Live folder in the programs menu, I only have Windows Live Call now that I have deleted Messenger.

It appears, after looking through your HJT log, that you still have at least two trojans running on the system.
Do this:
Download ComboFix. You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET.

At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run, and when it has finished you will see the Disclaimer screen. You should press the number 1 key and then press the Enter key to continue.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

Post back here with that log.
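A triage sketch for the two logs posted above, added here as an example and not part of any post in this thread: it cross-references the file paths Malwarebytes reported as removed against the "Running processes" section of the HijackThis log taken seven minutes later, and also flags any process image that is not an .exe. The function names are hypothetical, and the sample text is an abridged excerpt of the posted logs.

```python
import ntpath
import re

# Abridged excerpts of the two logs posted in this thread.
MBAM_LOG = r"""
Fichier(s) infecté(s):
c:\WINDOWS\system32\evdoserver.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dvdpaly.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\system32\wiawow32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr
"""

# "<drive path> (<family>) -> <action>"; registry lines start with HKEY_ and are skipped.
MBAM_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$",
    re.MULTILINE,
)


def parse_mbam(text):
    """Map lower-cased file path -> (family, action) for every file/folder detection."""
    return {
        m["path"].lower(): (m["family"], m["action"].rstrip("."))
        for m in MBAM_LINE.finditer(text)
    }


def parse_running(text):
    """Return the image paths listed under 'Running processes:' (up to the first blank line)."""
    procs, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            procs.append(line)
    return procs


def triage(mbam_text, hjt_text):
    """List running images that MBAM claimed to remove or that are not .exe files."""
    flagged = parse_mbam(mbam_text)
    findings = []
    for image in parse_running(hjt_text):
        reasons = []
        hit = flagged.get(image.lower())  # 8.3 short paths (PROGRA~1) will not match
        if hit:
            reasons.append(f"MBAM reported {hit[0]} ({hit[1]}) but the image is still running")
        ext = ntpath.splitext(image)[1].lower()
        if ext != ".exe":
            reasons.append(f"process image has '{ext}' extension instead of .exe")
        if reasons:
            findings.append((image, reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in triage(MBAM_LOG, HJT_LOG):
        print(image)
        for r in reasons:
            print("   -", r)
```

Neither check flags sofatnet.exe, which is named later in the thread; a removed-but-still-running match only shows that something is restoring or respawning the file, not everything that is present.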

Are you sure this software is working? Here's the message I got after a few seconds (see picture). The software closed by itself right after.

Ok, remove it and try again from HERE. But before you try again go to Task Manager and if you see these two listings, Stop them
sofatnet.exe
wiawow32.sys
Then try to download the new combofix file.

The link isn't working.
For the 2 listings, they were both there. Even when I close it, wiawow32.sys comes back the very next second.

Did you get this message when you downloaded Combofix or when you clicked on it?

When I clicked on it, a small progress bar activated, and few secs after it was completed (maybe 20), the message appeared.

If you have the virut infection there is nothing that can be done other than a reformat.

Alright I will do that then!
Just to be sure, my other hard drives should be safe, right? I just have to format the C..

Ok, do it this way:
Please download ComboFix from Here or Here to your Desktop

During the download, rename Combofix to Combo-Fix as follows:
When the box asking where to save the file comes up you will be given a chance to list the file name. That is where you will rename it to Combo-Fix.

Once it is on your desktop with that new name try to follow the previous instructions

Unfortunately, the same thing happens... (the 2nd link only was working for me)

Then I guess a reformat is the only answer.

Alright, I'll format my 'C' hard drive later on.
Thanks a lot for your time, I appreciated it!

I formatted earlier today and reinstalled many things.. but right after I tried to install Mirc, I got an error about the .exe file and the icons appeared again on my desktop..

I formatted AGAIN and now I want to be sure I got rid of it. I'm kinda afraid of installing software with .exe already downloaded on another hard drive on my cpu... What should I do? Thx a lot!

Look, this file is OBVIOUSLY the problem; this is multiple times now this program has infected the computer. Where exactly are you getting these files to install? Because wherever it is, it most definitely has infection built into its downloads.

Those files have been on my computer for a while (from a few months to many years)! That's why I don't get it! I think I'll delete them all and just download them again to be sure..

When you have had infection such as this it is ALWAYS wise to get rid of ALL files related to the infection and download new ones. Just be sure to go to a legitimate site, one with a very good reputation AND scan each and every install file before installing.

Alright thank you again! I've deleted all my software installation .exe files. I've run a full Malwares and AVG scan and everything seems alright.

Ok, please pick good clean sites to download your software, or you will have this again.
When you download scan each file before you install.
For Microsoft stuff, go there.
You can scan each downloaded file very easily with MBA-M by the way. Works great.

Also install SpywareBlaster. It protects the computer, has a good restricted sites section and protects against tracking cookies, spyware, adware, bad activex programs and it doesn't run in the background. Download, install, update and enable all. Then close the program. It interferes with NOTHING because it doesn't run, but it DOES protect.

Alright! I will install it! Thx again!
