0

I am trying to fix a computer that apparently has the WPP virus. The guy that owns it said it just showed up and he thought he had removed it... translation... he removed a lot of files and now I'm not sure what's left or if the error messages I'm getting are the result of the virus or his "fixing" it. I'll give you the background on it:

The laptop is running Windows XP. When he gave it to me to fix he said it was booting into normal mode, but when I booted it the first time I could only get it into Safe Mode. It will run Safe Mode with Networking through an Ethernet connection. I could not get any kind of anti-malware, anti-spyware, or antivirus to run. He was using SuperAntiSpyware as an antivirus... no other protection. Not only that, the SAS hadn't been updated for a month or so. I was able to run Kaspersky Rescue Disk from a burned CD, booting first to the CD-ROM. I could not get a log to save, so I ran it again and wrote down everything it found. Here's the list:

Trojan.Downloader.SWF.Gida.a
Virus.Win32.Parite.b
not-a-virus:Adware.Win32.BHO.gkp
Packed.Win32.Krap.ah
Virus.Win32.Virut.ce
Trojan.Win32.Agent2.clzx
Packed.Win32.Krap.af
Trojan-Downloader.Win32.Klever.at
Trojan.Win32.FraudPack.ztd
Trojan-Downloader.JavaAgent.ab
Packed.Win32.Krap.w
Virus.Win32.Virut.ce
Trojan.Win32.FraudPack.zgr
P2P-Worm.Win32.Vilsel.mcg
Packed.Win32.TDSS.z
Trojan-Downloader.Win32.Klever.ah
Trojan.Win32.Koblu.bdl
Packed.Win32.Koblu.c
Trojan.Win32.Koblu.bkm
Trojan.Win32.Koblu.bdm
Backdoor.Win32.Delf.rmm
Trojan-Spy.Win32.Gologger.20.ab
Backdoor.Win32.Bredolab.azc
Trojan.Win32.Pincav.lym
Trojan-Downloader.Win32.Small.aohr
Packed.Win32.Katusha.g
Trojan.Win32.Pasta.dha
Trojan-Downloader.Win32.Genome.xbc
Trojan-Downloader.Win32.Small.aohr
Virus.Win32.Virut.ce
Trojan-PSW.Win32.Kates.c

I can't get into any .exe files. I have tried and it just sits there. I haven't tried Safe Mode with Command Prompt, but I'm hoping it'll work since the other Safe Modes are. Can someone help with the next step? I have read other posts about using ComboFix, but I have also read in ComboFix's tutorial not to use it unless you have someone who knows how to use it and what to look for. So I came here. Also, the guy doesn't have his CDs and didn't make a recovery CD... big surprise. So wiping the drive isn't an option. I've dealt with other viruses, but this WPP seems to be a doozy of a rootkit, so I know I need guidance with this one. I appreciate the help!

3 Contributors, 6 Replies, 7 Views, 7 Years Discussion Span, Last Post by azarzycki
0

First of all, ComboFix is NOT available right now due to a problem with the program. DO NOT attempt to download it at all. Please heed this warning from BleepingComputer:

ComboFix is not available for download until an issue with the program has been resolved. Please be patient while the developer fixes the program and makes it available once again. As more information becomes available, we will update this page.

DO NOT attempt to download ComboFix from sites other than BleepingComputer.com and Forospyware.com!

Other sites hosting ComboFix are not authorized mirrors and are hosting outdated copies of ComboFix that contain a bug that may render some machines unbootable. Using unauthorized mirrors of ComboFix puts your computer at risk of not booting again. Please wait for the official version to be fixed and released again.

Try this:
Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, double-click on gmer.exe, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log in your next reply.

0

> First of all, ComboFix is NOT available right now due to a problem with the program. DO NOT attempt to download it at all. Please heed this warning from BleepingComputer
>
> Try this:
> Download gmer.zip: http://www.gmer.net/files.php
> Unzip the file, double-click on gmer.exe, select the Rootkit tab and click the Scan button.
> When the scan is completed, click the Save button and save the results as gmer.log.
> Warning! Please do not select the "Show all" checkbox during the scan.
> Post the log in your next reply.

I just got home from work. I'll run the scan tonight and post the log as soon as it's done. Thanks.

0

> I just got home from work. I'll run the scan tonight and post the log as soon as it's done. Thanks.

I renamed it so the rootkit wouldn't detect it... didn't work. Now I can't get any executable file to run. When I try to run any application, the "Open with" box opens. Any ideas from anyone? This is extremely frustrating. I can actually see what this darn thing is doing... just not where it's coming from.

0

Please follow these steps to get executable files to run again:

Start > Run
Type: cmd
You will be taken to a command window; type
assoc .exe=exefile
and press Enter, then try to open gmer.exe again.

If you still can't open it, rename gmer.exe to gmer.com.

Good luck

Edited by johnn2009: add
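As an added illustration of the assoc fix above (not part of the thread), a batch file that first shows what the .exe association currently points to, then restores the Windows XP defaults. The registry paths and default values are the stock XP ones; nothing about the infection itself is assumed.

```batch
@echo off
REM Added example, not from the thread: inspect the .exe association that the
REM "Open with" prompt indicates is broken, then restore the stock XP defaults.
REM Assumes reg.exe is present (it ships with XP) and cmd was opened via Start > Run.

echo === Current state ===
assoc .exe
ftype exefile
reg query "HKCR\.exe" /ve
reg query "HKCR\exefile\shell\open\command" /ve
echo.
echo Expected values:  .exe=exefile   and   exefile="%%1" %%*
echo Anything else in the open command is the file intercepting every program
echo launch; record that path for the cleanup before overwriting it.
echo.

set /p ANSWER=Restore the default .exe association now? (Y/N) 
if /i not "%ANSWER%"=="Y" goto :eof

REM Restore the association and the open command in both places Windows reads them.
assoc .exe=exefile
ftype exefile="%%1" %%*
reg add "HKCR\.exe" /ve /t REG_SZ /d "exefile" /f
reg add "HKCR\exefile\shell\open\command" /ve /t REG_SZ /d "\"%%1\" %%*" /f
echo Done. Try launching gmer.exe again.
```

If the open command was pointing at a file other than the program itself, that path is a lead for the malware scan, not something to delete blindly.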

0

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista, right-click on it and Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* If the tool does not run from any of the links provided, please let me know.


Do not reboot the computer; you will need to run the application again.

0

> Please download Rkill by Grinler and save it to your desktop.
>
> Link 2
> Link 3
> Link 4
>
> * Double-click on the Rkill desktop icon to run the tool.
> * If using Vista, right-click on it and Run As Administrator.
> * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
> * If not, delete the file, then download and use the one provided in Link 2.
> * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
> * If the tool does not run from any of the links provided, please let me know.
>
> Do not reboot the computer; you will need to run the application again.

I'm having to download the software to my computer and then put it onto the other one. So if I save it to my flash drive, and then run it, will it work?
