Help Needed With Removing Virus

Last night I thought I'd have one more go at deleting it using some of the tools recommended here. I tried the CureIt AV, but this time copied it to my desktop and ran it from there instead of clicking 'run' straight from the website. Anyway, it worked - or so I thought. It deleted 30 odd nasties, but there were 3 or 4 it said were 'uncurable' so it 'moved/quarantined' them.

Feeling a bit happier, I decided to call it a day and look at things afresh in the morning, so closed down my PC for the night. This morning, I reran my Norton AV scan and this time it found nothing at all. I then reran the CureIt AV scan and it too came back with nothing.

However, when I then tried to look again at the Avira Antivir, Trend and Kaspersky tools recommended here, it seems I'm still being blocked and could not open the web pages.

So, my questions are:

1) How can I confirm I still have something on my PC, and how do I confirm what and where it is? At the moment, the only sign is that I seem to be blocked from certain AV sites.

2) What does 'quarantining' actually do and mean?

3) Symantec recommended reloading XP, deleting a load of stuff, updating definitions, deleting values from the registry. Unfortunately, I didn't make a note of all the recommended commands and instructions - if I follow the recommendations to reload XP, will this be enough on its own to get rid of it, or will it still be lurking somewhere on my PC and simply reinfect my new XP version?

4) Could this be related to the dreaded Conficker virus I keep reading about? Symantec originally listed the 3 items as 'infostealer.bank.c', but this doesn't seem to be one of its aliases.
 
it seems I'm still being blocked and could not open the web pages.
Yes, you are ...

First of all, Turn off system restore then follow these destructions ... (do not turn on system restore until I say so)

Make sure all browser Windows and other applications (including email) are closed.
Right-click the Internet Explorer icon on the desktop.
Choose 'Properties'.
Click the 'Security' tab.
Click the 'Trusted Sites' icon to highlight ... Also check 'Restricted Sites'
Click the 'Sites' button to review the list of sites included.
If you see an unwanted site on the list, click once on the site link displayed to highlight it, then click the 'Remove' button.
When finished viewing or modifying the Trusted Sites list, click OK and then click Apply (if any changes were made).
Click OK to exit the Properties menu.

Next, we need to check your "Hosts" file, you should find it ...

Open/Run Notepad as administrator, then File > Open and paste in ... C:\Windows\System32\drivers\etc\hosts

The host file should look like this ...

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost



DELETE ANYTHING else you see ... then save ... nothing else should be in the host ... that is my HOST file I pasted here. ;)

Now, let me know if anything was found ... then try and visit one of the online scanners we recommend.

Disclaimer; Please note ... if anything goes wrong, you were the one following my instructions, I ain't gonna take any skip if you screw up.

Once we see that you have passed at least two of the online scanners, then you can setup a restore point again. :thumb:
 
muckshifter said:
Disclaimer; Please note ... if anything goes wrong, you were the one following my instructions, I ain't gonna take any skip if you screw up. :thumb:
Always good to get that bit in!
 
Thanks for the info muckshifter - I've printed the destructions and will give it a go later this evening (when I'm not being pestered by wife & kids!)

I'll report back - watch this space!!
 
Okay, managed to get rid of the kids for 5 minutes! I have got the contents of my host file. It doesn't look much like yours and has tons of websites in it! Just thought I'd run it past you before deleting anything. Mind you, it looks like more of a case of what NOT to delete rather than what I should delete. Here it is:

127.0.0.1 viruslist.com


127.0.0.1 *symantec*
127.0.0.1 *avast*
127.0.0.1 *avira*
127.0.0.1 *nod32*
127.0.0.1 *eset*
127.0.0.1 *pandasecurity*
127.0.0.1 *agnitum*
127.0.0.1 ********downloads4.kaspersky-labs.com
127.0.0.1 ********downloads3.kaspersky-labs.com
127.0.0.1 ********downloads2.kaspersky-labs.com
127.0.0.1 ********downloads1.kaspersky-labs.com
127.0.0.1 ftp://downloads4.kaspersky-labs.com
127.0.0.1 ftp://downloads3.kaspersky-labs.com
127.0.0.1 ftp://downloads2.kaspersky-labs.com
127.0.0.1 ftp://downloads1.kaspersky-labs.com
127.0.0.1 ********www.secuser.com
127.0.0.1 a188.x.akamai.net
127.0.0.1 liveupdate.symantec.d4p.net
127.0.0.1 ftp.nai.com
127.0.0.1 www.grisoft.cz
127.0.0.1 www.grisoft.com
127.0.0.1 free.grisoft.cz
127.0.0.1 tds.diamondcs.com.au
127.0.0.1 ieupdate.gdata.de
127.0.0.1 ieupdate6.gdata.de
127.0.0.1 ieupdate5.gdata.de
127.0.0.1 ieupdate4.gdata.de
127.0.0.1 ieupdate3.gdata.de
127.0.0.1 ieupdate2.gdata.de
127.0.0.1 ieupdate1.gdata.de
127.0.0.1 www.iavs.cz
127.0.0.1 download7.avast.com
127.0.0.1 download6.avast.com
127.0.0.1 download5.avast.com
127.0.0.1 download4.avast.com
127.0.0.1 download3.avast.com
127.0.0.1 download2.avast.com
127.0.0.1 download1.avast.com
127.0.0.1 upgrade.bitdefender.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.lavasoftusa.com
127.0.0.1 www.a-2.org
127.0.0.1 updates.a-2.org
127.0.0.1 niuone.norman.no
127.0.0.1 www.diamondcs.com.au
127.0.0.1 www.attechnical.com
127.0.0.1 www.zeylstra.nl
127.0.0.1 fractus.mat.uson.mx
127.0.0.1 www.toonbox.de
127.0.0.1 radius.turvamies.com
127.0.0.1 diamondcs.fileburst.com
127.0.0.1 downloads.My-eTrust.com
127.0.0.1 acs.pandasoftware.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 www.NoAdware.net
127.0.0.1 www.nod32.com
127.0.0.1 www.eset.sk
127.0.0.1 avu.zonelabs.com
127.0.0.1 retail.sp.f-secure.com
127.0.0.1 retail01.sp.f-secure.com
127.0.0.1 retail02.sp.f-secure.com
127.0.0.1 www.moosoft.com
127.0.0.1 secuser.model-fx.com
127.0.0.1 secuser.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 pccreg.antivirus.com
127.0.0.1 dl1.antivir.de
127.0.0.1 dl2.antivir.de
127.0.0.1 dl3.antivir.de
127.0.0.1 dl4.antivir.de
193.125.23.12 updates.sald.com
127.0.0.1 secuser.model-fx.com
127.0.0.1 secuser.com
127.0.0.1 www.secuser.com
127.0.0.1 www.k-otik.com
127.0.0.1 www.megasecurity.org
127.0.0.1 housecall.trendmicro.com
127.0.0.1 fr.mcafee.com
127.0.0.1 antivirus.cai.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.securitoo.com
127.0.0.1 www.Kaspersky-FR.com
127.0.0.1 www.avgfrance.com
127.0.0.1 www.antivirus-online.de
127.0.0.1 www.gietl.com/test-clamav/
127.0.0.1 ftp.esafe.com
127.0.0.1 ftp.microworldsystems.com
127.0.0.1 ftp.europe.f-secure.com
127.0.0.1 ftp.ca.co
127.0.0.1 ftp.symantec.com
127.0.0.1 files.trendmicro-europe.com
127.0.0.1 akamai.net
127.0.0.1 www.inline-software.de
127.0.0.1 www.norman.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.f-prot.com
127.0.0.1 www.drsolomon.com
127.0.0.1 www.avast.com
127.0.0.1 www.vsantivirus.com
127.0.0.1 www.openantivirus.org
127.0.0.1 www.bitdefender.com
127.0.0.1 www.pandasoftware.es
127.0.0.1 www3.ca.com
127.0.0.1 security.symantec.com
127.0.0.1 www.dialognauka.ru
127.0.0.1 www.viguard.com
127.0.0.1 www.free-av.com
127.0.0.1 www.nod32.lu
127.0.0.1 www.zonelabs.fr
127.0.0.1 www.anti-virus-software-review.com
127.0.0.1 www.vet.com.au
127.0.0.1 www.eicar.org
127.0.0.1 www.avp.ch
127.0.0.1 anti-virus.com
127.0.0.1 www.bitdefender.fr
127.0.0.1 microsoft.fr
127.0.0.1 www.trendmicro.fr
127.0.0.1 fr.bitdefender.com
127.0.0.1 www.sophos.fr
127.0.0.1 www.emsisoft.net/fr
127.0.0.1 www.nsclean.com
127.0.0.1 www.antiviraldp.com
127.0.0.1 www.pestpatrol.com
127.0.0.1 www.agnitum.com
127.0.0.1 www.simplysup.com
127.0.0.1 www.misec.net
127.0.0.1 www.nod32.nl/_en
127.0.0.1 www.centralcommand.com
127.0.0.1 www1.my-etrust.com
127.0.0.1 www.authentium.com
127.0.0.1 www.bitdefender.secyber.net/BITDEFENDER/index.html
127.0.0.1 www.finjan.com
127.0.0.1 www.fmsinc.com/free/utilities/fmsavs10.htm
127.0.0.1 www.psnw.com
127.0.0.1 www.gwava.nl
127.0.0.1 www.gecadsoftware.com
127.0.0.1 www.ikarus-software.at/portal/index.php
127.0.0.1 www.pspl.com
127.0.0.1 www.safetynet.com
127.0.0.1 www.stiller.com
127.0.0.1 www.sybari.com
127.0.0.1 www.wildlist.com
127.0.0.1 www.mcaffee.com/anti-virus/virusmap.asp
127.0.0.1 www.mcaffee.com
127.0.0.1 www.blackice.iss.net
127.0.0.1 www.ccsoftware.ca/8signs
127.0.0.1 www.deerfield.com
127.0.0.1 www.kerio.com
127.0.0.1 www.looknstop.com
127.0.0.1 www.mcafee-at-home.com
127.0.0.1 www.sygate.com
127.0.0.1 www.tinysoftware.com
127.0.0.1 www.visualizesoftware.com
127.0.0.1 www.kerio.com
127.0.0.1 www.zonelabs.com
127.0.0.1 www.zonelog.co.uk
127.0.0.1 www.safer-networking.org
127.0.0.1 www.webroot.com
127.0.0.1 www.lavasoft.nu
127.0.0.1 www.spywareguide.com
127.0.0.1 www.aluriasoftware.com
127.0.0.1 www.pestpatrol.com
127.0.0.1 www.spyblocker-software.com
127.0.0.1 www.spycop.com
127.0.0.1 www.spywareguide.com
127.0.0.1 www.javacoolsoftware.com
127.0.0.1 www.wilderssecurity.net
127.0.0.1 www.trapware.com
127.0.0.1 www.winpatrol.com
127.0.0.1 www.liutilities.com
127.0.0.1 www.x-cleaner.com
127.0.0.1 shop.symantec.com
127.0.0.1 dispatch.mcafee.com/us
127.0.0.1 nai.com/us/index.asp
127.0.0.1 secure.nai.com/us/index.asp
127.0.0.1 www.kaspersky.co.uk
127.0.0.1 kaspersky.co.uk
127.0.0.1 www.housecall.com
127.0.0.1 housecall.com
127.0.0.1 kav.ru


I take it this is all the sites I'm blocked from? If I delete them all, I'm left with an empty file! Is that okay, or should I replace it with something?
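The check muckshifter describes (open the hosts file and compare it with a clean one) can be done mechanically. The script below is an added example, not from this thread or from any of the tools mentioned in it: it parses a Windows hosts file, flags entries that sinkhole real hostnames to loopback, entries that redirect a hostname to some other address, entries that are not even valid hostnames (wildcards like *symantec* or URL schemes like ftp://, which never belong in a hosts file and are a sure sign of tampering), and duplicates. The sample file is constructed inline, modelled on the one posted above; the hostname list and the 192.0.2.12 address are made-up values for illustration.

```python
"""Audit a Windows hosts file for the kind of tampering shown in the thread.

Added example, not part of the forum post. SAMPLE_HOSTS is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress
import re

# Names a clean hosts file is expected to map to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# RFC 1123 style hostname: labels of letters/digits/hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    names: list


@dataclass
class AuditReport:
    entries: list = field(default_factory=list)
    findings: list = field(default_factory=list)  # (lineno, kind, detail)


def parse_hosts(text):
    """Split a hosts file into entries, dropping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append(HostsEntry(lineno, parts[0], parts[1:]))
    return entries


def is_sinkhole_ip(ip):
    """Loopback (127.x, ::1) or unspecified (0.0.0.0) means 'go nowhere'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    report = AuditReport(entries=parse_hosts(text))
    seen = {}
    for e in report.entries:
        if not e.names:
            report.findings.append((e.lineno, "malformed", f"no hostname after {e.ip!r}"))
            continue
        for name in e.names:
            if not HOSTNAME_RE.match(name):
                report.findings.append((e.lineno, "malformed",
                                        f"{name!r} is not a hostname (wildcard/URL/path)"))
            elif is_sinkhole_ip(e.ip) and name.lower() not in LOOPBACK_NAMES:
                report.findings.append((e.lineno, "sinkholed",
                                        f"{name} -> {e.ip} blocks reaching {name}"))
            elif not is_sinkhole_ip(e.ip):
                report.findings.append((e.lineno, "redirected",
                                        f"{name} -> {e.ip} silently sends lookups elsewhere"))
            key = (e.ip, name.lower())
            if key in seen:
                report.findings.append((e.lineno, "duplicate",
                                        f"{name} already mapped on line {seen[key]}"))
            else:
                seen[key] = e.lineno
    return report


def summarize(report):
    """Count findings by kind, e.g. {'sinkholed': 3, ...}."""
    return dict(Counter(kind for _, kind, _ in report.findings))


def is_default_hosts(text):
    """True when nothing but loopback mappings for localhost-type names remain."""
    return all(is_sinkhole_ip(e.ip) and all(n.lower() in LOOPBACK_NAMES for n in e.names)
               for e in parse_hosts(text))


# Constructed sample modelled on the tampered file in the thread (not the real file).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 *symantec*
127.0.0.1 ftp://downloads4.kaspersky-labs.com
127.0.0.1 www.avast.com
127.0.0.1 windowsupdate.microsoft.com
192.0.2.12 updates.example.net   # made-up redirect to a non-loopback address
127.0.0.1 www.avast.com
"""

if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    for lineno, kind, detail in rep.findings:
        print(f"line {lineno:>3}  {kind:<10} {detail}")
    print("summary:", summarize(rep), "| clean baseline:", is_default_hosts(SAMPLE_HOSTS))
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into `audit_hosts`; a clean XP/Vista file produces no findings and `is_default_hosts` returns True, which also answers the question above: a file containing only the two localhost lines (plus Microsoft's comment header) is the normal state, not an empty file to worry about.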
 
I'm not sure if this is normal, but I have other hosts files:

1) C:\Windows\System32\drivers\etc\1.hosts
2) C:\Windows\System32\drivers\etc\lmhosts.sam

First one just seems to be another list of URLs:

C:\windows\System32\drivers\etc\1.hosts

127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 us.mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com

But the second one looks much more like your host file:

C:\Windows\System32\Drivers\etc\lmhosts.sam

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

Hope this additional info is helpful and meaningful (to someone!).
 
If you delete all of your main hosts file, and replace it with the contents from Muck's (just to make sure the localhost relay works). That would explain why you've not been able to get to some sites :)

I don't think you should have "C:\Windows\System32\drivers\etc\1.hosts", the 2nd extra host file is fine though.
 
Ian is correct ... keep the lmhosts.sam file, it is safe.

You can delete "C:\Windows\System32\drivers\etc\1.hosts" and you can delete everything you see in your Hosts file and replace it with everything I posted in green ... save & reboot.

:thumb:
 
Okay, hosts file now updated and 1.hosts deleted.

I thought I'd have a go at running the two online scanners recommended (Trend and Kaspersky). But I'm still having difficulty, although I can now get to the websites okay.

Kaspersky: Fails before getting to the scan. I get a message saying "Application's digital signature has an error, do you want to continue? - the digital signature was generated with a trusted certificate but expired." I carried on anyway, but the program failed. Also got a message saying "Java applet has failed".

Trend: Get a message saying: "Updating and starting Housecall", but then it goes idle and there is no sign of activity. I know it says it could take some minutes, but I've left it half an hour and there is not so much as a progress bar.

I thought that maybe my Norton software was somehow blocking them, so thought I'd turn it off/disable it. I'm probably being a bit thick (as usual when it comes to computers), but I couldn't see a stop/disable option anywhere.

Once again, HELP!
 
Try this site for HC ...

http://housecall.trendmicro.com/uk/

You are using IE6/7/8, yes? If so, adjust the IE browser's Security level to Medium at least and be sure that signed ActiveX objects are enabled.

Try this one also ...

http://www.eset.com/onlinescan/

While you are there, download the trial of the NOD AV program, so you can replace Norton ... to uninstall Norton you will need Norton's own removal tool, 'cos it don't uninstall correctly. ;)


:user:
 
I still can't get the Trend AV to run - no error messages, just seems to hang when it says it is updating and starting Housecall.

I have run the online scan from ESET. It found two threats: Win32/adware.virtumode.neo - datafile applications (C:\windows\system32\yyad.ini and C:\windows\system32\yyadd.ini.2). Both have now been deleted. Nothing else was found.

I have also downloaded the Norton uninstall tool. Before downloading the NOD AV tool, I just wanted to get your opinion as to whether the NOD AV tool is significantly better than the free Antivir one? The NOD one will eventually have to be paid for after the trial, and being rather skint, I like the price of the Antivir one much better!!

Do you think it is reasonable to assume that I am 'clean' now, or am I being overly optimistic?
 
In my humble opinion, NOD is far superior, but for free, you can't beat Antivir ...

please, don't be tempted with any of the other "free" av programs, you may as well use Norton. :lol:

Give SuperAntiSpyware a run through your system, then I'll say you are good to go ...


Have fun ...

:user:
 