Comodo saved me from a high risk virus!

Today when I booted the computer, Comodo PF came up with a message telling me some file was trying to load hooks into every program I had running. That file, I'm sure, was a virus, so I denied, but it didn't allow any connectivity in the application.

I looked at my process list and I noticed a weird process called v6.exe, so I disabled its startup as I'm sure that caused it.

So… I restarted my computer and Comodo no longer showed a file trying to load hooks, but v6.exe kept regenerating! I immediately searched Google for a cure, but when I looked at a couple of solutions they all required long manual steps which I didn't want to do.

This program was extremely annoying because it kept opening dialers every half an hour and it closed my full-screen game. It also slowed my computer a lot and caused programs not to load!!!

The dialers were able to launch because the virus took over winlogon.exe, which launched my Nvidia dialer. (Very lucky I didn't have dial-up, or the dialer could have cost me 100+ as the dialers were on 3 at a time.)

Also my Avast didn't detect this v6.exe as a virus, but it cleared up its traces. That wasn't good enough, though, as it kept regenerating!!!

If Comodo hadn't stopped this virus it could have keylogged all my applications or made those applications do bad actions to the system files.

To clear this up I used a2 free, which found all its traces and the main v6.exe.

Right now I'm not sure if a2 cleared all of it up, because it deleted v6.exe and other traces but no registry files, which might cause this virus to regenerate again.

But my explorer.exe crashed because of this virus, so I have to restart.

Once again, CFP to the rescue! (R)

I’m glad to hear that Comodo firewall warned you about the activity, and allowed you to block it; and that a-squared free was able to detect and remove it.

Sounds like you had quite a nasty little program on your hands!

LM

PS: Just wait until CFP version 3 comes out with full HIPS!

Great to hear… but hey, CFP is just doing its job (:WIN)
You see, this is why it's important to do well in the leak tests, so that these types of malware can't leak :slight_smile:

Also, with v3, we will have a HIPS which will totally render this useless and they won’t be able to infect you in the first place :slight_smile:

Melih

GRRR this virus is driving me crazy!!!

This virus, as I already said, regenerates, but it makes like 500 copies of itself in the Windows TEMP folder, which causes the dialers to constantly open!

The copies of itself have the .tmp extension and Comodo is still detecting them and I deny, but it keeps using the Windows winlogon file to start itself!

I'm wondering how winlogon.exe is not in my Comodo app list, but it must be a certified-by-Comodo app, so how do I turn this mode off again?

Is there a possible way to stop the files from using winlogon? Or is the winlogon file already infected and in need of replacing?

In CFP, you can go to Security/Advanced/Miscellaneous, and uncheck, “Do not show alerts for applications certified by Comodo.” Click OK, then reboot.

Now you will get popups for everything, and can deny winlogon if you get an alert.

Be aware though, that if you deny access to application svchost.exe with parent of services.exe, your internet will not be able to update your IP address, and you will lose connectivity.

LM

Coolio10,
you might have a look at this post

Looks like you have a similar problem. To download HijackThis, go to Download HijackThis - MajorGeeks.
Hope this helps with your problem.

I had a nasty virus and a Trojan. I was using AVG and it never caught a thing. I had Norton Antivirus and it never caught it. So I then got the Avast antivirus program; still nothing would show up. I tried several programs trying to get rid of these things, but nothing was working. I thought for sure I was going to have to format my computer. UNTIL I did notice my C.o.m.o.d.o. Firewall was asking me to accept or deny this kernels88.exe and a v6.exe. YEP, if I would have been paying more attention to my firewall I might have saved myself a lot of grief lol. (L)
But I did find a way to get rid of them and thought I would share it with everyone.
Now the first thing I recommend that you do is go get yourself the C.o.m.o.d.o. Firewall and the CCleaner programs and install them. GO here to get it >> http://www.CCleaner.com

This is how I remove Trojans manually. First off, you can get one from just going to a site, even with all your firewalls up and virus scanners running. You don't have to download a thing; just going to the site is enough. It will attach itself in your System32 Windows folder, and in your Prefetch folder. The reason it will attach itself to the Prefetch folder is that this way it can try to get access to the Internet every time you reboot, I think.
But this is also where it gives itself away, and if you watch your firewall closely it will pop up saying that a .EXE is trying to get access to the Internet. When it does, you need to pay close attention to the numbers the firewall is giving to you. For example my C.o.m.o.d.o. firewall caught these two, both of which are Trojans:
kernels88.exe
v6.exe
So if you see your firewall bring up anything that has an .EXE in it, beware.
And make sure you Deny Access.

Now how to get rid of it.

When the firewall brings this up, copy and paste it to a Notepad and save it to your desktop.
Now go to your Start bar and then Search. Click on Search the Internet.
Now copy and paste from your Notepad the name. My first one was a Trojan, kernels88.exe, or whatever one that you might have gotten. I think this will work.
You will find out real fast if it is infected with a Trojan or a virus. Once you know for sure that it is, then close the window and start a new search; only this time we are going to hunt it down.

Now go to your Start bar, click on Search, then All Files and Folders.
Now copy and paste from your Notepad the Trojan kernels88.exe, or whatever one that you might have gotten,
into the Search bar and click on Search.
When it comes up, you right-click on it and select Open Containing Folder. If it's in your PREFETCH folder it will open it for you and it will be highlighted. Sometimes you can just delete it from there, but not always. If it won't let you delete it, right-click on it and rename it. Here is what I do: I leave the thing pretty much the same, kernels88.exeCRAP, and add the word ■■■■ behind it. Then you need to copy this to your WordPad too, so we can hunt it down again.

OK, now you need to reboot the computer.
Now, after rebooting, go to your WordPad and copy and paste the name that you renamed, kernels88.exeCRAP, into the Search bar once again. Only this time you will delete it.
If you have the CCleaner, run it at the Recycle Bin now. And if you don't have the program CCleaner, I suggest that you go get it. You can go get it from here: www.CCleaner.com

And if you don't have this program, at least make sure that you empty the Recycle Bin.
Now you will need to reboot once more.
Now it's important to remember you need to do the Prefetch folder first; that way the Trojan can't split up or hide on you. I have found out after you get rid of the Prefetch folder the thing won't try to get on the Internet any more.
Now if you have the CCleaner, which I hope you do by now, it's time to run it before we go on to kill the main part of the Trojan.
Open the CCleaner, click on the Analyze button, then click on the Run Cleaner button.
Now look to the left; you will see a blue icon that says Issues under it. Click on it, then click on the button that says Scan for Issues, then click on the button that says Fix Selected Issues.
It will pop up a box that says "Do you want to backup changes to the registry?"
Click on the NO button.
Now when the next box pops up, click on the button that says FIX ALL SELECTED ISSUES.
Then it will pop up another box asking you if you're SURE; click on the OK button.
Then click on the CLOSE button.
Now it's time to REBOOT once more.

Now all of the above will stop the Trojan from multiplying or getting on the Internet. Now it's time to finish it off for good.
This time we are not looking for the Prefetch; we already took care of that, so there shouldn't be any showing up when you use the search this time.
What we are looking for now will be in the System32 folder, but the numbers will be the same as it was in the Prefetch folder: kernels88.exe
Do it the same way: rename it to kernels88.exeCRAP and copy it to the WordPad the same as before, then reboot.
After you reboot, do the search over and use kernels88.exeCRAP, the new name that you renamed it to, and when you find it, delete it.
Now open up the CCleaner again, click on the Analyze button, then on the Run button.
Now go to the blue icon button that says ISSUES on the left, under the Cleaner button,
and click on it. Now click on the button that says SCAN FOR ISSUES.
Then click on the button that says FIX Selected Issues. BUT when the next pop-up comes up, make sure you click on the NO button. You do not want to save any of this to the backup registry.
Then click on the button that says FIX ALL SELECTED ISSUES, and when it asks you if you're sure, click on the OK button.
Then click on the CLOSE button.
Now you need to reboot for the last time; it's gone forever.
If something happened and, say, you forgot to save the name to a WordPad, don't worry; it will try to reach the Internet again, and when it does the C.O.M.O.D.O. will pop up telling you.
BEFORE it was renamed > kernels88.exe, and after I renamed mine to > kernels88.exeCRAP
The same thing with the v6.exe: after I renamed mine to v6.exeCRAP, I just rebooted, went back and deleted it the same way.
Now the main reason I suggest the CCleaner is it will take these Trojans and viruses out of the registry for you.

This worked great for me. Hope it does for you too. Take care, DAN (R)
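As an added example (not DAN's procedure, nor any Comodo or CCleaner code), the PowerShell script below automates the hunt described in the post: it looks for a suspect file name in the Prefetch, System32 and TEMP folders (including the .tmp clones mentioned earlier in the thread), lists Run-key and Winlogon registry values that reference it, and optionally renames what it finds so the copies cannot start at next boot. The file names and the CRAP suffix come from the post; the script name hunt.ps1 and everything else are assumptions.

```powershell
# Added example (not from the post): hunt a suspect executable the way DAN describes, then
# report file copies, Prefetch traces, TEMP clones and autostart registry values that name it.
param(
    [Parameter(Mandatory)][string]$Name,   # e.g. 'kernels88.exe' or 'v6.exe' from the post
    [switch]$Rename                        # rename matches to <name>CRAP instead of only reporting
)

$stem = [IO.Path]::GetFileNameWithoutExtension($Name)
$dirs = @("$env:SystemRoot\Prefetch", "$env:SystemRoot\System32", $env:TEMP, "$env:SystemRoot\Temp")

# 1. File copies: the exact name, its Prefetch trace (<NAME>-xxxxxxxx.pf) and any .tmp clones.
$hits = foreach ($d in $dirs) {
    if (Test-Path $d) {
        Get-ChildItem -Path $d -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq $Name -or $_.Name -ilike "$stem-*.pf" -or
                           $_.Name -ilike "$stem*.tmp" }
    }
}
foreach ($h in $hits) {
    # The hash tells the TEMP clones apart from an unrelated file that merely shares the name.
    $md5 = (Get-FileHash -Path $h.FullName -Algorithm MD5).Hash
    "{0,-60} {1,10} {2} {3}" -f $h.FullName, $h.Length, $h.LastWriteTime, $md5
}

# 2. Autostart locations: the Run keys and the Winlogon values the thread says were hijacked.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -imatch [regex]::Escape($stem)) {
            "REGISTRY  $k  $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Optional: rename rather than delete, so a reboot can release any lock, as the post does.
if ($Rename) {
    foreach ($h in $hits) {
        Rename-Item -Path $h.FullName -NewName ($h.Name + 'CRAP') -ErrorAction Continue
    }
}
```

Run it from an elevated prompt, e.g. `.\hunt.ps1 -Name kernels88.exe`, review the listing, then rerun with `-Rename` and reboot before deleting the renamed files.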

A virus cannot run on registry keys alone. Registry keys are settings; you still need code to read those settings, and in the case of the RUN section of the registry you need code to run.

Registry changes COULD open ports in Windows (if you have a NAT router or a software firewall, it won't matter). The only problem registry changes can do is interfere with other programs that may not like the entries or the changes that have been applied.