Two days ago, I noticed that my computer was slowing down. I accessed the control management (to be honest I don't know what it is called in English, because my XP is in Croatian, but the keyboard shortcut is AltGr + Ctrl + Del) and I saw that some installation process was going on. Before I was able to end it, the installation completed and my computer was infected.
It changed my wallpaper, deleted some icons, and locked me out of some key systems. I can't access the hard disk, control panel, control management, or any system that could help me realise what is wrong.
I've run an on-demand scanner with a full system scan twice, and I couldn't remove the virus. The first time it found 345 infected files and cleaned 296, and the second time it found 52 infected files and cleaned only three. One of the problems is that more than 2000 files, including some in /windows/system32/, are locked and cannot be accessed.
The “XP” is opening my internet browsers, suggesting that I download some of the “antivirus programs” to clean it, but I didn't fall for that. (The sites are “safewebnavigate.com”, “antivirus-2008.pro.com”…)
What should I do, and how can I get rid of this virus?
And Microsoft has sent me the “Microsoft Windows Malicious Software Removal Tool” via automatic updates, but it has found only one infected file… Is that program any good?
Here are some screenshots of my problem, uploaded to imageshack…
All those “antivirus, and anti****” icons you can see on my background were added by the virus…
NOD has found many different versions of Win32/worm, trojan downloader, you name it…
And AMON has found a NewHeur_PE virus.
This is the file name…
Module Object Name Threat Action User Information
9.7.2008 18:07: VIRUS ALERT! IMON file -Virus Link Removed- unknown NewHeur_PE virus NT AUTHORITY\SYSTEM
Removed Virus Link- 3xist. (:m*)
Those links will automatically begin downloading. Once you have installed all 3 apps, download all necessary definition updates for all of the products.
Now reboot, and when your computer starts up, keep pressing “F8” until you get to the option to choose Safe Mode (Safe Mode is a special diagnostic mode) and choose it without networking. Finally, scan and remove all the infections found with MalwareBytes, SUPERAntiSpyware, NOD32, and ClamWin. (Make sure you do full system scans, ONE at a time.) Now reboot a second time normally and re-run the scans again.
Post back after you have completed those steps and tell me how your system is.
One of the things you should do on a weekly basis is to manually check and update all your security programs. I have several that I have turned off in services.msc, but I bring them back online if I want more options in scanning.
The last infection I had caused the screen to constantly reload. I was able to stop it by booting to safe mode and then running Malwarebytes, which stopped that problem and allowed me to scan in regular mode. If you think you are infected, always scan in both modes.
My disappointment is that while scanning with over a dozen different programs, many will find something different; a few times they will find the same file, but not all. No one program finds them all, not even 70% (maybe 60%), when I have gotten infected.
More than just a few of the scanning tools you use will have false positives (but scan that program individually with other anti-malware programs to be safe).
Let one of the experts in anti-malware removal assist you; sometimes they will recommend a removal program that is directed towards your infection. And at one point they will recommend clearing / turning OFF Windows Restore.
I mentioned earlier about ensuring you update regularly; another item many do not pay attention to is the scan settings on each scanner. I found that almost all are set for Quick / Smart Scan by default. When you have an infection, make sure you set the scan for Deep / Full scan (also inside archives).
The scan usually takes 2-3 times longer, so be patient.
The quick scan setting also applies to Microsoft's Malicious Removal Tool and Windows Defender. The difference is that Windows Defender works like CAVS to scan for malware, and the Malicious Removal Tool scans for malware that is already active, like BoClean, BUT you have to start the scan, while BoClean reacts automatically.
Windows Defender, even though it is thought of so lowly, once found an infection that the others had missed! The Malicious Removal Tool is normally uninstalled on the next reboot, after the monthly Windows patch updates.
Update, update, update; have several programs available (not necessarily running), and work with an expert in malware scanning and removal.
Also be aware that most AVs only remove the “active” components of your infection.
And take care that it won't start up again with your computer.
A lot of virus/worm/trojan stuff also changes things in your registry and at the file level/security.
So if I got infected this way, I think I'd go for the backup of my important data and do a clean install from the bottom up. And as UncleDoug stated, update, update, update. Run Secunia's PSI or Comodo's Vulnerability Analyzer to see which applications you run need to be updated.
Run a realtime virus scanner and a firewall, and do some manual scanning with others every 2 weeks or so. Save the log files so you can go back in time later to see if some “infection” was already there, or, as most of them have false positives, compare them or look them up on Google to see if it's real.
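One way to act on the advice in this thread (keep scan logs, compare what different scanners flag, and treat a file only one scanner reports as needing verification before trusting it), as an added Python example that is not from this thread or from any of the products named; the log format, scanner names and file paths are constructed for the example:

```python
from collections import defaultdict

# Constructed sample: one detection per line, "YYYY-MM-DD<TAB>scanner<TAB>path<TAB>threat".
# This is a simplified layout made up for the example, not any product's native log format.
SAMPLE_LOGS = """\
2008-07-05\tScannerA\tC:\\WINDOWS\\system32\\evil.dll\tTrojan.Downloader
2008-07-09\tScannerA\tC:\\WINDOWS\\system32\\evil.dll\tTrojan.Downloader
2008-07-09\tScannerB\tC:\\WINDOWS\\system32\\evil.dll\tWin32/TrojanDownloader
2008-07-09\tScannerC\tC:\\WINDOWS\\system32\\evil.dll\tNewHeur_PE
2008-07-09\tScannerB\tC:\\Program Files\\Tool\\helper.exe\tPUP.Generic
2008-07-09\tScannerC\tC:\\WINDOWS\\wallpaper.bmp\tUnknown
"""

def parse_log(text):
    """Parse the constructed format into (iso_date, scanner, path, threat) tuples.
    Paths are lower-cased so the same file matches across scanners; threat names are
    kept but not used for matching, since every product names the same thing differently."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            day, scanner, path, threat = line.split("\t")
            entries.append((day, scanner, path.lower(), threat))
    return entries

def first_seen(entries):
    """Earliest date each path was reported by any scanner: was it already there last time?"""
    seen = {}
    for day, _scanner, path, _threat in entries:
        seen[path] = min(seen.get(path, day), day)  # ISO dates compare correctly as strings
    return seen

def consensus(entries, on_day):
    """Set of scanners that flagged each path on one scan day."""
    hits = defaultdict(set)
    for day, scanner, path, _threat in entries:
        if day == on_day:
            hits[path].add(scanner)
    return dict(hits)

def triage(entries, on_day, min_agree=2):
    """Split a day's detections into corroborated (>= min_agree scanners agree) and
    single-scanner hits, which should be checked with another tool before acting."""
    hits = consensus(entries, on_day)
    corroborated = sorted(p for p, s in hits.items() if len(s) >= min_agree)
    suspect = sorted(p for p, s in hits.items() if len(s) < min_agree)
    return corroborated, suspect

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOGS)
    for path, day in sorted(first_seen(entries).items()):
        print(f"{path}: first seen {day}")
    print("corroborated / single-scanner:", triage(entries, "2008-07-09"))
```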