Author Topic: Possible virus ("popups are coming up of different viruses are being detected")  (Read 6163 times)


dana

Not sure what I am doing here. I chatted with McAfee last night, because I was getting all these
warnings of worms and trojans and other popups telling me my computer was in danger. So I clicked
on whatever the download was (never had this happen before), so no clue that I was hurting anything.
It is the personal antivirus from Windows. I did a McAfee scan and it showed no viruses, but I couldn't
get the popups to stop, and they were also blocking my internet. So I talked with McAfee and they
suggested to come on here to remove this virus. They now have my internet working, but sometimes
the blocks still come up. Popups are coming up saying different viruses are being detected. HELP!!!!
Never came across this issue. How does this happen if you are protected with McAfee?

Dana



Samker

Re: Possible virus
« Reply #1 on: 22. July 2009., 07:23:23 »
Hi Dana and Welcome to SCF Community.

Don't worry, we will help you to fix this. Now please:

1. Provide us all possible details related to your problems / infection.

2. Run Kaspersky or BitDefender Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & AntiVirus Online Scan


We will wait for your reply (with logs).

Regards,

SCF Team

s4ck

Hey Dana, it is important to delete the temporary files of the user profile and of the Windows Temp folder, as follows:
1.- Start / Run / %temp% / Accept

2.- c:\windows\temp

You should remove all files in those folders, but you can view these folders using a script: copy it, save it as txt and then as *.vbs, and then run it.
---------------------------------------------
On Error Resume Next

Dim objShell, objFileSystem, objTextStream, objRegex
Dim colRegexMatches1, colRegexMatches2
Dim nReturnCode
Dim strIpFileText, strAutorun
Dim element, i

' File-name patterns that are deleted from the root of every drive at the end
Dim Lista
Lista = Array("n1de?ect.com,nide?ect.com,nlde?ect.com", "j*.bat", "m*.com", "d*.com", "copy.exe,host.exe", _
              "a0*.com", "ntdeiect.com,ntdelect.com", "u? for *. com", "ntde1ect.com", "x*.com", "Uncle *.*", _
              "80*.com", "SEMO*.exe", "autorun*.*", "x*.exe", "yl*.exe", "qd*.cmd")

Set geekside = WScript.CreateObject("WScript.Shell")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFileSystem = CreateObject("Scripting.FileSystemObject")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set colDrives = objFSO.Drives

WScript.Echo "Software provided by MyGeekSide.com for the removal of the malware amvo, avpo, and n1detect variants"
WScript.Echo "The process of search and removal can take several seconds. Please be patient."

' Read autorun.inf from the root of every ready drive.
' The text of all drives is collected, not only that of the last drive read.
i = 0
For Each objDrive In colDrives
    If objDrive.IsReady = True Then
        strAutorun = objDrive.DriveLetter & ":\autorun.inf"
        If objFileSystem.FileExists(strAutorun) Then
            nRet = geekside.Run("cmd /C attrib -s -h -r " & strAutorun, 0, True)
            Set objTextStream = objFileSystem.OpenTextFile(strAutorun, 1)
            strIpFileText = strIpFileText & objTextStream.ReadAll & vbCrLf
            objTextStream.Close
        End If
    End If
Next

' Find the program names that autorun.inf refers to (the dot is escaped so it is matched literally)
Set objRegex = New RegExp

objRegex.Pattern = "=\w+\.(com|bat|exe|pif|scr|svd|dat|tmp|cmd)"
objRegex.Global = True
objRegex.IgnoreCase = True
Set colRegexMatches1 = objRegex.Execute(strIpFileText)

' For every referenced file: stop the known processes, then delete the file and autorun.inf on each drive
i = 0
For Each element In colRegexMatches1
    element = Replace(element, "=", "")
    WScript.Echo "Proceeding to delete virus file: " & element
    For Each objDrive In colDrives
        If objDrive.IsReady = True Then
            WScript.Echo "Cleaning drive: " & objDrive.DriveLetter

            nRet = geekside.Run("cmd /C taskkill /f /im amvo.exe", 0, True)
            nRet = geekside.Run("cmd /C taskkill /f /im avpo.exe", 0, True)
            nRet = geekside.Run("cmd /C taskkill /f /im ckvo.exe", 0, True)
            nRet = geekside.Run("cmd /C taskkill /f /im kavo.exe", 0, True)
            nRet = geekside.Run("cmd /C taskkill /f /im semo2x.exe.tmp", 0, True)
            nRet = geekside.Run("cmd /C taskkill /f /im semo2x.exe", 0, True)
            nRet = geekside.Run("cmd /C taskkill /f /im help.exe.tmp", 0, True)

            nRet = geekside.Run("cmd /C attrib -s -h -r " & objDrive.DriveLetter & ":\" & element & "", 0, True)
            nRet = geekside.Run("cmd /C cd \ & del " & objDrive.DriveLetter & ":\" & element & " /f /q /a", 0, True)
            nRet = geekside.Run("cmd /C cd \ & del " & objDrive.DriveLetter & ":\autorun.inf", 0, True)
        End If
    Next
    i = i + 1
Next

Set objRegex = Nothing
Set objTextStream = Nothing
Set objFileSystem = Nothing
Set objShell = Nothing

' Clear the system/hidden/read-only attributes of the copies in system32, then delete them
nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\amvo*.*", 0, True)
nret16 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\avpo*.*", 0, True)
nret20 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\help.exe.tmp", 0, True)
nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\KaVo*.*", 0, True)
nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\ckvo*.*", 0, True)
nret56 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\SEMO*.*", 0, True)
nret60 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\SEMO*.*.*", 0, True)

nret23 = geekside.Run("cmd /C del /f c:\windows\system32\amvo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\avpo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\KaVo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\ckvo*.*", 0, True)
nret57 = geekside.Run("cmd /C del /f c:\windows\system32\SEMO*.*", 0, True)
nret59 = geekside.Run("cmd /C del /f c:\windows\system32\SEMO*.*.*", 0, True)

' Remove the Run values that start the malware at logon
nret31 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v amva /f", 0, True)
nret32 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v avpo /f", 0, True)
nret68 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v avpa /f", 0, True)
nret68 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v kava /f", 0, True)
nret68 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v ckvo /f", 0, True)
nret68 = geekside.Run("cmd /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v ckva /f", 0, True)

WScript.Echo "The system registry will now be restored so that hidden files can be viewed"

' Restore the Explorer settings that control the display of hidden and system files
nret33 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f", 0, True)
nret43 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f", 0, True)
nret44 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f", 0, True)

nret45 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f", 0, True)
nret46 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f", 0, True)
nret47 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f", 0, True)

nret34 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f", 0, True)
nret35 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f", 0, True)

nret36 = geekside.Run("cmd /C reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /f", 0, True)
nret37 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f", 0, True)
nret38 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f", 0, True)

nret39 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /v CheckedValue /t REG_DWORD /d 0 /f", 0, True)
nret40 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden /v DefaultValue /t REG_DWORD /d 0 /f", 0, True)

nret48 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden /v Type /t REG_SZ /d Group /f", 0, True)

' Re-enable Folder Options and the registry tools
nret61 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f", 0, True)
nret62 = geekside.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f", 0, True)
nret63 = geekside.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f", 0, True)

' Restart Explorer so that the restored settings take effect
nret78 = geekside.Run("cmd /C taskkill /f /im explorer.exe", 0, True)
nret79 = geekside.Run("cmd /C start explorer.exe", 0, True)

' Second pass over system32 after Explorer has been restarted
nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\amvo*.*", 0, True)
nret16 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\avpo*.*", 0, True)
nret20 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\help.exe.tmp", 0, True)
nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\KaVo*.*", 0, True)
nret15 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\ckvo*.*", 0, True)
nret56 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\SEMO*.*", 0, True)
nret60 = geekside.Run("cmd /C attrib -s -h -r c:\windows\system32\SEMO*.*.*", 0, True)

nret23 = geekside.Run("cmd /C del /f c:\windows\system32\amvo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\avpo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\KaVo*.*", 0, True)
nret24 = geekside.Run("cmd /C del /f c:\windows\system32\ckvo*.*", 0, True)
nret57 = geekside.Run("cmd /C del /f c:\windows\system32\SEMO*.*", 0, True)
nret59 = geekside.Run("cmd /C del /f c:\windows\system32\SEMO*.*.*", 0, True)

' Delete every pattern in Lista from the root of each ready drive
For Each objDrive In colDrives
    If objDrive.IsReady = True Then
        For X = 0 To UBound(Lista)
            nRet = geekside.Run("cmd /C attrib -s -h -r " & objDrive.DriveLetter & ":\" & Lista(X) & "", 0, True)
            nRet = geekside.Run("cmd /C cd \ & del " & objDrive.DriveLetter & ":\" & Lista(X) & " /f /q /a", 0, True)
        Next
    End If
Next

WScript.Echo "Congratulations! Your computer has been disinfected of the amvo virus and its variants"
WScript.Echo "www.mygeekside.com"

WScript.Quit(0)

-------------------------------------------------- ------------------------------------
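
An added example, not part of s4ck's post or of the MyGeekSide script: a read-only Python check that lists which programs a drive's autorun.inf would launch, so the names can be reviewed before a script like the one above deletes anything. It goes beyond the script's regex by reading only the launch keys of the [autorun] section and by handling quoted commands; the sample file content and the function name are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name a program to start.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=\\]+\\command)$", re.I)
# Same extensions as the regex in the removal script above.
EXECUTABLE_EXT = (".com", ".bat", ".exe", ".pif", ".scr", ".svd", ".dat", ".tmp", ".cmd")

# Constructed sample of an infected drive's autorun.inf (not taken from a real system).
SAMPLE = r"""; constructed sample
[AutoRun]
open=amvo.exe
icon=folder.ico
shell\open\Command=amvo.exe
shell\explore\Command="ntde1ect.com" /x
label=Backup
[Other]
open=ignored.exe
"""

def referenced_programs(autorun_text):
    """Return (key, program) pairs for every launch entry in [autorun]."""
    found = []
    section = None
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # only [autorun] entries start programs
        key, value = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEY.match(key):
            continue                      # icon=, label= and similar keys
        # The first token of the command is the program; drop quotes and arguments.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        program = (m.group(1) or m.group(2)) if m else ""
        if program.lower().endswith(EXECUTABLE_EXT):
            found.append((key.lower(), program))
    return found

if __name__ == "__main__":
    for key, program in referenced_programs(SAMPLE):
        print(f"{key:24} -> {program}")
```
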

havocknox

One other tip that might help you out. Download a program called Malwarebytes (http://www.malwarebytes.org/); this is a free program and is excellent. The problem I am seeing here is you have what is also known as Antivirus 2008 or 2009 version. This is not an antivirus at all but is malware. If you have already downloaded this program, you may not be able to do much on the internet. If you can download and install Malwarebytes, update it and run a full scan. This should clean up your computer from all spyware and malware. Hope this helps you out.
Jeremy McBurney
Computer Consultant
Jeremy's Computer Consulting
