Uncommanded music playing on my PC.


magpienja
5th Jun 2009, 18:07
I had a nasty virus last week called WinPC Antivirus; it was telling me I had a trojan and started a scan by itself, and no matter how many times I stopped it, it just kept starting.

Anyway, I did get rid of most of it with Malwarebytes and SUPERAntiSpyware.

But I think it's still lurking in there, as some odd things keep happening with the PC.

The main one that bothers me is that, with no input from me, music starts playing for about 30 secs or so, then what sounds like part of a TV programme. Sometimes it only lasts 30 secs, but tonight it stayed on much longer. The same track or TV sound is repeated, so it's not a transmission from outside.

Any ideas, guys?

Nick.

mixture
5th Jun 2009, 19:43
magpienja,

I'll cut to the point.

Reformat your computer and start afresh.

In these days of viruses incorporating spyware which provides nasties such as keylogger and backdoor capabilities, it's really not worth the risk. The creators are also getting much better at hiding their malware in obscure ways. The creators are also getting better at deploying anti-virus countermeasures.

This is even more relevant in cases such as yours, where despite attempts at fixing things with anti-virus/anti-spyware, there still seems to be "something wrong".

Sure, if you're a very experienced user, you can have a go at poking about in the registry, process list and other places. But the average home computer user doesn't know what they are looking for, even with "experts" hinting at what they should look for.

If in doubt, reformat.


P.S. Additionally, I would respectfully suggest you take your infected computer off the internet right now. If your virus is part of a botnet, you are probably spewing out tons of spam or being used for other purposes.

green granite
5th Jun 2009, 20:07
Check your registry for the following and delete:

HKEY_CURRENT_USER\Software\WinPC Antivirus
HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Run "sysav"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify" => 1

Make sure <winav.exe WinPC Antivirus.LNK > does not exist by doing a search of C:

magpienja
5th Jun 2009, 21:24
Green Granite, when you say look in the registry, is that just a matter of entering the info you provided into a search of my C: drive and deleting it if found?

Just done a scan with a malware prog and found Trojan.Agent and Rootkit.Trace.

What route into the PC do these things use?

Nick.

mixture
5th Jun 2009, 21:36
What route into the PC do these things use?

You won't like what I'm going to say but here goes ....

In 98% of cases, it generally boils down to the users letting them in, e.g.:

- Inadequate or no anti-virus / anti-spyware / firewall running

- Operating your computer as "Administrator" (not a "route in" as such, but it's very difficult for them to install themselves from other vectors if you are not running as Administrator)

- Clicking on things you shouldn't

- Not keeping your computer operating system and its software up to date with the latest patches

Google is your friend; there's more than enough security advice already out there, e.g.:

CERT - Home Network Security (http://www.cert.org/tech_tips/home_networks.html)
Microsoft.com - Security At Home (http://www.microsoft.com/uk/athome/security/default.mspx)
BBC NEWS | Technology | Tips to help you stay safe online (http://news.bbc.co.uk/2/hi/technology/5414992.stm)
The 20 Minute Guide to PC Security - IT Security (http://www.itsecurity.com/features/20-minute-guide-pc-security-021307/)


I would really seriously suggest re-formatting and starting with a clean slate.... a trojan, virus AND a rootkit ?? :eek::eek: ..... please don't kid yourself that you can fix it.... your PC is in a real mess. Believe me, your time is much better spent re-formatting and re-installing. I certainly wouldn't trust that machine anymore. :ok:

I will leave you to contemplate this quote.....

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, a program manager in Microsoft's security group, told a security conference in Florida. "Detection is difficult, and remediation is often impossible," he said.

Tarq57
6th Jun 2009, 01:23
magpienja, mixture makes a fairly valid point. If you don't know how to ferret around in the registry and make changes safely, it might be beyond your ability to deal with this.

However, to edit the registry, click "Start" > "Run", type regedit.exe, then click OK or press Enter.
The registry editor will open in a Windows Explorer type window (and it works like Windows Explorer, too).
Navigate to and find the keys suggested above, then delete them. Be sure you are in the correct part of the registry (match the full path to the key concerned).

One of the problems is that this type of infection is changing constantly, so the filenames, registry settings and paths used by a new variant are often different to the example reported (which was found on a simple Google search.)

What is your OS, your firewall, and the type of Antivirus used?

Another way of cleaning a computer is to post a HijackThis log at a forum that specializes in fixing this sort of thing: MajorGeeks, Bleeping Computer, etc. Depending on the forum and the type of help offered, there would likely be quite a lot of tools you'd need to download and run, and scan reports to post. For a routine cleanup with no particularly difficult or tenacious malware, it could typically take one to four days.

green granite
6th Jun 2009, 06:49
Tarq57 and mixture are very probably right, but you can at least learn a bit about the nuts and bolts of the operating system by playing with things such as the registry and control panel.

You can also type msconfig in the Run box, go to the Startup tab and un-tick any programs you don't recognise.

Also be careful what you back up onto DVD before you re-install everything; it would be very easy to copy a copy of the virus onto the DVD and transfer it to the new install. Don't copy any .dll, .exe, or .ini files.

mixture
6th Jun 2009, 07:40
Pretty much what green granite says in his last post.....use this as an educational exercise .... :ok:

Other than that, green granite's recommendation of not copying .dll , .exe , or .ini files is a good one. I would extend that list to include .COM; .BAT; .CMD; .VBS; .VBE; .JS ; .WSF; .WSH . You may need to toggle the "hide extensions for known file types" option in Folder Options (Tools -> Folder Options ->View ... in XP).

You should certainly not copy anything from "C:\WINDOWS" (or %windir%), nor any of your existing software from "C:\Program Files" (%programfiles%) or elsewhere.

And before you put ANY of your old files onto your freshly built PC, make sure you've installed all the latest patches, as well as anti-virus and anti-spam and other items as per the security advice linked to above.

Yes it's boring, yes it's like watching paint dry ..... but you'll feel a lot safer in the knowledge that some ghastly individual is not collecting your credit card details and passwords whenever you're online. :ok:


As part of your educational curriculum, a brief article from Microsoft on Rootkits...:cool:
Rootkits: The Obscure Hacker Attack (http://technet.microsoft.com/en-us/library/cc512642.aspx)
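As an added example (not from anyone in this thread), the Python script below applies green granite's "no .dll, .exe or .ini" rule and mixture's extended extension list to a backup folder before anything is copied back to the rebuilt PC. It goes one step further than the posts and flags double extensions such as "holiday.jpg.exe", which show up as "holiday.jpg" while the "hide extensions for known file types" option is on; the sample folder contents are constructed.

```python
"""Audit a backup folder for files that should not be copied to a rebuilt PC.

Added example, not code from the thread. Blocked extensions are the ones
named in the posts; the double-extension check is an added generalisation.
"""
import os
import tempfile
from pathlib import Path

# Extensions the thread says not to copy (compared case-insensitively).
BLOCKED_EXTENSIONS = {
    ".dll", ".exe", ".ini", ".com", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".wsf", ".wsh",
}


def classify(name: str) -> str:
    """Return 'copy', 'blocked' or 'blocked-hidden-extension' for a file name."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or suffixes[-1] not in BLOCKED_EXTENSIONS:
        return "copy"
    # The real (last) extension is executable. A second suffix in front of it
    # means the file masquerades as a photo or document once Explorer hides
    # known extensions, so it gets its own bucket for closer inspection.
    return "blocked-hidden-extension" if len(suffixes) > 1 else "blocked"


def audit_backup(root: str) -> dict:
    """Walk a backup tree and bucket every file (relative path) by verdict."""
    result = {"copy": [], "blocked": [], "blocked-hidden-extension": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            result[classify(fname)].append(rel)
    return result


def demo() -> dict:
    """Build a constructed sample backup folder in a temp dir and audit it."""
    sample = ["photos/holiday.jpg", "docs/tax.pdf", "photos/holiday.jpg.exe",
              "tools/setup.EXE", "docs/readme.txt", "old/autoexec.bat",
              "old/win.ini"]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")  # constructed data
        return audit_backup(tmp)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(verdict, sorted(paths))
```

Run it against the DVD or external drive from the clean machine; only the "copy" bucket goes across, and the two blocked buckets are left behind or looked at one by one.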

magpienja
6th Jun 2009, 08:01
All very depressing. How on earth can I keep all my photos, PDF files etc. and the like to install after a re-format and be sure they are safe to use again?

I am using the wife's PC at the moment, as you guys say not to use our desktop.

Nick.

x213a
6th Jun 2009, 08:52
Don't PC World have a virus clean service for those who don't know how to really "dabble"? Dunno how effective it is or whether they just run a simple virus scan. I think it comes with some sort of guarantee. I think it's called TechGuys or something.

magpienja
6th Jun 2009, 08:55
Anybody know any more of what x213a is saying?

Nick.

x213a
6th Jun 2009, 09:07
Two secs mate, I'll try and find you a link.

x213a
6th Jun 2009, 09:09
http://www.thetechguys.com/instore.shtml
There's a TechGuys counter in PC Worlds.

green granite
6th Jun 2009, 09:58
All very depressing. How on earth can I keep all my photos, PDF files etc. and the like to install after a re-format and be sure they are safe to use again?

Burn them to a DVD or CD; don't copy them back to your m/c until you have installed an anti-virus program such as Avast or AVG (both free).

Tarq57
6th Jun 2009, 11:42
There are all sorts of online scanning services available; they have varying degrees of success depending on the particular service and the particular malware.
This particular malware reads like it might not be easily removed without a more tailored approach.
I have no experience with PC Repair, Installation and Help and Support | The TechGuys (http://www.thetechguys.com), so am unable to comment on theirs (looks like it might cost something, though).
All very depressing
Sorry about that. It doesn't actually need to be.

How keen are you to dabble and learn?

Some of the forums of which I speak are very good at helping the technically challenged. (Step by step instructions, screenshots etc.) I could even have a go myself. (But would rather leave it to someone with a formal qualification, for your peace of mind and mine.)
I'll ask again: what AV was installed?

A rather big point worth making here is that PC protection is a multi-pronged beast.
- You have the physical security of the PC (won't get stolen, or if it does, there is no sensitive non-encrypted data on it).
- You have the software/hardware to protect it from web-based attacks (router, firewall, antivirus, everything updated, limited user account for the web-facing apps; the list can be as long as you want).
- And last but not least, you have an imaging program, or backup procedure, that periodically backs up stuff you don't want to lose to external media.

Horse/Barn door. Sorry. But next time.

Bushfiva
6th Jun 2009, 12:32
I'd give Trendmicro's Housecall a go, here (http://housecall.trendmicro.com/). It can be pretty slow, though.

magpienja
6th Jun 2009, 12:47
Tarq57, running AVG 8.5, Sygate firewall, Win XP OS.

Nick.

Tarq57
6th Jun 2009, 12:58
Hmm. Another nail in the coffin for AVG. (Could have happened with any AV, of course. Some folk actually don't run any.)

Interested in trying out any more free tools that might help fix this?

DrWebCureit (http://www.freedrweb.com/cureit/)
TM rootkit buster (http://www.trendmicro.com/download/rbuster.asp)
These are both fairly user friendly.
Anything DrWeb finds you should perhaps investigate further before quarantining (always quarantine; never delete outright).
How to investigate? Google the file name, and/or ask here or at a security forum. The full name and path should be quoted.

green granite
6th Jun 2009, 13:40
Another nail in the coffin for AVG

Indeed, I wish Zone Alarm would get a move on and bring out a version for Windows 7. :(