ClamWin Free Antivirus
Support and Discussion Forums
Infected plz help
johnathan
Guest

I was infected with either a virus or spyware earlier today. I was able to use system restore to get to where I am functioning again but I do not believe all is well. I ran adaware, Norton and spybot. Spybot had some artifacts that it could not remove. Norton found two entries. I have yet to reboot for fear that the malware will reappear. I need desperate help. Thanks in advance for any help.
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
Since it appears that you might have some tough malware on your computer, I suggest that you go to CastleCops which has a nice forum with expert assistance for people needing help with malware at
http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

CastleCops also has a routine for you to follow to do some self-cleaning. In fact, they ask that you do this before posting anything to their forum, so try it. The self cleaning information is at:

http://wiki.castlecops.com/MRP

Good luck.

Regards,
robart.hendory
Guest

---EDIT---
The link to the "free" anti-spyware program referred to in this post has been removed, because the software is not free. We do not allow promoting commercial software in our forum disguised as free. I will have to ban the poster's account should this happen again.
Forum Admin
---EDIT---
Sean


Joined: 30 Jun 2007
Posts: 3
Location: India
I think I have a virus which is quite new, as I couldn't find any information about that file name on the net. It is certainly not a valid Windows file.

File name: l6GM0JnQ.exe
Location: system32 directory
windows: XP service pack 2

I have a firewall, Comodo Firewall Pro... which gave me a few reports... "l6GM0JnQ.exe is an invisible application that has altered wmplayer.exe in the memory and is trying to access the internet"..... I denied access, and a few minutes later I get another report "l6GM0JnQ.exe is an invisible application that has altered jusched.exe in the memory and is trying to connect to the internet" .... denied again.... downloaded ClamWin + the virus definitions.... and I scanned that file... it comes up negative.... then... I get a report that "utorrent has modified clamwin.exe in the memory and is trying to access the internet"... that really got me... utorrent already has access to the net, cos I'm downloading stuff... and why would utorrent do anything to ClamWin!? or any other application for that matter.....

Hence.. I think it's a virus which is hijacking apps which are running in the memory in an attempt to access the net under a different file name .... I sent a report online.... any advice on what I can do about it now? I'm pretty sure deleting that file won't do any good.... and since I didn't find any info on the file, I have no clue about what it does...
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
Upload the file in question to VirusTotal for a free scan with about 30 antivirus programs. Go to http://www.virustotal.com/en/indexf.html to upload. They also have a free script you can download to use in the future to automate the process.

I'm no expert, but let me suggest you try this: make sure Windows is fully patched and your security software is up-to-date. Then boot into Windows Safe Mode and run your antispyware and then your antivirus. If that doesn't help, you might reboot Windows and run an antirootkit. You can download Sophos' (free) at http://www.sophos.com/pressoffice/news/articles/2006/08/sophos-anti-rootkit.html and run it. Have it look at everything. When finished, it will tell you whether or not a file/process can be removed and if you should remove it. Follow the advice.

If that doesn't help, you might download a trial copy of A Squared or Prevx and try one of them.

Finally, if nothing works, at http://www.bleepingcomputer.com/forums/forum25.html you can get free help with malware removal. It is an involved process, but they will help you until it's gone.

Good luck!

Regards,
Sean


Joined: 30 Jun 2007
Posts: 3
Location: India
Thanks Bob... but that virus turned out to be more of a pain really... what it did first was.... alter an exe (for example A.exe) which is running in the memory and use that A.exe's name to try and gain access to the net.. but as Comodo (firewall) gives you the application that's trying to connect to the net, as well as the parent application, I could see its name in the parent application... once I denied it access... it moved on to the next exe... but what Comodo said was that A.exe has altered B.exe in the memory and is trying to access the net. And it kept jumping through all the exes running in the memory. I got really fed up, deleted that file, and restarted the comp... might not have gotten rid of it, but yeah... so far so good......
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
It sounds like the malware may have been in memory only, which is somewhat unusual. Watch it for a while, however--keep your signatures updated, and scan more often than usual.

Regards,