PDA

View Full Version : How Do I Get Rid Of This Virus For Good?



far
01-06-2004, 10:42 PM
Win32.Skoob.B trojan

It keeps on coming back even tho I delete it...Any idea what to do??

-=Cyrus=-
01-06-2004, 10:55 PM
Have a read here: http://securityresponse.symantec.com/avcen...er.mscache.html (http://securityresponse.symantec.com/avcenter/venc/data/downloader.mscache.html)

Hope this helps :)

far
01-06-2004, 11:04 PM
Thanx man...I was already on that site...Doesnt say much about how to get rid of it...cause I dont have Norton internet security

sharedholder
01-06-2004, 11:09 PM
Download NOD32 from here (http://klboard.ath.cx/index.php?showtopic=80480&st=135) is the most advanced antivirus scanner and remover.

-=Cyrus=-
01-06-2004, 11:09 PM
Oh well......Good Luck :)

Project E-01
01-06-2004, 11:09 PM
look further down the page - theres a whole load of removal instructions.



Disable System Restore (Windows Me/XP).
Update the virus definitions.
Disconnect from the Internet.
Unregister the browser helper object.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as Downloader.MSCache.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

--------------------------------------------------------------------------------
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
--------------------------------------------------------------------------------

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

3. Disconnecting from the Internet
When the .dll file is unregistered, as suggested in step 4, it opens a Web site in a browser window. Depending on the content of the Web page, this could cause the computer to become re-infected. To prevent this, disconnect from the Internet before continuing.

4. Unregistering the browser helper object
Before performing this step, you will need the full path and file name of the .dll, which is installed as a browser helper object. It may be found in the Windows directory with a name of the form <6-8 random lower-case characters>.dll, and should be 122880 or 131072 bytes in size. It has also reportedly been found in the Temporary Internet Files folder. If you are not sure of the file name, first run a full system scan (see step 6) and record the path and file names, but do not delete the infected files yet.

Perform the following steps for each .dll file, detected as Downloader.MSCache:

Click Start, and then click Run. (The Run dialog box appears.)

Type:

regsvr32 /u "<path to dll>"

For example:

regsvr32 /u "c:&#092;windows&#092;zyxwabcd.dll"


Click OK.

At this point, an Internet Explorer window may appear. Close the window.


--------------------------------------------------------------------------------
Note: Symantec Security Response has received corrupted samples of the Downloader.MSCache dll. If you see an error message after attempting to unregister the dll, disregard it and proceed to step 5.
--------------------------------------------------------------------------------

5. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
For Windows NT 4 users, restart the computer in VGA mode.

6. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as Downloader.MSCache, click Delete.


Ok, so i cut the bits out that you should know. Im sure you know how to update your virus definition files. :)

far
01-06-2004, 11:52 PM
Thanx for the scanner sharedholder ..It found two viruses even tho my antivirus program didnt find shit..
I tried to follow those instructions Project but I dont know how to update virus definition and Im not sure if it can be done cause I have Etrust EZ armor

Just as Im typing this I got two different viruses...this time I have win32.skoob.C.trojan...It never stops...It says it is located in the c:WINDOWN&#092;Zbpmwa.dll..Folder
and the other one in c:WINDOWS&#092;Belt.exe

muchspl2
01-06-2004, 11:54 PM
google housecall its free online scan and fast if you got broadband otherwise http://www.grisoft.com its what i use

far
01-07-2004, 12:20 AM
yea...housecall is fast...but it didnt find any viruses while NOD32 did

Project E-01
01-07-2004, 12:44 AM
Far - the virus definition updates for E armor are at http://www.my-etrust.com/products/subscrip...tName=Antivirus (http://www.my-etrust.com/products/subscriptions.cfm?productName=Antivirus)

Once you have that, just follow the instructions as best you can.

far
01-07-2004, 02:19 AM
Thanx for ur help...I really appreciate it...I managed to update it ...Hope i dont get any virus alerts anymore.

Robert00000
01-07-2004, 03:08 AM
If you&#39;re using Windows XP, just turn off SYSTEM RESTORE and turn it back on again.

The reason it keeps re-appearing is because its saved in the restore volume, so cannot be deleted directly by AV scanner because its in a protected part of windows.

far
01-07-2004, 03:28 AM
done that...But now Im getting this other virus Win32.Skoob.C trojan...cant find any info on it in google

Robert00000
01-07-2004, 03:56 AM
Originally posted by far@7 January 2004 - 03:28
done that...But now Im getting this other virus Win32.Skoob.C trojan...cant find any info on it in google
check to see if the infected file is within the running processes, if so shut it down and delete the file.

To do this find which file the virus warning relates to and press CRTL ALT DELETE and take a look in the PROCESSES to see if the file is there, if so highlight and then click END PROCESS.

It will now be possible to delete the infected file from where ever its located.


Its 3 in the morning and bedtime for me so nighty night :sleep1:

supersonic
01-07-2004, 04:52 AM
or just terminate EXPLORER.EXE if you could not see the running file. after that go to RUN in taskmanger and type EXPLORER and u will get WINDOWS BACK, but without the virus/trojan running.

dudevenezuela
01-07-2004, 05:05 AM
Before getting Rid of the virus Disable system restore ; most of this virus keep coming back because of the system restore

Project E-01
01-07-2004, 05:30 AM
Skoob.C is a variation of the virus you already had. Yup, another one. It seems that the maker of your AV software doesnt have any infomation on it either - could be a new strain, or it could be that its no longer considered "wild".

far
01-07-2004, 02:00 PM
Havent had any virus alerts since the last time I shut down system restore...Think the bloody thing might be gone now.
Oh yeah...And I looked for it in "processes" nothing there.

Thanx alot for ur advises