Virus which will NOT go away!

  • Virus which will NOT go away!

    I have a PC which has a virus on it. The virus details are:

    C:\WINDOWS\curslib.dll
    C:\WINDOWS\SYSTEM32\curslib.dll
    C:\WINDOWS\SYSTEM32\curslib.dll.old
    C:\WINDOWS\curslib.lld
    C:\WINDOWS\curslib.dll

    Virus Name: Mal/Xilcter-A

    The PC has the latest version of Sophos installed but Sophos cannot remove it and says it has to be removed manually.

    The other strange thing is that there is a process running in memory:

    C:\Documents and Settings\<USERNAME>\Local Settings\Temp\cmlhqv.exe

    No matter how many times I kill the process, it keeps coming back. I have meticulously checked all running processes using GMER and they all look OK! How does this process re-start itself so quickly???

    Anyone know a sure-fire way to get rid of Curslib.dll?
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

  • #2
    Re: Virus which will NOT go away!

    Format and reinstall has had a 100% success rate for me!

    Have you tried Malwarebytes and various "boot time" AV apps such as McAfee's STINGER?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Virus which will NOT go away!

      Tom, with suggestions like that you should be working for Microsoft!!

      I'm trying out MalwareBytes now. It actually stopped the file Wincert.dll from starting at boot! I think this file is the initial cause.
      |
      +-- JDMils
      |
      +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
      |


      • #4
        Re: Virus which will NOT go away!

        Originally posted by JDMils
        Tom, with suggestions like that you should be working for Microsoft!!
        What makes you think I don't -- look at my signature line -- my soul went to them with the first MCP

        Although said jokingly, my "format and reinstall" suggestion had a certain measure of truth in it. In a corporate environment, you cannot afford the time to clean an infected machine, nor the risk that the clean may not be successful. Your key priority is to recover data from the infected machine, then return it to normal service as soon as possible. If you think how long you may have been working with this PC, ask yourself if you could have done a clean install quicker?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **


        • #5
          Re: Virus which will NOT go away!

          These guys will walk you through a complete removal process (assuming it can be removed). They are malware specialists.

          http://support.emsisoft.com/forum/6-...-removal-help/
          A recent poll suggests that 6 out of 7 dwarfs are not happy


          • #6
            Re: Virus which will NOT go away!

            Scan from safe mode and/or from a boot CD. ComboFix / MalwareBytes in safe mode nukes pretty much anything.
            ** Remember to give credit where credit is due and leave reputation points where appropriate **


            • #7
              Re: Virus which will NOT go away!

              Just reinstall. It's much faster and you know you'll be safe again.
              In the time you are trying to fix the machine you could already have reinstalled the box.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"


              • #8
                Re: Virus which will NOT go away!

                Originally posted by Ossian
                If you think how long you may have been working with this PC, ask yourself if you could have done a clean install quicker?
                Originally posted by Dumber
                Just reinstall. It's much faster and you know you'll be safe again.
                In the time you are trying to fix the machine you could already have reinstalled the box.
                ^Quoted for truth.

                Nonetheless, if you really want to wage the battle, most antivirus companies offer a free boot disc that you can download as an ISO and run an offline scan from (Kaspersky and Avira, for example). I'm not sure about the license terms as many free A/V products have a statement in the EULA that bars the product from being used in a business environment.

                Offline scans are really the next best thing to a reinstall, although you might not be able to boot up once you're done. You may have to do a repair installation with your Windows disc as a last step.
                Wesley David
                LinkedIn | Careers 2.0
                -------------------------------
                Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                Vendor Neutral Certifications: CWNA
                Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/


                • #9
                  Re: Virus which will NOT go away!

                  Thanks guys - I managed to get back to the PC and MalwareBytes got rid of the infections from Safe Mode. My pressing question is, how does the malware restart itself each & every time you kill its process in memory using Task Manager?

                  I could not find another process which was monitoring the malware process so how it restarts itself is a mystery I'd like to understand.

                  I might even use the new knowledge in my programming from now on so that my app can never die unless closed by the user!!!!

                  Any suggestions as to where to go for this info?
                  |
                  +-- JDMils
                  |
                  +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
                  |


                  • #10
                    Re: Virus which will NOT go away!

                    Originally posted by JDMils
                    My pressing question is, how does the malware restart itself each & every time you kill its process in memory using Task Manager?
                    Magic.

                    Originally posted by JDMils
                    I could not find another process which was monitoring the malware process so how it restarts itself is a mystery I'd like to understand.
                    Chances are you've got a rootkit, so you can't trust what you see in Task Manager or any other monitoring program.
                    Wesley David
                    LinkedIn | Careers 2.0
                    -------------------------------
                    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                    Vendor Neutral Certifications: CWNA
                    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/


                    • #11
                      Re: Virus which will NOT go away!

                      It could also put an entry in the registry that runs a file on boot.


                      • #12
                        Re: Virus which will NOT go away!

                        Hidden processes / services, pretty much.
                        ** Remember to give credit where credit is due and leave reputation points where appropriate **


                        • #13
                          Re: Virus which will NOT go away!

                          Originally posted by JDMils
                          My pressing question is, how does the malware restart itself each & every time you kill its process in memory using Task Manager?
                          MSCONFIG is always worth a look.
                          1 1 was a racehorse.
                          2 2 was 1 2.
                          1 1 1 1 race 1 day,
                          2 2 1 1 2
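
Posts #11 and #13 point at registry autostart entries and the MSCONFIG startup list. As an added example (not part of any post in this thread), the Python below triages `reg query` text output for the Run keys and the Winlogon key, flagging autostart targets that live in a Temp directory and Winlogon `Shell`/`Userinit` values that differ from the defaults. The sample output is constructed, the entry names are hypothetical, and the defaults assumed are those of a stock Windows XP install.

```python
import re

# Constructed `reg query` output for illustration; not captured from the infected PC.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVTray    REG_SZ    "C:\Program Files\ExampleAV\tray.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\cmlhqv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultUserName    REG_SZ    user
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\example.exe
"""

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
TEMP_RE = re.compile(r"\\temp\\|%te?mp%", re.IGNORECASE)
# Assumed stock Windows XP values (lower-cased for comparison).
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"].strip()

def triage(text):
    """Return (key, value_name, reason) for entries that deserve a closer look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        low = data.lower().strip('"')
        if key.lower().endswith(r"\winlogon"):
            default = WINLOGON_DEFAULTS.get(name.lower())
            if default is not None and low != default:
                findings.append((key, name, "Winlogon value differs from default"))
        elif TEMP_RE.search(low):
            findings.append((key, name, "autostart target lives in a Temp directory"))
    return findings

if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE):
        print(f"{reason}: {key} -> {name}")
```

Given the rootkit possibility raised in post #10, output captured on the running system may be incomplete, so an empty result from this check does not clear the machine.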


                          • #14
                            Re: Virus which will NOT go away!

                            First scan it with HijackThis, so it will disable any trojan or virus at startup, and then scan it with the Quick Heal antivirus trial version. It will surely catch the virus and help you in cleaning it, for sure.
