undeletable virus


  • undeletable virus

    I hope I'm posting this in the right folder. My problem is that I think I have either a virus or spyware located in Local Settings/Temp/Temporary Internet Files/Content.IE5/1ZIKSXQP

    When I click on Content.IE5 in the left panel of Windows Explorer it shows four folders in the right hand panel of the screen, including 1ZIKSXQP. If I try to do anything to access these four folders I get an error message and Windows explorer shuts down. The error message says "Explorer.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created." This error message appears whether I try to open these four folders from the right panel of Windows Explorer or whether I try to double click on the Content.IE5 folder from the left panel. Even if I try to simply delete the entire Content.IE5 folder I get the same error message.

    The anti-virus programs and anti-spyware programs that I have tried seem to do one of two things in relation to this folder. Either they run without detecting any viruses or spyware or as soon as they get to the Content.IE5 folder I get an error message and the program closes. The results are the same in safe mode.

    I have tried the method of killing explorer.exe and deleting the file from the Command Prompt, but it does not work. When I type in DEL Content.IE5 it asks me if I'm sure. If I type yes then the Command Prompt immediately closes. If I type in "cd 1ZIKSXQP" and then "dir 1ZIKSXQP" the Command Prompt also immediately closes. The results are the same if I try doing this in safe mode.

    I have also tried using the Unlocker program, but I have been unsuccessful with that as well. When I use it it displays two locked paths. The first one is for the process Unlocker.exe. This path locked is to the 1ZIKSXQP folder. This is the reason why I believe the virus or spyware is in this folder. Prior to this time I was not sure which of the four folders the virus or spyware was located. Anyway, the second locked path is Explorer.exe and the path locked is to the Content.IE5 folder. Anyway, if I click "unlock all" it doesn't seem to do anything. If I try to double click the Content.IE5 folder or delete it I still receive the Program Error message. However, in addition I also receive a message that says "Dr. Watson is unable to attach to the process. It is possible that the program exited before Dr. Watson could attach to it. Windows 2000 returned error code = 2 The system cannot find the file specified."

    Any help on getting rid of this would be appreciated.

  • #2
    Re: undeletable virus

    Sometimes a rebuild is the only answer. .....

    Once rebuilt, take some basic precautions like:

    * not downloading / viewing dodgy sites/material

    * log in using a *locked down* account to use the computer for daily tasks

    * keep AV definitions up to date.

    * don't let anyone use your computer - without control of what they can do that is.



    • #3
      Re: undeletable virus

      Hmm... quite possibly a virus... but maybe not.

      Have you checked the event log?
      I'd also run a disk check.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: undeletable virus

        Reboot into safe mode and delete all your temp files.

        Run your virus scanner from within safe mode.

        Also another thing to check is that there are no hidden devices that the virus has installed as it will just keep installing when you reboot.



        • #5
          Re: undeletable virus

          Sometimes I find the best way to fix a problem like this is to remove the HDD from the infected computer, put it in an external HDD case, attach it to an isolated computer and scan the external HDD.



          • #6
            Re: undeletable virus

            So, how do I check the event log and run a disk check?

            I've tried running a few virus scanners from safe mode, and I still got an error message. Though maybe I just need a better virus scanner. What's the best one that I can get for free? How do I check for hidden devices?



            • #7
              Re: undeletable virus

              Originally posted by Master Moron:
              So, how do I check the event log and run a disk check?

              I've tried running a few virus scanners from safe mode, and I still got an error message. Though maybe I just need a better virus scanner. What's the best one that I can get for free? How do I check for hidden devices?

              To check the event log:
              Start -> Run -> type in eventvwr.msc and press enter. Look through the logs for errors and post any that you think might be a problem.

              To do a disk check:
              Open My Computer -> right-click your hard drive and select Properties -> click the Tools tab -> click Check Now... -> check both options and click Start -> click Yes and then restart your computer. It will do the check when it boots up.

              I would also go to the Internet Options and try deleting the files through there:
              Start -> Run -> type in inetcpl.cpl ->
              Delete Files (if IE6)
              or
              Delete Browsing History -> Delete Files under the temporary Internet files. (if IE7)


              As for the AV... AVG is usually good http://free.grisoft.com. I know Symantec, McAfee, and Trend Micro have free online scanning. It won't remove it but it will tell you what's infecting your computer. And if you know what's infecting your computer, you can find removal instructions by doing a Google search.
              Regards,
              Jeremy


              • #8
                Re: undeletable virus

                If you're running IE6 or IE7, try this to clear the IE cache:

                http://www.microsoft.com/downloads/d...displaylang=en

                It's stated to work for WXP but I'd give it a try on W2K -- that's just me.

                Also, run an adware / malware detector. May be something your AV isn't picking up.

                Problem w/ earlier post on mounting the drive as a slave on another machine is the registry won't get checked.
                Last edited by rvalstar; 8th June 2007, 18:44. Reason: WXP vs. W2K
                Cheers,

                Rick

                ** Remember to give credit where credit is due and leave reputation points where appropriate **

                2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                • #9
                  Re: undeletable virus

                  Originally posted by JeremyW:
                  To check the event log:
                  Start -> Run -> type in eventvwr.msc and press enter. Look through the logs for errors and post any that you think might be a problem.

                  I'm getting a lot of errors with the removable storage device and the Service Control Manager. The removable storage device errors usually show up as error 17. The Service Control manager usually shows up as error 7000, 7001, 7009, or 7026. I also have a couple DCOM errors 10010.

                  Originally posted by JeremyW:
                  I would also go to the Internet Options and try deleting the files through there:
                  Start -> Run -> type in inetcpl.cpl ->
                  Delete Files (if IE6)
                  or
                  Delete Browsing History -> Delete Files under the temporary Internet files. (if IE7)

                  Well, the thing is the folder that's set to my temporary internet folder is not the same folder that has the virus. The folder that is set to my temporary internet folder is Local Settings/Temporary Internet Files. The folder that has the virus is Local Settings/Temp/Temporary Internet Files.

                  Originally posted by JeremyW:
                  As for the AV... AVG is usually good http://free.grisoft.com. I know Symantec, McAfee, and Trend Micro have free online scanning. It won't remove it but it will tell you what's infecting your computer. And if you know what's infecting your computer, you can find removal instructions by doing a Google search.

                  Well, I ran McAfee and it found...holy crap...25 files:

                  C:\Documents and Settings\...\ysb_prompt[1].htm Adware-ISTBar
                  C:\kans.reg Reg/LowZones
                  C:\Program Files\buddylinks.net\blpref.exe Adware-BuddyLinks
                  C:\Program Files\...\PSD Tools\BLENGINE.EXE Adware-BuddyLinks
                  C:\Program Files\Ebates_MoeMoneyMaker\README.txt Adware-TopMoxie
                  C:\Program Files\...\Html\popo350a_counv.htm Adware-TopMoxie
                  C:\Program Files\...\Html\popo350a_non.htm Adware-TopMoxie
                  C:\Program Files\...\Html\popo350a_nv.htm Adware-TopMoxie
                  C:\Program Files\...\Html\pref350a.htm Adware-TopMoxie
                  C:\Program Files\...\Html\pref350a_dis.htm Adware-TopMoxie
                  C:\Program Files\...\Html\spec350a_yv.htm Adware-TopMoxie
                  C:\Program Files\...\Tp350\popo350a_counv.htm Adware-TopMoxie
                  C:\Program Files\...\Tp350\popo350a_non.htm Adware-TopMoxie
                  C:\Program Files\...\Tp350\popo350a_nv.htm Adware-TopMoxie
                  C:\Program Files\...\Tp350\pref350a.htm Adware-TopMoxie
                  C:\Program Files\...\Tp350\pref350a_dis.htm Adware-TopMoxie
                  C:\Program Files\...\Tp350\spec350a_yv.htm Adware-TopMoxie
                  C:\Program Files\sysreset\...\addons\moo.dll MotherboardMonitor
                  C:\Program Files\sysreset\k-f_sysreset.exe MotherboardMonitor
                  C:\Program Files\sysreset\k-f_sysreset.zip MotherboardMonitor
                  C:\r.bat Bat/Sdbot
                  C:\WINNT\conscorr.ini IPSentry
                  C:\WINNT\Downloaded Program Files\setup4002b.ini Adware-SAHAgent
                  C:\WINNT\Downloaded Program Files\ysbactivex.inf Adware-ISTBar
                  C:\WINNT\inf\conscorr.inf Generic Adware.inf.a

                  I assume the first one, the Adware-IST bar is the one I'm having trouble with, but I can't be sure since it doesn't show the full location of the file.

                  Well, this website claims to have a tool for removing Adware-IST: http://www.symantec.com/security_res...632-99&tabid=3 but it doesn't work, I get an error message when it gets to the Temporary Internet Files folder.
                  Last edited by Master Moron; 11th June 2007, 06:08.
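
Added example (not part of the thread or any poster's code): a short Python triage of the scan listing in post #9. It splits each line into path and detection name even though both can contain spaces, orders findings by an assumed priority keyed on the detection-name prefix, and shows which findings sit under a user profile. The priority mapping and all function names are assumptions made for illustration.

```python
import re

# Lines copied from the scan listing in post #9 (a subset covering each case).
REPORT = r"""
C:\Documents and Settings\...\ysb_prompt[1].htm Adware-ISTBar
C:\kans.reg Reg/LowZones
C:\Program Files\buddylinks.net\blpref.exe Adware-BuddyLinks
C:\Program Files\Ebates_MoeMoneyMaker\README.txt Adware-TopMoxie
C:\Program Files\sysreset\k-f_sysreset.exe MotherboardMonitor
C:\r.bat Bat/Sdbot
C:\WINNT\conscorr.ini IPSentry
C:\WINNT\Downloaded Program Files\ysbactivex.inf Adware-ISTBar
C:\WINNT\inf\conscorr.inf Generic Adware.inf.a
"""

# Assumed triage order keyed on detection-name prefix (not a vendor scale):
# script and registry files first, unclassified names next, adware last.
PRIORITY = [
    (re.compile(r"^(Bat|Reg)/"), 0, "script or registry file"),
    (re.compile(r"^(Adware-|Generic Adware)"), 2, "adware"),
]
OTHER = (1, "other flagged program")

def parse_line(line):
    # Directories contain spaces but the file names here do not, so the path
    # ends at the first whitespace after the last backslash.
    head, sep, tail = line.strip().rpartition("\\")
    parts = tail.split(None, 1)
    if not sep or len(parts) != 2:
        return None
    return head + sep + parts[0], parts[1]

def classify(detection):
    for pattern, priority, label in PRIORITY:
        if pattern.search(detection):
            return priority, label
    return OTHER

def triage(report):
    findings = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or unparseable line
        path, detection = parsed
        priority, label = classify(detection)
        findings.append({"path": path, "detection": detection,
                         "priority": priority, "label": label,
                         "path_elided": "\\...\\" in path})
    return sorted(findings, key=lambda f: (f["priority"], f["path"].lower()))

def in_user_profile(findings):
    # Only these entries could be in the Local Settings folder from post #1.
    return [f for f in findings if "\\Documents and Settings\\" in f["path"]]
```

Run over the listing, the two files at the drive root (`C:\kans.reg` and `C:\r.bat`) sort ahead of every adware entry, and the single finding under a user profile has an elided path, so the report alone cannot tie it to the 1ZIKSXQP folder.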



                  • #10
                    Re: undeletable virus

                    I think this is better left to people that deal with malware all the time.

                    Take a look at this thread from Majorgeeks.com
                    http://forums.majorgeeks.com/showthread.php?t=35407

                    HijackThis is a great tool but dangerous if used improperly. You will probably need to use it so have a read before you do. http://forums.majorgeeks.com/showthread.php?t=38752
                    Regards,
                    Jeremy


                    • #11
                      Re: undeletable virus

                      The time this thread has been running, you could have saved your data, wiped the drive and installed everything clean and have had 2 days of using a clean system instead of still trying to clean it up.

                      Any machine that has spyware I refuse to try and remove the garbage. It is easier to wipe and start again. Easier to spend 2 - 3 hours on a clean install than 15 - 20 hours cleaning and still not get it all. But hey, that is just me.
                      1 1 was a racehorse.
                      2 2 was 1 2.
                      1 1 1 1 race 1 day,
                      2 2 1 1 2



                      • #12
                        Re: undeletable virus

                        Sounds like a good advertisement for an image backup program (Ghost or equivalent).

                        Biggles, I think solving the problem now is really for the sport of it.

                        OP: Can you delete that false Temp\Temporary Files dir? If you can't, take ownership as Administrator and try again.

                        If you can clean out both C:\Windows\Temp and your Local Settings\Temp plus clean out your IE cache, etc. then run something like an Ad-aware or ??? twice -- does it clear the problem?

                        Never needed anything more than that and a bottle of good vino (payment for services rendered) to fix any of my neighbors' machines but your mileage may vary.
                        Cheers,

                        Rick



                        • #13
                          Re: undeletable virus

                          Make yourself a PE CD or use ERD Commander and delete the folders in question...

                          Kinda hard for Windows to lock a file if it was never booted. If for some reason you don't see the folders in question, then you may want to qtparted your way to a fresh install. Or use a Knoppix disk and ntfscapture to mount the partitions... then delete.

                          I can't stand stuff like this. I have an imaging center and don't hesitate to use it... less than 10 minutes I can have a brand new client out, so no bother.
                          its easier to beg forgiveness than ask permission.
                          Give karma where karma is due...



                          • #14
                            Re: undeletable virus

                            Originally posted by biggles77:
                            The time this thread has been running, you could have saved your data, wiped the drive and installed everything clean and have had 2 days of using a clean system instead of still trying to clean it up.

                            Any machine that has spyware I refuse to try and remove the garbage. It is easier to wipe and start again. Easier to spend 2 - 3 hours on a clean install than 15 - 20 hours cleaning and still not get it all. But hey, that is just me.

                            Unfortunately, reinstalling really isn't an option for me since I don't have a Windows 2000 installation disc. Also, I don't think I have anything large enough to hold on the data on my computer.



                            • #15
                              Re: undeletable virus

                              Originally posted by James Haynes:
                              I can't stand stuff like this. I have an imaging center and don't hesitate to use it... less than 10 minutes I can have a brand new client out, so no bother.

                              If only everyone understood and had similar capabilities.

                              Recovery is such an understated, misunderstood process.

                              If we could only get the masses to understand what a system is worth with data or loss thereof, time to recover, et al...
                              Cheers,

                              Rick
