[Vishnu]

The configuration of my PC include : HP Compaq dx2700 Processor : Intel Core 2 Duo.

I think my computer is infected with a virus. In my all drives, New Folder is created. When I try to delete it, I encounter a message " Access is denied" thus disabling me to delete it. Even, when I try to open Registry Editor, I receive the message " Registry Editor has been disabled by your Administrator".

How can I remove this New Folder from all the drives and how to open Registry Editor?

Kindly guide me on this issue.

Vishnu

[mphenterprises]

Hi Vishnu. Okay, I would agree with you that you are infected. I guess the first thing I would suggest you do is download SuperAntiSpyware, if you do not already have it. You can download the application here.

Once you have the application, restart your computer in Safe Mode. If you are not sure how to access Safe Mode, follow the steps laid out within this Document {document:id=1093} (I would advise selecting Safe Mode with Networking). Once in Safe Mode, make sure that the SuperAntiSpyware is up to date and then run a full scan.

If you cannot 1) download SuperAntiSpyware, 2) get into Safe Mode, 3) update the SuperAntiSpyware application, or 4) run a scan in Safe Mode, this situation may be much more significant.

[Vishnu]

Thank you for quick reply.

I have already installed LAVASOFT Ad Aware 2008. I want to consult from you that Super Antispyware may conflict with it or not. Should I install Super Antispyware?

[mphenterprises]

SuperAntiSpyware is the security application of choice amongst many of the members of this Community. That being said, there is no conflict having both applications installed. I have both of those applications installed on my computer and have never had an issue. Some may like both applications, some may like only one. If Ad Aware is working for you to your satisfaction, keep it. SuperAntiSpyware will be another level of security for you.

Once this issue is resolved, I would highly suggest that you review some of the Discussions within the Privacy & Security Community to see what other free security applications are recommended by members. In addition, I would advise you to review these two Documents regarding security:

{document:id=1830}

{document:id=1141}

[Vishnu]

I installed Super Antispyware and scanned the whole system in safe mode. 6 threats were detected and removed from the system. 2 threats have been detected but not removed (Trojan.Unclassified/RegSVR-Fake). Out of 2 threats, one was found in Registry Editor. How can I eliminate this entry from Registry?

Right now, I am not able to open registry editor. I am still getting the message " Registry Editor has been disable by your Administrator".

What should I do ?
Message was edited by: Vishnu

[mphenterprises]

Okay, this is not my area of expertise but from doing a bit of research, I did find one possible suggestion; however, it appears that this suggestion may be for new Windows Explorer pop ups and not new folders. That being said, it is worth a shot. If you can access Command Prompt, do the following:

http://en.kioskea.ne...ew-window-virus

- Click Start -> Run

- Type cmd and click OK

- Within the Command Prompt window, type the following: ATTRIB -H -S -R cAutorun.inf

- If a file is found, type the following: DEL c:Autorun.inf

- Repeat steps 3 & 4 for each drive you have by changing the drive letter (d:, e:, f:, etc.)

- Type MKDIR c:autorun.inf for each drive. This will create a folder so that a similar attack cannot happen again.







The only other conclusive suggestions out there has to do with editing the registry to remove any instance of svichossst.exe. However, since you cannot get into the registry, that is of no use to you at this time.

Here is a site that may be of use to you: http://tec-updates.b...moval-tool.html

There are two files that are suggested as possible combatants of this issue, ComboFix and SDFix. I must stress the following:

- The suggestion is about a year and a half old

- I cannot vouch for the validity of this site or the quality of these applications

- If after running these two applications you can access the Registry Editor, I stress not to try and edit the registry. If you do attempt to edit the registry, make a backup before you begin and follow the instructions exactly as shown.

[rgreen4]

They might also download and run Malwarebytes Anti-malware. Although I normally run SuperAntiSpyware and it scans on a daily basis, I scan periodically with Malwarebytes. It is free (apparently with limitations now) or the paid version for a one time fee of $25. It can be downloaded here.

[SpiritWind]

:D Hi :

Since SUPERAntiSpyware "detected" 2 Threats that were NOT "removed", it MAY be

helpful to Post its "Log" in the Forum here for us to take a look ; click "Preferences" on the

main GUI, then click "Statistics/Logs", then click the "Log" you want to be "copied, then

pasted", then click the "View Log" button and go from there . May be informative to see

the SPECIFIC 6 "Items" that were "removed" .

IF you use the FREE Malwarebytes' Anti-Malware, do NOT bother to run it in "Safe Mode".

Ad-Aware has NOT been a top performing antiSPYWARE program for several years and

is seldom recommended to be used by Experts on Advanced Removal Support Forums .

[Vishnu]

The log file of my last scan is as under so as to help me for further process. In this log you can see the names of two threats which were not removed.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/24/2009 at 01:49 PM

Application Version : 4.25.1014

Core Rules Database Version : 3811
Trace Rules Database Version: 1765

Scan type : Complete Scan
Total Scan Time : 00:19:59

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 4864
Registry threats detected : 1
File items scanned : 17814
File threats detected : 1

Trojan.Unclassified/RegSVR-Fake
[Msn Messsenger] C:WINDOWSSYSTEM32REGSVR.EXE
C:WINDOWSSYSTEM32REGSVR.EXE


Kindly guide me.

[SpiritWind]

:D Hi :

I was looking for the SUPERAntiSpyware "Log" that shows the 6 "Items" that were

"detected" and later "removed"; since the Log you posted is dated 3/24/09 at 1:49 PM,

the Log I am looking for should be earlier .

I will mention that I ran a SUPERAntiSpyware Scan on 3/10/09 that detected a similar

"RegSVR" that was identified as "Gezda/Gaggle Variant Worm Component", which MAY

be part of the "Optixpro" malware.

[coastie65]

Probably be a good idea that once it is cleaned, the System restore files should be deleted as well, to prevent a possible reinfection.

[Vishnu]

The log file of my first scanning is as under.

Application Version : 4.25.1014

Core Rules Database Version : 3811
Trace Rules Database Version: 1765

Scan type : Complete Scan
Total Scan Time : 00:33:27

Memory items scanned : 236
Memory threats detected : 1
Registry items scanned : 4863
Registry threats detected : 1
File items scanned : 17748
File threats detected : 2

Trojan.Unclassified/RegSVR-Fake
C:WINDOWSSYSTEM32REGSVR.EXE
C:WINDOWSSYSTEM32REGSVR.EXE
[Msn Messsenger] C:WINDOWSSYSTEM32REGSVR.EXE

Browser Hijacker.Favorites
E:PREETI DATASHARE DOCADMINSTART MENUADWARE REVIEWS.URL

Kindly guide.

[SpiritWind]

:D Hi :

The "new" Log does not provide any Info where I would be able to help . Would be Best to

ask "Malware Removal Specialist(s)", such as the certified, Volunteer "Microsoft Most

Valuable Professional(s)" that can be found on the Support Forums at aumha.net .

Good Luck .

[mphenterprises]

Hi Vishnu. Before running off to an arbitary site, can you confirm whether or not you have tried to follow the suggestions listed within post #5.

[coastie65]

Hi Vishnu, I didn't see any indication that you downloaded and ran Malwarebytes ( www.malwarebytes.org ). as suggested by rgreen4. I would do that first. I would then completly delete all system restore files and run the scans again ( superantispyware & malwarebytes ). coastie65

[Vishnu]

I installed Malwarebyte's Anti-Malware and scanned the entire system and 9 threats were found and removed.

But, I do not know how to delete all system restore files from the computer. Kindly guide me.

Thank you very much for showing your indication about Malwarebytes.

[mphenterprises]

Vishnu said:

But, I do not know how to delete all system restore files from the computer. Kindly guide me.

Hi Vishnu. The easiest way to delete System Restore files is to turn off the System Restore function. To do this, please follow these steps:



Open the Control Panel and select System*

Within the System Properties window, click the System Restore* tab

Within that tab, you will see the following (Click on the image to enlarge it.)*

!http://www.terryscomputertips.com/images/20060312_systemrestore.jpg|thumbnail=true!

* If you only have one drive (partition) in your computer, place a check mark in the box next to, "Turn off System Restore." It may also say, "Turn off System Restore on all Drives."

If you have multiple drives (partitions) in your computer, select the appropriate drive and click Settings*

# Place a check mark in the box next to, "Turn off System Restore on This Drive."

Click Apply -> OK*








At this point, I would advise you to run the scans again. You may even want to run the scans in Safe Mode. If you are not sure how to access Safe Mode, follow the steps laid out within this Document [d-1093].

Additionally, you still have not indicated whether or not you attempted the steps listed in Post #5.