
Thread: Virus Help

  1. #1
    jeod Guest

    Virus Help

    I'm not sure what it is, but I can explain more if you tell me what to look for. I have a major virus on my Windows XP laptop, and it's driving me crazy! Currently, I'm running a spyware scan in safe mode. Here's what always happens:
    1. Whenever I open Internet Explorer, a popup window opens with the message "Download and scan your PC for malicious hardware now!"
    2. iPodService opens at startup as a system process. iTunesHelper.exe opens at startup as a user process. I found that iPodService does not open when I close iTunesHelper, which starts before the system process.
    3. ZoneAlarm blocks many attempts from random IP Addresses, and also blocks something called -AU- Magic. I have no idea what it is.
    Can anyone help?

    Operating System: Windows XP Pro
    Software Version:
    Product Name: ZoneAlarm (Free)


    EDIT: After going to my popup blocker settings I found that a site called http://www.webstarts.com was allowed. (Don't click that link) I didn't set it like that.

    Message Edited by Jeod on 05-28-2008 03:37 PM

  2. #2
    findley Guest

    Re: Virus Help

    Jeod,
    Download, update the file definitions and run SUPERantispyware.
    It is free: http://www.superantispyware.com/
    Regards,
    Findley

  3. #3
    jeod Guest

    Re: Virus Help

    Thanks, I'll try it.

  4. #4
    findley Guest

    Re: Virus Help

    Jeod,

    You are welcome and good luck

    Regards,
    Findley

  5. #5
    jeod Guest

    Re: Virus Help

    Ok, I found it. SpyShredder, a copy of the malware Spy Sheriff. Any tips on removing it? SUPERAntispyware found it twice. Once a few days ago, and again today. I also have Zango Shoppingreports on this thing.

  6. #6
    oldsod (Join Date: Dec 2005, Posts: 9,056)

    Re: Virus Help

    Manual removal (delete file and registry keys manually) or the do-it-yourself tools, as in the suggestion below, is still one of the best methods....

    Spyshredder removal:

    http://www.bleepingcomputer.com/forums/topic98791.html

    Generalized Zango (180 solutions) removal:

    http://www.pchell.com/support/zango.shtml

    also see:

    http://fix-computer-problem.com/adwa...o_toolbar.html

    and ZANGO shoppingreports (zangocash)...

    http://www.spywaredetector.net/spywa...7;20Report.htm

    {Also hotbar removal...}

    http://www.pchell.com/support/hotbar.shtml

    some CLSID/BHO listings including generic ZANGO...

    http://www.castlecops.com/clsid.php?type=10

    Oldsod.

    Message Edited by Oldsod on 06-02-2008 05:36 PM
    Best regards.
    oldsod

  7. #7
    jeod Guest

    Re: Virus Help

    Done all that. Scanning in safe mode, there is one trojan left: ati2dva.dll.
    It says it's spyware/trojan. Researched it online and it's supposed to be a video card file or something. Date created was 2-13-08, but I don't remember doing any video card changes on that day. Was my video card file replaced with a fake? How do I remove it? (It won't let me delete it because it's being run by something, even in safe mode)

  8. #8
    oldsod (Join Date: Dec 2005, Posts: 9,056)

    Re: Virus Help

    Jeod wrote:
    > Done all that. Scanning in safe mode, there is one trojan left: ati2dva.dll.
    > It says it's spyware/trojan. Researched it online and it's supposed to be a video card file or something. Date created was 2-13-08, but I don't remember doing any video card changes on that day. Was my video card file replaced with a fake? How do I remove it? (It won't let me delete it because it's being run by something, even in safe mode)


    Right click the file and open the properties. Check the version, vendor, details and the certificates (not signed or improperly signed is also a good sign of it being malware).

    Strong chance this .dll really is malware.

    "The filename ATI2DVA.DLL was last seen on 03.21.2008, and it is considered unsafe. Threat name: Win32.X
    Filename: [System32Root]\ati2dva.dll
    Filesize: Unknown
    Last seen: 03.21.2008
    Status: Known to RemoveIT Pro as unsafe.

    This file can perform the following behavior.

    - Usually created by an unsafe process.

    - Registered as a Dynamic Link Library File.

    - Usually has a random filename and refers to many versions of a dynamic link library.

    - Can be injected/attached to a legitimate Windows process such as explorer.exe or other."

    http://www.incodesolutions.com/threa...ati2dvadll.php

    Start the PC in safe mode, once again.
    Open regedit (Start | Run | type in regedit and OK).
    In the View menu of its toolbar, open Find and enter this:

    {2706B6B6-5C80-47A4-B8DA-7CE98F104717}

    and delete what is found (this should be the BHO registry key for the .dll).
    Then repeat, and this time use ati2dva.dll in the Find.
    Delete all keys for this .dll.

    Now reboot again back into safe mode.
    The ati2dva.dll should now be deletable.
    Clean the Recycle Bin and boot back to Normal Mode.

    Oldsod.

    Message Edited by Oldsod on 06-03-2008 02:14 AM
    Best regards.
    oldsod

  9. #9
    jeod Guest

    Re: Virus Help

    Actually, the BHO key for the ati2dva.dll that I have is...
    {B8BFD574-5D96-42DB-9975-4A29C1473377}
    HijackThis found that one. I tried deleting it, but access was denied. Note that I was logged in on the administrator account.
    Name: (Default) | Value: 0000 | Data: C:\Windows\System32\ati2dva.dll
    I found some other files while searching for ati2dva.dll and deleted them, but I don't think it helped because the BHO isn't gone.

  10. #10
    oldsod (Join Date: Dec 2005, Posts: 9,056)

    Re: Virus Help

    While in regedit, right click the registry key in question and open the permissions.
    Check everything possible in the left column (you will figure it out) and apply and OK. The key should now be deletable.

    You will have to do this not with the key in the right panel of regedit, but in the left panel. Also sometimes not the listed keys (or the subkeys) but the main key.
    Sometimes immediate deletion attempts on the main key do not work, and the little subkeys must be deleted first before deleting the main BHO key.

    [It is part of some Windows self protection and this is being used by malware for its own advantage.]

    Oldsod.

    Message Edited by Oldsod on 06-03-2008 10:58 AM
    Best regards.
    oldsod
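The file-properties checks Oldsod describes in post #8 (vendor, version, signature, creation date) and the key-permissions step in post #10 can be gathered in one pass from PowerShell, so every registered BHO is inspected the same way instead of one file at a time. The script below is an added example written for this thread; it is not code from the thread, from ZoneAlarm, SUPERAntiSpyware, HijackThis or any other tool mentioned here. It assumes PowerShell 2.0 or later on Windows, run from an administrator session, and the function names `Get-FileTrust` and `Get-BhoReport` are mine. It only reads the registry and the file system; it removes nothing.

```powershell
# Added example (not from this thread): list Internet Explorer's Browser Helper
# Objects, resolve each CLSID to its DLL, and collect the evidence Oldsod asks
# for by hand: vendor, version, Authenticode signature, creation date, plus the
# owner and any Deny entries on the BHO registry key. Assumes PowerShell 2.0+
# on Windows, run as an administrator. Read-only; it deletes nothing.

$BhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

function Get-FileTrust {
    # The same facts as right-click > Properties on the DLL, returned as one object.
    param([string]$Path)
    $r = New-Object PSObject -Property @{
        Path = $Path; Exists = $false; Company = ''; Product = ''; Version = ''
        Signature = 'NotChecked'; Signer = ''; Created = $null
    }
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $r }
    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $r.Exists    = $true
    $r.Company   = [string]$file.VersionInfo.CompanyName
    $r.Product   = [string]$file.VersionInfo.ProductName
    $r.Version   = [string]$file.VersionInfo.FileVersion
    $r.Signature = [string]$sig.Status        # Valid, NotSigned, HashMismatch, ...
    if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    $r.Created   = $file.CreationTime
    return $r
}

function Get-BhoReport {
    # One row per registered BHO. "Suspicious" is a triage flag, not a verdict.
    if (-not (Test-Path -Path $BhoRoot)) { return @() }
    $rows = @()
    foreach ($key in Get-ChildItem -Path $BhoRoot) {
        $clsid     = $key.PSChildName
        $clsidKey  = Join-Path $ClsidRoot $clsid
        $serverKey = Join-Path $clsidKey 'InprocServer32'
        $name = ''; $dll = ''
        if (Test-Path $clsidKey)  { $name = [string](Get-ItemProperty -Path $clsidKey).'(default)' }
        if (Test-Path $serverKey) {
            # The (Default) value of InprocServer32 is the DLL that IE will load.
            $dll = [string](Get-ItemProperty -Path $serverKey).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
        }

        # Key permissions: a Deny entry or an unexpected owner is what produces
        # the "access denied" on delete that post #9 ran into.
        $owner = '(unreadable)'; $denyCount = -1
        try {
            $acl = Get-Acl -Path $key.PSPath
            $owner = $acl.Owner
            $denyCount = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        } catch { }

        $t = Get-FileTrust -Path $dll
        $suspicious = (-not $t.Exists) -or ($t.Signature -ne 'Valid') -or
                      ($t.Company -eq '') -or ($denyCount -ne 0)
        $rows += New-Object PSObject -Property @{
            CLSID = $clsid; Name = $name; DLL = $dll; Company = $t.Company
            Version = $t.Version; Signature = $t.Signature; Signer = $t.Signer
            Created = $t.Created; KeyOwner = $owner; DenyACEs = $denyCount
            Suspicious = $suspicious
        }
    }
    return $rows
}

# Usage: the full report, flagged entries first ...
Get-BhoReport | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, DLL, Company, Signature, Created, KeyOwner, DenyACEs -AutoSize

# ... or the properties of one file a scanner has named.
Get-FileTrust -Path (Join-Path $env:SystemRoot 'system32\ati2dva.dll') | Format-List
```

Two caveats when reading the output. PowerShell 2.0's Get-AuthenticodeSignature does not consult Windows catalog signatures, so many legitimate system DLLs on XP report NotSigned; treat that column together with Company, Signer, a creation date close to when the trouble started, and any Deny entries on the key, rather than acting on one column alone, and compare a doubtful file against the same file from a known-clean machine or the original install media. On 64-bit Windows the 32-bit IE also loads BHOs registered under the Wow6432Node copies of both keys, which this script does not walk.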
