*Solved* New Virus Impossible to Remove HELP


#1
1212magicman
  • Member
  • 5 posts
  • Joined 30-December 11
  • OS:XP Pro x86
  • Country: Country Flag
The virus is called Temp:winupd.exe; some know it as the popupper. It started Dec. 15, 2011. It is located in User\Local Settings\Temp:winupd.exe.

This file is hidden in the user's Local Settings. It's invisible; even with "show hidden files and folders" turned on, you can't find it. CMD can't find it or delete it. Malwarebytes and Avast found it, but can't delete it. It starts on boot, and it uses a massive amount of RAM; the RAM it uses goes up exponentially, always growing. What it does is hijack the browser and send you tons of popups in the corner of the screen so that you can't X out of them. I have found no way of deleting this file. However, once you end the process via Task Manager it stays dead until you reboot.

Please help me. I'm attaching a log from Malwarebytes; notice all the IPs it blocks and how it fails to quarantine the virus.

Edited by 1212magicman, 31 December 2011 - 05:04 PM.




#2
allen2

    Not really Newbie

  • Member
  • 1,814 posts
  • Joined 13-January 06
Did you try to boot into Safe Mode and then remove the Temp folder in the infected profile(s)?

#3
submix8c

    Inconceivable!

  • Patrons
  • 4,379 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag
Have you run MalwareBytes in Safe Mode (F8)? AFAIK, it should run under Safe. It must have a "RUN" set in the Registry as well. Try that and also download/update SpyBot, set Advanced Mode, and look under "Tools/System Startup" for it and "disable" it if "Safe" doesn't work.

http://www.bleepingc....exe-23850.html

Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.

Hoping it's not "hiding" elsewhere under an assumed name and "cloning" itself.

If that doesn't work, come back and some other folks may be able to help further.

edit - URP! allen2 beat me to it. P.S. DO NOT delete your TEMP folder indiscriminately. First, DELETE it, then "Empty Recycle Bin" (make it GO AWAY), then go BACK and make a "new folder" called "TEMP" where the old one was deleted.

Edited by submix8c, 30 December 2011 - 04:10 PM.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!



#4
1212magicman
  • Member
  • 5 posts
  • Joined 30-December 11
  • OS:XP Pro x86
  • Country: Country Flag

[quoting submix8c, post #3]


No, both of you don't understand. There is no folder called Temp. THE FILE IS CALLED TEMP:WINUPD.EXE. It is located under D:\Documents and Settings\User\Local Settings. That is where the file "Temp:Winupd.exe" should be. It is not there. The only thing in that folder is a folder called Application Data. :( I'M SCREWED.

#5
Yzöwl

    Wise Owl

  • Super Moderator
  • 4,557 posts
  • Joined 13-October 04
  • OS:Windows 7 x64
  • Country: Country Flag


Your problem then is that you have a file name containing a character, :, which is not allowed in an NTFS file name. There are some utilities available for dealing with such files but you may be lucky using the following in a command prompt window:
del /a /f "\\?\D:\Documents and Settings\User\Local Settings\*.exe"

BTW there should be a directory named Temp in that location unless you have purposely redirected it to a non standard location yourself.

#6
submix8c

    Inconceivable!

  • Patrons
  • 4,379 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag
@$^#!!!!!

Not necessarily. I understand now, but don't remember the terminology or the particular thread that describes it (jaclaz posted in the same topic). It's a "file" or "reference" within a special file. That's the one that needs to be removed. (Something about a Meta-thingy.)

Sorry, can't help further (I'm old, ya know) but hang in there, there is probably a solution coming now that it's understood.

FOUND IT!!!!
http://www.msfn.org/...-how-do-i-dele/
There must be some kind of confusion going on... Have you tried the Safe Mode (never did say if you did or not...)?

edit!
http://www.threatexp...a0e417f9afff924
Try the Safe Mode, DELETE the TEMP folder, EMPTY Recycle Bin, RECREATE TEMP folder and RUN A MALWAREBYTES SCAN.
All while in Safe Mode...
There IS a RUN/RUNONCE, etc. in your registry as well... HAS to be!
Regedit - in HKLM -and- HKCU in either/both Software/Microsoft/Windows/Currentversion/RUN (etc) that should NOT be there! Also get CCleaner and RUN it.
P.S. in Malwarebytes run a FULL scan... (don't forget to Update your definitions)

Edited by submix8c, 30 December 2011 - 05:13 PM.



#7
1212magicman
  • Member
  • 5 posts
  • Joined 30-December 11
  • OS:XP Pro x86
  • Country: Country Flag

[quoting submix8c, post #6]


Wow, thanks for trying so much :) It was not in the registry. I do not have a folder named Temp in Local Settings. And to finally tell the truth: this is a school laptop which I get all year. Who knows what in the f*** they did to it, some things I can't even comprehend; they destroyed the location of "My Documents" and made it so it was only accessible while on their server. Who knows what else they did. But I have administrative access on it because I used rainbow tables to acquire the password. Still no luck in deleting the virus. Ran a Malwarebytes full scan; it found nothing. However, I ran a full scan with Exterminate It and found 13 registry viruses. 12 were linked to something called "Tarma Installer"; the other was an anomaly my school put in to stop System Restore. Also, Symantec found over 50 attempts to take a file out of its quarantine. All the file extensions start with unp(numbers).tmp. Weird thing is that they hide in my Avast Antivirus folder. Even Avast itself thinks it is a virus, with messages "Avastsvc.exe threat detected". Anyway, 2 of these files are in quarantine and cannot be deleted. I haven't tried Safe Mode because I don't see a point in doing that. I can't find the folder "Temp"...

#8
1212magicman
  • Member
  • 5 posts
  • Joined 30-December 11
  • OS:XP Pro x86
  • Country: Country Flag
OH CRAP!!! OH MY GOD I JUST FOUND SOMETHING!!! I tried creating a folder called "Temp" guess what.... it said that a folder called Temp already existed there..... but I can't see it....... What do I do?

#9
1212magicman
  • Member
  • 5 posts
  • Joined 30-December 11
  • OS:XP Pro x86
  • Country: Country Flag
I DID IT!!! I CAME UP WITH AN AWESOME PLAN!!
Here's what I did to remove the virus.

Step 1: Safe Mode.
Step 2: Went to Local Settings.
Step 3: Copied "Application Data".
Step 4: Pasted it on the desktop.
Step 5: Deleted the "Local Settings" folder.
Step 6: Made a new Local Settings folder.
Step 7: Inside it, made a new Temp folder.
Step 8: Pasted back the Application Data folder.
Step 9: Enjoy :P

Hope I helped anyone with the same problem :)
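The name Temp:winupd.exe is NTFS alternate data stream syntax: a stream called winupd.exe attached to the Temp directory, which is why Explorer and a plain del never show it and why replacing the parent folder, as in the steps above, got rid of it. The following is an added example, not something posted in this thread: a PowerShell script (3.0 or later, run elevated) that lists named streams on a profile's Local Settings folder and its children, optionally removes one stream by name without touching the folder's contents, and checks the Run/RunOnce keys mentioned earlier for a command line that points at a stream path. The profile path and the stream name are assumptions taken from the thread; adjust them for the machine at hand.

```powershell
# Added example (not from the thread). Requires Windows PowerShell 3.0+ for -Stream; run elevated.
param(
    # Assumed from the thread; point this at the affected profile.
    [string]$LocalSettings = 'D:\Documents and Settings\User\Local Settings',
    [string]$StreamName    = 'winupd.exe',
    [switch]$Remove        # report only unless this switch is given
)

# 1. Named streams on the folder itself and on each child. Files always carry the
#    unnamed ':$DATA' stream; anything else is an alternate data stream (ADS).
$targets = @(Get-Item -LiteralPath $LocalSettings -Force) +
           @(Get-ChildItem -LiteralPath $LocalSettings -Force)
$streams = foreach ($item in $targets) {
    Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
}
if (-not $streams) { Write-Output "no alternate data streams under $LocalSettings" }
foreach ($s in $streams) {
    # "Temp:winupd.exe" is exactly this shape: directory Temp carrying stream winupd.exe.
    Write-Output ("ADS  {0}:{1}  ({2} bytes)" -f $s.FileName, $s.Stream, $s.Length)
    if ($Remove -and $s.Stream -eq $StreamName) {
        # Deletes only the named stream; the folder and the files inside it stay intact.
        Remove-Item -LiteralPath $s.FileName -Stream $s.Stream -Force
        Write-Output ("removed stream {0} from {1}" -f $s.Stream, $s.FileName)
    }
}

# 2. Autostart keys named in the thread: flag any value whose command line is a stream
#    path (a second ':' after the drive letter) or that names the stream directly.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$streamPathPattern = '^"?[A-Za-z]:\\.*:[^\\:"]+"?(\s|$)'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $cmd = [string]$p.Value
        if ($cmd -match $streamPathPattern -or $cmd -match [regex]::Escape($StreamName)) {
            Write-Output ("RUN  {0}\{1} = {2}" -f $key, $p.Name, $cmd)
        }
    }
}
```

Run it once without -Remove to see what is there, then with -Remove only for the stream you have identified; on Vista and later, `dir /R` in cmd shows the same streams for a quick cross-check.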

#10
submix8c

    Inconceivable!

  • Patrons
  • 4,379 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag
Well, FWIW, I suppose that works, however there may have been an additional folder that may need to be kept. This is what I have (Dell Downloader is installed) -
Local Settings\Application Data\ <-- (hidden folder)
Local Settings\Apps\ <-- this folder (see Wiki link below)
Local Settings\History\
Local Settings\Temp\
Local Settings\Temporary Internet Files\
Also, there are (were) many "Desktop.ini" (hidden/system) files that may have been needed.
Within "Local Settings\Application Data\ ApplicationHistory" there are many "*.INI" files that may or may not be needed (I think maybe not but unsure - ComboFix may delete them).
More "Apps" info on Wiki (MS ClickOnce Technology).

If you have no other problems or issues, you might change the title to "Solved - yada yada", unless someone else indicates dire issues with this.
