*Solved* New Virus Impossible to Remove HELP


The virus is called Temp:winupd.exe some know it as the popupper. It started Dec. 15, 2011. It is located in User\Local Settings\Temp:winupd.exe

This file is hidden in the user's local settings. It's invisible; regardless of whether you have hidden files and folders turned on, you can't find it. CMD can't find it or delete it. Malwarebytes and Avast found it, but can't delete it. It starts on boot, and it uses a massive amount of RAM; the RAM it uses goes up exponentially, always growing. What it does is hijack the browser and send you tons of popups in the corner of the screen so that you can't X out of them. I have found no way of deleting this file. However, once you end the process via Task Manager it stays dead until you reboot.

Please help me. I'm attaching a log from Malwarebytes; notice all the IPs it blocks and how it fails to quarantine the virus.

protection-log-2011-12-30.txt

Edited by 1212magicman


Have you run MalwareBytes in Safe Mode (F8)? AFAIK, it should run under Safe. It must have a "RUN" set in the Registry as well. Try that and also download/update SpyBot, set Advanced Mode, and look under "Tools/System Startup" for it and "disable" it if "Safe" doesn't work.

http://www.bleepingcomputer.com/startups/winupd.exe-23850.html

Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
Hoping it's not "hiding" elsewhere under an assumed name and "cloning" itself.

If that doesn't work, come back and some other folks may be able to help further.

edit - URP! allen2 beat me to it. P.S. DO NOT delete your TEMP folder indiscriminately. First, DELETE it, then "Empty Recycle Bin" (make it GO AWAY), then go BACK and make a "new folder" called "TEMP" where the old one was deleted.

Edited by submix8c
No, both of you don't understand. There is no folder called Temp. THE FILE IS CALLED TEMP:WINUPD.EXE. It is located under D:\Documents and Settings\User\Local Settings. That is where the file "Temp:Winupd.exe" should be. It is not there. The only thing in that folder is a folder called Application Data. :( I'M SCREWED.


Your problem then is that you have a file name containing a character, :, which is not allowed in an NTFS file name. There are some utilities available for dealing with such files but you may be lucky using the following in a command prompt window:

del /a /f "\\?\D:\Documents and Settings\User\Local Settings\*.exe"

BTW, there should be a directory named Temp in that location unless you have purposely redirected it to a non-standard location yourself.


@$^#!!!!!

Not necessarily. I understand now, but don't remember the terminology or the particular thread that describes it (jaclaz posted in the same topic). It's a "file" or "reference" within a special file. That's the one that needs to be removed. (Something about a Meta-thingy.)

Sorry, can't help further (I'm old, ya know) but hang in there, there is probably a solution coming now that it's understood.

FOUND IT!!!!

There must be some kind of confusion going on... Have you tried the Safe Mode (never did say if you did or not...)?

edit!

http://www.threatexpert.com/report.aspx?md5=c41b38e843b797192a0e417f9afff924

Try the Safe Mode, DELETE the TEMP folder, EMPTY Recycle Bin, RECREATE TEMP folder and RUN A MALWAREBYTES SCAN.

All while in Safe Mode...

There IS a RUN/RUNONCE, etc in your registry as well... HAS to be!

Regedit - in HKLM -and- HKCU in either/both Software/Microsoft/Windows/Currentversion/RUN (etc) that should NOT be there! Also get CCleaner and RUN it.

P.S. in Malwarebytes run a FULL scan... (don't forget to Update your definitions)

Edited by submix8c
Wow, thanks for trying so much :) It was not in the registry. I do not have a folder named Temp in Local Settings. And to finally say the truth: this is a school laptop which I get all year. Who knows what in the f*** they did to it, some things I can't even comprehend; they destroyed the location of "My Documents" and made it so it was only accessible while on their server. Who knows what else they did. But I have administrative access on it because I used Rainbow Tables to acquire the password. Still no luck in deleting the virus. Ran a Malwarebytes full scan, it found nothing. However, I ran a full scan with Exterminate It and found 13 registry viruses. 12 were linked to something called "Tarma Installer"; the other was an anomaly my school put in to stop System Restore. Also, Symantec found over 50 attempts to take a file out of its quarantine. All the file extensions start with unp(numbers).tmp. Weird thing is that they hide in my Avast Antivirus folder. Even Avast itself thinks it is a virus, with messages "Avastsvc.exe threat detected". Anyways, 2 of these files are in quarantine and cannot be deleted. I haven't tried Safe Mode because I don't see a point in doing that. I can't find the folder "Temp"...


I DID IT!!! I CAME UP WITH AN AWESOME PLAN!!

Here's what I did to remove the virus.

Step 1: Safe Mode

Step 2: Went to Local Settings

Step 3: Copied "Application Data"

Step 4: Pasted it on desktop.

Step 5: Delete "Local Settings" Folder.

Step 6: Make a new Local Settings Folder

Step 7: Inside make a new Temp folder

Step 8: Paste back your Application Data Folder.

Step 9: enjoy :P

Hope I helped anyone with the same problem :)

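A note and example added here that are not part of the thread, tying together the earlier post about the colon and the delete-the-folder procedure above: in NTFS, `Temp:winupd.exe` is the syntax for an alternate data stream (ADS) named `winupd.exe` attached to the `Temp` directory entry. That is why Explorer and a plain `dir` never show it, why `del` on `*.exe` cannot match it, and why deleting and recreating the folder takes the stream with it. The PowerShell below (PowerShell 3.0 or later for the `-Stream` parameter; an XP machine like the one in the thread would need the Sysinternals `streams` tool instead) lists the streams on the folder, checks the Run keys the thread mentions for anything referencing the stream, and removes only the named stream so the folder itself survives. The path and stream name are the ones given in the thread.

```powershell
# Added example (not from the thread): inspect and remove an NTFS alternate data
# stream. "Temp:winupd.exe" = a stream named "winupd.exe" on the Temp directory entry.
# Requires PowerShell 3.0+ (Windows 7 and later) for the -Stream parameter.
$Target = 'D:\Documents and Settings\User\Local Settings\Temp'   # path from the thread
$Stream = 'winupd.exe'                                          # stream name from the thread

# 1. Enumerate every stream on the entry. -Force includes hidden/system items.
#    Anything other than the default ':$DATA' stream is an ADS and deserves a look.
Get-Item -LiteralPath $Target -Force -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Format-Table FileName, Stream, Length -AutoSize

# 2. Check the persistence locations the thread points at: any Run value whose
#    command line mentions the stream name is the autostart that relaunches it on boot.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            Where-Object { $_.Value -match [regex]::Escape($Stream) } |
            ForEach-Object { "{0}: {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# 3. Remove only the named stream. The directory and its ordinary contents are untouched.
#    This fails while the stream's process is still running, which is why the thread's
#    advice to do it from Safe Mode (or after ending the process) matters.
Remove-Item -LiteralPath $Target -Stream $Stream -Force

# 4. Confirm the stream is gone; the ADS should no longer appear in this list.
(Get-Item -LiteralPath $Target -Force -Stream *).Stream
```

On Vista and later, `dir /r` in a command prompt shows the same stream list without PowerShell, which is a quick way to confirm whether a "missing" file is really an ADS on a folder.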

Well, FWIW, I suppose that works, however there may have been an additional folder that may need to be kept. This is what I have (Dell Downloader is installed) -

Local Settings\Application Data\ <-- (hidden folder)

Local Settings\Apps\ <-- this folder (see Wiki link below)

Local Settings\History\

Local Settings\Temp\

Local Settings\Temporary Internet Files\

Also, there are (were) many "Desktop.ini" (hidden/system) files that may have been needed.

Within "Local Settings\Application Data\ApplicationHistory" there are many "*.INI" files that may or may not be needed (I think maybe not but unsure - ComboFix may delete them).

More "Apps" info on Wiki (MS ClickOnce Technology).

If you have no other problems or issues, you might change the title to "Solved - yada yada", unless someone else indicates dire issues with this.
