GoFuckYourself.com - Adult Webmaster Forum
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed. |
#1 |
Confirmed User
Join Date: Jul 2005
Posts: 2,339
|
Hey all. Got a virus that I can't get rid of, hoping someone could tell me how. Here's the deal...
I'm using AVG Free virus protection, and every night it pops up a warning saying that it's found a VBS/Agent in one of my files. I delete it, and then do a scan, and it comes up with roughly 9-14 more VBS/Agent infections. I delete them, and then do a scan (or several scans, both with AVG and with online scans) and the computer comes back clean. Stays that way all the next day, until around 11:30PM...then I get the pop-up telling me that it's found a VBS/Agent again....and the whole process starts over. It doesn't tell me what the infection is (as in an actual name), just tells me that it's a VBS/Agent. Anyone know what I need to do, or how to get this damn thing out of my computer? Any help would be greatly appreciated!! Thanks. |
#2 |
Confirmed User
Join Date: Feb 2003
Location: DeltaHell
Posts: 3,216
|
Get a copy of Spybot (free) and the newest definitions - run it and it should take care of those, as it's actually more of a trojan than a real virus
|
#3 |
Confirmed User
Join Date: Jun 2002
Location: --> . <--
Posts: 2,267
|
Whenever a box becomes infected, I rarely waste time cleaning. I simply perform multiple low-level formats and reinstall the OS.
However, in case you are not into that, I suggest using a different scanner. Preferably, use an online one, such as HouseCall, by TrendMicro. It is free, has a huge database, and cannot be corrupted as easily as your local virus scanner. |
#4 |
Confirmed User
Join Date: Feb 2002
Location: Michigan
Posts: 5,942
|
Reboot the computer in safe mode before you scan, that way the virus cannot stay resident in memory and rebuild itself.
__________________
Free jscott !!! Free OneHungLo !!! Free Baddog !!! |
#5 |
Confirmed User
Join Date: Jul 2005
Posts: 2,339
|
Hey guys, thanks for the suggestions. Unfortunately, none of them worked.
#6 |
Webmaster Extraordinaire
Industry Role:
Join Date: Jul 2002
Location: A beautiful beach...
Posts: 10,744
|
did you do the http://housecall.trendmicro.com/ one?
It's really good... otherwise, try adaware from lavasoft.nu Both free and great |
#7 |
Too lazy to set a custom title
Join Date: Dec 2004
Posts: 17,513
|
as czarina mentioned, http://housecall.trendmicro.com
|
#8 | |
Confirmed User
Join Date: Jul 2005
Posts: 2,339
|
Quote:
#9 |
Confirmed User
Join Date: Jan 2007
Posts: 190
|
I recommended superantispyware.com and Nod32.
But as mentioned, when pulling scans you have to do them in safe mode so nothing externally can be run or activated while scanning. If you know the name of the actual virus, google it and see if there is a patch removal tool that will get rid of it directly. |
#10 |
Confirmed User
Join Date: Aug 2002
Posts: 1,844
|
don't forget to delete your system restore as well after removing it.
|
#11 |
Confirmed User
Industry Role:
Join Date: Aug 2007
Posts: 6,697
|
In addition to the system restore: Make sure to boot into safe mode (hit F8 usually when booting before the windows logo appears) and then run a full scan using AVG. Then reboot once more and run another full scan in normal mode. Make sure you are running full scans.
__________________
You don't like my posts? Put me on ignore or fuck right off. I'll say what I want. |
#12 |
Old broad
Join Date: Oct 2002
Location: Away
Posts: 13,933
|
I've got a guy coming to the store tomorrow to try everything he has to remove a little shit that's tearing up the computer there. I've tried everything and it either says it's not there, or it can't get rid of it. Now I'm getting errors that I've run out of disk space.
Lesson #598: Don't let your employees use the internet from the main sales computer. |
#13 |
Confirmed User
Industry Role:
Join Date: Mar 2007
Location: Phoenix, Arizona
Posts: 1,725
|
Hopefully your guy will be able to get it fixed. If not try Spybot S & D and Hijackthis. It may take a few scans but that should get it. Best of luck!
|
#14 |
Confirmed User
Join Date: Mar 2008
Location: OC
Posts: 370
|
Fuck all that, reformat is the only true way to be sure.
|
#15 |
Confirmed User
Industry Role:
Join Date: Aug 2006
Location: Nassau, Bahamas
Posts: 3,133
|
Sounds like your PC has been infected by a Smitfraud variant. I deal with those nasty buggers all the time. Those are tough to get rid of because they embed themselves in system processes. You can remove the core, but a benign process simply copies it back into place when you reboot.
Here's what you do to remove them:
Download the SmitFraudFix from here: http://www.bleepingcomputer.com/files/smitfraudfix.php
Download ATF cleaner from here: http://www.atribune.org/index.php?op...25&Itemi d=25
Download Spybot Search and Destroy from here: http://www.safer-networking.org
Fully install the Spybot Search and Destroy program FIRST, downloading all updates.
Boot into safe mode and run the "clean" option (#2) of the SmitFraudFix. It will stop all processes while it does its scan, including explorer, so your taskbar and desktop will disappear. It shuts down everything so that the virus doesn't leave any processes to monitor that the core virus was removed.
When it asks to clean the registry, enter "Y". This will reset your wallpaper, browser search pages, and other elements that these variants target.
Disk cleanup will be started automatically when the clean is done. If you have a lot of time on your hands, let it run. Otherwise, cancel it and run the ATF cleaner, which is much faster.
Clear EVERYTHING using ATF cleaner, then run Spybot Search and Destroy to clean up the leftovers that may still be present. You can run a virus scan in safe mode while you're at it for good measure.
Reboot and you will be just fine.
#16 | |
Confirmed User
Join Date: Jul 2002
Location: Bay Area
Posts: 4,012
|
Quote:
http://www.merijn.org/programs.php#hijackthis
What happens is the virus is attached to your Windows login, so it can't be deleted sometimes 'cause it's in use. Safe mode may not work. If you are able to delete like you said and it shows back up, then there is something installed that will redownload the virus if it is deleted. Run HijackThis, then post in their forums and they will help you out. |
|
#17 |
Confirmed User
Join Date: Jun 2008
Location: Ireland
Posts: 117
|
For true peace of mind...nuke your HD.
|
#18 |
Old broad
Join Date: Oct 2002
Location: Away
Posts: 13,933
|
Mine's totally fried - buying a new one and hoping the old one holds out until it comes in.
NEVER LET SOMEONE ELSE USE THE INTERNET ON YOUR COMPUTER. Geeze, what a massive cluster fuck this has been. |
#19 |
Confirmed User
Join Date: Aug 2006
Location: Los Angeles
Posts: 600
|
All valid strategies. How about a new drive? Internal terabyte drives are so cheap these days. New OS install.. problem solved. I've found that usually I can re-add the offending drive as an additional internal storage device and grab whatever files I need with no problems as long as I have the virus program installed and have Hi-Jack-this handy. Usually never have to use those programs though...
If the virus is something that gets loaded in start-up then having the new drive but keeping your old drive as a back up works because it's not called into memory until after the base OS load process (MAC or PC). That is at least what I have discovered in my travels in my time from DOS 1.0 to DOS 6.0 to Windows 98 to XP.... and with our G4s and G5s in our office I still haven't messed around with Vista much. I've always been able to recover data from an old drive that way without having to re-format and losing everything. Then I reformat the bad drive and move the data that I need back there.
__________________
MUTTCASH! Start Earning today! www.muttcash.com |