How to Remove remaining start up - RUN regestry virus..

[KRISHI101]

I had virus named sservice.exe but i removed it by using IOBIT malware,
but now whenever i start up my PC suddenly error message comes on screen...

cant find C:\WINDOWS\system\sservice.exe

it is so much irritating..

i know it is in registry RUN, but i cant find it..
it is always comes on screen like it is stored in registry to RUN when window starts..

i have WindowsXP service pack 3..
i have used Tuneup utility program to search in registry but cant find it..

sorry for my bad grammar..

[Sam]

iobit antimalware is a joke. use malwarebyte instead.

for the program, try checking if its present in system configuration. else try hijack this. also do a scan with malwarebyte if traces of this virus is still left.

[dashing.sujay]

Check the "sservice.exe" entry in following keys-

1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run

2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce

3) HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run

4) HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\RunOnce

Also search manually "sservice.exe".

Hope this helps.

[Vyom]

Try CCleaner first to remove the culprit program from running at startup.
If that doesn't work, try Autoruns for thorough analysis of which things are running during startup, and disable them.

But, before that you need a scan from a good and updated antivirus.

If all fails then,...

Spoiler:

FORMAT

[thetechfreak]

Get any good free AV like Avira. install it in safe mode. do a full scan. remove virus.
If virus still remains, you might have to use a online AV like- HouseCall - Free Online Virus Scan - Trend Micro USA

[mrintech]

I will highly recommend you to scan your whole PC using following with latest definitions:

* Free Antivirus: Trial Versions
and
* Malwarebytes : Malwarebytes Anti-Malware PRO removes malware including viruses, spyware, worms and trojans, plus it protects your computer

If possible, analyze your PC with HijackThis and analyze the log here: HijackThis Logfileauswertung

There may be multiple malware on your PC

[KRISHI101]

i have installed AVIRA premium trial version + malwarebytes

and i also run msconfig to search sservice.exe startup registry,,,
it was in hkcu-software-microsoft-windowsNT-current version-windows-RUN

and i deleted it,,

and also run quick scan with malwarebytes..
it has found a .dll file with big numbering name..

now at start-up i found only one error "cant find sservice.exe" instead three error before..
it means there is also one hidden registry, which is not showing in msconfig..

and i think there is no virus left in PC..
because nothing unusual is happening in PC only startup error is remained..

[rawgeek]

Use autoruns to cleanuup....its a very powerful utility:
Autoruns for Windows

Use following guide to work with it:
Using Autoruns Tool to Track Startup Applications and Add-ons - How-To Geek

[KRISHI101]

Quote:

Originally Posted by rawgeek

Use autoruns to cleanuup....its a very powerful utility:
Autoruns for Windows

Use following guide to work with it:
Using Autoruns Tool to Track Startup Applications and Add-ons - How-To Geek

Thanks RAWGEEK its a great utility..
i found the last remained registry entry..
it was in HKLM-----windowsNT-currentversion-winlogon-shell-sservice.exe
and delete it..

and one more thing..
my malwarebytes is showing that it has blocked
222.186.42.186
and something 192.... also

what that means?
is there still any virus?

sorry..

as i seen in malwarebytes LOG
2012/01/30 03:04:21 +0530 MASTER Administrator IP-BLOCK 109.235.55.11 (Type: outgoing)
2012/01/30 03:04:24 +0530 MASTER Administrator IP-BLOCK 109.235.55.11 (Type: outgoing)

and..

2012/01/30 20:42:50 +0530 MASTER Administrator IP-BLOCK 222.186.42.186 (Type: incoming)

can anyone clarify me what this mean?

[dashing.sujay]

Attack from 222.* is by some malicious script run on some site which you tried to open.

Attack from 192.* may be DNS Cache poisoning attack. Check your firewall. If antivirus has not inbuilt firewall, enable windows firewall.

[KRISHI101]

I observe a thing..

when i try to download from torrent, at the same time malwarebytes shows these blocking ip addresses..

so i came to know that it was causing by torrent downloading and malwarebytes is blocking some malicious sites..