Wierd Vista Virus!!!

[codeash]

Okay guys am back with a new problem now...I keep you guys so busy...lol

Anyways this is what happened...
I opened my nokia 3110c folder and there i saw a folder named Latest. I had not created the folder so i opened it and to my surprise it turned out to be a exe file which i have executed with a folder icon to fool people to run it. It copied something as i saw that dialog for files getting copied pop up.



The file mainly opens when I am accessing Internet through Mozilla, but it also comes up sometimes when I am using IE7.

Since I am using Vista, the OS keeps on asking me to give permission to access the file or not.

The file that asks for permission is Msupdatehost~9.exe not only "9" but it is from 1-9 randomly sometimes it is Msupdatehost~6.exe Msupdatehost~2.exe or Msupdatehost~7.exe

[Choto Cheeta]

AVG failed to Detect ??

anyway, possible that if can be a virus or can be a spyware, I would say if possible run a online scan from Kaspersky http://www.kaspersky.com/virusscanner or from ESET http://www.eset.com/onlinescan/

also try to download and install SPyBot SnD http://www.spybot.info

PS nice desktop !!! and please check your PM...

P.S dont forget to turn off the system restore when you run the scans

[Faun]

Off topic:
can u give me the wallpaper link.

[codeash]

Quote:

Originally Posted by Choto Cheeta

AVG failed to Detect ??

anyway, possible that if can be a virus or can be a spyware, I would say if possible run a online scan from Kaspersky http://www.kaspersky.com/virusscanner or from ESET http://www.eset.com/onlinescan/

also try to download and install SPyBot SnD http://www.spybot.info

PS nice desktop !!! and please check your PM...

P.S dont forget to turn off the system restore when you run the scans

I have installed AdAware 2007 and updated all the definations but still the virus is undetectable.

About the virus file I deleted it from the phone using phone filemanager so its no more there...

I am downloading spybot right now and will scan with that and see. I think i got this virus from my College computer Lab. I will see if i can get that file for you from there.

[anandk]

... and scan in safe mode !

[codeash]

Quote:

Originally Posted by anandk

... and scan in safe mode !

Scanned with AVG + Adaware 2007 + Spybot nothing has been found.

My AVG seems to have crashed now. I cannot load it. Adaware and Spybot also hang in between. I need urgent help now. No article on google for this problem.

I forgot to mention that I had uploaded the file that contained the virus to yahoo mail to see if Norton can recognise it but Norton too didn't recognise it. Is there any solution to the problem folks....

I am running Kaspersky online scan as reco by CHOTO CHEETA. I will post what ever the result comes out.

[Choto Cheeta]

Quote:

Originally Posted by codeash

Scanned with AVG + Adaware 2007 + Spybot nothing has been found.

My AVG seems to have crashed now. I cannot load it. Adaware and Spybot also hang in between. I need urgent help now. No article on google for this problem.

I forgot to mention that I had uploaded the file that contained the virus to yahoo mail to see if Norton can recognise it but Norton too didn't recognise it. Is there any solution to the problem folks....

I have mentioned online scanner !!! please use those 2 to scan the full system... you may aslo try downloading the TRIAL version of KIS / NOD32 and install to check for virus but 1st go to safe mode remove the AVG from start up loader and then run any scan with System restore turned off...

[codeash]

Quote:

Originally Posted by Choto Cheeta

I have mentioned online scanner !!! please use those 2 to scan the full system... you may aslo try downloading the TRIAL version of KIS / NOD32 and install to check for virus but 1st go to safe mode remove the AVG from start up loader and then run any scan with System restore turned off...

Scanning with Windows Defender also doesn't show up anything. I have turned off system restore and now scanning with Kaspersky online scanner. I hope this thing is atleast detected. God knows what virus is this...pissing me off...

[gxsaurav]

Its Win32.brontok. Download the removal tool from any antivirus vendor & remove it.

[codeash]

Quote:

Originally Posted by gx_saurav

Its Win32.brontok. Download the removal tool from any antivirus vendor & remove it.

The Virus name is Backdoor.Win32.Agent.bfe as detected by Kaspersky. I virus gets executed from C:\USERS\XXX\APPDATA\LOCAL\TEMP\MSUPDATE.TMP\MSUPD ATEHOST~3.EXE here XXX refers to the computer name.

The Virus crashed my AVG so i had to put Kaspersky. I don't understand what to do, cause there is nothing i can find on google about this.

@gx_saurav
Why do you think it is BRONTOK?

[Choto Cheeta]

@codeash

install Kaspersky Trial update it, then turn off the system restore and runa full system scan with kaspersky all settings turned to highest of its value ... kaspersky will it self clean the system

[codeash]

Quote:

Originally Posted by Choto Cheeta

@codeash

install Kaspersky Trial update it, then turn off the system restore and runa full system scan with kaspersky all settings turned to highest of its value ... kaspersky will it self clean the system

Choto Cheeta Kaspersky has already found that thing it cleans it but it comes back again. It even gave me this error some time back.

[Choto Cheeta]

@codeash

Just a question did u turn off the system restore (at all drives) before scanning ?? Delete all previous Restore points also...

[MetalheadGautham]

There is the Ultimate Boot CD For Windows which you can use to recover ny errors.

If all methords in previous posts and the above are of no use, use a light weight Live CD/USB distro and try to back all important data and make a fresh install

[codeash]

Quote:

Originally Posted by Choto Cheeta

@codeash

Just a question did u turn off the system restore (at all drives) before scanning ?? Delete all previous Restore points also...

Ya i have followed all the suggestions you have posted earlier. The Virus name is known now finally that is Backdoor.Win32.Agent.bfe is there any way i can remove this virus? This was detected by Kaspersky only. No other antivirus is able to catch it atleast not AVG, AdAware, Spybot...

I cannot put a fresh install cause i have too many files on my laptop which i cannot lose. I cannot take a backup of them.

I think the virus name is something else but then when i am allowing the msupdatehost~9.exe to execute it tries to download the file from http://microsott.tripod.com/update.jpg and the file name is Backdoor.Win32.Agent.bfe

[Choto Cheeta]

@codeash

Dont mind i am just trying to help, the file will return only if you have the system restore turned on... so please post a screenshot, of the system properties like this,



as I have doubt may be the system restore is turned on

now if it is turned off, then by chance are you running any back and restore software ??

[codeash]

Quote:

Originally Posted by Choto Cheeta

@codeash

Dont mind i am just trying to help, the file will return only if you have the system restore turned on... so please post a screenshot, of the system properties like this,



as I have doubt may be the system restore is turned on

now if it is turned off, then by chance are you running any back and restore software ??

Alright buddy i will do that asap. i am not at home right now. Will get back home and post you the screenshot for that.



Here is the screen shot. I was in SafeMode so could not access the system restore status as you said instead i tried to run it and here it is what it said. I am scanning my system again in safe mode with full settings. Hope this thing goes.

[MetalheadGautham]

@codeash: have you tried sending that exe to norton or some other similar antivirus provider with a facility to accept files and scan them, or if no threat is found by their scanner, report what exactly happened to them along with the file? It may help them release a removal tool for that virus.

I hope you also tried my previous idea of the Ultimate Boot CD For Windows. Go to a friend's computer, and visit http://www.ubcd4win.com/howto.htm for instructions on using the ultimate boot CD for windows. It also tells you what to download.

I would also like to know what are the things affected by the virus. is it only the desktop or does it also include the files? And if files, what files?

Have you finished the scan yet?

[codeash]

Quote:

Originally Posted by MetalheadGautham

@codeash: have you tried sending that exe to norton or some other similar antivirus provider with a facility to accept files and scan them, or if no threat is found by their scanner, report what exactly happened to them along with the file? It may help them release a removal tool for that virus.

I hope you also tried my previous idea of the Ultimate Boot CD For Windows. Go to a friend's computer, and visit http://www.ubcd4win.com/howto.htm for instructions on using the ultimate boot CD for windows. It also tells you what to download.

I would also like to know what are the things affected by the virus. is it only the desktop or does it also include the files? And if files, what files?

Have you finished the scan yet?

Ya the scan is finished. Kaspersky cannot trace the virus now. But when I open Mozilla or IE7 there alert comes up again asking instructions on execution of msupdatehost~9.exe. That dialog keeps on poping up and it floods my computer with that [as shown in the first image i have put]. Not only Mozilla and IE7 but even some system files are crashing. My AVG crashed and then I had to install Kaspersky Internet Security.

I have not submitted any file to the Symantec or any other AntiVirus company. I do not have the virus file that I executed earlier. I deleted it.

That error is not poping up in safe mode right now. I do not know what will be the situation when i login back to the normal mode.

[commando67]

hi, i too got the same problem, from past 4 days i keep getting the pop up. did u find any solution to the problem?

plz help

[commando67]

ok,
i have solved the prolem,

I first installed Hijacthis, then i saw the processs which were running. in that was a process names, iexplorer.exe and spoolvs.exe

founnd them in a folder called c:\Recyler\Recyler

so, i traced the folder containing these files.

And as expected deleting it there, results in they come back again.

So in the hijacthis misc tool section there was a tool, which allowed me to delete files when restarted. so i selected both the files. and restarted.

then again i opened hijackthis, serched the file msupdatehost~9/8/6/2/1.exe and did the same way of deleting it with, delete this on restart.

again i restarted the system.

note: dont run internet explorer or mozilla etc while ur doing the above steps. cos the virus wont go if u have tat running.

then use a nice regisrty cleaner, to clean ur registry,i used registry booster2. fix all errors, restart my comp.

and now my mozilla as well as internet explorer are working fine with no popups.