
Major Virus Problem - Tried Fixing (Still Not Fixed)

Discussion in 'Malware and Virus Removal Archive' started by Waverley73, 2008/01/07.

  1. 2008/01/09
    Waverley73 (Thread Starter)

    I was also going to mention that I have exited out of that SQL program, but each time I reboot it reappears.
     
  2. 2008/01/09
    noahdfear
    The following files are infected and need to be deleted.

    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Config.Msi\b2912.rbf
    C:\Data\Glen's\Personal\ic2share.exe

    msconfig.exe is needed to access the System Configuration Utility, so you'll need to search the drive for another copy and replace it. There should be one in C:\Windows\system32\dllcache (hidden folder) or a Windows Update backup folder. Those are hidden folders also, generally located in C:\Windows with names similar to $NTUninstallKB***$ or $NTServicePackUninstall$. Check the file size before you delete it and try to match it. It may well be replaced automatically by Windows File Protection from the dllcache upon deletion too.


    Scan again with HijackThis and place a check next to the following entries, close all other windows then click Fix Checked.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE

    The following are optional fixes in HijackThis ...... not necessary at startup and may improve performance slightly if not running.

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


    Run ATF Cleaner again, making sure to clean the Temporary Internet Files for sure. There are infected items there as well. Make sure the recycle bin gets emptied after deleting the above files. Reboot when done.

    That should wrap things up other than infected System Restore points. If you're satisfied that the computer is working properly, clear the System Restore points.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    I'll do some checking around to see why those security settings are not configurable to be lowered. Not that you should set them lower, but the ability should be there. Let me know if there's anything else that needs to be addressed, and how your computer is running now.
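A read-only audit of the items listed in the post above, as an added PowerShell example that is not part of the thread: it reports whether the three flagged files exist, compares the flagged MSConfig.exe with the dllcache copy by size (as the post suggests) and by hash, shows the current ProxyOverride value behind the R1 entry, and resolves the Global Startup shortcuts behind the O4 entries. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and the paths exactly as written in the post; it changes nothing on the machine.

```powershell
# Added read-only audit for the items named in the post above (not code from the thread).
# Assumes Windows PowerShell 4.0 or later; it only reports, it does not delete or fix.
$ErrorActionPreference = 'SilentlyContinue'

# 1. The three files the post flags as infected, quoted verbatim from it.
$flagged = @(
    'C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe',
    'C:\Config.Msi\b2912.rbf',
    "C:\Data\Glen's\Personal\ic2share.exe"
)
foreach ($p in $flagged) {
    if (Test-Path -LiteralPath $p) { "PRESENT  $p" } else { "absent   $p" }
}

# 2. Compare the flagged msconfig.exe with the Windows File Protection copy in
#    dllcache: by size, which the post says to check, and by SHA-256 hash.
function Compare-FileCopy([string]$Suspect, [string]$Reference) {
    if (-not (Test-Path -LiteralPath $Suspect) -or -not (Test-Path -LiteralPath $Reference)) {
        return "cannot compare: $Suspect or $Reference is missing"
    }
    $s = Get-Item -LiteralPath $Suspect
    $r = Get-Item -LiteralPath $Reference
    $hs = (Get-FileHash -LiteralPath $Suspect   -Algorithm SHA256).Hash
    $hr = (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash
    'size {0} vs {1} bytes; identical content: {2}' -f $s.Length, $r.Length, ($hs -eq $hr)
}
Compare-FileCopy $flagged[0] "$env:SystemRoot\system32\dllcache\msconfig.exe"

# 3. The R1 entry: current proxy values under HKCU that HijackThis reported.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable   = $($ie.ProxyEnable)"
"ProxyOverride = $($ie.ProxyOverride)"

# 4. The O4 - Global Startup entries: resolve every .lnk in the all-users Startup
#    folder so each target path can be checked against the list in the post.
$shell   = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -LiteralPath $startup -Filter '*.lnk' | ForEach-Object {
    '{0} -> {1}' -f $_.Name, $shell.CreateShortcut($_.FullName).TargetPath
}
```

Any startup target that is not in the post's list, or an MSConfig.exe whose size or hash differs from the dllcache copy, is what to look at before deleting anything.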
     


  4. 2008/01/09
    Waverley73 (Thread Starter)
    Will do when I get home.

    Many thanks on this mate - you really have helped out immensely.

    Once I'm done I'm definitely going to follow the instructions in the stickied thread about prevention.
     
  5. 2008/01/09
    noahdfear
    That's good to hear. ;)
     
  6. 2008/01/10
    Waverley73 (Thread Starter)
    I have followed all the instructions per your recent post and it all went great except I couldn't locate this file:

    C:\Config.Msi\b2912.rbf


    I don't even have a directory 'C:\Config.Msi'. I have the option which allows me to see hidden files and folders but that just isn't there.

    Other than this and the fact I can't change my security setting if I wanted to (which you're looking into) everything else is working great.

    Thanks heaps mate. I really appreciate it. I will visit periodically to see if you've got any news on the above query.

    Oh yeah, I'm off to download some anti-virus, firewall and other assorted preventative programs now... ;)
     
    Last edited: 2008/01/10
  7. 2008/01/10
    Waverley73 (Thread Starter)

    My computer seems to be running fine now and I am now installing some of the programs which are suggested on this site (although because of current circumstances I'm on an extremely slow internet connection and they're taking forever to download, or even saying half way through the download 'the connection to the server has reset').

    Just a question. I am in a situation where there is another computer in the house which uses the modem which is connected to our computer for their internet connection. Now if my computer is off they are still able to be connected, but if my computer is turned on they have no connection. Has this got something to do with this? (which I deleted in the last lot of stuff):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>

    I'm not sure if I should have mentioned this earlier.

    Cheers.
     
  8. 2008/01/10
    noahdfear
    The b2912.rbf may just be a file embedded in the C:\Config.Msi file, the msi extension suggesting it is an installation file. Recommend you delete that file.

    I wouldn't think the proxy override setting would affect any other computer's connectivity, but you can always test it out. Open HijackThis to the Misc Tools section and select Backup. Locate and select the entry then click Restore. Reboot for it to take effect.
     
  9. 2008/01/10
    Waverley73 (Thread Starter)

    OK. I actually tried to do a search for any file which contained '2912' or 'config.msi' and it didn't come up. I'll have another look tonight (and try the restore on that other file and test it out).

    Could it be the firewall settings that I've only recently downloaded affecting the connectivity of the other computer? I downloaded Comodo last night and coincidentally the problem has only surfaced since then.
     
  10. 2008/01/10
    noahdfear
    Oh yes ..... firewall could indeed be a problem. I'm guessing you are using Internet Connection Sharing, and you will need to configure the firewall properly to allow it. Not familiar with Comodo so I can't give you specifics, but if you can't figure it out and find nothing helpful in Comodo's help section, check the Comodo support forums or FAQs.
     
  11. 2008/01/10
    Waverley73 (Thread Starter)
    Will do. Have a good one mate. :)
     
  12. 2008/01/10
    noahdfear
    Thanks ......... you too :)
     
