Comments for Spyware-Virus Files and Process

Comment on Classified.exe by melven

melven — Tue, 09 Mar 2010 13:34:00 +0000

hi guys… ive’d been experienced that problem too. thats kind of worm is very dangerous. bcoz once u clik the infected drive it will spreadout. all ur folders, system folders etc.. it will do superhide. it was displayed a same folder.

solution:

1. slave ur infected hardrive to another computer that hav an updated anti-virus. i used eScan antivirus. or u tried nod32, and malwarebytes. just download to internet.
2. scan ur infected hdd… and it will automatically remove all folders infected by clasified.exe
3. show hidden files and folders.
4. back-up ur cleaned files to free disk hdd.
5 reformat and reinstall ur computer…

Comment on Classified.exe by Renz

Renz — Sat, 06 Mar 2010 11:41:06 +0000

Thanks JEFF. You helped us

Comment on winupgro.exe by milc

milc — Wed, 03 Mar 2010 19:33:39 +0000

I met this “nice piece of work” and really had a hard time cleaning it up.
Followed the instructions, but was never able to perform the first step in killing the winupgro.exe. So I downloaded and burned the RescueCD.
1. Booted the infected laptop using RescueCD.
2. started startx
3. created a perl script to do the same MD5 scan of all files on all disks drives that were mounted to /mnt/c and /mnt/d using commands:
mkdir /mnt/c
mkdir /mnt/d
mount /dev/sda1 /mnt/c
mount /dev/sda5 /mnt/d

The RescueCD comes with md5deep so no need to download. I also have a temp dir on my c: drive.
4. The scan found two additional files having matching md5, which is different from the one posted in first post here.
261cf3003f2fa106b4b6812cdd6cbe93 found in /mnt/c/Documents and Settings/Milans/Application Data/drivers/winupgro.exe

261cf3003f2fa106b4b6812cdd6cbe93 found in /mnt/c/Program Files/Microsoft ActiveSync/wcescomm.exe
261cf3003f2fa106b4b6812cdd6cbe93 found in /mnt/d/System Volume Information/_restore{1B979E5A-90BD-4339-A818-E49EB7202A10}/RP993/A0192373.exe

As listed, one file was on d: disk and one on c:. So you have to check and delete all disk as suggested in an earlier post.

Deleted all 3 files.
rm “”
Rebooted to WindowsXP
5. Downloaded the combofix, run it… it cleaned stuff, taking again some time.
6. Uninstalled NOD32 – as I couldn’t repair it
7. Installed NOD32, updated, scanned all.
It seems now I have a clean and running Windows XP.
Thanks for the idea, it saved my WinXP from a painful re-installation.

Here is the perl script I used. I used “find .” to create the listingC.txt with all files, one per each drive.

Once the program completed (perl scan.pl) use:
cat /mnt/c/temp/scan.log | grep ” found in”
to list the matching files.

/mnt/c/temp/scan.pl: (save to this file)
#!/usr/bin/perl -w
use strict;

my $ROOT = ‘/mnt/c’;
my $DATAROOTC = “/mnt/c”;
my $DATAROOTD = “/mnt/d”;

my $myLog = “$ROOT/temp/scan.log”;

my $fileSample = “$ROOT/Documents and Settings/Milans/Application Data/drivers/winupgro.exe”;

# Listings with files created by
# cd /mnt/c
# find . >/mnt/c/temp/listingC.txt
# cd /mnt/d
# find . >/mnt/c/temp/listingD.txt

my $listingC = “$ROOT/temp/listingC.txt”;
my $listingD = “$ROOT/temp/listingD.txt”;

my $md5deepExe = “/usr/bin/md5deep”;

sub Log {
my ($log) = @_;
open (my $OUT, “>>$myLog”);
print $OUT $log . “\n”;
print STDERR $log . “\n”;
close $OUT;
}
sub scan {
my ($md5Lookup, $fileList, $dataroot) = @_;
Log(“Starting scan for $md5Lookup on $fileList”);
open (my $IN, “<$fileList");
my $file;
my $cnt = 0;
my $md5;
while () {
$cnt++;
chomp;
$file = $_;
$file=~s/^\./$dataroot/;
# print “$file\n”;
# last if ($cnt++ > 10);
next if (! (-e $file) || (-d $file));

$md5 = &getMD5($file);
Log(“$md5 $file”);
if ($md5 eq $md5Lookup) {
my $dbg = “$md5 found in $file”;
&Log($dbg);
}
if ($cnt % 250 == 0) {
print “Processed: $cnt\n”;
}

}
close $IN;
Log(“Processed total of $cnt files.”);
}

sub getMD5 {
my ($file) = @_;
my $exe = “$md5deepExe \”$file\”";

my $ret = `$exe`;
my ($md5, $fileName) = split(” “, $ret);
return $md5;
}

############
# MAIN

my $md5 = &getMD5($fileSample);

print “Target lookup MD5 = $md5\n”;

&scan($md5, $listingC, $DATAROOTC);
&scan($md5, $listingD, $DATAROOTD);

print “Done.\n”;

Comment on zxx by zxx of zxx

zxx of zxx — Wed, 03 Mar 2010 18:46:05 +0000

Thank you for your help…

Comment on Classified.exe by Noreen

Noreen — Wed, 03 Mar 2010 15:48:08 +0000

i really need help here,… how can i possibly remove the classified.exe?

Comment on Mourn_Operator.exe by nghi

nghi — Wed, 03 Mar 2010 05:00:10 +0000

delete virus Mourn_Operator.exe

Comment on My Music.exe by Nimish

Nimish — Tue, 23 Feb 2010 12:04:34 +0000

My system is infected by a virus named My music.exe, what should i do to remove it.

Comment on True_Love.exe by Mohammed Fayaz K

Mohammed Fayaz K — Tue, 23 Feb 2010 06:21:45 +0000

If ur facing true_love.exe problem,i hav 1 suggestion for u.
Go to Start—— RUN——(Type) CMD ——–
(Type) CD\ (Enter)
(Type) Attrib(Space) -r(Space) -h(Space) -s(Space) True_love.exe (press enter)
(Type) Del True_love.exe
Proceed Same thing to all drives..

Mail me if u hav any problem

Comment on winupgro.exe by Michael

Michael — Tue, 23 Feb 2010 05:30:29 +0000

alibadia is the tool that worked…..
run the software, reboot and test.
all better now.
it might be written in spanish, but i can can read enough of it to make it work.
and it worked great.

Comment on winupgro.exe by Michael

Michael — Mon, 22 Feb 2010 06:33:15 +0000

Well mine isn’t getting fixed as easily as all of yours….
running windows 7 untimate 64bit…
most of the software will not install or run properly.
did i mention the virus was silly, being a trojan you’d think it wanted internet access….. but it killed all access.
i am using a different computer downloading files and researching, but combofix and xsoftspy will not run, they need internet access to update !

the alibadia is currently thinking about it……
we shall see

Comment on True_Love.exe by Surender Kumar

Surender Kumar — Mon, 22 Feb 2010 05:48:12 +0000

My pen drive(2 gb ) having love.exe virus file in word format what should i do.

Comment on Classified.exe by Trismund

Trismund — Sat, 20 Feb 2010 06:39:36 +0000

Try this… Classified.exe remover

USE AT YOUR OWN RISK!!!
Download:
hxxp://rapidshare.com/files/352192338/Class-X.exe.html

or visit this site http://www.trismund.net.ms

Comment on nissan.exe by nelson buisel

nelson buisel — Fri, 19 Feb 2010 17:01:41 +0000

what is the effect of this virus?and how to remove this virus manually?

Comment on Classified.exe by Cathleya

Cathleya — Thu, 18 Feb 2010 01:41:06 +0000

hello.. i have the same problem too… i’ve tried to do what u said jeff… but in my case… it says… couldn’t find the said location.

Comment on Classified.exe by arnold

arnold — Fri, 12 Feb 2010 10:25:33 +0000

- hey ..what if i can’t run my computer on safe mode.,how can i remove this daprosy virus or otherwise you guys called it classified.exe virus

Comment on Classified.exe by arnold

arnold — Fri, 12 Feb 2010 10:24:40 +0000

- hey ..what if i can’t run my computer on safe mode.,how can i remove this daprosy virus ir itherwise you guys called it classified.exe virus

Comment on True_Love.exe by Bhushan Malik

Bhushan Malik — Fri, 12 Feb 2010 07:14:13 +0000

Hellow sir
Your Anti virus Mbam Not dected True_Love Virus
Problam Is not Solved

Comment on At1.job by Raju

Raju — Thu, 11 Feb 2010 08:24:27 +0000

Thanks

Comment on regsvr.exe by h4x0r

h4x0r — Thu, 11 Feb 2010 00:34:31 +0000

@harish

If you can disable it you can remove it. Get malwarebytes and use the destroy/kill file option, search for the file and remove it.

Fortunately, if you are able to put malwarebytes on your box run it and it will get rid of this very useless, but destructive threat

Unfortunately, I am fighting with this virus on a clients computer. I have removed hundreds of trojans, virii, etc and I can my own trojans. This virus is a real useless bitch of a virus because if the infection is deep enough, it wont let you open any exe files or anything that would provide a fix like regedit,cmd, etc.

To most: Downloading or running an AV scan like Kapersky will NOT fix this virus, and if you are able to download a file then it should be malwarebytes or Combofix, assuming you know what your doing, but if you dont just Download Malwarebytes from another computer to USB, then from USB to your pc, leave your ethernet cord unplugged. Scan w/ Malwarebytes, remove, Run CCleaner restart

Will post a more indepth removal after I remove this from my clients work computer.

Comment on Classified.exe by kk

kk — Thu, 11 Feb 2010 00:24:35 +0000

i dont know how to regedit?? what part will i edit files?? please? and how to show folders like that… HELP:)

Comment on Classified.exe by Joseph

Joseph — Fri, 05 Feb 2010 18:23:58 +0000

I still cannot remove this virus or files (classified.exe) on some directories.. keep saying “The process cannot access the file because it is being used by another process..”? Please help.. Thanks..

Comment on winupgro.exe by srid

srid — Sun, 31 Jan 2010 06:09:39 +0000

another vicitim of this cruel virus. before i found this post, this is what i did. scanned my infected machine from a different machine on the network using mcafee enterprise. the scan is extremely slow but i could find 442656.exe lying under c:\Documents and Settings\padma\Application Data\drivers\downld with w32/Balgle.gen virus and i could the find the nasty winupgro.exe lying one directory above. i was not sure what it was till i read this post. thanks all for posting your experiences and am gonna five few items a shot. from my side, i think doing a network scan , though slow, is also viable idea if all else fails.

Comment on Classified.exe by Rachelle Marie Coranes

Rachelle Marie Coranes — Sat, 30 Jan 2010 07:35:32 +0000

What if I don’t have an internet connection?What should i do?

Comment on sysguard.exe by Max Siles

Max Siles — Wed, 20 Jan 2010 21:15:48 +0000

Hi, I had a Windows XP, SP3 computer infected with the “Antivirus Live” nasty little demon. Here is what I did to remove it:

Logged on as Administrator
Launched msconfig command from Run (remember, this is an XP computer)
Restored the system to a couple of days back

Once the computer rebooted, I installed MalwareBytes and ran the complete scan. In this case, it found 9 entries of malware on the registry. I removed them and rebooted the computer.

I hope this helps someone else out there.

Comment on sysguard.exe by TJ

TJ — Tue, 19 Jan 2010 03:29:53 +0000

Working on fixing a computer that has this. Doesn’t have all the files in windows but had a file named bttfsysguard.exe-050c006a.pt in c:\prefetch and then a bttfsysguard.exe in c:\documents and settings\(user)\local settings\application data\qxgdrs. Then I found 2 reg enteries by searching on the bttf. One was in the run, don’t remember where the other one was.

As for the person that can’t get in to the regedit. Boot the machine in safe mode by hitting F8 when it first is booting up and then pick safe mode, probably best if you do without network support. Then when it is booted up you will not see a run command in your start. What you need to do is and alt ctrl del to bring up your task manager. From there go to file and new task which is pretty much run and type in your regedit and you should be able to do it from there. Sure you have probably fixed it by now but maybe it will help someone else for the future.

Comment on Classified.exe by cherry

cherry — Mon, 04 Jan 2010 15:01:03 +0000

I’m encountring same problem with the virus but i cant follow that suggestions…. pls… help me in most easiest way!!!! pls,,,,pls,,, asap… =pls….

Comment on True_Love.exe by saurabh singh

saurabh singh — Fri, 01 Jan 2010 14:58:21 +0000

i have true love virus in my memory card.how did i can delete it?

Comment on Classified.exe by JULIUS

JULIUS — Fri, 25 Dec 2009 08:27:23 +0000

1. restart your computer…(it is an .exe file nothing will happened if you will not open it.
2. delete the clasified.exe by cmd (you must located it first)(desktop, drive d, c)
3. example(located at d:)
4.now go to cmd type this
d:
dir/w/ah
del/a/f clasified.exe

5its done restart again your computer.

Comment on chrome.exe by johnny

johnny — Tue, 22 Dec 2009 09:26:16 +0000

i have a problem with chrome.exe virus. i removed that from my computer but the information is appear when windows start. the chrome virus is completely removed but the information is still appear. please give me some solution to solve this problem. thank u very much .

Comment on Data Administrator.exe by jhon jairo polo lopez

jhon jairo polo lopez — Sun, 20 Dec 2009 20:35:48 +0000

buenas tardes, lo que pasa es que cuando abro una carpeta, aparece una aplicacion con el mismo nombre,
yo creo que es un virus, pero yo de eso no conozco.
ejemplo:
si abro mis documentos, aparece una carpeta que tambien se llama mis documentos.
si abro mis imagenes, aparece otra carpeta con mis imagenes

Comment on FUvirus.exe by Lex

Lex — Sun, 20 Dec 2009 13:21:18 +0000

thanks guys!!! i do really appreciate ur thoughts here..
thanks again..

Comment on Classified.exe by Dishan

Dishan — Thu, 17 Dec 2009 06:15:20 +0000

Best Solution ……… for classified.exe

1.login from safemode with command prompt
if explorer not loaded then type explorer.exe

2.(remove virus)
download “stinger” from macafee it’s Standalone anti-virus scanner for certain viruses.

run the virus scanner scan all local drivers including external removable disks

restart pc

3. (show hidden files)
last run this command in command prompt:
for /r c:\ %v in (.) do attrib -r -h -s “%v”

Comment on winupgro.exe by gamart

gamart — Mon, 14 Dec 2009 00:13:49 +0000

Flon (59) be sure to download the program in c:\ because the process is MAGIC!!!!

Comment on sysguard.exe by Shawn

Shawn — Sat, 12 Dec 2009 18:03:32 +0000

Well I got this last week and these instructions helped. I now have it on my other computer but it has changed.

New name: yhkosysguard.exe

It has taken away my regedit abilities (no others tho) and so these instructions aren’t helping.

Merry Christmas!!! And feedback be my guest

Comment on sys.exe by mukarram

mukarram — Mon, 07 Dec 2009 08:51:03 +0000

my question is
how to remove a virus nooh from momputer

Comment on sysguard.exe by Sharon

Sharon — Sat, 05 Dec 2009 02:35:36 +0000

I was able to finally get into safe mode and did it all .It worked like a charm .Thankyou so much

Comment on sysguard.exe by Sharon

Sharon — Sat, 05 Dec 2009 00:40:07 +0000

I found the file but are unABLE TO DELETE IT .IT wont let me.tried to get into Regedit and it wont let me

Comment on Classified.exe by kildadivil-vhin

kildadivil-vhin — Mon, 30 Nov 2009 07:45:03 +0000

the most classified virus removal is classified.exe by subatomica all kind of virus like classified, autorun, and try to visit the website ulop.net to more idea you want to know about pc

Comment on Classified.exe by abby

abby — Mon, 23 Nov 2009 11:16:29 +0000

where can i download hitman pro 3.5?? and kaspersk removal tool? ca any1 pLease give me the link. .please. .the ones dat i downloaded, were all corruplted.d.:(

please help me. .

Comment on BOOT.VBS by ramesh bhattarai

ramesh bhattarai — Sat, 21 Nov 2009 04:34:05 +0000

how to solve C:\documents and setting \administrator\boot.vbs
please reply soon as possible

Comment on Ramal Jodoh.pif by devy putri pratama

devy putri pratama — Mon, 16 Nov 2009 09:42:12 +0000

ramalkan saya ttgjodoh saya…dan apa saya bs menikah

Comment on Ramal Jodoh.pif by devy putri pratama

devy putri pratama — Mon, 16 Nov 2009 09:41:20 +0000

ramalkan ttg jodoh saya..

Comment on Classified.exe by bekyo

bekyo — Mon, 16 Nov 2009 05:28:20 +0000

me too..

i coudn’t delete also.

Comment on regsvr.exe by harish

harish — Sat, 14 Nov 2009 06:47:46 +0000

The procedure solves issue to an extent.

It only disable the regsvr virus but kill all the related registry stting. If you open you Regedit in the startup option, you will still see the Regsvr option which can be enabled or disbaled….Any way to remove it from here??

harry_g1979@rediffmail.com

Comment on FUvirus.exe by ega

ega — Thu, 12 Nov 2009 01:21:53 +0000

i’m also having the same problem….malwarebytes is effecitve in removing fuvirus….but all the files converted to .exe files were gone…

Comment on Classified.exe by gan

gan — Tue, 03 Nov 2009 07:19:06 +0000

hi..

i have finished doing steps 1 to 4..

but i couldn’t delete the ff files in step5:

%System%\hlpsvc1.exe
%System%\hlpsvc2.exe
%SystemDrive%\Read1st!.exe
%SystemDrive%\goats.exe
%UserProfile%\My Documents\Classified.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe
C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe

i need help please… thank you.

God Bless.

Comment on winupgro.exe by Flon Klar

Flon Klar — Mon, 02 Nov 2009 14:06:38 +0000

Why is it that when I run the batch file, the DOS window runs a constant stream of “md5deep” is not a valid program, command, or batch file?” The “out” file is also blank at the end of the scan. Am I doing something wrong?

Comment on winupgro.exe by Piotr

Piotr — Sat, 31 Oct 2009 14:42:09 +0000

Thank you, Yasser. Thanks to your post I was able to remove the winupgro.exe. My antivirus, NOD32, as well as Windows Defender got their arses kicked by it. Luckily my PC is now clean.

Comment on True_Love.exe by Zac

Zac — Fri, 23 Oct 2009 03:06:48 +0000

Avast can detect and remove TRUE_LOVE.EXE. But the thing is it wont automatically detect unless you scan the folder that has the virus.

Comment on ogard.exe by CCCP

CCCP — Sun, 18 Oct 2009 21:40:09 +0000

Try to boot in safe mode then find it and try to delete or u can try vista cause im hearing ti doesnt work on vista

Comment on Classified.exe by Jefferson

Jefferson — Fri, 16 Oct 2009 04:45:28 +0000

How to remove this virus…

1. Boot in safe mode with command prompt. Do NOT boot on safe mode with networking. the virus will be active.
>to boot in safe mode>>>start your computer>> while restarting press F8>> then choose safe mode

2. Run regedit (Start >> Run >> cmd)
3. Delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”WinSys” = “%Windir%\system.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”LSAShell” = “%Windir%\lsass.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”SessionMngr” = “C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Shell” = “Explorer.exe \”C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe\”

4. Edit the following entries too:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\”DisableSR” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”Hidden” = “2″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”HideFileExt” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “1″
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”Hidden” = “2″
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”HideFileExt” = “1″
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “0″
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”SuperHidden” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoFolderOptions” = “1″

Note: “0″ is to disable, “1″ is to enable.

Very Important Note:
Use Attribute Changer first to fix regular folders’ attribute BEFORE fixing the registry.
________________________________________

here’s my regentry for the above:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\”DisableSR” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”Hidden” = “2″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”HideFileExt” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”SuperHidden” = “0″

________________________________________

5. Manually delete the following files
%System%\hlpsvc1.exe
%System%\hlpsvc2.exe
%SystemDrive%\Read1st!.exe
%SystemDrive%\goats.exe
%Windir%\Classified.exe
%Windir%\system.exe
%Windir%\lsass.exe
%Windir%\shutdown.dll
%UserProfile%\My Documents\Classified.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe
C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe

Also clear your startup folder

%Windir%\ is usually Windows (unless you specified a diff one upon OS installation)
%system% and %systemDrive%\ is the drive where your OS is (usually C: drive)

Comment on Classified.exe by kirby

kirby — Fri, 16 Oct 2009 03:16:34 +0000

how do i show all the folders????

Comment on Classified.exe by kirby

kirby — Fri, 16 Oct 2009 03:15:12 +0000

all my foldera are gone. there is no folder options. how do i get it back? pls help jeff

Comment on Classified.exe by kirby

kirby — Fri, 16 Oct 2009 00:11:49 +0000

thanks jeff!

Comment on Classified.exe by weirdzal

weirdzal — Thu, 15 Oct 2009 03:29:02 +0000

can i just copy the “Advanced” folder from another pc and paste it on the directory on my pc?

Comment on Classified.exe by weirdzal

weirdzal — Wed, 14 Oct 2009 01:49:06 +0000

Hi Jeff…what if in the part below where the “Advanced” folder is missing in my case…how do i go around with this?

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”Hidden” = “2?
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
Advanced\”HideFileExt” = “1?
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”ShowSuperHidden” = “0?
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”SuperHidden” = “1?

Thanks for all the help i could get =)

Comment on zxx by bgeo

bgeo — Mon, 12 Oct 2009 17:54:02 +0000

Just ran a scan with STOPzilla and removed 81 threats – however, there was one with a high threat quotiant, Zxx, which Stopzilla could not remove – what is it? how dangerous? I can’t find it in any component/program list – how do I get rid of it?

Comment on True_Love.exe by loganathan

loganathan — Sun, 04 Oct 2009 09:32:53 +0000

i have avast antivirus.but true love.exe virus cant able to remove by avast .its permanently in my pendrive. icant able to format my pen drive.

Comment on MarioForever.exe by cisso

cisso — Tue, 29 Sep 2009 18:19:06 +0000

je demande le jeu marioforever.zip 18 Mo
ou marioforever.exe 16 Mo

Comment on winupgro.exe by Alex

Alex — Sun, 27 Sep 2009 02:50:15 +0000

Thanks Yasser. Worked for me. Similar file I found was NtuneCmd.exe in Nvidia Ntune folder. Deleted both NtuneCmd.exe and winupgro.exe and their registry entries, and it worked.
Creating checksum lasted about 10 hours, so thanks
to Anish for his workaround tip too.

Comment on True_Love.exe by ragend

ragend — Fri, 25 Sep 2009 13:24:44 +0000

i have true-love.exe on my computer…………………

Comment on winupgro.exe by Anish

Anish — Wed, 23 Sep 2009 06:04:37 +0000

Thanks Yasser and everyone. Your tip was a great help.
My C drive contains huge amount of data and it took more than 3 hours to create checksum for half of the files in hard disk.
I tried a tricky workaround. It worked for me, I hope it might help u guys too.

I looked at the property of [%appdata%\drivers\winupgro.exe] which were following
size:=856064B date:=5/6/2006

I did a search of this specific file using windows search including hidden files.
To my surprise I got the other file withing minutes.
In my case it was [%appdata%\..\Local\Google\Update\GoogleUpdate.exe] which got overwritten.
“GoogleUpdate.exe” uses windows scheduler and calls itself pretty often like when system is idel or when it restarts…

Also one another observation:
Look at these place where the winupgro.exe points to.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
the hidden overwritten exe might be one of the exe listed in these locations.

Regards
Anish

Comment on Data Administrator.exe by ashkan

ashkan — Mon, 21 Sep 2009 03:08:40 +0000

anti adminstrator.exe

Comment on True_Love.exe by Dinesh Babu

Dinesh Babu — Fri, 18 Sep 2009 11:22:02 +0000

Easy Way To Remove True_love.exe is stop Msrun32 services by ending it in taskmanger and find msrun32 and remove the file .

at last delete true_love in drive. then virus problem will be over

Comment on My SeXy.exe by tj

tj — Fri, 18 Sep 2009 10:21:13 +0000

plz i have a problem wit this virus
i need a removal tool that can help me remove it frm my system.

Comment on Classified.exe by Roberto

Roberto — Fri, 18 Sep 2009 10:03:25 +0000

Thanks a lot jeff. It worked.

Comment on Classified.exe by Rem

Rem — Tue, 15 Sep 2009 02:06:45 +0000

thanks jeff !

Comment on ikowin32.exe by Andrew

Andrew — Mon, 14 Sep 2009 21:33:39 +0000

Jason you douche there are people in the world who speak other languages who may not know how to speak English perfectly.

Comment on winupgro.exe by Amundo

Amundo — Sat, 12 Sep 2009 10:01:53 +0000

Thanks to this forum and “ComboFix”, I was able to delete the infected files (unfortunately, I still have some suspicious entries in my registry). On my machine, this is what I found: it behaves like a rootkit and hooks several important system processes. It keeps watch for AV products (including “ComboFix” – when downloading, rename it to something else, like “Combo-Fix”, else you’ll get “invalid Win32 application”) and will corrupt? or intercept? attempts at running them. It will then check your registry and find a program that starts when Windows starts – it will replace it with the Winupgro.exe, renamed as the applications original filename (in my case, I had KeePass password keeper in my startup – it was only by accident I was wondering why it was not autostarting anymore – it had the same icon as the infecting program!! – that’s why I noticed it!!!). So if you know what you’re doing, as has been mentioned previously, use MSCONFIG or AUTORUNS to see what gets executed at startup, and target these for the MD5 checksum, rather that checking the whole of the C: drive. (“ComboFix” does seem to work, though, I just lost track of all the things I did).

Comment on ProtectFile.vbs by Siddharth

Siddharth — Mon, 07 Sep 2009 06:05:15 +0000

When i tried the Move ON boot tool to rename first of all the it says New Name should contain a valid relative local file system path and if oi dont specify the path it says the source file doesnt exist.What to do please help

Comment on braviax.exe by ty

ty — Sat, 05 Sep 2009 19:57:49 +0000

to kill braviax.exe :

1-shut down internet.
2-open task manager
3-end braviax.exe and its creator sys32_nov.exe
4-than open windows/system32/
5-search find and delete with unlocker these found files sys32_nov.exe and braviax.exe in system32 folder..it means you survived braviax.exe))

Comment on Classified.exe by Mike

Mike — Sat, 05 Sep 2009 09:29:04 +0000

Oct 10 2007, 09:24 AM

Here’s a Tip on USB Devices on protecting them.. Hope you want this… Enjoy

1. Check first the Auto Insert Notification setttings. Set it to “prompt user…”.
2. Insert your USB device
3. Open “My Computer” after the USB loads
4. DON’T left-click, but right-click on the USB drive
5. Check: (very important)

if it displays:
QUOTE
Open
Explore
Search
Autoplay

then it’s safe.

if it displays:
QUOTE
Autoplay
Open
Explore
Search

or:
QUOTE
Auto
Autoplay
Open
Explore
Search

or:
QUOTE
0pen
Autoplay
Open
Explore
Search

or:
QUOTE
Open
Autoplay Folder Options. If Folder Options isn’t displayed, then proceed to step 7**
2. Go to the View tab, then enable “Show hidden files and folders”, and uncheck “Hide extensions for known file types” and “Hide protected operating files” (click yes on this part)
3. Apply and Ok
4. Click the address bar
5. Type the drive letter of your USB device (example – F:\)
6. Look for suspicious files… like EXE files that has the icon of a folder, and named after the folder it is in… or VBS files in the root folder… or krag.exe and other unnecessary executables, or the folder RECYCLER. Delete those.
7. Run Notepad
8. Go to File>Save As, go to any folder you want to save.
9. Name it as “autorun.inf”, then save.
10. Copy autorun.inf
11. Paste it on the root folder of the USB drive (example – F:\)
12.Confirm file overwrite.
13. Reconnect your USB device.
14. Finished. No more Autoplay.

**if there is no Folder Options, then it might have been disabled by the administrator, or your system also has already been infected.

===================================

Also dont Reboot PC (pressing restart button.) while your USB Device is inserted. it can corrupt data…

Comment on ikowin32.exe by Jason

Jason — Thu, 03 Sep 2009 23:49:39 +0000

“is still a threat?”

“just hide in usb and moved in my files in startup and avg catched”

“Should I must install an anti-spyware?”

WHAT ARE YOU TRYING TO SAY???

Before you expect someone to fix your issue, learn how to use proper grammar. It goes a long way in being able to understand what someone is trying to say, not to mention it’s just plain lazy and dumb.

Comment on winjpg.jpg by Aman

Aman — Thu, 03 Sep 2009 20:39:13 +0000

Dear
Ven i enter the system password at login it hangs for somtime then enter can u help me out.

Comment on winupgro.exe by francesco

francesco — Tue, 01 Sep 2009 07:56:52 +0000

Hi Yasser, i tried your procedure, it’ ok the OUT.txt file, i found the others files were the winupgro was hidden but the problem is that these file togheter with the winupgro.exe file are not deletable….when i try to delete thme i get the messase “access denied” disk could be full or write protected or the file is currently in use….and it’s true because the winupgro is running as virus gettin the 99% of the cpu resources!
How can i get out of this trick!??
thanks for your help!
francesco

Comment on winupgro.exe by Ozgur

Ozgur — Fri, 28 Aug 2009 23:45:15 +0000

It is working 100%. Thanks again.

Comment on True_Love.exe by Mohan.S

Mohan.S — Thu, 27 Aug 2009 12:36:07 +0000

I am alos effected that the same virus, so please help me.

Comment on vshost.exe by razvan

razvan — Thu, 27 Aug 2009 12:03:30 +0000

hi,guys i have a problem with vshost.exe…when i try to entire in D: partitio i receive a vshost message like zgb..please help me:((

Comment on FUvirus.exe by Sheena Shroff

Sheena Shroff — Wed, 26 Aug 2009 01:09:44 +0000

Hi there I got hit by the FU virus and I was wondering if ISRESET works with AVG. Please help all my important office files got hit.

Comment on rncsys32.exe by rqqt

rqqt — Mon, 24 Aug 2009 11:21:56 +0000

this malware can hijack server files … piggys back to your other network machines.

I has got infected by this pairup:
rncsys32.exe
kovin32.exe

Comment on ikowin32.exe by FND

FND — Sat, 22 Aug 2009 11:43:00 +0000

yes but if moved by usb and was deleted by the avg, is still a threat?
the program virus is not installed on my pc, just hide in usb and moved in my files in startup and avg catched
Should i must install an anti-spyware?

Comment on vshost.exe by mihai

mihai — Fri, 21 Aug 2009 14:00:55 +0000

Hi, my PC does the same thing. I saw that nobody answered at your post for a long time, why is site for anyway?

Comment on Classified.exe by Jeff

Jeff — Thu, 20 Aug 2009 17:43:11 +0000

Guys try this to remove Classified.exe worm

1. Download Hitman Pro 3.5 and run it to your computer
* This will remove threats in windows. Restart your computer

2. Download Kaspersk removal tool and run this in your computer.
* Run this tool after hitman. Remove all the threats that were found

3. Open regedit and do the following
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SystemRestore\”DisableSR” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\A
dvanced\”Hidden” = “2″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”HideFileExt” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”ShowSuperHidden” = “1″

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”Hidden” = “2″
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
Advanced\”HideFileExt” = “1″
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”ShowSuperHidden” = “0″
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\”SuperHidden” = “1″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
\”NoFolderOptions” = “1″

4. Show all the folders. Open run command and type this to the terminal:

attrib -h -s /s /d

*At this point the folders were back and your computer is now free from Classified.exe

5. Rescan again just to make sure your computer is safe from any threats

Comment on Classified.exe by noelskie

noelskie — Mon, 17 Aug 2009 06:52:47 +0000

I may say, once your pc is infected with this worm, it disable or blocked your antivirus, making it useless…It replace folders with an application with the same name and icon…original folders are set by this wom as super hidden so it appears to be deleted though it is really not.

My solution scan your infected hardrive to another pc with a removal tool…i have use an updated removal tool from kaspersky and it works… here’s the links:
Download 1 (http://downloads1.kaspersky-labs.com/devbuilds/AVPTool/)
Download 2 (http://downloads2.kaspersky-labs.com/devbuilds/AVPTool/)
Download 3 (http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/)
install this on a clean virus free pc then scan your infected hard drive or usb…It will detect and delete the worms…

As to restore the hidden folders, you have to set folder options to show all files and uncheck the hide protected operating system…to be able to view the hidden folders…then you may manually change its folelder attributes by right click the properties… or you may download a software called Attribute Manager 2.6 to ease the work of setting attributes…

Be sure to reset folder options for protections…when done…you may rescan to be sure worms are gone…then test the hard drive on your pc…

Its kinda long process but it works for me…

Hope It helps…God Bless!!!

Comment on winupgro.exe by Ozgur

Ozgur — Sun, 16 Aug 2009 12:58:35 +0000

Or you can try the easy duplicate finder to find the duplicate. The program has a min. and max. file size to search. If you make it look between 820-840 kbs it would find the trojan. Then clean the registry and uninstall the affected program as Yasser says. For me it was the AI Roboform.
One more thing , I have security task manager and it shows the icons for programs working in the background. Roboform is a program working in the background and its icon was the same as winupgro’s. Maybe that can also help.

Thanks for the solution. I will check my system and will post here if this alternative way works 100%.

Comment on vshost.exe by zgb

zgb — Wed, 12 Aug 2009 07:46:07 +0000

My avast cannot delete this “vshost.exe”,even if i choose to delete that file it is still on … and i got 1 more problem..that svhost.exe won’t let me see files on my HDD. When I try to open C:/ message is : “Windows cannot find ‘vshost.exe’. Make sure you typed the name correctly, and try again. To search for a file, click the Start button, and then click Search.” Pls any help or i need to format my HDD?

Comment on Classified.exe by Fernando

Fernando — Tue, 11 Aug 2009 21:13:27 +0000

“try downloading usb disk security…

then make your HD as a flash disk by using a IDE/SATA USB cable to scan it in another computer with the disk security…

that would work i already tried it…”

Nah..It won’t!

Comment on True_Love.exe by ian

ian — Tue, 11 Aug 2009 06:02:30 +0000

my laptop is insfected my classified.exe then i tried to delete using task manager, later on my whole screen invert… what should i do?please help!…

Comment on True_Love.exe by webmaster

webmaster — Sat, 08 Aug 2009 10:28:51 +0000

If it is on memory stick you can use Flash Disinfector.
http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

Comment on FUvirus.exe by jaymark

jaymark — Wed, 05 Aug 2009 03:13:53 +0000

..uhmmmmmm

..webmaster

..are you sure it can delete the FUvirus

..bcoz my pc is very affected by that virus

..i hope that this Malwarebytes’ Anti-Malware

..is working tnx

Comment on True_Love.exe by mani

mani — Mon, 03 Aug 2009 08:19:54 +0000

i also have the same…
true_love.exe virus
in my memory stick

help me how to remove…

Comment on Classified.exe by Rodel

Rodel — Wed, 29 Jul 2009 14:07:49 +0000

try downloading usb disk security…

then make your HD as a flash disk by using a IDE/SATA USB cable to scan it in another computer with the disk security…

that would work i already tried it…

Comment on True_Love.exe by mamun reza

mamun reza — Wed, 29 Jul 2009 08:12:40 +0000

i have two viruses
true_love.exe

in my pen drive and computer if delete after close and open they are reappeared

help me to remove viruses
i cant open my taskmanager

Comment on Patah Hati.doc .exe by ratheesh

ratheesh — Wed, 29 Jul 2009 07:17:28 +0000

i want removal tool of pathahati.doc

Comment on Classified.exe by hahabelat

hahabelat — Sun, 26 Jul 2009 13:12:15 +0000

i had the same problem too.. my first anti virus was avira.. and also i have malwarebytes.. but it only inactivate my antivirus. then i tried to download kaspersky but it can’t delete the classified.exe.. this folder is locked.. and all the sites of antivirus, malware, spyware and others are also blocked.

Comment on solution.vbs by Ody

Ody — Sat, 25 Jul 2009 08:56:35 +0000

My AVG alerted me that solution.vbs in my usb was potentially harmful. So I moved the file in to the vault.

Now whenever I try to access my usb, the Windows Script Host buble says “Can not find script file “G:\solution.vbs”.

What does this mean and how can I access my USB again?

Comment on chrome.exe by abrar

abrar — Wed, 22 Jul 2009 07:08:25 +0000

i hve got a virus with .exe extensions it creates a folder.exe folder in every pre-existing folder.please advice what to do

Comment on rncsys32.exe by fernanda

fernanda — Wed, 22 Jul 2009 05:23:43 +0000

It happened to me. The site of a client started to going wrong, showing blank pages. When I was searching the code, I saw that it had been mysteriously added a that directs to a site called “q1n.in” in all of my index and default pages. I contacted my host’s support and they said I was hacked. Not understand, because the files were all on the server and the password remains the same. Turning the antivirus on my machine I saw that I was more a victim of this trojan …

Comment on PAV.exe by KeV

KeV — Mon, 20 Jul 2009 22:27:00 +0000

I have a variant on my mates system in a PersonalAV folder and no winexplorer.dll and so I’m not sure if it will still operate quietly. Also, Does it need javascript, activex or something to install as prevention is better than a cure?

Comment on True_Love.exe by anand

anand — Sun, 19 Jul 2009 05:53:08 +0000

hi i also have same virues true love on my pendrive please help me how to remove this. the PC is getting stuck once i plug this in.