# How can I remove this virus remnant?



## t_ski (Dec 20, 2010)

My wife picked up a virus the other day and I was able to remove all of it except for this:







The virus planted a startup file somewhere and I cannot figure out where it is located.  And since the name is not standard characters, I can't do a search for it.  I already tried picking some characters out of the windows character map, but could not find this reference.  Any suggestions?

This is on Windows XP Home SP2.

UPDATE: Case closed.  I was able to find the file calls with Autoruns.  Thanks


----------



## Red_Machine (Dec 20, 2010)

If you download CCleaner from www.piriform.com (it's free, so DON'T pay for it when it gives you the option to), it has a tab where you can disable or delete startup entries.


----------



## Marineborn (Dec 20, 2010)

Agreed with Red. Also, you can try to find the startup proggy in the registry, I believe, and delete it, unless I'm thinking of something else.


----------



## inferKNOX (Dec 20, 2010)

If you know what's what in your system, Autoruns will help you weed out anything that's not supposed to be attaching itself to your system startup.


----------



## 95Viper (Dec 20, 2010)

inferKNOX said:


> If you know what's what in your system, Autoruns will help you weed out anything that's not supposed to be attaching itself to your system startup.



+1
IMO, definitely look at Autoruns.
Nice tool. Free, too.  Goes a little further than MSConfig and others.

It will show in the lists "File not found" entries.
You can check and un-check items to test and/or you can delete the item after you see if you do not need it.

Be careful with it, you can muck up your OS.


----------



## Mussels (Dec 20, 2010)

That looks like it's starting up with Windows. Have you checked in MSCONFIG?


----------



## t_ski (Dec 20, 2010)

Marineborn said:


> Agreed with Red. Also, you can try to find the startup proggy in the registry, I believe, and delete it, unless I'm thinking of something else.



I looked for the 7 or so different areas in the registry that have startups (HKLM and HKCU), but only found the stuff in MSConfig.



Mussels said:


> That looks like it's starting up with Windows. Have you checked in MSCONFIG?



Yes, it is something that starts with Windows, but it does not show up in MSConfig.  That's the first place I looked, though.


----------



## MxPhenom 216 (Dec 20, 2010)

Malware Bytes, MSE, and CCleaner are your best friends


----------



## newtekie1 (Dec 20, 2010)

I was also going to suggest Autoruns.

Check to make sure it isn't attaching itself to explorer.  It should be the 3rd thing listed in Autoruns, the listing for the Shell.  It should just be Explorer.exe.  If it is anything else, that might be your problem.


----------



## kenkickr (Dec 20, 2010)

Go and grab HijackThis 2.0.4.  Great tool to see EVERYTHING that is running in the background and to get rid of certain items you do not want running in the background/startup.  If not sure what you're removing, post a screenshot and we can help you out.

SuperAntiSpyware is a pretty good AS app.


----------



## t_ski (Dec 20, 2010)

nvidiaintelftw said:


> Malware Bytes, MSE, and CCleaner are your best friends



I did use Malwarebytes to remove the virus (had to do it in safe mode as the virus kept blocking mbam).  I dl'ed MSE but did not install it because I was in safe mode at the time, and it would not run in safe mode.  Just plain forgot to run it when I got back into Windows...


----------



## 95Viper (Dec 21, 2010)

The file reference might be hiding in the boot execute, devices, services, or anywhere, as your first post is not necessarily showing an exe or com file.
Could be a dll, sys, or other.

I am not nagging you, just trying to help; have you tried autoruns yet and looked through it?
It will show you "File not Found" in the section called Image Path.
Chances are one of them is your culprit. You can un-check and/or delete it.
Seems like whatever it was... is gone; just a reference to file location is left.


----------



## t_ski (Dec 21, 2010)

95Viper said:


> Seems like whatever it was... is gone; just a reference to file location is left.



That was exactly the case.  However, I am glad to say, Autoruns was able to find both registry entries that were calling the file.  I tried unchecking them to test, and the message went away, so I ran it again and followed the registry path to both locations and deleted the keys (they were already in a "disabled" folder in the registry).

Thanks to everyone that gave some input, especially those who suggested Autoruns.  I had not heard of the utility, but I will be telling all my tech buddies at work about it tomorrow.  Case closed!


----------
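The kind of check the thread converged on, as an added example that is not code from this thread or from Autoruns: it walks the common Run/RunOnce values under HKLM and HKCU, resolves each image path, flags entries whose file no longer exists (what 95Viper describes as "File not Found"), prints each value name as code points so a name made of odd characters can still be identified, and checks the Winlogon Shell value newtekie1 mentions. It assumes a current Windows with Windows PowerShell 5 or later (the thread's XP box would not have it) and only covers the registry locations listed in the script, not every place Autoruns inspects.

```powershell
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line, quoted or not, after expanding %VARS%.
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|com|scr|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Bare file names (no directory) are looked up where the loader would find them.
function Test-ImageExists([string]$Path) {
    if ([IO.Path]::IsPathRooted($Path)) { return (Test-Path -LiteralPath $Path) }
    foreach ($dir in @("$env:SystemRoot", "$env:SystemRoot\System32")) {
        if (Test-Path -LiteralPath (Join-Path $dir $Path)) { return $true }
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = [string]$item.GetValue($name)
        $image  = Get-ImagePath $cmd
        $status = if (Test-ImageExists $image) { 'OK' } else { 'FILE NOT FOUND' }
        # Value name as UTF-16 code points, so an unusual name can still be searched for.
        $codes = ($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
        [pscustomobject]@{
            Location  = $key
            Name      = $name
            NameHex   = $codes
            ImagePath = $image
            Status    = $status
        }
    }
}
# The Winlogon Shell value should be plain explorer.exe; anything else deserves a look.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell -ne 'explorer.exe') { Write-Warning "Winlogon Shell is '$shell', expected explorer.exe" }
```

Pipe the output through `Where-Object Status -eq 'FILE NOT FOUND'` to see only the orphaned references; the script reports and does not delete anything.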

