# The baddest skype virus got me !



## BulgarianBoy92 (Dec 21, 2009)

*The baddest skype virus | KILLED*

 

Yesterday a trusted friend started writing some idiotic stuff, making no sense at all (i'm sure it was him... he laughs like that "HahAHAhahaaHAHA" or he writes "o" with a "0" for ex.), i asked him "Are you high?" and then he posted me an IP that looked something like this: 22..22.22..2. (ip)/"my skype name" "my country" and some other stuff... i clicked it and it downloaded a file... i didn't even open it because it looked fishy... "myskypename.*scr*" (screensaver)... i right clicked the file then properties and it *suddenly closed*, then i deleted the file with shift+delete...

Then anomalies started happening... 10 minutes later my pc froze for 3 seconds, i knew something was wrong, i went to task manager and found 2 new .exe files: sffsafuiagsifgasf.exe and another one... every time i killed it, new exe's were running with random character names...
I tried to locate the .exe's (in hidden files too) and i saw nothing... i knew the path of the exe but it wasn't there... i searched it with the windows7 search engine and didn't find it... i pasted its name in the start menu search box and it found it but when i deleted it nothing happened... it just popped up again

I knew the precise time when the first file was created and i searched for files created at the same time and deleted all that windows found... *but it didn't find the file in task manager (from which i saw the creation time)*

I went to C:/ where i keep all installations for AV's and important programs, and went in folder NOD32 Anti*virus*, then the folder closed suddenly like the properties window earlier, i navigated there again but it was empty (it deleted all files)... then i googled "skype *virus* changing name" and the browser closed like the folder, and the properties window... Same thing with another NOD, spyware remover, adware remover... Everywhere it found an antivirus-related name it closed the program or deleted a file...

I booted up in safe mode, i was disappointed i cant install an antivirus in safemode...
I deleted files with funny names and whatever was created on the same day after 7:22 (the precise time it got on my pc), i opened regedit and pasted exe file names from the task manager in the search box, and deleted the registry entries - nothing happened...

I found a program called "PC Tools Spyware Doctor" and im scanning at the moment... if someone had the same problem or a suggestion feel free to post...


----------



## crazyeyesreaper (Dec 21, 2009)

good example to never click a suspect file not much i can say to help best bet here is malwarebytes 

http://www.malwarebytes.org/

but i would suggest a full system reinstall i dont mess with virus wipe the drive reformat reinstall and dont fall for it again 

also another example of why ppl shouldn't text like idiots


----------



## InTeL-iNsIdE (Dec 21, 2009)

Nasty lil bugger. 

Either get a few different av programs and anti spyware (I recommend spybot s+d) loaded onto a USB stick then try running all of them in safe mode, or whip your hdd out and throw it in another pc and boot from the other pc's OS and again scan with multiple av and spyware programs. 


Failing that perhaps you might have to format if its a nasty one and has buggered the registry etc


----------



## BulgarianBoy92 (Dec 21, 2009)

crazyeyesreaper it shows an error when i install it... probably because im in safe mode


----------



## crazyeyesreaper (Dec 21, 2009)

then i suggest a full install ive only had 3 virus in my lifetime and all 3 times i just said screw it and reinstalled problem solved 

either that or do as InTeL-iNsIdE suggested pull the hdd out put it in another machine boot and scan it from that machine


----------



## Mussels (Dec 21, 2009)

sounds nasty


try looking in MSconfig, its got to start with windows somehow


----------



## Error 404 (Dec 21, 2009)

Mussels said:


> sounds nasty
> 
> 
> try looking in MSconfig, its got to start with windows somehow



Agreed, I had a program that was legit, uninstalled it, and then suddenly next reboot after about 3-4 minutes explorer would freeze, completely.
I went into safe mode, had a look at the services in msconfig, and it was the service with no description next to it. I also found the file and deleted it (shift+delete, none of that recycle bin shiz).
Avast! is able to do a pre-boot scan as well, which means it could find the virus before it starts in windows.


----------



## crazyeyesreaper (Dec 21, 2009)

i still suggest a reinstall kill it 100% every time


----------



## DrPepper (Dec 21, 2009)

crazyeyesreaper said:


> i still suggest a reinstall kill it 100% every time



Unless it hides in ze cpu cache. 

I almost got a virus from skype too but instead it got me


----------



## BulgarianBoy92 (Dec 21, 2009)

Thank you all for your help, i installed XP on my other hard drive to get an AV program and kill it... xp got infected too, when i clicked "end process tree" in Task Manager it killed it (in Win7 it didnt happen)

now im safe, it shows up again when you doubleclick a hard drive in my computer, but thats not a problem... the NOD32 is scanning at the moment.... i got the "Regedit has been disabled by your administrator" error, but i think i fixed it >>> GPEDIT.MSC; user config; administr. templates; system; prevent access to registry tools - disabled it and ill restart after the scan is over

I also removed the startup exe's from msconfig but nothing changed, new ones appeared


----------
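A read-only check for the two symptoms in the post above (the "Regedit has been disabled by your administrator" lockout and startup entries that keep coming back), as an added example that is not part of the thread. The flagging rules (`.scr` targets, user-writable directories, targets that cannot be seen on disk) are this example's own heuristics; the thread does not say where this malware registered itself.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.

# 1. The policy "Prevent access to registry editing tools" is stored per user
#    as the DisableRegistryTools value under Policies\System.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRegistryTools -ne 0) {
    "Registry tools blocked: DisableRegistryTools = $($policy.DisableRegistryTools)"
} else {
    'Registry tools are not blocked by policy for this user'
}

# 2. Walk the Run keys (part of what msconfig shows on its Startup tab) and
#    flag entries whose target is a .scr, sits in a user-writable directory,
#    or cannot be seen on disk.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$writable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }

foreach ($keyPath in $runKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        # Pull the program path out of a quoted or unquoted command line.
        if ($command -match '^\s*"([^"]+)"') {
            $target = $Matches[1]
        } elseif ($command -match '^\s*(.+?\.(exe|scr|com|bat|cmd|pif))(\s|$)') {
            $target = $Matches[1]
        } else {
            $target = $command.Trim()
        }
        if (-not $target) { continue }
        $target = [Environment]::ExpandEnvironmentVariables($target)

        $flags = @()
        if ($target -match '\.scr$') { $flags += 'screensaver extension' }
        foreach ($dir in $writable) {
            if ($target.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += "under $dir"; break
            }
        }
        if (-not (Test-Path -LiteralPath $target)) { $flags += 'target not visible on disk' }
        if ($flags) { "{0}\{1} -> {2}  [{3}]" -f $keyPath, $name, $command, ($flags -join '; ') }
    }
}
```

A flagged entry is a lead to investigate, not a verdict: legitimate updaters also start from per-user directories, and Run keys are only one of several startup locations.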



## Mussels (Dec 21, 2009)

honestly, back up data and format. this sounds like one nasty virus.

the fact that it somehow spread to the new OS is rather worrying.


----------



## TRIPTEX_CAN (Dec 21, 2009)

Disconnect the PC from your network and format it. If that thing jumped from one HDD and infected another OS then it's pretty lethal.


----------



## BulgarianBoy92 (Dec 21, 2009)

Mussels said:


> honestly, back up data and format. this sounds like one nasty virus.
> 
> the fact that it somehow spread to the new OS is rather worrying.



The nastiest thing is the way it spreads... it records random chat from your friend (you) and pastes it, you think that its some kind of a joke, and then he posts a link with your name, country, some IP and other characters, and because the stuff he is saying are actually his words you think that your friend is just an idiot, and you think that its not spam and get interested and click on the link... i didnt even open the file, i dont know how it spread all over the pc...

I usually eat for breakfast some viruses, but this one  

If NOD32 doesnt find anything, ill scan with Kaspersky and if nothing happens - full format


----------



## TRIPTEX_CAN (Dec 21, 2009)

Give Malwarebytes a shot too if you feel like testing.


----------



## Marineborn (Dec 21, 2009)

you can run Kaspersky in safe mode, you have to go into the program files and start its safe mode scanner, it works quite well actually


----------



## dr emulator (madmax) (Dec 21, 2009)

i used malwarebytes (from here) on someone elses machine but had to go into the system (whilst in safe mode) then delete the threads it created by using regedit but that's not recommended unless you know what you're doing, and what you're looking for

edit 





> i got the "Regedit has been disabled by your administrator" error


wo didn't see that, sounds a bad un, never had malware do that before and i've had to deal with a few


----------



## warup89 (Dec 21, 2009)

Jesus that's one bad virus, It reminds me when i got something similar years ago on my XP PC. I noticed when you deleted some of the virus's file and then they just re-appear is because there's another file somewhere, creating them. Finding that sucker is hard but not impossible. I eventually did and got rid of the whole thing without ever using an anti virus, well i did but just to scan. 

hmmm i have an extra machine that i wouldnt mind getting infected by your virus, and then try to kill it.......yeah i have fun doing that (im pc sadistic >=]) but i guess that's just my crazy side talking =P.


----------



## BulgarianBoy92 (Dec 21, 2009)

TRIPTEX_MTL said:


> Give Malwarebytes a shot too if you feel like testing.



I will, after nod finishes scanning. 



Marineborn said:


> you can run Kaspersky in safe mode, you have to go into the program files and start its safe mode scanner, it works quite well actually



I know i can, but i cant install it in safe mode :S



dr emulator (madmax) said:


> unless you know what you're doing, and what you're looking for



I think i know what im doing... if i don't, at least ill learn what not to do next time..


----------



## MK4512 (Dec 21, 2009)

Well, if it's stopping you from opening things, I recommend Unlocker Assistant, and an anti-virus I personally use is Avast. Check out Avast if you are looking to install a new anti-virus to get this thing.


----------



## BulgarianBoy92 (Dec 21, 2009)

99 infiltrations found / 99 files deleted (main hdd)
scanning current HD - 1 infiltration found for now


----------



## BulgarianBoy92 (Dec 21, 2009)

malwarebytes did an awesome job on the smaller hd where i installed XP 

37 infiltrations found and they all were viruses of the kind that bothers me  

its now scanning the win7 hdd its 320 gb so lets wait


----------



## crazyeyesreaper (Dec 21, 2009)

good malwarebytes is doing its job then glad you decided to try it


----------



## DonInKansas (Dec 21, 2009)

Malwarebytes rules, and it can be installed in safe mode.

If you get an error or the virus won't let you install, try renaming the .exe.  Sometimes the virus recognizes it by name and blocks it.  I call mine by my favorite whiskey.


----------



## Marineborn (Dec 22, 2009)

BulgarianBoy92 said:


> I will, after nod finishes scanning.
> 
> 
> 
> ...



thats what i keep an installed version on a jump drive, or have a secondary harddrive with it on there i can make a primary in case some bad shit goes down, switch harddrive boot up scan the other and kilL KILL KILL!!!!


----------



## Espera (Dec 22, 2009)

Not sure if this affects internal HDD connections but did you have AUTORUN disabled before you connected the HDD internally or externally?


----------



## BulgarianBoy92 (Dec 22, 2009)

malwarebytes did the job 

big thank you to all users that posted on this forum, especially crazyeyesreaper


----------



## DirectorC (Dec 22, 2009)

I don't trust any anti-malware to be up to date enough, if something goes wrong I immediately use HijackThis and nuke all intruders.


----------



## TRIPTEX_CAN (Dec 22, 2009)

Another win for the team at Malwarebytes. That is one kick ass product. 

My "superior" at work decided it was a good idea to buy Norton 2010 for the company when I suggested Malwarebytes. EPIC FAIL. 

I use Malwarebytes to clean the infections where Norton returns an "access denied" when attempting to clean the file. Norton blows old goats. 


MALWAREBYTES FTW.


----------



## YinYang.ERROR (Dec 25, 2009)

I recommend Avira's Rescue System disk: http://www.free-av.de/en/tools/12/avira_antivir_rescue_system.html


It has saved me a couple times.


----------

