Security Software generic fx infection

Status
Not open for further replies.

Geekhead83

Contributor
My PC has been infected with the Generic.FX 'v i r u s' (I can't even type the word 'v i r u s' properly, as the browser just closes automatically!!!!)

I tried the vcleaner utility for cleaning it. I even tried scanning with AVG, but no use.

Please suggest a remedy, as I am sick of formatting my HDD, and all 3 PCs at my home have been infected with the same v i r u s.

The problem is the virus doesn't allow any antivirus s/w to function, interrupting installations midway, corrupting the display, etc.

And my PC refuses to start in safe mode. (Win 98... don't ask why, my dad doesn't like XP!!!)

So is there any DOS-based scanner which I can run before Windows boots, or separately via a bootable CD, that would do the job for me?

There was one Ultimate Boot CD which has antivirus etc. running off the CD (DOS based). But the problem is we need to create the CD (using the provided exe), which can be done only in XP.

PS: common Generic.FX P2P virus actions:

i) creating exe files which have a WinZip icon in the root of each drive. These files have the names of other recently opened documents.

ii) creation of winzip.exe either in c:\windows\system or some other random folder.

iii) a Norton Antivirus icon in the taskbar which gives the tooltip 'update..please wait' (I have no Symantec products installed on my PC)

So any help would be greatly appreciated.
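As an added example, not code from the thread: a small Python check for the first two symptoms listed above, namely .exe files in a drive root that borrow the name of a document sitting next to them, and a winzip.exe outside its expected install folder. The directory listing and paths are constructed, and the WinZip install path is an assumption.

```python
from pathlib import PureWindowsPath

# Document types whose names the worm is described as reusing for its decoy .exe files.
DOCUMENT_SUFFIXES = {".doc", ".xls", ".txt", ".pdf", ".ppt", ".jpg", ".mp3"}
# Assumed location of a legitimately installed winzip.exe (not stated in the thread).
EXPECTED_WINZIP_DIR = "c:\\program files\\winzip"


def decoy_executables(root_listing):
    """Return .exe names whose stem also exists as a document in the same listing.

    root_listing is a plain list of filenames from a drive root; on a real
    machine it would come from os.listdir(r"C:\\"). Names are compared
    case-insensitively because Win9x filesystems are case-insensitive.
    """
    suffixes_by_stem = {}
    for name in root_listing:
        p = PureWindowsPath(name)
        suffixes_by_stem.setdefault(p.stem.lower(), set()).add(p.suffix.lower())
    return sorted(
        name for name in root_listing
        if PureWindowsPath(name).suffix.lower() == ".exe"
        and suffixes_by_stem[PureWindowsPath(name).stem.lower()] & DOCUMENT_SUFFIXES
    )


def misplaced_winzip(paths):
    """Return every winzip.exe path that is not inside the expected install folder."""
    return [p for p in paths
            if PureWindowsPath(p).name.lower() == "winzip.exe"
            and str(PureWindowsPath(p).parent).lower() != EXPECTED_WINZIP_DIR]


# Constructed sample: a drive root and two candidate winzip.exe locations.
SAMPLE_ROOT = ["thesis.doc", "thesis.exe", "budget.xls", "budget.exe",
               "setup.exe", "readme.txt", "autoexec.bat"]
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\winzip.exe", r"C:\Program Files\WinZip\winzip.exe"]
```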
 
Run this http://www.thespykiller.co.uk/files/HJTsetup.exe (HijackThis) to check the problems, if you're smart enough.
Run Ad-Aware with Spy Sweeper.
If not effective, run in safe mode.
If you don't want the hassle, a format takes 30 mins.
But HJTsetup can troubleshoot your problem if you know what to do, as the worm you're infected with puts a password in IE's content manager.
 
OK... here's the logfile of my HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 3:35:29 AM, on 6/28/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\POWERSTRIP\PSTRIP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRAVITY\RO\XILERO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX00.321\HIJACKTHIS.EXE

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.94.243.70,203.94.227.70
 
geekhead83 said:
[quotes the HijackThis log posted above]

First, run HijackThis from its own dedicated directory, not from the temp directory.
Then rescan the system, put a check mark on the entry I marked in red and click Fix This. Then rescan and post the log file here.

For God's sake, ditch that FlashGet from your system and use Free Download Manager or Mass Downloader.

Edit:
You can use the following links.
AVG Anti Virus: Virus Encyclopedia

http://forums.techguy.org/security/443762-worm-generic-fx-evil-exe.html

Starting your computer in Safe mode

Lastly, I found this very useful for you.
Worm Generic.FX - Cyber Tech Help Support Forums
 
geekhead83 said:
Nice post there... but what's wrong with FlashGet??
IIRC FlashGet is loaded full of adware itself. I once had problems with it on my system and was advised by experts on forums to remove it, and I have been using Mass Downloader since then.
 
Hmm... OK, will remove FlashGet then.

I managed to clean out the virus [I think].

Here's what I did:

i) Started my comp using Ultimate Boot CD 3.2 and scanned using McAfee (2003 version).

It listed loads of files as infected with the virus and deleted those.

ii) Next I ran the vcleaner utility (provided by AVG, I think) after booting into Win98 and cleaned out the remaining files.

Now, should scanreg.exe be present in memory?? Because HijackThis is showing it as per the above log. Is the virus still present?
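As an added example, not from the thread or from HijackThis itself: a parser for the log format posted above that separates the "Running processes" list from the O-numbered entries, so the question about scanreg can be answered from the log (is it loaded in memory, or only scheduled under an O4 autorun key?) and the earlier advice about the temp directory can be checked. The sample log is a constructed excerpt of the one posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis v1.99.1 log posted above (a few lines of each section).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TEMP\RAR$EX00.321\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.94.243.70,203.94.227.70
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")  # section lines such as "O4 - ..." or "O17 - ..."

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the On entries, keyed by section."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                       # the first On line ends the process list
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_running(processes, exe):
    """True only if exe was actually loaded when the log was taken."""
    return any(basename(p) == exe.lower() for p in processes)

def autorun_entries(entries, exe):
    """O4 entries referencing exe: scheduled to start at boot, which is not the same as running."""
    return [e for e in entries["O4"] if exe.lower() in e.lower()]

def hjt_launched_from_temp(processes):
    """HijackThis keeps its backups beside its own exe, so a TEMP/archive folder is a poor place to run it from."""
    return any(basename(p) == "hijackthis.exe" and "\\temp\\" in p.lower()
               for p in processes)
```

On the sample above, scanregw.exe shows up only as an O4 Run entry and not in the process list, while HijackThis itself is running out of a TEMP folder extracted by WinRAR.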
 