Computer Virus Infection

Free computer virus scans on-line do not do a deep scan, so they might not remove your computer virus infection. However, here are 3 very good on-line scans from F-Secure, Avast, and Trend.

PC Tools: I recommend you download a free virus protection program - either AntiVir or Avast.

Another great antivirus program that is being mentioned as a good fix for the recent threats is one of the most thorough scanners on the market. The Multi-Dimensional Scanning and Process Interrogation Technology will detect spyware other products miss! Easily remove pests such as WinFixer, SpyAxe, SpyFalcon, and thousands more! Repair broken Internet Connections, Desktops, Registry Editing and more with our unique Repair System. Their Dedicated Threat Research Team scours the web for new threats and provides daily definition updates. I'll be writting up more on what this SUPERAntiSpyware anti-virus program (free trial download) can do.

Download and open SuperAntiSpyware from icon and install and Update it.

Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Under no circumstances should you install more than one anti-virus software. This will compromise your system and leave your PC vulnerable to infection.

If you wish to try out a new anti-virus software, then download the .exe file, uninstall the old anti-virus software through Add/Remove in the Control Panel and then install the new anti-virus software.

System Restore is a protected folder. These are the steps for virus removal in System Restore. If your Anti-virus Scanner has reported viruses in System Restore, but is unable to delete them, then these are the steps to take:

Steps for Resistant PC Infection

The UPS computer virus infection has caused some havoc recently. It's delivered via email as a ups notification of delivery with a zip file attachment. Of course, UPS didn't send it. Don't open the zip file. The virus deploys braviax.exe and burito.exe and the removal procedure might lead to windows corruption.

"Agent.JEN connects to a Russian domain (already used by other banker Trojans) and uses it to send a request to a German domain to download a rootkit and an adware detected by PandaLabs as Rootkit/Agent.JEP and Adware/AntivirusXP2008. This increases the risk of infection even more." So there's Antivirus XP2008 which is the Joke Blue Virus aka 'blue joke virus', which I discuss how to remove also. See 'Remove Blue Joke Screen' (blue star virus removal).

Nasty files turning up are: buritos.exe, karina.exe, karina.dat, and braviax.exe. Karina Virus removal, Buritos Virus, Final Solution.

Please read through all comments in this UPS Computer Virus Module. See Forum SOURCE Final Solution. Note they substituted using F-Prot antivirus with NOD32. I have read through other PC Help forums, but liked their results. I have compiled this information from other PC Help forums, but prefer the results from the the Source's 'Final Solution' (see Red Module).

UPS virus removal:

ComboFix can remove UPS Computer Virus via a special script. Source
Also, F-Prot Antivirus trial can identify the UPS virus and quarantine it.
Download the 30 days fully functional trial from here and try it.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\karina.dat

Folder::
C:\WINDOWS\system32\wsnpoem

Driver::
Ppu54

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Ppu54.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\buritos]
------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again. How to use ComboFix.

You can also read forum comments on this link to see what other people did to get rid of it.

or, try:

This looks like something you'll need a whole arsenal of programs to get rid of.

but first,

Start, run

Type msconfig

Go to Startup tab

Uncheck lphc35dj0e1an
Uncheck rhc75dj0e1an

in General tab, tick 'Selective Start-up', 'Apply', OK

and delete these specific files below if MalwareBytes, ComboFix, or another scanner you ran can't get rid of them:

C:\windows\system32\lphc35dj0e1an.exe
C:\program files\rhc75dj0e1an\rhc75dj0e1an.exe

and if they keep popping back then use Pocket KillBox.

Karina Virus, Buritos Virus Removal - the Source's Final Solution:

Make sure you have 'show all hidden files' enabled, and go into Safe Mode to do the scans.

TR (Trojan Remover)
MalwareBytes
NOD32 Antivirus

Typically the Ahsan virus renames the computer icon to "Ahsan's Computer", renames My Documents to Ahsan's Documents, redirects browser to improper url, changes browser title to : Ahsan Manan Khan Bhutta and renames the recycle bin icon to G.W.Bush.

Well the Ahsan virus removal instructions are hard to follow, or cryptic. I believe Ahsan hails from India, so it was Indian PCs that were hit the hardest. I have compiled this advice from various forum sources and at the end provide what I believe is the Final Solution. So read first steps below, but follow Final Solution. If Final Solution doesn't work to remove the Ahsan Virus, then refer to first steps.

Please note I have not handled removing Ahsan's Virus, so this is not a guaranteed removal.

I've copied from the source the steps you need to take to remove the Ahsan Virus:

"Log in to safe mode as Administrator or System Administrator (whatever is your highest level):

Create and Save files named "Home Video.exe" and "csrss.exe" in all drives with 0 kb(If you can't do it within 5 seconds ,do it from a bootable media)

0th step is to prevent the virus running in background from recreating the specified files.You can do that also by logging in from any live(bootable) cd (For example: http://electronics.wikia.com/wiki/How_to_make_a_Phoenix_live_CD_from_a_Debian_installation)

# Run RRt and disable virus effects : check all tick marks and press 'remove' (note: it appears the RRT tool does not work in Safe Mode)
# Virus is out ; if your cmd.exe is enabled now .Take the command prompt from %system32%\cmd.exe
# Open regedit, search and delete all entries with his damn name "Ahsan" ,his site 110mb.com and that GW Bush
# Enable "Run":
Take regedit : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and delete NoRun make the same with value 0
# Even now if you are not able to handle the situation do SDFix
# Thats it !!

Detailed steps to remove Ahsan virus :

1. start windows in safe mode with command prompt(user:admin, preferably a user other than having attacked)

2. use RRT Tool to enable run " if disabled".

3. Enable regediting if disabled with following reg key.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

4. Open regedit, search and delete all entries with name "Ahsan" , site 110mb.com and Bush.

5. If your folder option is disabled enable it with following reg key "

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Explorer

Check if a DWORD value named NoFolderOptions exists in the pane on the right hand side of the screen
Delete it

6. If you are still unable to view the hidden files, which is disabled by virus, enable it with following proc and key.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Find the value "Hidden" . Rightclick it and modify it to 1. If Key value hidden is not present create it

7. Check the following registery values and set the values given below in each registery key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:02
"ValueName"="Hidden"
"DefaultValue"=dword: 02

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword: 01
"ValueName"="Hidden"
"DefaultValue"=dword:02

8. Now enable "show all hidden files / Hidden system files and folders", and search for following files and delete them all.

system.exe
csrss.exe
Home video.avi.exe
autorun

Note: these files will be in parent drives (D:, C:) and in windows folder.

9.Now you are done!"

Here is the Source link that tries to explain Ahsan's Virus.

Note: I believe Ahsan's Virus Renames My Computer on desktop to Another one Like Ahsan's Computer

Final Solution:

Apparently this is not a true virus and if you do a System Restore to the earliest date possible, it will remove AHSAN MANAN KHAN BHUTTA.

1. Go to start menu
--> then All Programs
--> Accessories
--> System Tools
--> System Restore

2. System restore window opens. And just follow the steps.

3. Click next. Select a previous date from calendar on left (it should be in bold characters as mentioned above it), click a restore point on right and click next.

4. Now read the red color text and click next, System restore will now start.

It will also restart the PC automatically, and when that happens, you get your PC back.

If this does not correct the problem, or you cannot do a Restore, then follow the steps below:

a) Download Avast. Don't install yet. Uninstall your old anti-virus program and then install Avast.

b) Follow steps in my blog - Steps for Resistant PC Infection first before proceeding to next steps.

1. start windows in safe mode with command prompt.

2. use RRT Tool to enable Run function " if disabled".

3. Enable regediting if disabled with following reg key.

Code: Select all
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

4. Open regedit, search and delete all entries with name "Ahsan" , site 110mb.com and Bush.

5. If your folder option is disabled enable it with following reg key "

Code: Select all
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Explorer
Check if a DWORD value named NoFolderOptions exists in the pane on the right hand side of the screen
Delete it

6. If you are still unable to view the hidden files, which is disabled by virus, enable it with following proc and key.

Code: Select all
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Find the value "Hidden" . Rightclick it and modify it to 1. If Key value is hidden or is not present create it.

7. Check the following registry values and set the values given below in each registry key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:02
"ValueName"="Hidden"
"DefaultValue"=dword: 02

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword: 01
"ValueName"="Hidden"
"DefaultValue"=dword:02

8. Now enable "show all hidden files / Hidden system files and folders", and search for following files and delete them all.

Code: Select all
system.exe
csrss.exe
Home video.avi.exe
autorun

Note: these files will be in parent drives (D:, C:) and in windows folder.

9. Now restart!

10. Now install Avast anti-virus, update and scan.

11. Reset your Internet Explorer to default.

12. Download Firefox Browser and use that instead of IE.

Source is Final Solution at Discussbits

More links that claim to get rid of Ahsan Virus Kaspersky forum and FixYa.

One blogger writes on the exact paths to computer virus infection with Antivirus XP 2008.

PC infected

Anytime you have a notification on your desktop that you have a virus, and to download such n such, then, you already have a virus or adware, and it's from them! So, why buy from someone who gave you the malicious code in the first place???

This is a rogue anti-spyware program that is advertised through Trojans and other Malware. If you mistakenly downloaded this program it will pop up fake security alerts and warnings. In some cases, this program is installed without any intervention at all from you.

joke blue screen virus removal - blue screen virus fix:

Joke Blue Virus is malicious code that MalwareBytes destroys.

I also had to use SDFix from BleepingComputer.com on one computer infected with Blue Joke Virus and it got rid of the remaining Trojan.

SDFix is for Windows 2000/XP ONLY.

How to use SDFix.

Instructions on how to remove Vista Antivirus 2008.

Worm Removal at Fixya for:

i got a virus for my yahoo messenger. it keeps sending messages to all the people i have in my...
Support for Acer TRAVELMATE 2300, 2310,...

hinhem.scr
problem
Support for Microsoft Windows XP...

Needs Removal tool for w32.imaut

how can i remove funy ust avi.exe virus

Virus Remover at Fixya for:

Funny UST scandal virus
pls help me rid this name sino gusto funny scandal

Malware can also damage Windows files. If you have your original Windows CD then run this scan. In some instances you will not be asked for the Windows CD.

Start, Run, sfc /scannow

(one space between sfc and /)

on some computers you will need to do:

Start, Run, sfc /scannow.exe

How to Use SFC.EXE to Repair System Files

Windows then checks to verify that all protected files are intact in their original versions. Be prepared to insert your Windows CD.

"The main reason for using this utility is when you suspect there may be a problem with a Windows XP system file.

Perhaps you get a dialog box appear informing you of a problem with a .dll file, or your program will just not load! It is therefore worth checking to see if there are any corrupt system files using scannow sfc."

Guide and procedures on sfc /scannow.

Start the System Configuration Utility. Do 'Run', type 'msconfig', then go to 'Startup'. View the list of startup programs. Highlight on the far left the startup program name you do not recognize, copy and paste it into a google search and research it on the internet. If it is questionable or considered malicious then untick it. Do not untick necessary startup programs! Then click 'Apply'. Do not close yet. Go to the tab 'General' and tick 'Selective Startup' and then tick 'OK'.

Right click on your Desktop and select Properties.
Then click the Desktop tab
then click the Customize Desktop button.
Now in the next window that comes up click the Web tab.
Make sure at the bottom that Lock desktop items is unchecked.
Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too.
Then click OK.
Click Apply. And click OK.

Simple Help

Trojans Test

ZoneAlarm Firewall

FREE Spyware Removal and Antivirus Tools

There are several online virus libraries where you can find out about known viruses. These sites often provide instructions for removing viruses--if manual removal is possible--or a free removal tool if it isn't. Check out

Virus Radar
Virus Bulletin
Trend's Virus Encyclopedia
ESET Threat Center
Web Security Guard
Threat Expert

Please follow these initial Steps for Resistant PC Infection