Tuts 4 You


Posted

As you can understand I have a worm virus on my computer. I have used Ad-Aware, Malwarebytes, Security Task Manager and Windows Defender and none of them can effectively remove the virus entirely. There's one file that I know exists but have no way of deleting (my version of Security Task Manager isn't registered so I can't remove drivers and DLLs... can't find a registered one). The file I can't delete is called afmain0.dll and it's the reason why I keep getting other worm-like viruses for a week now... is there anything I can do besides formatting the hard drive?

Posted

Try KernelDetective, great tool for terminating drivers that hide or lock files.

Look for tasks with random or suspicious names. If you terminate the wrong one, it'll bsod but I guess that's better than format C ;)

On the other hand, formatting is safer than just deleting some files, there still might be traces of the virus in the OS.

Posted (edited)
Try KernelDetective, great tool for terminating drivers that hide or lock files.

Look for tasks with random or suspicious names. If you terminate the wrong one, it'll bsod but I guess that's better than format C ;)

On the other hand, formatting is safer than just deleting some files, there still might be traces of the virus in the OS.

I've already gone over the startup list (msconfig) and unchecked whatever looks suspicious (googled anything I wasn't sure about), but this damn virus keeps putting the same items on the startup list... (smss.dll, empty.pif, sempalong.dll).

I keep deleting and quarantining them but they just keep coming back, I guess it's that damn DLL I can't delete...

BTW, what's BSOD?

Edited by as1
Posted
I've already gone over the startup list (msconfig) and unchecked whatever looks suspicious

As you said, it keeps re-adding them so there's no point in that. You would have to terminate the running process/service and delete the file. Some viruses hide processes/files/folders/reg entries with a driver, that's why I suggested KernelDetective.

BTW, what's BSOD?

BSOD = bluescreen [of death]

Posted (edited)

Turn off System Restore and run a scan, then after you are sure they are gone re-enable System Restore, delete them and then try to reboot and see if they come back.

worked for me..

willie

Edited by willie
Posted (edited)

Been a long while since I last posted here... Sorry about the inactivity Ted :P .

I haven't read over this entire post in detail but I do have a few suggestions to aid in removing the aforementioned infections.

Firstly, grab a copy of Autoruns and Process Explorer from SysInternals and verify MD5 hashes to make sure the file wasn't infected or corrupted on the fly.

Now launch Autoruns and a clean install of your browser in safe mode if you feel you'll need it.

Prerequisite note (optional): Use RkUnhooker to check for any signs of a rootkit, attempt to unhook any (shadow) SSDT hooks that may be in place, scan your Windows and System directory for any hidden files and also check for load notify routines...

Run Process Explorer and check every process for rogue threads, that is, threads that appear not to belong to the process in question. Google any strange DLL names using the pre-launched browser if needed.

Once you've killed those threads and made sure they're not re-spawning, use Autoruns and search for references to the suspicious files, check your AppInit registry keys and loaded Internet Explorer DLLs... Do not run any other executables/processes during this process, as this may allow the infection cycle to restart.

Once you're confident you've removed all startup entries and the virus is no longer resident in memory, forcefully reboot the machine via the power button and start in safe mode, then delete the infected files from the command prompt.

You may also want to check out Unlocker, as it can be used to kill any processes that may be preventing you from deleting the files in question.

I had to deal with an awkward infection that operated around these lines not so long ago...

It would create around 3 DLLs with random names then randomly inject those DLL files into random processes; it was a lot of trial and error along with a long-winded game of cat and mouse before I finally managed to exterminate it from memory and make sure it wasn't starting up with the system again...

It would inject into every launched process due to the modification it made to the AppInit registry keys, so if you double clicked a registry key in Autoruns just to have it launch RegEdit, you'd have shot yourself in the foot... The things I do for friends :wub: ...

I hope this helps and sorry if it's a little long-winded.

Nice to be back here. I'll be dropping by from time to time to see how you're all doing :) .

KOrUPt.

Edited by KOrUPt
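The post above amounts to a manual triage procedure: verify the hashes of the tools you download, then walk the Autoruns output looking for unsigned images, AppInit_DLLs entries, and files sitting where they should not. Below is an added example (not code from the thread or from Sysinternals) that applies those checks to an Autoruns CSV export. The CSV is a constructed sample that reuses the file names mentioned in the thread and only a subset of the columns a real export carries; the "core OS names" list and the path heuristics are my own assumptions, not anything Autoruns itself reports.

```python
"""Triage an Autoruns-style CSV export for the persistence patterns discussed
in the thread, and verify a downloaded tool against a published digest.
Added example; the sample data below is constructed, not a real export."""
import csv
import hashlib
import hmac
import io
import ntpath  # handles Windows backslash paths even when run on Linux/macOS

# Constructed sample in the shape of an Autoruns CSV export (column subset).
SAMPLE_AUTORUNS_CSV = """\
Entry Location,Entry,Enabled,Signer,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,enabled,(Verified) Microsoft Windows,C:\\WINDOWS\\system32\\ctfmon.exe
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs,afmain0.dll,enabled,,C:\\WINDOWS\\system32\\afmain0.dll
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,sempalong,enabled,,C:\\Documents and Settings\\user\\Local Settings\\Temp\\sempalong.dll
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,smss,enabled,,C:\\Documents and Settings\\user\\Local Settings\\Temp\\smss.dll
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce,empty,enabled,,C:\\WINDOWS\\empty.pif
"""

# Assumed heuristics: names of core Windows processes that malware likes to
# borrow, and path fragments that indicate a user-writable location.
CORE_OS_NAMES = {"smss", "csrss", "winlogon", "lsass", "svchost", "services", "explorer"}
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\appdata\\", "\\documents and settings\\")


def triage_entry(row):
    """Return the list of reasons an autostart row deserves a closer look."""
    reasons = []
    location = row["Entry Location"].lower()
    path = row["Image Path"]
    low = path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))

    if "appinit_dlls" in location:
        reasons.append("injected into processes that load user32.dll via AppInit_DLLs")
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("no verified Authenticode signer")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    if stem.lower() in CORE_OS_NAMES and "\\windows\\system32\\" not in low:
        reasons.append("core-OS process name outside System32")
    if ext.lower() == ".pif":
        reasons.append(".pif shortcut used as an autostart image")
    return reasons


def triage(csv_text):
    """Return [(entry, image path, reasons)] for enabled rows with at least
    one reason, sorted so the entries with the most reasons come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].lower() != "enabled":
            continue
        reasons = triage_entry(row)
        if reasons:
            findings.append((row["Entry"], row["Image Path"], reasons))
    findings.sort(key=lambda f: len(f[2]), reverse=True)  # stable sort keeps export order for ties
    return findings


def verify_hash(data, expected_hex, algo="md5"):
    """Compare a downloaded file's digest with the one the vendor publishes,
    using a constant-time comparison. Returns True on a match."""
    digest = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


if __name__ == "__main__":
    for entry, image, reasons in triage(SAMPLE_AUTORUNS_CSV):
        print(f"{entry:12} {image}")
        for reason in reasons:
            print(f"    - {reason}")
    # Constructed check: the MD5 of the bytes b"hello" is a well-known value.
    print("hash ok:", verify_hash(b"hello", "5d41402abc4b2a76b9719d911017c592"))
```

On the sample data the `smss` entry ranks first (unsigned, in a Temp directory, and borrowing a core OS process name), followed by the AppInit_DLLs entry. Nothing here deletes or terminates anything; it only ranks what to inspect next in Process Explorer, which matches the order of operations in the post.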
Posted

Try ComboFix and SmitFraudFix and scan your PC.

They can remove various types of trojans, malware, rootkits, etc... definitely worth a try...

And they are free.

Posted

It would be better if you could provide us with a list of all running processes on your system.

Maybe then we could figure out the rogue this way... just my 2 cents.

  • 6 months later...
Posted

I know this thread's almost a year old but I found a program that may help somebody with a similar problem:

http://download.cnet.com/Unlocker/3000-2248_4-10493998.html

It will unload the locked dll so that you can delete it.

Posted

His problem wasn't the DLL, I bet my *** on it. RkUnhooker or Kernel Detective would restore any SDT/SSDT hooks, including those the virus set. The file can then easily be deleted. Most likely an NtQuerySystemInformation hook.
