Final Fantasy Forums
Old 12-29-2008, 02:06 AM   #1 (permalink)
xxtom16
Default WIN32 VIRUS!!!

Can anyone help me? I managed to get the god-awful WIN32 virus and can't get rid of it without reformatting. Does anyone know a simpler solution to get rid of it rather than downloading a ton of antimalware programs?
Old 12-29-2008, 06:55 AM   #2 (permalink)
Lady Lamont
Default Re: WIN32 VIRUS!!!

I'd like to make a couple of points beforehand - the majority of anti-viruses/etc. cannot remove risks or changes to some files due to the particular location (especially in some cases, such as the System Restore and the Hosts Files, which are considered to be core parts of the Windows System and are basically denied access by the Windows programming; however, some threats such as the Win32 Virus are programmed to specifically target said areas).

Not to mention, Win32 Virus is actually a CATEGORY. Not a SINGULAR virus!

A few of these also mainly exploit the process called "explorer.exe". If it's gone up to much more than 10 MB, then you need to end it manually in the Task Manager: to see the processes, click the next tab, which says "PROCESSES", select explorer.exe and then hit "End Process", which will cause explorer to crash but will hopefully stop the virus from continuing its exploits so you can then remove it. While you're looking through the directories and/or folders, explorer.exe will start up again, but once you've found the location of it you can crash it again to stop it. The location does normally vary depending on the virus; for example, one that is known as "W32.Dengue" has a random location for each infection.

If you know the name of the virus, can you please post it as there are varying removal strategies.

Other than that, try these, in the following order:

I. Disable System Restore. There should be an article on the Microsoft Website - if I knew what OS you were running, then I would be able to tell you how to disable it. Basically, Win32 Virus sets itself up so it can abuse the System Restore option that normally helps remove most threats (spyware, viruses... etc malware overall).

To stop it from doing so, you have to disable System Restore. That's just step one to removal.

II. Remove risks/backdoors/etc from the "hosts" folder location, go to the following location:

Windows 95/98/Me:
%Windir%

Windows NT/2000/XP:
%Windir%\System32\drivers\etc

The location of the host files can change; some computers may not even have the host files on there. In most cases, the default is %Windir%, which is basically the Windows installation folder; the actual default location is the following: C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

Then find the "HOSTS" file, double-click it (also, disable the "Always use this program to open this file" box as the Win32 Virus exploits that file too!)

Next, choose the new program to open the file - open it in Notepad, and remove the following entries from the file (if they ARE there, these vary depending on which Win32 Virus has infected your PC) OR these can also be values in the Registry, so you will need to check the HOSTS file (after finding it of course) and the registry via the Registry Editor:

"W23.HLL.ZMK.30030"

Registry values to be removed:

In this location "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", remove the entry called "CrazyPC"

And in the HKEY_LOCAL_MACHINE\Software location, remove the folder tree (remove the main folder) called "CrazyPC"

Then copy all of the other folders from Win32, excluding ANYTHING with "CrazyPC" in it. After removing those, I would recommend that you also get an "Absolute Deletion" program to COMPLETELY remove any and all traces of those files, because emptying the recycle bin does not COMPLETELY remove the files; it basically makes you think it's gone and denies the computer access to those deleted files.

The one called "W32.Dengue"/"Win32.CTX.10853"/"DHF" is the one with the random location of infection, it's the one that mainly abuses explorer.exe and is a pain in the ass to remove.

Any of the infected files' memory usage is ALWAYS divisible by the following numeral - 101. It's a complex virus created by what can be considered a Viral-Pro who created other nasty Windows Core-attacking viruses in the past since his debut with his Windows 95 Marbug virus.

Anyways, Dengue is a nasty little f*cker... it can change its location and it also avoids most virus scanners and anti-virus programs. It also checks programs with the first letters in the file name, as the following: DR*, PA*, RO*, VI*, AV*, TO*, CA*, IN*, MS*, SR*, SP*, RP*, PR*, NO*, CE*, LE*, MO*, SM*, DD*, SO*, SQ*, EX*, IE*, CM*, CO*.

It infects everything in the background once it's gotten control of explorer.exe. If my memory is correct, Trend Micro House Call should be able to remove it and all of its registry edits after doing a complete system scan.

Also, shutting down access to things such as Bluetooth and other links can stop it from replicating itself onto things such as Flash Drives and other mobile devices that could enable it to infect other systems.

That's all I can think of currently, other than that... how about reading about it online OR asking in an actual tech forum instead of a GAMING forum? As you'd get a MUCH BETTER response in one of those.
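The HOSTS file review from step II of the reply above, as an added example that is not part of the original posts: it builds the two HOSTS locations the post names and lists every entry that is not a stock localhost mapping, so it can be reviewed by hand in Notepad. The function names, the "default" name set and the sample file contents are assumptions made for this illustration.

```python
import ipaddress
import ntpath

# Assumption: a stock HOSTS file maps only "localhost"; all else is listed for review.
DEFAULT_NAMES = {"localhost"}

def candidate_paths(windir):
    """HOSTS locations named in the post, for a given %Windir% value."""
    return [
        ntpath.join(windir, "hosts"),                                # Windows 95/98/Me
        ntpath.join(windir, "System32", "drivers", "etc", "hosts"),  # Windows NT/2000/XP
    ]

def audit_hosts(text):
    """Return (line_no, address, names, reason) for each entry worth a look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "not a valid IP address"))
            continue
        extra = [n for n in names if n.lower() not in DEFAULT_NAMES]
        if not names:
            findings.append((line_no, address, names, "address with no host name"))
        elif extra:
            findings.append((line_no, address, extra, "non-default mapping"))
    return findings

# Constructed sample contents, not taken from a real infected machine.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example.com   # name redirected to loopback
203.0.113.7     www.example.org login.example.org
W23.HLL.ZMK.30030
"""

if __name__ == "__main__":
    for path in candidate_paths(r"C:\Windows"):
        print("check:", path)
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

To check a real machine, read the file at one of the `candidate_paths` locations and pass its text to `audit_hosts`; the script only reports and never edits the file.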
Old 12-29-2008, 02:33 PM   #3 (permalink)
xxtom16
Default Re: WIN32 VIRUS!!!

Thanks, I did most of what you said (what I could do) and when I scanned, I didn't get as many Trojans. Actually a lot less. So thanks again, and I'm gonna try a tech forum for this autorun.inf virus.