HKEY_LOCAL_MACHINE\Software\VBS:Malware-gen

richie

I have this worm, apparently it's fairly serious as it can send passwords etc for banking etc...

Just downloading a removal tool, but if anyone else has a proven way to get rid of it please let me know. :thumb2

Apparently it's mainly spread by ActiveX etc from porn sites, but unlike some cider drinking members of this site I don't do porn sites :D
 
Hi, I'm no expert but I had a similar experience some time ago and got myself into all kinds of trouble using free removal tools. I ended up using these guys who helped me through it all.

http://www.geekstogo.com/

You have to register, and there's a bit of software that checks your PC over. I can only speak from experience that they helped me out. All free with an option to make a contribution if you want to.
 
Not sure about this specific threat but I've recently given up on AVG and Norton and gone for Microsoft Security Essentials.
Microsoft seems to have pulled their finger out and made a decent product and it's free....strangely there doesn't seem to be a good uptake of it
 
Yes security essentials is pretty good now. I use it on the machines at home despite having free Kaspersky licenses from work. Not sure it will help in this instance mind you.
 
There is some chat on the Avast forums about this one and it is picked up by the Free Version of the software with the latest updates ..

I use Avast on 2 different PCs (for a couple of years) - no issues ... maybe worth a look if you lose confidence in your current AV ... I used to use AVG but it started to get on my tits :D
 
You can be sure your machine is clean after you have got rid of a virus, you just need to know what to look for and what you're doing lol

Simples
 
Thanks guys, have just downloaded a recommended cleaner. I am not normally too concerned, but had been offline for a week and then did some online banking until the pop-up message occurred.
Avast 4.8 has put some files in the chest, but now I have a pchealth message when booting up the machine.
 
Well, still having problems.

Have been running Avast 4.8 twice a day using the thorough option and it says no virus found. However the heuristic part says I have a problem in c:\df.exe but says ignore.... even if I ask to delete, it's still there. If I go into the command prompt and run attrib -h it won't do it but I can see it in the list......

Problems encountered are:
keys 2 and 3 on my French keyboard sometimes won't work and the mouse sometimes does not respond until I use the Windows button on the keyboard.

I am using three different CF cards, recharging two iPods and sometimes a memory stick.

Any ideas... df.exe WTF
 
Richie can I have a sample of the df.exe please? Zipped and password protected and mailed to my inbound account and I can analyse it on the spot and compile something to clean it.
 
Sorry no can do. Its attribs are set and it won't allow me to undo them. Therefore the only way I can see it is to type attrib -h df.exe and it then says it won't allow me to do that but lists it.

So I can't touch it. It is only possible to view from the c prompt. Windows explorer will not allow me to show hidden files.....

Am on line now looking for a solution...
 
Slight progress made, have downloaded an update of Avast today. It now gives me the message that the file df.exe contains malware...

I have tried delete and move to chest, neither work and the message pops up every thirty seconds.

Better than before as the heuristics could not do anything. At least now I know it's malware and in the df.exe file
 
Try deleting it in safe mode, press F8 just after you get the initial POST boot. If that fails download a copy of Hiren's Boot CD, burn the ISO to a CD and boot on that to mini XP and you will definitely be able to delete it from there.
 
Malwarebytes should do the job and is free http://www.malwarebytes.org/ there are manual ways to do it but it's long and laborious if you don't know what you're doing.

Guys, a combination of updated Avast and Malwarebytes seems to have done it.... But I said that last week too :augie :D :thumb
 