Contra Virus Malware - Spybot will not fix
I have the very annoying Contra Virus malware on my PC and Spybot finds it but doesn't clean it. I've tried it at least twice. Spybot states it has cleaned it, but it keeps coming back. I run AVG, Spybot and Ad-Aware. Spybot is version 1.4 and I have the latest updates. Someone told me to turn off my restore, because maybe it is hiding there, then clean it; this did no good. Any help is appreciated.
Thanks.
Scott
Contravirus ... New and More Virulent???
I love SBS&D and very much appreciate your program(s). I have not been able to contribute ... I am disabled and eat on less than $1/meal USD ... so each dollar is a meal. However, maybe this will help, both SBS&D and users. I hope so.
Contravirus (hereinafter CV) seems to have made a big push in the last few days. Perhaps it has mutated and grown more infectious. My experience seems to point to that. On 6/2/07 I became infected with this beast. It appears that it may have come to me via a download of a picture (JPEG file). I am on dialup running Win98 SE and Internet Explorer six (IE6) on an ancient machine ... waaaay too slow to run antivirus or firewall, yet this is my first infection and have been on internet since 1995.
I tried S&D but, though it detected CV, it failed to eliminate it. Every time I connected to the Internet, new downloads of the 7.68 MB executable would begin. I searched the WEB for answers but found none. Closest I found was at
.411-spyware.com/remove-contravirus
There they try to sell you a fix, but do offer instructions to "manually remove" CV. That process is 1+ hours of tedious work, including the dreaded registry edit ... and still it doesn't work, not for me. When I finished and got back online, shortly afterward the downloads started again. AAAAAGGGGHHH!!! As far as I can tell no one has a solution to my (and perhaps your) new infection.
I wondered if perhaps my browser, IE6, had been modified to cause the downloads. To investigate I decided to restart and do nothing but dialup a connection. I reasoned that, then, there should be no downloads ... but lo and behold in a few minutes the downloads began again (of the CV 7.68 Mb executable). THAT was the needed clue ... it meant there was some independent program, like a mini-browser, running and doing all this.
So I did "ctrl, alt, delete" (to look for running programs) and in the list of running programs was one I did not recognize ... "XPuupdate". Funny thing is, I'm running Win 98 SE! Then I did "end task" from "Ctrl, Alt Delete" for "XPuupdate" and immediately the blinking Contravirus icon in Systray that I hadn't been able to get rid of (using "411's" instructions or any other) disappeared! THAT appears to be IT! No more downloads in the several hours online since. Had one freeze-up ... maybe registry problem. Hope S&D will "catch up" on CV now and maybe fix my registry later.
I then used windows explorer to "find files or folders" named "XPuupdate" and found it in my windows\system folder. Deleted it and then went back to search for "residue" of CV. These are mainly copies of the contravirus ".exe" file, and they were all named in the format "saXXXX.exe", for example, "sa21E2.exe" ... all EXCEPT ONE, which was called merely "1759134.exe". The tipoff about "1759134.exe" was its size ... 7.68 Mb, the same as all the "sa" files. In my case all these were in the windows\temp folder (and NOT "temporary internet" folders ... so they can't be "flushed" by emptying the browser cache). One can use windows explorer advanced search and look on the C drive for recent files exceeding 6 Mb., say. Any exe with a size the same as the (completely downloaded) "sa" files ... 7.68 Mb or so right now apparently, should be suspect. "Delete" them to "trash" and should be no problem if found in "windows\temp". If you lose something, restore it (but unlikely).
OK, briefly do "Ctrl, Alt Del" and "end task" for suspicious running programs ... like mine "XPuupdate.exe" (note: the "PTsnoop" program sounds suspicious but is apparently a Microsoft program).
Then use windows explorer "find files or folders" to find that file on your C drive (XPuupdate.exe for me). Then clean out any CV executable (.exe) files you can find, all about 7.68 Mb right now apparently, and most of them start with "sa". Look in "windows\temp" first (Win 98 SE anyway). Anything else about 7.68 Mb should be suspect. You may have copies that are smaller because you interrupted download if on dialup like me, but I presume they won't function and just take up room. I think if you do something and it gets rid of the systray icon for CV (mine blinked red ceaselessly) you've got it made.
Hopefully SBS&D will catch up on this and clean out any other junk after a while. I will be glad to help SBS&D in any way I can ... let me know. Please post this as reply to other inquiries about CV if you like. Thanks again for your work and programs.
I am going to try switching to Firefox browser (instead of IE6) ... it appears to be more secure, and I suspect the XPuupdate file squeezed thru IE6. Even if you get something like this, it appears Firefox may enable one to stop the downloads. We'll see.
If I have anything new to report I'll post more.
Gotta go ... my house is flooded from hot water heater! Good luck to all !! Pray for hell for all the CV people in the world.
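
The file-size check described in the post above, as an added example that is not part of the original post or of Spybot S&D: it takes the largest "saXXXX.exe" in a folder as the completed-download size, then flags any other .exe of that same size and marks smaller "sa" files as interrupted downloads. The function names, the hex-digit reading of "XXXX" (from "sa21E2.exe") and the sample sizes are assumptions.

```python
import os
import re

# "saXXXX.exe" as named in the post; treating XXXX as hex digits is an assumption.
SA_NAME = re.compile(r"^sa[0-9a-f]{4}\.exe$", re.IGNORECASE)


def list_exes(folder):
    """Return (name, size_in_bytes) for every .exe file directly inside folder."""
    found = []
    with os.scandir(folder) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False) and entry.name.lower().endswith(".exe"):
                found.append((entry.name, entry.stat(follow_symlinks=False).st_size))
    return found


def triage(files, tolerance=0):
    """Classify (name, size) pairs against the size of a completed sa*.exe download."""
    exes = [(n, s) for n, s in files if n.lower().endswith(".exe")]
    sa_sizes = [s for n, s in exes if SA_NAME.match(n)]
    if not sa_sizes:
        return {}  # no reference file, so nothing to compare sizes against
    reference = max(sa_sizes)  # the largest copy is taken as the full download
    report = {}
    for name, size in exes:
        same_size = abs(size - reference) <= tolerance
        if SA_NAME.match(name):
            report[name] = "full copy" if same_size else "partial download"
        elif same_size:
            report[name] = "same size as sa files"  # e.g. the odd one out, 1759134.exe
    return report


# Constructed sample listing; 8053063 bytes stands in for "7.68 Mb".
SAMPLE = [
    ("sa21E2.exe", 8053063),
    ("sa0B7C.exe", 8053063),
    ("sa93F0.exe", 1310720),   # interrupted dial-up download
    ("1759134.exe", 8053063),
    ("setup.exe", 245760),
    ("notes.txt", 8053063),    # not an executable, ignored
]

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE).items()):
        print(f"{name}: {verdict}")
```

To check a real folder, pass it through `triage(list_exes(path))`; nothing is deleted, the result is only a list to review by hand.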