
Thread: Contra Virus Malware - Spybot will not fix

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    1

    Default Contra Virus Malware - Spybot will not fix

    I have the very annoying Contra Virus malware on my PC and Spybot finds it but doesn't clean it. I've tried it at least twice. Spybot states it has cleaned it, but it keeps coming back. I run AVG, Spybot and Ad-Aware. Spybot is version 1.4 and I have the latest updates. Someone told me to turn off my restore, because maybe it is hiding there, then clean it; this did no good. Any help is appreciated.

    Thanks.

    Scott

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello.

    If you can find the file/s, please zip and send to: detections(AT)spybot.info (Replace AT with @)
    Also include the results of a Spybot-S&D scan.
    • Open Spybot-S&D and start a scan ("check for problems").
    • After the scan, right-click in the results field and choose either "Save full report to file..." or "Copy full report to clipboard".
    • Attach the file (or copy the report) to the email.



    Then follow the procedure in this link: "BEFORE you POST" -Preliminary Steps
    Start your own thread in the Malware Removal Forum

    Once you have posted a helper will advise you as soon as available.

    Just so you know for the future, generally it is best not to flush System Restore until after an infection has been removed.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jun 2007
    Posts
    2

    Default Contravirus ... New and More Virulent???

    I love SBS&D and very much appreciate your program(s). I have not been able to contribute ... I am disabled and eat on less than $1/meal USD ... so each dollar is a meal. However, maybe this will help, both SBS&D and users. I hope so.

    Contravirus (hereinafter CV) seems to have made a big push in the last few days. Perhaps it has mutated and grown more infectious. My experience seems to point to that. On 6/2/07 I became infected with this beast. It appears that it may have come to me via a download of a picture (JPEG file). I am on dialup running Win98 SE and Internet Explorer six (IE6) on an ancient machine ... waaaay too slow to run antivirus or firewall, yet this is my first infection and have been on internet since 1995.

    I tried S&D but, though it detected CV, it failed to eliminate it. Every time I connected to the Internet, new downloads of the 7.68 MB executable would begin. I searched the WEB for answers but found none. Closest I found was at

    .411-spyware.com/remove-contravirus

    There they try to sell you a fix, but do offer instructions to "manually remove" CV. That process is 1+ hours of tedious work, including the dreaded registry edit ... and still it doesn't work, not for me. When I finished and got back online, shortly afterward the downloads started again. AAAAAGGGGHHH!!! As far as I can tell no one has a solution to my (and perhaps your) new infection.

    I wondered if perhaps my browser, IE6, had been modified to cause the downloads. To investigate I decided to restart and do nothing but dialup a connection. I reasoned that, then, there should be no downloads ... but lo and behold in a few minutes the downloads began again (of the CV 7.68 Mb executable). THAT was the needed clue ... it meant there was some independent program, like a mini-browser, running and doing all this.

    So I did "ctrl, alt, delete" (to look for running programs) and in the list of running programs was one I did not recognize ... "XPuupdate". Funny thing is, I'm running Win 98 SE! Then I did "end task" from "Ctrl, Alt Delete" for "XPuupdate" and immediately the blinking Contravirus icon in Systray that I hadn't been able to get rid of (using "411's" instructions or any other) disappeared! THAT appears to be IT! No more downloads in the several hours online since. Had one freeze-up ... maybe registry problem. Hope S&D will "catch up" on CV now and maybe fix my registry later.

    I then used windows explorer to "find files or folders" named "XPuupdate" and found it in my windows\system folder. Deleted it and then went back to search for "residue" of CV. These are mainly copies of the contravirus ".exe" file, and they were all named in the format "saXXXX.exe", for example, "sa21E2.exe" ... all EXCEPT ONE, which was called merely "1759134.exe". The tipoff about "1759134.exe" was its size ... 7.68 Mb, the same as all the "sa" files. In my case all these were in the windows\temp folder (and NOT "temporary internet" folders ... so they can't be "flushed" by emptying the browser cache). One can use windows explorer advanced search and look on the C drive for recent files exceeding 6 Mb., say. Any exe with a size the same as the (completely downloaded) "sa" files ... 7.68 Mb or so right now apparently, should be suspect. "Delete" them to "trash" and should be no problem if found in "windows\temp". If you lose something, restore it (but unlikely).

    OK, briefly do "Ctrl, Alt Del" and "end task" for suspicious running programs ... like mine "XPuupdate.exe" (note: the "PTsnoop" program sounds suspicious but is apparently a Microsoft program).

    Then use windows explorer "find files or folders" to find that file on your C drive (XPuupdate.exe for me). Then clean out any CV executable (.exe) files you can find, all about 7.68 Mb right now apparently, and most of them start with "sa". Look in "windows\temp" first (Win 98 SE anyway). Anything else about 7.68 Mb should be suspect. You may have copies that are smaller because you interrupted download if on dialup like me, but I presume they won't function and just take up room. I think if you do something and it gets rid of the systray icon for CV (mine blinked red ceaselessly) you've got it made.

    Hopefully SBS&D will catch up on this and clean out any other junk after a while. I will be glad to help SBS&D in any way I can ... let me know. Please post this as reply to other inquiries about CV if you like. Thanks again for your work and programs.

    I am going to try switching to Firefox browser (instead of IE6) ... it appears to be more secure, and I suspect the XPuupdate file squeezed thru IE6. Even if you get something like this, it appears Firefox may enable one to stop the downloads. We'll see.

    If I have anything new to report I'll post more.

    Gotta go ... my house is flooded from hot water heater! Good luck to all !! Pray for hell for all the CV people in the world.
    Last edited by tashi; 2007-06-07 at 07:59. Reason: Disabled url
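
The size-and-name check described in post #3, written out as an added Python example (not part of the original thread and not Spybot-S&D code). It assumes "saXXXX.exe" means "sa" plus four alphanumerics and that the largest such file is a complete download; the sample files are constructed, with 768 bytes standing in for the 7.68 MB executable.

```python
import hashlib, re, tempfile
from pathlib import Path

# "saXXXX.exe" naming from the post; four alphanumerics is an assumption.
SA_NAME = re.compile(r"^sa[0-9a-z]{4}\.exe$", re.IGNORECASE)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(temp_dir):
    """Map each suspicious .exe name in temp_dir to the reason it was flagged."""
    exes = [p for p in Path(temp_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".exe"]
    named = [p for p in exes if SA_NAME.match(p.name)]
    if not named:
        return {}
    # Treat the largest sa-file as a complete download; smaller ones are partial.
    full_size = max(p.stat().st_size for p in named)
    ref_hashes = {sha256(p) for p in named if p.stat().st_size == full_size}
    findings = {}
    for p in exes:
        size = p.stat().st_size
        if SA_NAME.match(p.name):
            findings[p.name] = "sa-name" if size == full_size else "sa-name, partial"
        elif size == full_size:
            # Odd name but matching size: the hash says whether content matches too.
            match = sha256(p) in ref_hashes
            findings[p.name] = "renamed copy" if match else "same size only"
    return findings

def build_sample(root):
    """Constructed stand-in for the temp folder; sizes are scaled down."""
    payload = b"MZ" + b"A" * 766
    files = {"sa21E2.exe": payload, "saB07C.exe": payload,
             "sa9F10.exe": payload[:300],        # interrupted download
             "1759134.exe": payload,             # odd name, same size, as in the post
             "setup.exe": b"MZ" + b"B" * 766,    # same size, unrelated content
             "notes.txt": payload, "small.exe": b"MZ" + b"C" * 50}
    for name, data in files.items():
        (Path(root) / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, reason in sorted(triage(d).items()):
            print(f"{name:14} {reason}")
```

A "same size only" result is a lead for manual review rather than a match, since size alone can collide with an unrelated file.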

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Quote Originally Posted by urconsciencespeaking View Post
    I am on dialup running Win98 SE and Internet Explorer six (IE6) on an ancient machine ... waaaay too slow to run antivirus or firewall, yet this is my first infection and have been on internet since 1995.
    Hi there.

    You probably know that Win98 is no longer supported by Microsoft; it cannot be updated or patched.
    Although IE7 would be more secure than IE6, it is your operating system that has the open gate.

    Without an anti virus program and firewall, the machine is extremely exploitable and any other security program is just a bandaid.

    You could do the following:
    • Open Spybot-S&D and start a scan ("check for problems").
    • After the scan, right-click in the results field and choose either "Save full report to file..." or "Copy full report to clipboard".
    • Attach the file (or copy the report) and send to detections(AT)spybot.info (Replace AT with @)


    Best regards.

  5. #5
    Junior Member
    Join Date
    Jun 2007
    Posts
    2

    Default

    You probably know that Win98 is no longer supported by Microsoft; it cannot be updated or patched. Although IE7 would be more secure than IE6, it is your operating system that has the open gate.

    Without an anti virus program and firewall, the machine is extremely exploitable and any other security program is just a bandaid.
    Alas, yes ... it would break MS, no doubt, to support its once-loyal customers; and yes, I'd love to have tried IE7 ... but, true to form, according to MS regarding sys requirements for IE7 >>>

    Operating System
    • Windows XP Service Pack 2 (SP2)
    • Windows XP Professional x64 Edition
    • Windows Server 2003 Service Pack 1 (SP1)
    And yes, your last sentence spells precisely the plight of those who have no avail of the perks of those "on top". In the U.S., you can also write, "Without expensive health insurance, the person needing health care is extremely exploitable and vulnerable, and any other aid he may find is just a bandaid." Or ... lots of other things. Vulnerable as I am, I am one of the "lucky" ones ... I have an ancient computer that I somehow keep running and a roof over my head (with flooded flooring) ... for now.

    I have run spybot several times since my cleanup, and so I presume that a scan now will do you no good. If not true, let me know ... and thanks again for "Spybot".

    Oh .... still success with no recurrence ... and I will report that I now recognize that the invasion, I believe, started at least weeks ago, when I started noticing unusual amounts of download taking place, but without consequences until last Saturday or so, when everyone else reported same.

    I presume the "XPuupdate" trojan had a timer in it to "go off" last week. Presume also possible that our computers were being scanned for info for the previous weeks. Presume we best keep an eye out for identity theft (I keep NO strategic personal info in/on my HDD), too. Do youall need a copy of that file? Or the 7.68 Mb Contravirus executable? I've got them in my recycle bin still (with some trepidation).

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello.

    Quote Originally Posted by urconsciencespeaking View Post
    Do youall need a copy of that file? Or the 7.68 Mb Contravirus executable? I've got them in my recycle bin still (with some trepidation).
    Sure, please zip the file/s and send to: detections(AT)spybot.info (Replace AT with @)

    You can also send the results of a Spybot-S&D scan, instructions above in post#4.

    Our detectives could analyse the log, and someone can try to help you clean up any infection on the machine.

    Contravirus is on the Rogue List: Rogue/Suspect Anti-Spyware Products & Web Sites
    uses out-of-date ref database; deceptive scan reporting (Korean) [A: 12-26-06 / U: 12-26-06]
    Perhaps they will need additional notes. At any rate, I would advise people not to use any registry fix from Contravirus.

    I do understand the dilemma for people who have older Operating Systems, you are certainly not alone.

    The technology explosion will affect many.
    http://forums.spybot.info/showthread.php?p=25958
