DOS mcnew.exe telebos.exe mcc.exe

[sluggo123]

 
My kid was at MSN and clicked a link that causes a trojan to install.
Now these DOS windows keep popping up and install in her My Documents folder and on her desktop.
the files are gsetup.exe  jsetup.exe  mcc.exe  winstall.exe  mcnew.exe  telebos.exe
The last one tried to get on the internet but zonealarm stopped it.
I have tried running avast, and avast with the computer in safe mode. while it claimed to have deleted a number of infected files. It still comes back.
How can I get rid of this thing?

[Lisandro]

It still comes back. How can I get rid of this thing?

If a virus is replicant (coming and coming again), you should:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Use a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).

[sluggo123]

 
Well I did the first three steps no problem and nothing found.
Step 4 involved Spyware Terminator (ST).
This found a number of items, that I had it delete.
ST then set itself up for realtime protection.
Upon reboot, the DOS windows came back, this time the new DOS file running and installing to the desktop was called gotgo.exe.
Fortunately, ST warned me that one of the installing DOS programs was trying to install Win32:VB-AXQ associated with MSN Messenger. Surprise surprise!
I then un-installed messenger, then deleted all its folders.
I computer has just finished re-booting.
We shall see if this has killed it.
If so, then I will re-install a clean version of MSN messenger.
Then wait to see if it truly has been purged.
Update to follow.
Scott

[Lisandro]

Step 4 involved Spyware Terminator (ST).
Fortunately, ST warned me that one of the installing DOS programs was trying to install Win32:VB-AXQ associated with MSN Messenger. Surprise surprise!
I then un-installed messenger, then deleted all its folders.

Very good testimony in favor of SpywareTerminator resident 

[laticsforlife]

Did you find a solution, as I have exactly the same virus.

I tried boot schedule scan but my PC just wouldnt play ball, not booting properly, I cannot get into safe mode, BSOD all the time

[sluggo123]

 
Well, the kids computer is still free of any DOS popups,
BUT I did some more checking for the files that this worm/trojan kept dropping into her C:documents and settings folder, and there was MC2.exe and winstall.exe  in C:windows.
I checked their properties and they were both DOS executable files.
I then checked the other "clean" computers in the house and none had these files.
I could delete the MC2.exe file but not the winstall.exe file, it would claim in was inuse.
I booted to safe mode and deleted the winstall.exe file.
Returned to the kids profile.
No DOS windows.
I have now installed Windows Live Messenger. It logs in fine.
So far all is well.
Quite a number of the kids friends have this worm/trojan now.
I did some more web searching and apparently this thing tags a message to the effect of "Is this your picture? click this link" onto the senders messages without the sender knowing it.
The receiving person thinks it is a good link from a friend and clicks it to get the worm/trojan.
I have just been volunteered to 'clean' my kid's friend's computer. Oh well.

[sluggo123]

Did you find a solution, as I have exactly the same virus.

Can you still log into your profile otherwise?
As suggested by Tech, do steps 1, 2 & 4
then:
Search out and delete the exe files mentioned above
Unistall messenger, including deleting the messenger folders.
Empty the recycle bin.
See if that helps.

[laticsforlife]

Oh yes everything works, just these DOS windows with Avast desperately trying to kill them.

I'm in the process of running Kaspersky scanner and posting the logs to Malwareremoval.com to see what help they can give also.

I will uninstall MSN tomorrow including foloders, and try scans to see if can clean it, I'll let you know.

[essexboy]

To get rid of spysheriff use rubby ducky's tool rogue remover here http://www.malwarebytes.org/rogueremover.php

[Lisandro]

I'm in the process of running Kaspersky scanner

I hope you do not try to do it simultaneously with avast.
I mean, both will conflict.
You can use the very best Kaspersky on-line scanning though...
Kaspersky

or, even, Trendmicro housecall or Ewido.