WNSO.EXE help please.........

MarkLoehndorf:
I have somehow been hit by a Trojan horse/spyware file that is called WNSO.exe. It was picked up from Baidu.com (Chinese search engine). Although Avast detects it, I am not able to remove, move, rename, etc. >:( Does anyone know how to remove this file???

DavidR:
Why can't you move, rename, etc.? I assume something like the file is in use?

If so, if you have XP or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php

polonus:
Hi MarkLoehndorf,

Download SDFix from http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) and save it to your desktop.

When you have done this, please boot into Safe Mode (Tap F8 during startup).

Right-click on the SDFix.zip folder and choose Extract All. Open the extracted folder - C:\SDFix - and double-click on RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons.
 
Finally, open the SDFix folder on your desktop and copy and paste the contents of Report.txt back in this thread along with a fresh HijackThis log, and tell how things are running.

If the file WNSO.exe persists, or comes back even in safe mode, we have to consider using avenger.zip. Don't use it yet; first post a HijackThis log (you may need two postings to post this log).

Please download:
 http://swandog46.geekstogo.com/avenger.zip
 
by Swandog46 to your Desktop.
You must extract avenger.zip to your desktop before you run it.

Start up Avenger exe.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.
Quote:
 
Folders to delete:
C:\Program Files\Common Files\RGGZS

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

 After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
 
Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log

polonus

MarkLoehndorf:
Thanks for the help.  I must be doing something wrong, though.  I downloaded SDFix.exe and saved it.  Files were extracted OK and restarted in safe mode.  But I don't know about the sdfix.zip folder.  I am able to find the Runthis.bat. But when prompted to press Y or N, it does nothing after I press Y.  I let it sit for 20 minutes and nothing happened.   Any idea where I went wrong???  I'll try again tonight.  Mark

polonus:
Hi MarkLoehndorf,

Did you somehow try in SAFE MODE, and did this not work, or did you seem to use 100% CPU and nothing happened? Let's try the following then. Reboot the computer normally and DO NOT kill any processes. Then, download WinPFind3u.exe from http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop. Now Close ALL OTHER PROGRAMS.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - Policy Settings
Reg - Security Settings

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
Curious what you will come up with,

polonus
