Cannot delete 2 viruses from computer

Guest

My antivirus program has detected 2 viruses on computer that cannot be removed.

-Trojan Horse (howiper.exe)
-UnSpyPC (filesafer23.exe)

I have followed the directions provided by Norton requiring me to delete
values from my registry. It lists subkey areas where the virus could be
found. Basically it states that I should delete any value that refers to
that particular file name. I have gone through the subkeys but cannot identify
anything related to my 2 problems.

The more specific the better.

Thanks
Can you refer me to another location that could address removal of these????
I do not want to delete anything out of the registry by accident....
 
David H. Lipman

From: "(e-mail address removed)" <[email protected]@discussions.microsoft.com>

| My antivirus program has detected 2 viruses on computer that cannot be removed.
|
| -Trojan Horse (howiper.exe)
| -UnSpyPC (filesafer23.exe)
|
| I have followed the directions provided by Norton requiring me to delete
| values from my registry. It lists subkey areas where the virus could be
| found. Basically it states that I should delete any value that refers to
| that particular file name. I have gone through the subkeys but cannot identify
| anything related to my 2 problems.
|
| The more specific the better.
|
| Thanks
| Can you refer me to another location that could address removal of these????
| I do not want to delete anything out of the registry by accident....

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

It always helps to identify the fully qualified path to the infectors, not just their names.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Guest

Dave:

Your program cleaned out all but 1 virus. The UnSpyPC(filesafer23.exe) is
still running. Here is where the file is located: C:\windows\system
32\filesaver23.exe.

One of the recommendations given was to check the registry and delete files
manually. One of the places to look was:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\Cmd
Mapping. I found something in this subdirectory on the right hand side of
page that may be the problem but not sure.
I have 3 entries total.
1st line: default
2nd line: {FB5F1910-F110-11d2-BB9E-00C04F795683} REG_DWORD 0x00002000 (8192)
3rd line: Next ID REG_DWORD 0x00002001 (8193)

Rest of registry appears to be normal.

Is this the source of my problem????


 
David H. Lipman

From: "(e-mail address removed)" <[email protected]>

| Dave:
|
| Your program cleaned out all but 1 virus. The UnSpyPC(filesafer23.exe) is
| still running. Here is where the file is located: C:\windows\system
| 32\filesaver23.exe.
|
| One of the recommendations given was to check the registry and delete files
| manually. One of the places to look was:
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\Cmd
| Mapping. I found something in this subdirectory on the right hand side of
| page that may be the problem but not sure.
| I have 3 entries total.
| 1st line: default
| 2nd line: {FB5F1910-F110-11d2-BB9E-00C04F795683} REG_DWORD 0x00002000 (8192)
| 3rd line: Next ID REG_DWORD 0x00002001 (8193)
|
| Rest of registry appears to be normal.
|
| Is this the source of my problem????


Need more information. What AV modules did you use ?

Did you examine the log file at the end of the scan and was
C:\windows\system32\filesaver23.exe identified but was not removed ?
Or was it the case that you ran all four AV modules and NONE even detected anything ?

If it is the case of C:\windows\system32\filesaver23.exe identified but was not removed,
when you are at the menu of the Multi AV Scanning Tool, hit the letter 'E' or 'e'. It will
bring up a notepad screen with the following shown...
iexplore.exe
firefox.exe

Add the following to the list..
filesaver23.exe

Now it should look like...
iexplore.exe
firefox.exe
filesaver23.exe


Make sure the last line after 'filesaver23.exe' is an empty line then go to; File --> Save,
File --> Exit
Now scan the computer again using the AV module that had identified the file
'filesaver23.exe' before.


Additionally...
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
is a location in the Registry. It doesn't use subdirectories or folders. That is something
that exists for disk files, not Registry entries. At this time I do NOT suggest deleting
anything manually from the Registry.
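
A read-only way to gather what the replies above ask for (the full path of the file, and any registry values that mention it) without deleting anything. This is an added example, not part of the thread or of the Multi AV tool; the key list is an assumption (the standard Run keys plus the key quoted in the thread, since Norton's list is not reproduced here) and the function names are hypothetical.

```powershell
# Read-only report: nothing is deleted or modified.
# Both spellings of the file name appear in the thread.
$names = 'filesaver23.exe', 'filesafer23.exe'

# Assumed key list: the standard Run keys plus the key quoted in the thread.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Internet Explorer\Extensions\CmdMapping'
)

function Find-RegistryReference {
    param([string[]]$Path, [string[]]$Name)
    # One case-insensitive regex matching any of the literal file names.
    $rx = ($Name | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # key absent on this machine
        $key = Get-Item -LiteralPath $p
        foreach ($valueName in $key.GetValueNames()) {
            # Keep %VARIABLES% unexpanded so the data is shown as stored.
            $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            $text = @($data) -join ' '
            if ("$valueName $text" -match $rx) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = if ($valueName) { $valueName } else { '(Default)' }
                    Kind  = $key.GetValueKind($valueName)
                    Data  = $text
                }
            }
        }
    }
}

function Find-FileByName {
    param([string]$Root, [string[]]$Name)
    # Walk the tree and keep exact (case-insensitive) file-name matches;
    # errors from unreadable folders are suppressed.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Name -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

Find-RegistryReference -Path $keys -Name $names | Format-List
Find-FileByName -Root $env:windir -Name $names | Format-Table -AutoSize
```

An empty result from the registry search only means none of the listed keys mention the file; it does not show the file is inactive.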
 
Guest

DAVE:

The message is that the program can detect the file but cannot repair or
delete it. Here is an example of what happens: I have Yahoo as my home page,
sometimes when I click on their travel link I am transferred to another page
with this heading:
http://www.google.com/search?hl=en&q=how to travel cheap. If I close on
the window and try the same link similar google page opens again.

I ran the SYSC Clean program and part of the log states that clean failed. I
will need to check on the other programs.
Thanks.
 
David H. Lipman

From: "(e-mail address removed)" <[email protected]>

| DAVE:
|
| The message is that the program can detect the file but cannot repair or
| delete it. Here is an example of what happens: I have Yahoo as my home page,
| sometimes when I click on their travel link I am transferred to another page
| with this heading:
| http://www.google.com/search?hl=en&q=how to travel cheap. If I close on
| the window and try the same link similar google page opens again.
|
| I ran the SYSC Clean program and part of the log states that clean failed. I
| will need to check on the other programs.
| Thanks.
|


When you are at the menu of the Multi AV Scanning Tool, hit the letter 'E' or 'e'. It will
bring up a notepad screen with the following shown...
iexplore.exe
firefox.exe

Add the following to the list..
filesaver23.exe

Now it should look like...
iexplore.exe
firefox.exe
filesaver23.exe

Make sure the last line after 'filesaver23.exe' is an empty line then go to; File --> Save,
File --> Exit

Now scan the computer again using the AV module that had identified the file
'filesaver23.exe' before.

Start with the McAfee Module !
 
