I can't get rid of this virus on Windows 7.

    Question

  • It creates hidden executables with names like yttd.exe and always sets explorer to not show the hidden files.
    I have avira antivirus and already tried a few other ones but although sometimes it detects them as a virus most of the time it doesn't.

    Please help recommend a good virus remover.
    Thanks
    zminin dot com
    Monday, August 17, 2009 2:09 AM

All replies

  • Hi

    try booting in safe mode and then remove the files.
    Monday, August 17, 2009 6:46 AM
  • Hi zmin, thanks for the post. I suggest you also check the following article regarding Windows 7 compatible antivirus program:

    Windows 7 security software providers
    http://www.microsoft.com/windows/antivirus-partners/windows-7.aspx 

    Hope this helps!
    Sean Zhu - MSFT
    Monday, August 17, 2009 9:40 AM
  • cool but upon removal it keeps reappearing. i dont feel like installing 10 different antivirus software. the virus is detected and removed but it keeps returning. i'll try some anti-spyware.

    zminin dot com
    Monday, August 17, 2009 1:37 PM
  • have you tried Bitdefender, well it looks like the virus keeps a copy somewhere and when you delete it, it re-creates the same.
    Also many times these kind of malicious virus attach themselves to explorer.exe or any other system resource.
    The only way to remove is use Hijack this or Sysinternals Autoruns and deselect those files from running on the
    next boot.
    Would recommend starting the infected Machine in safemode and using Autorun to remove those files.....

    Monday, August 17, 2009 4:35 PM
  • i tried avast, avira, ms removal tool and anti-malware with no results.
    i've attached a snapshot on the virus on my website, maybe you guys can help submit it to their respective tech centers:

    http://zminin.com/virus.zip (use carefully)
    http://zminin.com/virus.jpg


    zminin dot com
    Friday, August 21, 2009 4:54 AM
  • So you can't remove the virus even in safe mode and by using multiple programs?
    If the virus file always restores itself it must be somehow positioned deep in the system.

    Another option is to delete it by using the real system administrator @safe mode.

    Open the command prompt as an admin, type cmd and then type:

    net user administrator /active:yes

    Reboot (in safe mode).

    This will enable the administrator on the next login.
    Try the same things as above and particularly scan the system files (C:\System and System32, ...).

    Maybe this helps.

    Friday, August 21, 2009 5:45 AM
  • nope, i have admin rights on both pc's in the vpn (a xp desktop and a windows7 laptop). i'm thinking reinstalling windows on both will not suffice since NONE of the antivirus or anti-spyware software even DETECTS the file as being a virus. either that, or the executable has already been cleaned, which i seriously doubt since the symptoms and propagation are still there.

    i'd say this is a pretty serious issue and the companies involved in producing software against such malware should be interested with a solution. the source of the problem seems to be to me either realVNC/tightVNC remote software (which almost every time i installed ended up in someone hacking my computer) or could be just the fact that i seldom use my laptop to connect to unsecure wifi networks (while file sharing is probably still on).

    thanks from romania.
    zminin dot com
    Friday, August 21, 2009 12:18 PM
  • When connecting using realVNC is the connection encrypted or secure in any way?
    Would suggest you use an encrypted/secure connection while using any remote access software.....
    Friday, August 21, 2009 12:24 PM
  • I don't mean the standard admin!

    Doing so, you enable the real admin. Keep that in mind.
    Friday, August 21, 2009 12:55 PM
  • Rather than using a virus scanner, I'd recommend doing this "the hard way".

    Download a copy of Trend Micro's "Hijack This!".  It is capable of listing every startup process your machine uses, be it a system service, a registry entry, or a Browser Helper Object (BHO).  I think the issue is that you think you've got all of the virus, but you haven't --and the one bit you're missing runs at startup and re-infects your machine again.

    You can use HiJack This! to eliminate the run entry points that execute the virus, but I'd recommend doing it this way:

    Boot into Safe Mode.

    Run HiJack This!.

    When you find a suspicious file, open Command Prompt as administrator.  Navigate to where the file is located.  If the file is hidden using a DIR command, use the following command to show it:

    ATTRIB <filename> -S -R -H

    If you are sure the file is a virus, kill it.  If you aren't absolutely sure, rename it to <FILENAME>.BAK or .VIR or something like that so that it won't execute, but so that you can get it back in case you need to.  Do this for all suspicious files HiJack This! finds.

    If you are unsure if a file is malicious or not, for now use the Services console to disable it (if it is a Service) or MSCONFIG if it is loaded elsewhere.  If you are sure, use HiJack This! to delete the entry point of the file by checking the required box and clicking "Fix".  Once you're sure you've got everything, reboot out of Safe Mode and check your running processes.  While Task Manager can do this, I recommend another tool --Process Explorer, created by the great Mark Russinovich, formerly of SysInternals (now part of Microsoft).

    I hope this helps.
    Everyone gets everything he wants. Me, I wanted to be a sysadmin. And for my sins --they made me one.
    • Proposed as answer by LoneWolf15 Saturday, August 22, 2009 11:37 AM
    • Unproposed as answer by zmin Sunday, August 23, 2009 2:34 AM
    Saturday, August 22, 2009 11:36 AM
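
The checks LoneWolf15 describes above, together with the symptoms reported in this thread (hidden executables in drive roots, Explorer forced to hide hidden files), as a read-only PowerShell triage sketch. This is an added example, not something posted by any participant; the function names are hypothetical, and the registry paths are the standard Windows locations for Explorer's hidden-file setting and the Run keys.

```powershell
# Added example, not from the thread. Read-only: it lists things and changes nothing.
# Assumes Windows PowerShell 2.0+ (Windows 7), elevated prompt, ideally Safe Mode.

$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

function Get-HiddenRootFiles {
    # Hidden+System files directly in the root of local (3) and removable (2) drives,
    # where the thread reports random-named .exe files and empty khv/kht files.
    # Legitimate entries such as pagefile.sys and hiberfil.sys will also be listed.
    Get-WmiObject Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 } |
        ForEach-Object {
            Get-ChildItem -Path ($_.DeviceID + '\') -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and
                               (($_.Attributes -band $hiddenSystem) -eq $hiddenSystem) }
        }
}

function Get-ExplorerHiddenSetting {
    # Hidden: 1 = show hidden files, 2 = hide them.
    # ShowSuperHidden: 1 = show protected operating system files.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Get-ItemProperty -Path $adv | Select-Object Hidden, ShowSuperHidden
}

function Get-RunKeyEntries {
    # Per-machine and per-user Run keys: two of the startup locations that
    # HijackThis and Autoruns enumerate (those tools cover many more).
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{ Key = $k; Name = $name; Command = $key.GetValue($name) }
            }
        }
    }
}

Get-HiddenRootFiles | Format-Table FullName, Length, LastWriteTime, Attributes -AutoSize
Get-ExplorerHiddenSetting | Format-List
Get-RunKeyEntries | Format-List Key, Name, Command
```

Comparing the output before and after a reboot, or after replugging an external drive, shows which entries come back.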
  • Hijack didn't work, it seems like it's not resident in memory or startup.
    I sent the virus sample to a few anti-virus companies.

    Thanks..
    zminin dot com
    Sunday, August 23, 2009 2:34 AM
  • In my line of work I have to clean the virus you have at least 2 or 3 times a week.  I suspect you received an email or IM message that looked like someone you knew that said something along the lines of "hey just uploaded the vacation pics" or "check out the new family video" etc......

    The virus trigger is embedded into your system32 folder and you won't be able to clean it because Windows will tell you that it is in use (even in safe mode).

    Here is how I clean the client pc's

    http://www.ubcd4win.com/

    I use the Ultimate boot CD.  It is fairly simple to download and set up.  (**I suggest you download and set up on someone else's pc) and then once you have the CD made, you boot your PC into the CD.  It has its own operating system in the cd so you will not be using windows but you will have full access to your hard drive. (That's how you get around the file is in use problem)

    Then as part of the CD you get malwarebytes, spybot search and destroy, avg and avast among a number of other antivirus and antispyware programs.....basically you run them from the cd and select your hard drive files......you will see more virus files than you've seen so far since none will be able to hide.....delete them all based on the instructions for each of the av or antispyware programs from the cd.

    once completed reboot/eject cd and boot into windows.....you can run a final check with your own programs in windows if you want to double check but this has yet to fail me with what you're explaining.
    Sunday, August 23, 2009 4:36 PM
  • i have reinstalled windows (7) and after updating the anti-virus program it managed to detect a virus trace in the file.
    my guess is that this happened because i submitted the file to about five anti-virus companies a couple of days ago (now both avira and avast detect it, although one week ago they failed to do so).

    my only option was reinstalling windows - on my desktop the virus still doesn't get detected because i haven't reinstalled windows on it yet.
    i don't know how i got the virus - i usually don't click on any link that gets in my way, i have some pc experience to know better than that, but then again who knows someone can click on nowadays.

    the virus root is SPR/AutoIT.Gen

    so i guess problem solved with the drastic solution of reinstalling windows, that i wanted to avoid
    thanks anyway though.


    zminin dot com
    • Marked as answer by zmin Monday, August 24, 2009 3:21 PM
    Monday, August 24, 2009 3:20 PM
  • a month and a half and i can still find some traces of it hidden in some root folders (hopefully inactive)

    i've also noticed it left a lot of KHV.SYS and KHT.SYS files behind, both empty and also attribbed with +hidden +system +readonly

    zminin dot com
    Saturday, October 03, 2009 11:07 PM
  • Seems to me a .Dll is reinvoking/recreating the virus code, what u could do is investigate where and what is triggering the virus then if the .dll is not essential/part of the windows u want to remove it...
    hope u can find a proper solution..
    Regards,
    RR
    Tuesday, October 06, 2009 8:02 PM
  • I Googled for this and get here, I also have this on my XP 64bit (disables show hidden files, puts empty files named "khv" in some folders...) and I also have the Avira Premium as the default AV. Tried SpyBot S&D, didn't help.
    I wonder if it could be Avira related ?
    I can't reinstall the system now as I'm in the middle of some project... I'll try scanning with SUPERantispyware when I get home as someone suggested on the net.
    Wednesday, October 21, 2009 8:25 PM
  • Hi!
    I'm also experiencing this virus. There is a khv (System file) on my C: and D: and a .exe file named lkpbgk.exe.
    I didn't notice this until just this week after I downloaded from the Avira site an Avira AntiVir Personal. I'm also wondering if it is related to Avira.

    As of now, I don't know what this virus is doing but I notice that whenever I delete it, it keeps on returning after rebooting or replugging a HD.
    Any new information regarding this?

    --Thanks,
    Tuesday, November 24, 2009 5:18 AM
  • To follow up, I have tried several methods (can't remember which exactly) and SuperAntiSpyware did the trick for me.
    I am still using Avira and everything is OK, it's just that I started doing occasional scans with SuperAntiSpyware and it hasn't found anything since.
    Sunday, November 29, 2009 9:22 PM
  • Or how about you download Microsoft security essentials, problem solved...
    OMERadio Forum manager & Administrator.
    Monday, November 30, 2009 2:04 AM
  • I swear I just said that..

    Yep there it is 2 wee boxes back wink,

    But, yep, good idea Smile
    Drew - MS Partner / MS Beta Tester / Pres. Computer Issues
    Monday, November 30, 2009 3:12 AM