Worst virus I've ever seen...


Oct 12, 2008
Wow. This is terrible. The most malicious virus I've ever seen...
I downloaded a file, not so suspicious. Since it was an .exe file, and to be sure - I scanned it with my AV (KIS 7.0 - Kaspersky Internet Security).
The file came out clean. I clicked on it, and for a moment - nothing happened.

THEN - the storm began...
Kaspersky popped up with a message about this file changing something (don't remember exactly what). I immediately clicked on 'Terminate'.
Then I got another pop-up from KIS, saying that I should roll back to the state it was in before the file was executed. Of course, I chose 'Roll-back'.
Then, all of a sudden - my PC began to shut itself down. It closed all the programs, and seemed to do a complete shut-down.

I reset it just to find out:

When I log on to Windows - KIS won't load up as it used to. It's just missing from the background; it won't work any more.
When I tried to run it manually by clicking on the avp.exe file - I got a message - this file is not legal in win32 - or something like that...
When I tried to search the internet for HiJackThis - just typing this word in the explorer caused the explorer to crash, no matter if it was IE, FF, or even Maxthon.
When I tried to load the PC in SAFE MODE - it crashed and started over again. Non-safe mode works just fine.
When I press Alt-Ctrl-Del - I sometimes find weird filenames appearing for seconds, like 2423235.exe

Anyway - I managed to load the PC through an old German rescue disc I found at home, called Windows-XP-Virus-Edition.
I scanned the PC with AntiVir & BitDefender, both with updated virus signatures, but both came out with nothing.
More than that - when I scanned with SpyBot S&D, after 10 seconds the scan stopped, claiming 'User Aborted' - even though I didn't touch anything!!

I consider myself someone who knows a thing or two about computers, and have managed to handle complicated situations, but this time it seems that I'm in real ****.

Any help on how to move on will be most appreciated!!


Jan 6, 2010
Have you tried limiting what programs start up with the operating system, using msconfig in safe mode or normal mode? Try this. Or if you can get into safe mode with networking you may be able to activate your KIS or install Malwarebytes.


Problem here is it's not a virus.

The OP got hit with a drive-by security exploit, which seeks out any known security holes in your system, browser or loaded plugins/addons. Once it finds a hole, it installs a worm whose job is to download other malicious packages to the system until finally the system ends up as part of a botnet with a rootkit on it to protect the bot.

Best way to handle this situation will be to keep the infected system completely disconnected from the network.

Next, pull the drive from the infected system and use either an external drive enclosure or an EIDE/SATA to USB adapter so you can connect it directly to another system as an external drive. BUT before you connect the drive, make sure you have the other system configured to scan removable drives and that AutoRun is set to always Ask.

Now with the drive connected to a different system, you will be able to scan the drive with an Anti-Virus program and you'll also be able to visually scan through the various locations for anything which doesn't belong there.

One trick to use in Windows Explorer when viewing a directory is to select list view, then in the menu bar, choose View > Choose Details...

This way you can select "Company", then arrange them in this order:
Name : Size : Company : Date Modified : Type

I only do this with such folders as Windows, System32 and SysWOW64. This way when viewing the files, you can click on any one of the detail items to sort the files/folders to see what's what, such as a bunch of small files all the exact same size, or all from the same date such as the date the problem started, or even the company. Just be careful what files you remove.

You won't be able to scan the registry, but you will be able to check any .ini files.

Once you have finished doing what you can with the drive, replace it in your system and keep the system disconnected to keep whatever may still be on it from connecting online and trying to reinstall whatever you may have removed.

Now open the Task Scheduler:
Start > All Programs > Accessories > System Tools > Task Scheduler, then look through what is listed, noting what is present. In the menu bar select View > Show Hidden Tasks. Now check through the list again for any scheduled events which previously weren't showing. If you find any which are not legitimate, delete them, as hidden scheduled tasks are one of the tricks that malware purveyors have been using to reinstall their garbage.

Now that that is out of the way, using the other (clean) system, download the newest version of MalwareBytes' Anti-Malware, SpyBot Search & Destroy with the newest definition updates, and HiJackThis 2.0.3 to a flash drive.


When you install or reinstall SpyBot, do not use the TeaTimer as it's more trouble than it's worth.

Run MalwareBytes' first, letting it fix anything it finds, and be sure to save your log.
The same applies to SpyBot: run the program, let it fix what it finds, then save the log.

Now install HiJackThis, run the program and save the log, then use the clean system and go over to the Spywareinfo Forums - Home of the Boot Camp. Look for the Malware Removal subforum. You'll want to create a new post there with information about what happened and include your logs in the post. You can use the flash drive to transfer the logs between systems.

After you finish your post, take the time to read the pinned topics in the Malware Removal sub-forum and you may want to check out the other sub-forums there too as there is plenty of useful information.

Good Luck
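The offline triage described in the reply above (sort System32 by Company/size/date, then look for hidden scheduled tasks) can be scripted from the clean machine. This is an added example, not code from the thread or from any of the tools named; it assumes the infected disk is mounted read-only on the clean system as E: (placeholder letter) and that the infected install is Vista or later, where each scheduled task is an XML file under Windows\System32\Tasks (XP stored binary .job files instead).

```powershell
# Added example: triage an OFFLINE Windows volume from a clean machine.
# Nothing on the infected disk is executed; it is only read.
param(
    [string]$OfflineRoot = 'E:\Windows'   # placeholder: the mounted disk's Windows folder
)

# 1) Same view the post builds in Explorer: Name / Size / Company / Date Modified.
$dirs = @("$OfflineRoot\System32", "$OfflineRoot\SysWOW64") | Where-Object { Test-Path $_ }
if (-not $dirs) { throw "No System32/SysWOW64 under $OfflineRoot - is the drive mounted?" }

$files = Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(exe|dll|sys)$' } |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Company'; e = { $_.VersionInfo.CompanyName } }

# Files carrying no Company string at all, newest first (worth a closer look).
Write-Host "== Executables with no Company metadata (newest first) =="
$files | Where-Object { -not $_.Company } |
    Sort-Object LastWriteTime -Descending |
    Format-Table Name, Length, LastWriteTime -AutoSize

# Clusters of files with the exact same size, the pattern the post says to watch for.
Write-Host "== Groups of 3+ files sharing one exact size =="
$files | Group-Object Length | Where-Object { $_.Count -ge 3 } | ForEach-Object {
    '{0,10} bytes: {1}' -f $_.Name, (($_.Group | Select-Object -ExpandProperty Name) -join ', ')
}

# 2) Hidden scheduled tasks, read from the task XML on disk so the infected
#    system never has to boot. <Settings><Hidden>true</Hidden></Settings> is the
#    flag the Task Scheduler GUI suppresses until "Show Hidden Tasks" is ticked.
$taskDir = "$OfflineRoot\System32\Tasks"
Write-Host "== Hidden scheduled tasks under $taskDir =="
Get-ChildItem -Path $taskDir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($_.FullName) } catch { return }      # skip anything that is not task XML
    if ("$($xml.Task.Settings.Hidden)" -eq 'true') {
        [pscustomobject]@{
            Task    = $_.FullName.Substring($taskDir.Length)
            Command = ($xml.Task.Actions.Exec.Command -join ' ')
            Args    = ($xml.Task.Actions.Exec.Arguments -join ' ')
        }
    }
} | Format-Table -AutoSize
```

Run it from the clean system as `.\offline-triage.ps1 -OfflineRoot 'E:\Windows'`; the Command column tells you what each hidden task would launch, which is what you compare against the files flagged in step 1.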


Nov 3, 2012
Wow, that is scary! I had a virus from www.youareanidiot.org (don't go to it). It stopped my Avast! from working, and then I got it to work again and did a scan, which found viruses. Thank God I got out OK...


Oct 4, 2012

I recently got a nasty one called Trojan-Zbot.... It caused random changes to the system, causing many programs to not work, and slowed the system down tremendously. I had to wipe it to get rid of it.
