Is it safe to delete tok-cirrhatus?

Discussion in 'ewido anti-spyware forum' started by tapyboy, Jul 24, 2006.

Thread Status:
Not open for further replies.
  1. tapyboy

    tapyboy Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    4
    I have scanned my brother's computer using AVG before and it detected the Brontok virus. However, when I installed ewido 4 and opened the analysis of the startup items, I noticed tok-cirrhatus, which is probably a remnant of the virus. Can I safely delete this? How can I remove a pop-up searching for explorasi.exe using ewido?
     
  2. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    Yes, it's safe to delete the remnant. You can also search for explorasi.exe in the registry. :D
     
  3. tapyboy

    tapyboy Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    4
    Thanks for the quick reply. After running the ewido 4 analysis, I noticed the following process names:
    lsass.exe
    winlogon.exe
    scrss.exe
    explorer.exe
    smss.exe
    services.exe

    Is it safe to terminate these applications?

    What is a prefetch? These things are suspicious files, right? How can I completely remove the remnants of a Brontok.ae virus which appears to have infected my computer before? Should I leave the remnants alone, since they are already harmless?
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The following are legitimate Windows files, and if you delete them you will end up without a functioning computer!:-

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\Explorer.exe

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\services.exe

    Please note that the above are the correct file paths for XP, if you have different file paths (on XP) then yours could be baddies; they should not appear as autostarts either.

    scrss.exe is different though, if that appears as a Service it could be this:-

    http://www.softwaretipsandtricks.com/dangerous_files/4273-scrssexe.html

    http://www.sophos.com/virusinfo/analyses/trojhacdefr.html

    I don't think you've adequately cleaned your machine, please do the following:-

    1) Download and run the latest version of CCleaner from here:-

    http://www.filehippo.com/download_ccleaner/

    Before running CCleaner you should configure it by clicking Options/Advanced and unchecking the box for 'Only delete files in Windows Temp folders older than 48 hrs'. (CCleaner will get rid of your old Prefetch data, by the way.)

    2) Boot into 'safe' mode:-

    http://www.bleepingcomputer.com/forums/tutorial61.html

    now do a full system scan with AVG first, then ewido (ensuring you are using latest definitions). Quarantine anything found.

    3) Finally do an online scan:-

    http://www.kaspersky.com/service?chapter=161739400

    If that finds anything, or you still have things in ewido's analysis you think you shouldn't have, let us know.
     
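    As an added defender-side check written for this thread (example code, not from any poster, from ewido or from AVG): the script below compares the running copies of the processes TopperID lists against their expected paths, and searches running processes and the Run autostart keys for the names this thread treats as suspicious (scrss.exe, explorasi.exe, tok-cirrhatus). It assumes Windows PowerShell 3 or later for Get-CimInstance and that %SystemRoot% is the Windows folder; run it elevated so system process paths resolve.

```powershell
# Added example, not from the thread: audit the processes TopperID lists against their
# expected paths and look for the names this thread treats as suspicious.
# Assumes Windows PowerShell 3+ (Get-CimInstance); run elevated to see system process paths.
$root = $env:SystemRoot   # C:\WINDOWS on the XP machine in the thread
$expected = @{
    'lsass.exe'    = "$root\system32\lsass.exe"
    'winlogon.exe' = "$root\system32\winlogon.exe"
    'explorer.exe' = "$root\Explorer.exe"
    'smss.exe'     = "$root\System32\smss.exe"
    'services.exe' = "$root\system32\services.exe"
}
# Names from the thread that should not be present at all (process, command line or autostart).
$suspect = @('scrss.exe', 'explorasi.exe', 'tok-cirrhatus')
$findings = @()

# Win32_Process exposes ExecutablePath and CommandLine for processes Get-Process hides.
foreach ($p in Get-CimInstance Win32_Process) {
    $name = $p.Name.ToLower()
    if ($expected.ContainsKey($name)) {
        if (-not $p.ExecutablePath) {
            $findings += "UNRESOLVED PATH: $name (pid $($p.ProcessId)); rerun elevated"
        } elseif ($p.ExecutablePath -ine $expected[$name]) {
            $findings += "PATH MISMATCH: $name running from $($p.ExecutablePath)"
        }
    }
    foreach ($s in $suspect) {
        if ("$name $($p.CommandLine)" -imatch [regex]::Escape($s)) {
            $findings += "SUSPECT PROCESS: $($p.Name) (pid $($p.ProcessId)) $($p.CommandLine)"
        }
    }
}

# Autostart entries: the remnant in the thread showed up in ewido's startup analysis.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $entry = "$($prop.Name) $($prop.Value)"
        foreach ($s in $suspect) {
            if ($entry -imatch [regex]::Escape($s)) { $findings += "SUSPECT AUTOSTART: $key\$($prop.Name) = $($prop.Value)" }
        }
        # TopperID's point: the real system processes are not autostarts, so a Run entry naming one is odd.
        foreach ($n in $expected.Keys) {
            if ("$($prop.Value)" -imatch [regex]::Escape($n)) { $findings += "AUTOSTART NAMES SYSTEM PROCESS: $key\$($prop.Name) = $($prop.Value)" }
        }
    }
}
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

    A path mismatch or a hit on one of the suspect names is a lead for the quarantine steps TopperID describes, not proof on its own; an unresolved path only means the script lacked the privilege to read it.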
  5. tapyboy

    tapyboy Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    4
    Thanks for all the help. I got rid of the explorasi.exe pop-up and the computer appears clean.
     