Chess.exe worm removal?

briloto

I googled it as well, guys (that's how I got to you) and saw http://www.auditmypc.com/process/chess.asp , but not sure how to remove the worm. I am really not that good with computers and any help will be appreciated! As for the not - what confuses me is that in safe mode it doesn't run as it does in normal. As I said it comes up in ms-dos window and the only thing i can get is the message I posted earlier. Is this normal? or am I doing something wrong?

thirascule

A handy tool I've used in the past is Trend Sysclean LINK. You also need the pattern file. Download link.

If you download them into a new folder, say on the desktop and unzip the pattern to the same folder. Make sure your USB stick is plugged in and run sysclean, it will take a while but has always been very sucesful in my experience.

briloto

Hi thirascule, did that, but still the same - the chess.exe is still there. Even if I format the usb sticks and they come up clean as soon as i plug them back again - the same chess.exe comes up. Please guys, heeeellllppp

thirascule

If you have system restore enabled it could be lurking there.

No AV/Malware programs that I'm aware of can scan within the system restore folder. By disabling it you do lose all of your restore points but you may get rid of this pest.

briloto

I did it - I've disabled it before I posted the first post here and haven't enabled it yet

pacman24

Hi,

My company submitted the chess.exe and Autorun.inf files to McAfee Avert Labs last week. After 4 days wait, Avert decided that it was a new variant virus. They released an extra DAT to cover the infection. The virus is called "Generic Dropper.aj" by McAfee. At this time we're STILL waiting McAfee to release a full DAT that will clean the infected PC's. Hope it won't take them too long.

We noticed that it also creates possible spyware entries in the system32 folder, it seems hard to delete these dll's as they recreate themselves.

Good luck with removal of what I believe is the "Generic Dropper.aj" virus.

Pacman24

pacman24

Hi.

We have now found that AVG free (running the latest updates as of 26 August 2008) will clean the infected computer.

After a scan it reboots and kills the ritz8.dll file.

Until all other AV companies (McAfee) catch up I will use AVG FREE!

Regards,

Pacman

totalsolutions

I use Sophos AV and it looks like its called W32/Oror-B

They have a removal proceedure HERE

moo2me

Hi! I have the same chess.exe problem on my external usb hard drive and usb stick! tried a lot of things to get rid of it and nothing worked so far. I have the free AVG anti-virus and that fails to detect it and does not fix the problem....... Anyone knows any other way of getting rid of this thing?

Reluctant_spender

try this -

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Double click SDFix.exe and it will extract the files to %systemdrive%
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
• DO NOT use it just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe