Possible virus

By glhglh
Apr 19, 2008
Topic Status:
Not open for further replies.
  1. My daughter is unable to connect to our mail server. I think I found a worm and deleted it, and have followed the instructions.

    Is there anything left?
  2. kritius

    kritius TechSpot Guru Posts: 2,087

    Redo the AVG scan and make sure that it quarantines the results.

    Also do not go into safe mode with network support any more, run HJT from normal mode and then post a new HJT log back here followed by a fresh ComboFix log.
  3. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Rescan in regular mode

    I rescanned in regular mode. Is that OK?
  4. kritius

    kritius TechSpot Guru Posts: 2,087

    Run HijackThis from normal mode again.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    FYI: while the following are all legitimate processes, auto-updates contact the internet numerous times during the day 'looking' for updates; there may be none for months. I suggest you disable these features:

    HP Software Update- HPWuSchd2.exe
    SunJavaUpdateSched- jusched.exe
    TkBellExe- realsched.exe
    Google Updater- GoogleUpdaterService.exe
  6. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Rescanned and deleted per Bobbye

    I rescanned with HijackThis after I deleted the following per Bobbye:


    HP Software Update- HPWuSchd2.exe
    SunJavaUpdateSched- jusched.exe
    TkBellExe- realsched.exe
    Google Updater- GoogleUpdaterService.exe

    Also, if I remember from a couple of years ago when my wife's computer had problems, the three R1 entries to "go.microsoft" may be problems that are redirecting communications to Microsoft. I'm getting old, so I don't know if my memory is correct.

    Thank you for taking your time to help.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I'm waiting for kritius to continue. The R1s look okay to me. They direct to MSN Live Search.
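    The two judgements Bobbye makes above (the O4 auto-updater entries are legitimate but optional, and the R1 entries pointing at go.microsoft.com are benign) are exactly the checks a helper runs by eye over a HijackThis log. The script below is an added example, not part of this thread and not HijackThis code: it parses constructed sample R0/R1/O4 log lines (the process names are the ones Bobbye lists; the paths, the fake search host and the `.tmp` autostart entry are invented for the sample) and classifies each one as trusted, an optional updater, suspicious, or in need of review. The allowlists and the "suspicious location" heuristics are assumptions chosen for the example, not HijackThis rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample HijackThis-style lines (not the thread's real log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchhijack.example/redirect
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [svchost] C:\Users\user\AppData\Local\VirtualStore\Windows\System32\example.tmp
"""

# Updaters that are legitimate but optional (the list from Bobbye's post).
KNOWN_OPTIONAL_UPDATERS = {
    "hpwuschd2.exe": "HP Software Update",
    "jusched.exe": "Sun Java Update Scheduler",
    "realsched.exe": "RealNetworks TkBellExe scheduler",
    "googleupdaterservice.exe": "Google Updater",
}
# Assumed allowlist of search/start-page hosts that do not need a second look.
TRUSTED_SEARCH_HOSTS = {"go.microsoft.com", "www.google.com", "search.live.com", "www.msn.com"}
# Assumed heuristics: autostarts living in these places or with these extensions deserve a look.
SUSPICIOUS_PATH_MARKERS = ("\\virtualstore\\", "\\temp\\", "\\appdata\\local\\temp\\")
SUSPICIOUS_EXTENSIONS = (".tmp", ".scr", ".pif")

R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")


def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r".+?\.(?:exe|tmp|dll|scr|pif|bat|cmd)\b", command, re.IGNORECASE)
    return m.group(0) if m else command.split()[0]


def triage_hjt_log(text: str) -> list:
    """Return one finding dict per recognised R0/R1/O4 line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            kind, _key, setting, url = m.groups()
            host = (urlparse(url.strip()).hostname or "").lower()
            verdict = "ok" if host in TRUSTED_SEARCH_HOSTS else "review"
            findings.append({"type": kind, "item": setting, "target": url.strip(), "verdict": verdict})
            continue
        m = O4_LINE.match(line)
        if m:
            _hive, name, command = m.groups()
            exe = executable_from_command(command)
            lower = exe.lower()
            base = lower.replace("/", "\\").rsplit("\\", 1)[-1]
            if base in KNOWN_OPTIONAL_UPDATERS:
                verdict = "optional-updater"
            elif lower.endswith(SUSPICIOUS_EXTENSIONS) or any(mk in lower for mk in SUSPICIOUS_PATH_MARKERS):
                verdict = "suspicious"
            else:
                verdict = "unknown"
            findings.append({"type": "O4", "item": name, "target": exe, "verdict": verdict})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per verdict so the reviewer sees what needs attention first."""
    counts = {}
    for f in findings:
        counts[f["verdict"]] = counts.get(f["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f['type']:<3} {f['verdict']:<16} {f['item']:<22} {f['target']}")
    print(summarize(triage_hjt_log(SAMPLE_LOG)))
```

    Run against a real log, the "optional-updater" verdicts are the entries Bobbye suggests disabling, "ok" R1 lines are the go.microsoft.com redirects she calls harmless, and anything marked "suspicious" or "review" is what a helper would ask about next.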
  8. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Kritius's response

    Bobbye, did I place my last posting in the wrong place for Kritius to see?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're okay. Kritius is exceptionally busy and will catch up to you. He may request new HijackThis logs then; wait. Thank you for your patience.
  10. kritius

    kritius TechSpot Guru Posts: 2,087

    I don't really see anything in that log; let's dig a little deeper.

    Download and Run DSS

    Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
    • Attach the main.txt and the extra.txt in your reply.
  11. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Maybe we are fixed.

    I have attached the Main.txt.

    We may not need this. When I started, I could not get this computer to our mail server. Now it is OK. The computer is also not redirecting Windows Explorer to ads instead of Google links. My daughter had this computer in Mexico from March 16th to April 14th. That is where the problems started.

    At some point in the process of using the various anti-malware programs, I also restored the computer to a restore point prior to their trip to Mexico. That may have done the trick, but I'm afraid that the problem is still on the computer somehow, but not being loaded. I'll go through the history and try to find anything saved to the computer during that period and delete it.

    I accidentally closed the advanced.txt, and when I reran DSS twice more, the advanced.txt did not run.
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log in your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available, otherwise use standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

    • Include the report in your next post.
  13. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Here are the results of the two scans

    Here are the results of the two scans.
  14. kritius

    kritius TechSpot Guru Posts: 2,087

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      [kill explorer]
      C:\Users\Hannah Marie\AppData\Local\VirtualStore\Windows\System32\dmpmo.tmp
      C:\Users\Hannah Marie\Documents\no purpose\Limewire\New Folder (4)\lauren hannah\little miss sunshine.mp3
      C:\Users\Hannah Marie\Documents\no purpose\Limewire\New Folder (4)\limewire 2\New Folder\chainsaw daniel merriweather.mp3/Setup.exe
      C:\Users\Hannah Marie\Documents\no purpose\Limewire\New Folder (4)\limewire 2\New Folder\leader phantom planet.mp3
      purity
      [start explorer]
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  15. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    I'm having problems with this step

    Kritius,

    After following the directions for OTMoveIt2 many times, I keep getting the following response each time.

    "Invalid time flag! [setup.exe]. Must be numerical."
    At this time I exit the program.

    The only way to get back a taskbar is to use Control-Alt-Delete and reboot.

    In the OT directory, there are no log files, but I put the directories it created in the attached log file.

    I also used CCleaner to uninstall LimeWire (I have told my daughter several times over the years not to use this, but... teenagers...).

    Also, during this process, I have tried to look at the "Documents and Settings" directory in "My Computer" but get the message "access denied", even when I am logged on as the administrator (note this computer is Vista) and if I turn the firewalls off for a short time. I have also tried to change the properties of the file to allow the administrator to make changes, but that is also not allowed.

    What do I do next?

    Again, thank you for your time, as always.
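    The OTMoveIt2 script in post 14 does three things a removal helper relies on: it moves each listed path out of the way rather than deleting it, keeps a log of what was moved, and leaves the operator to deal with entries that cannot be moved. The script below is an added example written for this thread, not OTMoveIt2's code and not the scan output from the thread. It parses a pasted move list (treating `[bracketed]` lines and bare words such as `purity` as directives is an assumption for this example, not OTMoveIt2's actual grammar), moves real files into a quarantine tree that preserves their original path, writes a log, and reports entries it cannot move. One such entry is a path like `song.mp3/Setup.exe`: a component after a regular file's name cannot exist on disk and refers to something inside that container, so the routine reports the host file and leaves the decision to the operator. The sample files it creates in a temporary directory are constructed for the demo.

```python
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def parse_move_list(text: str) -> list:
    """Split a pasted move list into file-system paths.
    Assumption (not OTMoveIt2's grammar): [bracketed] lines and bare words
    without a path separator are directives, not paths."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue
        if "\\" not in line and "/" not in line:
            continue
        paths.append(line)
    return paths


def classify_path(p: Path) -> str:
    """'file', 'dir', 'missing', or 'inside-container:<host file>' when an
    ancestor component is a regular file (e.g. an archive member path)."""
    if p.is_file():
        return "file"
    if p.is_dir():
        return "dir"
    for parent in p.parents:
        if parent.is_file():
            return f"inside-container:{parent}"
        if parent.exists():
            break  # reached a real directory; the rest simply does not exist
    return "missing"


def quarantine(targets: list, quarantine_root, log_path=None) -> dict:
    """Move each target into quarantine_root, mirroring its original path,
    and return {target: outcome}. Nothing is deleted; unmovable entries are reported."""
    quarantine_root = Path(quarantine_root)
    quarantine_root.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d_%H%M%S")
    results, log_lines = {}, [f"quarantine run {stamp} (UTC)"]
    for target in targets:
        p = Path(target)
        kind = classify_path(p)
        if kind in ("file", "dir"):
            absolute = p.resolve()
            dest = quarantine_root / absolute.relative_to(absolute.anchor)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(p), str(dest))
            results[target] = f"moved:{dest}"
        else:
            results[target] = kind
        log_lines.append(f"{target} -> {results[target]}")
    if log_path is not None:
        log_path = Path(log_path)
        log_path.parent.mkdir(parents=True, exist_ok=True)
        log_path.write_text("\n".join(log_lines) + "\n", encoding="utf-8")
    return results


def demo():
    """Build constructed sample files in a temp dir and run a move list over them."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    victim = root / "VirtualStore" / "System32" / "example.tmp"   # constructed
    victim.parent.mkdir(parents=True)
    victim.write_bytes(b"constructed sample content")
    host = root / "Limewire" / "song.mp3"                         # constructed
    host.parent.mkdir(parents=True)
    host.write_bytes(b"ID3 constructed sample")
    missing = root / "Limewire" / "gone.mp3"                      # never created
    move_list = f"[kill explorer]\n{victim}\n{host}/Setup.exe\n{missing}\npurity\n[start explorer]\n"
    results = quarantine(parse_move_list(move_list),
                         root / "_Quarantine" / "MovedFiles",
                         root / "_Quarantine" / "move.log")
    return results, victim, host, missing, root


if __name__ == "__main__":
    for target, outcome in demo()[0].items():
        print(f"{outcome:<60} {target}")
```

    The "inside-container" outcome is the case to watch for when pasting scanner output into a move list: the scanner is naming a member of the `.mp3` file, and the operator has to decide whether to quarantine the whole host file, which is what the script in post 14 effectively asks for.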
  16. kritius

    kritius TechSpot Guru Posts: 2,087

    Can you run DSS again and I'll have a look.
  17. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Here is the DSS scan

    Here is the DSS scan. There is no extra.txt, at least for this scan, even in the Deckard directory.
  18. kritius

    kritius TechSpot Guru Posts: 2,087

    That's clean enough apart from the P2P stuff.

    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Attach it here.
     
  19. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Uninstall list

    Here is the uninstall list.
  20. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    As far as Documents and Settings, I have always chosen not to "show hidden files and folders" in the Folder Options box.

    This computer of my daughter's is the only computer where I cannot get to "Documents and Settings".
  21. kritius

    kritius TechSpot Guru Posts: 2,087

    Java(TM) 6 Update 3
    Viewpoint Media Player

    Just the two things to uninstall. I'll look over the log properly tomorrow, pretty tired now.
  22. glhglh

    glhglh TechSpot Maniac Topic Starter Posts: 387

    Are we done with this computer?

    Are we done with this computer?

    Just checking if we are done and I can give this back to my daughter.

    Also, I want to check my computers. Can I send a log on the two computers I use the most? And if so, which log is the best to send?

    Also, thank you for all of your help.