I am running an Avast scan and under current scanner status it says… infected. What does that mean…??? :-[ Am I in trouble yet again!
Thanks
Sasy
This is what has come up on my avast scan
c:\documents and settings\hp-owner\desktop\internetgamebox
name: Win32:Agent-ROU[trj]
c:\suspect\eighties classic[grandmas].wma
name: Win32:WimAD-1[trj]
c:\suspect\rare recording.wma
name: Win32:WimAD-1[trj]
c:\suspect\wicked remix.wma
name: Win32:WimAD-1[trj]
c:\systemvolume information_restore{DDE3EB95-4B24-44D8-AD
name: Win32:Agent-ROU[trj]
In addition to that there were, I’m not sure even how many, files that came back unable to scan!
Thanks Susie
Hi. I have no idea what those files are, other than some type of media, songs perhaps. Check them at VirusTotal. Did you create the folder “suspect” when previously checking files?
Please submit these files for analysis
To submit a file to VirusTotal, please click on this link,
copy and paste the following into the upload a file box (one at a time if more than one file is listed)
c:\documents and settings\hp-owner\desktop\internetgamebox
c:\suspect\eighties classic[grandmas].wma
c:\suspect\rare recording.wma
c:\suspect\wicked remix.wma
scroll down a bit and click “send file”, wait for the results and post them in your next reply.
I also ran an SAS scan but for some reason it didn’t give me a log at the end to post here for you. It found 2 trojans as well, and it had many, many files that it was unable to scan.
Susie
OK, test those files at VirusTotal and then we’ll have a peek inside.
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt
“0 bytes size received / Se ha recibido un archivo vacio” (an empty file was received) is what VirusTotal came up with… did I do something wrong? I dropped them one by one into the upload window and each file came up with that response!
Ok, You did it right. I would say you have some bad guys. Go ahead with the DSS.
It just means the current status of that scan is infected, as it detected malware (and I assume you dealt with it by sending it to the chest). If you restart the Simple User Interface again you won’t see infected; it is just an indication that something was detected on that particular scan.
I ran the DSS scan and will post the results… I thought you might like to know why I ran the Avast scan to begin with… yesterday when I had to restart my computer, when it came back on it was on a different login page than usually comes up when I start my computer, and when I would double-click on my Internet Explorer a different page came up there as well. I ran the Avast scan and sent all 5 viruses to the chest… when I restarted after that it was back to normal, but it has left me wondering… so that is why I’m here… and it worries me too when my Avast and the SAS scan have several files they tell me they can’t scan… is that normal? Well, I’ll attach the DSS log here and get back here after I get home from work…
Many Thanks as always
Susie
It looks like whatever you had is gone. From your description it seems like it was a possible homepage hijacking. You can guard against this with SAS. Open SAS, click the Preferences button, click the Hijack Protection tab. Ensure your homepage is in the box and check both boxes.
Check the Avast log for the reason why the files can’t be scanned. You should be able to see the file name and path along with the reason. Avast can’t scan other security programs’ quarantined files. That message will be “password protected”.
Open avast, from the menu, select last scan results.
The same holds true for SAS, though I’ve never seen anything in the logs. It may appear on the screen during a scan, but I’ve never watched it scan.
So, if no problems, you can clean up and update.
- Please download OTMoveIt2 by OldTimer.
Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.
- Create a new restore point
You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create
- Remove old restore points
- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
- Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 5…allows end-users to run Java applications”.
Click the download button on the right.
If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.
You do not have to install the Java Web Start ActiveX Control
Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.
When the download is complete, Open Control Panel > Add/Remove Programs:
Uninstall anything that says Sun Java, Java JRE, or similar.
Close Add/Remove Programs.
In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.
Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
Reboot your computer.
Double-click on the saved file to install the update.
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
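An added example, not code from the thread or from SAS/Avast: Internet Explorer stores the start page in the registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, value name "Start Page", which is what a homepage hijacker rewrites. Exporting that key (`reg export "HKCU\Software\Microsoft\Internet Explorer\Main" main.reg`) and comparing the value against the page you actually set is a way to confirm a hijack independently of what SAS's Hijack Protection shows, and to re-check after every reboot. The script parses such an export; the embedded export is constructed to mirror the thread's two URLs, and the expected URL and the file name main.reg are assumptions.

```python
"""Check Internet Explorer's start page for a hijack by parsing a .reg export of
HKCU\\Software\\Microsoft\\Internet Explorer\\Main.

Added example, not code from the thread. Export the key on the machine with
    reg export "HKCU\\Software\\Microsoft\\Internet Explorer\\Main" main.reg
reg.exe writes the file as UTF-16, so read it with open(path, encoding="utf-16").
The SAMPLE_REG text below is a constructed stand-in for that export."""
import re
from urllib.parse import urlsplit

# The page the user actually set (the MSN home page from the thread).
EXPECTED_START_PAGE = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

# Constructed sample of what `reg export` produces for a hijacked profile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://login.live.com/login.srf?wa=wsignin1.0&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
'''

IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " inside REG_SZ strings."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}. REG_SZ values ("..." form) are
    unescaped; other types (dword:, hex:) are kept as their raw text."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            tree[current][name] = data
    return tree


def check_start_page(reg_text, expected=EXPECTED_START_PAGE):
    """Compare the exported Start Page with the one you set.
    Returns (ok, actual_value, reason)."""
    actual = parse_reg(reg_text).get(IE_MAIN_KEY, {}).get("Start Page")
    if actual is None:
        return False, None, "no Start Page value in export"
    if actual == expected:
        return True, actual, "matches"
    # A different host is the classic hijack signature; same host but a
    # different path is worth a look too (e.g. an added tracking parameter).
    if urlsplit(actual).hostname != urlsplit(expected).hostname:
        return False, actual, "start page points at a different host"
    return False, actual, "same host, different page"


if __name__ == "__main__":
    ok, actual, reason = check_start_page(SAMPLE_REG)
    print("OK" if ok else "HIJACKED?", reason)
    print("  Start Page =", actual)
```

Run it once right after setting the homepage and again after the next reboot; if the value changes between the two runs while SAS reports nothing, whatever is rewriting it is doing so at startup, which is where the next look (Run keys, scheduled tasks, browser helper objects) belongs.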
OK, good idea about going into SAS to protect my homepage… because when I just now went in to do it, my home page was changed again! Same as yesterday… but now I did the steps you told me to do in SAS preferences and it’s back to the one I normally use.
Now to do the rest of what you told me to do…
Thanks so much Oldman!
Sasy
Ugh, this is so crazy… I did go to SAS and followed your directions; this is what they had as my home page, http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome, which is the one I have used forever… and that is the one that would come up each and every time I clicked on my Internet Explorer on my desktop… I did make sure it was the right page and then I made sure both boxes were checked… I tested it and sure enough when I clicked the Internet Explorer that page came up… Now I just went back to open a page… and it’s back to the page I have never used… it keeps taking me to this page http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1204752545&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
It’s confusing me, and I’m not sure why that would be happening if I didn’t have something going on with my computer… let me know what your thoughts are on that… I’ll wait to clean things up till I hear back.
Thanks
Susie
Hi sasysusie,
Probably it is a Windows Media Video file that exploits Windows vulnerabilities inside IE.
http://www.sophos.com/security/analyses/viruses-and-spyware/trojwimada.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojwimadb.html
Look in C:\documents and settings\shared
polonus
OK, I’ll try to check that out… if I can understand all that. I really need to be way more computer literate; that would help, I’m sure!! Sometimes it opens to the right window and sometimes it does not. Thank you for the tip.
Sasy
I’m not saying you aren’t having problems, but I don’t see anything in the logs.
If you didn’t create the folder c:\suspect , then something else did.
So we’ll have a peek inside.
Copy and paste the following text into a new Notepad:
Dir c:\suspect >> ndis.txt
Start ndis.txt
Click File, click Save As. Set it to save in Desktop. Name the file (including the quotation marks) "seek.bat".
Click save.
You should now have an icon like the image below. Double-click it and post the contents of the Notepad that will pop up.
Also check in Comodo and see if something out of the usual is connecting.
Pol, you see anything in the DSS log?
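An added example, not the thread's own seek.bat: the same listing of the suspect folder as a Python script that also records each file's size and SHA-256 hash. This serves the two steps above, the earlier VirusTotal submission and this directory listing: a hash can be looked up at VirusTotal without uploading the file at all, and a zero-byte file is flagged explicitly because an empty file is exactly what VirusTotal's "0 bytes size received / Se ha recibido un archivo vacio" response reports. The folder and the two files in it are constructed stand-ins for c:\suspect, not the user's real files.

```python
"""Triage a folder of suspect files: the `dir` output seek.bat produces, plus
size, SHA-256 and an explicit empty-file flag per file.

Added example, not from the thread. The folder and files are constructed
stand-ins for c:\\suspect (build_sample_folder); point triage_dir at the real
folder to use it."""
import hashlib
import os
import tempfile
from datetime import datetime


def sha256_file(path, chunk=65536):
    """Hash in chunks so a multi-megabyte installer does not get read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_dir(folder):
    """Return one record per regular file in `folder`, sorted by name.

    `empty` is True for a 0-byte file: VirusTotal rejects those, and a 0-byte
    sample usually means the original content was never actually recovered
    (e.g. a chest restore or copy that did not complete)."""
    records = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue  # subfolders are not samples; dir's "." and ".." lines are not listed by os.listdir either
        st = os.stat(path)
        records.append({
            "name": name,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime).strftime("%m/%d/%Y %I:%M %p"),
            "sha256": sha256_file(path),
            "empty": st.st_size == 0,
        })
    return records


def build_sample_folder():
    """Constructed stand-in for c:\\suspect: one empty .wma (what an '0 bytes
    received' upload looks like on disk) and one non-empty .exe with fake content."""
    folder = tempfile.mkdtemp(prefix="suspect_")
    with open(os.path.join(folder, "rare recording.wma"), "wb"):
        pass  # deliberately 0 bytes
    with open(os.path.join(folder, "LimeWireWin4.16.1.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"not a real installer")  # 84 bytes, not a real PE
    return folder


if __name__ == "__main__":
    for r in triage_dir(build_sample_folder()):
        flag = "  <-- 0 bytes, VirusTotal will reject this" if r["empty"] else ""
        print(f'{r["mtime"]} {r["size"]:>12,} {r["name"]}{flag}')
        print(f'    sha256 {r["sha256"]}')
```

Searching VirusTotal for the printed SHA-256 tells you whether anyone has already submitted that exact file; only if there is no match does an upload add anything, and an empty file will never match anything useful.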
Some time ago I believe I suggested sasysusie create a suspect folder; perhaps sasysusie hasn’t emptied it after confirmation at VT. This folder should also have been excluded from Avast scans, so she could upload suspect files to VirusTotal, etc. This way they aren’t in the original location when extracted from the chest.
Thanks DavidR for the explanation of the folder. Any thoughts on this?
here is the contents of the notepad
 Volume in drive C is HP_PAVILION
 Volume Serial Number is D43D-86F2

 Directory of c:\suspect

03/04/2008  07:22 PM    <DIR>          .
03/04/2008  07:22 PM    <DIR>          ..
01/30/2008  07:11 PM         4,494,360 T-4494360-LimeWireWin4.16.1.exe
               1 File(s)      4,494,360 bytes
               2 Dir(s)  51,314,032,640 bytes free
Also I am seeing something I don’t recall seeing in my Comodo before.
Shoot, it was just there and when I went back to get the name for you it was gone… hmmmm! It’s like it knew I was coming to get it! grrr!
If I see it again ill send it on to you.
Thank you all for your help once again!
Hugs
Sasy
DavidR mentioned he had you make that folder to test some files. You can delete the whole folder and empty the recycle bin.
Like I said, I don’t see anything of note in the DSS log. If you can track down that file name in Comodo, it may point us in this critter’s direction.
Maybe opening some new pages might bring it to view? Does Comodo have a logging feature that will allow you to review internet activity history over a time frame?
At times I think I’m just too hard to help :-\ sorry. I’m not sure if I ever did create that folder or not… my older “not old” brain does not always remember all of this… if I did, where would I look for the suspect file… sorry I’m sooo exasperating!
Thanks Sasy
PS: Is there any way other than what we did to get my old home page back?