Not sure if this is a problem or not...

I have avast! 4.8 professional edition installed. I’ve recently noticed my machine has been much slower than usual, especially in regards to internet usage. I am running Windows XP and my machine is up to date with all of the latest updates. I installed Spybot and it detected over 32 spyware/malware problems which I had Spybot deal with. After running Spybot, I had Avast run a thorough scan of my entire computer. Avast did detect one virus which was listed as a Win32:Trojan-gen {Other}. I moved the infected file to the Virus Chest and then deleted it. I then had Avast run another thorough scan of my entire computer. Here is the scan report from avast!.

  • avast! Report
  • This file is generated automatically
  • Task ‘Simple user interface’ used
  • Started on Sunday, April 05, 2009 11:18:36 AM
  • VPS: 090405-0, 04/05/2009

C:\WINDOWS\Temp\Perflib_Perfdata_5e0.dat [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\Perflib_Perfdata_d94.dat [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\CmnIds.vbs [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\arrow_right.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\btn_signup_52x20.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\more_info.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\sidetable_bottom.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\sidetable_bottom_red.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\sidetable_top.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\sidetable_top_red.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\transpix.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\watermark_mys_150x130.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\oemcfg.vbs [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\OEMIds.vbs [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\valert.htm [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\valert_old.htm [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\hs~valert.htm [E] Archive is password protected. (42056)
C:\WINDOWS\Temp_avast4_\Webshlock.txt [E] The process cannot access the file because it is being used by another process (32)
Infected files: 0
Total files: 20
Total folders: 12
Total size: 149.3 KB

  • Task stopped: Sunday, April 05, 2009 11:18:36 AM
  • Run-time was 0 second(s)

When I first ran the scan, I did not have the scan report option turned on, so the above report is from another scan that I ran on my C:\Windows\temp directory only. The original scan report was basically the same.

The item I am concerned about is all of the references to valert[1].ui. Does anyone know if this is a virus that I need to remove? If so, what steps do I take to remove it since Avast is not able to scan the files?

Thanks for your help - Kim

I would be more interested in what S&D found: file name, location and malware name?

I haven’t the slightest idea what the valert[1].ui is, but my friend Google might, http://community.mcafee.com/archive/index.php/t-161716.html.

This link is indicating this is related to McAfee, so what was your previous AV?
If, as I suspect, you need to uninstall it and make sure all remnants are gone, I will go into that when you report that it was McAfee you used before.

But all that is being reported is that it can’t be scanned (not that it is infected) as the archive is password protected.
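The distinction made in the reply above (files the scanner could not open versus files it found infected) can be checked mechanically. This is an added example, not part of any post in the thread: it parses `[E]` lines in the shape shown in the posted report, groups them by the trailing code (32 and 42056 as they appear there), and reads the `Infected files:` summary. The function names and the sample text are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines in the same shape as the report quoted in the thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\Temp\Perflib_Perfdata_5e0.dat [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\CmnIds.vbs [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\images\transpix.gif [E] Archive is password protected. (42056)
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTI3GDA3\valert[1].ui\valert.htm [E] Archive is password protected. (42056)
C:\WINDOWS\Temp_avast4_\Webshlock.txt [E] The process cannot access the file because it is being used by another process (32)
Infected files: 0
Total files: 20
"""

ERROR_RE = re.compile(r"^(?P<path>.+?) \[E\] (?P<msg>.+) \((?P<code>\d+)\)$")
INFECTED_RE = re.compile(r"^Infected files: (?P<n>\d+)$")

def triage(report):
    """Split a report into scan errors (grouped by code) and the infected count."""
    errors = defaultdict(list)   # code -> [(path, message), ...]
    infected = None              # stays None if the summary line is missing
    for line in report.splitlines():
        line = line.strip()
        m = ERROR_RE.match(line)
        if m:
            errors[int(m["code"])].append((m["path"], m["msg"]))
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected = int(m["n"])
    return dict(errors), infected

def unscanned_archive(errors, code=42056):
    """Collapse per-member 'password protected' errors to their common container.
    Assumes all entries belong to one archive and at least two members are listed."""
    paths = [p for p, _ in errors.get(code, [])]
    return ntpath.commonpath(paths) if paths else None

if __name__ == "__main__":
    errors, infected = triage(SAMPLE_REPORT)
    print("infected files reported:", infected)
    for code, items in sorted(errors.items()):
        print(f"code {code}: {len(items)} file(s) skipped - {items[0][1]}")
    print("archive not inspected:", unscanned_archive(errors))
```

An infected count of 0 alongside skipped entries means those files were not inspected, not that they were cleared.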

When I purchased the computer from Dell (3 years ago now), it came with a trial version of McAfee 7.0. I uninstalled it and installed Avast instead.

Here is the log file from S&D after I had it fix everything (mostly tracking cookies):

— Report generated: 2009-04-03 22:11 —

CoolWWWSearch.Svchost32: [SBI $7C91BE16] Autorun settings (SVCHOST.EXE) (Registry value, fixed)
HKEY_USERS\S-1-5-21-3504013680-3450057429-3224357512-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST.EXE

Fraud.VirusDoctor: [SBI $5920B6C3] Downloaded program file (File, fixed)
C:\Documents and Settings\Kimberly\Local Settings\Temp\killti.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

MediaPlex: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

Right Media: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

DoubleClick: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

CasaleMedia: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

Statcounter: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

Tradedoubler: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

Adviva: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

BurstMedia: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

MediaPlex: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

FastClick: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitsLink: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

CoreMetrics: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

Clickbank: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

BlueStreak: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

WebTrends live: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

Zedo: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

DirectTrack: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

HitBox: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

LinkSynergy: [SBI $E260DC63] Tracking cookie (Internet Explorer: Kimberly) (Cookie, fixed)

— Spybot - Search & Destroy version: 1.6.2 (build: 20090126) —

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-04-03 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi ()
2009-03-25 Includes\AdwareC.sbi ()
2009-01-22 Includes\Cookies.sbi ()
2009-03-31 Includes\Dialer.sbi ()
2009-03-25 Includes\DialerC.sbi ()
2009-01-22 Includes\HeavyDuty.sbi ()
2009-02-10 Includes\Hijackers.sbi ()
2009-03-03 Includes\HijackersC.sbi ()
2009-03-17 Includes\Keyloggers.sbi ()
2009-03-17 Includes\KeyloggersC.sbi ()
2004-11-29 Includes\LSP.sbi ()
2009-03-25 Includes\Malware.sbi ()
2009-03-31 Includes\MalwareC.sbi ()
2009-03-25 Includes\PUPS.sbi ()
2009-03-31 Includes\PUPSC.sbi ()
2009-01-22 Includes\Revision.sbi ()
2009-01-13 Includes\Security.sbi ()
2009-03-23 Includes\SecurityC.sbi ()
2008-06-03 Includes\Spybots.sbi ()
2008-06-03 Includes\SpybotsC.sbi ()
2009-01-28 Includes\Spyware.sbi ()
2009-01-28 Includes\SpywareC.sbi ()
2009-03-25 Includes\Tracks.uti
2009-03-30 Includes\Trojans.sbi ()
2009-03-31 Includes\TrojansC.sbi ()
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Tracking cookies are a minor pain in the rear and aren’t a security issue, so no big deal there; avast doesn’t look for tracking cookies. Block third party cookies in your browser and periodically clear cookies.

I would also suggest that you periodically clear your temporary internet files.

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525

I ran the McAfee uninstall tools and saw from the log file that it did find some stuff to delete. I also deleted everything in my C:\Windows\Temp\Temporary Internet Files\ folder (which included the valert[1].ui archive file). I’ve also now blocked all third party cookies in IE.

Thanks very much for your help - Kim

No problem, glad I could help.

Welcome to the forums.

Hi:

Since one of Spybot’s “Detections” was a “Fraud.VirusDoctor”, it would be wise to see IF there MAY be other “Fraud(s)” on your computer undetected by Spybot by using Malwarebytes’ Anti-Malware (www.malwarebytes.org/mbam.php), which comes in a FREE Version and is the Top “Fraud Detector” nowadays. Most experienced, certified, Volunteer “Malware Removal Specialist(s)” recommend the Malwarebytes program over Spybot nowadays.