Virus?

[evilfantasy]

Go to Start > Run and type Notepad.exe then click OK.

Copy and paste the following text within the code box into the new Notepad file.

Code: [Select]

@ECHO OFF
net stop winmgmt
cd /d %windir%\system32\wbem
ren repository repository.old
net start winmgmt
exit
In Notepad select File and Save as
Choose the Save to location to be the Desktop and for the File name: type in fixsecurity.bat making sure that the Save as type field says All files.

Next double click fixsecurity.bat to run it.
A black box should open and close after a short time, this is normal.
Do not continue until the black box has closed
Delete fixservice.bat from the Desktop.

----------

Also let me know how the computer is running now.

.

[TriciaM]

Prior to completing the last task, the TrueVector, Tacore, and google chrome messages (I cannot remember if I told you about this one or not.) were still coming up.  I don't think google chrome is a threat....but it was just trying to gain access to my computer to update. 

I think I deleted the MSN programs (again, I may be using the wrong term) that deal with being able to send out emails to MSN addresses, by mistake. I went to respond to an email that was sent to me from a MSN address, and it got sent back to me, rejected by Hotmail.

Anyway, this morning I called Earthlink to inquire about the Total Access messages. They supposedly removed that.  I did a search of my system for total access last night and came up with TONS of their files (I may be using the wrong term there.), even though we do not have Earthlink.  Must be remnants of when we did....Also some of those files were associated with Taxcut.

Thanks for all your help.......I really appreciate it. 

[TriciaM]

Well.....I just got another Truevector message. At the time, I was on a City's website (goverment).

C:\Docume~1\TRICIA~1\LOCALS~1\Temp\WERbd44.dir00\vsmon.exe.mdmp

same as above.................................. ..................................\appcompat.txt

Also got this off of the error message :       BEX - Event type
                                                                    vsmon.exe

[evilfantasy]

even though we do not have Earthlink.

Go to Add or Remove Programs and uninstall:

• EarthLink Accelerator
• EarthLink Common Authentication
• EarthLink MailBox
• EarthLink Wireless High Speed

.
----------

TrueVector is indeed part of the Zone Alarm software. VSMON.exe is also part of the same process.

Have you updated Zone Alarm lately?

[TriciaM]

I've looked for those applications, and they are not under the control panel/install uninstall.  I'm thinking that those are the applications that Earthlink told me that they uninstalled this morning.....

[evilfantasy]

How about Zone Alarm. are you still getting the errors from it?

[TriciaM]

Yes, the True Vector is still doing it's thing.  "True Vector must shut down".

Total Access or Tacore is still coming up, not wanting to be closed out. Saying that I am doing something invalid.

Having a hard time loading....slow...thought it was ok yesterday...

[evilfantasy]

Can you try reinstalling Zone Alarm?

You might also try their support site. http://www.zonealarm.com/security/en-us/support/zonealarm-customer-service.htm

We need to finish up with the malware cleaning also.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

[TriciaM]

I got the warning of :  "it is not safe to continue, Combofix was compromised. You may be infected by the virus "VIRUT".

[evilfantasy]

ComboFix told you that?

[TriciaM]

It looks like a blue/grey box...with just "error" in the blue part on the top and told me to go to Bleeping Computer ? to download the new combofix. I have not even touched or closed out that window, for fear it is a virus...

[evilfantasy]

Delete the copy of ComboFix on your desktop.

Now download the new version to your desktop. http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Don't run it but instead use the combofix /u command.

[TriciaM]

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\evhbbweu.ini.vir   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mxrqrqwp.ini.vir   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1748\A0197294.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1754\A0201434.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1754\A0201435.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined

[evilfantasy]

OK that looks fine.

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

How is the computer running now?

[TriciaM]

Seems to be ok now.  I was blocking all cookies and pop ups on my Zone Alarm, which was causing the True Vector errors.  They told me to turn those filters off.

The OSI is still going, although it is telling me that there is a problem with Java Applet.