Need help figuring out a virus situation

Discussion in 'Tech Talk' started by NRA_guy, Nov 27, 2006.

  1. NRA_guy

    NRA_guy Unreconstructed

    Messages:
    1,706
    Likes Received:
    1
    Joined:
    Jun 20, 2004
    Location:
    Mississippi, CSA
    I run Symantec Corporate Edition antivirus. Part of that is something called "Realtime".

    I also run Ad-Aware and Spybot and ZoneAlarm religiously.

    Of late, Realtime has been finding viruses. They are always in my TEMP folder and always ".exe" files. They are always the "Downloader" virus.

    Realtime always quarantines them, but I am wondering what's up.

    Regular Symantec scans never find anything---even booted in safe mode. I have also run some of those on-line scans with no findings.

    I also run Windows 2000 with the latest Service Pack and Internet Explorer 6.0 with the latest Service Pack.

    Here is what is in my quarantine now. I deleted the first 3 from quarantine before I started saving them.

    I have researched the Downloader virus at Symantec. Their advice (quoted below) is totally useless (does not work).
    ----------------------------------------------------
    Date        Time   Filename       Virus Name   Status
    11/17/2006  7:48   qitvaxqo.exe   Downloader   Infected
    11/18/2006  8:18   ctmguhod.exe   Downloader   Infected
    11/19/2006  7:48   ecxviyyf.exe   Downloader   Infected
    11/20/2006  7:48   kwbtquav.exe   Downloader   Infected
    11/21/2006  7:53   tebkknvt.exe   Downloader   Infected
    11/21/2006  7:53   aeavxqgn.exe   Downloader   Infected
    11/22/2006  7:54   ifqkhivj.exe   Downloader   Infected
    11/23/2006  7:54   dumetect.exe   Downloader   Infected
    11/23/2006  15:36  lhobhtif.exe   Downloader   Infected
    11/24/2006  21:20  ogvycjta.exe   Downloader   Infected
    11/25/2006  19:13  hdudtsmg.exe   Downloader   Infected
    11/25/2006  19:50  rjxclnqn.exe   Downloader   Infected
    11/26/2006  19:14  lsthogny.exe   Downloader   Infected
    ----------------------------------------------------
    Any insight would be appreciated.

    Here is Symantec's removal advice:

     
  2. IndyGunFreak

    IndyGunFreak

    Messages:
    26,839
    Likes Received:
    2,204
    Joined:
    Jan 26, 2001
    Location:
    Indiana
    Reboot into Safe Mode, run your virus software from there, and ALWAYS delete, don't quarantine...

    IGF
     

  3. NRA_guy

    NRA_guy Unreconstructed

    Messages:
    1,706
    Likes Received:
    1
    Joined:
    Jun 20, 2004
    Location:
    Mississippi, CSA
    Thanks.

    I have done that about 50 times.

    You see, something is putting the infected files in my TEMP folder.

    Removing the infected files is not the solution.

    And the infected file name in my TEMP folder is always a different name, and never a file name that can be found by Google.

    The safe mode scan never, ever finds a problem.

    I suspect that some software (possibly some web site being visited) is putting the infected files in my TEMP folder.

    Of late, I have reset IE to empty my TEMP folder every time I exit IE. But that only deletes the files at the end of IE sessions. And even then, not all files seem to be deleted from my TEMP folder.

    OK. Maybe I just need to let Symantec delete them (not quarantine them) and suppress the user notice when it finds one. That way I won't even know they were ever there.

    Thanks.
     
  4. Washington D.C.

    Washington D.C.

    Messages:
    5,218
    Likes Received:
    1
    Joined:
    Oct 13, 2003
    Location:
    Woestyn Kusdorp
    Explorer is a huge risk. Use Firefox. The best malware scanners are AVG AntiSpy and A-Squared. I find AVG anti virus has better detection than Norton, but don't install both anti virus programs at the same time.

    Firefox 2.0

    http://majorgeeks.com/Mozilla_Firefox_d2248.html

    AVG AntiSpyware

    http://majorgeeks.com/AVG_Anti-Spyware_d5287.html

    A-Squared

    http://majorgeeks.com/a-squared_a%B2_Free_edition_d4281.html

    AVG anti virus(uninstall Norton if you use this one)

    http://majorgeeks.com/AVG_Free_Edition_d886.html

    To properly uninstall Norton

    http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

    Extremely useful program

    http://www.majorgeeks.com/Advanced_WindowsCare_v2_Personal_d4991.html


    To clean up Java and update to the safest version, uninstall all Java programs listed in Add/Remove Programs and run the MS Java uninstaller program afterwards

    http://www.majorgeeks.com/MSJVM_Removal_Tool_d4158.html

    then install latest Java program

    http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html
     
  5. Washington D.C.

    Washington D.C.

    Messages:
    5,218
    Likes Received:
    1
    Joined:
    Oct 13, 2003
    Location:
    Woestyn Kusdorp
    Another good one to have

    http://www.majorgeeks.com/AVG_Anti-Rootkit_d5249.html


    and AVG Anti Spyware finds everything Adaware and Spybot find and MORE.

    http://www.majorgeeks.com/AVG_Anti-Spyware_d5287.html

    I use it in place of those two now.


    Advanced Windows Care and/or Ccleaner will clean up a lot of things.

    http://www.majorgeeks.com/AVG_Anti-Spyware_d5287.html

    Ccleaner with Yahoo toolbar includes Norton AntiSpy which is one of the better ones.

    SpywareBlaster will protect against many things but AWC seems to do about the same.

    http://www.majorgeeks.com/SpywareBlaster_d2859.html
     
  6. NRA_guy

    NRA_guy Unreconstructed

    Messages:
    1,706
    Likes Received:
    1
    Joined:
    Jun 20, 2004
    Location:
    Mississippi, CSA
    Many thanks, Washington, D.C.

    Some very good info you have there. And I always prefer advice based upon experience, rather than theory. Sounds like you have tried them all.

    Any idea what might be saving garbage files to my TEMP folder?

    I.e., would it be:

    a. Something on my machine (don't see how that could be the source and not get detected by some of the stuff I have run) or

    b. Some web site I am visiting daily (My wife uses the same PC; so I am not 100% sure where she surfs, but we don't go to those porn sites. She does do Yahoo IM some with her friends.) or

    c. Some web site that is just hacking my PC and getting past my firewalls (don't think that would be happening with so much regularity).

    It all started when a "friend" came over and used my PC (unsupervised) a couple of weeks ago. Not a good idea.

    One should take the name "Personal Computer" very literally---with major emphasis upon the "Personal" part.
     
  7. David_G17

    David_G17 /\/\/\/\/\/\/\/

    Messages:
    2,046
    Likes Received:
    6
    Joined:
    Oct 7, 2002
    try running this:
    ftp://ftp.f-secure.com/anti-virus/tools/fsnimda3.exe

    (1.4MB)

    eta: all of the file names are 8 characters + suffix.

    open regedit and go to

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    if any of the programs listed in the right pane don't come up in a Google search, they may be part of the virus.
     
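Added example, not part of the thread and not a Symantec or Microsoft tool: a small Python triage script that turns the three observations above into checks. It takes the 13 quarantine rows from the first post (copied into QUARANTINE_LOG), David_G17's note that every name is 8 letters plus a suffix, and his suggestion to look at the HKLM Run key. The name-shape heuristic (its scoring rules and the threshold of 3), the timing histogram, the temp-directory test and the SAMPLE_RUN_ENTRIES dictionary with its paths are all my own assumptions for illustration; read_run_key() does a live read of the Run key only when it runs on Windows and is skipped elsewhere, so everything else works offline.

```python
"""Triage helper for the symptom in this thread: random-looking 8-letter .exe
files dropped into %TEMP% and flagged as "Downloader". Three offline checks (name
shape, timing cadence, autorun audit) plus an optional Windows-only Run key read."""
import re
from collections import Counter

# Quarantine table from the first post (constructed copy of the posted data).
QUARANTINE_LOG = """\
11/17/2006 7:48 qitvaxqo.exe Downloader Infected
11/18/2006 8:18 ctmguhod.exe Downloader Infected
11/19/2006 7:48 ecxviyyf.exe Downloader Infected
11/20/2006 7:48 kwbtquav.exe Downloader Infected
11/21/2006 7:53 tebkknvt.exe Downloader Infected
11/21/2006 7:53 aeavxqgn.exe Downloader Infected
11/22/2006 7:54 ifqkhivj.exe Downloader Infected
11/23/2006 7:54 dumetect.exe Downloader Infected
11/23/2006 15:36 lhobhtif.exe Downloader Infected
11/24/2006 21:20 ogvycjta.exe Downloader Infected
11/25/2006 19:13 hdudtsmg.exe Downloader Infected
11/25/2006 19:50 rjxclnqn.exe Downloader Infected
11/26/2006 19:14 lsthogny.exe Downloader Infected
"""

# Made-up Run values (assumed names and paths, not from the thread) so the audit runs offline.
SAMPLE_RUN_ENTRIES = {
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /background',
    "ifqkhivj": r"C:\DOCUME~1\Owner\LOCALS~1\Temp\ifqkhivj.exe",
}

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}")  # y is treated as a consonant

def parse_quarantine_log(text):
    """One dict per row; lines without the five columns are skipped."""
    cols = ("date", "time", "filename", "threat", "status")
    return [dict(zip(cols, p)) for p in (line.split() for line in text.splitlines()) if len(p) == 5]

def name_score(filename):
    """Heuristic: how machine-generated does the basename look? (>= 3 is 'suspicious')"""
    base = filename.lower().rsplit(".", 1)[0]
    score = 1 if re.fullmatch(r"[a-z]{8}", base) else 0   # exact shape seen in the thread
    letters = [c for c in base if c.isalpha()]
    if letters:
        ratio = sum(c in VOWELS for c in letters) / len(letters)
        if ratio <= 0.25 or ratio >= 0.6:                  # unpronounceable either way
            score += 2
    if CONSONANT_RUN.search(base):                         # four or more consonants in a row
        score += 2
    if re.search(r"q(?!u)", base):                         # q without u: rare in real names
        score += 2
    return score

def suspicious_names(rows, threshold=3):
    return [r["filename"] for r in rows if name_score(r["filename"]) >= threshold]

def cadence(rows):
    """How many distinct days the drops span, and a histogram of the hour of day."""
    by_hour = Counter(int(r["time"].split(":")[0]) for r in rows)
    return {"days": len({r["date"] for r in rows}), "by_hour": dict(by_hour)}

def exe_from_command(cmd):
    """Executable path from a Run value: quoted path, else first token ending in .exe."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(\S+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def audit_run_entries(entries):
    """{value name: [reasons]} for autorun entries that deserve a second look."""
    findings = {}
    for name, cmd in entries.items():
        path = exe_from_command(cmd)
        why = []
        if re.search(r"\\(temp|tmp)\\", path, re.IGNORECASE):
            why.append("launches from a temp directory")
        score = name_score(path.split("\\")[-1])
        if score >= 3:
            why.append("executable name looks machine-generated (score %d)" % score)
        if why:
            findings[name] = why
    return findings

def read_run_key():
    """Live read of HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; {} off Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):     # [1] is the number of values
            name, value, _ = winreg.EnumValue(key, i)
            entries[name] = str(value)
    return entries

if __name__ == "__main__":
    rows = parse_quarantine_log(QUARANTINE_LOG)
    print("random-looking names:", suspicious_names(rows))
    print("cadence:", cadence(rows))
    for name, why in audit_run_entries(read_run_key() or SAMPLE_RUN_ENTRIES).items():
        print("Run value %r: %s" % (name, "; ".join(why)))
```

On the posted list the name score flags 12 of the 13 files; dumetect.exe reads like a word and slips through, and a legitimate short system name such as svchost.exe scores 4, so the score is a prioritisation aid to combine with where the file lives and what launches it, not a verdict on its own. The cadence histogram puts 7 of the 13 detections in the 07:00 hour on consecutive days, which is worth checking against what starts with the machine or on a schedule before blaming a particular website.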
  8. David_G17

    David_G17 /\/\/\/\/\/\/\/

    Messages:
    2,046
    Likes Received:
    6
    Joined:
    Oct 7, 2002
    it wouldn't be the first time that I've seen Norton Corporate remove the files that a virus creates, but not the original virus itself.

    in fact, it'd be the third time.
     
  9. grokdesigns

    grokdesigns

    Messages:
    507
    Likes Received:
    0
    Joined:
    Dec 23, 2004
  10. NRA_guy

    NRA_guy Unreconstructed

    Messages:
    1,706
    Likes Received:
    1
    Joined:
    Jun 20, 2004
    Location:
    Mississippi, CSA
    Thanks all.

    David_G17 - my "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" looks OK. And I ran the file in safe mode, but it did not find the nimda worm.

    But right now, after I set Norton to just delete them (thanks Indygunfreak) and not quarantine or even notify me, no more infected files have shown up in the Norton virus history.

    That's 3 days now I have had no new virus discoveries by Norton's REALTIME. From 11/18/06 to 11/26/06 it was finding 1 or 2 every day.

    (I suspect that Yahoo IM is the culprit; the other PC user has not been doing Yahoo IM lately.)

    Grokdesigns - If it returns, I will go the HIJACKTHIS route.

    PS: I use Firefox portable, but I have to keep IE on the machine.