
Thread: unknown malware

  1. #11
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    That log looks fine

    Let's pull out a big gun so to speak

    Run it while in safe mode

    MicroWorld - Free AntiVirus standalone scanner
    Download/save mwav.exe http://www.mwti.net/antivirus/free_utilities.asp
    Run mwav.exe, which will start mwavscan.com. Select all files and press scan; when it is completed, view the log,
    but here is the catch: since the log is so large, we only need to see the lines with "action taken" in them.
    It will only report but is very thorough. *Don't* post sections if they are in antimalware backups,
    Quarantine or Restore folders, or in C:\System Volume Information or C:\_restore folders.
    Also edit out sections which "refer to invalid object" please, no need to post them.
    *Note* If prompted that a Virus was found and you need to purchase the product to remove the malware,
    just close out the prompt and let it continue scanning.
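
The log trimming requested in the post above can be scripted. The following is an added example, not part of the original thread or of the mwav tool: it keeps only "action taken" lines, drops quarantine/restore/backup paths and "invalid object" entries, and counts detections by name. The sample log lines are constructed, and the line layout and substring matches are assumptions based on the excerpts quoted in this thread.

```python
import re
from collections import Counter

# Path fragments to leave out, per the post above. Matching on plain
# substrings is an assumption; "restore" covers Restore folders,
# C:\_restore and the _restore{...} folders under System Volume Information.
EXCLUDED_PARTS = ("quarantine", "restore", "system volume information", "backup")

# Detection name as it appears in the excerpts quoted in this thread:
#   ... infected by "NAME" Virus! ...   or   Object "NAME" found in ...
NAME_RE = re.compile(r'(?:infected by|Object)\s+"([^"]+)"', re.IGNORECASE)

def filter_log(lines):
    """Return only the lines worth posting for review."""
    kept = []
    for line in lines:
        low = line.lower()
        if "action taken" not in low:
            continue                      # not a detection line
        if "invalid object" in low:
            continue                      # stale reference entries
        if any(part in low for part in EXCLUDED_PARTS):
            continue                      # already contained or backed up
        kept.append(line.strip())
    return kept

def summarize(lines):
    """Count the remaining detections by name so repeats collapse."""
    counts = Counter()
    for line in filter_log(lines):
        match = NAME_RE.search(line)
        counts[match.group(1) if match else "(unparsed)"] += 1
    return counts

# Constructed sample input (not taken from a real scan).
SAMPLE_LOG = r'''
Scanning File C:\WINDOWS\system32\notepad.exe
File C:\Documents and Settings\Administrator\Desktop\setup.exe infected by "Trojan-Clicker.Win32.VB.kb" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{X}\A0001.exe infected by "Trojan.Win32.Crypt.e" Virus! Action Taken: No Action Taken.
File C:\Program Files\SomeAV\Quarantine\q1.dat infected by "Trojan.Win32.Crypt.e" Virus! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{X}" refers to invalid object "{Y}". Action Taken: No Action Taken.
'''.splitlines()

if __name__ == "__main__":
    for name, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {name}")
```
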

  2. #12
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default mwav log

    Hi. That app is amazing - so thorough. It took over 7 hours to scan the pc. Among other things, it found "Trojan-Clicker.Win32.VB.kb" virus in that "setup.exe" that I executed (and emailed you).

    The log is attached as a text doc.

    Thanks for all your excellent work.

  3. #13
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    I suspect we won't be able to clean up that pc until all the cracked software is uninstalled.

    File C:\Documents and Settings\Administrator\Desktop\offending spyware file\Google Earth Pro Map With CRACK FULL.zip C:\Documents and Settings\Administrator\Desktop\offending spyware file\setup.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for BadCopy_Pro_v3[1].75_build_0608 .infected by "Trojan-Downloader.Win32.INService.gen"
    D:\stuff\downloads\unsorted\Lotus Notes Key v6.5.918.zip
    infected by "Trojan.Win32.Crypt.e" Virus! Action Taken: No Action Taken.

  4. #14
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Okay, of course. I will delete those files, and uninstall that software and get back to you once it is done. I've learned a serious lesson from this.

  5. #15
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    I have removed that software and deleted the installation files etc. Do I have to buy escan or mwav now? If there is another solution, I would prefer it as I am a poor student....

  6. #16
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Escan didn't show me what I wanted to see; rather, it pointed out the probable cause.
    1. popups with advertisements which open in internet explorer windows around the centre of the screen.
    2. very small internet explorer windows which open in the top left of the screen with no content in them - just white windows.
    Even when at known safe websites?

    Possibly these logs will be too large to attach; if so, zip up each and attach in two posts.
    Download this zip.
    http://www.downloads.subratam.org/pv.zip
    Unzip it to the desktop.
    Open the folder and double click on the runme.bat
    Choose option 6, hit enter, post that, then do option 1
    zip up and attach that
    Wait for those popups you mention, then do an option 2 while at least one internet explorer is open and attach that text please.

  7. #17
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    I think the popups were happening even at known safe websites but I can't be sure. Since deleting the files that mwav found, I don't seem to be having any popups though.

    I know you said that escan didn't show you what you wanted to see, but I know that last week I did execute "setup.exe" which mwav found to be infected with "Trojan-Clicker.Win32.VB.kb" Virus. So adware aside, is it possible to remove this virus from the system?

    Did you notice that the "setup.exe" virus had copied itself to the C:\ root directory? I deleted this file.

    Re: the mwav log, I have a couple of questions.

    1. What do these mean/do I need to do anything about them?

    Object "searchexe Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "clientman Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "tencent qq Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.

    2. What does this mean: tagged as "not-a-virus"?

    Thank you again for your generous help.

  8. #18
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    If escan could fix my problems I would buy it as I really would like a clean computer!


    Thank you again for your generous help.

  9. #19
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    PV log (option 1)

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

  10. #20
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default pv log option 1 attached

    pv log option 1 attached

    (previous post was actually pv log option 6 - my mistake)
