riddled with malware?

Could the restore points be what's eating up my space? Bearing in mind that the last 2 gigs was from ESET and so not included in the problem? I will delete the restore points.

Depending on how many restore points you have and how big you make them (the max size is 12% of total HD space) they can definitely eat up some space.

To remove the old restore points and set a new one, do the following:

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.


I'm confused; I thought the problem was Word acting as a server, not ZA??

I just wanted to make sure you had the latest version and were fully updated with ZoneAlarm. :)


Those links you got from ZoneAlarm did help. :)

I noticed the following words in each link: No breach in your security has occurred. Your computer is safe. And looking over the ZA links for Winword.exe and engine.exe, you have the legit versions of both. When the allow/deny message pops up for those two programs, you can go ahead and click Allow to allow it.
 
Found the laptop not hibernated again. Tried to hibernate again, via several different methods. Then tried to shut down. It got as far as saving my settings but took several mins to get there, then the screen went blank and just the mouse arrow was there. No buttons did anything and I had to pull the plug again.

I don't think it can be hardware as I tried several different methods. Also screen shutdown didn't work and nor did standby. These are the same symptoms as before. I'll let you know if it happens again.
 
File: WINWORD.EXE
Status: OK
MD5: b6720721182610d39a6a9b9306a8cba4
Packers detected: -
Scanner results (scan taken on 01 Nov 2008 19:39:58 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
 
Just waiting for engine.exe.

Can you explain to me why Word needs to act like a server? It seems really annoying because it just takes it longer to open and all I'm doing is typing something into it as a WP.

I'm very glad my computer is so free of malware, though that still seems strange! And I will follow those links you gave me to the forums to try to work out what is eating the space and making everything so slow.

As you predicted, all OK:
File: engine.exe
Status: OK
MD5: 5ae8d009317f5be3ee742eff24b32036
Packers detected: -
Scanner results (scan taken on 01 Nov 2008 19:46:11 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
 
I've got an icon on my desktop AdbeRdr811_en_US(2) that leads to Adobe Reader setup. But when I look in Add/Remove Programs, to remove it so I can re-install it, it's not there. Do I just delete it off my desktop or look for it in Program Files and delete?

There are 2 other Adobe icons:
AdbeRdr811_en_US
AdbeRdr811_en_US.exe.part

Can you advise?

Thanks
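The two pasted reports in this thread share one layout: a short header (File, Status, MD5, Packers detected), then a "Scanner results" section where each engine name is followed by its verdict on the next line. The reason the helper could say "both files came back ok" is that every verdict reads "Found nothing". As an added example, not code from this thread or from the scanning service that produced the reports, the following Python parses that layout into a structured result, flags any engine whose verdict is something other than "Found nothing", and hashes a local file so you can confirm the copy on your disk is the same bytes the online scanner saw (a report is only about the exact file with that MD5). Both report texts inside the block are constructed for the example: the first mirrors the WINWORD.EXE result above with a shortened engine list, the second carries a made-up detection line (placeholder name, not a real signature) so the "not clean" path is exercised.

```python
"""Parse a pasted multi-engine scan report and verify a local file's MD5.

Added example for this thread; not a tool used in it. The report layout
follows the two results pasted above (engine name on one line, verdict on
the next). Sample texts below are constructed.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed sample: same layout as the thread's WINWORD.EXE report, fewer engines.
SAMPLE_CLEAN = """\
File: WINWORD.EXE
Status:
OK
MD5: b6720721182610d39a6a9b9306a8cba4
Packers detected:
-
Scanner results
Scan taken on 01 Nov 2008 19:39:58 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ClamAV
Found nothing
"""

# Constructed sample with a hypothetical detection (placeholder name, not real data).
SAMPLE_FLAGGED = """\
File: example.exe
Status:
OK
MD5: 0123456789abcdef0123456789abcdef
Packers detected:
UPX
Scanner results
Scan taken on 01 Nov 2008 20:00:00 (GMT)
A-Squared
Found nothing
AntiVir
Found EXAMPLE/Placeholder.Detection
ClamAV
Found nothing
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class ScanReport:
    filename: str = ""
    md5: str = ""
    packers: list = field(default_factory=list)
    scanned_at: str = ""
    results: dict = field(default_factory=dict)  # engine name -> verdict line

    @property
    def detections(self):
        """Engines whose verdict is anything other than 'Found nothing'."""
        return {e: v for e, v in self.results.items() if v != "Found nothing"}

    @property
    def is_clean(self):
        # An empty results section is not evidence of anything, so it is not 'clean'.
        return bool(self.results) and not self.detections


def parse_report(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = ScanReport()
    i = 0
    # Header: 'Key: value' lines; 'Packers detected:' has its value on the next line.
    while i < len(lines) and lines[i] != "Scanner results":
        line = lines[i]
        if line.startswith("File:"):
            report.filename = line.split(":", 1)[1].strip()
        elif line.startswith("MD5:"):
            md5 = line.split(":", 1)[1].strip().lower()
            if not MD5_RE.match(md5):
                raise ValueError(f"malformed MD5 in report: {md5!r}")
            report.md5 = md5
        elif line == "Packers detected:" and i + 1 < len(lines):
            value = lines[i + 1]
            report.packers = [] if value == "-" else [p.strip() for p in value.split(",")]
            i += 1
        i += 1
    if i >= len(lines):
        raise ValueError("no 'Scanner results' section found")
    i += 1
    if i < len(lines) and lines[i].startswith("Scan taken on"):
        report.scanned_at = lines[i][len("Scan taken on"):].strip()
        i += 1
    body = lines[i:]
    if len(body) % 2:
        raise ValueError("scanner results are not engine/verdict pairs")
    for engine, verdict in zip(body[0::2], body[1::2]):
        report.results[engine] = verdict
    return report


def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_report(path, report):
    """True only if the file on disk is byte-identical to what the scanner saw."""
    return md5_of_file(path) == report.md5


def summarize(report):
    verdict = "clean" if report.is_clean else f"{len(report.detections)} detection(s)"
    return f"{report.filename} md5={report.md5} engines={len(report.results)} -> {verdict}"


def demo_hash_check():
    """Hash a constructed temp file holding b'abc' (a well-known MD5 test vector)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"abc")
        os.close(fd)
        return md5_of_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for text in (SAMPLE_CLEAN, SAMPLE_FLAGGED):
        print(summarize(parse_report(text)))
```

To use it on a real report, paste the text into `parse_report` and point `matches_report` at the file you actually submitted; a hash mismatch means the verdicts do not apply to the copy you have.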
 
Edit:

Just delete AdbeRdr811_en_US, AdbeRdr811_en_US.exe.part and AdbeRdr811_en_US(2) from your Desktop. Then just redownload the setup file to reinstall Adobe.

Found the laptop not hibernated again. Tried to hibernate again, via several different methods. Then tried to shut down. It got as far as saving my settings but took several mins to get there, then the screen went blank and just the mouse arrow was there. No buttons did anything and I had to pull the plug again.

I don't think it can be hardware as I tried several different methods. Also screen shutdown didn't work and nor did standby. These are the same symptoms as before. I'll let you know if it happens again.

What brand of laptop do you have? I'll do some more research once I know to see if there is anything, otherwise it'd be best to bring this up in the general troubleshooting forums.

As for Word acting like a server, it could be checking in to see if there are any updates or a part of it may need to connect to the Internet to work/function. As the scans showed, both files came back ok, so nothing malicious/worry about there. :)
 
IBM ThinkPad (T45 I think) - thanks

thanks for all your help and patience

If we have finished hunting for malware, there are some things I need to do before I say goodbye, e.g. TeaTimer was disabled, do I leave it?

And I have a lot of setup .exe type icons on my desktop, what do I do with them? e.g. Mbam-setup and several more.

And I need to know which of all the progs I've downloaded with you to keep or uninstall. If you say keep I assume they are OK for me to use without your instructions.

Will delete all the Adobe icons mentioned.

thx v much
 
Sorry for the delay.

IBM ThinkPad (T45 I think) - thanks

I found a link that may help with your hibernating problems:

Your IBM ThinkPad portable computer may not hibernate as expected in Windows XP.

It says in the link to upgrade to the latest SP release, which you have already done. It also says there is a specific hotfix for it, and for further information on it you should contact Microsoft Product Support Services.

If we have finished hunting for malware, there are some things I need to do before I say goodbye, e.g. TeaTimer was disabled, do I leave it?

You can re-enable TeaTimer now. :)

And I have a lot of setup .exe type icons on my desktop, what do I do with them? e.g. Mbam-setup and several more.

You can delete Mbam-Setup.exe, and I'll tell you how to remove some of the other tools that were used in this thread shortly.

And I need to know which of all the progs I've downloaded with you to keep or uninstall. If you say keep I assume they are OK for me to use without your instructions.

As mentioned above, I'll let you know which ones to delete. :) I would keep ATF Cleaner and MalwareBytes' Anti-Malware. Use ATF Cleaner every few weeks to keep your computer free of junk. And use MalwareBytes' every few weeks or so to scan your computer for malware, just be sure to update it before doing a scan.

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK


Please open OTMoveIt3.

  • Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
  • Answer Yes to the prompt.
  • The program will ask for a reboot. Answer Yes.

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:


Make your Internet Explorer more secure. This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it asks you if you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently. It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use an alternative instant messenger program. Trillian and Miranda IM are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Please reply one last time so that I know you have read my post and this thread can be closed.
 
I found a link that may help with your hibernating problems:

Thanks for that. I think we are still misunderstanding each other: it wouldn't shut down either, or go to standby or even turn off the monitor!

You can re-enable TeaTimer now.

Please give me instructions how.

I'll tell you how to remove some of the other tools that were used in this thread shortly... As mentioned above, I'll let you know which ones to delete.... Please reply one last time so that I know you have read my post and this thread can be closed.

I am confused because you haven't told me which ones (just given instructions for uninstalling ComboFix and OTMoveIt) but not mentioned some of the others. Please could you instruct me about the rest? Thx

Make your Internet Explorer more secure

I use Firefox, please instruct me for that?

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings

Will this work with Firefox too? Is there anything I need to do differently?

Also how do I update Firefox? An update notice popped up from near my clock (bottom right) offering an update but went again before I could click on it.

You say to update Windows by going to the site regularly: I've got it set to automatic update, is that good enough?

thanks! again
 
Thanks for that. I think we are still misunderstanding each other: it wouldn't shut down either, or go to standby or even turn off the monitor!

Sounds like the whole hard drive is freezing/locking up, not sure though. Best to mention this as well as the hibernating problems whenever you post to one of the general troubleshooting forums.

You can re-enable TeaTimer now.

Please give me instructions how.

To re-enable TeaTimer, do the following:

  • Open Spybot - Search and Destroy
  • Click on Mode and check Advanced Mode
  • Check Yes to the next window.
  • Click on Tools in the bottom left hand corner.
  • Click on the System Startup icon.
  • Put a check in the Teatimer box (click the box to make the check appear).
  • Click the Allow Change box.


I am confused because you haven't told me which ones (just given instructions for uninstalling ComboFix and OTMoveIt) but not mentioned some of the others. Please could you instruct me about the rest? Thx

OTMoveIT3 and ComboFix are the tools that I wanted you to remove, sorry if I wasn't being clear. The only tools I had you download were ATF Cleaner, MalwareBytes' Anti-Malware, ComboFix, and OTMoveIT3. I said to keep ATF and MBAM and gave you instructions on how to remove ComboFix and OTMoveIt. Were there other tools you were referring to?


To make FireFox more secure, read through and follow the suggestions in the following website:

Configure Firefox's settings to strengthen security


SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings

Will this work with Firefox too? Is there anything I need to do differently?

Yes, SpywareBlaster will work with Firefox too. It has its own Firefox section. Here's a tutorial on how to setup and use SpywareBlaster:

http://www.bleepingcomputer.com/tutorials/tutorial49.html


Also how do I update Firefox? An update notice popped up from near my clock (bottom right) offering an update but went again before I could click on it.

To update Firefox, do the following:

Open up Firefox. Once loaded, click Help, then Check for Updates.

You say to update Windows by going to the site regularly: I've got it set to automatic update, is that good enough?

That's good. It's always good to get in the habit of checking for updates manually every once in a while. Microsoft sends out updates the 2nd Tuesday of every month, so you know when to check for updates. :)
 
Hi ecosarah.

e.g. I couldn't find the TeaTimer where he told me to go

Let's do it this way then.

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, check the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


e.g. ComboFix didn't uninstall

Did you do the following:

Go to Start > Run - type in ComboFix /u & click OK

Note that there is a space between the x and the / and there is no space between the / and the u.

If you did enter ComboFix /u (with the proper spacing) and clicked OK, what happened? Did any progress bars appear on the screen?

e.g. I have other software that I need instructions for

What other software do you need instructions for?
 
Thx, have reset TeaTimer - was I then meant to click off Advanced Mode? Your instructions just said to exit? SB then asked about 10 progs that were changing: I accepted all of them, I hope that was right. I didn't understand them, a couple were Google, MS, in the path.

Tried to uninstall ComboFix again, progress meter went all the way this time, but ComboFix icon still on desktop after restarting the system. What do I do please?

The other icons/programs that I don't know what to do with, that we put onto my desktop:

Findfile winzip
wpsetup (maybe that was from the slow computer forum?)
hjtInstall
hijackthis
Findfile (with envelopes)

Haven't removed OTMoveIt because when I click on the icon it gives the option to run. I don't know where the icon to open it is? I didn't remove it because I didn't think I would want to run it. Please advise about all of the above.

Big thanks, Sarah
 
You did fine with Teatimer. :) You can keep it in Advanced Mode if you wish.

Tried to uninstall ComboFix again, progress meter went all the way this time, but ComboFix icon still on desktop after restarting the system. What do I do please?

Let's remove it manually.

Delete ComboFix.exe from your Desktop.

Using Windows Explorer, delete the following folders, if found:

C:\ComboFix\
C:\QooBox\


The other icons/programs that I don't know what to do with, that we put onto my desktop:

Findfile winzip
wpsetup (maybe that was from the slow computer forum?)
hjtInstall
hijackthis
Findfile (with envelopes)

You can delete the Findfile winzip icon, the Findfile (with envelopes) icon, the hjtInstall icon and the wpsetup icon off your Desktop.

To remove HiJackThis, do the following:

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

HijackThis 2.0.2

Haven't removed OTMoveIt because when I click on the icon it gives the option to run. I don't know where the icon to open it is? I didn't remove it because I didn't think I would want to run it. Please advise about all of the above.

You'll need to run OTMoveIT in order to remove it. Double-click on the icon to run/open the program and do the following:

  • Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
  • Answer Yes to the prompt.
  • The program will ask for a reboot. Answer Yes.

Finally, empty your Recycle Bin.
 
Thanks, I will post back when I have followed all those to let you know if I am successful or have any further queries.

Just to confirm, the instructions for making IE safer: can they be transferred straight to Firefox? It's a little tricky as they are set out a bit differently.

thanks again
 
Have followed your instructions.

Couldn't find any ComboFix progs but then didn't understand where you meant me to look "using Windows Explorer". Saw that CleanUp! listed some. Do you want me to look again for them and if so where/how?

I didn't do things in the order you put them and wonder if I should have so that CleanUp was the last? Did HijackThis last... is that OK?

Have emptied the Recycle Bin.

thanks
 
Just to confirm, the instructions for making IE safer: can they be transferred straight to Firefox? It's a little tricky as they are set out a bit differently.

No, as they are different browsers you can't use the instructions for making IE safer on Firefox.

The following website has good tips on how to configure Firefox:

http://news.zdnet.co.uk/security/0,1000000189,39203958,00.htm


Couldn't find any ComboFix progs but then didn't understand where you meant me to look "using Windows Explorer". Saw that CleanUp! listed some. Do you want me to look again for them and if so where/how?

To go into Windows Explorer, do the following: Right-click on the Start button and choose Explore. That will open up Windows Explorer. In the left-hand window, click on the + next to C:\ so that it expands down. Look for the ComboFix and Qoobox folders under C:\ and if they are there delete them.

I didn't do things in the order you put them and wonder if I should have so that CleanUp was the last? Did HijackThis last... is that OK?

That's fine.
 
Just went into Explore and expanded C:\ but there are loads of folders. Do I need to expand all those folders to look for the ComboFix stuff???!!!

thank you very much, I really appreciate all your help and patience!
 
No, you don't need to expand any more folders. The two folders you want to look for are ComboFix and Qoobox. Just look through the folders under C:\. If you don't see them there, that means they've been deleted already. :)
 
No mention of those 2 folders. Must be gone!

Big thank you to you for being so great and talking me through it all so well, step by step. Have started a long process of trying to work out what else is going on!!

Take care, and have fun. Carry on the good work if you have time!!

Sarah
 