Real hassle from virus/spyware

Comments

  • rosy wrote:
    The Four Book Grim Noun files - I right clicked each one and chose delete and I got a message saying they were all system files and if I deleted them some programs/the PC might not work properly.
    Delete them. The only thing that will stop working is the Lop program.

    rosy wrote:
    I didn't try to open them either in case I unleashed something! Hovering over them, the first three on the list are about 2kB. The last one (VCThird Ace) is about 129kB.
    VCThird Ace doesn't look like a normal Lop related folder and none of the scanners we've tried that detect Lop have identified it as such. Look inside this folder and tell me what's in it please.
    rosy wrote:
    Something is still going on though - McAfee has asked several times if I want to allow Skype access saying the application has changed since I first allowed access. I decided to block it for just now and up popped a chat conversation I had had on it a while ago. :confused: Don't know if it's just a blip or part of this stuff.
    Has Skype recently updated to a new build version? If so, that would explain the McAfee warnings.


    PS: You need to empty your recycle bin. :)
  • rosy
    rosy Posts: 642 Forumite
    I have just deleted the three files. I tried to look inside the VC Third Ace but I can't - it asks me what program I want to open it with. The icon looks like a white square with a blue bar across the top, with three coloured symbols (red, blue, green; too small for me to read). My son just told me he has seen the same on some music - it's an OMA file?? What do I use to open that? The rest seem to have been deleted fine.
  • rosy
    rosy Posts: 642 Forumite
    PS: You need to empty your recycle bin. :)
    Oops sorry. ( Now I feel like I do when I get visitors and I haven't tidied the house:o ) Will go and do so right away.
  • I would leave the VC file then.

    So everything is fine on this account now then?
  • rosy
    rosy Posts: 642 Forumite
    Should I delete the V Third Ace thing? Apart from that think everything is OK on my account.
  • Nope, it has nothing to do with Lop if it has an OMA file extension.

    OMA file extensions are connected to Sony Music files.

    http://filext.com/detaillist.php?extdetail=OMA

    Are there any issues remaining on the other user accounts?
  • rosy
    rosy Posts: 642 Forumite
    It doesn't have an OMA file extension - it doesn't have any extension on it, it's just that the icon looks exactly the same as the one in my son's account with OMA after it. It does say it's a system file when I try to delete it. I'm sorry, I've probably given you all the wrong info here. Wish I was more computer literate!

    I ran another panda scan - results posted at the foot of this post. Also did a check in ewido and noticed it has in quarantine the following:
    C:\ Program Files\Virus-Burst\virbur.ini
    C:\ Program Files\Virus-Burst\Virus.Burst.exe
    C:\Documents and Settings\Michael\Start Menu\Virus-Burst 6.1 lnk
    There is still a Virus Burst reference on the Panda Scan on Michael's account, but if these above have all been quarantined, does this mean it can't run anyway? He still has the Virus Burst icon on his desktop. He also seems to have some persistent adware thing called "Pesttrap".

    There still also seems to be the 180degrees / hhico and search centrix on there. Ewido has some references to 180 degrees stuff in quarantine ( the list starts with HKU...).

    Would it work if I just went to the folder in Windows explorer and deleted remaining things from there or would I have to use the Kill box program ? ( I'm not sure if some of the tools it would use will now be quarantined in the Dr Web and inaccessible though).

    Once again , sorry - I feel I am not making your job any easier because I don't really have much of a clue what I'm talking about. :o I am learning a heck of a lot from this though and would really like to get to the bottom of it all. Much appreciation for your patience!

    Here's the Panda scan

    Incident Status Location

    Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico
    Adware:adware/ncase Not disinfected c:\windows\180Solutions
    Spyware:spyware/searchcentrix Not disinfected Windows Registry
    Potentially unwanted tool:Application/VirusBurst Not disinfected C:\Documents and Settings\Michael\Local Settings\Temp\vb19EE.exe
    Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\SB5JAQ3X\theuptodatesafety[1].htm
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0000148.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0000153.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0000154.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0002940.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0002947.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0002948.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Dc12.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Dc7.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Dc8.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\oozeobj.bk!
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Process0.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Process1.exe
  • rosy wrote:
    It doesn't have an OMA file extension - it doesn't have any extension on it, it's just that the icon looks exactly the same as the one in my son's account with OMA after it. It does say it's a system file when I try to delete it. I'm sorry, I've probably given you all the wrong info here. Wish I was more computer literate!
    What is the file extension? If you right click the file and select "Properties" it will give you the file extension. If the Properties window has a "version" tab, it may also give you the vendor's name that it relates to.
    rosy wrote:
    I ran another panda scan - results posted at the foot of this post. Also did a check in ewido and noticed it has in quarantine the following:
    C:\ Program Files\Virus-Burst\virbur.ini
    C:\ Program Files\Virus-Burst\Virus.Burst.exe
    C:\Documents and Settings\Michael\Start Menu\Virus-Burst 6.1 lnk
    There is still a Virus Burst reference on the Panda Scan on Michael's account, but if these above have all been quarantined, does this mean it can't run anyway? He still has the Virus Burst icon on his desktop. He also seems to have some persistent adware thing called "Pesttrap".
    I'd like to see a new HijackThis log on Michael's account along with a SmitfraudFix log which I'll give you instructions for in a minute. Anything quarantined by Ewido will not run...correct.
    rosy wrote:
    Would it work if I just went to the folder in Windows explorer and deleted remaining things from there or would I have to use the Kill box program ? ( I'm not sure if some of the tools it would use will now be quarantined in the Dr Web and inaccessible though).
    You may not need to use Killbox.
    We'll download any tools again as they're updated on a regular basis.
    rosy wrote:
    Once again , sorry - I feel I am not making your job any easier because I don't really have much of a clue what I'm talking about. :o I am learning a heck of a lot from this though and would really like to get to the bottom of it all. Much appreciation for your patience!
    We all have to start somewhere Rosy and this is most certainly the best way to learn!! By the time we've finished, you'll feel much more confident about using computers in general!

    ===========

    Running from Michael's account......

    Download SmitfraudFix by S!Ri from either of these mirrors to your desktop:

    SmitfraudFix Mirror 1
    SmitfraudFix Mirror 2

    Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.

    Open the SmitfraudFix folder and double-click "smitfraudfix.cmd"

    Select option #1 - "Search" by typing 1 and pressing "Enter".

    Copy & paste the contents of the text file which appears back here please.

    =========

    Please also post a HijackThis Uninstall List:

    Go to Start > Control Panel > Add/Remove Programs and place a check in the box at the top of the window - "Show Updates".

    Open HijackThis and click 'Config' (bottom right)

    Click 'Misc Tools' and then 'Open Uninstall Manager'

    A list of the entries in Add/remove programs will appear.

    Click on Save List...

    The list will be saved as 'Uninstall_list.txt'

    Copy & Paste the contents in your next reply.

    =========

    Don't forget a new HJT log as well please. :)
  • rosy
    rosy Posts: 642 Forumite
    I'm going to do the rest of the stuff in a minute but to let you know about the Vc Third Ace thing - in properties it says:

    Type of file - System File
    Description of file: Vc Third Ace
    Size 129KB
    Size on Disc 132 kB
    Created 16 Jan 05 ( in case its relevant the rest of the stuff in the Four Book Grim Noun folder was created in 2004 )
    Modified 20 Sep 06
    Accessed 26 Sep 06

    Can't see any file extension anywhere.
  • rosy
    rosy Posts: 642 Forumite
    The Smitfraud text file:
    SmitFraudFix v2.100

    Scan done at 15:45:50.85, 26/09/2006
    Run from C:\Documents and Settings\Michael\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\Michael\STARTM~1\Programs\Virus-Burst FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Michael\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\Michael\Desktop\Virus-Burst.lnk FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
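
Added example, not part of the thread and not SmitfraudFix's own code: a short Python reader for a report in the layout posted above, which lists every `FOUND !` line under its section heading and collects any non-empty registry values the report prints for manual review. The sample log is a constructed excerpt of that layout, and `parse_report` is a hypothetical name.

```python
import re

# Constructed sample: excerpt in the layout of the SmitfraudFix "Search" report quoted above.
SAMPLE_LOG = """\
SmitFraudFix v2.100

Scan done at 15:45:50.85, 26/09/2006

»»»»»»»»»»»»»»»»»»»»»»»» C:\\WINDOWS\\system32

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\\DOCUME~1\\Michael\\STARTM~1\\Programs\\Virus-Burst FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\\DOCUME~1\\Michael\\Desktop\\Virus-Burst.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION = re.compile(r"^\s*»{3,}\s*(.+?)\s*$")        # section heading line
FOUND = re.compile(r"^\s*(.+?)\s+FOUND\s*!\s*$")       # path followed by "FOUND !"
REG_VALUE = re.compile(r'^\s*"([^"]+)"="(.*)"\s*$')    # "Name"="Value" registry line

def parse_report(text):
    """Return (found, review): confirmed hits and non-empty registry values, by section."""
    found, review, section = [], [], None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := FOUND.match(line):
            found.append((section, m.group(1)))
        elif (m := REG_VALUE.match(line)) and m.group(2):
            # The report itself warns these keys are "not inevitably infected".
            review.append((section, m.group(1), m.group(2)))
    return found, review

if __name__ == "__main__":
    hits, to_review = parse_report(SAMPLE_LOG)
    for section, path in hits:
        print(f"[{section}] {path}")
    print(f"{len(to_review)} registry value(s) to review by hand")
```

An empty section, such as `C:\WINDOWS\system32` in the sample, simply produces no entries, which matches how the report shows a clean location.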
This discussion has been closed.