I need some help please.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Digibirder, Feb 4, 2005.

  1. Digibirder

    Digibirder Private First Class

    Well, after mentioning this morning that I have a virus problem on my work computer, I've performed the instructions in the thread about how to remove spyware, trojans, etc., and I'm back with the same problem, so I'll tell you what's happening.

    Two days ago I searched on Google for garden design programmes, of all things, having just moved into a new house. One link I clicked caused flashing windows with dubious-looking titles. I tried to close them all down quickly, ran a virus scan (which had only just updated anyway), and carried on as normal. My browser has not been hijacked and everything else on the computer appears to be working normally, as far as I can tell.

    Yesterday morning I switched on the computer and a message box came up saying a virus had been detected. I did a search and found very little information about the culprit, or what to do about it.

    I've tried Windows Update, but I'm not able to download anything from there - error 0x80072EE2. I've been through all the suggestions on the Windows Update site to bypass that problem, but it's not worked.

    I am running Windows XP Pro (SP2 not installed), Command AV, Sygate free firewall. A Sygate scan said that some of my ports were vulnerable. I have since blocked those - horse bolting, stable door and all that!!

    The virus in question is called JS/SillyDownloader. There are two versions mentioned - .M and .AA. The application affected is down as dvprpt, which seems to be connected with Command AV.

    One filename affected, according to the screen after the virus warning flashes up, is downloads_manager[1].htm and this is indicated as the virus having been deleted (having had the .M version).

    The other filename is mtrslib2[1].js - the status of this is 'infected' with .AA version.

    So, as I said, I have followed all the instructions, downloaded all the spyware detectors and other stuff recommended, run them, deleted anything they found, but the virus warning is still appearing on boot up.

    The Trend online scan found nothing.

    Symantec Security scan found that my Hacker Exposure was 'At Risk' and said that no AV product could be found, which I thought was strange, since I do have one.

    Ad-Aware found 3 critical objects - all connected with Alexa and were in the registry. I have quarantined these.

    Spybot found: COSMI - 1 entry; Alexa related - 1 entry; DSO Exploit - 5 entries. All were fixed.

    CWShredder found nothing.

    Kill2me said no sign of any infection found and asked if I wanted to continue anyway. I said yes and it said the Look2me infection was about to be removed then confirmed that the infection had been 'removed if present'.

    I didn't bother with HSRemove and about:Buster as they were not relevant.

    I have not performed the alternative scans yet, but will do so shortly if you think they are worth trying.

    I've downloaded Hijack This and have a log waiting should you need it.

    Phew! What a day. Hope someone can help and that I've done everything correctly.
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    It is very important that you at least try to do everything in the TUTORIAL. If you still have a problem then do the following:

    Please try to turn OFF any applications that are not needed. It makes it much easier to look at the HJT log.
    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. Digibirder

    Digibirder Private First Class

    Thanks for the reply.

    I have just performed the Bitdefender online scan, which showed no infections.

    I have performed all the instructions in the tutorial to no avail, so I have run Hijack This and my log is (hopefully) attached.
     


  4. Digibirder

    Digibirder Private First Class

    Well, I'm at home now, so I can't do anything more till Monday.

    If there appears to be no solution to this, then is my only option a reinstall of Windows?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O15 - Trusted Zone: http://Download.Windowsupdate.com


    I would fix the two below unless you are absolutely sure they are ok!
    O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
    O16 - DPF: {ED5D2306-0FF4-11D2-B37C-0000C000D50D} (HighWay Imaging Control) - http://www.regesta.com/dm_code/iwfull.cab


    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Tell us all the current issues remaining. If you see anymore viruses, get the full name of the virus and the names of any files that are infected.
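
Added example (the editor's, not code from the thread or from HijackThis): a small Python triage of the O15 and O16 entry types picked out in the post above. It applies the rule stated there, that nothing belongs in the Trusted Zone, and treats an ActiveX control downloaded via an O16 DPF entry as acceptable only when its CLSID is already on a list the user can vouch for; it also pulls out the CLSID and the download host so each can be checked. The sample log is constructed from the O15 line and the two O16 lines quoted above plus one made-up O4 line (to show other entry types are passed over); the known-CLSID set is an assumption standing in for whatever the person at the keyboard recognises (here the AV vendor's installer, as the thread says).

```python
import re
from urllib.parse import urlsplit

# Constructed sample log: the O15 and O16 lines quoted in this thread,
# plus one made-up O4 line to show that other entry types are passed over.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [example] C:\\example\\example.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {ED5D2306-0FF4-11D2-B37C-0000C000D50D} (HighWay Imaging Control) - http://www.regesta.com/dm_code/iwfull.cab
"""

# O15: a site (or IP range) added to Internet Explorer's Trusted Zone.
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (?P<target>\S+)$")
# O16: an ActiveX control downloaded from the given URL, identified by CLSID.
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


def triage(log_text, known_clsids=frozenset()):
    """Return one finding per O15/O16 line, in log order.

    O15 entries are always 'review': a Trusted Zone entry relaxes IE's
    security settings for that site, so none should be present without a
    reason.  O16 entries are 'known' only when their CLSID is in
    known_clsids (compared upper-cased); any other downloaded control is
    'review'.  All other entry types are ignored here.
    """
    known = {c.upper() for c in known_clsids}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O15_RE.match(line)
        if m:
            findings.append({"type": "O15", "target": m["target"], "verdict": "review"})
            continue
        m = O16_RE.match(line)
        if m:
            clsid = m["clsid"].upper()
            findings.append({
                "type": "O16",
                "clsid": clsid,
                "name": m["name"] or "",
                "host": urlsplit(m["url"]).hostname or "",
                "verdict": "known" if clsid in known else "review",
            })
    return findings


def fix_list(findings):
    """The findings to select in HijackThis, i.e. everything marked 'review'."""
    return [f for f in findings if f["verdict"] == "review"]


if __name__ == "__main__":
    # Assumed known control: the AV vendor's web installer mentioned in the thread.
    known = {"C81B5180-AFD1-41A3-97E1-99E8D254DB98"}
    for finding in triage(SAMPLE_LOG, known):
        print(finding)
    print("select in HJT:", len(fix_list(triage(SAMPLE_LOG, known))), "entries")
```

The regexes are deliberately strict (a full 36-character CLSID, a single URL token) so a line that has been wrapped or edited by hand fails to match rather than producing a half-parsed finding; that is the safer failure when the output is a list of things to delete.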
     
  6. Digibirder

    Digibirder Private First Class

    Thanks for that, chaslang. As I say, I'm at home now, so I'll have to give that a try on Monday.

    The two O16 references are familiar to me - one is connected with my AV programme and the other one with a company in Italy who we have been working with on a database project.

    Having said that, the AV reference could be a problem, as the virus could be connected with the AV programme, as mentioned in paragraph 6 of my original post.

    The O15 ref to Windows update was added to my trusted sites AFTER the virus was on my system. I tried to run Windows Update, as I mentioned in paragraph 4, but it wouldn't let me. One of the solutions recommended on the Windows site was putting the update page in the Trusted Sites, but that didn't allow me in to the updates either. It does mention in the suggested solutions that some viruses can cause this inability to update.

    I've only seen the one virus referenced in the warning message as the computer boots up. All as mentioned in paras 6,7 and 8 in original post.

    I'll let you know how I get on on Monday.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing should ever really need to be in the Trusted Zone. If it does, I would question why. Even though it is a Microsoft address, I would remove it anyway (especially since it did not help). There have been many occurrences of people having problems doing Windows update recently. It probably is due to some aspect of malware, but no one has identified it yet. None of the solutions that MS proposes in their knowledge base work either. They really should allow you to do it the old way. That is, download the files and do the updates yourself while offline.

    But see this: http://www.sophos.com/virusinfo/analyses/trojpsymebj.html

    They say
     
  8. Digibirder

    Digibirder Private First Class

    OK, I'll remove the Trusted Zone entries tomorrow.

    Any thoughts on the Hijack This log? Especially as one reference you suggest removing is connected with my AV programme.

    Do you think it would be a good idea to uninstall Command AV and download AVG? As it seems this is the application affected in the virus warning.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean!

    As far as Command AV is concerned, I don't know too much about it. I had heard of problems with it hanging and causing blue screens. Are you happy with it? Do you have a subscription for it and do you get regular updates?
     
  10. Digibirder

    Digibirder Private First Class

    OK, trusted zone entries removed. I've left the other HJT entries mentioned as they are known to me and not suspect at all. Another log attached, but it won't look much different to the last one.

    The Sophos link looks interesting, but refers to the .AB version of my virus.

    I've been happy so far with Command AV and have never had the problems you mention. It was a free programme on the coverdisc of a computer magazine, giving free updates for life. It's been regularly updating definitions - mostly every day a pop-up appears that there are updates. The programme itself has had updates added as well.

    I'm still getting the same warning message on boot up. Screenshot also attached.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those files are more than likely in your Temporary Internet folder. Just clear the contents of that folder using CCleaner or do it manually from Internet Explorer's Tools menu. You may need to do this from safe mode.
     
  12. Digibirder

    Digibirder Private First Class

    Well, we have a result, although not from where I expected.

    After asking the opinion of an acquaintance, I downloaded yet another programme, which again turned up absolutely nothing, yet the warning message was still there at startup. Frustrated by it all, I ended up emailing Command for advice.

    The first email reply told me that the updates and support for my free magazine version had actually expired - it should only have been for a year. Nevertheless, he agreed to help. I think he was a little surprised that I was still able to get the definition updates.

    I followed some more instructions, not unlike those advised here. Turn off System Restore, boot into Safe Mode, run the virus scanner, selecting to disinfect if anything found. The only part of his instructions I couldn't follow was to download the Windows Updates - that I still can't do.

    Then I had to clear out the Temp and Temp Internet Folders, boot into normal mode and run the scan again to ensure it is clear. As it was clear before, and has always been clear, this seemed rather pointless, but I did it anyway.

    As before, the warning message appeared. I emailed explaining what had happened and thanked him for helping me, not expecting any further contact.

    Now here, I decided to take the bull by the horns. I uninstalled Command, taking all settings and quarantine files with it, and downloaded AVG free version. Lo and behold - no warning message on boot up!

    Then I received another email from Command support with yet further instructions! I was to boot into Safe Mode, redo the scan, but this time selecting to delete rather than disinfect. This, he said, would remove the virus. Then reboot to normal mode and clear the log, then reboot again. All should then be OK. Apparently, my computer was not infected, as the 'dvp is blocking the files from working' in his words.

    Obviously, I am unable to tell whether this final instruction would have worked, as I had already got rid of Command and installed AVG. I am almost tempted to do a system restore and see what happens. But I think I'll get some real work done instead!!

    Thanks again for all your help and advice.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! And now you will continue to get free update for AVG which is a good thing!
     
  14. Digibirder

    Digibirder Private First Class

    Well, I'm not sure if I still have the problem with the Windows Updates - didn't have time to try it before leaving work last night. I'm at home this morning, so won't be able to try that till this afternoon, if I go in.

    I suspect this is something to do with my firewall, but it's worked before. In fact I'll try it now on this computer with the same AV and firewall. If it works here, then I will have to do some more digging as to why I can't do it at work. I don't have SP2 on this PC either.

    I'm also going to put all that other spyware stuff on here. Don't want the same thing happening at home!

    On that subject, are all those spyware programmes now running in the background, or do I have to configure them in some way?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm a little fussy about this but I'm sure you can understand why. I know what you meant but I have seen cases where a misinterpretation of the way something is written like this can present problems.

    You used the terms "spyware stuff" and "spyware programmes" above. That would mean you want to install bad stuff and have bad things running in the background.

    A spyware scanner/blocker/removal tool on the otherhand is good.

    The free versions of Ad-Aware SE and Spybot S&D are scanners, not really blockers, although Spybot has a few items you can use to actively protect you, and it has the Immunize function which protects you from many bad websites by adding their addresses to your Restricted Zone. SpywareBlaster (if you installed it) does some blocking, and you will not see it running because it configures parameters to protect you but does not have an active application running. If you install SpywareGuard or SpySweeper, you will then have an application that is active and is blocking malware. SpySweeper is also a scanning and removal tool.

    You should refer to the below link and follow the guidelines in it:
    How to Protect yourself from malware!
     
    Last edited: Feb 9, 2005
  16. Digibirder

    Digibirder Private First Class

    Apologies for my bad terminology. Of course, I would never want to purposely put 'spyware stuff' on my PC. I did mean scanner/blocker/removal tool, as you correctly point out.

    I have printed out the page on how to protect against malware, so I will get my computers protected to the hilt now.

    I managed to get Windows Update at home yesterday, with the same AV and firewall, but was unable to get the page at work this morning. I managed to get the updates only by temporarily disabling the firewall, so I must have something set differently here than at home. I will have to check through some time, but I'm now busy trying to catch up with all the work that's backed up while I've been trying to sort out this problem!

    Thanks for all your help.

    Diane.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are probably blocking the Windows Update executable from getting thru your firewall.
     
  18. Digibirder

    Digibirder Private First Class

    I've checked all the programme access settings and I can't see anything that looks to be doing that. It's all very similar to the setup at home, where I managed to get the updates with no problem at all.

    Could be that someone else who's used my computer when I have been off work has seen a firewall message come up and clicked to deny access without knowing what they were denying. Highly possible. Now all I need to do is find out which setting is the appropriate one! I'll check through at home and try and figure out what I need to be looking for.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what I was saying in my last message. You need to check your firewall and see what it allows to access the Internet.
     
  20. Digibirder

    Digibirder Private First Class

    I was merely pointing out how the blocking may have happened. I certainly haven't blocked the updates within the firewall myself.

    I've checked all the programme access rules and set the majority to ask or allow and still no joy with the updates. I can see the Sygate icon in the toolbar flashing red when I'm on the update page, so it's obviously blocking it, but I don't know why.

    Since downloading the updates yesterday (with the firewall turned off) I now have an update icon in the system tray and a balloon pops up telling me I have updates available. When I click on it it's the SP2 that it wants to download. I haven't tried that to see if that will work, as I have SP2 on a disc that I'd rather use.

    Anyway, I won't say anything further here, as it's the wrong section for this particular problem and it is obviously unrelated to my original query.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But if you do figure out what the problem is, please drop a message here and let me know. It could prove useful to others.

    One thing you could try (while physically disconnected from the internet for safety) is completely uninstalling Sygate, rebooting, and then re-installing Sygate. Obviously make sure you have the installation file before you do this. This should make it start over again with all the permissions. You will have to re-define your own network parameters too.
     
  22. Digibirder

    Digibirder Private First Class

    I will post back if I find the answer.

    I have been on the Sygate forums and been thoroughly confused, as it appears that it may be something to do with Generic Host Process svchost.exe. Some are saying that it should be selected to run as a server and others are saying it shouldn't, but unticking it has cured this problem for other people. It doesn't work either way for me so that's not the answer in my case.

    I have downloaded the last (allegedly) stable version and will upgrade when I have a chance.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't upgrade with the other installed. Do as I said below. Disconnect from the internet for safety, uninstall the current version, reboot, remove any left over existing folders from Sygate, and then install the new version. Be careful what you say yes and no to when allowing permissions in/out of the firewall.
     
  24. Digibirder

    Digibirder Private First Class

    I have the instructions from Sygate for uninstalling the current version first before installing the update.

    I checked at home last night, and I actually have a different version on my home computer - same version as the update I've downloaded at work, but a different build number. I did install this at home a long time after the one at work. I'd been struggling with Norton Internet Security for some time at home, before ditching it for Sygate. But that's another story!

    Also, svchost is set to Allow and Act as Server is unticked, which is almost the same setting as at work (I think it's set to Ask).

    Anyway, can't do anything till Monday now.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Talk to you on Monday! Make sure you look for this thread.
     
  26. Digibirder

    Digibirder Private First Class

    All better now!

    I uninstalled the old version of Sygate, installed the new (but not the latest) version, and I can now get Windows Updates. I used version 5.5, build 2710, which was recommended as the last most-stable version. A lot of users were having problems with v5.6.

    Thank you very much for your help and support.
     
  27. Digibirder

    Digibirder Private First Class

    OK, I take that back!

    After achieving the update the first time, I updated all my network settings within Sygate and now I'm not able to get the updates again. So I need to look at the settings again.

    This is strange that I'm having all this trouble at work and the home PC gets the updates fine. Although that's not networked. Having said that, this one has worked before despite being networked, so when and why it stopped getting updates is a mystery.
     
  28. Digibirder

    Digibirder Private First Class

    OK, solved again.

    It was some settings that I'd added to the svchost rules to allow access from the other office computers to file and print sharing without leaving the network open to outside attack. Removing those settings allows Windows Updates.

    I added these rules after reading a post on the Sygate forum some time ago about a security issue and just followed their instructions. Apparently, I don't need to have those rules set as long as I am fully patched and protected, which I think I am now.

    Thanks again.
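
Added example (the editor's, not from the thread or from Sygate): a simplified model of per-application, first-match firewall rules, to show why rules written for file and print sharing on svchost.exe end up blocking Windows Update, as the post above found. On Windows XP the Server and Workstation services (SMB on ports 139/445) and the Automatic Updates and BITS clients all run inside instances of svchost.exe, so an application-level rule for svchost.exe applies to every service hosted there, not just the one it was written for. The "lockdown" rule set is a guess at the kind of rules described above (LAN-only SMB followed by a catch-all block for svchost.exe); the "LAN only" set keeps the SMB restriction but leaves outbound HTTP/HTTPS to fall through to the application's own Allow setting, as in post 24. The subnet, the remote addresses and the rule shape are constructed; a real rule set would also have to let svchost.exe do DNS, DHCP and time sync. Error 0x80072EE2 is WinINet's ERROR_INTERNET_TIMEOUT, which is what a silently dropped outbound connection looks like to the update client.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.0.0/24")   # constructed office subnet
INTERNET_HOST = "203.0.113.10"                  # constructed non-LAN address (TEST-NET-3)
SMB_PORTS = frozenset({139, 445})               # NetBIOS session and direct-hosted SMB


@dataclass(frozen=True)
class Rule:
    app: str                                  # process name, or "*" for any process
    direction: str                            # "in" or "out"
    ports: frozenset                          # local port for "in", remote port for "out"; empty = any
    remote: Optional[ipaddress.IPv4Network]   # remote address range, or None for any address
    action: str                               # "allow" or "block"


@dataclass(frozen=True)
class Conn:
    app: str
    direction: str
    port: int
    remote_ip: str


def matches(rule: Rule, conn: Conn) -> bool:
    """True when every constraint the rule specifies is satisfied by the connection."""
    if rule.app != "*" and rule.app != conn.app:
        return False
    if rule.direction != conn.direction:
        return False
    if rule.ports and conn.port not in rule.ports:
        return False
    if rule.remote is not None and ipaddress.ip_address(conn.remote_ip) not in rule.remote:
        return False
    return True


def decide(rules, conn: Conn, default: str = "allow") -> str:
    """First matching advanced rule wins; with no match the application's own
    setting applies (modelled as 'allow', the svchost.exe setting in the thread)."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return default


# Assumed shape of the rules added from the Sygate forum post: LAN-only SMB,
# then block everything else svchost.exe does. The last rule also blocks the
# Automatic Updates client, because it lives in svchost.exe too.
FILE_SHARING_LOCKDOWN = [
    Rule("svchost.exe", "in",  SMB_PORTS, LAN,  "allow"),
    Rule("svchost.exe", "out", SMB_PORTS, LAN,  "allow"),
    Rule("svchost.exe", "in",  frozenset(), None, "block"),
    Rule("svchost.exe", "out", frozenset(), None, "block"),
]

# Same protection for SMB, scoped to what actually needs restricting: inbound
# SMB from anywhere but the LAN. Outbound HTTP/HTTPS falls through to "allow".
FILE_SHARING_LAN_ONLY = [
    Rule("svchost.exe", "in", SMB_PORTS, LAN,  "allow"),
    Rule("svchost.exe", "in", SMB_PORTS, None, "block"),
]


def windows_update_reachable(rules) -> bool:
    """Can the update client (hosted in svchost.exe) open an outbound HTTPS connection?"""
    return decide(rules, Conn("svchost.exe", "out", 443, INTERNET_HOST)) == "allow"


def smb_exposed_to_internet(rules) -> bool:
    """Does an inbound SMB connection from a non-LAN address get through?"""
    return decide(rules, Conn("svchost.exe", "in", 445, INTERNET_HOST)) == "allow"


def lan_file_sharing_works(rules) -> bool:
    """Can another office machine reach the file and print sharing service?"""
    return decide(rules, Conn("svchost.exe", "in", 445, "192.168.0.20")) == "allow"


if __name__ == "__main__":
    for name, rules in (("lockdown", FILE_SHARING_LOCKDOWN), ("lan-only", FILE_SHARING_LAN_ONLY)):
        print(name,
              "update reachable:", windows_update_reachable(rules),
              "smb exposed:", smb_exposed_to_internet(rules),
              "lan smb:", lan_file_sharing_works(rules))
```

The point the two rule sets make is about granularity: a personal firewall keyed on the executable cannot tell the Server service from the Automatic Updates client when both are svchost.exe, so the only safe way to restrict one of them is by port and remote address, not by blocking the process wholesale.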
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy to hear you have it all worked out!
     
