mail worm

Discussion in 'Malware Help (A Specialist Will Reply)' started by krylinost, Feb 25, 2008.

  1. krylinost

    krylinost Private E-2

    Kaspersky anti-virus found:
    detected: Trojan program Trojan.JS.Redirector.f URL: http://desktopenhancers.ezthemes.com/pcenhance/ms/preview.phtml?blank+5487
    deleted: virus Email-Worm.Win32.VB.dp File: D:\System Volume Information\_restore{E044C1A7-B646-425B-9033-990254458C18}\RP168\A0012235.exe/data.rar\soremgu_.exe

    So I came to you for help in making sure I no longer have these things. I followed the READ ME FIRST thread and here are the 3 logs it tells me to attach.

    PS: ComboFix did NOT change my clock back to standard time; it left it in military time. Can I change this back myself, or is there a reason it has done this? LOL

    Thanks again
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This can only be removed by turning off System Restore on drive D and then turn it back on. Otherwise it will always be there. This removes restore points.

    You can fix your clock from Control Panel -> Regional and Language Options. On the Regional Options tab click the Customize button, then on the next form click the Time tab and change the Time format to what you want. It explains there what the lower case and upper case letters do. Upper case H is giving you the 24 hour clock setting.


    You have a few things to take care of.
    1. You have remnants from Symantec AV hanging around and you are running Kaspersky now. Run this: Norton Removal Tool (SymNRT)
    2. You have ewido anti-spyware 4.0 installed, which is no longer supported as it was purchased by Grisoft and has become AVG Anti-Spyware. You should uninstall Ewido and use AVG AS if you liked Ewido.
    3. Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

    After clicking Fix, exit HJT.

    After doing the above, run the C:\MGtools\GetLogs.bat file by double clicking on it. I want to make sure Symantec is gone.

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Feb 29, 2008
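The three HijackThis lines above show the two shapes a helper usually has to triage: an R3/O2-style entry whose last field is "(no file)" (an orphaned hook whose handler is gone), and an O4 autostart entry that runs a real executable. The following is an added example, not code from the thread, from MajorGeeks or from HijackThis itself: a small Python parser for those line shapes that separates the section, the name and the file target, and then marks entries as "fix" or "keep". The sample log is constructed (chaslang's three lines plus two made-up benign entries with a placeholder CLSID), the regular expressions assume the line formats visible in the thread, and the list of non-essential autostart names is constructed from the two names chaslang listed; a real log would need that list reviewed by hand.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the three lines chaslang listed, plus two constructed
# entries (a standard Windows autostart and a browser helper object with a
# placeholder CLSID) that a triage should leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
""".strip()

# Every HijackThis line starts with a section code ("R3", "O4", ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 autostart: HIVE\..\Key: [Value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# R3 search hook: URLSearchHook: Name - {CLSID} - file or "(no file)"
R3_RE = re.compile(r"^URLSearchHook: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")

# Constructed from the thread: autostart value names chaslang asked to remove.
OPTIONAL_AUTOSTART = {"QuickTime Task", "SunJavaUpdateSched"}


@dataclass
class Entry:
    section: str
    kind: str      # registry location or hook type
    name: str      # value name / display name
    target: str    # executable, DLL or "(no file)"
    raw: str       # the original log line
    verdict: str = "keep"
    reason: str = ""


def command_path(command: str) -> str:
    """Return just the executable from a Run value: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_line(line: str):
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4" and (o4 := O4_RE.match(body)):
        kind = f"{o4['hive']}\\..\\{o4['key']}"
        return Entry(section, kind, o4["name"], command_path(o4["command"]), line)
    if section == "R3" and (r3 := R3_RE.match(body)):
        return Entry(section, "URLSearchHook", r3["name"], r3["target"], line)
    # Generic fallback: HijackThis separates fields with " - "; the last one is the target.
    kind, _, rest = body.partition(":")
    parts = rest.strip().split(" - ")
    return Entry(section, kind, parts[0] if len(parts) > 1 else "", parts[-1], line)


def triage(entry: Entry) -> Entry:
    if entry.target.strip() == "(no file)":
        entry.verdict = "fix"
        entry.reason = "orphaned entry: the file or handler it points to no longer exists"
    elif entry.section == "O4" and entry.name in OPTIONAL_AUTOSTART:
        entry.verdict = "fix"
        entry.reason = "non-essential autostart item listed for removal in the thread"
    return entry


def parse_hjt(text: str):
    """Parse a whole log and attach a verdict to every recognised entry."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def lines_to_fix(text: str):
    """The raw lines a user would tick in HijackThis before clicking Fix."""
    return [e.raw for e in parse_hjt(text) if e.verdict == "fix"]


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(f"{e.verdict:4} {e.section} {e.name!r:24} -> {e.target}  {e.reason}")
```

Running it prints one row per entry; only the first three sample lines receive the "fix" verdict, matching chaslang's list. Anything the parser does not recognise falls through to the generic " - " split, so a new section type is still listed rather than silently dropped.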
  3. krylinost

    krylinost Private E-2

    Good to know; I'm learning a little from using your site so much. I had already figured out the part about turning off System Restore and rebooting from something I read a while back, and I knew the Symantec was still hanging around, but I didn't think it was causing me any issues... (I'm curious as to why it needed to be removed? Was it, or could it have caused any issues? Just want to know as part of learning.)

    As far as how everything is running, to be honest my system has been running just fine. But I pay attention to what Kaspersky is telling me when it pops up with anything, and I try to understand so I know what's going on with my computer. I saw the mail worm thing pop up twice in 2 days and wasn't sure why, because I haven't opened any email with downloads other than what pictures show up as part of the email. And I figure with a mail worm it's not going to have/show any symptoms to alert a person to get rid of it, so it can silently spread itself. Of course that's just thinking out loud because I have no idea how mail worms really work.

    Anyway, here's the log.

    Chris
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was still running and interfering with the proper operation of Kaspersky. Remember the early part of the READ ME... it said only one antivirus should be installed. This is very important. Also, it was wasting system resources. It is gone now though! ;)


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: the space between the X and the /U must be there.
    2. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete C:\MGlogs.zip.
    3. After doing the above, you should work thru the below link:
     
