
Advice On This Please!


10 replies to this topic

#1 waterface

waterface

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 10 September 2007 - 10:37 AM

Hi
I've been experiencing a temperamental PC.
It started the other night when I downloaded 'Shareaza' to share files etc. I've since uninstalled this programme.
My AVG free edition found several trojans while file sharing, which I deleted.
After uninstalling Shareaza, I ran AVG & Spybot Search & Destroy.
AVG found nothing, but Spybot found:-
5 entries of Virtumonde
It said it had deleted them, hence the big green ticks.

I googled Virtumonde & saw instructions from this site on how to erase this problem with VundoFix & VirtumundoBeGone.
I ran VundoFix & it found 4 files & VBG found nothing. I then ran VundoFix again & it was clear, so I guess Virtumonde has gone!

Since I used 'Shareaza', I've had a ZoneAlarm program alert that appears when I reboot my PC!
This has coincided with the Virtumonde presence.
It appears before I go online, which is unusual, as it says it's wanting to access the internet!

It says:-

tmp24.tmp.exe is trying to access the internet!!

What could this be? I've googled it & it says it's a trojan, but AVG can't see it.
I clicked Start/Search/Files or Folders & I entered this & it found:-
TMP24.TMP.EXE-35EACD.pf
PF File
In folder C:\WINDOWS\prefetch
modified on 9/9/07 (the day I noticed it on my PC via the ZA program alert)

What can this be, should I attempt to erase this & how?

Many thanks
wf



#2 jwinathome

jwinathome

  • Members
  • 1,360 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, Georgia
  • Local time:04:09 PM

Posted 10 September 2007 - 10:43 AM

Please download ATF Cleaner by Atribune.
(This program is for XP and Windows 2000 only)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Edited by jwinathome, 10 September 2007 - 10:43 AM.


#3 waterface

waterface
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 10 September 2007 - 12:59 PM

jwinathome
Thanks, but I did as you said & I'm still getting the ZoneAlarm security alert when I start my PC & all desktop icons have loaded up!

I downloaded the ATF Cleaner, ran it & it said it had freed 6, 640.000 items.
I rebooted the PC & ran it again & it had then freed another 2, 400.000 items.

The 'tmp24.tmp.exe' is still wanting to access the internet

wf

#4 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:09 PM

Posted 10 September 2007 - 02:58 PM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

SAS will remove a lot of Vundo malware.

Let us know the results of the scan, please.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 waterface

waterface
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 10 September 2007 - 05:17 PM

Since I ran ATF Cleaner, this website looks different & so do many more I open. Could ATF Cleaner have removed some things that I wouldn't want removed??
Things are scattered about & there are no segregations between each post! Things are in different places!!
Under each username, there is nothing too!
I've tried a system restore, but it won't allow me to do that unless I use today's date!!

#6 waterface

waterface
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 11 September 2007 - 06:27 AM

I ran this last night :-

Please download the OTMoveIt by OldTimer.

* Save it to your desktop.

================

Go to Start > Run and type

cmd

and OK. Type the below commands and hit "Enter" after each line

sc stop DomainService
sc delete DomainService


Type Exit to close.

========================



* Please double-click OTMoveIt.exe to run it.
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\Documents and Settings\user\Application Data\tmp24.tmp.exe




* Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
* Click the red Moveit! button.
* Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

It worked, as after I rebooted, the ZA security alert didn't appear!! I thought all was OK, but not!
This morning it came back.

After running ATF Cleaner, some sites including this one don't seem to load up properly. There is no segregation between posts & it is all spaced out & no boxes around posts! Could ATF Cleaner have removed anything I don't want removing?
Help

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:09 PM

Posted 11 September 2007 - 12:56 PM

Caution: OTMoveIt is a powerful program, designed to move highly persistent files and folders and is normally used by malware removal experts who are helping others to investigate and remove malware infections in the Hijackthis forum. It is intended to be used under the guidance and supervision of an expert. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 waterface

waterface
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 11 September 2007 - 01:20 PM

Thanks
I posted on a PC web forum ages ago about my issue & was given the response above as how to use the OTMoveIt.
I shall post my HijackThis log on the appropriate forum.

I just don't know why the tmp24.tmp.exe went away & has returned!

I just did a Panda NanoScan & it said I have a trojan downloader!! & my Spybot said I have a CoolWebSearch issue!! Aagh.
I ran CWShredder & it said I was fine though, confusing to say the least!!

wf

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:09 PM

Posted 11 September 2007 - 01:32 PM

Yes, some malware infections can be confusing and can be difficult to remove without assistance from an expert. Good luck.

#10 waterface

waterface
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 11 September 2007 - 05:15 PM

buddy215, this is what Super Antispyware found :-
Adaware Azula
Malware Drive Cleaner
Malware System Doctor

Should I delete them or keep them in quarantine??

wf

#11 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:09 PM

Posted 11 September 2007 - 05:30 PM

You can delete them. Those are "rogue" programs. You should also post the Hijack This log in the Hijack This forum.



