
my love worm and lock1.exe


15 replies to this topic

#1 divchrome


Posted 04 October 2005 - 05:56 PM

I recently acquired a worm, I guess, called my love or something. It sent a link to all the buddies on my AIM buddy list saying look at me along with it. I have a McAfee program but it is a year old. It has detected the program and apparently cleaned and deleted it around ten times. Since these ten times I haven't noticed it going through the scenario where it sends it to all my buddies, so I am unaware of the current situation. Along with it, when I boot up my computer I now get a prompt to run a lock1.exe program, which I have been canceling, but my computer has been running incredibly slow since. I am not sure of the current situation with my computer and I could use some help.



#2 HappyShiner


Posted 04 October 2005 - 06:01 PM

Hi there and welcome to Bleeping Computer,

Download and run McAfee AVERT Stinger tool

http://vil.nai.com/vil/stinger/

*WARNING* You will be prompted to disable System Restore during the installation procedure of the Stinger tool. Please do not disable System Restore!

Scan with it and let it remove all it finds, at the same time let us know 'what' if anything it removes.

Big Smiles

HS

#3 divchrome


Posted 04 October 2005 - 06:07 PM

I have Ad-Aware SE Personal. Will it achieve the same result?

#4 HappyShiner


Posted 04 October 2005 - 06:24 PM

Hi there,

In short...'no'. The two scanners are created for completely different purposes. One is to detect spyware/'some' trojans (Ad-Aware), the other viruses (Stinger). What you describe as having been infected by is a virus. Having said that, running Ad-Aware will cause no harm at all and is worth doing...it certainly may help...but run both. If both scanners come up positive, then we need to take some more steps...let me know :thumbsup:


Big Smiles

HS

#5 divchrome


Posted 04 October 2005 - 07:46 PM

Well, I ran both and my Ad-Aware program found two files designated worm files, which I quarantined and deleted. Nothing was found by Stinger. My computer still seems a little slow but nothing extreme. Hopefully that's all there is to it. Thanks for the help.

#6 acklan


Posted 04 October 2005 - 07:59 PM

Hi, and :thumbsup: to BC.

Try Ewido Security Suite. It is full version for 14 days, and is an excellent tool. After the trial it is still a full scanner, you just can remove the spyware/virus' after 14 days without buying it.
"2007 & 2008 Windows Shell/User Award"

#7 HappyShiner


Posted 04 October 2005 - 08:14 PM

Hi, and :thumbsup: to BC.

Try Ewido Security Suite. It is full version for 14 days, and is an excellent tool. After the trial it is still a full scanner, you just can remove the spyware/virus' after 14 days without buying it.

Yes, excellent advice...please scan with Ewido....the reason..you have found stuff on your machine...it's still not running right..something is causing that. We need to find what it is and remove it...then you'll have your computer back :flowers:

Big Smiles

HS

#8 dc3


Posted 04 October 2005 - 08:15 PM

I agree, it finds more than other programs.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#9 divchrome


Posted 06 October 2005 - 02:24 PM

I downloaded and ran Ewido. It found a lot of programs that the worm I had infected. I ran it again and nothing was on it. My computer was working fine afterwards until yesterday. It is slower than ever and has frozen twice, where I had to manually turn it off. I don't know if the worm is capable of still copying. I checked the quarantine file on Ewido and saved them. I am unsure whether to hit the "remove finally" button in the quarantine section. Is there anything else I can do?

#10 HappyShiner


Posted 06 October 2005 - 03:37 PM

Hi there,

It won't do any harm to remove those in quarantine, it won't make any difference either. There are clearly elements of the trojan or worm still on your machine that is reinstalling itself once cleaned, therefore, we need to get rid of all of it. But, since it was fine for a while after cleaning with Ewido we know that malware is the cause ;)

Please perform an online virus scan with at least two of the sites below (more won't hurt):


BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options

Panda ActiveScan
http://www.pandasoftware.com/activescan
Make sure you tick Disinfect automatically under Scan Options

Housecall at TrendMicro
Trend Micro Anti-Spyware-scan
Click the Scan and Clean your PC and save it to your desktop.

* Doubleclick tmas-web-scan.exe-icon on your desktop
* Click agree to accept the terms of the license.
* After loading the definitions, click Start Scan
* When the scan is done, click Scan Results
* Check every item that was found (normally they are checked by default, so make sure they are all checked) and click Clean Threats Now
* A confirmation prompt will appear. Click OK
* Click Exit.

Reboot your computer.
After reboot, you'll see that the tmas-web-scan.exe-icon on your desktop will be gone, but there will be an Antispywarelog instead. It's a textfile.
Copy and paste the entire content of it in your next reply.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan

Or, if using Firefox,

TRENDMICRO-better for firefox

If you could make one of those scans by Panda and copy and paste in here the Panda log that would be great.


Then:

Please run full scans with Ad-Aware SE and Spybot-S&D as follows:
(If you already have Ad-Aware SE 1.06 and Spybot 1.4 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.lavasoftusa.com/support/download/
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.


Spybot Full Scan
Next, please download Spybot-S&D 1.4 from here:
http://www.safer-networking.org/en/mirrors/index.html
Install Spybot-S&D 1.4 and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again.

Note: The Ad-Aware and Spybot scans will yield better results if after updating them you run them in Safe Mode. Please post up anything that those two scanners find that is more serious than tracking cookies. If after those scans you want to run Ewido again that will help too, just update it first and running Ewido in Safe Mode will also yield better results.

Post up the Panda log and the other items requested and let me know if it has helped your problem :thumbsup:

Big Smiles

HS

#11 divchrome


Posted 06 October 2005 - 07:16 PM

I have not done all the steps yet. I have scanned with TMS and found nothing but cookie files. Although with the Panda program it detected a (or the) worm that was infecting my computer; below is the type of worm.

Common name: Sdbot.EFG

Technical name: W32/Sdbot.EFG.worm

Threat level: Low

Type: Worm

Effects: It spreads and affects other computers.


Affected platforms: Windows XP/2000/NT/ME/98/95


First detected on: July 1, 2005

Detection updated on: Sept. 30, 2005

In circulation? Yes

Proactive protection: Yes, using TruPrevent Technologies

It says it was disinfected but then gives me instructions regarding deactivate restore steps. I'm not sure what these steps are or if they apply. I downloaded the new Ad-Aware and the Spybot but have not rebooted my computer and run them in safe mode. What is my next step?

#12 divchrome


Posted 07 October 2005 - 01:08 PM

I have downloaded Spybot and Ad-Aware and ran them in safe mode along with Ewido, but nothing else has surfaced regarding the worm, only spyware. My computer is starting to run faster but I wanted to inquire about the restore steps that were suggested by the one program. Is this something I should do to guarantee the worm not coming back or is all well now?

#13 quietman7


Posted 07 October 2005 - 03:08 PM

If you're satisfied with your system's performance and there is no evidence of any other infections then you should purge your system restore points and start with a fresh restore point. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside.

Disable System Restore and then Enable System Restore to purge the old restore points. When done SET A NEW RESTORE POINT.

Instructions for XP: http://www.bleepingcomputer.com/forums/ind...showtutorial=56
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#14 divchrome


Posted 12 October 2005 - 01:18 PM

After cleaning out the virus I have not done a system restore disable/enable process. I have just turned my computer on for the first time in 5 days hoping that all would be back to normal but my computer took 15 minutes to start up fully and enable me to open applications. I don't know how I can get my computer back to the way it originally was before I was infected with the worm. I am running all the processes again to hope that maybe the more I run them the more of a chance my computer will return to normal. Please let me know if there is anything else I can do.

#15 HappyShiner


Posted 12 October 2005 - 01:35 PM

Hi there,

Glad to hear there is no virus remaining....sorry to hear things aren't working right. It looks like the worm may have corrupted some files. Let's see if we can fix them up :thumbsup:

Please download CCleaner from here:
http://www.ccleaner.com
Before first use, check under Cleaner Settings, Windows and ensure "Empty Recycle Bin", "Temporary Files", "Memory Dumps", "Old Prefetch Data", "Cookies" and "Temporary Internet Files" are checked. Please also go in under Options, Advanced and ensure the box next to "Only delete files in Windows Temp folders older than 48 hours" is 'unchecked'.

Then open it and select any other items you wish to clean up. This will remove any malware hiding in your Temporary Folders as well as freeing up a large amount of disc space :flowers:

Then:

Do a Disk Check
Go to properties of your C: (ALT + Click / Right-click)
Go to the "tools" tab.
At the first section, the "Error-checking" section, Click "Check Now"
Check both boxes and click start.
Click Yes at the prompt.
Reboot your computer.

Let it run through the check,.....then log into your account, then:

Start > Run > copy and paste in:
sfc /scannow
Click 'OK'
You will need your XP/2000*Grinler disk. If you don't have it and instead only have a recovery CD, there is a work around. View the following link for a tutorial:

http://www.updatexp.com/scannow-sfc.html

sfc - system file checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right click My Computer > manage, expand event viewer > system.


Then, check Windows Update and download and install all available updates. Finally, defragment.

Let me know if that solves the issue :trumpet:

Big Smiles

HS
