Just Got Infected From A Myspace.com Profile That Was A Direct Link To A Virus That Auto-downloaded Itself, Help Please.


28 replies to this topic

#1 Arma


Posted 24 May 2006 - 04:30 AM

Hi,

I need help. I have BitDefender on and my firewall was on (the firewall of my computer, not the firewall of BitDefender), but the virus still got itself onto my Temporary Internet Files, and each time I do: Tools, Internet Options, Delete the files, I get 2 warnings from BitDefender saying that BitDefender blocked the virus and that my computer didn't get infected.

The names of those 2 viruses are: Trojan.JS.Obsq.Gen and Exploit.Win32.WMF-PFV

I am running a scan with Ewido and so far it's at 60.1% and it found 31 infected objects :/

Please, someone let me know what should be done. What I think is those viruses didn't get any further than my Temporary Internet Files (since BitDefender was on), but I am just not sure...

Someone help, please.



#2 quietman7


Posted 24 May 2006 - 04:38 AM

Let Ewido finish its scan and fix everything it finds.

Then download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Arma


Posted 24 May 2006 - 04:41 AM

Thanks! But... it didn't work :'( didn't think it was gonna be that easy though...

#4 Arma


Posted 24 May 2006 - 04:53 AM

I ran a second scan with Ewido, it didn't find anything this time. But I still get those 2 virus warnings each time I do: Tools, Internet Options and Delete Files...

#5 Arma


Posted 24 May 2006 - 05:14 AM

Ok more info, I think the viruses are located here:

C:\Documents and Settings\XXXXXXX*\Local Settings\Temporary Internet Files\Content.IE5

(*the XXXXXXX represents my name)

and in there, there are 21 folders + a DAT file that is of 8.43 Mo

The 21 folders have names such as: 0ZUUL8V6, 3USZRDWH, 6B8J2XEX etc...

#6 quietman7


Posted 24 May 2006 - 07:49 AM

Exploit.Win32.WMF-PFV is a WMF (Windows Meta-File) rendering exploit. The rendering bug that is exploited lies in the Windows Picture and Fax Viewer.

See Microsoft Security Bulletin MS06-001 for the patch.

BitDefender detects this exploit so let BitDefender delete detected files.

You should be able to safely delete everything inside your Temporary Internet Files. Clean out your Temporary Internet files as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Run Disk Cleanup and make sure all the boxes are checked. Go to Start > Run and type: cleanmgr
Let it scan your system for files to remove. Put check marks in the boxes for all Temp related files and the Recycle Bin.

Download and scan with Ad-Aware SE Personal. Setup & Configure as shown here.
Download and scan with Spybot S&D 1.4. Setup & Configure as shown here.
[DO NOT choose the option to install TeaTimer]
Note: If you encounter any error messages while downloading the updates, manually download them from here.

Perform these online Virus scans:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall Scan
Panda ActiveScan [ActiveScan Panda does not remove adware/spyware but will autoclean for viruses & worms.]
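A triage sketch for the situation in posts #5 and #6, added here as an example and not part of the original thread: it walks a cache folder such as Content.IE5, recognises WMF files by content rather than by extension, and reports any that carry a META_ESCAPE record calling SETABORTPROC, the record type behind the flaw patched by MS06-001. The function names `inspect_wmf` and `scan_cache` are this example's own; the constants come from the WMF file format.

```python
import os
import struct
import sys

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # optional 22-byte placeable header
META_ESCAPE = 0x0626                    # WMF record function: Escape
SETABORTPROC = 0x0009                   # escape function that registers a callback

def inspect_wmf(data):
    """Return None if data is not a WMF, else a list of findings (may be empty)."""
    off = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    findings = []
    pos = off + 18                      # first record follows the 18-byte header
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:              # malformed record: stop instead of looping
            findings.append("malformed record at offset %d" % pos)
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            (esc,) = struct.unpack_from("<H", data, pos + 6)
            if esc == SETABORTPROC:
                findings.append("META_ESCAPE/SETABORTPROC at offset %d" % pos)
        if func == 0:                   # META_EOF terminates the record list
            break
        pos += size_words * 2           # record size is counted in 16-bit words
    return findings

def scan_cache(root):
    """Walk a cache directory; yield (path, findings) for every WMF by content."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)   # first 1 MiB is enough for triage
            except OSError:
                continue                      # locked or unreadable cache entry
            result = inspect_wmf(data)
            if result is not None:
                yield path, result

if __name__ == "__main__":
    for found_path, found in scan_cache(sys.argv[1]):
        print(found_path, found or "WMF, no SETABORTPROC record")
```

Files the script reports are candidates for the antivirus to quarantine; an empty findings list only means the file is a WMF without that record.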

#7 Arma


Posted 24 May 2006 - 09:48 AM

Ok, I went as far as starting the scan with Ad-Aware SE but it seems it's stuck at that point: C:\Documents and Settings\XXXXXXX\Local Settings\Temporary Internet Files :/

When you say: "Quit Internet Explorer and quit any instances of Windows Explorer." you mean close every internet page? Or is it something else? Cause I did like you said and it didn't seem to delete the Temporary Internet files (since the virus made its nest in them)...

So yeah basically Ad-Aware is stuck and wouldn't get past this point...

#8 quietman7


Posted 24 May 2006 - 09:55 AM

Try doing the Ad-aware and Spybot scans in SAFE MODE.

#9 Arma


Posted 24 May 2006 - 09:57 AM

Thanks I'll try that! ^^

#10 Arma


Posted 24 May 2006 - 10:22 AM

Okay, I did like you said and Ad-Aware only found 3 threats (while not in safe mode it found around 28 threats O_O) so I removed them and I tried again to erase the Temporary Internet Files and I get the same result. I am gonna run an Active Scan Pro now.

#11 quietman7


Posted 24 May 2006 - 10:27 AM

OK. Let us know how the scan goes.

#12 Arma


Posted 24 May 2006 - 10:52 AM

ActiveScan Pro said:

Malicious software has been found!

1 Spyware and

4 Hacking Tools and potentially unwanted tools

I can get rid of them for... 12.95 =_=

Here is the saved scan report:

1. Potentially unwanted tool: Application/Processor

C:\Documents and Settings\COLLINS\Bureau\AntiPuper.exe[P]

2. Potentially unwanted tool: Application/Processor

C:\Documents and Settings\COLLINS\Bureau\l2mfix\Process.exe

3. Potentially unwanted tool: Application/Processor

C:\Documents and Settings\COLLINS\Bureau\l2mfix.exe[l2mfix/Process.exe]

4. Potentially unwanted tool: Application/Processor

C:\Documents and Settings\COLLINS\Bureau\VirtumundoBeGone.exe[]

5. Spyware:Cookie/Com.com

C:\Documents and Settings\COLLINS\Cookies\collins@com[1].txt

#13 Arma


Posted 24 May 2006 - 10:59 AM

Actually none of those are viruses.

They are programs that I installed when I was infected before, but this one I dunno:

5. Spyware:Cookie/Com.com

C:\Documents and Settings\COLLINS\Cookies\collins@com[1].txt

I guess it is showing it as infected since I might be infected with Tracking Cookies.

#14 quietman7


Posted 24 May 2006 - 11:18 AM

No need to pay. These are all legit programs used to rid specific malware infections like L2Me and Vundo. You can delete them or move and save to a new folder elsewhere. If you leave them on your system, scanning tools are going to pick them up again so it may be best to just delete them. Besides, these types of fix tools are updated from time to time so you should always check for and download the newest versions prior to using.

The collins@com[1].txt cookie is just a tracking cookie which you can safely delete.

#15 Arma


Posted 24 May 2006 - 07:31 PM

Okay, but besides that stuff, what else can I do about my other problem? The other viruses are not showing up, it's in the Temporary Internet Files and it won't go away...



