Author Topic: Please Help......very strange LoveLetter.vbs worm!!!!  (Read 3943 times)


GFC

  • Guest
Please Help......very strange LoveLetter.vbs worm!!!!
« on: January 19, 2008, 10:09:30 PM »
Hi there

I've discovered a few problems linked to LoveLetter.vbs but can't get rid of it. It's a bit complicated to explain so please bear with me whilst I try to explain the issues...........

Each time I opened Firefox and started to surf, I'd get various other Firefox windows opening with adverts. I scanned with Avast 4.0, AVG, Ad-Ware SE (all 3 are Home Editions) and Spybot S&D. I found nothing with any of these scans including Avast Boot Time Scan. However, I knew something was there as my system was so slow, my desktop photo had been overwritten and I kept getting the adverts opening in other Firefox Windows.

A friend suggested using ClamWIN anti-virus which I did. Whilst using ClamWIN (in Normal XP mode) Avast suddenly found LoveLetter.vbs in C:\Documents and Settings\"My user name"\Local Settings\Temp\clamav-fcd948e599fd513b7fceeb9929cac426d.00000dc0.clamtmp. When I looked in the Avast Chest the file that had been quarantined was called 'script.html'

I ran ClamWin again and again it found LoveLetter.vbs in the same folder but the file name had changed the alpha-numeric string between clamav- and -clamtmp

This continued each time I ran ClamWIN with the alpha-numeric string changing. I also found another version of the file in the Chest called 'comment.html'

At the same time I found some strange files (WHICH I CAN'T DELETE) in C:\Documents and Settings\"My user name"\Local Settings\Temp called 'Perflib_Perfdata_948.dat' and 'Perflib_Perfdata_f5c.dat' etc etc.....

Other strange files in the same folder are '~DF6D7D.tmp' and '~DF8AEA.tmp' etc etc......

I have deleted any files and registry keys associated with LoveLetter.vbs (as suggested in the Avast help pages about Worms etc) and since ran numerous scans finding nothing but I'm still worried that there may be something in the background. Each time I run ClamWIN the LoveLetter.vbs worm is still found by Avast On-Access scanner.

The only applications I've downloaded recently are VEOH and a Windows Media Player that lets you watch streaming TV (which I've now deleted).

I have now deleted ClamWIN, and ran AVAST, AVG, Ad-Ware SE, Spybot S&D and Zone Alarm scans and found nothing.........however the strange files mentioned above still exist............


SHOULD I BE WORRIED OR NOT????????.............PLEASE HELP





 

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #1 on: January 19, 2008, 10:18:13 PM »
I'd suspect avast! detected something in the Clam files- a virus signature rather than a real virus.

The adverts are probably the result of Adware.

Can you post a HijackThis! log please?

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

GFC

Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #2 on: January 19, 2008, 11:12:19 PM »
Thanks FWF for your reply. I've heard of Hijack before but not sure how to do it. Can you point me in the right direction please?

Offline FreewheelinFrank

Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #3 on: January 19, 2008, 11:19:31 PM »
There was a link in my previous post:

Can you post a HijackThis! log please?

 :)

GFC

Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #4 on: January 19, 2008, 11:32:00 PM »
Sorry, a few beers have blurred my vision ;D

I can't download Easy SpyRemover.......any ideas why??

Offline FreewheelinFrank

Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #5 on: January 19, 2008, 11:38:05 PM »
I've never heard of it. Seems to have been classed as a 'rogue' in the past:

http://www.spywarewarrior.com/rogue_anti-spyware.htm#esr_note

I'd recommend you stick to one of the well-known and trusted anti-spyware programs:

AVG Anti-Spyware Free (Requires Win2k/XP)

Ad-Aware Free

Spybot Search & Destroy

SUPERAntiSpyware Free

a-Squared Free



Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.



Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.

GFC

Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #6 on: January 20, 2008, 01:26:15 AM »
See attached Hi-jack.......sorry for the wait ???

Offline FreewheelinFrank

Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #7 on: January 20, 2008, 10:04:04 AM »
Well, there's nothing obvious in the log. This dead entry seems to be legitimate:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

http://www.castlecops.com/tk32132-htc_8_1_0178_00_dll.html

I think Easy SpyRemover is a waste of time: it has no proven track record and in fact a dodgy history:

O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart

If you decide to remove it, do so from Add/Remove Programs.

Your Sun Java application is out of date (the current version is jre1.6.0_04), which can lead to infection through security vulnerabilities.

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

The ads you are seeing suggest a Virtumonde infection, which often arrives through security holes in Java and can be hidden.

Run the two removal tools mentioned here:

http://www.bleepingcomputer.com/forums/topic18610.html

There is a new sneaky version that evades even these tools. ComboFix may help if the ads persist:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#use

Post the ComboFix log and one of the visiting experts will give you further advice if needed.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
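
The by-eye triage in Reply #7, written out as an added example that is not part of the original thread: it parses the three HijackThis lines quoted in that reply and flags the dead BHO, the autostart entry and the out-of-date JRE path. The O2/O4 line layout is inferred from those quoted lines only, the "current" JRE is the version the reply names, and `triage` and `jre_version` are hypothetical names.

```python
import re

# The three log lines quoted in Reply #7 (copied from the thread).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
"""
# Assumption: baseline is the version the reply calls current.
CURRENT_JRE = "jre1.6.0_04"

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", re.IGNORECASE)


def jre_version(text):
    """Return the JRE version found in text as a comparable tuple, or None."""
    m = JRE_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def triage(log, current_jre=CURRENT_JRE):
    """Return (section, name, note) for each O2/O4 line worth a second look."""
    findings = []
    baseline = jre_version(current_jre)
    for line in log.splitlines():
        line = line.strip()
        bho = BHO_RE.match(line)
        if bho:
            if bho["file"] == "(no file)":
                # Registry entry survives but the DLL is gone.
                findings.append(("O2", bho["clsid"], "dead BHO: registered, file missing"))
            else:
                ver = jre_version(bho["file"])
                if ver and ver < baseline:
                    findings.append(("O2", bho["name"], "outdated JRE in path"))
            continue
        run = RUN_RE.match(line)
        if run:
            # Every Run-key autostart is listed for manual review.
            findings.append(("O4", run["name"], "autostart: " + run["cmd"]))
    return findings


if __name__ == "__main__":
    for section, name, note in triage(SAMPLE_LOG):
        print(f"{section:3} {name:40} {note}")
```

A "dead BHO" flag only means the file is missing; as the reply notes, such an entry can be a leftover from legitimate software, so the CLSID still needs looking up.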

GFC

Re: Please Help......very strange LoveLetter.vbs worm!!!!
« Reply #8 on: January 20, 2008, 10:53:58 AM »
Thanks very much for all your help FWF, I'll post the Combo Fix log later