Author Topic: A virus problem, please help!!!  (Read 12473 times)

Serilda

  • Guest
Re: A virus problem, please help!!!
« Reply #15 on: June 12, 2008, 01:28:30 AM »
1. Don't restore without confirmation, extract it to a temp location and scan it at VT as in my first reply with instructions.

I did, and the only other scanner that caught anything (besides avast!) was this one:

VBA32   3.12.6.7   2008.06.09   suspected of Trojan.StartPage.41 (paranoid heuristics)


I ran the uninstall tool you gave me for getting rid of that McAfee file but after running the 2007 one from the link you gave, the file "O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -" is still in my HJT logfile. Is this something I need to be concerned about?


5. I would hope that one of them is your ISP, what is your ISP ?

My ISP is http://clearwave.com/main.php Clearwave Communications. It's a local company...I'm not sure how much that helps you ^^;

That is why I gave instructions on what to do if you jumped in with both feet and you lost your connection, you would at least be able to reverse the fix.

And I greatly appreciate that! Thank you for being patient with me.
« Last Edit: June 12, 2008, 01:34:42 AM by Serilda »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: A virus problem, please help!!!
« Reply #16 on: June 12, 2008, 02:44:57 AM »
OK it might still be a false positive detection as the other detection is using heuristics and a step further paranoid heuristics, which would be even more prone to false detection.

Since the avast detection was also a generic detection you should send it to avast for analysis and correction as required.

If it is indeed a false positive and I believe it is, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

OK now for the O17 entries:
Well this is the range of IP addresses for clearwave.com  64.83.240.0 - 64.83.255.255 so none of the O17 entries exactly match that range.

However this one is likely to be legit as it is at least in the USA. It is a similar case to my own, where my ISP gets customers but uses a major Internet Provider for its services, that may be the case for you with clearwave getting its service from ATT.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83

So I would say these ones are suspect:
The IP Location: Ukraine, Ukrtelegroup Ltd (as it relates to the IPs in these entries below)?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178

So I want you to ensure that in the Config section of HJT the "Make backups before fixing items" option is checked, see image. Now put a check mark to the left of the two entries above and now click the Fix selected button. Run HJT again and ensure the two entries have gone.

Disconnect from the internet and try to connect again, hopefully you should be able to connect and that should be the end of it.

If you can't and I think this would be a big if, then you would have to restore those fixes as I outlined in a previous post.

Before you do any of this I would suggest you print out everything in this topic so that you have the information to hand if you should need it.

That is me for the night as it is a little after 1:45 a.m. here, good luck.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
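The check described in Reply #16, comparing each O17 NameServer value against the ISP's address range, can be scripted. The following is an added example, not part of the original posts or of HijackThis; the log lines and the ISP range are the ones quoted in the thread, and the `confirmed` parameter (resolvers the user has verified with their ISP) is a hypothetical convenience.

```python
import ipaddress
import re

# O17 lines copied from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
"""

# Range given in the post for clearwave.com: 64.83.240.0 - 64.83.255.255
ISP_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("64.83.240.0"), ipaddress.ip_address("64.83.255.255")))

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry_key, [address tokens]) for each O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # The registry value may be comma- or space-separated.
        tokens = [t for t in re.split(r"[,\s]+", m.group("servers")) if t]
        yield m.group("key"), tokens


def review_nameservers(log_text, trusted_networks, confirmed=()):
    """Return {ip: sorted registry keys} for resolvers that are neither
    inside a trusted network nor individually confirmed by the user."""
    confirmed = {ipaddress.ip_address(c) for c in confirmed}
    findings = {}
    for key, tokens in parse_o17(log_text):
        for tok in tokens:
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:
                # Not a valid address at all: always worth a manual look.
                findings.setdefault(tok, set()).add(key)
                continue
            if ip in confirmed or any(ip in net for net in trusted_networks):
                continue
            findings.setdefault(str(ip), set()).add(key)
    return {ip: sorted(keys) for ip, keys in findings.items()}
```

With only the ISP range trusted, all four addresses are reported for review; passing the two 12.127.x.x resolvers as `confirmed` leaves just the 85.255.x.x pair and the two registry keys that hold it.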

Serilda

  • Guest
Re: A virus problem, please help!!!
« Reply #17 on: June 12, 2008, 06:11:31 AM »
OK it might still be a false positive detection as the other detection is using heuristics and a step further paranoid heuristics, which would be even more prone to false detection.

I've restored both files and sent a password locked zipped archive file with both in it to virus@avast.com. I've also added them to the exclusions list in avast.

Now, all of that stuff is new to me and I'm gonna run through what I did to make sure I didn't mess anything up. OK, so I wasn't sure how to make exclusions in Avast so what I did (I'm using the 4.8 home edition with the simple user interface) and the link you sent me had directions that were slightly different than what I did. I went to Settings tab, Settings..., Exclusions. And typed in the file location where it asked me to "enter mask." And I wasn't sure what a "mask" was so I wanted to check with you and make sure I didn't mess that one up.

I didn't really know how to make a regular folder into a zipped one. So I looked around the forum and in my help on my comp. The help section talked about making a new zipped folder the same way you make a new folder but for some reason when I look where I make new folders there is no option to create new zipped folders, like there's supposed to be apparently, but no matter! I opened up WinZip and looked around its help a little and figured out how to make a new archive. And so I encrypted that with a password and sent it to avast! (I couldn't use the emailing from the chest for some reason. I just kept getting an error message. I looked in the forums for help with that and no one really had a solution. I know you had success when changing it to MAPI instead of SMTP or vice versa. But I couldn't get either one to work for me. Both gave me error messages.)


Also, that McAfee file was still in my HJT logfile after I ran the uninstaller.


However this one is likely to be legit as it is at least in the USA. It is a similar case to my own, where my ISP gets customers but uses a major Internet Provider for its services, that may be the case for you with clearwave getting its service from ATT.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83

Yes, I'm sorry, I should've told you sooner though I didn't pay attention. These IP addresses are most certainly clearwave's. I had to manually put these in at the instruction of a tech person from clearwave who helped me get my wireless to start working.


So I would say these ones are suspect:
The IP Location: Ukraine, Ukrtelegroup Ltd (as it relates to the IPs in these entries below)?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178

I've deleted these and my connection still works fine. Thank you so much! I don't know why in the world I had IPs from the Ukraine on my comp but I'm glad they're gone. Thank you.

Serilda

  • Guest
Re: A virus problem, please help!!!
« Reply #18 on: June 12, 2008, 06:21:44 AM »
I'm sorry, I'm dumb...I realize where the standard Shield is now. Should I not have used that other area for typing in the exclusions?

Offline DavidR

Re: A virus problem, please help!!!
« Reply #19 on: June 12, 2008, 03:35:10 PM »
Re sending sample via the chest:
You a) need to be using an email client and pop3/smtp email and not webmail where you view your email via a browser and b) have completed the Program Settings, SMTP section. If I send from the chest I have to leave it on the default setting of MAPI, if I change it to SMTP my email would also fail.

If you can't send it from the chest it isn't an issue if you have been able to send it zipped and password protected.

The reason we suggest using the copy in the chest is it avoids having to zip and password protect, which some find more difficult.

You now need to run HJT again and fix the McAfee entry to remove that in the same way you did the O17 entries.

Re the O17 entries:
Some infections put entries directing you at servers to maintain control over your system so you are going through their servers to access the internet. Now they are gone that shouldn't be an issue.

Re Exclusions:
You need to add it to both locations, as the standard shield handles on-access scanning, if you or something else tried to open this it would be scanned by the standard shield. The Program Settings, Exclusions handles on-demand scans, which is where this was first detected.

Serilda

  • Guest
Re: A virus problem, please help!!!
« Reply #20 on: June 12, 2008, 07:50:17 PM »
Ok then, all of that is done. There's no more McAfee file and things seem to be running fine. And the "viruses" don't seem to be hurting anything, so probably nothing to worry about. I think it's pretty much fixed for now. Thank you sooooooooooooooooooooooooo much!!! I only have one more favor to ask.

I'm still having a little trouble with AIM video chatting. You wouldn't happen to know of any forums that might help? If you don't it's no big deal, I'm just curious. And I don't want you to go looking anywhere on the web for me, you've done enough. I just didn't know if you knew anything off the top of your head?

Thank you soooo much once again! You've been an amazing help, you have no idea! Thank you, thank you, thank you!

Offline DavidR

Re: A virus problem, please help!!!
« Reply #21 on: June 12, 2008, 08:23:13 PM »
Sorry I don't use any chat application so I can't say I have had a look at any forum/s like that.

Try this google search http://www.google.co.uk/search?q=trouble+with+aim+video+chatting modify it to be more specific to the problem you are experiencing.