Author Topic: My mom's computer is infected. Help please?  (Read 22973 times)


wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #30 on: August 27, 2008, 01:25:28 AM »
great news
system should be running better
as DavidR suggested that was most likely a false positive and now we know it was (unless it was so new that you are the first victim)
so ignore all of those hits
Please zip and upload the file to virus@avast.com
put a link to your virus total results in the text
If avast will not let you do it then disable avast standard scanner for a moment
then turn it back on

What is this CCU_Suite from AOHell that is causing this issue ?
best search for this and Nuke it

Let's re-run Kaspersky to make sure the hits it found are gone
you could also run a scan with Super Anti Spyware -quarantine- do not remove/delete
run the secunia software inspector and get Mom up to date
« Last Edit: August 27, 2008, 01:31:19 AM by wyrmrider »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: My mom's computer is infected. Help please?
« Reply #31 on: August 27, 2008, 02:20:52 AM »
Yes most certainly a false positive.

Since you have the sample in the suspect folder, avast will let you zip and password protect it.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Periodically check it (scan it in the chest, as you can't scan it in an excluded location), there should still be a copy in the chest even if you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #32 on: August 27, 2008, 04:06:27 AM »
Thank you very much for the help everyone! I have run secunia and all of her software should be up to date. I also finally got her to agree to join the 21st century and stop using aol. I will run another online scan tomorrow and post the results. I will try and remove every bit of aol software that I can find. And lastly I will send the file in question to avast the first chance I get!

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #33 on: August 27, 2008, 04:48:15 AM »
go TEAM
I'll be looking for the Kaspersky and SuperANtispyware results
new version out today- good timing
then we'll talk some about prevention for mom

Offline DavidR

Re: My mom's computer is infected. Help please?
« Reply #34 on: August 27, 2008, 02:59:00 PM »
You're welcome, glad I could help.

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #35 on: August 28, 2008, 04:25:02 AM »
Here is my mom's Kaspersky report

Wednesday, August 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 27, 2008 19:57:46
Records in database: 1151889
Scan settings
Scan using the following database    extended
Scan archives    yes
Scan mail databases    yes
Scan area    My Computer
C:\
D:\
E:\
Scan statistics
Files scanned    77567
Threat name    1
Infected objects    1
Suspicious objects    0
Duration of the scan    01:12:53

File name    Threat name    Threats count
C:\Program Files\Magentic\bin\magentic_install.exe   Infected: not-a-virus:Downloader.Win32.ImLoader.f   1   
The selected area was scanned.

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #36 on: August 28, 2008, 04:47:11 AM »
can you go online to virustotal and upload that file

Offline DavidR

Re: My mom's computer is infected. Help please?
« Reply #37 on: August 28, 2008, 02:55:06 PM »
I think the key points here are a) Kaspersky prefixes the name with not-a-virus b) did you install Magentic, whatever that might be?
« Last Edit: August 28, 2008, 03:00:53 PM by DavidR »

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #38 on: August 28, 2008, 08:14:29 PM »
However the not-a-virus thing can also mean: since we (Kaspersky) are an anti-virus company, do not expect us to fix this for you :)
so let's check it out
as DavidR says, is that file from a trusted source?

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #39 on: August 31, 2008, 11:10:04 PM »
I don't know. It appears to be some sort of wallpaper program so it's probably anything but trusted. It is not available in add/remove programs. I was just going to delete the folder but I will wait for advice first. Here is the log from virustotal. I hope it isn't too long. There was a lot of information on it.

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.8.29.0   2008.08.29   -
AntiVir   7.8.1.23   2008.08.31   SPR/Dldr.ImLoader.F.1
Authentium   5.1.0.4   2008.08.30   -
Avast   4.8.1195.0   2008.08.31   -
AVG   8.0.0.161   2008.08.31   -
BitDefender   7.2   2008.08.31   -
CAT-QuickHeal   9.50   2008.08.29   Downloader.ImLoader.f (Not a Virus)
ClamAV   0.93.1   2008.08.31   -
DrWeb   4.44.0.09170   2008.08.31   -
eSafe   7.0.17.0   2008.08.28   Downloader.Win32.ImL
eTrust-Vet   31.6.6057   2008.08.29   -
Ewido   4.0   2008.08.31   Not-A-Virus.Downloader.Win32.ImLoader.f
F-Prot   4.4.4.56   2008.08.30   -
F-Secure   7.60.13501.0   2008.08.31   Downloader.Win32.ImLoader.f
Fortinet   3.14.0.0   2008.08.31   -
GData   19   2008.08.31   -
Ikarus   T3.1.1.34.0   2008.08.31   not-a-virus:Downloader.Win32.ImLoader.f
K7AntiVirus   7.10.433   2008.08.30   not-a-virus:Downloader.Win32.ImLoader.f
Kaspersky   7.0.0.125   2008.08.31   not-a-virus:Downloader.Win32.ImLoader.f
McAfee   5373   2008.08.29   -
Microsoft   1.3807   2008.08.25   -
NOD32v2   3401   2008.08.30   -
Norman   5.80.02   2008.08.29   W32/DLoader.FSLC
Panda   9.0.0.4   2008.08.31   Adware/KeenValue
PCTools   4.4.2.0   2008.08.31   -
Prevx1   V2   2008.08.31   Malicious Software
Rising   20.59.61.00   2008.08.31   -
Sophos   4.33.0   2008.08.31   -
Sunbelt   3.1.1592.1   2008.08.30   -
Symantec   10   2008.08.31   -
TheHacker   6.3.0.6.068   2008.08.30   Aplicacion/ImLoader.f
TrendMicro   8.700.0.1004   2008.08.31   -
ViRobot   2008.8.30.1357   2008.08.30   -
VirusBuster   4.5.11.0   2008.08.31   -
Webwasher-Gateway   6.6.2   2008.08.31   Riskware.Dldr.ImLoader.F.1
Additional information
File size: 484928 bytes
MD5...: dcda3fe4e38b44b7c4f9c560afd6b459
SHA1..: c79bed56fb09875434ff1b9be3a14874d08b3f89
SHA256: 311c03a96fa0645f4f09248df267aeabe8f995bd128f6b7c793e9f91b66828fe
SHA512: 31b043397dc6a5327d06fd8bfed2769e2990da8a93b3a409dbe1c07cb28729679ef63f8813eeca7cbf3fd5895c2d584ff98012384a520c4090da177c4b97553f
PEiD..: Armadillo v1.71
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x43899b
timedatestamp.....: 0x45e2dbc5 (Mon Feb 26 13:08:21 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x430a4 0x44000 6.53 6de93ca20a01840fdedcbf3992ffb68d
.rdata 0x45000 0x7d34 0x8000 4.90 abbf0b94d52edebb44c3adc2395d349d
.data 0x4d000 0xa684 0x7000 4.88 e46b00c9fd1c474c60f600319d9b3104
.rsrc 0x58000 0x20550 0x21000 6.20 900e44b2ffbf9b550c83f3e26e6aedee

( 12 imports )
> urlmon.dll: URLDownloadToCacheFileA
> WININET.dll: InternetSetOptionA, InternetCloseHandle, InternetOpenUrlA, DeleteUrlCacheEntry, HttpQueryInfoA, InternetReadFile, HttpSendRequestA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetConnectA, InternetAutodial, InternetGetConnectedState, InternetGetCookieA, InternetOpenA
> VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
> SHELL32.dll: ShellExecuteExA, SHGetSpecialFolderLocation, SHGetMalloc, SHGetPathFromIDListA
> COMCTL32.dll: ImageList_Draw, ImageList_Destroy, ImageList_Create, ImageList_Add, InitCommonControlsEx, ImageList_AddMasked
> KERNEL32.dll: CloseHandle, CreateFileA, CreateDirectoryA, SetFileAttributesA, SetFileTime, DosDateTimeToFileTime, WideCharToMultiByte, FindNextFileA, FindClose, FindFirstFileA, MultiByteToWideChar, lstrlenA, lstrlenW, GetShortPathNameA, GetModuleHandleA, GetModuleFileNameA, SetEvent, InterlockedDecrement, WaitForSingleObject, CreateThread, CreateEventA, QueueUserAPC, ReleaseMutex, Sleep, lstrcmpiA, GetCurrentThreadId, GetCommandLineA, GetLastError, CreateMutexA, InitializeCriticalSection, HeapDestroy, DeleteCriticalSection, FreeLibrary, GetProcAddress, LoadLibraryA, lstrcpyA, lstrcatA, InterlockedIncrement, LeaveCriticalSection, EnterCriticalSection, TlsSetValue, OutputDebugStringA, WriteFile, TlsGetValue, GetLocalTime, SetUnhandledExceptionFilter, GetCurrentProcess, GetSystemDefaultLangID, GetSystemDirectoryA, SetCurrentDirectoryA, SetThreadPriority, WaitForMultipleObjects, GetExitCodeThread, ReadFile, GetFileSize, GetExitCodeProcess, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, DeleteFileA, RemoveDirectoryA, GetVersionExA, GetTempPathA, GetEnvironmentVariableA, SleepEx, SetFilePointer, LocalFree, FormatMessageA, CopyFileA, GlobalFree, TerminateProcess, lstrcmpA, FlushInstructionCache, LocalLock, LoadLibraryExA, GetPrivateProfileStringA, GetPrivateProfileIntA, GetPrivateProfileSectionNamesA, TlsAlloc, TlsFree, RtlUnwind, GetFileType, HeapFree, HeapAlloc, InterlockedExchange, GetVersion, ExitProcess, LCMapStringA, LCMapStringW, GetCPInfo, CompareStringA, CompareStringW, HeapSize, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, SetStdHandle, GetStartupInfoA, SetEndOfFile, SetHandleCount, GetStdHandle, GetFileAttributesA, ExitThread, HeapReAlloc, RaiseException, SetLastError, FlushFileBuffers, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, GetStringTypeA, GetStringTypeW, GetACP, GetOEMCP, IsBadReadPtr, IsBadCodePtr, SetEnvironmentVariableA, GetCurrentThread, GetLocaleInfoW
> USER32.dll: CallWindowProcA, UnregisterClassA, DrawFocusRect, CopyRect, EnableWindow, GetNextDlgTabItem, GetFocus, GetKeyState, CharLowerA, CreateDialogParamA, wsprintfA, IsChild, FillRect, GetDesktopWindow, CreateAcceleratorTableA, ReleaseCapture, SetCapture, InvalidateRgn, GetWindowPlacement, InflateRect, EndPaint, ScreenToClient, MoveWindow, LoadImageA, LoadBitmapA, ExitWindowsEx, DialogBoxParamA, RedrawWindow, InvalidateRect, DestroyIcon, SetRectEmpty, GetParent, GetWindow, GetWindowRect, GetClassInfoExA, MapWindowPoints, GetDC, GetWindowTextLengthA, GetDlgItem, GetWindowLongA, SetWindowLongA, GetClientRect, LoadIconA, ReleaseDC, SetWindowPos, GetSystemMetrics, EndDialog, GetActiveWindow, PeekMessageA, CreateWindowExA, GetMessageA, DispatchMessageA, IsWindow, DestroyWindow, RegisterClassExA, FindWindowA, GetWindowThreadProcessId, EnumThreadWindows, PostMessageA, IsWindowVisible, GetClassNameA, IsIconic, ShowWindow, SetForegroundWindow, PostQuitMessage, GetSysColor, GetForegroundWindow, WaitForInputIdle, MsgWaitForMultipleObjectsEx, DrawTextA, GetSystemMenu, RemoveMenu, LoadCursorA, SetCursor, SetRect, SendDlgItemMessageA, GetWindowTextA, SetWindowTextA, RegisterWindowMessageA, DefWindowProcA, CharNextA, PostThreadMessageA, LoadStringA, SendMessageA, SetDlgItemTextA, SetFocus, BeginPaint, SystemParametersInfoA, DrawIcon, TranslateMessage
> GDI32.dll: SetBkColor, CreateCompatibleDC, SelectObject, StretchBlt, GetObjectA, DeleteObject, SetBkMode, GetStockObject, CreateSolidBrush, CreateCompatibleBitmap, SetTextColor, BitBlt, CreateFontIndirectA, DeleteDC, ExtTextOutA, GetDeviceCaps, GetTextExtentPoint32A
> ADVAPI32.dll: RegCloseKey, RegDeleteKeyA, RegEnumKeyExA, RegNotifyChangeKeyValue, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA, RegQueryValueExA, RegCreateKeyExA
> ole32.dll: CoTaskMemAlloc, OleLockRunning, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, CoRegisterClassObject, CoRevokeClassObject, CoDisconnectObject, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoTaskMemFree, ProgIDFromCLSID, CLSIDFromProgID, CLSIDFromString
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathFindFileNameA, UrlUnescapeA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A8C89B3A40FAC9026602072FC2B06200E179546B
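The two reports in this thread (the Kaspersky scan in reply #35 and the multi-engine table just posted) raise the same triage question the replies are circling: how many engines flag the file, how many of those use riskware wording such as not-a-virus or Adware rather than a malware name, and whether the import table explains the "Downloader" label. The script below is an added example, not code from the thread or from any of the vendors named. It parses the engine table copied verbatim from the post above, plus a constructed subset of the report's import lines; the PUP_MARKERS and CAPABILITY_APIS tables are my own heuristics, not any vendor's taxonomy.

```python
import re

# Constructed sample input: the engine table posted above, copied verbatim.
VT_RESULTS = """\
Antivirus     Version     Last Update     Result
AhnLab-V3   2008.8.29.0   2008.08.29   -
AntiVir   7.8.1.23   2008.08.31   SPR/Dldr.ImLoader.F.1
Authentium   5.1.0.4   2008.08.30   -
Avast   4.8.1195.0   2008.08.31   -
AVG   8.0.0.161   2008.08.31   -
BitDefender   7.2   2008.08.31   -
CAT-QuickHeal   9.50   2008.08.29   Downloader.ImLoader.f (Not a Virus)
ClamAV   0.93.1   2008.08.31   -
DrWeb   4.44.0.09170   2008.08.31   -
eSafe   7.0.17.0   2008.08.28   Downloader.Win32.ImL
eTrust-Vet   31.6.6057   2008.08.29   -
Ewido   4.0   2008.08.31   Not-A-Virus.Downloader.Win32.ImLoader.f
F-Prot   4.4.4.56   2008.08.30   -
F-Secure   7.60.13501.0   2008.08.31   Downloader.Win32.ImLoader.f
Fortinet   3.14.0.0   2008.08.31   -
GData   19   2008.08.31   -
Ikarus   T3.1.1.34.0   2008.08.31   not-a-virus:Downloader.Win32.ImLoader.f
K7AntiVirus   7.10.433   2008.08.30   not-a-virus:Downloader.Win32.ImLoader.f
Kaspersky   7.0.0.125   2008.08.31   not-a-virus:Downloader.Win32.ImLoader.f
McAfee   5373   2008.08.29   -
Microsoft   1.3807   2008.08.25   -
NOD32v2   3401   2008.08.30   -
Norman   5.80.02   2008.08.29   W32/DLoader.FSLC
Panda   9.0.0.4   2008.08.31   Adware/KeenValue
PCTools   4.4.2.0   2008.08.31   -
Prevx1   V2   2008.08.31   Malicious Software
Rising   20.59.61.00   2008.08.31   -
Sophos   4.33.0   2008.08.31   -
Sunbelt   3.1.1592.1   2008.08.30   -
Symantec   10   2008.08.31   -
TheHacker   6.3.0.6.068   2008.08.30   Aplicacion/ImLoader.f
TrendMicro   8.700.0.1004   2008.08.31   -
ViRobot   2008.8.30.1357   2008.08.30   -
VirusBuster   4.5.11.0   2008.08.31   -
Webwasher-Gateway   6.6.2   2008.08.31   Riskware.Dldr.ImLoader.F.1
"""

# Constructed subset of the report's import lines (same "> dll: a, b" shape).
PE_IMPORTS = [
    "> urlmon.dll: URLDownloadToCacheFileA",
    "> WININET.dll: InternetSetOptionA, InternetOpenUrlA, InternetReadFile",
    "> SHELL32.dll: ShellExecuteExA, SHGetSpecialFolderLocation",
    "> ADVAPI32.dll: RegCloseKey, RegSetValueExA, RegOpenKeyExA",
]

# My heuristic: vendor wording that means "riskware / potentially unwanted", not malware.
PUP_MARKERS = ("not-a-virus", "not a virus", "riskware", "adware", "spr/", "aplicacion")

# My heuristic: imports that explain why vendors file this under "Downloader".
CAPABILITY_APIS = {
    "URLDownloadToCacheFileA": "downloads a URL to a local file",
    "InternetOpenUrlA": "opens HTTP URLs",
    "ShellExecuteExA": "launches other programs",
    "RegSetValueExA": "writes registry values",
}

def parse_results(table):
    """Return [(engine, result)] from the table; columns are separated by 2+ spaces."""
    rows = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 4:
            rows.append((fields[0], fields[3]))
    return rows

def summarize(table, family):
    """Detection ratio, how many hits use PUP wording, and agreement on the family name."""
    rows = parse_results(table)
    hits = [(e, r) for e, r in rows if r != "-"]
    pup = {e for e, r in hits if any(m in r.lower() for m in PUP_MARKERS)}
    return {
        "engines": len(rows),
        "detections": len(hits),
        "pup_labelled": len(pup),
        "family_agreement": sum(family.lower() in r.lower() for _, r in hits),
        "malware_labelled": sorted(e for e, _ in hits if e not in pup),
    }

def capabilities(import_lines):
    """Map dll -> notes for the capability-relevant imports in "> dll: a, b" lines."""
    found = {}
    for line in import_lines:
        dll, _, names = line.lstrip("> ").partition(":")
        for name in (n.strip() for n in names.split(",")):
            if name in CAPABILITY_APIS:
                found.setdefault(dll, []).append(CAPABILITY_APIS[name])
    return found

if __name__ == "__main__":
    print(summarize(VT_RESULTS, "ImLoader"))
    print(capabilities(PE_IMPORTS))
```

On this table the script reports 13 of 35 engines detecting, 9 of those 13 using riskware wording, and 9 agreeing on the ImLoader family name; only four engines (eSafe, F-Secure, Norman, Prevx1) use a plain malware-style name. Combined with the urlmon/WININET/SHELL32 imports, that pattern is consistent with a bundled installer that fetches and runs further components, which is exactly the "did you install it, is it from a trusted source" question the replies ask, rather than a self-spreading infection.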

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #40 on: August 31, 2008, 11:54:38 PM »
Bingo
What's incredimail?
do you have a paid for version of IncrediMail XE and Gold Membership?

If it's nothing you need
search for incredimail and remove anything you recognise? did you google?


examples from another post- yours will be different

C:\Program Files\Magentic\bin\magentic_install.exe
D:\IM Stuff\incredimail_install.exe   do you have this folder???
D:\PROGZ Group\   >>> do you have this folder?? who is PROGZ Group? if there. Could be on any drive
D:\PROGZ Group\IncrediMail\Build 2154 Info\incredimail_2154_install.exe
D:\PROGZ Group\IncrediMail\Build 2180\incredimail_instal_2180.exe
D:\PROGZ Group\IncrediMail\incredimail_install_Build 1888.exe

you might upload the file to virus at avast.com with a link to your VT results

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #41 on: September 01, 2008, 01:31:24 AM »
She isn't sure exactly what incredimail is, and the same for magenta. Neither of the programs is available in add/remove programs. I do see folders for each in program files. Should I just delete the program files for each, or should I be running some other tool?

Offline DavidR

Re: My mom's computer is infected. Help please?
« Reply #42 on: September 01, 2008, 02:25:10 AM »
Incredimail is an email program that makes use of lots of eye candy, smilie icons, etc. and IMHO more style than substance and we see lots of topics in the forums about problems with it.

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #43 on: September 01, 2008, 03:41:38 AM »
First try start>programs and see if there is a listing with an uninstall
second check the folders for an uninstall
anything in "program files"?
Actually this might be one where genuine Lavasoft AD-Aware would work :)
I'm not going back to look but did you scan with spybot search and destroy??
It might also get this one and is a good scanner to have around in any case

if no luck with those two or if you just want to do it by hand use search on all possible combinations and zap
then search the registry with regedit search function
if any questions post back
this may be adware but it does come up as a problem child
and once you click the EULA who knows who their "affiliates" and "partners" are