at a loss to find the virus -- SOLVED!!!

[theladyupstairs]

i get unwanted webpages opening while i'm online, my computer is very slow, most of the time i need to force a shut down because it stops along the way.  

i have run avast & malwarebytes, normally & in safe mode many times.  

the only clue, maybe, is while shutting down, i get a message that daemon.exe is still closing down & that i should wait.  i went to a website that claims to explain daemon.exe and it tells me i have a virus called W32.selotima.A  i don't know how it knows that!  nevertheless, i don't know what to do.  

please help!

[polonus]

Hi theladyupstairs,

Read this: http://searchtasks.answersthatwork.com/tasklist.php?File=Daemon

Manual removal:
To recognize this infestation:

Files

1a) Copies itself to the following files in the default Windows\location:

daemon.exe
Infect.drv
Infectate.reg
Muerte.drv

N.B. location: location C:\Windows or C:\Windows\System
These are the standard installation locations , depends on type and version:

C:\Windows for (Windows 95/98/Me/XP) of C:\Winnt bij (Windows NT/2000).

C:\Windows\System for Win95/98/Me & c:\Windows\System32 bij Win2000, XP en NT)

Registry

2a) Adaptation of the registry-key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

With the value:

"Daemon" = "%Windir%\daemon.exe c daemon2.exe"

2b) Adaptation of the registry-key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "0x00000001"

polonus

[DavidR]

I somehow doubt it knows at all and is after money to clean it up (you may end up worse off), there are many such scams going on, don't run any scan offered and most certainly don't input any payment information.

Can you give some examples of these unwanted pages, change the http or www to hXXp or wXw so as to break the link and avoid possible exposure to malware ?
Does avast happen to alert when these sites are displayed ?
What is the general content of these unwanted web pages ?

What version of avast are you using avast 4.8 or 5.0 ?

Check this tool RuBotted to see if you have become part of a Zeus Bot net, http://majorgeeks.com/Trend_Micro_RUBotted_d5882.html

Also see, http://threatinfo.trendmicro.com/vinfo/web_attacks/ZeuS_ZBOTandKneberConnection.html.

[theladyupstairs]

thank you.  i found the same website.  and that's where i found the name of the virus.  but i don't know how to remove it.  avast doesn't pick it up, nor does malwarebytes.  what should i do?  please know i'm a simpleton so i need a somewhat simple explanation.  i appreciate your help.  thank you!

[theladyupstairs]

david - i'm using avast 4.8 free version.  i didn't save any of the pages, but i did check them on nortons website check & they were all considered "safe."  they've been related to some of my searches, like yellow pages, or spyware removal sites.  i'll save the names from now on.  meanwhile, what to do?

[theladyupstairs]

p.s. to david - no, avast didn't signal anything when the pages popped up.  it did block some malicious pages, but i didn't write down their names because it goes away so fast.  thanks for your help!!

[theladyupstairs]

p.p.s to david - after your good advice & warning, do you suggest i download HouseCall, which i found on the second site?

[DavidR]

I suggest that you install avast 5 (if you aren't using win9.x or winME that is, unsupported OSes) as it has additional detection routines and functions/features. It has been out for over 5 months now and avast 5.0.594 is the latest version.

Download the latest version of avast, 5.0.594 http://files.avast.com/iavs5x/setup_av_free.exe - Avast! Free antivirus Quick Start Guide http://files.avast.com/files/documentation/quick-start-guide-free-en-ww.pdf

You can install that over avast 4.8 and it will retain your registration info, uninstall avast 4.8 and install avast 5.0.


What is your OS ?

I wouldn't go for housecall right now, that should also be an on-line scanner and all it should need is to download some signatures and limited files, but it is still I would imagine a big download.

[DavidR]

david - i'm using avast 4.8 free version.  i didn't save any of the pages, but i did check them on nortons website check & they were all considered "safe."  they've been related to some of my searches, like yellow pages, or spyware removal sites.  i'll save the names from now on.  meanwhile, what to do?

Given that about the sites being related to your searches, it is less likely to be Zeus bot activity, so I would hold fire on that also.

I would suggest running an avast boot-time scan - From the avastUI (left click the avast orange icon), Scan Computer section, Boot-time Scan, Schedule Now button and reboot.
 
Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file, check this file using notepad for info on the scan/detections, etc.

[theladyupstairs]

thanks, david. in the meanwhile, i actually did download trend micro housecall & ran a scan.  it found nothing!  now, i understand you suggest i uninstall my current avast & install the 5.  version.  but what will happen in the time of rebooting - which takes forever, or doesn't happen at all?  won't i get flooded with viruses?  i'm scared.  i can't seem to restart without forcing a shut down.

[DavidR]

No need to uninstall the current version first, I didn't mention that at all in my Reply #7 - download the setup_av_free.exe link I gave (save it so you can find it again). Disconnect from the internet then run the file and it will take care of the uninstall of 4.8 and install of 5.0.

So whilst downloading this file you still have avast 4.8.

Obviously you can't do this if you have a housecall scan running.

What do you mean "i can't seem to restart without forcing a shut down." Surely you haven't done anything yet or is this a pre-existing condition ?

[theladyupstairs]

dear david - it's a pre-existing condition that started when my troubles began last week with the opening of unwanted web pages & lots of little glitchy stuff.  sometimes it shuts down and restarts & sometimes it doesn't.  meanwhile, i did install the 5.0 version of avast, as you suggested, on top of the old one & ran a boot scan.  no viruses detected.  how can that be?  i know it's not true.  anyway, i've picked your brains for a long time & just want to say thanks.  let me know if you have any other ideas.

best regards,

[DavidR]

Well what you are seeing may not be classed as a virus, it could be browser hijacking which is getting past not only avast but everything else that you have tried.

Are there any strange entries in windows Task Manager, Processes or in msconfig startup tab ?

That's me for the night, a after 4am here.

[theladyupstairs]

thanks for all your time, david.  sorry i kept you up so late.  i tried everything you suggested & then some.  i'm going to check all those things you mentioned tomorrow morning -- after i figure out how to look for them.  i haven't a clue as to how to locate "windows task manager, processes" but i will ask google in the morning.  i think i can find msconfig startup but i doubt i could recognize what a strange entry looks like.  nevertheless, i'll give it a try & will report back to you.  you've been a great guide. 
thank you!

[mrreg]

install screenshot captor and irfanview to take screenshots if it helps, it is free but lengthy to install.

lady, when avast gives you the pop up, trojan blocked (or whatever) and then disappears. fear not, because if you click on the avast maintenance tab and then click on chest, avast will have it stored in the chest keeping your computer safe.

about msconfig, davidr mentioned. this is to see if any unwanted processes are running.
to do this click on start. in the run box type msconfig and click on it. ( i am using windows 7) this opens a box system configuration/ click on tools/ scroll down and click on task manager to highlight it and click on launch. this will list the processes you have running and you could post a screenshot of anything suspicious. ALSO try d/loading ad-aware pro free version from majorgeeks