Thread: An invisible virus

  1. #1
    Join Date
    Jan 2007
    Posts
    20

    An invisible virus

    So I'm more than a little confused. I scan my computer regularly with McAfee AV and don't find any problems. A few days ago, I decided to also run Bit Defender and double check my comp since it seemed to be running a bit slower than normal. While Bit Defender didn't find anything either, while it was running, McAfee popped up a notice that it had found a "new poly win32" virus that could not be cleaned, quarantined, or deleted. The path only exists when that notice has popped up, and does not appear in safe mode. McAfee and Bit Defender do not find anything on their own. I have also run Norton, Avanti, Stop-sign, and probably a few others. None find it on their own, and only the Bit Defender/McAfee combo finds it. I'm sure there is something on there since a lot of files are now write protected that didn't used to be, and things like Ventrilo don't remember their passwords and cannot write the INI file associated with the passwords I put in. The HijackThis file that I ran also found a ctfmon32.exe program, also undeletable. What am I missing? I'm more than confused and have no idea what to do next. I can post the HijackThis file as well if needed.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi!
    Let's start by having you run a NEW HiJackThis scan and save the log and post it here. That will at least give me a place to begin. Then we will go from there.
    The ctfmon32.exe is usually an indication of CoolWebSearch but don't do any cleaning yet until we can see the log. The new poly win32 virus can be something difficult to clean but don't worry, we will get to the bottom of it. It has also been reported that McAfee has been known to falsely report this virus in some programs when using the Heuristics Option in their program. Can you recall what the path is when it does show in McAfee? Give us the new HJT scan ok?
    Judy
    Last edited by jholland1964; 01-28-2007 at 08:04 PM.

  3. #3
    Join Date
    Jan 2007
    Posts
    20
    Here is the new hijackthis output in the attachment, I hope.
    The path for the one detected by McAfee is C://documents and settings/(User Name)/local settings/Temp. The file name changes on the scans when I restart, but normally starts with tmp0000xxxx.
    Attached Files

  4. #4
    Join Date
    Aug 2006
    Posts
    578

    Uninstall eAcceleration / Acceleration Software

    Then run the AVG Anti-Spy step and the Kaspersky Online Scan step in the Read Me First Sticky Post at the top of the forum and submit those two logs.

    Also, I'd like to double-check something:
    Download FindAWF by noahdfear and save it to your Desktop.

    -- Double click FindAWF.exe and follow the instructions.
    -- When the tool has finished running, a log should pop up on your Desktop (awf.txt).
    -- Please submit that log for us as well.


    I imagine Judy will check back soon.

    PP

  5. #5
    Join Date
    Jan 2007
    Posts
    20
    OK, here are the results of the three scans. I have not cleaned or done anything else with the cookies and such that were found.
    Attached Files

  6. #6
    Join Date
    Jan 2007
    Posts
    20
    Looks like the AVG report didn't attach, and it's giving me error reports when I try to do so, I'm not sure why. But AVG found a bunch of tracking cookies that I've taken no action on as yet.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Try uploading the file as a text file, not as a word file

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Maybe it was too large to begin with, can you zip it and try it? We really would like to see it.

  9. #9
    Join Date
    Jan 2007
    Posts
    20
    There we go.
    Attached Files

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Lordy! Don't think I have ever seen so many tracking cookies in one AVG log!!! Or 18 PAGES of cookies on ANY computer! Have you EVER emptied your cookies before any of these scans? Heavens, how much space are you allotting to cookies? Too much, that is for sure!
    All of these cookies were in Firefox, don't you have any cookies blocked in Firefox? Virtually every one of the ones shown in the AVG log are on my Blocked Cookie list in Firefox. Which version of Firefox are you using?
    In Firefox, cookie permissions are controlled in "Tools -> Options -> Privacy -> Cookies". You may choose to accept all cookies that websites wish to set or, in Firefox 1.5 and earlier, you may choose to accept cookies "for the originating site only", which will block third-party cookies that are often set by other companies who advertise on those sites.
    If you are using Firefox 2 then Firefox 2 users who wish to limit allowed cookies to those set by the originating website can use about:config to modify the preference network.cookie.cookieBehavior to "1".
    DEFINITELY block all cookies except for the originating site. Follow the above directions depending on which version you are using.

    Now while we await PP's look at the FindAWF log (I have not used this program yet so I cannot advise on that log and we will wait for PP to weigh in on his take of it) I would STRONGLY suggest that you go to his sticky
    and follow ALL of his instructions for the preliminary cleanup of your machine, because obviously this has not been done.
    Follow his instructions for the use of ATF-Cleaner.exe by Atribune, which is available from his sticky,
    and since you have already used the AVG I would also like you to use Spybot and another free one I like and that is AdAwareSE.
    Download and install all three of the above programs. Update them but do not run them yet.
    Reboot to Safe Mode and run ATF first.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT
    Next run Spybot. Have it fix all items noted in RED
    Exit the program.
    Next run AdAwareSE using these instructions:
    * Click "Scanning".
    * Select:
    - "Scan within archives"
    - "Scan my IE Favorites for banned URLs"
    - "Scan my hosts file"
    * Click "Tweaks".
    * Click "Cleaning Engine".
    * Select "Automatically try to unregister objects prior to deletion".
    * Click "Proceed".
    * Click "Start".
    * Select "Use custom scanning options".
    * Click "Next" and wait for the scanning process to complete.
    * Select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)
    Following all these instructions then reboot the computer into NORMAL mode.
    Run a new HJT scan and post the NEW log here.
    Last edited by jholland1964; 01-29-2007 at 01:03 AM.
