
Thread: An invisible virus

  1. #1
    Join Date
    Jan 2007
    Posts
    20

    An invisible virus

    So I'm more than a little confused. I scan my computer regularly with McAfee AV and don't find any problems. A few days ago, I decided to also run Bit Defender and double check my comp since it seemed to be running a bit slower than normal. While Bit Defender didn't find anything either, while it was running, McAfee popped up a notice that it had found a "new poly win32" virus that could not be cleaned, quarantined, or deleted. The path only exists when that notice has popped up, and does not appear in safe mode. McAfee and Bit Defender do not find anything on their own. I have also run Norton, Avanti, Stop-sign, and probably a few others. None find it on their own, and only the Bit Defender/McAfee combo finds it. I'm sure there is something on there since a lot of files are now write protected that didn't use to be, and things like Ventrilo don't remember their passwords and cannot write the INI file associated with the passwords I put in. The Hijackthis file that I ran also found a ctfmon32.exe program, also undeletable. What am I missing? I'm more than confused and have no idea what to do next. I can post the hijackthis file as well if needed.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi!
    Let's start by having you run a NEW HiJackThis scan and save the log and post it here. That will at least give me a place to begin. Then we will go from there.
    The ctfmon32.exe is usually an indication of CoolWebSearch but don't do any cleaning yet until we can see the log. The new poly win32 virus can be something difficult to clean but don't worry, we will get to the bottom of it. It has also been reported that McAfee has been known to falsely report this virus in some programs when using the Heuristics Option in their program. Can you recall what the path is when it does show in McAfee? Give us the new HJT scan ok?
    Judy
    Last edited by jholland1964; 01-28-2007 at 08:04 PM.

  3. #3
    Join Date
    Jan 2007
    Posts
    20
    Here is the new hijackthis output in the attachment, I hope.
    The path for the one detected by McAfee is C://documents and settings/(User Name)/local settings/Temp. The file name changes on the scans when I restart, but normally starts with tmp0000xxxx.
    Attached Files

  4. #4
    Join Date
    Aug 2006
    Posts
    578

    Uninstall eAcceleration / Acceleration Software

    Then run the Avg Anti-spy step and the Kaspersky Online Scan step in the Read Me First Sticky Post at the top of the forum and submit those two logs.

    Also, I'd like to double-check something:
    Download FindAWF by noahdfear and save it to your Desktop.

    -- Double click FindAWF.exe and follow the instructions.
    -- When the tool has finished running, a log should pop up on your Desktop (awf.txt).
    -- Please submit that log for us as well.


    I imagine Judy will check back soon.

    PP

  5. #5
    Join Date
    Jan 2007
    Posts
    20
    OK, here are the results of the three scans. I have not cleaned or done anything else with the cookies and such that were found.
    Attached Files

  6. #6
    Join Date
    Jan 2007
    Posts
    20
    Looks like the AVG report didn't attach, and it's giving me error reports when I try to do so, I'm not sure why. But AVG found a bunch of tracking cookies that I've taken no action on as yet.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You should have allowed the scans to CLEAN or Quarantine every BAD item found as PP's sticky requests. Tracking cookies are included. Did you uninstall eAcceleration / Acceleration Software as PP requested?

    "AVG report didn't attach, and it's giving me error reports"
    What is the EXACT wording of these error reports and where are they coming from?

  8. #8
    Join Date
    Jan 2007
    Posts
    20
    Ok, cookies are all deleted, yes I uninstalled the other program, and the exact wording on the managing attachments is "Report-Scan-20070128-210303.txt: Upload of file failed." I tried to look at it in Word, but it comes up as squares and dots...

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Try uploading the file as a text file, not as a Word file.

  10. #10
    Join Date
    Jan 2007
    Posts
    20
    I copy/pasted the scan report from AVG into Word, it comes out to over 1800 pages of size 12 font saying this cookie is in this location and no action has been taken. It looks a lot like this:

    :mozilla.168:C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\h857i7ci.default\cookies-42.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.390:C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\h857i7ci.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.391:C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\h857i7ci.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.392:C:\Documents and Settings\User Name\Application Data\Mozilla\Firefox\Profiles\h857i7ci.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
    Last edited by mehndeke; 01-29-2007 at 12:07 AM.
