Help with identifying virus please

PaulR

Dazed and Confused Admin
Staff member
Joined
Jun 28, 2003
Messages
18,023
Reaction score
4,046
Points
113
My Satellite Setup
-----------See sig-----------
My Location
Wirral, NW UK and Vaucluse, France.
My daughter does a lot of talking on MSN Messenger using my old W98 desktop machine and I am fairly sure she has managed to get it infected with something.

I have Command anti-virus (fully updated) installed and the memory resident portion keeps telling me that there is an infection in setup.exe contained in c:\program files\c2media. If I delete setup.exe and remove c2media then the next time it boots up it reappears.

When I look at the report from CAV it tells me that the program is called by ¦¦¦) or something similar, which I assume is the source but I can't find it.

If I run CAV from the system tray it only ever finds the setup.exe and, if I have deleted it, it then tells me that there is no infection. Even booting into DOS and running the DOS based f-prot AV program gives no further information.

I've been battling against it for a week now and I must admit I'm stumped. Is there a cure or is a format and install the only answer now?

PaulR
 

PaulR

Adaware finds lots of cookies but nothing that would seem to point to the problem and anyway after clearing the cookies the problem still exists. Will try spybot when I get a moment to download it.

Not heard of Hijack but will try to find it. I'm supposed to know what I'm doing with computers but this has got me tearing what's left of my hair out!

PaulR
 

jimbo

Retired Mod
Joined
Jan 1, 2000
Messages
3,482
Reaction score
1
Points
0
Age
74
My Satellite Setup
Sky HD, TM6800HD, Manhattan Plaza ST550 and TM1500 CI+. 1.0m dish and 36v motor, Panasonic DVD HDD recorder and Panasonic video/DVD recorder. Sony G800 HD TV stand/surround system + Sony KDL40W2000. Infinity USB, Elvis, CAS1, CAS2.
My Location
Greater London

PaulR

I'm on the machine in question at the moment and have just logged onto the Panda web site. I'll see what that brings up.

I've done an Explorer search and DOS DIR and neither found anything like lop*.* so that route's out.

It takes quite a while to download the Panda software on 56k you know...

PaulR
 

waverider

Salty Tech Monster Bod
Joined
Nov 17, 2003
Messages
1,729
Reaction score
0
Points
0
Age
69
My Satellite Setup
Protek 9750 HD IP, Spiderbox 9000HD. Cryptik Digital H-H Mount with 1.2m Oval Dish and a box in the garage consisting of 2 obsolete STBs, various Cards and a couple of cams!
My Location
South East England
Have you tried a search for the file with 'Find files or folders' Paul?.....It's possible it could be a hidden file downloaded into system!.....I have a program on my computer at work that may find it if it is a virus m8 I could upload it to you.
 

PaulR

WR, sorry when I said Explorer search I meant Find File. I may need your program soon though...

Well I got onto the Pandasoft site and downloaded the program which then ran. It said that it had found 1 infection but, when it got towards the end of the scan the modem connection started disconnecting. After doing this about 3 or 4 times I then couldn't get the modem to work at all. I then decided to run the Command AV from the system tray but whatever is there blocked me and flashed up the message "Access to the specified device, path or file is denied".

I tried to go in through Explorer but was blocked again "The object that C:\windows\.....\.lnk refers to has been removed or is inaccessible". A similar message flashed up when I tried to open a DOS box. At this point I had to reboot and so lost my link to the report that Panda had prepared for me on their web site.

I'm going to try to get Spybot now but if I recall correctly it doesn't offer any means of removing an offending file after identifying it until you cough up some dosh.

Anyway, I'll give it a go.

PaulR
 

waverider

I'll try and PM you the prog tomorrow m8
 

PaulR

WR thanks. I'm in the middle of running Spybot as we speak (type?) so I'll see what comes about.

Following on from reading Simplythebest I had fired up add/remove programs. Amongst the ones I know I found some strangers. I tried to remove them with negative results as follows:

Fun Web Products Easy Installer - Failed to uninstall the FWPEI
Jordan's Hardcore - An error occurred while trying to uninstall ... It may have already been uninstalled.
Livewebcam - As Jordan's
Pornoland - As Jordan's
My Web Search (Smiley Central) - said that it was unable to make a link to the website
Search Assistant My Web search - same as My Web Search

Spybot has just finished and there's a rook of stuff there including C2.LOP. I'll go and clean it all up - or at least hope that I do.

WR - hold on the program for the moment. Thanks for the offer anyway, if Spybot fails me I'll Be Back.

PaulR
 

waverider

Do you use a firewall m8......cos with that you can log IPs and send the offenders crap too m8 :D
 

PaulR

Yes, ZoneAlarm. I'm not on this machine enough to return crap but I must admit I thought I had it well covered. Command AV, AdAware and ZoneAlarm. Just goes to show that 14 year old girls can get round anything!!!


UhOh, just tried to open a DOS box and was refused permission. I was hoping to remove the C2media directory and contents. Looks like I'll have to reboot to do it.

Will it never end?

PaulR
 

jimbo

BTW Spybot is freeware but donations welcome.

One other thing Paul....in my opinion and many others Spy Sweeper by Webroot is the best tool. That does cost a few bucks but well worth it. Just for future reference.
 

waverider

A good place for free programs is pcworld.com take a look at the downloads there...and only a couple of pop ups too :D
 

PaulR

Update.

Spybot seems to have done the business. It found a whole rook of stuff and after dealing with them I was able to delete the C2media directory without it coming back.

I was also able to uninstall the 2 web searchers so that just leaves the entries which seem to say that they have already been removed. I'm loath to delete the entries in case it's a double bluff of some kind.

Yes Spybot is freeware and pretty damn good at that. I obviously used something whose name I confused. As far as I can remember when I ran it the program found a load of things but said that I would have to subscribe in order to use the removal facilities. At about that time I found Adaware and have used it ever since.

Thanks to everyone for their help.

PaulR
 