  1. #1
    5 Star Lounger
    Join Date
    Mar 2010
    east coast
    Thanked 8 Times in 8 Posts

    Question: clues to this virus and how to get rid of it

    the problem started a week ago on xpprosp3 machine

    at first it was a brand new file that tried to phone home
    now different dlls are trying to do it too
    one in java
    another in my email program
    plus the original mystery file
    as well as one in the c/recycler folder

    it seems as if a virus is randomly picking something and trying to use it to phone home and slip by the security software and firewall.

    not sure if they are faking the name or replacing these programs with their scumware code

    system is 7 years old
    nothing has tried this before

    unless microstuff has some scumware code with delayed time release then this is new
    and i suspect it came from a bogus email that i thought was from linkedin and clicked a link
    anyway. saw it was bogus and stopped the comm link, but some code may have gotten in and is trying to finish its job.

    how to find this scumware and get rid of it?
    anyone heard of anything like this phonehome problem virus?

    now i find a program named weyj.exe trying to do something
    just showed up today
    i think that win patrol deleted that one after a reboot

    search of .exe files showing up in last week also showed a m02.exe
    in docs settings/user
    that i could delete
    this seems to be a known virus
    and i also found a file named n. that was new

    i think i deleted mo2 and n.
    using winpatrol

    thought i had deleted weyj.exe using win patrol
    but it is back and in the recycler folder
    why would any legitimate ms program be calling home from the recycle folder?
    this has to be related to some virus probably the mo2.exe
    Last edited by speedball; 2013-02-14 at 14:33.

  2. #2
    Plutonium Lounger Medico
    Join Date
    Dec 2009
    Thanked 937 Times in 856 Posts
    Have you tried to boot to safe mode and run MalwareBytes and/or Spybot Search and Destroy? I would also uninstall all versions of Java (there has been a lot written about Java exploits recently).

    I assume you looked into a System Restore from before this happened. Usually a simple System Restore will not work, but it might be worth trying.

    Any chance you have a full system Image from before the problem started?

    This did not come from MS.

    As a last resort you might have to reinstall with a format as part of the reinstall. As I said, last resort.

    Edit: I see your other thread. Is this the same problem? Did anything that came out there work? It's generally not a good idea to start a second thread about the same problem as you might get the same answers again.
    Have a Great Day! Ted

    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)

    Complete PC Specs: By Speccy

  3. #3
    5 Star Lounger
    Join Date
    Mar 2010
    east coast
    Thanked 8 Times in 8 Posts

    i am thinking the problems are related

    that the scumware is the real problem
    not being able to delete a file/folder is a symptom of the virus protecting itself

    it seems to keep moving around
    and using other programs as a cover
    unless it is taking them over

    i still need to try the safe mode
    but ran all those programs and more and found nothing that made them unhappy

    i have java turned off
    but need javascript for hotmail

    it is more of an annoyance than a real problem
    norton gets stuck in a loop blocking it
    every time i say to block it the scumware tries again

    never happened for the 6-7 years we had this pc
    all new stuff since last week
    and i suspect the bogus email that faked a linkedin address did it

    we got another bogus email from
    said to click on link
    but checking the link it is a company in italy not the irs
    and the link name said to upload stuff so clearly it was a phishing scam to infect our pc

  4. #4
    Lounge VIP
    Join Date
    Apr 2011
    Thanked 134 Times in 115 Posts
    Both threads are describing the same thing: presence of a Trojan dropper infection. It will keep returning unless you deal with the underlying infection.

    Possible sources include the fake LinkedIn email (I've seen many of these blocked by our AV recently), but there are others too - think about compromised websites, Java, and Adobe products.

    One of the best ways to address this kind of problem is a careful and methodical approach:

    1. Download MalwareBytes Anti Malware
    2. Boot into Safe Mode (Without networking)
    3. Run a system restore to a time before the infection occurred
    4. When the System Restore reboots the PC, it is essential to return to Safe Mode; failure to do so will not complete the restore and the infection will still be present.
    5. Now you can boot back into normal mode.

    System Restore will often be enough to get rid of the worst of the infection, but you still need to make sure:

    1. After completing System Restore, use Autoruns to look for signs of any left over infections. Follow Mark Russinovich's excellent guide to its use for eradicating malware.
    2. Download and run a raft of Rootkit scanners such as Kaspersky TDSS Killer and Sophos Anti Rootkit.
    3. Next run Malware Bytes to clean up any final traces.

    After following those steps you should be clean. If the infection shows up again, repeat the above taking care to look for system restore points that you know are clean and using autoruns to search for signs of infection.

    There are other methods: Medico mentioned an image based backup, but I am guessing that you don't have that. I would however recommend that you consider it for the future.

    Fundamentally, infections such as these are deployed for one of a very few purposes: theft of sensitive user details, recruitment of the machine into a larger botnet that may be sold as a resource, or extortion of the user by social engineering.
    In God we trust; all others must bring data.

    - William Edwards Deming, 1900 - 1993
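The Autoruns step in the procedure above is where leftovers like a binary starting from the Recycler folder or from the root of a user profile get spotted. The script below is an added example (not code from this thread, from the posters, or from Sysinternals) of how to triage an Autoruns CSV export offline with exactly those checks. It assumes you exported the data to CSV (the autorunsc -c switch does this) and that the header contains the column names in the COLUMNS section; those names are an assumption, so rename them to match the header of your own export. The embedded sample CSV is constructed for the demo and reuses two file names from the thread, weyj.exe and m02.exe; the "File not found" check assumes Autoruns reports a missing image that way.

```python
"""Triage an Autoruns CSV export for autostart entries worth a closer look.

Added example for the clean-up procedure in post #4; not code from the thread
or from Sysinternals. Column names and the sample export below are assumptions
made for the demo.
"""
import csv
import io
import re

# Column names this script expects in the CSV header (assumption; rename to
# match the header of the actual autorunsc -c export).
COL_LOCATION = "Entry Location"
COL_ENTRY = "Entry"
COL_PUBLISHER = "Publisher"
COL_IMAGE = "Image Path"

# Locations where a legitimate autostart binary should almost never live on
# an XP machine. Each pattern is matched against the lower-cased image path.
SUSPICIOUS_PATH_PATTERNS = [
    (r"\\recycler\\", "runs from the Recycle Bin folder"),
    (r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$",
     "executable directly in a user profile root"),
    (r"\\local settings\\temp\\", "runs from a temp folder"),
    (r"\\application data\\[^\\]+\.exe$",
     "executable directly in Application Data"),
]

# Very short names (weyj.exe, m02.exe) are a common dropper habit. This is a
# heuristic: 4 characters or fewer before ".exe".
SHORT_NAME = re.compile(r"^[a-z0-9]{1,4}\.exe$", re.IGNORECASE)


def flag_entry(row):
    """Return the list of reasons this autostart entry deserves attention.

    An empty list means nothing in the row tripped a check.
    """
    reasons = []
    image = row.get(COL_IMAGE, "").strip()
    publisher = row.get(COL_PUBLISHER, "").strip()
    image_l = image.lower()

    for pattern, why in SUSPICIOUS_PATH_PATTERNS:
        if re.search(pattern, image_l):
            reasons.append(why)

    # File name is whatever follows the last backslash.
    name = image_l.rsplit("\\", 1)[-1]
    if SHORT_NAME.match(name):
        reasons.append("short random-looking file name")

    if image and not publisher:
        reasons.append("no publisher / signature information")

    # Assumption: Autoruns reports a missing binary as "File not found: ...".
    if image_l.startswith("file not found"):
        reasons.append("image missing on disk (stale entry or self-deleting dropper)")

    return reasons


def triage(csv_text):
    """Parse CSV text and return (location, entry, image, reasons) for flagged rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = []
    for row in reader:
        reasons = flag_entry(row)
        if reasons:
            flagged.append((row.get(COL_LOCATION, ""), row.get(COL_ENTRY, ""),
                            row.get(COL_IMAGE, ""), reasons))
    return flagged


# Constructed sample export (not real Autoruns output). Two benign entries and
# two that mirror what the thread describes.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ccApp,enabled,Symantec User Session,Symantec Corporation,c:\\program files\\common files\\symantec shared\\ccapp.exe,C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,weyj,enabled,,,c:\\recycler\\s-1-5-21-1234567890-1234567890-1234567890-1003\\weyj.exe,C:\\RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1003\\weyj.exe
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,m02,enabled,,,c:\\documents and settings\\user\\m02.exe,C:\\Documents and Settings\\user\\m02.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SunJavaUpdateSched,enabled,Java Update Scheduler,Oracle Corporation,c:\\program files\\common files\\java\\java update\\jusched.exe,C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe
"""

if __name__ == "__main__":
    for location, entry, image, reasons in triage(SAMPLE_CSV):
        print(f"{location} -> {entry}: {image}")
        for why in reasons:
            print(f"    - {why}")
```

On the sample, the two Symantec and Oracle entries pass and the weyj and m02 entries are reported with all the reasons that apply. A flagged entry is a lead, not a verdict: confirm the file on disk and its signature before deleting anything, and note that the location check is what catches the Recycler case the original poster asked about.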

  5. #5
    5 Star Lounger
    Join Date
    Mar 2010
    east coast
    Thanked 8 Times in 8 Posts

    i will be doing that

    i hope that winpatrol helped me find all the places where it was hiding and let me remove it by hand
    but if not then i will be doing the other things you suggested

    norton appears to be blocking all the outbound attempts
    if that shows up again then i will know i did not get all of the scumware
