My McAfee VirusScan is detecting potential worm activity from our computer. We continually get the message: The last few sent e-mails contained similar subject or body content. E-mail subject: Report of MEDIAROOM\<user name>. It appears to be a SC-keylog virus. We can't get rid of it. Help!
Greetings!
Hi, Nicholas. This thing is driving us crazy. The VirusScan alert comes up continuously anytime we are logged onto the web.
Please do the following:
1. Download SYSCLEAN.COM from Trend Micro site:
http://www.trendmicro.com/ftp/products/tsc/sysclean.com
2. Create a temporary folder and copy SYSCLEAN.COM into this folder
NOTE: This temporary folder should be created on a local or mapped drive
3. Download the latest pattern file (as in lpt482.zip where the last 3 digits indicate a virus pattern number) from Trend Micro site:
http://www.trendmicro.com/download/pattern.asp.
This file is in ZIP format and contains virus pattern descriptions.

4. Extract the downloaded ZIP pattern file into the created folder
NOTE: To extract the zip file archive you can use the built-in features of Windows Me/XP or any unzip utility. For example, you can download and install WinZIP from: http://www.winzip.com/ddchomea.htm
So, after all the abovementioned steps your local folder should contain two files as follows:

5. Close all applications running on your system and restart your computer in Safe Mode:
a. Restart your computer
b. Press and hold down the F8 key when the PC restarts and completes the power-on self-test (when you see data on your computer before Windows starts).
c. Choose Safe Mode from the startup menu that appears
6. Run the System Cleaner by double-clicking the executable file SYSCLEAN.COM in Windows Explorer:

7. Make sure "Automatically Clean Infected Files" is checked and click "Scan"
8. At the end of the scanning process this fix tool generates a log file, SYSCLEAN.LOG, in its current folder. You can take a look at it by clicking the "View Log" button. To view the summary results scroll to the bottom of the log.
On the second hyperlink, it doesn't have "Virus Pattern Files" in the header. Instead it says "Trend Micro Pattern Files".
Please use the following virus pattern:
http://www.trendmicro.com/ftp/products/pattern/lpt131.zip
I've downloaded the pattern. Now it says "Required file "C:\Documents and Settings\Kurt\Desktop\TSC.BIN" is missing."
Please do instructions exactly as given.
You should have two files in one folder:
SysClean.Com and lpt$vpn.131
I do
Please reboot your computer in Safe Mode, and run SysClean.com
Alright.
I'll get back to you afterwards.
Ok.
Did as instructed.
No help. It's still there.
Sorry to hear that.
Can you please send me the SysClean.log file?
It is located in the same folder as SysClean.
it is too long to send
do you have an e-mail address where I can send it?
Please use the Send File button, which is located in the right-top corner of the screen.
I have sent you a file C:\Documents and Settings\Kurt\Desktop\temp\sysclean.log (24.2 Kb).
get it?
Yes.
Thank you.
Mr. Pollack, have you ever sent the email with the title you have indicated?
E-mail subject: Report of MEDIAROOM\<user name>
No.
Ok.
I would like to Screenshare.
Is this Ok with you?
It's fine.
Thank you.
Your Expert has sent you a request to launch a ScreenSharing session. Please hold while the ScreenSharing window appears. This may take a couple of minutes.
It seems that you have no TekLink installed.
For faster and more efficient problem resolution, I recommend you to download and install TekLink™, LiveRepair’s proprietary software that collects diagnostic information on your computer.
You can download it from 'Downloads' section of our site.
During TekLink™ installation you will be asked to enter a “Setup Code”.
You can find this code at the same section, under TekLink links.
Note: Please be sure to stay on-line while installing TekLink™, since it will need to download certain components from web site.
As soon as the file is downloaded, please double-click it and follow the on-screen instructions to install TekLink™. Do not hesitate to contact me if you have a question or problem during installation.
Should there have been a download window?
Ok
Please let me know when you are ready.
download "primary" or "mirror"?
Either one.
error message: could not load dll library.
am trying again
Please remove Temporary Files and Internet Temporary Files before you proceed:
In order to delete the Temporary Internet Files, please do the following:
1. In Internet Explorer on the Tools menu, click Internet Options.
2. Click General, and then click Delete Files in the Temporary Internet Files area.
3. In the Delete Files dialog box, click OK.
For removing windows temporary files, please do the following:
1. Click Start -> Run
2. Type "%temp%" without quotation marks and press Enter. %=percent (Shift + 5).
Window with content of the temp files folder will appear
3. Press "Ctrl"+"A" keys to select all files.
4. Press "Shift"+"Del" keys to delete files without moving them to the Recycle Bin
"invalid access to memory location"
help!
OK, will try the above
Ok.
did as instructed
I was unable to delete one file from the Windows temporary files: MCE00000
and I still get an error message trying to install TekLink
It's ok you can't delete all files.
"The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."
If you say so . . . but I still can't install TekLink!
Just a moment please.
1. Please download and install the following spyware removal utility
SPYBOT
ftp://ftp.download.com/pub/win95/desk/spybotsd14.exe
2. After Spybot is installed Run it and follow the Spybot wizard to Download all updates.
3. Run Search and Destroy, check for problems
4. When scan is done press Fix checked.
scanning with SpyBot now . . .
first report (still scanning): "All known bad products are blocked."
Ok.
OK, done. Should I retry installation of TekLink now?
Yes please.
will attempt now
worm warning popup has apparently stopped
Good.
still unable to install TekLink but worm warning still gone
I will do the temp files delete again
In order to solve your problem we need some additional information about your computer configuration.
1. Download HijackThis to your computer in a location that you know where to find it again.
HijackThis Download Link
http://www.wilderssecurity.com/supportfiles/HijackThis1991.exe
2. Create a folder where you would like the HijackThis file to reside. Once it is downloaded navigate through Windows Explorer or My Computer to the location you downloaded it to and double click on the icon for HijackThis.exe
3. To have HijackThis scan your computer for possible Hijackers, click on the Do a System Scan and save a log:

At this point, you will have a listing of all items found by HijackThis.
4. Save Log, and save the log to your computer somewhere you will remember later.
5. Send us this file using Send File option of our site or just copy and paste the content of Hijackthis log file into our chatlog.
still unable to install TekLink
will do Hijack This now
Ok.
I have sent you a file C:\Documents and Settings\Kurt\Desktop\hijackthis.log (8.3 Kb).
done
still no worm warning
Ok.
are you still there?
Yes, I am.
Please check to Fix the following items:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\system32\iexplorer.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk037
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O20 - Winlogon Notify: iexplorer - C:\WINDOWS\SYSTEM32\iexplorer.dll
done
Please do HiJack again, and send me the new log file.
OK
Ok.
I have sent you a file C:\Documents and Settings\Kurt\Desktop\hijackthis.log (7.9 Kb).
Thank you.
you bet
I am viewing the log file.
Please reboot your PC, and check the original problem with emails.
done
that worm warning pop-up is no longer there
It has been my pleasure assisting you.
If this Question is solved please close it. Please open a new Question now or later if you need our help with a new issue. We appreciate your feedback. Thank you for using your HelpDesk-Now service.
Yours sincerely,
Nicholas
Wow. This was awesome. Thank you, Nicholas.
You are welcome.
(Closing Call by User) Was question answered? 1 - Yes