Event logging

Squeezy99

Hi,
I am running XP64 and I was hit by a virus the other day. It affected my 32
bit browser (IE8) and ran multiple copies that tried to connect to
advertising sites. All seems clear now BUT...
the browser seems a little slow and sometimes does not connect to a site.
Eventvwr.msc has a log installed for explorer but I never see any errors
reported. I cannot find how to set this on. Any ideas please?
Regards,
Dave
 
Ken Blake, MVP

> Hi,
> I am running XP64 and I was hit by a virus the other day. It affected my 32
> bit browser (IE8) and ran multiple copies that tried to connect to
> advertising sites. All seems clear now BUT...
> the browser seems a little slow and sometimes does not connect to a site.
> Eventvwr.msc has a log installed for explorer but I never see any errors
> reported. I cannot find how to set this on. Any ideas please?

*What* virus did you have? How did you know you had it?

You say "all seems clear now." Exactly how did you get rid of the
virus?
 
Jose

> Hi,
> I am running XP64 and I was hit by a virus the other day. It affected my 32
> bit browser (IE8) and ran multiple copies that tried to connect to
> advertising sites. All seems clear now BUT...
> the browser seems a little slow and sometimes does not connect to a site.
> Eventvwr.msc has a log installed for explorer but I never see any errors
> reported. I cannot find how to set this on. Any ideas please?
> Regards,
> Dave

It is always empty unless you:

http://msmvps.com/blogs/spywaresucks/archive/2007/01/21/508759.aspx

Be prepared for lots of events that you can research.

I imagine logging will not speed up your browsing since there is more
I/O.

Of all the browsers in the world, IE is probably the slowest - Try
Firefox and/or Chrome.
 
Squeezy99

Hi Ken,
my 32bit browser showed up about 6/8 instances in WTM processes when I
opened one instance. After killing all the copies, when I restarted it
asked me if I wanted to restore the original session. I replied yes and
then they all reopened attempting to visit advertising sites.
I googled a couple of the names and Symantec's site gave me the name of a
trojan with exactly the same profile. I ran a couple of malware programmes
plus my AV and it found a couple. I also checked and deleted a couple of
the .exe's that Symantec spoke about plus a 'strange' programme referred to
in the startup section of msconfig.

Now the 32 bit explorer runs slow at times - just hoping to spot something
by getting the logging working.

Regards,
David
 
Ken Blake, MVP

> Hi Ken,
> my 32bit browser showed up about 6/8 instances in WTM processes when I
> opened one instance. After killing all the copies, when I restarted it
> asked me if I wanted to restore the original session. I replied yes and
> then they all reopened attempting to visit advertising sites.
> I googled a couple of the names and Symantec's site gave me the name of a
> trojan with exactly the same profile. I ran a couple of malware programmes

Malware programs are very bad to run. I recommend that instead you run
*anti*-malware programs. If you did run anti-malware programs, which
ones did you run?

> plus my AV

What AV program did you run?

> and it found a couple. I also checked and deleted a couple of
> the .exe's that Symantec spoke about

Deleting exe files is hardly ever an effective way to get rid of an
infection.

> plus a 'strange' programme referred to
> in the startup section of msconfig.

What strange program?

Also please answer my original question below: "*What* virus did you
have?" And since you apparently had several infections, tell us the
names of *all* of them.

Two additional points:

1. Deleting exe files isn't good enough, and almost certainly you are
still infected.

2. Since you apparently had/have multiple infections, it's very likely
that the only way you can get rid of them all will be to reinstall
Windows cleanly.

> Now the 32 bit explorer runs slow at times - just hoping to spot something
> by getting the logging working.
 
Squeezy99

Hi Ken,
many thanks for your time.

The 4 sites that my hijacked IE was trying to access were added to my hosts
file:
127.0.0.1 reduxmedia.com
127.0.0.1 ad.seeknet2.com
127.0.0.1 ad.questmedianet.com
127.0.0.1 ww2.megawebfind.com

Ken Blake said:
> Malware programs are very bad to run. I recommend that instead you run
> *anti*-malware programs. If you did run anti-malware programs, which
> ones did you run?

Yes, I meant 'anti malware' - one was recommended by a few people on
google - a-squared free, and Malwarebytes' Anti-Malware.

> What AV program did you run?

My AV is avast and they responded very quickly with some advice. As you
think I still have an infection I will take up their offer of a check via
HijackThis.

> Deleting exe files is hardly ever an effective way to get rid of an
> infection.
>
> What strange program?

The startup programme was called 'u' and the path was
c:\windows_syswow64\tgffhhv.exe /u

> Also please answer my original question below: "*What* virus did you
> have?" And since you apparently had several infections, tell us the
> names of *all* of them.

My googling for answers ended up at:
http://www.threatexpert.com/report.aspx?md5=05c772c993de5ea134d458b537f8ff79
I found the Temp/100.dat it referred to and every time I managed to delete
it it reappeared immediately.

> Two additional points:
>
> 1. Deleting exe files isn't good enough, and almost certainly you are
> still infected.
>
> 2. Since you apparently had/have multiple infections, it's very likely
> that the only way you can get rid of them all will be to reinstall
> Windows cleanly.
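The hosts-file sinkholing in the post above is a common manual containment step, and a hosts file is also a frequent target for tampering in the other direction (a name pointed at an address that is not loopback). The following is an added example, not code from the thread or any tool mentioned in it: a small Python parser that reads a Windows-style hosts file, lists the names sinkholed to loopback, and flags any entry that redirects a name elsewhere. The function names (parse_hosts, sinkholed, redirected_elsewhere) and the sample text, which reuses the four entries from the post, are constructed for this example.

```python
"""Parse a Windows hosts file and report sinkhole and redirect entries.

Added example for the thread above; not from the original post or any
product it mentions. SAMPLE_HOSTS is a constructed sample that reuses
the four 127.0.0.1 entries the poster added.
"""
import ipaddress
import sys
from typing import List, Tuple

SAMPLE_HOSTS = """\
# constructed sample hosts file, not a real one
127.0.0.1       localhost
127.0.0.1 reduxmedia.com
127.0.0.1 ad.seeknet2.com      # trailing comments are allowed
127.0.0.1 ad.questmedianet.com
127.0.0.1 ww2.megawebfind.com
"""

# Addresses that make a hosts entry a sinkhole rather than a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname.

    Blank lines, '#' comments and lines whose first field is not a
    valid IP address are skipped rather than guessed at.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no hostname: malformed, skip
        address, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an address at all
        for name in names:
            entries.append((address, name.lower()))
    return entries


def sinkholed(entries: List[Tuple[str, str]]) -> List[str]:
    """Hostnames deliberately pointed at loopback (localhost excluded)."""
    return sorted({n for a, n in entries if a in LOOPBACK and n != "localhost"})


def redirected_elsewhere(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that send a name to a non-loopback address.

    A clean hosts file on a workstation rarely needs these; an unexpected
    one is a tamper indicator worth checking (e.g. a vendor's update or
    support site mapped to a foreign address).
    """
    return [(a, n) for a, n in entries if a not in LOOPBACK]


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]
    # With no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    parsed = parse_hosts(text)
    print("sinkholed:", sinkholed(parsed))
    print("redirected elsewhere:", redirected_elsewhere(parsed))
```

On a real machine pass the path to the live hosts file as the first argument; the sinkhole list confirms what has been blocked, and anything in the redirect list that you did not add yourself deserves a look.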
 
Ken Blake, MVP

> Hi Ken,
> many thanks for your time.

You're welcome. Glad to help.

> The 4 sites that my hijacked IE was trying to access were added to my hosts
> file:
> 127.0.0.1 reduxmedia.com
> 127.0.0.1 ad.seeknet2.com
> 127.0.0.1 ad.questmedianet.com
> 127.0.0.1 ww2.megawebfind.com
>
> Yes, I meant 'anti malware' - one was recommended by a few people on
> google - a-squared free, and Malwarebytes' Anti-Malware.

Malwarebytes Anti-Malware is one of the two best such programs
available. The other one is SuperAntiSpyware; I recommend that you run
that too.

> My AV is avast

A good choice!

> and they responded very quickly with some advice. As you
> think I still have an infection I will take up their offer of a check via
> HijackThis.

Can't hurt.

> > Deleting exe files is hardly ever an effective way to get rid of an
> > infection.
> >
> > What strange program?
>
> The startup programme was called 'u' and the path was
> c:\windows_syswow64\tgffhhv.exe /u
>
> > Also please answer my original question below: "*What* virus did you
> > have?" And since you apparently had several infections, tell us the
> > names of *all* of them.
>
> My googling for answers ended up at:
> http://www.threatexpert.com/report.aspx?md5=05c772c993de5ea134d458b537f8ff79
> I found the Temp/100.dat it referred to and every time I managed to delete
> it it reappeared immediately.