HijackThis

Guest

My wife's computer is infected with Think-adz.lnk (that's an L). This is
listed in the detected files, but was permitted and not removed. I have
updated AVG antivirus on her computer, but it could still not find it and
remove it. I would appreciate ideas for a solution. Also, I have an entry
WINNNTT\System32\twinpooa.exe. Bill Sanderson MVP, suggested that I go to
www.virustotal.com and try that site for a solution to the exe file.
 
Guest

Hello Lou_makemyday,

It would be nice if you stay with your previous post.

Beside virustotal try http://virusscan.jotti.org and paste the result here.


This is an AndyManchesta or Ron Kinner case because I cannot find any good
advice within any forum without using HijackThis and being carefully guided.
Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
http://computercops.biz/HijackThis.html

Save it to C:\hjt (new folder) then Open it and select Scan and Save Log.
Note where you saved the log then send it to him as an attachment. Put
Hijack in the subject so he'll know it's not spam.

Alternatively you can post it on the Dell Forum at:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

Put Ron in the subject so he will see it. You do not need to have a Dell to
post but you will need to register.

Ron Kinner at rkinner(AT)att.net (Replace (AT) With @)
Microsoft MVP 2004 & 2005

AndyManchesta(AT)hotmail.co.uk (Replace (AT) With @)
AndyManchesta at andyorange334(AT)hotmail.com (Replace (AT) With @)
AndyManchesta(AT)hotmail.com (Replace (AT) With @)
Feel free to mention that I sent you.

For the benefit of the community reading this post, please rate the post.

I hope this post is helpful.

Let us know how it works out.

Еиçεl
 
Guest

Thanks, Engel, for the advice. Sorry about the posting. I was a bit
confused on where to post my first posting and misunderstood ... thinking I
should use the Spyware signatures group. I'll try to use the ideas you gave
me.
 
Bill Sanderson MVP

Lou - both Engel's site and the Virustotal one I gave are sites which will
take a sample you supply--i.e. that executable on your wife's machine, and
test it against a large collection of antivirus engines. That should give
us a name for the bug and that name should allow research on how to get rid
of it effectively.

It's pretty easy, if you can find the executable on the machine--and you
posted the complete path and filename. You just go to either site, click
on the browse button near the top of the window, and browse to that file on
your wife's system. It will upload the file to the web site and test it
against a large variety of commercial antivirus engines, in a matter of
minutes--and give back results.

Basically--what we need out of this process is the name of the virus or
trojan as found by one of the major antivirus vendors--say, Symantec,
McAfee, F-secure.


 
Guest

Bill--I struck out in trying to find the files in the paths that Defender
identified, but I searched all of C:\ and found some information after I
changed the folder options to show hidden files and unchecked "protected
operating system files" (after searching, I rechecked "Hide protected
operating system files" to protect the system.). During the searches I found
the "Think-Adz.lnk" file in C:\WINNT\pss\Think-Adz.lnk (LNKSTARTUP file),
but the "twinooea.exe" files were shown in no directory, but as
"results.aspx?q=twinooea.exe&mkt=en-US&form=QBNO&go.x=8&go.y=10". Do I focus
on the Think-Adz.lnk STARTUP file? I don't think I can use a virus search on
the twinooes.exe "results," right? Sorry, but I haven't had much experience
with this and the "expert" that I used could not find or eliminate these even
editing the registry. Am I close to having something to work with? Thanks
for your patience. I don't want to mess things up any more than they are!
I'll try to run the Think-Adz.lnk against one of the sites I have been given.
 
Bill Sanderson MVP

Did you try those scans in safe mode?

You can certainly delete anything related to think-adz in \winnt\pss.

I'm not sure I understand what happened with the twin?? file--I'm not sure
what tool gave you that result. That looks like it might be an internet
search result, rather than something really on your system.

It is quite possible that the executable file is being generated by
something which regenerates a different random name each time your system
starts.

So--the way to get a handle on it will be to do a virus or antispyware scan
and see whether a new executable is spotted. If so, use the path from that
scan result to try to upload the file to virustotal or jotti.org.

Once you have the name of the virus or trojan involved, we can look for
better cleaning instructions.

However--since both bugs were identified by your current protection--Windows
Defender and AVG--but not cleaned, I'd strongly recommend restarting in safe
mode and scanning with both those products--that has a good likelihood of
completing the cleaning properly.

 
Guest

I tried scans in safe mode and did not find them with AVG. Defender does not
remove anything once it is in the system (as I understand the program); so, I
did not try it in safe mode. I went online to SpyBot site and searched for
the two names, but it did not recognize the two files in its database. I am
going to submit these names of the threats to Spybot to see if they can help.

When you say that I could delete anything in c:\WINNT\pss, did you mean that
I could click on the file and merely delete it? Do I have to do this in Safe
Mode?
Thanks again for your support.
 
Bill Sanderson MVP

Yes--deleting that file, if found or other executables in that folder, in
safe mode--would probably be a good thing to do, but may not solve the
problem.

Windows Defender should be capable of removing anything it detects. Removal
operations are more likely to be successful in safe mode because some
startup areas are not used when starting in safe mode.

The executable name that you posted garners no hits in Google. That--by
itself--is definitely an indicator for suspicion. In this case, it probably
indicates something which is named randomly, and perhaps changes its name
with each startup of the machine--which makes it harder to remove, and to
find information about. You have to look for the "characteristics" of the
file, rather than the name.

By all means scan with Spybot search & destroy.

I think I'd recommend an online antivirus scan as well, at this point. AVG
is a useful product--I've certainly used it a good deal of the time myself,
but I don't expect it to be at the leading edge--I've yet to have an
antivirus in place that caught all the bugs I could see in, say, attachments
to email.

So--I'd try an online scan--you can choose--every vendor has one.
Microsoft's can be found at:

http://safety.live.com



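Bill's point that a randomly renamed executable has to be identified by its characteristics rather than its name applies to the startup link as well: the .lnk found in C:\WINNT\pss records the full target path, arguments and working directory, so reading it tells you which executable the startup entry actually launches even when the name changes. The following is an added example, not code posted in this thread or shipped with HijackThis or any tool named here. It is a minimal parser for the Windows shell link format (ShellLinkHeader, LinkInfo with a local base path, and the StringData fields), plus a small builder used only to construct an offline sample that points at the path from the original post. The byte layout follows the published MS-SHLLINK structure; the builder deliberately omits the LinkTargetIDList, which the parser skips when present but does not decode.

```python
"""Minimal Windows shell link (.lnk) reader for startup-folder triage.

Added example (not from the thread). Layout follows MS-SHLLINK; the sample
link below is constructed inline so the script runs offline.
"""
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")


def parse_lnk(data):
    """Return target path, arguments and other StringData of a .lnk blob."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the ID list, not decoded here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"flags": flags, "local_base_path": None, "common_path_suffix": None}
    if flags & HAS_LINK_INFO:
        base = pos
        link_info_size, _hdr_size, info_flags = struct.unpack_from("<III", data, base)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath
            local_off = struct.unpack_from("<I", data, base + 16)[0]
            info["local_base_path"] = _cstring(data, base + local_off)
        suffix_off = struct.unpack_from("<I", data, base + 24)[0]
        info["common_path_suffix"] = _cstring(data, base + suffix_off)
        pos += link_info_size

    def read_string():
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            text = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            text = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
        return text

    for flag, key in STRING_FIELDS:  # StringData fields appear in this fixed order
        info[key] = read_string() if flags & flag else None
    target = None
    if info["local_base_path"] is not None:
        target = info["local_base_path"] + (info["common_path_suffix"] or "")
    info["target"] = target
    return info


def build_lnk(target, arguments="", working_dir=""):
    """Build a minimal .lnk blob; used only to construct the offline sample."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LINK_CLSID
              + struct.pack("<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0))
    volume_id = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"  # empty label
    base_path = target.encode("cp1252") + b"\x00"
    suffix = b"\x00"
    vol_off = 0x1C
    local_off = vol_off + len(volume_id)
    suffix_off = local_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), 0x1C, 1,
                            vol_off, local_off, 0, suffix_off)
    link_info += volume_id + base_path + suffix

    def s(text):  # CountCharacters + UTF-16LE characters, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    relative = ".\\" + target.rsplit("\\", 1)[-1]
    return header + link_info + s(relative) + s(working_dir) + s(arguments)


# Constructed sample: a startup link pointing at the path named in the thread.
SAMPLE_LINK = build_lnk(r"C:\WINNT\System32\twinpooa.exe",
                        arguments="/silent", working_dir=r"C:\WINNT\System32")


def summarize_startup(entries):
    """Map of link filename -> bytes; returns (name, target, arguments) rows."""
    rows = []
    for name, blob in sorted(entries.items()):
        try:
            info = parse_lnk(blob)
            rows.append((name, info["target"], info["arguments"] or ""))
        except ValueError:
            rows.append((name, None, "not a shell link"))
    return rows


if __name__ == "__main__":
    for row in summarize_startup({"Think-Adz.lnk": SAMPLE_LINK}):
        print(row)
```

On a live system you would read each .lnk from the startup locations into `entries` and submit the *target* file (or its hash) to a multi-engine scanner, which is the characteristic Bill describes as more useful than the filename itself.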
 
Guest

Thanks, Bill,
I'll try your suggestions tomorrow and see what I can solve. I sure
appreciate your patience!
 