Avast WEBforum

Topic started by: wrmrwgn on March 01, 2007, 10:34:27 PM

Title: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 01, 2007, 10:34:27 PM
Hi - I am new here and I have a problem that's driving me nuts. My PC has the Avast screensaver and it keeps intercepting the Zipper 2778 worm, recommended action: quarantine. Every time I quarantine it the warning comes back, with the radioactive symbol and siren.

Please help.

Thanks
Rob
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: FreewheelinFrank on March 01, 2007, 10:54:40 PM
It may be a false positive in your hibernation file- it seems to be an old DOS virus. Try hibernating your system and restarting- hiberfil.sys is just a memory dump, so maybe there was a pattern in the dump that resembled the virus.

If it persists, try a boot time scan- right click the scanner screen, select schedule a boot time scan and reboot when requested.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 01, 2007, 11:19:40 PM
I just went to the power options in control panel and tried to check the enable hibernation box and access was denied with a pop-up that says "the file is being used by another process" or something like that.
I did 2 boot-time scans but no. This Avast Alert only happens in screensaver mode- scanning has found nothing.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: Lisandro on March 02, 2007, 03:59:07 AM
As a workaround, you can add this file to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...

Also, you need to use the on-demand scanning exclusion list for the screen-saver or the Simple User Interface:
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

Hope the Alwil team corrects the detection.
Maybe you should disable the hibernation option. Boot. Enable it again.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 02, 2007, 04:20:29 AM
I added hyberfil.sys. Is that good enough? I'll report if this is finished. I think you may be right about an old virus in DOS. This computer just got back from the shop with a clean install- my kernel32.dll was missing.

Still in the Avast! virus chest are these system files: Kernel32.dll, winsock.dll, and wsock.dll.

When the technician reinstalled windows, most of my program files were lost.
Yet when I looked in my virus chest last night, there were over 18,000 viruses, worms and trojans that had been quarantined after I bought this computer at a thrift store.
I ran Avast on it first thing when I bought it last October and it spent several hours scanning and quarantining viruses in boot-mode.

I left these in the chest.
All of them were deleted except the three above, and I am leaving it as is.

Just before the computer crashed, I removed those very files. Once in XP repair mode, I disabled automatic restart and when it tried to reboot the message came up saying that kernel32.dll was missing. Then I went into XP despair mode.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: Lisandro on March 02, 2007, 04:29:28 AM
Quote
I added hyberfil.sys. Is that good enough?
Should be...

Quote
I'll report if this is finished.
I'll be waiting for you...

Quote
Still in the Avast! virus chest are these system files: Kernel32.dll, winsock.dll, and wsock.dll.
They're there for backup purposes only. They're not infected at all, they're in the System folder of the Chest.

Quote
Yet when I looked in my virus chest last night, there were over 18,000 viruses, worms and trojans that had been quarantined after I bought this computer at a thrift store.
Wow... are you sure that all those infections come from the store?

Quote
I ran Avast on it first thing when I bought it last October and it spent several hours scanning and quarantining viruses in boot-mode. I left these in the chest.
All of them were deleted except the three above, and I am leaving it as is.
It's ok...

Quote
Just before the computer crashed, I removed those very files.
avast will add them again later...

Quote
Once in XP repair mode, I disabled automatic restart and when it tried to reboot the message came up saying that kernel32.dll was missing. Then I went into XP despair mode.
avast does not move the files from the computer to Chest. It just copies them, as a backup.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 02, 2007, 04:44:44 AM
Yes- over 18,000 bugs. That's my guess why it ended up in a thrift store.
Of course, there was NO AV program installed. The previous owner appears to have been a young person who didn't know.

So now things are making sense maybe- a couple weeks ago I removed those system backups, and the very next day it would only boot up to the XP GUI screen.
Is it just a coincidence or had the backup not been removed, it would still have the kernel32 file?

I know better now to leave them alone.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: Lisandro on March 02, 2007, 04:55:58 AM
Quote
the very next day it would only boot up to the XP GUI screen.
Well, avast does not mess up your computer... the infections did it (or could have done it).

Quote
Is it just a coincidence or had the backup not been removed, it would still have the kernel32 file?
The problem will be that you won't be able to boot and extract the file from the Chest, so, probably you'll need the original CD or a way to boot the computer and replace that file. Maybe XP Console recovery could do something here...
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 07, 2007, 01:01:10 AM
Uberevangelist, my PC crashed again Sunday. On Monday I was able to run CHKDSK and repair the boot record, and my PC booted back up. Now that dumb ZIPPER virus alert is testing my patience. Is there anyone on this board that may know how I get this virus or whatever it is to stop? Hibernate has been turned off.
I am not sure if this virus is causing my computer to crash but it seems to be a logical assumption at this point.
I'll check again to see if it's in the exclusion list. I may not have had the time to do that as Saturday and Sun are busy days.

Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: Lisandro on March 07, 2007, 01:51:18 AM
Quote
alert is testing my patience
Which file is infected? Did you try to delete the hyberfil.sys file, maybe using Unlocker (http://ccollomb.free.fr/unlocker/) or Delete FXP (http://www.jrtwine.com/) or MoveOnBoot tool?
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 07, 2007, 06:52:20 AM
MoveOnBoot tells me "incorrect file name" when I paste hyberfil.sys into the box. I haven't figured out how to use Unlocker yet.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: mauserme on March 07, 2007, 06:57:27 AM
I think the problem doesn't originate in hiberfil.sys but ends up there when Windows hibernates.  Zipper is a memory resident virus so it would be a part of the "snapshot" that Windows saves.

If an avast! boot scan doesn't help, try a Trend Micro or Kaspersky online scan:

http://housecall.trendmicro.com/

http://www.kaspersky.com/virusscanner
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: polonus on March 07, 2007, 07:57:20 AM
Download this removal tool to get the worm from your computer:
http://www.downloadtopc.com/get/62/42378/W32Stration_worm_removal_tool.html

This is a simple virus which stays resident in memory and infects COM and EXE files when they are accessed. \COMMAND.COM and \DOS\FORMAT.COM are infected on the first execution.

If you run PKZIPFIX against an infected COM or EXE file, it will create a PKFIXED.ZIP, which contains an assembly source file called ZIPPER.ASM.

The virus contains this text, which is never displayed:

   >>*>> Use PKUNZIP *.EXE immediately! <<*<<

Zipper contains several bugs which might corrupt the infected files.
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
   your CONFIG.SYS file.  Reboot the system.  Then run each .EXE file
   less than 62k.  The virus will remove itself from each .EXE program
   when it is executed.  Or, leave DOS=HIGH in your CONFIG.SYS; execute
   an infected .EXE file, then use a tape backup unit to copy all your
   files.  The files on the tape have had the virus removed from them.
   Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file.  Reboot the
   system.  Restore from tape all the files back to your system.

polonus
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 07, 2007, 07:56:37 PM
How do I find the CONFIG.sys file?
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 07, 2007, 08:12:57 PM
Are you saying I should use PKzipfix immediately? You can tell I don't know my way around this. I'm worried that this thing is going to crash my computer again if I don't get it off.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: mauserme on March 07, 2007, 09:03:25 PM
The zipper virus contains the line
Quote
>>*>> Use PKUNZIP *.EXE immediately! <<*<<
within its code.  It's mentioned in the quote polonus posted as a way to identify the virus.

Those instructions appear to refer back to the days of DOS since the files \command.com and \dos\format.com normally do not exist under Windows XP.  There are files of the same name in a different directory in XP but I don't know if they would be infectable by a DOS virus.

There will probably be a config.sys in your root directory under XP ( C:\ ) but I'm guessing it will be empty.  In any event I don't believe the dos=high or dos=low commands will have any meaning in an XP environment.

Maybe somebody else can comment - it's been a long time since I've worked in DOS.

Have you tried the boot scan yet?  If you open the avast! simple user interface and let the memory scan run it might provide confirmation of a memory resident virus.
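The point made in the replies above, that hiberfil.sys is a saved memory snapshot and can therefore contain the marker text Zipper carries, shown as an added example that is not part of any post: a chunked search of a dump file for the quoted string. The function names and sample bytes are constructed for illustration, and the sketch assumes an offline copy of the file whose contents are stored uncompressed; a hit shows only that those bytes were in memory when the snapshot was written.

```python
import io

# Marker text the thread quotes as embedded in the Zipper virus body.
MARKER = b">>*>> Use PKUNZIP *.EXE immediately! <<*<<"


def find_marker(stream, marker=MARKER, chunk_size=1 << 20):
    """Return the byte offset of every occurrence of marker in a binary stream.

    Reads fixed-size chunks so a multi-gigabyte dump never has to fit in RAM,
    and carries len(marker) - 1 bytes between reads so a match that straddles
    a chunk boundary is still found (and never reported twice).
    """
    if not marker:
        raise ValueError("marker must not be empty")
    keep = len(marker) - 1
    offsets, tail, base = [], b"", 0  # base = file offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return offsets
        window = tail + chunk
        pos = window.find(marker)
        while pos != -1:
            offsets.append(base + pos)
            pos = window.find(marker, pos + 1)
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)


def scan_file(path, marker=MARKER):
    """Scan an offline copy of a dump (hypothetical path supplied by caller)."""
    with open(path, "rb") as fh:
        return find_marker(fh, marker)


def constructed_dump():
    """Constructed sample: zero padding with the marker placed twice, the
    first copy straddling a 4096-byte chunk boundary."""
    return b"\x00" * 4090 + MARKER + b"\x00" * 1000 + MARKER + b"\x00" * 10


if __name__ == "__main__":
    hits = find_marker(io.BytesIO(constructed_dump()), chunk_size=4096)
    print("marker found at offsets:", hits)
```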
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: polonus on March 07, 2007, 09:09:13 PM
The info below the tool link is rather old info because the virus is old, so at that time XP was not around yet. Download this file to work on, just to compare, nothing else:
http://www.techadvice.com/specs/files_st1.asp?fnid=3398288

XP has MSCONFIG, not the config.sys. If you are not familiar with these proceedings, just run the tool from the link given to see whether it can resurrect the infected executables.

polonus
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: mauserme on March 07, 2007, 09:42:30 PM
Thanks polonus

Keith  :)
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 08, 2007, 04:37:08 PM
Hi, I have been at this two days and so maybe I should just uninstall AVAST? The damnable hyberfil.sys Zipper 2778 alert keeps popping up in screensaver mode.
None of the advice given so far has worked or I don't know how to use it.
I am afraid this virus is already starting to do more damage. This morning's computer boot was missing the Dell 782p monitor driver and the screen now flickers. I reinstalled the driver but the flickering won't stop, no matter how high I set the resolution. I've gone round and round with this and I'm ready to sing the "Stop the computer and let me off" song.

My computer crashed last weekend and this virus alarm and then monitor flickering preceded it.  I wouldn't doubt the next thing you hear is that my PC crashed.
I know a bunch of you evangelists have offered advice geared for the techie, but maybe you got a preacher in charge that you have been covering for?
Somebody has got to know why Avast won't quarantine this Zipper virus.
To further confuse me, some say it's not a virus and some say it's corrupting my files. It's starting to corrupt my mind!
Please help- I don't think I have much time left before she blows
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: FreewheelinFrank on March 08, 2007, 06:15:00 PM
Have you tried deleting the hyberfil.sys file to see if that gets rid of the problem?

You will need to enable 'view hidden files and folders':

http://www.bleepingcomputer.com/tutorials/tutorial62.html

If the technician who reinstalled Windows for you did not do a completely clean install, you may have instability problems left over from all the malware removed previously. As this is an old computer, you may also have hardware problems: it's difficult to know if your problems are down to malware or a video card on the blink.

You could try a registry scan with TuneUp utilities to look for problems in the OS. You could also try posting a HijackThis! log so we can look for any malware still active on your computer:

http://www.tune-up.com/

http://www.bleepingcomputer.com/tutorials/tutorial42.html
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: Lisandro on March 08, 2007, 06:59:19 PM
If you can't delete the hyberfil.sys file, try:
Unlocker (http://ccollomb.free.fr/unlocker/), Delete FXP (http://www.jrtwine.com/) or MoveOnBoot.

If you want a free registry cleaner, check PowerTools (http://www.jv16.org/). Very powerful registry power tools, with lots of extra options. Unfortunately, it's a shareware. But the free version is in a lot of places in the web for download.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: wrmrwgn on March 09, 2007, 06:03:36 AM
Everyone, thanks again for your very many ideas.
Some things solved today.
The video resolution- all due to a faulty surge protector.

No more flickering monitor.
I read that surge protectors can cause monitor problems.
I had been thinking the video card was the problem.

Screensaver ?

I also simply turned off the Avast screensaver. That of course doesn't mean the virus is gone, just that the siren and the announcer have both ceased.

I learned a lot this week- saved a trip to the shop.

Ok- yes, I tried to delete the hyberfil.sys file- it says that the file is not found.
I will try your suggestions.
By the way, I cannot turn the hibernate feature back on.
I'm not sure about how to implement your Hijackthis suggestion.
Title: Re: Hiberfil.sys Zipper 2778 Worm
Post by: FreewheelinFrank on March 09, 2007, 09:33:44 AM
Quote
I'm not sure about how to implement your Hijackthis suggestion

Follow the instructions in the tutorial I posted. It has screenshots to help you.

Did you enable view hidden files and folders before looking for hyberfil.sys?