Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: lee20 on July 20, 2004, 02:14:49 PM

Title: videons
Post by: lee20 on July 20, 2004, 02:14:49 PM
hi,
i have just done a scan with Trend Micro online and it said i have a possible virus called videons32.exe in C:/videos32.exe.
I have scanned with Avast! and it said it was clean, but i stuck it in the   virus chest anyway, i would like to email it to ALWIL software for testing, is there anything i need to do it first like zip it up?

EDIT: by the way when i did stick it in the virus chest i noticed it was still in C:/videons32.exe, is this suppost to happen?

--lee
Title: Re:videons
Post by: Eddy on July 20, 2004, 02:21:04 PM
videons32.exe is not the name of a virus, it is a filename. Can you post the virus name as reported bt Trend here? Also run some other online scanners to see what they say about it and post the results here.

If you would like the Avast people have a look at it, send it to virus@avast.com
Title: Re:videons
Post by: lee20 on July 20, 2004, 02:29:57 PM
i don't no the name because it is only a possible virus, where the name should be it says "possible virus" , RAv online file scan and kaspersky read it as clean aswell, but i would still like to send it to ALWIL software to be safe, am i right in saying you have to password Zip the file/virus first?

--lee
Title: Re:videons
Post by: Eddy on July 20, 2004, 02:40:23 PM
No need to password zip it, just send it.
Title: Re:videons
Post by: lee20 on July 20, 2004, 03:54:44 PM
well i send it via virus chest, it sent though outlook express and said error but it still said it was sent to avast!, so just need to wait and see really.
Do avast! reply when you send them a sample to test?

--lee
Title: Re:videons
Post by: bob3160 on July 21, 2004, 01:12:54 AM
Hi Lee
The virus is W32.Gaobot.AZT
You can learn more about it here:
http://sarc.com/avcenter/venc/data/w32.gaobot.azt.html (http://sarc.com/avcenter/venc/data/w32.gaobot.azt.html)
Let us know how you make out.
Title: Re:videons
Post by: lee20 on July 21, 2004, 12:54:52 PM
well i started in safe mode and the regisry keys weren't there, so i just deleated videons32.exe and now my system seems clean (i tryed scanning with avast and trend micro again), so i think its safe to leave it at that.

EDIT: no wait, its come back on a restart, damn

--lee
Title: Re:videons
Post by: Eddy on July 21, 2004, 12:59:47 PM
1) Disable system restore
2) Reboot
3) Clean the system
4) Reboot
5) See if the system is clean
Title: Re:videons
Post by: lee20 on July 21, 2004, 01:08:51 PM
Well before i saw your reply i had scanned again with trend micro and pressed deleat this time and it seems to of gone (i tryed restarting), but that advice did help me with another problem with something called sdbot[trj] so thanks there artras, i appriciate it  ;)

--lee
Title: Re:videons
Post by: lee20 on July 22, 2004, 09:30:34 PM
Hmm its back again, i just scanned with something called jotti scanner and it got these results

AntiVir  No viruses found (1.23 seconds taken)
BitDefender  No viruses found (4.35 seconds taken)
ClamAV  No viruses found (6.03 seconds taken)
Dr.Web  Win32.HLLW.Agobot (6.03 seconds taken)
F-Prot Antivirus  No viruses found (2.26 seconds taken)
F-Secure Anti-Virus  Backdoor.Agobot.uo (3.47 seconds taken)
Kaspersky Anti-Virus  Backdoor.Agobot.uo (3.47 seconds taken)
McAfee VirusScan  W32/Sdbot.worm.gen.p (4.92 seconds taken)
Norman Virus Control  No viruses found (54.70 seconds taken)

Anyone care to help me please.


--lee
Title: Re:videons
Post by: Stephan123 on July 22, 2004, 10:14:59 PM
do a online scan by mcafee or Housecall ;D

housecall.trendmicro.com
Title: Re:videons
Post by: lee20 on July 22, 2004, 10:20:01 PM
jotti has many virus scanners on it.

mcafee is in it (McAfee VirusScan  W32/Sdbot.worm.gen.p (4.92 seconds taken) )

And trend micro identifies it as possible virus.

But what i decied to do was send it off to Alwil software (did that yesterday) then disable system restore, restart, send to chest, deleat it, restart, reenable system restore, restart, i think it gone for good now.

--lee
Title: Re:videons
Post by: Eddy on July 23, 2004, 08:35:20 AM
If you want to make sure your system is clean, click on the link in m signature and follow the steps there.
Title: Re:videons
Post by: lee20 on July 23, 2004, 12:03:52 PM
What part of it? It suggests many things, and yes, it seems to be back yet again

EDIT: BTW i have just scanned with kaspersky and it identifies it as Backdoor.Agobot.uo , but when i look in there virus encyclopidia its nowhere to be found, can someone advise please.
I have stuck it in the virus chest bu it still seems to be working.

--lee
Title: Re:videons
Post by: Eddy on July 23, 2004, 01:02:37 PM
As clearly stated on that page, you have to do ALL parts.
Title: Re:videons
Post by: lee20 on July 23, 2004, 01:17:20 PM
Hijack log: could you tell me if anything about it is in here artras?

Logfile of HijackThis v1.97.7
Scan saved at 12:09:42, on 23/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.halflemon.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.halflemon.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.halflemon.com/search.html
R3 - URLSearchHook: SearchHook Class - {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - C:\PROGRA~1\HALFLE~1\HALFLE~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\PROGRA~1\INTERN~1\Plugins\NPUPano.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38167.0752430556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.midasplayer.com/midasa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab


I downloaded the hijack log program from your website, i also analysed it with another website and it said this at the top "Shows the version of HijackThis an. The newest version is: v1.98.0!" is this important?

--lee
Title: Re:videons
Post by: centaur on July 29, 2004, 02:16:50 AM
I've followed this thread so far, after finding an infected videons file on my own PC. I believe I'm suffering a similar problem to lee16. Suspected virus is Agobot.26.B I took the advice given of running the hijackthis program - this is my log.

Logfile of HijackThis v1.98.0
Scan saved at 1:12:25 AM, on 7/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\PwsTray.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Simply Transparent 7\SimplyTransparent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\svchosts.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\downloads\apps\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.homechoice.co.uk:3128
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\tffkr5mb.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svchosts.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svchosts.exe
O4 - Startup: Simply Transparent.lnk = C:\Program Files\Simply Transparent 7\SimplyTransparent.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm Pro\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTrace Express\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\Program Files\NeoTrace Express\NTXtoolbar.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.webproworld.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8C548F0C-0193-11D5-8929-0080AD303E97} (Miner3D Viewer) - http://miner3d.com/m3Dsite/miner3D.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - file://C:\Inetpub\wwwroot\TSWeb\msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - http://tmsw.itshed.com/NR/System/WBC/Internals/PageTemplate/PlaceholdersSupport/NRDHtml.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

None of it makes much sense to me.. can anyone shine any light on this?
Title: Re:videons
Post by: Eddy on July 29, 2004, 06:57:01 AM
Click on the link in my signature, run the HijackThis log analyzer and follow the instructions in the result.log which it will create. On that same page is also a link to a explanation of the HJT log.
Title: Re:videons
Post by: centaur on July 29, 2004, 02:04:41 PM
Okay, no problem.. I thought you might have been able to spot something obvious for the HJT log that I posted above.
Not to worry, I'll check through the registry for anything suspicious