Avast WEBforum

Other => Viruses and worms => Topic started by: BarbeeGee on August 07, 2004, 11:55:51 PM

Title: Repeated alerts for same virus
Post by: BarbeeGee on August 07, 2004, 11:55:51 PM
OK... read all the Trojan-gen posts, although they get very confusing with so much input from different people, some off topic, but here is my question.

My Avast alarm keeps going off while I am idle.  I am connected to cable so am always connected.  My mail was closed and so was my Internet.... yet my alarm went off 3 times saying I have a virus.  How can this be?

I did a scan and nothing shows up.   I looked in the chest and the last virus I got was that Trojan-gen and in the chest it should not cause the alarm should it???

I contacted Adelphia, my cable service, and they said there must be a virus still on my computer and that sometimes you have to do more than just delete or put the virus in a chest.

So what do I do?
 


 


 
 
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 08, 2004, 12:07:59 AM
Files in the chest can't do any harm anymore. You can safely remove the files that are in it.

But what virus is reported?
What version of Avast do you use?
What vps version?
What file(s) are detected as infected (as you say it) again and again?
Where are they located?
Did you disable system restore and reboot? If so, does the problem still exist?
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 12:12:51 AM
First of all, while deleting the Trojan-gen I noticed the time it arrived and it was NOT a repeat but a new virus... which goes completely against what my cable tech told me.  He said you can't get hit with a virus when nothing is open.  I swear to you I was sitting idle with just my desktop up.

Secondly you say:  Did you disable system restore and reboot? If so, does the problem still exist?

At the bottom the blue " I " was spinning and I instructed it to merge with the regular icon because I have no idea what to do with it... is that disabling?  

I did not reboot.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 12:14:15 AM
 PS

Therefore I was not accurate saying that Avast was repeatedly sending an alarm for same virus... looks like today I had 3.
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 08, 2004, 12:19:21 AM
Please answer the questions I asked so I (we) can give appropriate help. What you have told so far is not much to go on.

Click on the link in my signature and follow the steps as explained there. After doing so, let us know if you still have a problem or if it has been solved. If you still have a problem after doing so, provide more detail please.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 12:54:41 AM
But what virus is reported?  Trojan-Gen
What version of Avast do you use?  4.1 Home Edition
What vps version?  Not sure what that is
What file(s) are detected as infected (as you say it) again and again?  My last post cleared it up... it was a new one, not an old one again and again
Where are they located?  Restore
Did you disable system restore and reboot?  If so, does the problem still exist? Nothing is happening

I am afraid to do all that stuff with my restore.  If it really needs to be done I will have my son do it.  I'm a bit afraid of screwing my computer up as I'm not a guru.

I was wrong that the Avast was going off again and again for the same virus... I thought it was because it warned me of a virus 2 or 3 times when I wasn't on the Internet and did not have my mail program open.  My computer was idle with only the desktop showing.  My Avast alarm sounded... I was in another room and came running to find a virus.  I deleted the first 2 and then put this one in a chest.   I contacted my cable tech and he said it is impossible to be hit with a virus while idle and not in mail or on the web.

Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 01:03:10 AM
[quote]I contacted my cable tech and he said it is impossible to be hit with a virus while idle and not in mail or on the web.[/quote]
Then your Computer-Tech is being paid too much..

you can get hit with a virus as soon as you're connected to the inet.. and a virus can be detected by avast if it's activated on boot-up...

what we all want to know.. :

the path & filename avast tells you about the infection..
something like
c:\Windows\system32\badvirusfile.exe  or
c:\_RESTORE\gjsctilgen.dll
 or similar..

Please read the link "VirusRemoval" below in my sig and come back with some useful info, e.g.
- path/filename of the infected file
- results of onlinescanners (KAV, RAV, Trend) on the file
- a hijackthis-Log






 ;)
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 01:15:02 AM
Name:  A0056544.exe      
Original Location:  System Volume Information\_restore {b762f5be-40da-9793-f321c2185d05}\rp381

Virus:  Win32: Trojan-gen {VC}

I don't have that cleaner program.  

I have ZoneAlarm Firewall
I have StopZilla PopUp stopper
I have ADaware

Sorry I'm so computer dumb but I think most of us are or we wouldn't be here asking for help.  Thanks for being so patient.
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 01:32:32 AM
hi,

please disable RESTORE and reboot..
a how-to you can find in my "virusRemoval"link

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 01:58:16 AM
OK, but why can't I simply delete the virus from my chest like I did all the rest??

In other words (and I think a lot of people will want to know this)  How do you know when you have to disable system restore and reboot and when can you simply delete the virus from the chest or from the warning screen?

I'll see if I can get someone more adept at computers to do it tomorrow if it is really necessary.

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 03:45:34 AM
Well I tried to follow those steps and got so confused.

I turned off the restore and downloaded a file from one of the places to scan my file but I can't find where it was downloaded to....  I kept reading and those directions are very hard for a novice to follow.

Control/Alt/Delete and remove what?   How do I know which to remove.

This has got to be made easier.  Anyone know of a place with directions a dummy like me can follow?
Title: Important Question
Post by: BarbeeGee on August 08, 2004, 03:54:52 AM
I went into the chest, highlighted the line with the virus in my restore file, clicked on RESTORE in Avast and got this message:  

Restoring of selected files

Action was completed successfully!


So am I good to go now?
Title: Re:Important Question
Post by: whocares on August 08, 2004, 04:28:30 AM

So am I good to go now?

No ...

you maybe just reactivated a virus..

*

please do a full-scan with avast, and report results..

also reread the "VirusRemoval", and the "User's FAQ"'s in Off-Topic forum..
and post a hijackthis-Log

.
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 04:31:44 AM
OK, but why can't I simply delete the virus from my chest like I did all the rest??

you can of course....
but imho even avast can't remove a file from WIN's _RESTORE folder...

that's why you had to disable restore..

and ask yourself.. is restoring a (formerly deactivated) virus from avast's chest a good idea ?



 ;)
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 04:35:00 AM
OUCH

I thought restore would restore it to what it was...like repair.  

Ok doing a scan.  

Not sure what a hijack is.

These virus spreaders are really making it tough for us non-tech people
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 05:20:18 AM
OK scan is complete and no viruses were found.

What next?   Am I clear then?
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 05:43:02 AM
So I reread your last post and decided you must be right, and even though my Avast scan came out perfectly clear I went into the chest, highlighted the virus again and this time chose: Scan.  So I scanned the virus and the alarm went off.

I'm back to square 1
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 06:03:16 AM
OK I turned off the restore from My Computer, I rebooted. Now when I tried to take the check off the box to turn restore back on, my computer froze.   How do you get it back on?

Title: Re:Repeated alerts for same virus
Post by: Eddy on August 08, 2004, 09:05:41 AM
Please read the page I have in my signature. I think that will make some things clear for you. If you want, also follow the steps mentioned there to make sure your system is clean. Keep us informed.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 06:32:03 PM
I followed the steps... now how do I turn the restore function?    When I tried it last night my computer froze.
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 06:58:16 PM
now how do I turn the restore function?    

--> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

read the last lines at the bottom of the page..

maybe it works better if you do it in SafeMode (F8-Boot):
Click here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)


Also you might want to postpone this until we've seen your hijackthis-Log;
follow the instructions here:
http://hjt.klaffke.de/en
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 07:15:25 PM
I can't send log file... it tells me it is too long.

It won't go as an attachment either.
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 07:46:19 PM
when you follow the instructions, you will get a text file with the log..
normally, it even opens automatically..

mark & copy all the text, and then paste it here in a posting..

if it's really too long: mark, copy and paste the log in split parts.. like 30 lines apiece..

P.S.: a very long hijackthis-Log is often a reaaallyyy bad sign
 ;)
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 07:49:03 PM
I play Pogo a lot and most of the files are Pogo.

OK here is the beginning:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 07:49:31 PM
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\WinZip2\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\UNZIPFOLDER\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=1928356723113218
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.simartshop.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll/options.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zillafind.com/getPageResults.do?doProcessing=true&query=%s
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: comments (such as these) may be inserted on individual
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 07:49:59 PM
O1 - Hosts: 255.255.255.255 www.casinoxo.com
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZILLAbar - {8FC8AE66-AC15-4C0D-9E9A-51296A0C52FA} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: GStartup.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Search.vbs
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip2\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 07:50:26 PM
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Ali Baba Slots TM by pogo - http://temp35.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: Animal Ark by pogo.com - http://play23.pogo.com/applet/animal/animal-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.2.19/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Cribbage by pogo.com - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-5.8.5.21/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dominoes by pogo.com - http://temp36.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet-5.8.5.21/videopoker2/doubledeuce-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.9.0.25/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
O16 - DPF: Hearts by pogo.com - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://hspoker02.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo.com - http://hspoker05.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-5.8.5.21/videopoker2/jokerswild-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo.com - http://vpjoke02.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.1.18/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: lass414 - https://onlinegames2.lasseters.com.au/classes/lass414.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.8.6.20/mahjong/mahjong-ob-assets.cab
O16 - DPF: NASCAR Web Racing by pogo - http://nascar.pogo.com/applet-5.9.1.18/nascar/nascar-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.9.0.25/freecell/freecell-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.0.25/waterwheel/waterwheel-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.3.20/flinger/flinger-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire27.pogo.com/applet-5.8.3.26/piratesgold/piratesgold-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 07:51:09 PM
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit23.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://temp92.pogo.com/applet/slots/scifi-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://spades12.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://temp40.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo.com - http://sweet04.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.8.2.19/holdem/holdem-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo.com - http://simball02.pogo.com/applet/simball/simball-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.2.19/topdown2/topdown2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.9.1.18/peaks/peaks-ob-assets.cab
O16 - DPF: Triviatron II by pogo.com - http://triviatron2.pogo.com/applet/triviatron2/triviatron2-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.9.0.25/jumbee/jumbee-ob-assets.cab
O16 - DPF: Tumble Bees by pogo.com - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://temp35.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo01.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-5.8.5.21/videopoker2/videopoker-ob-assets.cab
O16 - DPF: Word Riot by pogo.com - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.3.26/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.0.25/whackdown/whackdown-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.6.20/worldclass/worldclass-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://cobia.livehelpcasino.com/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v40/focus/focus.cab
O16 - DPF: {957BDEC2-50EA-4B01-ABF5-22F86364A914} (Trivia Control) - http://mirror.worldwinner.com//games/v41/trivia/trivia.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v48/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://fptest.onisak.com/software/v7/gp0/setup.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/gar.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/211/webolr/OCX/FlashAX.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

the end
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 08:00:22 PM
Hi,

good...

please also post the beginning/the header of the Log..

*

((EDIT: PS2.exe is probably ok if you got a HP-computer))

O4 - Global Startup: Search.vbs

check the above file with online scanners from KAV, RAV and Trend (see link "VirusRemoval" below) and report the results..

also fix all R0, R1, O1 & O2 entries that you don't know or need

(except this one:
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
)

"fix" means: place a checkmark in the square in front of the respective line and then click the button "fix checked" in hijackthis..

reboot, and post a new log..

without listing  the O16 ..POGO entries..



    ;)
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 08:02:07 PM
well the last list is not quite so good..

if you trust POGO then don't list them, but list all the remaining O16 - DPF ... entries again



Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 08:04:19 PM
Logfile of HijackThis v1.97.7
Scan saved at 1:12:57 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

I downloaded one of those scanners last night and can't find it on my computer.  It didn't give me the option of where it should go or would go.  I'll try again.
Title: Re:Repeated alerts for same virus
Post by: Stephan123 on August 08, 2004, 08:06:46 PM
where's the log??
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 08:10:14 PM
There are at least 2 trojan-downloader in your O16 - DPF entries:

QDow.cab infected by "TrojanDownloader.Win32.QDown.l" Virus.

UCSearch.CAB infected by "TrojanDownloader.Win32.VB.bn" Virus.


the best way would be to clear them all out, or at least the ones you don't know

(they will all be redownloaded next time you need to play and visit the respective site....)
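
The review the helpers describe in this thread (look at the R0/R1, O1, O2 and O4 Startup entries, and at every O16 - DPF entry that does not come from a site you trust), sketched as a script. This is an added example, not part of the original thread and not part of HijackThis; the function names, reason labels and trusted-domain set are assumptions, and the sample lines are copied from the log posted above.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 255.255.255.255 www.casinoxo.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O4 - Global Startup: Search.vbs
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip2\WZQKPICK.EXE
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")      # "O16 - DPF: ..."
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")


def host_is_trusted(host, trusted):
    """True if host equals, or is a subdomain of, a domain the analyst trusts."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def first_url_host(text):
    """Hostname of the first http(s) URL in text, or None."""
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None


def classify(code, body, trusted):
    """Return a review reason (labels are this example's own) or None."""
    if code in ("R0", "R1"):
        # Internet Explorer start/search settings pointing at an unknown site.
        host = first_url_host(body)
        if host and not host_is_trusted(host, trusted):
            return "ie-setting-unknown-site"
    elif code == "O1":
        # Hosts-file entries: anything mapped to a non-local address is a redirect.
        fields = body.partition("Hosts:")[2].split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            return "hosts-unparsed"          # line does not start with an IP
        if not (ip.is_loopback or ip.is_unspecified):
            return "hosts-redirect"
    elif code == "O2":
        # Browser Helper Object registered with no file behind it.
        if body.rstrip().endswith("(no file)"):
            return "bho-no-file"
    elif code == "O4" and "Startup:" in body:
        # Startup-folder items ("Startup:" / "Global Startup:") that are scripts.
        item = body.split("Startup:", 1)[1].split("=")[0].strip()
        if item.lower().endswith(SCRIPT_EXTS):
            return "startup-folder-script"
    elif code == "O16":
        # Downloaded Program Files (ActiveX) fetched from a site not on the trust list.
        host = first_url_host(body)
        if host and not host_is_trusted(host, trusted):
            return "dpf-unknown-source"
    return None


def triage(log_text, trusted_domains):
    """Return [(reason, line), ...] for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reason = classify(m.group(1), m.group(2), trusted_domains)
        if reason:
            findings.append((reason, line))
    return findings


if __name__ == "__main__":
    # Trust list is the analyst's choice; the poster said she trusts Pogo.
    for reason, line in triage(SAMPLE_LOG, {"pogo.com"}):
        print(f"{reason:26} {line}")
```

The output is a list of entries to look at by hand or submit to an online scanner, not a verdict: a flagged line can be harmless and an unflagged one is not proven clean.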

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 08:12:09 PM
OK I'm scanning with RAV now.
When I check the O16 will that do it (get rid of them?)

This gets more confusing all the time
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 08:13:51 PM
when you check them, and then click "FIX checked" and then reboot..

 ;)

please REread "VirusRemoval" below with special care on how to secure your system & browser better..

Title: Re:Repeated alerts for same virus
Post by: Eddy on August 08, 2004, 08:21:41 PM
Fix all lines starting with O16 - DPF
Also fix these lines :
\progra~1\adelph~1\smartb~1\motivesb.exe
\progra~1\hpinst~1\plugin\bin\pchbutton.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=1928356723113218
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://www.searchwww.com/
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://www.searchwww.com/bar.html
o1 - hosts: 216.93.168.167 auto.search.msn.com
o1 - hosts: 216.93.168.167 auto.search.msn.com
o1 - hosts: comments (such as these) may be inserted on individual
o1 - hosts: 255.255.255.255 www.casinoxo.com
o1 - hosts: 216.93.168.167 auto.search.msn.com
o1 - hosts: 216.93.168.167 sitefinder.verisign.com
o2 - bho: (no name) - {0000607d-d204-42c7-8e46-216055bf9918} - (no file)
o2 - bho: (no name) - {4e7bd74f-2b8d-469e-dff7-ec6bf4d5fa7d} - (no file)
o4 - hklm\..\run: [motive smartbridge] c:\progra~1\adelph~1\smartb~1\motivesb.exe
o4 - hklm\..\run: [kernelfaultcheck] %systemroot%\system32\dumprep 0 -k
o4 - startup: powerreg scheduler.exe
o4 - global startup: gstartup.lnk = ?
o4 - global startup: precisiontime.lnk = c:\program files\precisiontime\precisiontime.exe
o4 - global startup: search.vbs
o8 - extra context menu item: web savings - file://c:\program files\websavingsfromebates\system\temp\ebateswebsavings_script0.htm

Then create a new log and copy/paste it HERE (http://hijackthis.de/index.php?langselect=english)

Fix also all the things that site reports as bad, and research the unknown things to see what they are. If bad (spy-/adware, virus, trojan etc. related) fix them also. After doing so, reboot and run a full system scan with Avast.
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 08:32:42 PM

\progra~1\adelph~1\smartb~1\motivesb.exe
\progra~1\hpinst~1\plugin\bin\pchbutton.exe

o4 - hklm\..\run: [motive smartbridge] c:\progra~1\adelph~1\smartb~1\motivesb.exe
o4 - hklm\..\run: [kernelfaultcheck] %systemroot%\system32\dumprep 0 -k

[EDITED]


Hi Artras, please recalibrate your HJT-Analyzer..

why would you fix those ?

these items are not necessary, but not evil..

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 08:37:13 PM
I don't want to touch any files that begin with Adelphia because that is my cable company.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 08:38:21 PM
The scan is still in progress but so far it found this:

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs - VBS/Krepper.A* -> Infected
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 09:22:09 PM
I saw at least 4 viruses on the log and then when the scan was done... the window closed and was gone.

Now that scan took over an hour...  do I have to do it all over again and why did it close before I could copy it?
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 09:26:35 PM
This is scary.   I thought if I purchased AVAST I'd be virus free and I wouldn't have to go through all this rigmarole.

Now I discover 4 or 5 viruses?    Just what exactly is AVAST doing?
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 09:41:20 PM
NO virus-scanner detects everything..

-> you also have to exercise some caution and common sense when using your PC / surfing / emailing..

please 1st follow the advice from Eddy and me to clean up your Hijackthis-Log

then reboot and post a new log..

the Onlinescan shouldn't close unless you clicked the wrong button.. try the one to the lower right where it says "REPORT"

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 10:03:17 PM
You are not going to be happy with me.

I closed Hijack and now the report is gone.  I'll have to wait until the scan finishes and redo that too.

I went into Startup and disabled the place where the scan said there was a virus:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs - VBS/Krepper.A* -> Infected
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 10:05:55 PM
you say:  you also have to exercise some caution and common sense when using your PC / surfing / emailing..



I never open an attachment EVER.  How do you use caution surfing... I go to medical site, I go to The Sims sites and forums, I go to Pogo (a reputable game site).
I don't do much of anything else.    

So what am I doing wrong?
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 10:31:13 PM
Scan started at 8/8/2004 3:23:18 PM
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs - VBS/Krepper.A* -> Infected
C:\WINDOWS\pss\Search.vbsCommon Startup - VBS/Krepper.A* -> Infected
C:\WINDOWS\system32\ATPartners.dll - TrojanDownloader:Win32/Rameh.C -> Infected
C:\WINDOWS\system32\bolae9.dll - TrojanDownloader:Win32/Rameh.B -> Infected

Scanned
============================
   Objects: 125730
   Directories: 7118
   Archives: 22191
   Size(Kb): -1959519
   Infected files: 4

Found
============================
   Viruses found: 3
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 1176

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 10:37:02 PM
Logfile of HijackThis v1.97.7
Scan saved at 4:35:41 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\WinZip2\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Owner\My Documents\UNZIPFOLDER\hijackthis[1]\HijackThis.exe

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZILLAbar - {8FC8AE66-AC15-4C0D-9E9A-51296A0C52FA} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip2\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 10:39:19 PM
you went to

h**p://www.armbender.com/
h**p://dst.trafficsyndicate.com/

or were redirected to it (maybe BAD Browser settings) or installed dubious software that downloaded stuff from there..

--> both obviously BAD sites, since they host/spread trojan files..

AND your Browser (InternetExplorer ?) is configured insecurely that it could download the trojan-files (probably in the background/unnoticed by you...)

P.S.: Both trojans are imho not really that dangerous, but are probably just adware/spyware/Search-page-hijackers.. related

Info:
QDOWN (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=QDown&product=0)

VB-bn (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=TrojanDownloader.Win32.VB.bn&product=0)

 ;)
Title: Re:Repeated alerts for same virus
Post by: whocares on August 08, 2004, 10:59:20 PM

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs - VBS/Krepper.A* -> Infected
C:\WINDOWS\pss\Search.vbsCommon Startup - VBS/Krepper.A* -> Infected
C:\WINDOWS\system32\ATPartners.dll - TrojanDownloader:Win32/Rameh.C -> Infected
C:\WINDOWS\system32\bolae9.dll - TrojanDownloader:Win32/Rameh.B -> Infected


if a THOROUGH scan with UPDATED avast really cannot detect these, then please send the above files to
virus (at) avast.com
(best in a password-protected ZIP-archive)

*

try deleting the files in SafeMode (F8-Boot) or follow the red links to instructions here:
Krepper (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=VBS%2FKrepper.A&product=16)

Rameh.B (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Win32%2FRameh.B&product=16)

Rameh.C (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Win32%2FRameh.C&product=16)


--> SPYBOT & Ad-AWARE could also help, see "VirusRemoval"



AFTER you've scanned & fixed with Spybot & ad-Aware AND had a go at the Removalinstructions...:

reboot, then UPDATE Hijackthis to version 1.98.2 via its internal Updater: -> config -> MiscTools -> Update

best unpack the downloaded ZIP-file into the same folder as before.


*

P.P.S.: before, fix
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
as instructed..

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 11:37:02 PM
I have been to neither of those sites and I don't see them in my history.

I don't even know what they are.   Despite my popup stopper I do get a lot of popups.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 11:39:08 PM
I have automatic update so there is no reason to believe I am not up-to-date on my AVAST.

I will send them.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 11:40:32 PM
Can you give me the correct setting for Explorer?
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 08, 2004, 11:44:10 PM
According to this, the virus put me at those sites unbeknownst to me.

 

Virus Encyclopedia Search Results

VBS_KREPPER.A
Aliases: VBS/Krepper.A*, TrojanClicker.VBS.Krepper, Trj/Krepper.E
Upon execution, this Trojan opens a new Internet Explorer window with a height and width value of zero, making the said window invisible to users. It then accesses the following site using ...
 
 What I want to know is how the heck did I get it in the first place since I don't open attachments.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 12:15:42 AM
Can you help me with these?

I don't recognize any of them... can I safely "FIX" them?

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://cobia.livehelpcasino.com/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v40/focus/focus.cab
O16 - DPF: {957BDEC2-50EA-4B01-ABF5-22F86364A914} (Trivia Control) - http://mirror.worldwinner.com//games/v41/trivia/trivia.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v48/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://fptest.onisak.com/software/v7/gp0/setup.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/gar.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/211/webolr/OCX/FlashAX.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 12:16:45 AM
I don't do live chat so I have no idea why I have Yahoo and MSN chats here.

I just don't want to screw anything up.  Looks like things are pretty clean.

Thanks for all your help!!!!!!!!!!!!!!!!!!!!!
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 09, 2004, 12:24:56 AM
DPF is short for Downloaded Program File. These are things you downloaded. And you do visit quite some ad-/spyware spreading sites. That is most likely why you get into trouble.
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 01:09:26 AM
Decided to do one more scan with RAV and already I got a new virus and I haven't done anything!!!!!

Scan started at 8/8/2004 6:46:13 PM
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXNCTK7A\UCSearch[1].CAB->UCSearch.ocx - TrojanDownloader:Win32/VB.BN -> Infected
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 09, 2004, 01:14:29 AM
Quote
and I haven't done anything!!!!!
Yes you have done something. You visited malicious sites, that's why/how. See this entry in the HJT log. You were there!

O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
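Added example, not part of the original thread and not HijackThis code: a small parser for the log line format pasted above that compares an earlier and a later log, lists the O16 (DPF) entries that are new, and notes why each deserves a closer look. The function names and the `WATCH_HOSTS` set are hypothetical; the two sample logs are constructed from lines that appear in this thread, including one cut-off line.

```python
import re
from urllib.parse import urlsplit

# Item lines look like "<code> - <body>", e.g. "O16 - DPF: {CLSID} (Name) - URL".
ITEM_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.+?)\s*$", re.IGNORECASE)
# O16 body: CLSID, optional "(control name)", then the download URL.
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]{36}\})\s+(?:\((.*?)\)\s+)?-\s+(\S+)$")

# Hosts an analyst chooses to watch; here the two named earlier in the thread.
WATCH_HOSTS = {"www.armbender.com", "dst.trafficsyndicate.com"}

# Constructed sample: earlier log (excerpt built from lines in the thread).
BEFORE = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Constructed sample: later log, with two new O16 entries and one truncated line.
AFTER = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-
"""


def parse_items(log_text):
    """Return (section_code, body) per item line; header and process lines are skipped."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group(1).upper(), m.group(2)))
    return items


def dpf_entries(items):
    """Split O16 items into parsed entries and bodies that do not fit the DPF layout."""
    parsed, malformed = [], []
    for code, body in items:
        if code != "O16":
            continue
        m = DPF_RE.match(body)
        if not m:
            malformed.append(body)  # e.g. a line cut off when the log was pasted
            continue
        clsid, name, url = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        parsed.append({"clsid": clsid.upper(), "name": name, "url": url, "host": host})
    return parsed, malformed


def new_dpf(before_text, after_text):
    """DPF entries in the later log whose CLSID was absent from the earlier one."""
    old, _ = dpf_entries(parse_items(before_text))
    new, malformed = dpf_entries(parse_items(after_text))
    seen = {e["clsid"] for e in old}
    return [e for e in new if e["clsid"] not in seen], malformed


def triage(entry, watch_hosts):
    """Reasons to look at an entry before deciding whether to fix it."""
    reasons = []
    if entry["host"] in watch_hosts:
        reasons.append("host on watchlist")
    if entry["name"] is None:
        reasons.append("no control name")
    return reasons


if __name__ == "__main__":
    added, malformed = new_dpf(BEFORE, AFTER)
    for e in added:
        print(e["clsid"], e["host"], triage(e, WATCH_HOSTS))
    for body in malformed:
        print("could not parse:", body)
```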
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 01:17:49 AM
I went there out of curiosity... to see what it was that I was supposed to have visited but didn't.  And it was a blank page!!!!  It had a #1 on it.

I would never have gone there if you hadn't insisted I'd been there and I knew I had not.

Back to the beginning.....

Curiosity killed the cat... MEOW
Title: Re:Repeated alerts for same virus
Post by: galooma on August 09, 2004, 01:18:59 AM
You can safely delete / fix any or all of the entries beginning with O16 as they are downloaded from sites when u visit. If you need them then you may have to wait an extra few seconds next time you visit for it to reload but removing them does no damage and may clear up your HJT report a little  ;)
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 01:26:16 AM
Thank you!!!!     Some of them were very old.
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 09, 2004, 01:28:04 AM
BarbeeGee,

You had problems, we helped you with it. We say it is harmful and still you go there? That isn't really smart and is asking for problems :-\ You wondered where msn and yahoo came from. Well you or someone that is using your comp went there and installed things. Elves don't exist so they can't have done it.
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 09, 2004, 01:29:43 AM
Quote
Some of them were very old.
No they are not. Your HJT log was clean and now is dirty again. So they are very new !
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 01:45:12 AM
OK.... How do I find this virus?

In SafeMode I couldn't find it.  Can I just delete all the Temporary Files.  There is none named

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXNCTK7A\UCSearch[1].CAB->UCSearch.ocx - TrojanDownloader:Win32/VB.BN -> Infected

I meant that some of the Downloaded sites O16 were very old.
Title: Re:Repeated alerts for same virus
Post by: galooma on August 09, 2004, 01:51:42 AM

Yes, by all means, one of the first things you should do is dump all your temp internet files. If you clean out all your cookies you may lose some saved passwords for your gamesites so do it with caution, but this is an important step in staying clean. ;D
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 01:57:40 AM
Eddy,  Sorry if I sounded like I was blaming you guys for my stupid curiosity... I wasn't, I'm just frustrated.

Here is my new log:

Logfile of HijackThis v1.97.7
Scan saved at 7:51:04 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\Program Files\WinZip2\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\My Documents\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZILLAbar - {8FC8AE66-AC15-4C0D-9E9A-51296A0C52FA} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip2\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://fptest.onisak.com/software/v7/gp0/setup.exe
15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/211/webolr/OCX/FlashAX.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-

Title: Re:Repeated alerts for same virus
Post by: galooma on August 09, 2004, 02:12:18 AM
is the toolbar something you need
O3 - Toolbar: ZILLAbar - {8FC8AE66-AC15-4C0D-9E9A-51296A0C52FA} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
because these things are notorious for having extra unseen content, as is incredimail I might add. If you feel comfortable now with the feel of the system then that's great. If you want to secure yourself a little more I might suggest some spyware protection like spywareblaster and spybot SSD; these are freeware and available all over the place, check the links topic in general topics forum. Good luck  8)  If you want some more reassurance maybe another online scan from PANDA might find something else
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 02:22:26 AM
First of all I did not go to those sites of my own free will except today for curiosity.

Virus Encyclopedia Search Results

VBS_KREPPER.A
Aliases: VBS/Krepper.A*, TrojanClicker.VBS.Krepper, Trj/Krepper.E
Upon execution, this Trojan opens a new Internet Explorer window with a height and width value of zero, making the said window invisible to users. It then accesses the following site using ...


Secondly, the programs you listed... are they something different than what I already have?
Stopzilla  (I think that is the Zilla toolbar)
Avast
ZoneAlarm Firewall
Ad-Aware


Also I cleaned out my temp files and that virus file doesn't appear in the new log.   Hopefully it is gone.  I'm doing another RAV scan to be sure.
Thanks.
Title: Re:Repeated alerts for same virus
Post by: galooma on August 09, 2004, 02:30:36 AM
The programs I mentioned, SPYWAREBLASTER and SPYBOT SSD, are just to add another layer of defense to your PC. They both have resident shields which detect things that AVAST might struggle with, and best of all is that there are no conflicts and they use very little resources. No program will do everything but the more you have the better your chances. Just remember about once a week to update them and then run them to see what they find.
Keep the programs you have as they are important as well, and don't forget to visit windows update regularly and get all those patches. Good Luck  8)
Title: Re:Repeated alerts for same virus
Post by: BarbeeGee on August 09, 2004, 03:22:10 AM
I got a sparkling clean report from RAV.  

Better that I had to do everything twice because now maybe I'll remember how when it happens again.

Thanks for all your help:  Who Cares, Galooma, and
Eddy.

You are the best!
Title: Re:Repeated alerts for same virus
Post by: yankanuk on August 09, 2004, 06:10:29 PM
I also have that trojan. Does anyone know a safe way of removing it without stopping windows restore?
Thanks
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 09, 2004, 06:31:20 PM
Quote
I also have that trojan. Does anyone know a safe way of removing it without stopping windows restore?
What tells you, you have the same trojan? NOTHING DOES! gen=generic!

Have you already followed the things we told in this thread?

Disabling system restore ain't a bad thing, since system restore is almost plain BS. You get a virus (or other infection) without knowing it. You install other things, make (setting) changes and such and then the harmful process starts. You remove it and reboot. System restore will put it back! So you still have the problems.

Much better than system restore is using COMMON SENSE and create a regular backup.
Title: Re:Repeated alerts for same virus
Post by: SUSZANNAH on August 09, 2004, 11:24:13 PM
I had similar problems a while ago, when I was doing scans I had over 42000 restore files, it took well over an hour to scan, so following advice I disabled restore and it now only takes me minutes to do any scan, I would never use restore again, hope this helps  :)
Title: Re:Repeated alerts for same virus
Post by: atp2007 on August 10, 2004, 02:46:37 AM
I am in an absolute panic.  I also did the turn off System Restore routine and then turned it back on after rebooting.  Once I said OK to system restore my PC totally froze, can't even turn it off!!!  I've got photos on it that I can't replace and hadn't yet gotten burned to a disc.  panicsville!!!!
Title: Re:Repeated alerts for same virus
Post by: SUSZANNAH on August 10, 2004, 02:52:39 AM
The clever guys will be able to help you on that, I didn't put restore back on, as I was told there was a problem with it and Microsoft were bringing a patch out for it, would rather just back up instead, I'm sure one of the boys will help you........
Title: Re:Repeated alerts for same virus
Post by: whocares on August 10, 2004, 02:53:22 AM
can't even turn it off!!!  

if
- CTRL ALT DEL or
- the reset button or
- pressing the power-button for 4 seconds doesn't help:

pulling the plug persuades even the most stubborn PCs to shut down.. ;D

afterwards:
- try rebooting to last known good configuration or in SafeMode (F8-Boot)
- if that doesn't help: can you boot from XP-CD and see your data then ?

and give us more info about the virus location and system/Win-info ;)
Title: Re:Repeated alerts for same virus
Post by: Eddy on August 10, 2004, 02:58:05 AM
atp2007,

Panic will only make things worse. So take a deep breath, calm down {if needed take a beer :)} and tell us exactly what your problem is and what you have done so far.