Avast WEBforum
Other => Viruses and worms => Topic started by: bassman on August 21, 2004, 04:43:54 PM
-
I have tried everything...how do I get rid of this thing??
-
I have tried everything
No you did not, or it would have been gone ;D
Send it to the chest and remove it from there. Also post a HijackThis log here and let us have a look at it.
-
It seems that Ad-Aware has neutralized it enough that Avast took care of it. Boo-ya for the home team!!
-
I have the same :'( :'( :'(
I am running an Avast scan and it keeps finding infected files, I erase them and then the scan goes on again....
What should I do?
How did you get rid of it??
What does it do to the computer?
-
Click on the link in my signature and follow the steps on that page.
-
Thanks Eddy.
Kind of you to help me out. (on a Sunday!)
I'm trying to follow the instructions, but I won't be able to install a firewall...
Do we know the effects of this trojan to the computer?
-
but I won't be able to install a firewall...
Why not?
The effects are the same as with any trojan.
-
I don't know the first thing about installing a firewall.
I have a router connecting both a pc and a mac to the adsl (I don't know if this is relevant...)
I have just rebooted my pc after having run all scans by Avast and Adaware, and I don't hear that terrible warning that I am infected, so maybe I'm fine.
Do trojans all do the same thing? I thought some were more harmful than others... I guess I'm just too old for this stuff...
-
HERE (http://82.74.128.67/forum/index.php?act=ST&f=6&t=6&s=952bd6b52feeee658cd1bc23384464f1) are some definitions about trojans, worms, viruses etc. I think that will explain it to you.
It could be your router already has a firewall built in. Check the manual I would say. If not it is very much recommended to install one.
Free software firewalls can be found at:
ZoneAlarm (http://www.zonelabs.com)
Kerio (http://www.kerio.com)
Sygate (http://www.sygate.com)
-
OMG! I was scanning with Avast when at one point the scan kinda stopped while scanning Windows. I waited and nothing happened, so I stopped and I'm starting again...
-
It has appeared again! I deleted it and I didn't get the message saying it couldn't be deleted like yesterday before doing the procedure.
I'm running another scan...
Is this trojan very harmful?
-
Click on the link in my signature and follow the instructions on that page. That will remove all malware.
-
But yesterday I ran several scans after following your instructions, and avast didn't find the virus anymore, so how can it just reappear today?
-
Either you didn't remove it properly, or you got infected again. What file is reported as infected and what is its location?
-
You haven't gotten rid of it, you didn't delete it or even better put it in the chest.
so how can it just reappear today?
Magic? ;D I don't think so. You re-started your computer!!!!!
Please follow Eddy's instruction so you can get rid of it and report back here if you need more help.
-
I stupidly deleted it immediately without taking the time to copy the exact path of the infected file when I got the alert. All I can remember is that it was a restore file. So yes it must have come back when I restarted the computer.
OK I'll go through the procedure again although I'm wondering why it didn't work the first time...
-
If you are sure it was in the %system%\restore folder, just disable System Restore and the problem is solved.
-
altar
Don't forget to re-activate System Restore after you reboot provided you still intend to use System Restore.
-
!? What do you mean? That once I'm sure I got rid of the virus I should re-activate system restore?
I used another method to disable it this time, via the Use Group Policy Editor...
But yesterday I thought I had done it using the Registry Editor...
So if I want to re-activate it must I undo both disabling procedures?
Also, nobody has told me anything about the effects of this virus. Can it damage my discs or anything?
Ok, I disabled the restore system, I restarted the computer, ran a scan and it found nothing: so is the virus gone?
-
!? What do you mean? That once I'm sure I got rid of the virus I should re-activate system restore?
Yes
So if I want to re-activate it must I undo both disabling procedures?
Probably..
if you don't know this, then you probably shouldn't mess with Group Policies anyway..
Is the RESTORE folder gone or all empty now?
VirusInfo:
VGREP (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=trojano-247&product=0)
might just be an ADWARE-Downloader
Trojano-247 is a GENERIC identification, so:
without the full path/folder/filename (see Avast Reports/logs or Windows' event-log) and best the results of onlinescanners on the file, no more info is possible..
;)
-
if you don't know this, then you probably shouldn't mess with Group Policies anyway.
Do I have an alternative if I want to get rid of this virus???
I attached a log from avast, dunno if its useful....
-
yes, by ...
- supplying more info
- Read the link "VirusRemoval" below in my sig and secure your System & Browser better !!
- read here: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
;)
-
I attached a copy of the avast log...
-
You not only have that trojan, but also other malware. Please post a HijackThis (http://members.home.nl/edeijl/download/hijackthis.exe) log here.
-
here it is, sorry if I did it wrong, I saved it as a notepad document...
And thx for all your help guys!
-
==========================================================================
ANALYZER INFORMATION
==========================================================================
bad.dat version : 15
good.dat version : 15
rec.dat version : 8
dasb.dat version : 1
sus.dat version : 3
==========================================================================
VERSION INFORMATION
==========================================================================
==========================================================================
GENERAL INFORMATION
==========================================================================
All items in the log file which are not shown here
as to be deleted or safe to keep need to be investigated.
This website has a link to a tutorial on the hijackthislog:
http://members.home.nl/acred/cleaning.htm
Also use www.google.com to find out more on items not listed here.
==========================================================================
THESE ITEMS SHOULD BE REMOVED:
==========================================================================
\windows\system32\resetservice.exe
\program files\ttxg\atnmtgo.exe
\program files\windupdates\winupdt.exe
o2 - bho: v3boh class - {76eae03c-f2b1-4397-97e8-390920b7c2dc} - c:\program files\ahnlab\v3\v3bar.dll (file missing)
o2 - bho: nls urlcatcher class - {aeecbfda-12fa-4881-bdce-8c3e1ce4b344} - c:\windows\system32\nvms.dll
o2 - bho: (no name) - {c18517da-ca70-46ce-86f4-882f6b62e975} - c:\windows\system32\drivers\user\bms.dll
o4 - hklm\..\run: [windupdates] c:\program files\windupdates\winupdt.exe
o8 - extra context menu item: web savings - file://c:\program files\websavingsfromebates\system\temp\ebateswebsavings_script0.htm
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=d25687639c9299a76b6a9158ac30f213893caa80138c732235a7f84005dbbdff536e8347975315f82756783740bad9cd433dd9:7e9a9bb989c56a97bbde5ad8573197fa
o16 - dpf: {1de9bb01-b121-401d-8877-bcd5ed5b7ee5} (tpwin control) - http://www.crezio.com/test/leeyunho/alwayson/alwayson.cab
o16 - dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (yinststarter class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
o16 - dpf: {51c99f40-9e0e-4bf1-a92a-77121cc01ad0} (imbcclient control) - http://touch.imbc.com/ocx/touch.cab
o16 - dpf: {62475759-9e84-458e-a1ab-5d2c442adfde} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/quicktimeinstaller.exe
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1093175798015
o16 - dpf: {66b30ea0-c033-4d4b-9f90-ea0af07363af} (bugsmediaplayer control) - http://so.bugs.co.kr/bugsoggplay_11.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {7c9edeb2-a2e8-417a-85ec-fc10e9d64e1f} (stonemakeiconctrl class) - http://inc-image.stoneradio.com/activex/stoneicon/stoneradioicon.cab
o16 - dpf: {90231c0e-765e-4429-8f70-f4e9a0f8d348} (webctrl class) - http://www.mukebox.com/mukeplayer/p3aodsvr.cab
o16 - dpf: {a1cccff4-0df9-4ffc-99a3-a37a0f3d8e18} (p3bgset class) - http://player.bugs.co.kr/install/bugsloader20040811.cab
o16 - dpf: {cf362bdb-4ea2-11d5-ab47-000102913414} (setglb control) - http://so.bugs.co.kr/setglb.cab
o16 - dpf: {d8f001c6-43b1-4cfd-9daf-c8beae0e2b6d} (touch control) - http://touch.imbc.com/ocx/online.cab
==========================================================================
THESE ITEMS ARE NOT NEEDED TO LOAD AT BOOTTIME FOR
THE SYSTEM TO WORK, IT IS RECOMMENDED TO REMOVE THEM:
==========================================================================
o4 - hklm\..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
o4 - hkcu\..\run: [rsd_hddthermo] c:\program files\hdd thermometer\hdd thermometer.exe
o4 - hkcu\..\run: [msmsgs] "c:\program files\messenger\msmsgs.exe" /background
==========================================================================
THE FOLLOWING ITEMS ARE NOT KNOWN. IF YOU HAVE ANY
INFORMATION ABOUT THEM, PLEASE LET US KNOW.
==========================================================================
\mykeyword.exe
\program files\mvq\dgc.exe
o2 - bho: cb urlcatcher class - {ce188402-6ee7-4022-8868-ab25173a3e14} - c:\windows\system32\mscb.dll
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o4 - hklm\..\run: [hncupdate] c:\windows\system32\hncupdate.exe /a
o4 - hklm\..\run: [idv] c:\program files\ttxg\atnmtgo.exe
o4 - hklm\..\run: [winagent] c:\mykeyword.exe
o4 - hklm\..\run: [nea] c:\program files\mvq\dgc.exe
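A small triage helper for the O2/O4/O16 lines of a log like the one above, written in Python as an added example for this thread (it is not a HijackThis or Avast tool). The sample lines are constructed from entries in the posted log; the EXPECTED_DIRS prefixes and the DPF_HOSTS_OK allowlist are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the style of the HijackThis log posted above (not the full log).
SAMPLE_LOG = [
    r"o2 - bho: v3boh class - {76eae03c-f2b1-4397-97e8-390920b7c2dc} - c:\program files\ahnlab\v3\v3bar.dll (file missing)",
    r"o2 - bho: nls urlcatcher class - {aeecbfda-12fa-4881-bdce-8c3e1ce4b344} - c:\windows\system32\nvms.dll",
    r"o4 - hklm\..\run: [winagent] c:\mykeyword.exe",
    r'o4 - hkcu\..\run: [msmsgs] "c:\program files\messenger\msmsgs.exe" /background',
    r"o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/wuweb_site.cab",
    r"o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie",
]

# O2 = browser helper object, O4 = Run-key autostart, O16 = ActiveX "downloaded program file".
O2_RE = re.compile(r"^o2 - bho: (.+?) - \{([0-9a-f-]{36})\} - (.+?)( \(file missing\))?$", re.I)
O4_RE = re.compile(r'^o4 - (hklm|hkcu)\\\.\.\\run: \[([^\]]+)\] "?(.+?\.exe)', re.I)
O16_RE = re.compile(r"^o16 - dpf: \{([0-9a-f-]{36})\}(?: \(([^)]*)\))? - (\S+)$", re.I)

# Hypothetical allowlists for this example: where legitimate autostarts normally live,
# and which hosts are allowed to push ActiveX controls. Tune both per machine.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
DPF_HOSTS_OK = {"v5.windowsupdate.microsoft.com"}


def triage(lines, dpf_hosts_ok=DPF_HOSTS_OK):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in lines):
        if m := O2_RE.match(line):
            _name, clsid, dll, missing = m.groups()
            if missing:
                findings.append((line, f"dangling BHO {clsid}: {dll} is gone, remove the registration"))
            elif not dll.lower().startswith(EXPECTED_DIRS):
                findings.append((line, f"BHO {clsid} loads from unusual path {dll}"))
        elif m := O4_RE.match(line):
            hive, name, exe = m.groups()
            if not exe.lower().startswith(EXPECTED_DIRS):
                findings.append((line, f"{hive} run entry [{name}] starts {exe} outside Windows/Program Files"))
        elif m := O16_RE.match(line):
            clsid, _name, url = m.groups()
            host = urlsplit(url).hostname or ""
            if host not in dpf_hosts_ok:
                findings.append((line, f"ActiveX {clsid} fetched from unlisted host {host}"))
    # Path/host heuristics only: a known-bad list, as the analyzer above used, is still needed.
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Note that the nvms.dll BHO in the sample sits in system32 and is therefore not flagged by these heuristics, which is exactly why the analyzer's known-bad list still matters.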
-
:o oh my god, what a headache
-
Don't worry. We are here to help you and I have seen much much much worse :D
-
altar
To enable or disable System Restore, go to ControlPanel and select System
Then select SystemRestore.
-
why do these idiots at microsoft give an ultra complicated procedure to do that?
-
Eddy, should I delete the files directly from within the hijackthis log panel?
-
Bob, I don't have the System Restore tab
Must be because I disabled it using the Group Policy Editor and the Registry Editor before that, following Microsoft's stupid advice!!
Now I should try and undo all that and I'm not too sure how!!
-
altar
Must be because I disabled it using the Group Policy Editor and the Registry Editor before that, following Microsoft's stupid advice!!
Please clue me in, I'd like to know where that advice is?
I just did a search in the Windows Helpfile and this is what it says???????
I believe that's exactly where I took you.
-
I think he is referring to one of the two following pages.
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283073
-
altar
Now I should try and undo all that and I'm not too sure how!!
A STRONG word of advice. The Registry isn't a toy to play with. It's the fastest way I know to wind up doing an fdisk and a format and starting from scratch.
If you do make changes to the registry, the first thing to do is make a backup of the registry so in case you make a mistake, there is at least a possibility to repair the damage.
Group Policy Editor is another place where you can wind up with an unbootable operating system.
Please be careful. If you aren't sure, ask. It's better than having to start from scratch. :)
-
Eddy,
The first article uses the conventional method for shutting down System restore.
The second method requires the use of both regedit and Group Policy Editor.
However the 1st sentence states the following:
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Hopefully that was done.
-
You got it, it's the second article I followed, thinking it was the only way to disable System Restore...
And... no I didn't do a backup.... :-X
I know the Registry isn't a toy to play with, actually I'd rather never have anything to do with it at all. I was only trying to get rid of that virus...
Can I just go back and do exactly the opposite of what I did to reverse things and re-activate system restore?
-
Only if you remember exactly what you did.
-
well I just followed the instructions... I can delete the new key I created in the Registry, uncheck the tabs in the Group Editor...
Then I shall use only the control panel to disable System Restore...
-
I was running a scan including the archives and Avast found Win32:PurityScan-C [Trj] in here: C:\Documents and Settings\Sechan\Local Settings\Temporary Internet Files\Content.IE5\ZA4NR905\MediaTicketsInstaller[1].cab\MediaTicketsInstaller.ocx
Since I have not yet re-activated system restore, is it actually being deleted when I delete it?
-
If you're not getting an error message and the delete is being made, then it's gone.
-
Hi its me....... AGAIN!
I ran a scan including the archives, and at the end there are a number of files which Avast says it could not scan.
Most of them look like this:
C:/Documents and Settings/All Users/Application Data/Spybot-Search&Destroy/Recovery/DSOExploit1.zip/sbRecovery.reg
some other files are the same but end in .ini
What is weird is that I ran the same scan a couple of hours earlier and it didn't show anything.... I don't understand...
Do you know this type of files?
Can I delete them safely?
-
altar
I ran a scan including the archives, and at the end there are a number of files which Avast says it could not scan.
Most of them look like this:
C:/Documents and Settings/All Users/Application Data/Spybot-Search&Destroy/Recovery/DSOExploit1.zip/sbRecovery.reg
Password protected files in a safe folder created when you did a scan with Spybot. After your system has rebooted for a few times and you aren't having any problems, you can use Spybot to get rid of the backup files.
You can also add this folder to the Avast Exclusions. That way the files in this folder will be bypassed.
some other files are the same but end in .ini
You need to be more specific about these files. Thanks