Author Topic: Help needed! please!  (Read 6721 times)


FBS

  • Guest
Help needed! please!
« on: February 18, 2004, 03:42:42 PM »
I just found out about avast and I ran home edition 4.1 with a thorough scan and it says it found no infected files.

http://www3.ca.com/virusinfo/virusscan.aspx
+
http://housecall.trendmicro.com/housecall/start_corp.asp

found no viruses & lavasoft6.0 adware says I'm clean.

AVG anti-virus tells me I have 6 infected files!:

AVG Anti-Virus
Program version 7.0.211
Virus base 261.9.5
Release date: 17/02/2004

File h4ck3d.exe
Result/Infection Trojan horse Downloader.Zdown
Path C:\WINDOWS\system32\7oob.exe:\h4ck3d.exe

File root.sys
Result/Infection Trojan horse IRC/BackDoor.Flood
Path C:\WINDOWS\systems32\7oob.exe:\root.sys

File secure.BAT
Result/Infection Could be infected BAT/Generic
Path C:\WINDOWS\systems32\7oob.exe:\secure.BAT

File secure.exe
Result/Infection Trojan horse HideWindow
Path C:\WINDOWS\systems32\7oob.exe:\secure.exe

File spread.bat
Result/Infection Could be infected BAT/Generic
Path C:\WINDOWS\systems32\7oob.exe:\spread.bat

File system.sys
Result/Infection Virus found IRC/BackDoor.Flood
Path C:\WINDOWS\systems32\7oob.exe:\system.sys

Another online scanner http://www.ravantivirus.com/scan/indexie.php gives me the following results:

\Addons\clones3.ini - Flooder:IRC/Clonman* -> Infected
C:\mf-polaris2001\polaris2001\System\remotes\connect.ini - IRC/Generic* -> Suspicious
C:\WINDOWS\fps.exe->(ASPack 2.12) - Win32/Dumaru.H@mm -> Infected
C:\WINDOWS\system32\7oob.exe->(CABSfx)->h4ck3d.exe - TrojanDownloader:Win32/Zdown.1_01 -> Infected
C:\WINDOWS\system32\7oob.exe->(CABSfx)->secure.exe - Tool:HideWindows -> Infected
C:\WINDOWS\system32\dtxservice.exe - TrojanSpy/Win32.ProAgent.1_2 -> Infected
C:\WINDOWS\system32\jcxpif.exe->(UPXW) - Win32/HLLW.SpyBot -> Suspicious
C:\WINDOWS\system32\mirc.ini - Trojan:IRC/Flood.gen* -> Infected
C:\WINDOWS\system32\sysmgr.exe->(UPXW) - Win32/HLLW.SpyBot -> Suspicious
C:\WINDOWS\system32\Temp.scr - IRC/Flood -> Infected


Avast does give me pop-up warnings about the following:

Win32:Trojan-gen. {UPX!}
c:\windows\iss32.exe

win32:Trojen-gen. {other}
c:\windows\mps.exe

win32:Trojan-gen. {other}
c:\windows\kdd32.atm

It won't let me do anything with these files. Can't repair/delete/move.

AVG tells me I have Trojan Horse PWS.Proagent.B. I ask it to delete it; it says it does, but whenever I reboot it's there again?!


Any help appreciated!!

 ;D

whocares

  • Guest
Re:Help needed! please!
« Reply #1 on: February 18, 2004, 04:40:45 PM »
Hi,

is your avast up to date?
1) Please mail any files not detected by up-to-date avast to:

virus at asw dot cz

best put them in a password-protected zip file, including the password and a system/problem description in the mail text..

2) loads of malware there: if you have important/sensitive data on your PC, or use it for online-banking, ebay or other privacy critical stuff:

backup your data, format, and reinstall Windows XP, securing it better this time..

otherwise:


maybe test the file with online scanners, e.g. from KAV (see below), to get some more specific names
(you need to temporarily disable AV resident shields/monitors to be able to scan the file online)


-remove the Virus/Malware and its system modifications according to VirusInfos from Avast, VGREP, TrendMicro, Kaspersky; you might also try searching for the virus name or filename with google

general removal procedure:
- disable system restore on Win ME/XP
- kill respective Backdoor/Trojan process with task manager
- search for the file/process names in the registry; remove the malware's startup entries in the registry
- disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot
 

-Secure your system (change passwords, secure shares, install patches/updates for WIN, IE etc..)
-scan your whole system with updated avast and maybe a 2nd scanner, e.g. RAV, to check whether your PC is clean ;)

-reenable system restore on Win ME/XP ;)
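
Added example (not from this thread, and not avast's or any poster's code): a small Python triage script for the "search for the file/process names in the registry" step above. It parses the AVG and RAV report lines quoted in the first post into file / archive-member / detection records (AVG's `7oob.exe:\h4ck3d.exe` and RAV's `7oob.exe->(CABSfx)->h4ck3d.exe` both denote a file inside the self-extracting archive, not a folder) and then looks for autostart values under the Run keys of a .reg export that reference any of those file names. The registry export inside the script is constructed for the example: the `regedit /e` export format and the Run/RunOnce/RunServices key names are standard Windows, but the value names and commands in it are made up.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Detection:
    path: str              # file on disk (the archive itself when nested)
    member: Optional[str]  # file inside a self-extracting archive, else None
    name: str              # detection name as the scanner reported it
    status: str            # "Infected" or "Suspicious"

# RAV one-line format: <path>[->(<packer>)][-><member>] - <name> -> <status>
RAV_LINE = re.compile(r"^(?P<path>.+?) - (?P<name>.+?) -> (?P<status>\w+)$")
# AVG writes a file inside a self-extracting archive as <archive>:\<member>
AVG_NESTED = re.compile(r"^(?P<container>[A-Za-z]:\\.+?):\\(?P<member>.+)$")
AVG_PREFIXES = ("Trojan horse ", "Virus found ", "Could be infected ")

# Report lines as quoted in the first post of the thread (a subset)
RAV_REPORT = r"""
\Addons\clones3.ini - Flooder:IRC/Clonman* -> Infected
C:\WINDOWS\system32\7oob.exe->(CABSfx)->h4ck3d.exe - TrojanDownloader:Win32/Zdown.1_01 -> Infected
C:\WINDOWS\system32\dtxservice.exe - TrojanSpy/Win32.ProAgent.1_2 -> Infected
C:\WINDOWS\system32\sysmgr.exe->(UPXW) - Win32/HLLW.SpyBot -> Suspicious
"""
AVG_REPORT = r"""
File h4ck3d.exe
Result/Infection Trojan horse Downloader.Zdown
Path C:\WINDOWS\system32\7oob.exe:\h4ck3d.exe
File secure.BAT
Result/Infection Could be infected BAT/Generic
Path C:\WINDOWS\systems32\7oob.exe:\secure.BAT
"""
# CONSTRUCTED .reg export (as "regedit /e" writes it); value names and commands are made up
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"System Manager"="C:\\WINDOWS\\system32\\sysmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dtx"="C:\\WINDOWS\\system32\\dtxservice.exe -s"
"""

def parse_rav(report: str) -> List[Detection]:
    out = []
    for line in report.splitlines():
        m = RAV_LINE.match(line.strip())
        if not m:
            continue
        # "(ASPack 2.12)" / "(UPXW)" are packer notes, not files: drop them
        parts = [p for p in m.group("path").split("->")
                 if not (p.startswith("(") and p.endswith(")"))]
        member = parts[-1] if len(parts) > 1 else None
        out.append(Detection(parts[0], member, m.group("name"), m.group("status")))
    return out

def parse_avg(report: str) -> List[Detection]:
    out, result = [], ""
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Result/Infection "):
            result = line[len("Result/Infection "):]
        elif line.startswith("Path "):
            status = "Suspicious" if result.startswith("Could be infected") else "Infected"
            name = next((result[len(p):] for p in AVG_PREFIXES if result.startswith(p)), result)
            m = AVG_NESTED.match(line[5:])
            path, member = (m.group("container"), m.group("member")) if m else (line[5:], None)
            out.append(Detection(path, member, name, status))
    return out

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    # Minimal .reg reader: {key: {value_name: data}}, REG_SZ values only
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            vname, data = line[1:].split('"="', 1)
            keys[current][vname] = data.rstrip('"').replace("\\\\", "\\")
    return keys

def autostart_hits(detections, reg) -> List[Tuple[str, str, str]]:
    """Run/RunOnce/RunServices values whose command names a detected file."""
    names = {ntpath.basename(d.path).lower() for d in detections}
    names |= {d.member.lower() for d in detections if d.member}
    hits = []
    for key, values in reg.items():
        if key.lower().endswith(("\\run", "\\runonce", "\\runservices")):
            for vname, data in values.items():
                if any(n in data.lower() for n in names):
                    hits.append((key, vname, data))
    return sorted(hits)

def triage() -> List[Tuple[str, str, str]]:
    detections = parse_rav(RAV_REPORT) + parse_avg(AVG_REPORT)
    return autostart_hits(detections, parse_reg_export(REG_EXPORT))

if __name__ == "__main__":
    print(*triage(), sep="\n")
```

Run as-is it reports the two constructed hits (the `dtx` and `System Manager` values); to use it on a real machine, replace REG_EXPORT with the text of a `regedit /e` dump (taken from Safe Mode if the normal desktop is unusable) and paste the scanner output into RAV_REPORT / AVG_REPORT. The substring match is deliberately loose, so review every hit by hand before removing anything; the avast entry in the sample is there to show that a legitimate startup item must not be matched.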

FBS

  • Guest
Re:Help needed! please!
« Reply #2 on: February 18, 2004, 04:59:55 PM »
Hello, thanks for the reply! :)  :)

I got the latest version of avast on Monday when I first heard about it.

Task Manager does not work; I press Ctrl+Alt+Delete and it just pops up for about a second and disappears.

When I try to run regedit.exe this also just disappears after a second...

System restore won't work anymore (maybe because I've used it already going back 2 weeks then again moving forward 3 days). I had already tried disabling it to try and delete the bad files but it doesn't work.

I don't have a Windows XP disc either  :(

Maybe I should just delete the entire folder C:\WINDOWS\system32\7oob.exe, it is in hidden format, or just the infected files listed?


 ???

whocares

  • Guest
Re:Help needed! please!
« Reply #3 on: February 18, 2004, 07:52:55 PM »
Quote
I don't have a Windows XP disc either  :(

Why not? Even with XP preinstalled you should get an XP recovery disk from your vendor / the guy who sold the system to you.
if your XP is not legit, then you shouldn't post statements like the above here..

Quote
Maybe I should just delete the entire folder C:\WINDOWS\system32\7oob.exe, it is in hidden format, or just the infected files listed?

it's not a folder, but a self-extracting archive that CONTAINS several trojans/malware items

you could try deleting it in Safe Mode (F8 boot), but that might not work / it might get reinstalled

it would really be better, if you removed the malware according to the proper virus infos..
 ;)

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:Help needed! please!
« Reply #4 on: February 18, 2004, 08:19:50 PM »
Why can't you delete the files with avast! - what happens? Isn't there e.g. an option to delete the file after restart there?

Btw, aren't you running avast! together with AVG resident protection enabled?

FBS

  • Guest
Re:Help needed! please!
« Reply #5 on: February 18, 2004, 09:19:00 PM »
I should have a recovery disc but I don't. I may have when I first bought it two years ago but I have moved residence five times since then. The computer came with XP already on it.  :P

I'll post back a bit later once I try deleting in Safe Mode. Last time I tried booting in Safe Mode (a few hours ago) I deleted win32.kuang2 and win95.matyas, whatever they are  :D Nothing else was found.