Topic: Zhuge Liang Virus


chm1 (Guest)
Zhuge Liang Virus
« on: April 12, 2005, 09:50:13 PM »
I am new to the forum, however, I would appreciate any help anybody can give me.  While connected to the internet, my Avast On-Access scanner notified me that "a virus was found".  The name of the virus is SDFE-ZhugeLiang-4784.  It is a virus/worm.  The VPS version is 0515-0, 11/04/2005.  No matter what website I visited I was getting the same alarming notices.

I have since scanned the machine using Avast.  (Avast is completely up to date on my machine.)  But nothing was found.  I have also scanned the machine using Ad-aware but I found nothing there either.

I have searched for every permutation of the virus name using Google but I cannot find much useful information there either.  Can anybody please advise me: is my machine infected with a virus and, if so, how do I remove it?  If it is not infected, was this a false positive or simply a case that my PC was being attacked by a worm, but Avast prevented infection?  Thanks for any help you can give me.

Tonanet
Re: Zhuge Liang Virus
« Reply #1 on: April 12, 2005, 10:53:46 PM »
Hello and welcome to the forums.

This virus is a very old DOS virus... dated from 1998...
Unfortunately no antivirus web site has a description for it... It appears on each antivirus vendor's website (with different names) but without a description... just the name...

Do you still receive warnings about this virus on your machine, or have they stopped?

Please tell us what your Windows version is and also the path where the file is being detected (if it is still being detected)...

Thanks for your time,

Elminster

Wight (Guest)
Re: Zhuge Liang Virus
« Reply #2 on: April 12, 2005, 10:55:07 PM »
Hello

OK, here are a few questions:

1. Is your OS up to date and what OS do you use?
2. Do you use a firewall?
3. Have you run a full scan with avast! (with scan archives enabled)?
4. Can you give us the whole path of the malware file?
5. Download, update and run Spybot S&D on your computer.
6. Post your HijackThis log here after you have scanned your computer with avast!, Ad-Aware SE and Spybot S&D.

If you do not have a firewall download it here: Kerio PF www.kerio.com/kpf_download.html

If you do not have Spybot S&D download it here: www.spybot.info/en/download/index.html

If you want virus name information use Vgrep (www.virusbtn.com/resources/vgrep/index.xml)

And if you have some file on your machine, submit it to Jotti (http://virusscan.jotti.org/)

chm1 (Guest)
Re: Zhuge Liang Virus
« Reply #3 on: April 13, 2005, 10:28:17 AM »
I use Windows XP Home (SP2 fully patched).  It is up to date - it downloads updates automatically.  I use Avast for anti-virus, Sygate Personal firewall, I also have a hardware firewall as well.  I used the new MS Antispyware program as well.  I keep all definitions up to date.

I have conducted both "Thorough" and boot-time scans using Avast - and found nothing.  I have scanned using Avast, MS Antispyware, and Ewido and found nothing.  I have Spybot S&D - I will scan using this as well.

The warning message only occurred when I connected to the internet - it actually occurred immediately upon connecting to a specific website.  And then for the duration of the connection/session, I kept getting the same warning message each time I connected to any website.  However, when I shut the PC down and came back later in the day, the warning message did not re-occur.

I would be grateful if anybody could give me an explanation as to what might have been happening.  Is it still worth posting my HijackThis log?

Tonanet
Re: Zhuge Liang Virus
« Reply #4 on: April 13, 2005, 10:33:34 AM »
Hello,

If you are not experiencing any more problems with this virus coming up, and all the test results show that you are clean, then probably you don't have to worry anymore... You should be clean.

But to be sure, I believe it is better if you post your HijackThis log, so we can see if there's any hidden malware running on your machine.

Thanks for your time,

Elminster

chm1 (Guest)
Re: Zhuge Liang Virus
« Reply #5 on: April 14, 2005, 09:14:47 PM »
Please find below my HijackThis log.  I would appreciate it if somebody would have a look at it and comment.  Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 20:06:53, on 14/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMIN0~1\LOCALS~1\Temp\2004826214115_mcinfo.exe /insfin
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Tonanet
Re: Zhuge Liang Virus
« Reply #6 on: April 14, 2005, 09:29:37 PM »
Hello,

Your running processes are clean, don't worry.

I didn't find anything wrong with your log; I only recommend you fix the following items that are auto-starting with your computer, as they are not needed to autostart:

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMIN0~1\LOCALS~1\Temp\2004826214115_mcinfo.exe /insfin
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

By the way, are you using VirusScan and avast! together?

Thanks for your time,

Elminster
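As an added example (not from this thread, HijackThis or Avast), the same review of the O4 Run-key lines can be scripted: the function below parses lines like those posted above and flags entries that launch from a Temp folder, reference a product the user says was uninstalled, or name no absolute executable. The sample lines are copied from the log above; the `removed_vendors` parameter and the flag wording are my own assumptions.

```python
import re

# Shape of a HijackThis O4 line:  O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Lines copied from the log posted above ([msci] runs from Temp; [VirusScan] is the removed AV).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMIN0~1\LOCALS~1\Temp\2004826214115_mcinfo.exe /insfin
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
"""

def first_token(cmd):
    """Executable part of a Run-key command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""

def triage_o4(line, removed_vendors=()):
    """Flags for one O4 line (empty list = nothing notable); None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    low = m.group("cmd").lower()
    exe = first_token(low)
    flags = []
    if "\\temp\\" in low or "\\locals~1\\" in low:
        flags.append("executes from a Temp directory")
    for vendor in removed_vendors:  # hypothetical parameter, e.g. ("mcafee",)
        if vendor.lower() in low:
            flags.append("references removed product '%s'" % vendor)
    if not exe or exe.startswith("/"):
        flags.append("no executable given")
    elif not re.match(r"^[a-z]:\\", exe) and not exe.startswith("%"):
        flags.append("bare filename, resolved via search path")
    return flags

def flagged_entries(log, removed_vendors=()):
    """Map entry name -> flags for every O4 line that raised at least one flag."""
    out = {}
    for line in log.splitlines():
        flags = triage_o4(line, removed_vendors)
        if flags:
            out[O4_RE.match(line.strip()).group("name")] = flags
    return out
```

Running `flagged_entries(SAMPLE_LOG, ("mcafee",))` singles out the Temp-folder `msci` entry, the leftover `VirusScan` entry, and the two entries without a full path, while leaving the quoted Dell entry alone.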

chm1 (Guest)
Re: Zhuge Liang Virus
« Reply #7 on: April 16, 2005, 04:56:41 PM »
Thank you Elminster for your time.  I really appreciate your help.

I am only running Avast.  The PC came pre-loaded with another anti-virus package, which I uninstalled.  However, it appears I was not able to remove it completely.

If I could impose upon you one further time, could you tell me how I would fix the items you have identified?  Should I just use HijackThis?

Once again, thank you.

Tonanet
Re: Zhuge Liang Virus
« Reply #8 on: April 18, 2005, 06:06:02 PM »
Hello Chm1,

Sorry for the long time to answer.

In order to fix the entries that I listed you should just use HijackThis.

Beside each entry there's a checkbox.  Mark each entry that I told you and then click Fix.

If you need more help just tell me :)

Thanks for your time,

Elminster

chocholo