Author Topic: Hiberfil.sys Zipper 2778 Worm  (Read 10619 times)


Offline wrmrwgn

  • Newbie
  • *
  • Posts: 10
Hiberfil.sys Zipper 2778 Worm
« on: March 01, 2007, 10:34:27 PM »
Hi - I am new here and I have a problem that's driving me nuts. My PC has the Avast screensaver and it keeps intercepting the Zipper 2778 worm, recommended action: quarantine. Every time I quarantine it the warning comes back, with the radioactive symbol and siren.

Please help.

Thanks
Rob

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Hiberfil.sys Zipper 2778 Worm
« Reply #1 on: March 01, 2007, 10:54:40 PM »
It may be a false positive in your hibernation file- it seems to be an old DOS virus. Try hibernating your system and restarting- hiberfil.sys is just a memory dump, so maybe there was a pattern in the dump that resembled the virus.

If it persists, try a boot time scan- right click the scanner screen, select schedule a boot time scan and reboot when requested.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline wrmrwgn

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #2 on: March 01, 2007, 11:19:40 PM »
I just went to the power options in control panel and tried to check the enable hibernation box and access was denied with a pop-up that says "the file is being used by another process" or something like that.
I did 2 boot-time scans but no. This Avast Alert only happens in screensaver mode - scanning has found nothing.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Hiberfil.sys Zipper 2778 Worm
« Reply #3 on: March 02, 2007, 03:59:07 AM »
As a workaround, you can add this file to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...

Also, you need to use the on-demand scanning exclusion list for the screen-saver or the Simple User Interface:
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

Hope the Alwil team corrects the detection.
Maybe you should disable the hibernation option. Boot. Enable it again.
The best things in life are free.

Offline wrmrwgn

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #4 on: March 02, 2007, 04:20:29 AM »
I added hyberfil.sys. Is that good enough? I'll report if this is finished. I think you may be right about an old virus in DOS. This computer just got back from the shop with a clean install- my kernel32.dll was missing.

Still in the Avast! virus chest are these system files: Kernel32.dll, winsock.dll, and wsock.dll.

When the technician reinstalled windows, most of my program files were lost.
Yet when I looked in my virus chest last night, there were over 18,000 viruses, worms and trojans that had been quarantined after I bought this computer at a thrift store.
I ran Avast on it first thing when I bought it last October and it spent several hours scanning and quarantining viruses in boot-mode.

I left these in the chest.
All of them were deleted except the three above, and I am leaving it as is.

Just before the computer crashed, I removed those very files. Once in XP repair mode, I disabled automatic restart and when it tried to reboot the message came up saying that kernel32.dll was missing. Then I went into XP despair mode.

Offline Lisandro

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #5 on: March 02, 2007, 04:29:28 AM »
> I added hyberfil.sys. Is that good enough?
Should be...

> I'll report if this is finished.
I'll be waiting for you...

> Still in the Avast! virus chest are these system files: Kernel32.dll, winsock.dll, and wsock.dll.
They're there for backup purposes only. They're not infected at all, they're in the System folder of the Chest.

> Yet when I looked in my virus chest last night, there were over 18,000 viruses, worms and trojans that had been quarantined after I bought this computer at a thrift store.
Wow... are you sure that all those infections come from the store?

> I ran Avast on it first thing when I bought it last October and it spent several hours scanning and quarantining viruses in boot-mode. I left these in the chest.
> All of them were deleted except the three above, and I am leaving it as is.
It's ok...

> Just before the computer crashed, I removed those very files.
avast will add them again later...

> Once in XP repair mode, I disabled automatic restart and when it tried to reboot the message came up saying that kernel32.dll was missing. Then I went into XP despair mode.
avast does not move the files from the computer to Chest. It just copies them, as a backup.

Offline wrmrwgn

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #6 on: March 02, 2007, 04:44:44 AM »
Yes- over 18,000 bugs. That's my guess why it ended up in a thrift store.
Of course, there was NO AV program installed. The previous owner appears to have been a young person who didn't know.

So now things are making sense maybe - a couple weeks ago I removed those system back ups, and the very next day it would only boot up to the XP Gui screen.
Is it just a coincidence or had the back up not been removed, it would still have the kernel32 file?

I know better now to leave them alone.

Offline Lisandro

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #7 on: March 02, 2007, 04:55:58 AM »
> the very next day it would only boot up to the XP Gui screen.
Well, avast does not mess up your computer... the infections did it (or could have done it).

> Is it just a coincidence or had the back up not been removed, it would still have the kernel32 file?
The problem will be that you won't be able to boot and extract the file from the Chest, so, probably you'll need the original CD or a way to boot the computer and replace that file. Maybe XP Console recovery could do something here...

Offline wrmrwgn

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #8 on: March 07, 2007, 01:01:10 AM »
Uberevangelist, my PC crashed again Sunday. On Monday I was able to run CHKDSK and repair the boot record, and my PC booted back up. Now that dumb ZIPPER virus alert is testing my patience. Is there anyone on this board that may know how I get this virus or whatever it is to stop? Hibernate has been turned off.
I am not sure if this virus is causing my computer to crash but it seems to be a logical assumption at this point.
I'll check again to see if it's in the exclusion list. I may not have had the time to do that as Saturday and Sun are busy days.


Offline Lisandro

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #9 on: March 07, 2007, 01:51:18 AM »
> alert is testing my patience
Which file is infected? Did you try to delete the hyberfil.sys file, maybe using Unlocker (http://ccollomb.free.fr/unlocker/) or Delete FXP (http://www.jrtwine.com/) or MoveOnBoot tool?

Offline wrmrwgn

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #10 on: March 07, 2007, 06:52:20 AM »
MoveOnBoot tells me "incorrect file name" when I paste hyberfil.sys into the box. I haven't figured out how to use unlocker yet.

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: Hiberfil.sys Zipper 2778 Worm
« Reply #11 on: March 07, 2007, 06:57:27 AM »
I think the problem doesn't originate in hiberfil.sys but ends up there when Windows hibernates.  Zipper is a memory resident virus so it would be a part of the "snapshot" that Windows saves.

If an avast! boot scan doesn't help, try a Trend Micro or Kaspersky online scan.

http://housecall.trendmicro.com/

http://www.kaspersky.com/virusscanner
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33133
  • malware fighter
Re: Hiberfil.sys Zipper 2778 Worm
« Reply #12 on: March 07, 2007, 07:57:20 AM »
Download this removal tool to get the worm from your computer:
http://www.downloadtopc.com/get/62/42378/W32Stration_worm_removal_tool.html

This is a simple virus which stays resident in memory and infects COM and EXE files when they are accessed. \COMMAND.COM and \DOS\FORMAT.COM are infected on the first execution.

If you run PKZIPFIX against an infected COM or EXE file, it will create a PKFIXED.ZIP, which contains an assembly source file called ZIPPER.ASM.

The virus contains this text, which is never displayed:

   >>*>> Use PKUNZIP *.EXE immediately! <<*<<

Zipper contains several bugs which might corrupt the infected files.
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
   your CONFIG.SYS file.  Reboot the system.  Then run each .EXE file
   less than 62k.  The virus will remove itself from each .EXE program
   when it is executed.  Or, leave DOS=HIGH in your CONFIG.SYS; execute
   an infected .EXE file, then use a tape backup unit to copy all your
   files.  The files on the tape have had the virus removed from them.
   Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file.  Reboot the
   system.  Restore from tape all the files back to your system.

polonus
« Last Edit: March 07, 2007, 08:32:15 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline wrmrwgn

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #13 on: March 07, 2007, 07:56:37 PM »
How do I find the CONFIG.sys file?

Offline wrmrwgn

Re: Hiberfil.sys Zipper 2778 Worm
« Reply #14 on: March 07, 2007, 08:12:57 PM »
Are you saying I should use PKzipfix immediately? You can tell I don't know my way around this. I'm worried that this thing is going to crash my computer again if I don't get it off.