Author Topic: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]

airgear2003

  • Guest
Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« on: April 05, 2007, 02:51:11 AM »
Every time I open my PC, avast warns that there is a Win32:OnlineGames-IG [Trj] and Win32:OnlineGames-JD [Trj], and I can't delete it, so I move it to the chest, but when I open the PC again, it appears again. Any ideas to solve this problem?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #1 on: April 05, 2007, 03:32:39 AM »
What is your OS ?
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

There are likely to be more elements that are restoring the file.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-Squared free if using Win98/ME.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #2 on: April 05, 2007, 04:04:31 AM »
If a virus is replicant (coming and coming again), you should:

1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again.

2) Clean your temporary files. You can use the Windows Advanced Care features for that.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run other trojan remover tools: a-squared and/or Free AVG Antispyware (trojan removers). Some users recommend SUPERantispyware or Spyware Terminator.

5) Use the immunization of Windows Advanced Care features of spyware/adware cleaning and removal.
The best things in life are free.

airgear2003

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #3 on: April 05, 2007, 11:17:41 AM »

Here are the viruses... so what should I do?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #4 on: April 05, 2007, 11:35:28 AM »
Hi airgear2003,

Have you tried a boot time scan as Tech suggested, and run AVG Anti-Spyware and a-Squared as DavidR suggested?

http://www.sophos.com/security/analyses/trojlegmiraqj.html

If the Trojan is still active, Sophos have a scanner you can download and run from Safe Mode with Command Prompt. Details here:

http://www.geocities.com/dontsurfinthenude/antivir2.htm

Or you could post a HijackThis! log for us and we can tell you which entries to fix to disable the Trojan. Tutorial with screenshots here:

http://www.bleepingcomputer.com/tutorials/tutorial42.html
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

airgear2003

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #5 on: April 05, 2007, 02:41:05 PM »
If I try a boot time scan as Tech suggested, should I delete the viruses that are detected?

Offline FreewheelinFrank

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #6 on: April 05, 2007, 02:48:17 PM »
Put them into the chest (quarantine) just to be on the safe side. You always have the option of restoring files in the chest, useful in the rare event of a false detection. Although the two files Rav20.dll and CMDBSC.DLL are obviously malware, avast! might detect other files, and it's always better to be safe than sorry.

airgear2003

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #7 on: April 05, 2007, 04:46:00 PM »

I did it the way that Tech taught, but the problem doesn't seem to be solved; the virus still replicates.

Offline DavidR

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #8 on: April 05, 2007, 05:18:09 PM »
A google search for cmdbcs.dll returns many hits, http://www.google.com/search?q=cmdbcs.dll, this is just one, http://fileinfo.prevx.com/adware/qqe2c868370349-CMDB32503141/CMDBCS.DLL.html.

Also see http://www.sophos.com/security/analyses/trojlegmiraqj.html.
Quote
When first run Troj/LegMir-AQJ copies itself to <Windows>\cmdbcs.exe and creates the file <System>\cmdbcs.dll.

Cmdbcs.dll is also detected as Troj/LegMir-AQJ.

The following registry entry is created to run cmdbcs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cmdbcs
<Windows>\cmdbcs.exe

So this would appear to have a companion file, cmdbcs.exe and as a startup entry could be creating the cmdbcs.dll. If you find this cmdbcs.exe, add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

Check, Windows Start button, Run, type msconfig and click OK, check the Startup Tab and see if the startup entry for cmdbcs.exe exists and if so delete it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
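
The startup persistence quoted in Reply #8 can be checked from a PowerShell prompt. This is an added example, not part of the original thread or of any avast! or Sophos tool; it only reads the registry and file system. The `cmdbcs` names and the HKLM Run key come from the quote, while the WOW6432Node and HKCU keys and the mapping of `<System>` to the System32 directory are assumptions.

```powershell
# Added example: read-only check for the startup persistence quoted from the
# Sophos analysis in this thread. It changes nothing on the system.
$indicatorFiles = @(
    (Join-Path $env:windir 'cmdbcs.exe'),                      # <Windows>\cmdbcs.exe
    (Join-Path ([Environment]::SystemDirectory) 'cmdbcs.dll')  # <System>\cmdbcs.dll (assumed: System32)
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',             # key named in the thread
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run', # assumption: 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'              # assumption: per-user equivalent
)

function Get-RunEntry {
    param([string[]]$KeyPath)
    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }          # key absent on this system
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            [pscustomobject]@{
                Key     = $path
                Name    = $name
                Command = $command
                # Flag the value name or the image name given in the thread.
                Suspect = ($name -ieq 'cmdbcs') -or ($command -match '\\cmdbcs\.exe')
            }
        }
    }
}

$entries  = @(Get-RunEntry -KeyPath $runKeys)
$suspects = @($entries | Where-Object { $_.Suspect })
$present  = @($indicatorFiles | Where-Object { Test-Path -LiteralPath $_ })

# Show every Run entry so unfamiliar startup items can be reviewed as well.
$entries | Format-Table Key, Name, Command, Suspect -AutoSize -Wrap | Out-Host

if ($suspects.Count -or $present.Count) {
    Write-Warning 'Indicators from the thread found:'
    $suspects | ForEach-Object { "  Run value '$($_.Name)' -> $($_.Command)" }
    $present  | ForEach-Object { "  File on disk: $_" }
} else {
    'No cmdbcs Run value and no cmdbcs.exe / cmdbcs.dll on disk.'
}
```

A flagged Run value is the same startup entry that the msconfig Startup tab lists.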

airgear2003

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #9 on: April 05, 2007, 06:38:54 PM »
Yeah, I found it, so do I have to delete it from my PC or move it to the chest?
BTW, will c0nime and spolive harm my PC?

Offline FreewheelinFrank

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #10 on: April 05, 2007, 06:47:19 PM »
airgear2003,

You need to put the files into the chest during a boot time scan.

The screenshot you posted is not from a boot time scan.

Offline FreewheelinFrank

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #11 on: April 05, 2007, 06:50:49 PM »
This is what a boot time scan looks like:



(This is an old screen shot so it doesn't have the 'move to chest option'.)

airgear2003

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #12 on: April 05, 2007, 06:52:20 PM »
I put the files into the chest during the boot time scan, but they still appear after the boot.
So should I delete the cmdbcs.exe or put it into the chest?
And how about c0nime and spolive?

Offline FreewheelinFrank

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #13 on: April 05, 2007, 07:00:56 PM »
OK, so as David suggested, another process is protecting cmdbcs.dll.

Have you tried AVG Anti-Spyware?

Also worth a try is DrWeb CureIT!:

http://download.drweb.com/drweb+antivirus+free+services/

If these fail, please post a HijackThis! log:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

airgear2003

Re: Win32:OnlineGames-IG [Trj] ,Win32:OnlineGames-JD [Trj]
« Reply #14 on: April 05, 2007, 07:03:47 PM »
I didn't get what you mean... sorry...
Should I delete the cmdbcs.exe or put it into the chest?
And how about c0nime and spolive?