Author Topic: Help  (Read 8063 times)


keljopy

  • Guest
Help
« on: February 26, 2004, 04:51:54 AM »
I had a virus and the program got rid of it, but also got rid of all of my Microsoft Office files (my programs and folders are there, but not my documents). Is there some way I can make VRDB restore these?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Help
« Reply #1 on: February 26, 2004, 07:14:04 AM »
What was the name of the virus? Which part of avast reported it? What action did you choose in avast, when asked what to do with the infected files?

What operating system are you using?

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

keljopy

  • Guest
Re:Help
« Reply #2 on: February 26, 2004, 08:32:42 AM »
It was the Win32:Mydoom virus.  It was reported by the Standard Shield.  The first time I tried to completely remove the virus and it froze and I restarted my computer.  Then it reported it for a whole bunch of files.  Some of them I chose repair, but some it said there was an error so I deleted them.  I have Windows XP.
Thanks

Offline Vlk

Re:Help
« Reply #3 on: February 26, 2004, 08:55:46 AM »
Was it MyDoom.F? This beast really does have a destructive payload and can delete documents :(

All of the files were reported as infected by MyDoom?

How many of those were there? You can try to undelete them e.g. by using this free utility: http://www.snapfiles.com/get/restoration.html (there are some better utilities around but these are not free).

BTW the Virus Cleaner (the thing that popped up when you chose Completely remove the virus from my computer) locked up? That will be of interest to igor (should be online shortly).

Thanks
Vlk


keljopy

  • Guest
Re:Help
« Reply #4 on: February 26, 2004, 09:04:14 AM »
I don't know what version of MyDoom it was.  There were like 50 files that it found infected.  Most of them started with C:\Documents and Settings.  When the virus cleaner came up it got most of the way through the first step then my computer froze up completely, I couldn't even end the program so I had to manually shut down my computer.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Help
« Reply #5 on: February 26, 2004, 09:52:21 AM »
Could you tell me what "low-level" software you have installed? How about PowerStrip, for example?
Could you tell me something more about your hardware?
Thanks.

keljopy

  • Guest
Re:Help
« Reply #6 on: February 26, 2004, 10:10:40 AM »
What is 'low level' software?  I have a Dell Inspiron 500m laptop.  It has an Intel (R) Pentium (R) M processor.  I'm not sure what you want to know?

Offline igor

Re:Help
« Reply #7 on: February 26, 2004, 10:25:32 AM »
I would like to know what programs are running (started automatically when Windows starts). Could you download HijackThis and send me the log?

When does the machine freeze? I suppose it's during the memory scan... what is the progress displayed above the listbox?

keljopy

  • Guest
Re:Help
« Reply #8 on: February 26, 2004, 10:31:53 AM »
It froze during the memory scan, it was pretty close to being finished with that, but I'm not sure exactly how far it was.

Logfile of HijackThis v1.97.7
Scan saved at 4:29:06 AM, on 2/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kelly\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [xngro] C:\WINDOWS\System32\ckqbyrufronk.exe
O4 - HKLM\..\Run: [kcur] C:\WINDOWS\System32\kjeqv.exe
O4 - HKLM\..\Run: [ewunau] C:\WINDOWS\System32\wlwu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37854.61375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Offline igor

Re:Help
« Reply #9 on: February 26, 2004, 10:36:24 AM »
Thanks.
If it is not too much to ask - could you please try to run the avast! Virus Cleaner again (you can download the standalone version from here) and let me know at what point exactly it freezes?

keljopy

  • Guest
Re:Help
« Reply #10 on: February 26, 2004, 10:44:11 AM »
It made it through the memory scan this time without freezing.

Offline igor

Re:Help
« Reply #11 on: February 26, 2004, 11:04:35 AM »
Hmm, I guess it's good news for you.
Did the Cleaner do its job this time? I can see (in the HijackThis log) you have a number of files that shouldn't be there.

whocares

  • Guest
Re:Help
« Reply #12 on: February 26, 2004, 04:04:19 PM »
Logfile of HijackThis v1.97.7

Hi,

did you do a thorough scan of the whole PC with up-to-date avast?

to clean up your startups:
use KAV/Kaspersky-Onlinescanner & http://www.sysinfo.org/startuplist.php
to check the entries in your HJT-Log and find out if they are malicious or useless..
fix/remove the virus/useless ones..

ad-aware, spybot and cwshredder might also help (Links: see above search)

do you have the avast resident shield and McAfee vshield running/active together??
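
The startup-entry check suggested in the reply above, as an added example that is not part of the original thread: it parses the O4 (autostart) lines of a HijackThis log and lists the entries that still need to be looked up. The `LOG` lines are copied from the log posted earlier in this thread; the `REVIEWED` set and the function names `parse_o4` and `triage` are assumptions made for the demo.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted in this thread.
LOG = r'''
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [xngro] C:\WINDOWS\System32\ckqbyrufronk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O9 - Extra button: AIM (HKLM)
'''

# Assumption for the demo: file names the reviewer has already looked up and accepted.
REVIEWED = {"realsched.exe", "aim.exe", "webshotstray.exe"}

REG = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$')
LNK = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.+)$')
EXE = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=["\s]|$)', re.I)

def parse_o4(log):
    """Return one dict per O4 line: source key/folder, entry name, image path."""
    out = []
    for line in log.splitlines():
        line = line.strip()
        m = REG.match(line)
        if m:
            src, name, cmd = f"{m[1]}\\{m[2]}", m[3], m[4]
        else:
            m = LNK.match(line)
            if not m:
                continue  # not an autostart line (R0, O2, O9, ...)
            src, name, cmd = m[1], m[2], m[3]
        e = EXE.match(cmd)  # strips quotes and trailing arguments
        image = e[1] if e else cmd  # fall back to the raw command
        out.append({"source": src, "name": name, "image": image})
    return out

def triage(entries, reviewed):
    """Return (name, image, reason) for every entry not yet reviewed."""
    todo = []
    for e in entries:
        base = ntpath.basename(e["image"]).lower()
        if base in reviewed:
            continue
        reason = ("no directory: resolved via search path"
                  if not ntpath.dirname(e["image"]) else "not yet reviewed")
        todo.append((e["name"], e["image"], reason))
    return todo
```

An entry returned by `triage` is only a candidate for lookup; whether it is malicious, useless or legitimate still has to be decided against a startup database or a scanner result.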