Author Topic: Repeated alerts for same virus  (Read 45397 times)


BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #45 on: August 08, 2004, 10:37:02 PM »
Logfile of HijackThis v1.97.7
Scan saved at 4:35:41 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\WinZip2\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Owner\My Documents\UNZIPFOLDER\hijackthis[1]\HijackThis.exe

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZILLAbar - {8FC8AE66-AC15-4C0D-9E9A-51296A0C52FA} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip2\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

whocares

  • Guest
Re:Repeated alerts for same virus
« Reply #46 on: August 08, 2004, 10:39:19 PM »
you went to

h**p://www.armbender.com/
h**p://dst.trafficsyndicate.com/

or were redirected to it (maybe BAD Browser settings) or installed dubious software that downloaded stuff from there..

--> both obviously BAD sites, since they host/spread trojan files..

AND your Browser (InternetExplorer ?) is configured so insecurely that it could download the trojan-files (probably in the background/unnoticed by you...)

P.S.: Both trojans are imho not really that dangerous, but are probably just adware/spyware/Search-page-hijackers.. related

Info:
QDOWN

VB-bn

 ;)

whocares

  • Guest
Re:Repeated alerts for same virus
« Reply #47 on: August 08, 2004, 10:59:20 PM »

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs - VBS/Krepper.A* -> Infected
C:\WINDOWS\pss\Search.vbsCommon Startup - VBS/Krepper.A* -> Infected
C:\WINDOWS\system32\ATPartners.dll - TrojanDownloader:Win32/Rameh.C -> Infected
C:\WINDOWS\system32\bolae9.dll - TrojanDownloader:Win32/Rameh.B -> Infected


if a THOROUGH scan with UPDATED avast really cannot detect these, then please send the above files to
virus (at) avast.com
(best in a password-protected ZIP-archive)

*

try deleting the files in SafeMode (F8-Boot) or follow the red links to instructions here:
Krepper

Rameh.B

Rameh.C


--> SPYBOT & Ad-AWARE could also help, see "VirusRemoval"



AFTER you've scanned & fixed with Spybot & ad-Aware AND had a go at the Removalinstructions...:

reboot, then UPDATE Hijackthis to version 1.98.2 via its internal Updater: -> config -> MiscTools -> Update

best unpack the downloaded ZIP-file into the same folder as before.


*

P.P.S.: before, fix
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
as instructed..

« Last Edit: August 08, 2004, 11:03:32 PM by whocares »

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #48 on: August 08, 2004, 11:37:02 PM »
I have been to neither of those sites and I don't see them in my history.

I don't even know what they are. Despite my popup stopper I do get a lot of popups.

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #49 on: August 08, 2004, 11:39:08 PM »
I have automatic update so there is no reason to believe I am not up-to-date on my AVAST.

I will send them.

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #50 on: August 08, 2004, 11:40:32 PM »
Can you give me the correct setting for Explorer?

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #51 on: August 08, 2004, 11:44:10 PM »
According to this, the virus put me at those sites unbeknownst to me.

VBS_KREPPER.A
Aliases: VBS/Krepper.A*, TrojanClicker.VBS.Krepper, Trj/Krepper.E
Upon execution, this Trojan opens a new Internet Explorer window with a height and width value of zero, making the said window invisible to users. It then accesses the following site using ...

What I want to know is how the heck did I get it in the first place since I don't open attachments.

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #52 on: August 09, 2004, 12:15:42 AM »
Can you help me with these?

I don't recognize any of them... can I safely "FIX" them?

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://cobia.livehelpcasino.com/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v40/focus/focus.cab
O16 - DPF: {957BDEC2-50EA-4B01-ABF5-22F86364A914} (Trivia Control) - http://mirror.worldwinner.com//games/v41/trivia/trivia.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v48/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://fptest.onisak.com/software/v7/gp0/setup.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/gar.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/211/webolr/OCX/FlashAX.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #53 on: August 09, 2004, 12:16:45 AM »
I don't do live chat so I have no idea why I have Yahoo and MSN chats here.

I just don't want to screw anything up. Looks like things are pretty clean.

Thanks for all your help!!!!!!!!!!!!!!!!!!!!!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Repeated alerts for same virus
« Reply #54 on: August 09, 2004, 12:24:56 AM »
DPF is short for Downloaded Program File. These are things you downloaded. And you do visit quite some ad-/spyware spreading sites. That is most likely why you get into trouble.

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #55 on: August 09, 2004, 01:09:26 AM »
Decided to do one more scan with RAV and already I got a new virus and I haven't done anything!!!!!

Scan started at 8/8/2004 6:46:13 PM
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXNCTK7A\UCSearch[1].CAB->UCSearch.ocx - TrojanDownloader:Win32/VB.BN -> Infected

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Repeated alerts for same virus
« Reply #56 on: August 09, 2004, 01:14:29 AM »
Quote
and I haven't done anything!!!!!
Yes you have done something. You visited malicious sites, that's why/how. See this entry in the HJT log. You were there!

O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #57 on: August 09, 2004, 01:17:49 AM »
I went there out of curiosity... to see what it was that I was supposed to have visited but didn't. And it was a blank page!!!! It had a #1 on it.

I would never have gone there if you hadn't insisted I'd been there and I knew I had not.

Back to the beginning.....

Curiosity killed the cat... MEOW

galooma

  • Guest
Re:Repeated alerts for same virus
« Reply #58 on: August 09, 2004, 01:18:59 AM »
You can safely delete / fix any or all of the entries beginning with O16 as they are downloaded from sites when you visit. If you need them then you may have to wait an extra few seconds next time you visit for it to reload but removing them does no damage and may clear up your HJT report a little  ;)
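Eddy's point (O16/DPF entries are files the browser downloaded, and the RAV detection in the IE cache corresponds to the armbender.com DPF entry in the HJT log) and galooma's point (O16 entries can be fixed safely) as an added Python example; this is not code from anyone in the thread and not part of HijackThis. It parses O16 lines and scanner "-> Infected" lines, flags DPF entries whose host the thread names as serving trojan files, and ties an IE-cache detection back to the DPF entry that fetched it by comparing the cached file name (IE stores downloads as name[n].ext) with the file name in the DPF URL. The sample log and scan lines are constructed from excerpts quoted in the thread; the BAD_HOSTS set and the file-name matching rule are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: O16 (DPF) lines in the shape of the HijackThis log posted
# in this thread, plus one non-O16 line to show that it is ignored.
HJT_LOG = """\
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# Constructed sample: scanner detections in the shape of the RAV output in the thread.
SCAN_OUTPUT = """\
C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\YXNCTK7A\\UCSearch[1].CAB->UCSearch.ocx - TrojanDownloader:Win32/VB.BN -> Infected
C:\\WINDOWS\\system32\\ATPartners.dll - TrojanDownloader:Win32/Rameh.C -> Infected
"""

# Assumption of this example: hosts the thread identifies as serving the trojan files.
BAD_HOSTS = {"www.armbender.com", "dst.trafficsyndicate.com"}

# O16 - DPF: {CLSID} (optional name) - URL
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\})(?: \((.*?)\))? - (\S+)$")
# path[->member-inside-archive] - DetectionName -> Infected
DETECT_RE = re.compile(r"^(.*?)(?:->(\S+))? - (\S+) -> Infected$")


def parse_o16(log_text):
    """Return one dict per O16 (DPF) line: clsid, name, url, host and served file name."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        clsid, name, url = m.groups()
        parts = urlsplit(url)
        entries.append({
            "clsid": clsid,
            "name": name or "(no name)",
            "url": url,
            "host": parts.hostname or "",
            "file": parts.path.rsplit("/", 1)[-1].lower(),
        })
    return entries


def parse_detections(scan_text):
    """Return one dict per '... -> Infected' line: path, archive member, detection, file name."""
    hits = []
    for line in scan_text.splitlines():
        m = DETECT_RE.match(line.strip())
        if not m:
            continue
        path, member, detection = m.groups()
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        hits.append({
            "path": path,
            "member": member,
            "detection": detection,
            # IE caches a download as name[n].ext; drop the [n] to recover the served name
            "file": re.sub(r"\[\d+\](?=\.[^.]*$)", "", basename).lower(),
            "in_ie_cache": "temporary internet files" in path.lower(),
        })
    return hits


def triage(log_text, scan_text):
    """Flag DPF entries from the named hosts and link IE-cache detections to the DPF entry that fetched them."""
    entries = parse_o16(log_text)
    by_file = {e["file"]: e for e in entries}
    flagged = [e for e in entries if e["host"] in BAD_HOSTS]
    linked = []
    for h in parse_detections(scan_text):
        if h["in_ie_cache"] and h["file"] in by_file:
            linked.append((h["detection"], by_file[h["file"]]["url"]))
    return {"flagged": flagged, "linked": linked}


if __name__ == "__main__":
    report = triage(HJT_LOG, SCAN_OUTPUT)
    for e in report["flagged"]:
        print("DPF entry from a host named in the thread:", e["clsid"], e["url"])
    for detection, url in report["linked"]:
        print("IE-cache detection", detection, "was fetched via DPF entry", url)
```

The link step is what answers "I haven't done anything": the cached UCSearch[1].CAB that RAV flags is the same UCSearch.CAB the armbender.com O16 entry points at, so the browser downloaded it on a visit (or redirect) rather than it arriving by other means. Host matching uses the exact host names from the thread; a practitioner running this on a real log would maintain the set from a current blocklist.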

BarbeeGee

  • Guest
Re:Repeated alerts for same virus
« Reply #59 on: August 09, 2004, 01:26:16 AM »
Thank you!!!! Some of them were very old.