Author Topic: Win:32:Doeb [wrm]  (Read 10118 times)


Towle (Guest)
Win:32:Doeb [wrm]
« on: September 20, 2004, 10:55:22 PM »
Win32:Doeb [Wrm]" has been found in "C:\WINDOWS\system32\Inf\13 years Merrit Cabal && Pamela Anderson slut --Video Collection--.zip\Codec DIVX 5.1.1.exe" file.  
21/09/2004 4:05:04 AM   NT AUTHORITY\SYSTEM   1696   Sign of "Win32:Doeb [Wrm]" has been found in "C:\WINDOWS\system32\Inf\13 years Merrit Cabal && Pamela Anderson slut --Video Collection--.zip\Codec DIVX 5.1.1.exe" file.  
21/09/2004 4:05:07 AM   NT AUTHORITY\SYSTEM   1696   Sign of "Win32:Doeb [Wrm]" has .  


Will Avast Antivirus Pro 4.1.418 with the latest definitions (20/09/2004, 0439-0) remove these viruses?

What is the virus and how dangerous is it to my system? I can't find much info on the net to tell me how dangerous it is.

There are multiple entries in my windows\system32\inf directory of this same virus.
« Last Edit: September 20, 2004, 11:00:28 PM by Towle »

Lisandro (Avast team)
Re:Win:32:Doeb [wrm]
« Reply #1 on: September 20, 2004, 11:38:16 PM »
In fact, it is a worm added in VPS 0427-1 on 02.07.2004.
If you try to repair (maybe there were no infected files, as it is a worm) or move the files to the Chest, you will be OK.
You can schedule a boot-time scan too (if you have Windows 2k/XP).
Welcome to the forums  ;)
The best things in life are free.

Towle (Guest)
Re:Win:32:Doeb [wrm]
« Reply #2 on: September 21, 2004, 01:32:52 AM »
In fact, it is a worm added in VPS 0427-1 on 02.07.2004.
If you try to repair (maybe there were no infected files, as it is a worm) or move the files to the Chest, you will be OK.
You can schedule a boot-time scan too (if you have Windows 2k/XP).
Welcome to the forums  ;)

How dangerous is it and what damage can it do to my system? I can't find much info on it.
Thanks for the prompt reply.

Do I have to disable the Win XP SP2 "system restore" at all?
I will do the boot-time scan as suggested. I am doing a "thorough scan" of my system (slider all the way to the right in the simple interface) and also checking compressed files. I deleted the infected files from within the folder titled "infected" in the Advanced User Interface; they weren't system files.

Lisandro (Avast team)
Re:Win:32:Doeb [wrm]
« Reply #3 on: September 21, 2004, 01:57:25 PM »
How dangerous is it and what damage can it do to my system? I can't find much info on it. Thanks for the prompt reply.

Sorry, I did not find more either  :-\
Google returned nothing...

Do I have to disable the Win XP SP2 "system restore" at all?

It depends on the results of your scanning. For the boot-time scan itself you do not have to disable it. After scanning, you could/should enable it again. So I don't understand why you say 'at all' instead of 'for ever'. You can enable System Restore after scanning and cleaning. You have to disable it only to clean 'locked' infected files there.

I will do the boot-time scan as suggested. I am doing a "thorough scan" of my system (slider all the way to the right in the simple interface) and also checking compressed files. I deleted the infected files from within the folder titled "infected" in the Advanced User Interface; they weren't system files.

If your scan returns nothing... then enjoy, you're clean  8)
Sending the files to the Chest is a wise decision  ;)

Towle (Guest)
Re:Win:32:Doeb [wrm]
« Reply #4 on: September 21, 2004, 02:27:16 PM »
I asked for a log report to be created when I ran my scheduled boot-time scan:

C:\Program Files\Alwil Software\Avast4\DATA\report

Resident protection.txt

However, it cannot be opened.

It says it is in use by another application or cannot be accessed.

Eddy (Avast Evangelist)
Re:Win:32:Doeb [wrm]
« Reply #5 on: September 21, 2004, 02:35:14 PM »
Doeb (as Avast calls it) is also known as:
poetry.a
p2p.doeb.b
p2p.poit.a
doeb.2@p2p
Ourtime!2p2
p2p.unknow.worm (CA)

I think if you search on those names you will find lots of info about it. How do I know these names? Easy, that is why we have Vgrep.

Lisandro (Avast team)
Re:Win:32:Doeb [wrm]
« Reply #6 on: September 21, 2004, 02:48:17 PM »
It says it is in use by another application or cannot be accessed.

Strange, can't you open it with Notepad?
When are you trying to open it?

Towle (Guest)
Re:Win:32:Doeb [wrm]
« Reply #7 on: September 21, 2004, 03:44:50 PM »
It says it is in use by another application or cannot be accessed.

Strange, can't you open it with Notepad?
When are you trying to open it?

No, I can't, not with Notepad either.

I am trying to open it from My Computer. I'm not too sure I understand your question as to "when"; what are you trying to ask? The Avast icons are in the system tray (VRDB & On-Access Scanner).

bob3160 (Avast Überevangelist)
Re:Win:32:Doeb [wrm]
« Reply #8 on: September 21, 2004, 04:19:38 PM »
Towle
Technical is referring to the .log file you created in
C:\Program Files\Alwil Software\Avast4\DATA\report

Right click on that file and select open with notepad.

Lisandro (Avast team)
Re:Win:32:Doeb [wrm]
« Reply #9 on: September 21, 2004, 07:17:27 PM »
Sorry, I was not so specific...
Thanks Bob.
When I asked 'when' I was thinking of the circumstances:

a) while the boot-time scan was running (I think it's not possible to open a report then)

b) after you log on to Windows, when nothing should be 'locking' the file at that moment... avast (and the VRDB) could not 'lock' this file... there is no reason for that.

Towle (Guest)
Re:Win:32:Doeb [wrm]
« Reply #10 on: September 21, 2004, 11:21:13 PM »
Sorry, it just won't open; no boot scan is in operation. I can't tell how successful the boot scan was because I can't open the log file!
« Last Edit: September 21, 2004, 11:26:28 PM by Towle »

whocares (Guest)
Re:Win:32:Doeb [wrm]
« Reply #11 on: September 21, 2004, 11:31:50 PM »
Hi,

If you can't delete the file
C:\WINDOWS\system32\Inf\13 years Merrit Cabal && Pamela Anderson slut --Video Collection--.zip
manually or with avast (in SAFE MODE -> F8 at boot),
then please post a HijackThis log for diagnosis: -> ttp://hjt.klaffke.de

 ;)

Towle (Guest)
Re:Win:32:Doeb [wrm]
« Reply #12 on: September 22, 2004, 10:34:31 AM »
Hi,

If you can't delete the file
C:\WINDOWS\system32\Inf\13 years Merrit Cabal && Pamela Anderson slut --Video Collection--.zip
manually or with avast (in SAFE MODE -> F8 at boot),
then please post a HijackThis log for diagnosis: -> ttp://hjt.klaffke.de

 ;)

Makes no difference. I deleted that file and all the others in this folder; they were all compressed WinRAR files that had no similarity to Windows OS files and were for similar porn.

Still can't open the report file from Avast's "reports" folder.
« Last Edit: September 22, 2004, 10:34:51 AM by Towle »

whocares (Guest)
Re:Win:32:Doeb [wrm]
« Reply #13 on: September 22, 2004, 11:56:56 AM »
Well, just try repairing avast then (via Uninstall/Repair)

and please follow the other advice above, e.g.:
- HijackThis log
- VGREP

->
1) For cleaning:
best to disable all your file-sharing processes/startups, and block/disable all sharing (I hope you didn't share your whole C: drive..)
Also check/secure/block your other network shares.

2) WebLink_4u2read
-> go to the red links for Symantec & Trend Micro and clean up

3) Secure your system better.

4) Online scans by Trend, RAV & COD might also help (-> see "VirusRemoval" below..)

5) Stay away from porn/cracks/warez/other dubious stuff & keep that nervous mouse-click finger under control ;) ;)
« Last Edit: September 22, 2004, 12:01:51 PM by whocares »

Towle (Guest)
Re:Win:32:Doeb [wrm]
« Reply #14 on: September 22, 2004, 12:00:50 PM »
Logfile of HijackThis v1.97.7
Scan saved at 6:21:26 PM, on 22/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\iNtfySvc\intfysvc.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\OPTISAFE Xtreme\ntevent.exe
C:\Program Files\OPTISAFE Xtreme\ntsrv.exe
C:\Program Files\OPTISAFE Xtreme\onevent.exe
C:\Program Files\OPTISAFE Xtreme\powersrv.exe
C:\Program Files\OPTISAFE Xtreme\upsagentd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\dnpower\UPSAGE~1.EXE
C:\Program Files\OPTISAFE Xtreme\upsis.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\LCDC\LCDC.exe
D:\acidmax\mirc.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\temp\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.overclockers.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.overclockers.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marty *****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\msie2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Marty"
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Marty"
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Research (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1091793856733
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38156.9052083333
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

« Last Edit: September 22, 2004, 12:08:48 PM by Towle »
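As an added example (not a tool from the thread, from HijackThis or from Avast), here is a small Python triage script for a HijackThis-style log of the kind whocares asked for above. It uses a short verbatim excerpt of the log Towle posted as its sample input, groups entries by section, pulls out the O4 autostart items and the hosts behind the O16 download entries, and emits review prompts for the things a forum helper would look at first: the O10 LSP line, autostart items that carry no path, and processes running outside the Windows and Program Files directories. The list of "standard" directories is an assumption for an XP box like this one, and every flag is a prompt to look something up, not a verdict that the item is malicious.

```python
"""Triage helper for a HijackThis v1.97-style log (added example, not code from the thread)."""
import re
from collections import Counter

# A short excerpt of the log posted above, reproduced verbatim as sample input.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\iNtfySvc\intfysvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.overclockers.com.au
F0 - system.ini: Shell=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: PowerReg Scheduler V3.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# "R0 - ...", "O4 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# O4 registry form: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\(Run(?:Once)?): \[([^\]]*)\] (.*)$")
# Locations treated as expected on this XP box; an assumption for the heuristic, not a rule.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%systemroot%\\")


def parse_hjt(text):
    """Split a log into the running-process list and (section code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def section_counts(parsed):
    """How many entries each HJT section (R0, O2, O4, ...) contributed."""
    return Counter(code for code, _ in parsed["entries"])


def autostart_entries(parsed):
    """(location, name, command) for every O4 autostart entry."""
    items = []
    for code, body in parsed["entries"]:
        if code != "O4":
            continue
        m = RUN_RE.match(body)
        if m:
            items.append((m.group(1) + "\\" + m.group(2), m.group(3), m.group(4)))
        elif body.startswith(("Startup: ", "Global Startup: ")):
            location, _, rest = body.partition(": ")
            name, _, target = rest.partition(" = ")
            items.append((location, name, target or name))
    return items


def dpf_hosts(parsed):
    """Hosts that O16 (Download Program Files / ActiveX) entries were fetched from."""
    hosts = []
    for code, body in parsed["entries"]:
        if code == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            if m:
                hosts.append(m.group(1))
    return hosts


def triage_flags(parsed):
    """Items worth a second look. These are review prompts, not verdicts."""
    flags = []
    for code, body in parsed["entries"]:
        if code == "O10":             # O10 reports a problem in the Winsock LSP chain
            flags.append("O10 LSP chain: " + body)
    for location, name, cmd in autostart_entries(parsed):
        cmd_l = cmd.lower().lstrip('"')
        if "\\" not in cmd_l:
            flags.append(f"O4 {location} item without a path: {name}")
        elif not cmd_l.startswith(STANDARD_DIRS):
            flags.append(f"O4 {location} runs from a non-standard location: {cmd}")
    for proc in parsed["processes"]:
        if not proc.lower().startswith(STANDARD_DIRS):
            flags.append("process outside Windows/Program Files: " + proc)
    return flags


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for flag in triage_flags(parsed):
        print("REVIEW:", flag)
```

Run it against a full saved log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`; on the excerpt it reports the O10 LSP line, the path-less `PowerReg Scheduler V3.exe` startup item and the `C:\iNtfySvc\intfysvc.exe` process, which is exactly the short list a helper would ask the poster to look up before touching anything.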