Annihilator 272 > Micro - 128

XP Home with Avast 4.8 Home; Windows Defender in Real-Time protection; updated Microsoft Windows and Spyware Blaster.

Recently I had a couple of intrusions which I thought I had got rid of.

But I have a possible problem that I do not understand. Because I had a virus that opened Internet Explorer, I have been watching it in the Windows Firewall and disallowed just about everything. But in a very short time TWO entries appear which I had not approved. They are identical: Windows Media Format SDK (iexplorer.exe)

Is this normal? If so, what causes the entries to appear?

Thank you very much

Sorry… I’m not on XP now to see if I have those entries by default.
Anyway, to be sure you’re clean, I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Thank you tech

I am going to follow your suggestions and will report later.
qim

If it’s windows firewall, you won’t stop anything going out.

Dear Tech

I did the Avast Boot scan and it found a virus in
c:\Recycler\ s-1-5-21- etc (any numbers)\Dc129.exe\Files\initrd.img\imitrd\opt\pavc\usr\lib\libpskavs.so.1.4.3.24

The file is infected with Annihilator-272

However, I was unable to Delete/Move/Chest with Error 42111 - operation not supported for this kind of archive

same problem with Repair: Error42060 (file was not repaired)

As I have no idea where this file is (I have no C:\ Recycler, by that name anyway, unless it is the Recycle bin) I don’t know what to do.

I decided to turn off System Restore but have not emptied the Recycle Bin awaiting your instructions

Meanwhile, I have been googling for this virus and it appears that it may be connected to Panda. I did use Panda recently. I also used the Online Housecall antivirus and I have discovered that in c:\Docs& Settings\Me\housecall6.6\Quarantine there are 2 entries for Pskavs.dll.bac a00436 (and the second ending in a01056)

I have also analysed online, as you suggested, the HijackThis report and strangely it tells me that Avast is not on (it is!) and that I don’t have a Firewall (I do): Windows’ own.
It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. You can look here for a good anti-virus scanner.
We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.
I’m confused now…

Obrigado

qim

The file is inside an archive (.zip, .cab, .img…). It can’t harm from there. Don’t worry. avast can’t deal with the whole archive and the file is left inside it, harmless.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

Go ahead, clean Recycle bin.

I do have hidden files on view. So where is this file? Could it be in the HouseCall quarantine?

And why does my Firewall not show in the HijackThis analysis?

Thanks

qim

I don’t think so… it’s in the Recycle bin, maybe of another user on this computer… how many login names are there on this computer? The administrator and other users, or just one, your login? Are you logged in as an administrator?

Sorry, I’m not an expert on HijackThis…

I only have one user: me.

Anyway, I have emptied the Recycle Bin and will do another Boot scan this afternoon (UK).

What about the Housecall Quarantine folder? It has 2 files there connected to the ‘virus’. Should I delete this folder?

Obrigado

qim

I think you could empty (delete) the Housecall quarantine, but files in quarantine are safe and there is no rush to delete them.

The Windows firewall does not have an entry in a HijackThis log.

Hi Tech

News: I did another Boot scan and guess what.

First it found the same virus again (libpskavs.so.1.4.3.2.4.vir) but this time in the Avast4\data\moved folder.

So: a) it did move the file earlier even if it said that the operation was not supported

and b) this time the virus is no longer Annihilator - 272 but Micro -128

What is going on?

Anyway, I moved it to the Chest, and now need to know what I should do.

10/23/2008 07:01
Scan of all local drives

Scanning aborted
Number of searched folders: 2271
Number of tested files: 46826
Number of infected files: 0


10/23/2008 09:05
Scan of all local drives

File C:\RECYCLER\S-1-5-21-857417043-2124973893-2320036816-1005\Dc129.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.3.24 is infected by Annihilator-272, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
Scanning aborted

Number of searched folders: 5000
Number of tested files: 408553
Number of infected files: 1


10/23/2008 15:14
Scan of all local drives

File C:\Program Files\Alwil Software\Avast4\DATA\moved\libPskavs.so.1.4.3.24.vir is infected by Micro-128, Moved to chest
Number of searched folders: 7776
Number of tested files: 813829
Number of infected files: 1

Thank you for your invaluable help.

qim
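As an added illustration of how to read scan-log lines like the ones quoted above (example code written for this thread, not avast’s own tooling): a small Python parser for the "File … is infected by …" entries that splits out the archive components the file is nested in, the failed actions with their error codes (42111, 42060) and the .vir rename that Move/Rename applies. The sample log is constructed from the quoted lines and the archive-extension list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the avast 4.8 scan-log lines quoted in the thread.
SAMPLE_LOG = r"""10/23/2008 09:05
Scan of all local drives
File C:\RECYCLER\S-1-5-21-857417043-2124973893-2320036816-1005\Dc129.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.3.24 is infected by Annihilator-272, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}
Scanning aborted
10/23/2008 15:14
Scan of all local drives
File C:\Program Files\Alwil Software\Avast4\DATA\moved\libPskavs.so.1.4.3.24.vir is infected by Micro-128, Moved to chest
"""

FILE_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>[^,]+)(?:, (?P<rest>.*))?$")
# One attempted action that failed, e.g. "Move to chest: Error 42111 {...}"
ACTION_RE = re.compile(r"(?P<action>[^,:{}]+?): Error (?P<code>\d+) \{(?P<msg>[^}]*)\}")
# Assumed list of container formats avast unpacks; the thread shows .exe (SFX) and .img
ARCHIVE_EXT = (".exe", ".img", ".zip", ".cab", ".rar", ".7z")

@dataclass
class Detection:
    path: str
    name: str
    containers: List[str]                    # archive components the file is nested in
    failed_actions: List[Tuple[str, int, str]]
    final_action: Optional[str]              # e.g. "Moved to chest", None if nothing succeeded
    renamed_vir: bool                        # True when Move/Rename already tagged it .vir

def parse_detection_line(line: str) -> Optional[Detection]:
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    path, name, rest = m.group("path"), m.group("name"), m.group("rest") or ""
    parts = path.split("\\")
    containers = [p for p in parts[:-1] if p.lower().endswith(ARCHIVE_EXT)]
    failed = [(a.group("action").strip(), int(a.group("code")), a.group("msg"))
              for a in ACTION_RE.finditer(rest)]
    # Whatever is left once the error entries are removed is the outcome text.
    outcomes = [t.strip() for t in ACTION_RE.sub("", rest).split(",") if t.strip()]
    return Detection(path, name, containers, failed,
                     outcomes[-1] if outcomes else None, path.lower().endswith(".vir"))

def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_detection_line, text.splitlines()) if d]

def triage(d: Detection) -> str:
    if d.containers:  # nested in an archive: inert until something unpacks it
        return f"{d.name}: inside {' > '.join(d.containers)}, inert until unpacked"
    tag = "already renamed .vir by Move/Rename" if d.renamed_vir else "live file"
    return f"{d.name}: {tag}, outcome: {d.final_action}"
```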

qim

You can manually delete that file… avast can’t handle it (but it is harmless inside the archive).

But why did the virus change name AFTER being moved by Avast? (see above)

Thanks

qim

What option did you select on detection?
If you chose Move/Rename, it does what it says on the tin: it moves the file and tags .vir onto the end of the file name.

This shows to me that you didn’t move it to the chest, but used Move/Rename not Move to chest:

C:\Program Files\Alwil Software\Avast4\DATA\moved\libPskavs.so.1.4.3.24.vir
The moved folder is a) outside the chest, b) only used if you selected Move/Rename, see image.

Where are you looking (folder and file name) for this change?
If you are using Explorer to look at the chest you won’t see the original file name; this is part of the protection of the chest (file names to the outside world are different and files are encrypted). This effectively stops files being accessed and run from outside the chest.

The .vir extension makes the file harmless (you can’t execute, run, it).