Hiberfil.sys Zipper 2778 Worm

Hi - I am new here and I have a problem that’s driving me nuts. My PC has the Avast screensaver and it keeps intercepting the Zipper 2778 worm, recommended action: quarantine. Every time I quarantine it the warning comes back, with the radioactive symbol and siren.

Please help.

Thanks
Rob

It may be a false positive in your hibernation file- it seems to be an old DOS virus. Try hibernating your system and restarting- hiberfil.sys is just a memory dump, so maybe there was a pattern in the dump that resembled the virus.

If it persists, try a boot time scan- right click the scanner screen, select schedule a boot time scan and reboot when requested.

I just went to the power options in control panel and tried to check the enable hibernation box and access was denied with a pop-up that says "the file is being used by another process" or something like that.
I did 2 boot-time scans but no. This Avast Alert only happens in screensaver mode - scanning has found nothing.

As a workaround, you can add this file to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…

Also, you need to use the on-demand scanning exclusion list for the screen-saver or the Simple User Interface:
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

Hope the Alwil team corrects the detection.
Maybe you should disable the hibernation option. Boot. Enable it again.

I added hyberfil.sys. Is that good enough? I’ll report if this is finished. I think you may be right about an old virus in DOS. This computer just got back from the shop with a clean install- my kernel32.dll was missing.

Still in the Avast! virus chest are these system files: Kernel32.dll, winsock.dll, and wsock.dll.

When the technician reinstalled Windows, most of my program files were lost.
Yet when I looked in my virus chest last night, there were over 18,000 viruses, worms and trojans that had been quarantined after I bought this computer at a thrift store.
I ran Avast on it first thing when I bought it last October and it spent several hours scanning and quarantining viruses in boot-mode.

I left these in the chest.
All of them were deleted except the three above, and I am leaving it as is.

Just before the computer crashed, I removed those very files. Once in XP repair mode, I disabled automatic restart and when it tried to reboot the message came up saying that kernel32.dll was missing. Then I went into XP despair mode.

Should be…

I’ll be waiting for you…

They’re there for backup purposes only. They’re not infected at all, they’re on System folder of the Chest.

Wow… are you sure that all those infections came from the store?

It’s ok…

avast will add them again later…

avast does not move the files from the computer to Chest. It just copies them, as a backup.

Yes - over 18,000 bugs. That’s my guess why it ended up in a thrift store.
Of course, there was NO AV program installed. The previous owner appears to have been a young person who didn’t know.

So now things are making sense maybe - a couple of weeks ago I removed those system backups, and the very next day it would only boot up to the XP GUI screen.
Is it just a coincidence, or had the backup not been removed, would it still have the kernel32 file?

I know better now to leave them alone.

Well, avast does not mess up your computer… the infections did it (or could have done it).

The problem will be that you won’t be able to boot and extract the file from the Chest, so, probably you’ll need the original CD or a way to boot the computer and replace that file. Maybe XP Console recovery could do something here…

Uberevangelist, my PC crashed again Sunday. On Monday I was able to run CHKDSK and repair the boot record, and my PC booted back up. Now that dumb ZIPPER virus alert is testing my patience. Is there anyone on this board that may know how I get this virus or whatever it is to stop? Hibernate has been turned off.
I am not sure if this virus is causing my computer to crash but it seems to be a logical assumption at this point.
I’ll check again to see if it’s in the exclusion list. I may not have had the time to do that as Saturday and Sun are busy days.

Which file is infected? Did you try to delete the hyberfil.sys file, maybe using Unlocker (http://ccollomb.free.fr/unlocker/) or Delete FXP (http://www.jrtwine.com/) or MoveOnBoot tool?

MoveOnBoot tells me "incorrect file name" when I paste hyberfil.sys into the box. I haven’t figured out how to use Unlocker yet.

I think the problem doesn’t originate in hiberfil.sys but ends up there when Windows hibernates. Zipper is a memory resident virus so it would be a part of the “snapshot” that Windows saves.

If an avast! boot scan doesn’t help, try a Trend Micro or Kaspersky online scan:

http://housecall.trendmicro.com/

http://www.kaspersky.com/virusscanner

Download this removal tool to get the worm from your computer:
http://www.downloadtopc.com/get/62/42378/W32Stration_worm_removal_tool.html

This is a simple virus which stays resident in memory and infects COM and EXE files when they are accessed. \COMMAND.COM and \DOS\FORMAT.COM are infected on the first execution.

If you run PKZIPFIX against an infected COM or EXE file, it will create a PKFIXED.ZIP, which contains an assembly source file called ZIPPER.ASM.

The virus contains this text, which is never displayed:

*>> Use PKUNZIP .EXE immediately! <<<<

Zipper contains several bugs which might corrupt the infected files.
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
your CONFIG.SYS file. Reboot the system. Then run each .EXE file
less than 62k. The virus will remove itself from each .EXE program
when it is executed. Or, leave DOS=HIGH in your CONFIG.SYS; execute
an infected .EXE file, then use a tape backup unit to copy all your
files. The files on the tape have had the virus removed from them.
Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the
system. Restore from tape all the files back to your system.

polonus
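A way to check whether the text quoted in the post above is physically present in a dump file, added here as an example (it is not code from the thread or from avast!). It assumes you run it against an offline copy of the file, since Windows locks hiberfil.sys while running, and that the dump is uncompressed; a hit only shows the bytes are in the snapshot (a scanner's own signature data in memory can put them there too), not that anything is active.

```python
import os
import tempfile

# Text the post above says is embedded in the virus body (quoted from the page).
MARKER = b"Use PKUNZIP .EXE immediately!"


def find_marker(path, marker=MARKER, chunk_size=1 << 20):
    """Return the file offsets of every occurrence of marker.

    The file is read in fixed-size chunks and the last len(marker)-1 bytes
    are carried over, so a marker split across two chunks is found once.
    """
    hits = []
    keep = len(marker) - 1
    tail = b""
    base = 0  # file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            pos = buf.find(marker)
            while pos != -1:
                hits.append(base + pos)
                pos = buf.find(marker, pos + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return hits


def build_sample_dump(chunk_size=4096):
    """Constructed stand-in for a dump: zero filler plus two copies of the
    marker, the second one straddling a chunk boundary."""
    data = bytearray(3 * chunk_size)
    offsets = [100, chunk_size - 10]
    for off in offsets:
        data[off:off + len(MARKER)] = MARKER
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, offsets


if __name__ == "__main__":
    sample, expected = build_sample_dump()
    try:
        print("found at:", find_marker(sample, chunk_size=4096), "expected:", expected)
    finally:
        os.remove(sample)
```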

How do I find the CONFIG.sys file?

Are you saying I should use PKzipfix immediately? You can tell I don’t know my way around this. I’m worried that this thing is going to crash my computer again if I don’t get it off.

The zipper virus contains the line

>>*>> Use PKUNZIP .EXE immediately! <<<<
within its code. It’s mentioned in the quote polonus posted as a way to identify the virus.

Those instructions appear to refer back to the days of DOS since the files \command.com and \dos\format.com normally do not exist under Windows XP. There are files of the same name in a different directory in XP but I don’t know if they would be infectable by a DOS virus.

There will probably be a config.sys in your root directory under XP ( C:\ ) but I’m guessing it will be empty. In any event I don’t believe the dos=high or dos=low commands will have any meaning in an XP environment.

Maybe somebody else can comment - it’s been a long time since I’ve worked in DOS.

Have you tried the boot scan yet? If you open the avast! simple user interface and let the memory scan run it might provide confirmation of a memory resident virus.

The info below the tool link is rather old info because the virus is old, so at that time XP was not around yet… Download this file to work on, just to compare, nothing else:
http://www.techadvice.com/specs/files_st1.asp?fnid=3398288

XP has MSCONFIG, not the config.sys. If you are not familiar with these proceedings, just run the tool from the link given to see whether it can resurrect the infected executables.

polonus

Thanks polonus

Keith :slight_smile:

Hi, I have been at this two days and so maybe I should just uninstall AVAST? The damnable hyberfil.sys Zipper 2778 alert keeps popping up in screensaver mode.
None of the advice given so far has worked or I don’t know how to use it.
I am afraid this virus is already starting to do more damage. This morning’s computer boot was missing the Dell 782p monitor driver and the screen now flickers. I reinstalled the driver but the flickering won’t stop, no matter how high I set the resolution. I’ve gone round and round with this and I’m ready to sing the “Stop the computer and let me off” song.

My computer crashed last weekend and this virus alarm and then monitor flickering preceded it. I wouldn’t doubt the next thing you hear is that my PC crashed.
I know a bunch of you evangelists have offered advice geared for the techie, but maybe you got a preacher in charge that you have been covering for?
Somebody has got to know why Avast won’t quarantine this Zipper virus.
To further confuse me, some say it’s not a virus and some say it’s corrupting my files. It’s starting to corrupt my mind!
Please help - I don’t think I have much time left before she blows.

Have you tried deleting the hyberfil.sys file to see if that gets rid of the problem?

You will need to enable ‘view hidden files and folders’:

http://www.bleepingcomputer.com/tutorials/tutorial62.html

If the technician who reinstalled Windows for you did not do a completely clean install, you may have instability problems left over from all the malware removed previously. As this is an old computer, you may also have hardware problems: it’s difficult to know if your problems are down to malware or a video card on the blink.

You could try a registry scan with TuneUp utilities to look for problems in the OS. You could also try posting a HijackThis! log so we can look for any malware still active on your computer:

http://www.tune-up.com/

http://www.bleepingcomputer.com/tutorials/tutorial42.html