I'm confused - only Avast can see this virus?

Hi, my name is mareli and I have a problem with Avast.
For about a month now, when I scan my HD with Avast I usually find a virus called Trojan 85* (850, 851). It's in windows/system (I still have Windows 98, I know!)

Every time Avast cleans it, and the next scan is good. Then I connect again and the virus is there again.

I'm confused: no other scanner finds this virus but Avast. I ran HijackThis, Virus Cleaner and RAV AntiVirus online. This virus can be found only by Avast.
Besides, I can't find any information about it. What damage could it do? Is it really a virus, or what?

What do I have to do? Thanks for the help
:smiley:

Hi,

we need some more detailed info to help…

a) read the link “VirusRemoval” below in my sig
b) please tell us the exact virus name and the full path/folder/filename of the infected file
c) test the file with online scanners (avast shield paused for this)
d) come back with the above info, a HijackThis log, and the version# of avast (program & VPS)

:wink:

done :slight_smile:

the path is c:\windows\system
the name(s) are variable:
something like XxXxXxXx.dll (the letters change). Avast recognizes it as:
Win32:trojan-850 [Trj] or Win32:trojan-851 [Trj].
Viruses are always removed but after a connection I always find them again.

I used RAV and it didn't find anything suspicious.

avast: 4.6-623 (I think it's the latest update; I have set updates to automatic)
this is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12.55.04, on 02/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\7KUW11\LN03WYH.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMI\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAMMI\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAMMI\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAMMI\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAMMI\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: IEHlprObj Class - {01FB9C55-FC66-4476-A199-389241193188} - C:\WINDOWS\SYSTEM\HVSCSFDD.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Programmi\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmi\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Programmi\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\ONTRACK\FIX-IT\MEMCHECK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAMMI\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

thanx for help :smiley:
If you think I need an update, I know. I just want to know if there's any hope or whether I have to format this oldie… :wink:

ETA: since this morning Avast finds the virus when I connect to the net and moves it into the trash (where is its trash?)

Judging by the symptoms, avast! indeed recognized the malware correctly.
Other AVs just failed to detect this specific sample.

Yep, avast seems to be picking it up fine.

Also, after a quick analysis of your log, I can see that you can/need to remove these:

O2 - BHO: IEHlprObj Class - {01FB9C55-FC66-4476-A199-389241193188} - C:\WINDOWS\SYSTEM\HVSCSFDD.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab

Then open task manager (Alt + Ctrl + Delete), press the ‘processes’ tab at the top, then kill this process:

LN03WYH.EXE

Then browse to and delete this file:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\7KUW11\LN03WYH.EXE

Then delete any temp files you have, you can use ccleaner for this if you want: http://www.filehippo.com/download/ncAOCJr-Om3Lq35Rh3QQoQ2/download.html

Then reboot your machine.

Then update your windows/IE, as they are out of date (www.windowsupdate.com)

Then see if avast still picks up this virus/malware.

Let us know the result.

–lee
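The two items lee pulled out of the log by hand (a BHO DLL with a random-looking name in the system directory, and a randomly named EXE running from a randomly named folder under Downloaded Program Files) are the kind of thing a small triage script can flag mechanically. The following is an added example written for this page, not code from the thread, from Avast or from HijackThis. It re-parses a subset of the log lines posted above (embedded as sample input), treats path components with digits mixed into the letters or 8+ letters without a vowel as machine-generated, and flags O16 ActiveX downloads from any host outside a tiny allowlist; both the randomness heuristic and the allowlist of the two online-scanner hosts are assumptions of the example, not rules from HijackThis, and a name passing the heuristic is no proof of cleanliness.

```python
"""Triage helper for a HijackThis log (added example, not from the thread).

Flags running processes, O2 BHOs and O4 autostarts whose path contains a
machine-generated-looking component, and O16 ActiveX downloads from hosts
not on a small allowlist. The heuristics are assumptions, not HijackThis rules.
"""
import re
from urllib.parse import urlsplit

# Sample input: a subset of the HijackThis log lines posted in the thread above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\7KUW11\LN03WYH.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE

O2 - BHO: IEHlprObj Class - {01FB9C55-FC66-4476-A199-389241193188} - C:\WINDOWS\SYSTEM\HVSCSFDD.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - ")                      # HijackThis item code
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx|tsk|cab)", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
VOWELS = set("AEIOU")
# Assumption of this example: the two online-scanner hosts in the log are known-good.
TRUSTED_DPF_HOSTS = {"housecall.trendmicro-europe.com", "www.ravantivirus.com"}


def parse_log(text):
    """Yield (kind, line): kind is the HijackThis code (O2, O16, ...) or PROC
    for a line in the 'Running processes' section."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            yield m.group(1), line
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            yield "PROC", line


def looks_random(component):
    """Heuristic (assumption): digits mixed into the letters (7KUW11, LN03WYH)
    or 8+ letters with no vowel (HVSCSFDD) read as machine-generated.
    Trailing digits alone (KERNEL32) do not."""
    stem = component.rsplit(".", 1)[0].upper()
    core = stem.rstrip("0123456789")
    if any(c.isdigit() for c in core):
        return True
    return len(core) >= 8 and not (set(core) & VOWELS)


def random_components(path):
    """Every directory or file name in a Windows path that looks_random()."""
    return [p for p in path.split("\\")[1:] if looks_random(p)]


def triage(text):
    """Return (kind, target, reason) tuples for the suspicious entries, in log order."""
    findings = []
    for kind, line in parse_log(text):
        if kind in ("PROC", "O2", "O4"):
            m = PATH_RE.search(line)
            if m:
                bad = random_components(m.group(0))
                if bad:
                    findings.append((kind, m.group(0),
                                     "random-looking name(s): " + ", ".join(bad)))
        elif kind == "O16":
            m = URL_RE.search(line)
            host = (urlsplit(m.group(0)).hostname or "") if m else ""
            if host and host not in TRUSTED_DPF_HOSTS:
                findings.append((kind, m.group(0),
                                 "ActiveX download from unlisted host " + host))
    return findings


if __name__ == "__main__":
    for kind, target, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {target}\n     {reason}")
```

Run against the sample it reports exactly the three lines lee listed as malicious or unwanted (the LN03WYH.EXE process together with its 7KUW11 folder, the HVSCSFDD.DLL BHO, and the atlanteitaliano.it cab), and nothing for KERNEL32.DLL, the avast! binaries or QTTASK.EXE. Since an O2 BHO is loaded into every Internet Explorer instance, a random-named DLL at that load point is a plausible reason the detection recurs each time the poster goes online; that inference is the editor's, not something the thread states.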

first thanx for help. :slight_smile:
I did what you said, but I couldn't find any process with the name you gave or any file in the downloads folder under that name.
HijackThis helped me, but the problem is that even if I get rid of the infection by fixing it, at the next reboot the problem is back again :frowning:
So I'd say that whatever I'm looking for is well hidden (for me! :slight_smile:)

So, I guess I’m in for a format…
thanx guys :slight_smile:
ciao

Hi,

  • please install & Update SPYBOT & AD-AWARE (Links see “VirusRemoval”)
  • reboot to safeMode and scan & fix with them several times, until nothing more is found/fixed
  • reboot normally and come back with a fresh Hijackthis-log

Also apply all Windows updates (e.g. your IE is outdated & insecure)

next time, you should MOVE the infected file to avast’s MOVED folder, NOT to the CHEST

from there, upload it to JOTTI (link : you know where :wink: ) with avast shield PAUSED
come back with the list of scan results
(remember to reenable the Shield afterwards… )

P.S. it's probably a DIALER, so you should check your next phone bill carefully, and maybe keep the file in the moved folder if you want to dispute the phone bill

Info:
http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=Win32%3Atrojano-850&product=1

http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=Win32%3Atrojano-851&product=1

:wink:

Thanks, you're really great! :slight_smile:

Now I'm more confused than before. I have an ADSL modem and I pay a flat rate, so I wonder how I can be infected by a dialer… I didn't know it was possible.

I’m downloading everything! :wink:

Hi,

you can get "infected" by a dialer, i.e. it can be secretly installed on your PC, whether you're on ADSL or a modem, it doesn't matter:
just by surfing to spurious sites with unsafe system/browser settings

it just can't do you any harm (not increase your phone bill) with ADSL … :wink:

(IF you don’t keep an analog/dial-up modem in the PC, e.g. for fax purposes or so…)

But this finding of the dialer means that other malware (e.g. trojans, spyware…) can also enter your system this way and do you lots more harm, until you’ve secured it…

:wink:

SpyWareBlaster provides excellent protection against dialers.