system
41
This is scary. I thought if I purchased AVAST I’d be virus free and I wouldn’t have to go through all this rigmarole.
Now I discover 4 or 5 viruses? Just what exactly is AVAST doing?
system
42
NO virus-scanner detects everything…
→ you also have to exercise some caution and common sense when using your PC / surfing / emailing…
please 1st follow the advice from Eddy and me to clean up your Hijackthis-Log
then reboot and post a new log…
the Onlinescan shouldn’t close unless you clicked the wrong button… try the one to the lower right where it says “REPORT”
system
43
You are not going to be happy with me.
I closed Hijack and now the report is gone. I’ll have to wait until the scan finishes and redo that too.
I went into Startup and disabled the place where the scan said there was a virus:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs - VBS/Krepper.A* → Infected
system
44
you say: you also have to exercise some caution and common sense when using your PC / surfing / emailing…
I never open an attachment EVER. How do you use caution surfing… I go to medical sites, I go to The Sims sites and forums, I go to Pogo (a reputable game site).
I don’t do much of anything else.
So what am I doing wrong?
system
45
Scan started at 8/8/2004 3:23:18 PM
Scanning memory…
Scanning boot sectors…
Scanning files…
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs - VBS/Krepper.A* → Infected
C:\WINDOWS\pss\Search.vbsCommon Startup - VBS/Krepper.A* → Infected
C:\WINDOWS\system32\ATPartners.dll - TrojanDownloader:Win32/Rameh.C → Infected
C:\WINDOWS\system32\bolae9.dll - TrojanDownloader:Win32/Rameh.B → Infected
Scanned
Objects: 125730
Directories: 7118
Archives: 22191
Size(Kb): -1959519
Infected files: 4
Found
Viruses found: 3
Suspicious files: 0
Disinfected files: 0
Mail files: 1176
system
46
Logfile of HijackThis v1.97.7
Scan saved at 4:35:41 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\WinZip2\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Owner\My Documents\UNZIPFOLDER\hijackthis[1]\HijackThis.exe
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZILLAbar - {8FC8AE66-AC15-4C0D-9E9A-51296A0C52FA} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [STOPzilla] “C:\Program Files\STOPzilla!\Stopzilla.exe” /autorun
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip2\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
system
47
you went to
hp://www.armbender.com/
hp://dst.trafficsyndicate.com/
or were redirected to it (maybe BAD Browser settings) or installed dubious software that downloaded stuff from there…
→ both obviously BAD sites, since they host/spread trojan files…
AND your Browser (InternetExplorer ?) is configured so insecurely that it could download the trojan-files (probably in the background/unnoticed by you…)
P.S.: Both trojans are imho not really that dangerous, but are probably just adware/spyware/Search-page-hijackers… related
Info:
QDOWN
VB-bn

system
48
if a THOROUGH scan with UPDATED avast really cannot detect these, then please send the above files to
virus (at) avast.com
(best in a password-protected ZIP-archive)
try deleting the files in SafeMode (F8-Boot) or follow the red links to instructions here:
Krepper
Rameh.B
Rameh.C
→ SPYBOT & Ad-AWARE could also help, see “VirusRemoval”
AFTER you’ve scanned & fixed with Spybot & ad-Aware AND had a go at the Removalinstructions…:
reboot, then UPDATE Hijackthis to version 1.98.2 via its internal Updater: → config → MiscTools → Update
best unpack the downloaded ZIP-file into the same folder as before.
P.P.S.: before, fix
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
as instructed…
system
49
I have been to neither of those sites and I don’t see them in my history.
I don’t even know what they are. Despite my popup stopper I do get a lot of popups.
system
50
I have automatic update so there is no reason to believe I am not up-to-date on my AVAST.
I will send them.
system
51
Can you give me the correct setting for Explorer?
system
52
According to this, the virus put me at those sites unbeknownst to me.
Virus Encyclopedia Search Results
VBS_KREPPER.A
Aliases: VBS/Krepper.A*, TrojanClicker.VBS.Krepper, Trj/Krepper.E
Upon execution, this Trojan opens a new Internet Explorer window with a height and width value of zero, making the said window invisible to users. It then accesses the following site using …
What I want to know is how the heck did I get it in the first place since I don’t open attachments.
system
53
Can you help me with these?
I don’t recognize any of them… can I safely “FIX” them?
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://cobia.livehelpcasino.com/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v40/focus/focus.cab
O16 - DPF: {957BDEC2-50EA-4B01-ABF5-22F86364A914} (Trivia Control) - http://mirror.worldwinner.com//games/v41/trivia/trivia.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v48/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://fptest.onisak.com/software/v7/gp0/setup.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/gar.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/211/webolr/OCX/FlashAX.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
system
54
I don’t do live chat so I have no idea why I have Yahoo and MSN chats here.
I just don’t want to screw anything up. Looks like things are pretty clean.
Thanks for all your help!!!
Eddy
55
DPF is short for Downloaded Program File. These are things you downloaded. And you do visit quite some ad-/spyware spreading sites. That is most likely why you get into trouble.
system
56
Decided to do one more scan with RAV and already I got a new virus and I haven’t done anything!!!
Scan started at 8/8/2004 6:46:13 PM
Scanning memory…
Scanning boot sectors…
Scanning files…
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YXNCTK7A\UCSearch[1].CAB->UCSearch.ocx - TrojanDownloader:Win32/VB.BN → Infected
Eddy
57
and I haven't done anything!!!!!
Yes you have done something. You visited malicious sites, that's why/how. See this entry in the HJT log. You were there!
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
system
58
I went there out of curiosity… to see what it was that I was supposed to have visited but didn’t. And it was a blank page!!! It had a #1 on it.
I would never have gone there if you hadn’t insisted I’d been there and I knew I had not.
Back to the beginning…
Curiosity killed the cat… MEOW
system
59
You can safely delete / fix any or all of the entries beginning with O16 as they are downloaded from sites when u visit. If you need them then you may have to wait an extra few seconds next time you visit for it to reload but removing them does no damage and may clear up your HJT report a little
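The O16 triage Eddy describes by hand, as an added example that is not part of the original thread or of HijackThis itself: a small Python script that pulls the O16 (DPF) lines out of a HijackThis log in the format posted above and flags an entry for review when the download host is not on a list of vendors the user recognises, when the control carries no name, or when the URL points at a raw .exe rather than a .cab. The sample log lines and the trusted-host list are constructed for this example; the list stands in for the judgement the helpers applied in the thread (the armbender.com entry is the one RAV later matched as the cached UCSearch[1].CAB).

```python
import re
from urllib.parse import urlparse

# Constructed sample: O16 lines in the shape HijackThis writes them,
# modelled on the log posted earlier in this thread, plus one O4 line
# to show that non-O16 entries are ignored.
SAMPLE_HJT = r"""
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_40/QDow.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/gar.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# O16 - DPF: {CLSID} (optional friendly name) - download URL
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))?"
    r" - (?P<url>\S+)\s*$"
)

# Assumption for the example: hosts the user recognises as software vendors.
TRUSTED_HOSTS = {"www.apple.com", "www-secure.symantec.com"}


def parse_o16(log_text):
    """Return one dict per O16 line: clsid, name (or None), url, host, ext."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # not an O16 line
        url = m.group("url")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        last = parsed.path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        entries.append({
            "clsid": m.group("clsid").upper(),
            "name": m.group("name"),
            "url": url,
            "host": host,
            "ext": ext,
        })
    return entries


def triage(entries, trusted_hosts=TRUSTED_HOSTS):
    """Return (clsid, verdict, reasons) per entry; verdict is 'ok' or 'review'."""
    results = []
    for e in entries:
        reasons = []
        if e["host"] not in trusted_hosts:
            reasons.append("download host not in trusted list")
        if e["name"] is None:
            reasons.append("control has no registered name")
        if e["ext"] == "exe":
            reasons.append("DPF points at a raw executable, not a .cab")
        results.append((e["clsid"], "review" if reasons else "ok", reasons))
    return results


def review_queue(log_text, trusted_hosts=TRUSTED_HOSTS):
    """CLSIDs the user should look at (or simply fix, as Eddy suggests)."""
    return [c for c, v, _ in triage(parse_o16(log_text), trusted_hosts) if v == "review"]


if __name__ == "__main__":
    for clsid, verdict, reasons in triage(parse_o16(SAMPLE_HJT)):
        print(clsid, verdict, "; ".join(reasons))
```

Every O16 entry is a control Internet Explorer was allowed to install from a web page, so the useful question for each line is simply where it came from; the script makes that visible per entry instead of leaving it buried in a forty-line block.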
system
60
Thank you!!! Some of them were very old.