??? I have run avast and found that I have Whale.9216 on 3 computers in my home. It seems I got this from email since I use Outlook Express with my specific email address on only those 3 computers that have it. I have found instructions at McAfee to manually remove it but I do not worship McAfee with an annual fee, therefore I will not run it. Avast usually works so well for me that I don’t even fear viruses anymore. It usually takes care of everything. However, Avast will not delete this virus nor remove it. I am fairly sure I don’t have the “false alarm” I have been reading about in my various searches for information as I have all of the classic signs of Whale.9216…reboot randomly, video hanging, etc. Sooooo…with all of that said (and not in five words or less! LOL!) I really need some help! So I came here to the avast expert board for help! I also found a list of files to search for and delete. The process whale.exe IS NOT showing in my processes list nor can my computer find the umpteen files that www.spywaredb.com/remove-whale-2/ says I should hunt down and delete. I am at a loss and need some expert advice…
Hi baenglish,
what was the name and location of the file(s) detected? This is the sort of thing we need:
C: Docs and Sets\All Users\Application Data\CanonBJ\IJPrinter\CNMWindows\Canonip6600D\Installer\Inst2\helpkicker.exe
Now Frank…I knew you were going to ask that after I did a lil bit of reading around here. Here it is:
10/7/2006 12:58:05 PM Owner 1296 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
10/7/2006 1:17:38 PM Owner 1296 Sign of “Whale-9216” has been found in “C:\Documents and Settings\Owner\Desktop\Administrative Forms & Schedules\Portfolio Subject Divider Sheets\Health & Personal Fitness.pub\Contents” file.
10/7/2006 1:18:41 PM Owner 1296 Sign of “Whale-9216” has been found in “C:\Documents and Settings\Owner\Desktop\Administrative Forms & Schedules\Yearly Portfolio Documents\Steph 11th Grade Portfolio Docs\Stephanie 11th grade Curriculum Design.pub\Contents” file.
10/7/2006 1:43:17 PM Owner 1296 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\Documents and Settings\Owner\Local Settings\Temp\cd_clint.dll” file.
10/8/2006 12:15:53 AM Owner 3380 Sign of “Whale-9216” has been found in “C:\Documents and Settings\Owner\Desktop\Administrative Forms & Schedules\Portfolio Subject Divider Sheets\Health & Personal Fitness.pub\Contents” file.
10/8/2006 12:16:19 AM Owner 3380 Sign of “Whale-9216” has been found in “C:\Documents and Settings\Owner\Desktop\Administrative Forms & Schedules\Yearly Portfolio Documents\Steph 11th Grade Portfolio Docs\Stephanie 11th grade Curriculum Design.pub\Contents” file.
10/8/2006 12:38:17 AM Owner 688 Sign of “Whale-9216” has been found in “C:\Documents and Settings\Owner\Desktop\Administrative Forms & Schedules\Portfolio Subject Divider Sheets\Health & Personal Fitness.pub\Contents” file.
10/8/2006 12:38:41 AM Owner 688 Sign of “Whale-9216” has been found in “C:\Documents and Settings\Owner\Desktop\Administrative Forms & Schedules\Yearly Portfolio Documents\Steph 11th Grade Portfolio Docs\Stephanie 11th grade Curriculum Design.pub\Contents” file.
10/8/2006 1:14:34 AM Owner 688 Sign of “Whale-9216” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\Contents.2.vir” file.
10/8/2006 10:33:39 PM Owner 688 Sign of “Whale-9216” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\Contents.3.vir” file.
10/8/2006 10:33:43 PM Owner 688 Sign of “Whale-9216” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\Contents.vir” file.
I moved it to the chest and then tried to delete it. It said it was unsuccessful and then I tried to move it and it told me it was unable to move it too. It looks from the log like it did move it after all??? Once something is in the chest…does it become “nonviolent”? I know nothing at all about how viruses work other than they can really mess stuff up. This whale thing seems to only be rampant at times. Other times, the computer will randomly “reboot” a million times in one day. After it was detected scanning it seemed to fit the profile I read and got “mad”. We are homeschoolers and rely a lot on our computers. I have to get the problem fixed before it starts affecting the girls’ school files.
If I have posted the wrong thing you are asking for in ignorance, please leave me instructions as to where to look. I am computer savvy but not so wise when it comes to viruses and the innards of Avast (I never needed to be…it takes care of us!)
You have posted exactly what we need. Thank you.
I am not familiar with the .pub\Contents file format but I suspect that is some sort of encrypted file system. It is probably something that avast! can read but not delete or move. The identification of Whale in these locations may actually be a false positive, as you don’t have any of the files or processes associated with Whale.
Of course you have some very real problems, which may be the result of a malware infection. The information you posted shows one item of adware, so I suggest some scans with some free anti-adware/spyware/Trojan* programs. These programs are all free (although they have pay versions or request donations) so you can keep them on your system and run a scan from time to time as a double check, although the free versions do not scan on access like avast!, so they should be used in addition to rather than as an alternative to avast!
Don’t forget to update all the programs before running them:
Ad-Aware:
http://www.download.com/3000-2144-10045910.html
Spybot Search & Destroy:
http://www.safer-networking.org/
Ewido: (Requires Win2000/XP)
a-Squared:
http://www.emsisoft.com/en/software/free/
If you run all these programs and you still have problems you could post a HijackThis! log for us to look at:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
To answer the question you asked about the chest: yes, viruses moved to the chest (which other anti-malware programs call ‘quarantine’) are entirely inactive.
In this case I think avast! has been unable to move the files detected into the chest because they are in some way encrypted or protected. Perhaps another forum member familiar with the format will be able to give you some more information here.
Good luck!
*Adware displays advertisements and hogs system performance, spyware tracks you around the internet or steals personal information, Trojans download adware or spyware onto your computer or allow somebody to control your computer remotely: all things you don’t want.
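An added example, not part of the original thread: a small Python triage of log lines in the format posted above. It collapses repeated detections into one entry per object and separates hits reported inside a document container (a path that continues past `.pub`) from plain files and from copies under avast's `DATA\moved` folder. The sample lines are constructed with shortened paths, and the extension list and category names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the log posted above (paths shortened).
SAMPLE_LOG = r'''
10/7/2006 12:58:05 PM Owner 1296 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
10/7/2006 1:17:38 PM Owner 1296 Sign of "Whale-9216" has been found in "C:\Docs\Fitness.pub\Contents" file.
10/7/2006 1:43:17 PM Owner 1296 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Temp\cd_clint.dll" file.
10/8/2006 12:15:53 AM Owner 3380 Sign of "Whale-9216" has been found in "C:\Docs\Fitness.pub\Contents" file.
10/8/2006 12:16:19 AM Owner 3380 Sign of "Whale-9216" has been found in "C:\Docs\Curriculum.pub\Contents" file.
10/8/2006 1:14:34 AM Owner 688 Sign of "Whale-9216" has been found in "C:\Program Files\Alwil Software\Avast4\DATA\moved\Contents.2.vir" file.
'''

# Timestamp, user, a numeric field (meaning not stated in the thread), signature, path.
DETECTION = re.compile(
    r'^(?P<when>\S+ \S+ [AP]M) (?P<user>\S+) (?P<num>\d+) '
    r'Sign of ["“](?P<sig>.+?)["”] has been found in ["“](?P<path>.+?)["”] file\.$')

# Assumption: a path that continues past a document/archive extension names
# a stream inside that container, not a standalone file on disk.
INNER_STREAM = re.compile(r'^(?P<container>.+\.(?:pub|doc|xls|ppt|zip))\\(?P<inner>.+)$', re.I)

def classify(path):
    """Return (kind, object) for a reported path."""
    if '\\avast4\\data\\moved\\' in path.lower():
        return 'moved-copy', path
    m = INNER_STREAM.match(path)
    if m:
        return 'container-stream', m.group('container')
    return 'plain-file', path

def triage(log_text):
    """Collapse repeated detections into one entry per (signature, kind, object)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            kind, obj = classify(m.group('path'))
            hits[(m.group('sig'), kind, obj)].append(m.group('when'))
    return dict(hits)

if __name__ == '__main__':
    for (sig, kind, obj), times in sorted(triage(SAMPLE_LOG).items()):
        print(f'{sig:24} {kind:17} x{len(times)}  {obj}')
```

Run over the full log, this kind of grouping shows how many distinct objects sit behind the repeated entries, which is the list worth submitting to the vendor for a false-positive check.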
Frankiebaby! Thank you for your quick reply! It is MOST appreciated!
Just some FYI for you, .pub files are Microsoft Publisher files. It is a separate module that interfaces with Office. Very handy for making flyers and such, anything graphically oriented. Thought you might like that for your knowledge base. I have been using it for years to make catalogs, flyers, brochures, and many other things both work and personal related. Hallmark’s card making programs have NOTHING on this program!
I, in fact, do run Registry Mechanic and Spyware Doctor. Both are paid programs from PC Tools. I have found them to be more user friendly and they pick up most everything. Spyware Doctor does have an “on access” type scanner and gets the majority of things before we “go there” on the web. I have had several trojans snatch on to us but Spyware Doctor ALWAYS gets them and takes care of the problem.
I know running more than one spyware or virus program is a no-no. That is about how far my knowledge of them goes though. With this new information, do you think I still need to d/l something else and run it?
Again, appreciations for your teachings and advice! Very kindly given I might add! Kudos to you!
Doh! I forgot to ask one more teeny question…
Out of the three computers (HP desktop, HP laptop, and E-machine desktop, all running XP) that Avast is picking this whale thing up on, ONLY the e-machine is the one shutting down out of the blue and not in a continuous pattern. It will go for weeks and not shut down and reboot and then it will do it 20 times in a few hours. Since you think it isn’t whale.9216 could it be something else?
more FYI and a lil bitty question…LOL!
In my search on the web about whale.9216, I read another poster that had problems also including a .pub file. Is it possible that Avast just doesn’t know what to do with a Publisher (.pub) file? It might see it as an enemy in itself? Also, what would the process be to inform Avast of this? If I need to find the other poster’s complaints let me know and I will go and get it for you.
I would recommend all the programs as a double check, but you will need to disable the on access scanning feature of Ewido (now called AVG anti-spyware) because it may conflict with Spyware Doctor.
You will need to uncheck the Resident Shield under the Status tab.
All the programs I recommend are free, so why not give them a try?
If they find nothing, the problem may be corrupt system files or even a hard disk problem, but just as a last resort, you could post a HijackThis! log from the problem machine. This will allow us to see what is running on the machine and what might be causing a problem.
Re your final post:
It may be that other people have had the same problem with a false identification of malware in .pub files. This doesn’t look like an active malware file to me.
I’ve just noticed that the Whale virus seems to date from 1990. Getting infected with such a historical virus would be the equivalent of going down with the Black Death today - even more reason to make me think that this is a false positive identification of a virus in these files.
I forgot to mention that the origination date I found in my research was indeed 1990. Of course that threw me for a loop because one would think that something that old would have been found and extinct with all of the programs that are on the market.
I will try a few of the things you have mentioned. I will give a report back…not sure how soon that will be. I guess it depends on how user friendly these things are.