what to do..??   found.. DAME (Dark Angel M.E.)

system · 2007-06-18T01:24:34.000Z

Tech post:10:

I’m not an expert on HijackThis… But you can check the automatic analysis of your HijackThis log here.

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

If you don’t recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you’re sure it’s a malware item, you can remove it as posted bellow.

If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button ‘Fix checked’.

Hope it helps.

Hey Tech, im wondering now should i do what you were saying first, or should i do as essexboy said and fix the registry value first… im new to all of this [playing with registry values]… but im willing to learn… Thanks for all your patience, all of you!! ;D

FreewheelinFrank · 2007-06-18T07:49:41.000Z

Looks like a false positive. You should send the file to virust@avast.com with a link to this thread- they will update the definition to prevent the detection.

Also, you should probably edit your email address to avoid spam.

DavidR · 2007-06-18T14:22:54.000Z

Adding to what FWF said, add it to the exclusions until corrected.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

Lisandro · 2007-06-18T19:14:17.000Z

christa post:13:

Hey Tech, im wondering now should i do what you were saying first, or should i do as essexboy said and fix the registry value first… im new to all of this [playing with registry values]… but im willing to learn… Thanks for all your patience, all of you!! ;D

Always follow essexboy first than I. He’s a cleaning/malware expert. I’m not. I was just trying to give you a follow up of the cleaning procedure. But, care, maybe it’s a false positive as Frank said. You can update your virus database (VPS) again and see if the last ones correct this detection or, on contrary, confirms the infection.

system · 2007-06-20T16:22:44.000Z

hi all

i am new to this site. didn’t know it existed. :

anyway im experiencing the same problem as christa and was wondering whether i should follow the same procedures.

thank you all.

kaz

FreewheelinFrank · 2007-06-20T18:41:27.000Z

Hi KAZMANIA,

If it’s DAME in members.stg, it looks like a false alarm. Follow David’s advice here:

http://forum.avast.com/index.php?topic=28883.msg236485#msg236485

system · 2007-06-20T23:01:31.000Z

thank you fwf,

but you wont believe this. i left the pc on, my gf did something and its gone! ive run the avast virus checker on standard and thorough and still picked up nothing! is this possible with “DAME” or has it hidden somewhere were it cannot be found? she said she deleted it or moved it to the chest but there is nothing in the chest. i don’t know. let me know what you think.

kaz

DavidR · 2007-06-20T23:48:10.000Z

Where was it located originally, then check if it is still there ?
check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

It is possible that she moved/renamed and not moved to the chest, check the C:\Program Files\Alwil Software\Avast4\DATA\moved folder ?

system · 2007-06-21T11:03:32.000Z

hi david

i checked the moved folder and there is nothing there.

this is where the file is:

c:\documents and settings\kaz\local settings\application data\microsoft\windows live contacts[so and so]@hotmail.com\real\members.stg\ -55735052" file

i believe this file is still there. i found it. but under properties of that folder i cant find the numerics ‘-55735052"file’. i don’t know if these numerics need to be found to identify but the rest of file path takes me to “members.stg”

thank you for your help
kaz

FreewheelinFrank · 2007-06-21T11:17:50.000Z

The false positive may well have been corrected.

members.stg is a database file of contact’s personal information. The numerical tag is probably not a file but probably some sort of descriptor.

DAME is a virus dating back to 1993- such detections are often FP’s.

If the FP hasn’t been corrected by avast!, changes to the database file caused by adding, removing or updating contact details may have changed the character sequence causing the detection.

If avast! has moved the file, you will have lost you contact details in Windows Live Messenger, so you will need to restore the file.

Add it to the exclusions list to prevent detection if the FP has not been corrected.

DavidR · 2007-06-21T13:32:17.000Z

I would agree with Frank, if the file is still in the original location and undetected then the FP looks like it has been corrected. Do a right click context menu scan (in explorer) on the members.stg file to confirm it is clear.

The numerics file, \ -55735052, I believe is inside the members.stg that is why you can’t see it.

system · 2007-06-22T14:19:21.000Z

hi all

another prob. my pc has slowed down dramatically when using the internet since the virus. it has never run this slow. could there be any relation at all?

i just use my laptop for assignments and some surfing.

thank you

Lisandro · 2007-06-22T14:30:09.000Z

KAZMANIA post:24:

could there be any relation at all?

Yes, it could. But you need to scan your computer again (avast, AVGas, a-squared, Spyware Terminator…) and take a new HijackThis log.

system · 2007-09-09T22:04:30.000Z

Hi there,

Same problem and since it was more than 2-3 months when this topic was made and there were no adjustments to viral database in Avast,can anyone tell me is this still false positive cuz i got this same virus alert yesterday. ???

i checked it on virustotal and avast was the only one who detected it.

Any suggestions?Help?Oh yes,maybe i’m trippin but my pc slowed down.

EDIT : HJT log is attached

Lisandro · 2007-09-09T23:05:13.000Z

vladabgd post:26:

i checked it on virustotal and avast was the only one who detected it.

Most probably…
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits 10 and 15MB each.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be carefull, you should ‘exclude’ that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file - there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

system · 2007-09-09T23:59:55.000Z

Thanks,I just did that.

Can you please check my HJT log to see if there’s something wrong going on there?

big thnks in advance. ;]

DavidR · 2007-09-10T01:19:26.000Z

We didn't detect any active process of a firewall on your system. Reasons maybe: (1.) You are using the windows firewall or a hardware firewall.

I have just had a quick look at it and the most obvious sign to me is this.
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)

Even though the file is reported missing that may not be the case it could be being hidden by a rootkit.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.

BlackLight - It can detect rootkits like Rootkit Revealer but can also remove them. http://www.f-secure.com/blacklight/
Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip .
AVG ANTI-ROOTKIT - AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.

A google search for vtrurs.dll indicates this may be a Vundo infection.
Here are the cleansing instructions for Vundo/Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

VirtumundoBegone (if VundoFix does not work) - http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Also
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hawgwnsb.exe (file missing) - This file name returns zero hits in a google search, which is suspicious in its own right.

Did you make these entries in your HOSTS file for the oink.me.uk ?

system · 2007-10-10T18:58:53.000Z

this is my log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:46, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [{7A-A5-56-67-ZN}] C:\Documents and Settings\ALİYE\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [BullGuard] “C:\Program Files\BullGuard Software\BullGuard\bullguard.exe”
O4 - Startup: TA_Start.lnk = ?
O8 - Extra context menu item: Microsoft Excel’e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://aliyekilic.spaces.live.com//PhotoUpload/MsnPUpld.cab
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

–
End of file - 5372 bytes

help me sooonnn

DavidR · 2007-10-10T19:12:00.000Z

You really should start a new Topic and we will be happy to try and help if you tell what the problem is rather than just jump in with a hijackthis log without any reason why.

We don’t want to hijackthis topic which may be totally unrelated to your problem.

essexboy · 2007-10-10T20:50:43.000Z

Start a new topic as you have Zeno adware infection

O4 - HKLM..\Run: [{7A-A5-56-67-ZN}] C:\Documents and Settings\ALİYE\Local Settings\Temp\TIP2D002.exe P2D002
O4 - Startup: TA_Start.lnk = ?

Announcements