avast 4 Home Edition's on-line access protection picked up this win32:kreper-i. I moved it to the chest and ran it through the database. It came up listed as an exe infector, and seems to be only infecting temp int files, so I delete them.
Each time I get my connection now, avast still picks it up again, and now two days later it is infecting system files. What is this? I did a McAfee online scan and no viruses were found; is something wrong with my avast prog?
I have the same problem but I will now try deleting it in safe mode…maybe it will help
OK I’ve checked the entire system in safe mode… when I connect to the Internet nothing appears in the avast! scanner so I think it’s gone…
d_wtkns I think you should visit this site http://members.home.nl/edeijl/index1.htm
There’s a section named malware removal instructions and applications - there you’ll find tips on how to clean the system. I followed them and I’ve got rid of that virus… And by the way thanks to Eddy, whose post I’ve read
Hi, welcome to the forums.
Please help us to help you. In order to help fully we need more information…
- What OS are you using? is it up to date?
- What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
- What was the filename, where was it found
example (C:\windows\system32\infected-filename.xxx)?
- What actions have you taken to try and resolve the problem?
Also see this thread for further information and advice: User’s FAQ.
As mentioned, Eddy’s website provides much help, as does the Advice & Tools for virus/trojan/malware Removal & Prevention thread.
hm… weird… yesterday it wasn’t there but today somehow it appeared again… so I’m asking for help… I’m using XP with SP1, avast home edition 4.5 VPS 0451-2. The virus was first found in temporary internet files, then it appeared in the windows folder. In the temp files the filename was main[1].exe and in the windows folder there were multiple filenames like lb8m1knfzu.exe or lud2gsa13l.exe. When avast had discovered this virus I moved it to the chest, but as d_wtkns says the virus respawns when I connect to the internet…
this is the hijackthis log in safe mode
Logfile of HijackThis v1.99.0
Scan saved at 09:25:51, on 2004-12-18
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\instalki\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programy\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”
O4 - HKLM..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM..\Run: [Outpost Firewall] C:\PROGRAMY\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
O4 - HKLM..\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\TaskbarIcon.exe
O4 - HKLM..\Run: [avast!] C:\Programy\AVAST!~1\ashDisp.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [AcctMgr] C:\Programy\Norton System Works 2004\Password Manager\AcctMgr.exe /startup
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Programy\Deamon\daemon.exe” -lang 1033
O4 - HKLM..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM..\Run: [TrojanScanner] C:\Programy\Trojan Remover\Trjscan.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programy\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=580b654524d68b23906b34a03fd33a9de69f5f922a0754ee169442922e3e48cbd7605b04e0917847f89efa8e422ece1a819f5daf9328:5db0f34c35fd827de7642452ea30b3de
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/protect_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Programy\avast! Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Programy\avast! Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programy\avast! Antivirus\ashMaiSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Programy\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRAMY\OUTPOS~1\outpost.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programy\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
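Added example (not part of any post in this thread, and not code from HijackThis or avast!): a short Python triage pass over lines taken from the log above, flagging the autostart, trusted-zone and ActiveX-download entries that deserve a manual look when a detection keeps coming back. The three rules are illustrative assumptions, not a verdict on any entry.

```python
import re

# Lines taken from the HijackThis log posted above (run-key prefix as it appears there).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\Programy\AVAST!~1\ashDisp.exe
O4 - HKLM..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Assumed heuristic: autostart targets do not normally live in these folders.
ODD_DIR = re.compile(r"\\(Downloaded Program Files|Recycled|Temp)\\", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}[/:]", re.I)

def review(line):
    """Return (section, reason) if the entry deserves a manual look, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O4" and ODD_DIR.search(body):
        return section, "autostart program in a cache/recycle/temp folder"
    if section == "O15" and body.startswith("Trusted IP range"):
        return section, "bare IP address placed in the trusted zone"
    if section == "O16":
        # The download source is the last ' - ' separated field of a DPF line.
        source = body.rsplit(" - ", 1)[-1]
        if source.lower().startswith(("file://", "ms-its:")):
            return section, "ActiveX source is a local file or ms-its: URL"
        if RAW_IP_URL.search(source):
            return section, "ActiveX source is a bare IP address"
    return None

def triage(log_text):
    """Collect (section, reason, line) for every flagged entry, in log order."""
    hits = []
    for line in log_text.splitlines():
        verdict = review(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line.strip()))
    return hits

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```
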
Nakard
A virus can only, to my knowledge, ‘respawn’ if there is part of the virus left on the computer to respawn it, so I suggest doing a boot time scan with avast (open avast>menu>boot time scan), with the setting set to move to chest and also scan inside archives.
Let us know if this works
–lee
You can see the results of your hijackthis log at the link below:
http://www.hijackthis.de/logfiles/3595aa8715dee555ac491f8857e0fdf6.html
–lee
I’ve done the boot time scan multiple times and it found nothing
I think that there is something in the registry that respawns the virus… but it’s not in the msconfig certainly, because it appears again when I connect to the Internet
Am I right in saying it still respawns in safe mode?
–lee
Nakard hi and welcome
You have a script virus on board
I suggest if you want to be sure try an online scan at TREND MICRO or PANDA
Contains signature of the HTML script virus HTML/Exploit.Mhtml
lee16 in safe mode I can’t connect to the internet, because I’ve a modem connected by USB
ginblossom could you give me the links to these scanners?
Find a post by rejzor and go via his security ops site in his signature
PANDA http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Panda has found 2 worms and Exploit/Mhtredir.gen which maybe (I think so) has caused this… I’ll reboot and see if the virus still appears
That didn’t help… it still appears
Also a hijackthis log could help (done when you’re not in safe mode).
Also try these online scanners:
http://www.bitdefender.com/scan/index.html
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.ravantivirus.com/scan/indexie.php
Hopefully these will find this virus for you.
Also, try updating your OS, SP2 etc
–lee
Have you gone to the HiJackThis link that Lee gave you and fixed what was in the report?
There was lots of stuff there that is in your registry that could be recreating problems.
I’ve deleted some entries that hijack said were nasty and it seems to work… but we’ll see tomorrow I think. BTW it was some Windows Control Ad that I had to remove and maybe that was causing the problem. Anyway thanks guys, without your help it would be much harder to get rid of it … and yes DavidR - with this help I meant this analyzer too ;D ;D
A HijackThis log in safe mode isn’t any good. Safe mode prevents a lot of things from loading/replaces certain things with generic ones.
;) I seem to have cleaned the kreper-i bug out. By the way, I am running Win 98, sorry about that.
I went and did a Windows update and downloaded all the current security patches,
then I ran my Ad-Aware SE prog; it picked up 21 malware items. I put them into quarantine and my avast home edition hasn’t picked them up since.