Win32:Kreper-B

I can’t seem to find anything on this virus - can anyone help me out? Frankly, I’m afraid to try anything until I can figure out exactly what to delete. This is what the Avast log viewer shows:


03.04.2004 08:12:41 NT AUTHORITY\SYSTEM 1676 Sign of “Win32:Kreper-B [Trj]” has been found in “C:\WINDOWS\zufvt5zm97.exe” file.

09.04.2004 17:36:31 NT AUTHORITY\SYSTEM 1176 Sign of “Win32:Kreper-B [Trj]” has been found in “C:\WINDOWS\zufvt5zm97.exe” file.

10.04.2004 20:23:35 NT AUTHORITY\SYSTEM 1668 Sign of “Win32:Kreper-B [Trj]” has been found in “C:\System Volume Information_restore{05F94FFB-CE56-4203-B68F-D753748085AE}\RP225\A0075281.exe” file.

11.04.2004 12:15:55 NT AUTHORITY\SYSTEM 1700 Sign of “Win32:Kreper-B [Trj]” has been found in “C:\System Volume Information_restore{05F94FFB-CE56-4203-B68F-D753748085AE}\RP225\A0075281.exe” file.


Is this “zufvt5zm97.exe” file the culprit?

Also, Hijack This revealed:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\BRQIKMON.EXE
C:\Documents and Settings\Janine\My Documents\AntiVirus Stuff\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.rogers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKCU..\Run: [RHSI SHS] “C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe” /background
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra ‘Tools’ menuitem: Free Surfer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O15 - Trusted Zone: *.keenspace.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.epost.ca/printing/smsx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37850.8240856482
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


If it matters, I’m using Windows XP, with MSIE 6.0.

Thanks for your time.

Hi,

please scan the files with Onlinescanners from Trendmicro, Kaspersky and Ravantivirus, to get a more specific name/description. Look up info in the respective virusinfo-pages…
also look here:
http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=kreper&product=1
:wink:

After Avast notified me of the infected files, I had the program delete them (it worked alright). (Probably a stupid thing to do on my part, since now I can’t scan them for more detailed information?)

I’ve re-scanned my system using Avast, as well as a number of online scanners, and nothing has been turned up. I went to some of the sites you recommended and looked for the files and/or running processes they mentioned, but couldn’t find any.

This happened before - it looks like the problem has cleared up, but somehow, the virus still keeps showing up. Do I have to wait for the alert to pop up again before I can do anything? Maybe I need to disable System Restore before I let Avast get rid of the infected files when it happens…?

if trend and avast repoty nothing then ther is a 99.99999999999999999999999999999999999999999% chance you are clean

My priest called me yesterday to say that he was having problems with his laptop. When I checked his NAV subscription, it had ended last November. Apparently he thought “prayer” would be enough to protect him.

WRONG!

So, on to what relevance this has to this thread:

I noticed that a process was taking up a lot of CPU cycles. It was called “plci01pdva.exe”. I immediately killed it and looked (via msconfig) to see if it was being launched at startup. Sure enough, I found that it was being started by a file in c:\windows\prefetch called “PLCI01PDVA.EXE-2209F53B.PF”.

In order to avoid the whole paying for software thing, I downloaded avast! for him and scanned. The kreper-b trojan was found in the executable mentioned above in c:\windows.

So, in addition to the rz_christmas.exe and other “names” for this bugger, you may want to look for this as well.

HTH someone.

werd