
new icon on desktop?



#1 boots


Posted 02 March 2005 - 09:38 PM

There is a new icon on my desktop. It's not really a picture of anything, it just says... vv. I right-clicked it and went to Properties and it's a vv DAT File? Anyone know what this is???


#2 boots


Posted 02 March 2005 - 09:40 PM

Oh, and one more thing. I downloaded Yahoo Messenger right before it appeared, but the Yahoo icons looked normal? I downloaded it to a "downloads" file? Would this have anything to do with it?

#3 boots


Posted 02 March 2005 - 09:56 PM

I just ran Norton AntiVirus and it said it found one infected file and fixed one infected file, but the strange icon is still there? The virus name is Bloodhound.Exploit.18. Has anyone heard of it? Please let me know if I should do anything else? Please please please.

#4 Scarlett


Posted 02 March 2005 - 11:34 PM

Bloodhound.Exploit.18 is a heuristic detection for HTML files attempting to exploit the recent Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability discovered in Internet Explorer 6.0.

Recent variants of the Mydoom family of worms attempt to exploit this vulnerability to spread. The downloader component of such worms may be detected as Bloodhound.Exploit.18.



(1) Did you scan with Norton while in Safe Mode? If not, it could still be hidden in your System Restore.

You need to disable System Restore and then go into Safe Mode. Run Norton. Then go back into Normal Mode. Then re-enable System Restore.



(2) Are you current on your Microsoft Updates? If not, you need to get all critical updates ASAP.


Now as far as the strange icon (vv .DAT file) goes I do not have any answers. Hopefully someone else will jump in and help with that.

#5 cooldudenz


Posted 02 March 2005 - 11:52 PM

Yeah, you need to do as Scarlett said. When you open that file on the desktop, does it open an internet browser? If so, every time you open it, it re-executes the virus file, reinfecting your computer. A full virus scan in Safe Mode should get rid of it; if not, DON'T open the file, just delete it. Also you should get Microsoft AntiSpyware BETA. It's free at the mo and will get rid of all the spyware on your comp.
Also try a virus scanner called Avast Antivirus. Can't remember the homepage, www.avast.com I think, not sure, just do a Google for it. I reckon it's better than Norton.

#6 Scarlett


Posted 03 March 2005 - 12:01 AM

The issue with the Malformed IFRAME Remote Buffer Overflow Vulnerability discovered in Internet Explorer 6.0 is addressed here:

http://www.microsoft.com/technet/security/...n/ms04-040.mspx

#7 boots


Posted 03 March 2005 - 07:19 AM

Thanks for all of your advice. Before I got your responses last night I did another System Restore to an earlier point. I then found the file and deleted it as well as the icon. Does this mean it's cleaned yet? Also, how do I disable System Restore?

#8 TexasAngel67


Posted 03 March 2005 - 09:34 AM

For XP, please go here for details on System Restore.
A search for the filename might help. If anything is found that matches what you've deleted/removed, just delete again. THEN disable System Restore using the instructions in the link I've given, reboot, and enable System Restore if you wish. But please read the entire link for detailed information regarding it.

#9 boots


Posted 03 March 2005 - 11:19 AM

Thanks Angel! I'll try it when I get home today!

#10 Scarlett


Posted 03 March 2005 - 11:29 AM

W32.Mydoom.AL@mm ( Please refer to Note: below ) is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on a compromised computer. It also spreads by using ICQ instant messenger.
The worm attempts to exploit the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS04-040).

Note: HTML files found to exploit the aforementioned IE vulnerability are detected as Bloodhound.Exploit.18 by virus definitions dated prior to January 19, 2005.

The above info. leads me to believe that your antivirus is not updated with the latest definitions. If this is true, update ASAP.


The issue with the Malformed IFRAME Remote Buffer Overflow Vulnerability discovered in Internet Explorer 6.0 is addressed here:

Microsoft Security Bulletin MS04-040

Since you were infected in the first place, it seems that you do not have the latest Microsoft Updates. If you do not, please do so immediately. Link below.


Microsoft Windows Update


This worm downloads and runs a copy of Backdoor.Nemog.D.

Also Known As: Win32.Mydoom.AJ [Computer Associates], Email-Worm.Win32.Mydoom.ah [Kaspersky Lab], W32/Mydoom.at@MM [McAfee], W32/MyDoom-AL [Sophos], WORM_MYDOOM.AL [Trend Micro]


OK, so now you have the latest Microsoft Updates and have your antivirus updated with the latest definitions. Now do the next steps.

Windows System Restore Guide
Scroll down to disabling & enabling System Restore. You should print or write out the directions, since you will need to enable System Restore once you are finished.

Next, go into Safe Mode. As before, you need to print or write out the directions. Instructions found here:

How To Start Windows in Safe Mode

Once in Safe Mode, scan with your antivirus. When you are finished, boot back into Normal Mode.

Then enable System Restore.

You will then need to reboot to apply the settings for enabling System Restore.

:thumbsup:

Edited by scarlett, 03 March 2005 - 02:03 PM.

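The same disable System Restore, scan in Safe Mode, re-enable sequence that Scarlett lays out in posts #4 and #10, scripted as an added example (not from this thread or from BleepingComputer) for a later Windows with Windows PowerShell 5.1 from an elevated prompt; the XP-era thread did these steps by hand through the System Properties dialog and the boot menu, and the cmdlets and bcdedit switches used here assume Windows 7 or later.

```powershell
# Added example, not from the thread. Phase 'Prepare' flushes restore points and
# arms a Safe Mode boot; after the antivirus scan, phase 'Finish' undoes the
# Safe Mode flag, re-enables System Restore and takes a clean baseline point.
param(
    [ValidateSet('Prepare', 'Finish')] [string]$Phase = 'Prepare',
    [string]$Drive = 'C:\'
)

function Show-RestorePoints {
    # Disabling System Restore deletes every restore point (the reason boots
    # found none afterwards), so list them before and after to make that visible.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Host ("{0} restore point(s) present for {1}" -f $points.Count, $Drive)
    $points | Format-Table SequenceNumber, Description, CreationTime -AutoSize
}

switch ($Phase) {
    'Prepare' {
        Show-RestorePoints
        # Step 1: turn System Restore off so a restore point holding the
        # infected file cannot be rolled back onto the cleaned system.
        Disable-ComputerRestore -Drive $Drive
        Show-RestorePoints
        # Step 2: make only the next boot a minimal Safe Mode boot (no network),
        # so the worm's autostart entries do not run during the scan.
        bcdedit /set '{current}' safeboot minimal | Out-Null
        Write-Host 'Reboot, run a full antivirus scan in Safe Mode, then run'
        Write-Host 'this script again with -Phase Finish.'
    }
    'Finish' {
        # Step 3: remove the Safe Mode flag so the following boot is normal.
        bcdedit /deletevalue '{current}' safeboot | Out-Null
        # Step 4: re-enable System Restore and record a known-clean checkpoint.
        # On Windows 8 and later Checkpoint-Computer only warns if another point
        # was created within the last 24 hours; the re-enable still takes effect.
        Enable-ComputerRestore -Drive $Drive
        Checkpoint-Computer -Description 'Clean baseline after Safe Mode scan' `
                            -RestorePointType 'MODIFY_SETTINGS'
        Show-RestorePoints
        Write-Host 'Reboot once more so the System Restore setting is applied.'
    }
}
```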

#11 boots


Posted 03 March 2005 - 05:24 PM

OK Scarlett, I followed your instructions step by step. This is what I did...

1. Updated all Microsoft Updates for Service Pack 1 (I have SP 1)
2. Updated all antivirus software
3. Disabled System Restore
4. Started computer in Safe Mode
5. Ran Norton AntiVirus and no files were infected.
6. Rebooted system in regular mode
7. Enabled System Restore
8. Rebooted system

It seems to have gotten rid of the virus, but I'm not sure if it is lingering anywhere else? Is there a way I can tell for sure? Also, out of curiosity I went into System Restore to look at my restore points, and there were none? Is that supposed to happen?

Thanks sooooOhhhH much for all of your help!!!

#12 boots


Posted 03 March 2005 - 06:56 PM

Looks like I spoke too soon. I was browsing the web on sites I regularly visit and I got a bunch of "page cannot be displayed" messages. Some pictures were blocked with red x's also, ones that weren't blocked before? And then when I click on them I get the same "page cannot be displayed" message? And then I got another message and this is what it said...

Explorer.EXE-Application Error
The instruction at "0x77f580db" referenced memory at "0x00000067". The memory could not be "written".
Click On OK to Terminate Program.

#13 Scarlett


Posted 04 March 2005 - 09:19 AM

When you disable system restore it flushes out all restore points. Your system will start creating restore points soon.


Explorer.EXE-Application Error
The instruction at "0x77f580db" referenced memory at "0x00000067". The memory could not be "written".
Click On OK to Terminate Program.


I do not know exactly what this error means. I've looked around some, and it may still be from your Bloodhound.Exploit.18 (W32.Mydoom.AL@mm). I can't be sure, so let's let the HijackThis Team take a look at it.

With that in mind, maybe you should consider posting a HijackThis log. This link will take you to the HJT Forum. Please read the info. given. There you will learn all that you need to know regarding the posting of your log. This forum is also where you will start a new topic by posting your HijackThis log. At the top of your post be sure to include ALL information that you can that applies to what has been going on.

How To Submit a HijackThis Log

Just please keep in mind that all HijackThis Team members are volunteers. One must practice a little patience when waiting for help. I promise you though that they will get to you as soon as they are able.

And above all, do not attempt to work on your log yourself, and only take the advice from an official HJT Team member, which will show under their name and avatar.

One more thing. Do not reply to your own post, as the Team keeps an eye out for zero replies. If they see a reply they will assume that someone is already helping you out. Then I'm afraid that you may get lost in the shuffle.

Edited by scarlett, 04 March 2005 - 12:40 PM.


#14 boots


Posted 05 March 2005 - 08:31 AM

OK so I made a HijackThis log. There have been 80+ views but no reply :-( Something tells me I'm going to have to uninstall all programs and re-install them again.

#15 Scarlett


Posted 05 March 2005 - 08:55 AM

Hi boots

Please do not do anything yet. As I have mentioned, you need to be patient. The HJT Team is made up of volunteers. Someone will get to it soon. There are, as of right now, fifteen unanswered logs inc. yours. Whatever you do, do not reply to your log until an HJT Team Member replies. And all of those views are most likely curious onlookers.
If you get around to it, you may want to edit your HJT post to include info about this, just in case it may mean something.


There is a new icon on my desktop. It's not really a picture of anything, it just says... vv. I right-clicked it and went to Properties and it's a vv DAT File? Anyone know what this is???

Oh, and one more thing. I downloaded Yahoo Messenger right before it appeared, but the Yahoo icons looked normal? I downloaded it to a "downloads" file? Would this have anything to do with it?


Edited by scarlett, 05 March 2005 - 08:59 AM.
