Virus Found!



#1 chow2rich

Posted 22 January 2008 - 11:02 PM

My Anti-Virus Avast found these this morning:


Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 1/22/2008
Time: 2:33:07 AM
User: N/A
Computer: DUO-CORE2
Description:
Sign of "Win32:Hijack-AS [Trj]" has been found in "C:\WINDOWS\system32\svchost.exe\exe.exe:$DATA\[UPX]" file.


Please help, what should I do?


#2 Tomo2

Posted 22 January 2008 - 11:33 PM

Remove the virus immediately. If it is in the virus chest then delete it from there.
If it has not been caught, the best way to clean your PC of viruses is with a boot scan. To schedule a boot time scan: open Avast and when it loads click the Tools menu and select "schedule boot time scan" and select all drives and click OK. Then turn off your computer to wipe any temporary stuff and turn it on to scan.

Hope that helps!

L&P, World Famous in New Zealand since ages ago!
Avast! Antivirus : Spybot S&D : Trend Micro Housecall : Hosts file : HiJack This
Don't be too open minded - your brains will fall out


#3 chow2rich

Posted 23 January 2008 - 12:11 AM

How do I remove the virus? My computer is so slow, and that's because of this virus. Avast found it but I don't think it deleted it. Is there a way I can remove it manually? Help is appreciated! Thanks. My anti-virus also found these today, right now:

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 1/23/2008
Time: 12:00:51 AM
User: N/A
Computer: DUO-CORE2
Description:
Sign of "Win32:Hijack-AS [Trj]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP18\A0009617.EXE\exe.exe:$DATA\[UPX]" file.

Edited by chow2rich, 23 January 2008 - 12:16 AM.


#4 chow2rich

Posted 24 January 2008 - 07:29 PM

Help, someone please, my computer scanned and found more viruses this afternoon. Here are the results:


08/19/2007 15:52

----------------------------------------
08/21/2007 19:17
Scan of all local drives
File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Move to chest: Error 0xC0000024 {Wrong Type}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 0xC0000024 {Wrong Type}, Delete: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move: Error 0xC0000024 {Wrong Type}, Delete: Error 0xC0000024 {Wrong Type}, Delete: Error 0xC0000024 {Wrong Type}

Scanning aborted

Number of searched folders: 1878
Number of tested files: 35355
Number of infected files: 1

----------------------------------------
08/21/2007 19:37
Scan of all local drives
File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Move to chest: Error 0xC0000024 {Wrong Type}

Scanning aborted

Number of searched folders: 1878
Number of tested files: 35365
Number of infected files: 1

----------------------------------------
12/12/2007 17:45
Scan of all local drives
File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Delete: Error 0xC0000024 {Wrong Type}, Delete: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}
File C:\Program Files\Alwil Software\Avast4\DATA\moved\libPskavs.so.1.4.2.5.vir is infected by Win95:CIH-1106, Repair: Error 42060 {The file was not repaired.}, Deleted

Scanning aborted

Number of searched folders: 8155
Number of tested files: 216792
Number of infected files: 2

----------------------------------------
01/24/2008 13:00
Scan of all local drives
File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Delete: Error 0xC0000024 {Wrong Type}
File C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP21\A0010065.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Win95:CIH-1106, Delete: Error 0xC0000024 {Wrong Type}

Number of searched folders: 15443
Number of tested files: 667892
Number of infected files: 2

#5 boopme

Posted 24 January 2008 - 08:58 PM

This appears to be living in the System Restore Points files. These are protected files and as such cannot be scanned. So you should create a new Restore Point. This will also prevent reinfection by restoring your PC to an infected state at a later date.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

#6 chow2rich

Posted 24 January 2008 - 10:53 PM

Thank you, but what about my other viruses from my other post? It was affecting my sound and sometimes my computer was slow. Can you help me with my other post? Can you take a look at it please? And thanks for helping with this.

#7 chow2rich

Posted 25 January 2008 - 04:27 PM

Here are some more viruses I found today. Here are the results:

01/25/2008 10:53
Scan of all local drives
File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Delete: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}
File C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP22\A0010168.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Win95:CIH-1106, Move to chest: Error 42003 {Internal program error.}, Delete: Error 42003 {Internal program error.}, Move to chest: Error 0xC0000024 {Wrong Type}

Number of searched folders: 15353
Number of tested files: 636230
Number of infected files: 2

#8 TMacK

Posted 25 January 2008 - 07:50 PM

chow2rich,

For continuity purposes your topics Another Virus Found and More Virus have been merged with your original topic Virus Found.

Please keep all of your replies and further information in this one topic.
The members helping you will be looking for your responses to their questions in the topic they replied to.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#9 chow2rich

Posted 25 January 2008 - 10:38 PM

Thank you, from now on I will do what you tell me to do and where to post it. Thank you for all of your help and other members as well. Hope my question can be answered. And thank you again for re-arranging my topic, I did know where to post.

Edited by chow2rich, 25 January 2008 - 10:39 PM.


#10 Orange Blossom

Posted 25 January 2008 - 11:10 PM

By any chance, do you have any Panda security programs installed on your computer? If so, which ones?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#11 chow2rich

Posted 25 January 2008 - 11:51 PM

No I don't, can you please help me with the above post? I need help to remove the virus:

The post I posted above:

01/25/2008 10:53
Scan of all local drives
File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Delete: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}
File C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP22\A0010168.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Win95:CIH-1106, Move to chest: Error 42003 {Internal program error.}, Delete: Error 42003 {Internal program error.}, Move to chest: Error 0xC0000024 {Wrong Type}

Number of searched folders: 15353
Number of tested files: 636230
Number of infected files: 2

Edited by chow2rich, 25 January 2008 - 11:52 PM.


#12 Teenage.Zombiee

Posted 25 January 2008 - 11:55 PM

Have you flushed out your system restore?

Teenage.Zombiee is back ! :halloween:


#13 chow2rich

Posted 26 January 2008 - 12:12 AM

Yes I have, so what about these viruses listed here:

The post I posted above:

This one listed here:

File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Delete: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}

Edited by chow2rich, 26 January 2008 - 12:15 AM.


#14 Orange Blossom

Posted 26 January 2008 - 12:17 AM

I had a very specific reason for asking about the Panda software: the files in the list you provided are at least sometimes related to some components of Panda software. If you had Panda software on your computer then your infection alerts would be FALSE POSITIVES. As an example, in the past every time I downloaded the software for the online Panda Scan, my AVAST anti-virus would list two files as infected, one in system restore and the other a regular file.

Your list is about only two files, even though it is several lines. Some of those lines are repeated efforts to quarantine or clean the same file. One of those files is the system restore version of the regular file. As long as the regular file is on the computer, the system restore version will also appear.

T08Beta.exe <-- from my research is connected to the Panda Firewall. The BETA part of the file name tells me that it is a version that they are working on and still developing.

Also, please read this post regarding Annihilator-272: http://www.bleepingcomputer.com/forums/ind...Annihilator-272

So, since you do not have any Panda software installed, have you run their online scanner?

Orange Blossom :thumbsup:
SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
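
The reading given in the post above (several report lines, but only two files, one of them the System Restore copy of the other) can be checked mechanically. This is an added example, not part of the original posts and not avast! tooling: it groups report lines by the path inside the outer .exe container; the function names, the grouping heuristic and the shortened sample lines are assumptions made here.

```python
import re
from collections import Counter

# Constructed sample: two lines in the format of the 01/25/2008 report quoted
# in this thread, with the repeated action lists shortened.
SAMPLE = r"""Scan of all local drives
File C:\Downloads\T08Beta.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Annihilator-272, Delete: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}
File C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP22\A0010168.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.2.5 is infected by Win95:CIH-1106, Move to chest: Error 42003 {Internal program error.}, Delete: Error 42003 {Internal program error.}
Number of infected files: 2
"""

LINE = re.compile(r"^File (.+?) is infected by ([^,]+), (.+)$")
RESTORE = re.compile(r"\\System Volume Information\\_restore\{", re.I)

def split_container(path):
    """Split 'outer.exe\\inner\\path' into (file on disk, path inside it)."""
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower().endswith(".exe"):
            return "\\".join(parts[:i + 1]), "\\".join(parts[i + 1:])
    return path, ""  # plain file, not nested in a container

def summarize(report):
    """Group detections by the file inside the container, not by report line."""
    groups = {}
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # headers, counters, separators
        path, sig, actions = m.groups()
        container, inner = split_container(path)
        g = groups.setdefault(inner or container, {
            "containers": [], "signatures": set(), "attempts": Counter(),
            "restore_copy": False, "resolved": False})
        g["containers"].append(container)
        g["signatures"].add(sig)
        g["restore_copy"] |= bool(RESTORE.search(container))
        for item in actions.split(", "):
            action, _, result = item.partition(": ")
            g["attempts"][action] += 1
            # An item without an "Error" result (a bare "Deleted") succeeded.
            g["resolved"] |= not result.startswith("Error")
    return groups

if __name__ == "__main__":
    for inner, g in summarize(SAMPLE).items():
        print(inner, g["containers"], sorted(g["signatures"]), dict(g["attempts"]))
```

On the sample, both lines collapse into one inner file held in two containers (the download and its restore-point copy), with every clean-up attempt failing, which is the pattern to look at before treating each line as a separate infection.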

#15 chow2rich

Posted 26 January 2008 - 01:22 AM

Yes I ran their online scanner. But that's it. No Panda software installed, just the Panda online scanner. Was that the one from Panda online scanner? Thanks, now I understand. Those aren't viruses. Those are Panda online files installed into my computer. Thanks for clearing that up.

Edited by chow2rich, 26 January 2008 - 01:26 AM.




