03-16-2004, 09:42 PM   #1
guest_Doc

I picked up a virus through a hole in my Internet Explorer 6.0 as a hijacking page hijacked my homepage. I deleted the hijacking page and its host file with ease by using the appropriate software. After successfully deleting the hijacking page and host file from my computer and its registry, my Grisoft AVG 6.0 continued to send me a "virus detected" message. It looks as if some infected files were bundled along with the hijacking page, as those infected files remained after the hijacking page itself was deleted. My AVG 6.0 eventually healed those infected files except for one, which AVG says could not be healed but had to be moved to the virus vault. All of those healed files, totalling 5 files, although healed, are still in my virus vault. Here are the actual names of those healed files: 2 files named Blackbox[1].class; 2 named Verifierbug[1].class; and one named msdos.exe. The actual virus names associated with these infected files are Backdoor.Jeemp.A and Java/Byte Verify. The other infected file, which AVG says could not be healed, is named olehelp.exe, and the virus name directly associated with that one is Trojan horse Startpage.3.AR.

Currently, my hard drive is virus free as long as those "healed files" stay in my virus vault, but when I go into my virus vault and try to restore those healed files back to my hard drive, I get the virus detected message again when I run the AVG. Given the names of those files, could you possibly tell me why those "healed files" remain infected while in my virus vault, and whether the infected files named above are actually Windows files or something created by the persons who created the hijacking homepage? Can I delete them?

I will send you a copy of my log file generated by my software responsible for moving the hijacking file in the first place. I will restore from my virus vault the actual infected file olehelp.exe, which could not be healed by AVG, and I will run my hijacker software so that you can see where that file was actually picked up. Please see the log file below. Thanks for your time.

CWShredder v1.53.1 scan only report

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: User

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Found CWS.Olehelp file: C:\WINDOWS\olehelp.exe (11776 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8778 bytes, A)
Found line in Win.ini: load=essspk.exe
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2101 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -