I suspect it's a virus

donkey42

get Avast and update it then scan, also use Ad-Aware & Spybot S & D

and after you update the definitions scan with both, all three programs should be run about once a week (depending on the computer use)

if you ever have any weird problems run all three programs

all software posted here is free, but Avast is only free for non commercial use & you are required to reregister it every 14 months, IMO, Avast is the best antivirus software out there closely followed by AVG (also free) but that a debatable point

BTW: what Firewall are you using ?

__________________

enrimaiden

Thanks for the reply.
I forgt to mention that I've checked the system with Ad aware and Spy Bot and removed everything that both programas found. The first found some cookies and a Dialer and the latter fixed two registry entries.
I've managed to make a new install of windows and i'm going to run Avast as you recommend and inform the results, tough I don't know how many more times i'm going to be able to boot... (I did something similar when I got to perform a Panda online scan)
Any other opinion is welcomed.

P.S: I was using (until this disaster) Windows Xp built in firewall and Nod 32 completely up to date (but I've had several problems already with this AV so I'm planning to change it)
Thank you

donkey42

Windoze XPs built it Firewall is crap & also stay away from NIS (norton internet security) because

1) it is owned by symantec, symantec always re engineer software they acquire from companies they buy, because they always think they know best

for example partition magic (PM) was good when powerquest owned it, but, symantec took over powerquest in about 2003, they re-wrote PM and loads of people have lost data by using PM including me (before i came to HWF)

2) it is almost impossible to completely remove from your system once it's being on, the only way i know to completely remove it it a complete format

BTW: i've actually seen symantec being referred to as evil on the net

Edit: running online scans on Windoze is not a good idea, i use Linux with a hardware firewall built into my ethernet router & an online scan would require me to tell them my password, which is probably why there is no online scans available for Linux systems (i presume)

__________________

enrimaiden

Ok, I see you're very concerned about security and I thank you for the advice but I'm not planning to learn how to use a new OS like linux (tough i know they say it's better than windows in many aspects).
I have some good news, I've ran AVAST scan and found some more viruses, they had spread like the plague all over my disk!! I set it to delete every single thread it found, but couldn't do it with every file... some of them where corrupted or password protected. And because I'm not taking any chances, I took the job to manually delete every path that the AV couldn't handle.
All except some DVD isos I wouldn't like to erase, at least until you give me some advice. AVAST recognizes them as "decompression bomb" is it true? or is it because of the ".vob" extension?? I'm confused at this point
I've found also that the virus hides in the "System volume information", directory I believe was created by himself in both C and D partitions, I'm going to delete them from DOS.

Ok, I've made some progress and i think i'm going to recover most of my data. Here is AVAST Warning logs (i couldn't generate Scanner report)

02/03/2008 22:25:55 Administrador 1336 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
02/03/2008 23:01:30 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "C:\Archivos de programa\Ares\Ares.exe" file.
02/03/2008 23:23:37 Administrador 1336 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Archivos de programa\KONAMI\Pro Evolution Soccer 6\dat\0_text.afs" file.
02/03/2008 23:26:47 Administrador 1336 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Archivos de programa\KONAMI\Pro Evolution Soccer 6\dat\e_sound.afs" file.
02/03/2008 23:27:00 Administrador 1336 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Archivos de programa\KONAMI\Pro Evolution Soccer 6\dat\s_sound.afs" file.
03/03/2008 0:39:59 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "C:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000672.exe" file.
03/03/2008 3:05:19 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\My Shared Folder\NOD32.FiX.v2.2-nsane.exe" file.
03/03/2008 3:13:51 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\My Shared Folder\WinXP_Sp2_uE_v7_-_Bj_-_Spanish.iso\INSTALL\NOD32\NOD32F~1.EXE" file.
03/03/2008 3:18:22 Administrador 1336 Sign of "Win32:Rbot-ETN [Trj]" has been found in "D:\Software\Alcohol.120.v1.9.6.4719.Retail.Multil angages.Incl-Crack.rar\Alcohol120_retail_1.9.6.4719.exe" file.
03/03/2008 3:18:22 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\Software\Alcohol.120.v1.9.6.4719.Retail.Multil angages.Incl-Crack.rar\Crack\keymaker.exe\[PECompact]\[Embedded#BLACKHOLE2]" file.
03/03/2008 3:18:38 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "D:\Software\aresregular201_installer.exe" file.
03/03/2008 3:19:23 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-000-Pack-31-12-2001\TNT-F-Prot.Antivirus.v3.11b_CRK.ZIP\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-3DVista.Studio.Pro.v1.8_CRK\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Banner.Maker.Pro.v.4.0.0.1_CRK\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-CheckSum.Guard.v3.0_CRK\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Easy.Resource.Planner.1.0.0.2_CRK\patch.exe" file.
03/03/2008 3:19:25 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Pc.Guardian.Encryption.Plus.Cd-Rom.v.4.0.Build.051_CRK\patch.exe" file.
03/03/2008 3:19:25 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Stealther.v2.7_CRK\patch.exe" file.
03/03/2008 3:19:25 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Zero.Popup.1.35_CRK\patch.exe" file.
03/03/2008 3:19:26 Administrador 1336 Sign of "Win32:Trojan-gen {UPX}" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\Microsoft\Microsoft office\Microsoft Office 2000 Serial # & Expir. Utility\MsOfCrack.exe" file.
03/03/2008 3:29:08 Administrador 1336 Sign of "Win32:Spyware-gen [Trj]" has been found in "D:\System Volume Information\_restore{996AC251-E901-4FF9-8A0A-30E141C5DE7E}\RP3\A0000705.exe\%SYS%\amcis.dll" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000673.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000674.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000675.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000676.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000677.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000678.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000679.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000680.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000681.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Trojan-gen {UPX}" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000682.exe" file.

Net Jockey

I just cleaned a teenagers computer. I did it with AVG, Ad-Aware, and SpyBot.

The computer had 4 or five different Trojan Horses that infected 19 different files...That AVG could not heal, which had to be deleted.

I found that you need to do more than one scan with each program.

Spyware Blaster is an excellent program that keeps a lot of junk off of your computer.

donkey42

yeah, it's just the .vob files, Avast / AV just reports "decompression bomb" when it encounters a compressed file with a high compression ratio (about 45% - 50%) & .vob files apparently use too efficient compression ratios, if in doubt, put files in the virus vault as they can do no damage from there, that's why the virus vault is there

don't worry, i've just found out what decompression bombs are

no, don't delete them, just run scandisk (thorough) on both drives, & defrag just for the hell of it then scan again with Avast and just uninstall & reinstall all software reported in results of Avast (probably not many of none)

BTW: decompression bomb are DoS (denial of service attack) and work by decompressing a file sized about 6k to over 100Gb (to eat your resources) although, it is possible to compress an image containing just one colour repeated over and over or a text file containing just one character could with a compression ratio of 1000 to 1

Source

__________________

enrimaiden

OK. That's useful information. Thank you.
I've made two more thorough scans with avast, the last result being only two corrupted rar files which I deleted. I've formatted my three partitions but always keeping one of them with my backup data; so I believe that if there's a virus it must be hiding in that backup folder.
Two strange behaviours after all this work:
1) Every time I boot my new Windows Xp installation, chkdsk is ran and always find something to correct: files references, etc.
2) Altough AVAST performs a complete system scan, when I try a DOS Mcaffee or Fropt scan they are either interrupted or hanged at a point (this using Hiren's boot cd 9.4 with updated virus defs.)
This last two items are what worry me the most, what do you think about this?
Thanks again for your help.

donkey42

not sure about this, but, you may be better running chkdsk from the recovery console, try if chkdsk errors are not fixed, enter the recovery console & try it again

• /f = thorough check & fix errors found
• /r = find bad sectors & recover readable data
• /x = Forces a volume to dismount to close open file handles on non-system volumes so it can be checked immediately and eliminates the need to reboot.
• /p = does the same as /f but it doesn't fix anything (for diagnostic purposes only)

BTW: put a <space> between chkdsk options
only use 1 AV because using multiple AVs is causing the problems you are experiencing, use only 1 AV then it'll make diagnosing a LOT easier
no probs

Edit: what firewall are you using ?

__________________

AJAI

Hi,
First of all you may select "RUN" from start menu and type "MSCONFIG" and click "OK". Now select the "STARTUP" tab and remove all unwanted and suspecious applications from the start-up. Now restart your pc and just log on in safe mode. After logon start command prompt and task manager. In the task manager end "EXPLORER.EXE". Now use the command prompt. Change your directory to your backup drive.Then type "ATTRIB -A -H -S *.* /S /D" and click enter. Then again type "DIR" and click enter. Now you can see the contents of that drive in command prompt. Just delete all unwanted and suspecious files using the "DEL" command in command prompt. Now exit command prompt and restart your pc. After log on in "NORMAL MODE" you may have some through scanning (complete pc) using your AVAST anti-virus, hope it will bring an end to your problems....