My avast labels it as a Virus/worm. Win32:VB-IE [Wrm] The avast has been
removing the infection one piece at a time. I am suspecting that the
infection piggy backed on an update from Microsoft, that is not an absolute.
It does not seem to be doing anything now. It messed up my HP All-In-One
Program and Microsoft OneNote in the beginning. I removed the damaged
programs, hacked at the virus then reinstalled. Everything doing good now. I
still get an alert and delete it now and then. I am not sure where it is
coming from. I go to where it is supposed to be. I find three files.
(Ntf7.tmp., Ntf8.tmp, Perflib-Perfd...). I open the hidden files and find
nothing else. I am thinking that whatever is left is slowly being found and
deleted (time will tell). If not ... ???

Re: Virus or not? by David

David
Tue May 09 15:40:39 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| My avast labels it as a Virus/worm. Win32:VB-IE [Wrm] The avast has been
| removing the infection one piece at a time. I am suspecting that the
| infection piggy backed on an update from Microsoft, that is not an absolute.
| It does not seem to be doing anything now. It messed up my HP All-In-One
| Program and Microsoft OneNote in the beginning. I removed the damaged
| programs, hacked at the virus then reinstalled. Everything doing good now. I
| still get an alert and delete it now and then. I am not sure where it is
| coming from. I go to where it is supposed to be. I find three files.
| (Ntf7.tmp., Ntf8.tmp, Perflib-Perfd...). I open the hidden files and find
| nothing else. I am thinking that whatever is left is slowly being found and
| deleted (time will tell). If not ... ???

You didn't get a virus from a Microsoft update. The name indicates it is a worm. Worms
replicate and spread usually via Network protocols, email, Peer-2-Peer (P2P) software and a
few other methods.

I suggest using the following tool to scan your computer.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Virus or not? by PA

PA
Tue May 09 17:50:39 CDT 2006

> ...I am suspecting that
> the infection piggy backed on an update from Microsoft

Highly doubtful, unless you installed the update using an email attachment
sent to you "by Microsoft."

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.**
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org




RE: Virus or not? by Pandaman

Pandaman
Wed May 10 12:25:02 CDT 2006

My reply is at the bottom of your message :


"rap4rag" wrote:

> My avast labels it as a Virus/worm. Win32:VB-IE [Wrm] The avast has been
> removing the infection one piece at a time. I am suspecting that the
> infection piggy backed on an update from Microsoft, that is not an absolute.
> It does not seem to be doing anything now. It messed up my HP All-In-One
> Program and Microsoft OneNote in the beginning. I removed the damaged
> programs, hacked at the virus then reinstalled. Everything doing good now. I
> still get an alert and delete it now and then. I am not sure where it is
> coming from. I go to where it is supposed to be. I find three files.
> (Ntf7.tmp., Ntf8.tmp, Perflib-Perfd...). I open the hidden files and find
> nothing else. I am thinking that whatever is left is slowly being found and
> deleted (time will tell). If not ... ???
>


You can use David's tool to check for and remove malware. Use McAfee and
Kaspersky modules.

Also, you can have a second opinion on your malware status using these two
online scanners. NOTE >>> before using them, turn off Avast's on-access
protection, this is really important

Panda Software free ActiveScan
http://www.activescan.com

Kaspersky Labs free online scanner
http://www.kaspersky.com/virusscanner


Panda_man
--
Bronze level Contributor
http://pandaman.my.contact.bg
http://www.eset.com
Please , rate posts

RE: Virus or not? by rap4rag

rap4rag
Wed May 10 13:55:02 CDT 2006

Thank you all. I'll work on this. The reason I thought of piggy back on
Microsoft update is that it is in the Microsoft Temp. file. How or why it is
there???

Re: Virus or not? by David

David
Wed May 10 14:36:27 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| Thank you all. I'll work on this. The reason I thought of piggy back on
| Microsoft update is that it is in the Microsoft Temp. file. How or why it is
| there???
|

Why is WHAT there ?

This is insufficient information "Microsoft Temp. file".

What exactly are you talking about ? Be specific.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Virus or not? by rap4rag

rap4rag
Wed May 10 15:03:02 CDT 2006

Win32:VB-IE[Wrm] Is what I started with in the initial letter. It showed up
in my microsoft Temp file. I have no idea of how or why it popped up there.
I started off with the quickfix that PA Bear suggested. The file would not
delete. I went with delete with reboot. Some of the file is still there. I
am getting no indication of the virus still there. I ran Ad-ware then avast.
No alerts. If there are any more alerts that pop up, I will keep you
informed and let you know what my next step is. I still have several things
left to try thanks to you guys

Re: Virus or not? by PA

PA
Wed May 10 15:20:49 CDT 2006

> ...I started off with the quickfix that PA Bear suggested. The file
> would not delete.

And have you posted your HijackThis log in an appropriate forum for review
as I suggested?

<paste>
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**
</paste>
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org



Re: Virus or not? by David

David
Wed May 10 15:39:07 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| Win32:VB-IE[Wrm] Is what I started with in the initial letter. It showed up
| in my microsoft Temp file. I have no idea of how or why it popped up there.
| I started off with the quickfix that PA Bear suggested. The file would not
| delete. I went with delete with reboot. Some of the file is still there. I
| am getting no indication of the virus still there. I ran Ad-ware then avast.
| No alerts. If there are any more alerts that pop up, I will keep you
| informed and let you know what my next step is. I still have several things
| left to try thanks to you guys

Saying; "It showed up in my microsoft Temp file" is still insufficient information.

Was it a file such as...

C:\Documents and Settings\<USER>\Local Settings\hp???.tmp ?

What is the fully qualified name and path to the file that was found to be infected with
"Win32:VB-IE" by Avast ?

Unfortunately, Avast does NOT provide a virus Library/Encyclopedia for lookups and
information.

What I still suggest is for you to use the Multi AV Scanning Tool to scan your computer as I
previously advised.

Since it has 4 different AV scanners it has a high probability of removing this worm and it
will also provide a name that can hopefully be searched in the AV vendor's virus
Library/Encyclopedia.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Virus or not? by rap4rag

rap4rag
Wed May 10 17:03:02 CDT 2006

C:\Documents and Settings\<user>\Local Settings\Application
Data\Microsoft\Desktop
SearchTemp\rssgthrsvc\C67EE31CO4B540be9DBOCD5DBDC92657\Setup.exe contains
sample of "Win32:VB-IE [Wrm]". This is on the pop-up warning for the
avast.

Re: Virus or not? by rap4rag

rap4rag
Wed May 10 17:05:02 CDT 2006

To PA Bear, not yet but will do so. Thank you.

Re: Virus or not? by David

David
Wed May 10 17:14:26 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| C:\Documents and Settings\<user>\Local Settings\Application
| Data\Microsoft\Desktop
| SearchTemp\rssgthrsvc\C67EE31CO4B540be9DBOCD5DBDC92657\Setup.exe contains
| sample of "Win32:VB-IE [Wrm]". This is on the pop-up warning for the
| avast.


Delete the folder...

C:\Documents and Settings\lipman\Local Settings\Application
Data\Microsoft\DesktopSearchTemp\\rssgthrsvc

Have you run the Multi AV Scanner as prescribed yet ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Virus or not? by rap4rag

rap4rag
Wed May 10 19:23:01 CDT 2006

Excuse me for my lack of skill. This is my first computer and I have had it
about 6 months. No training or previous experience. I downloaded and
unzipped the Multi AV and nothing happens. Normally I am taken to another
file that the program is extracted in and I continue whatever program I am
working with from there. Not this time. (I use the DAP program for
downloads and the PowerDesk 6 program for my file system) It unzips and
just disappears. My avast gave a couple more alerts after I ran the killbox
on the rssgthrsvc file. The file will not totally delete. I tried the
"Hijack". It couldn't see it. I'm going to try a couple more things and be
back later.

Re: Virus or not? by David

David
Thu May 11 07:07:08 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| Excuse me for my lack of skill. This is my first computer and I have had it
| about 6 months. No training or previous experience. I downloaded and
| unzipped the Multi AV and nothing happens. Normally I am taken to another
| file that the program is extracted in and I continue whatever program I am
| working with from there. Not this time. (I use the DAP program for
| downloads and the PowerDesk 6 program for my file system) It unzips and
| just disappears. My avast gave a couple more alerts after I ran the killbox
| on the rssgthrsvc file. The file will not totally delete. I tried the
| "Hijack". It couldn't see it. I'm going to try a couple more things and be
| back later.


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Virus or not? by Pandaman

Pandaman
Thu May 11 08:53:01 CDT 2006

My reply is at the bottom of your message :


"rap4rag" wrote:

> Excuse me for my lack of skill. This is my first computer and I have had it
> about 6 months. No training or previous experience. I downloaded and
> unzipped the Multi AV and nothing happens. Normally I am taken to another
> file that the program is extracted in and I continue whatever program I am
> working with from there. Not this time. (I use the DAP program for
> downloads and the PowerDesk 6 program for my file system) It unzips and
> just disappears. My avast gave a couple more alerts after I ran the killbox
> on the rssgthrsvc file. The file will not totally delete. I tried the
> "Hijack". It couldn't see it. I'm going to try a couple more things and be
> back later.
>
>


Another possibility:
1) Go to Start-Settings-Control Panel-Add/Remove programs,
remove Avast. Restart (important)

2) Make sure you have a firewall turned ON

3) For Windows XP and Windows Me, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx

4) Download and install a free trial version of Kaspersky AV Personal 5.0.527
http://www.kaspersky.com/trials?chapter=146481750

5) Update it !!!

6) Turn ON the usage of extended databases
http://www.kaspersky.com/faq?chapter=170704912&qid=170052625

7) Again update just to be sure

8) When KAV is active there is a red K icon on the system tray next to the
clock. Right click on this icon and choose to permanently disable
Kaspersky's real-time protection

9) Make sure you configure KAV correctly for Maximum level of both real-time
protection and on-demand scans

10) Open Kaspersky and perform full scan of your hard drive.
Leave it clean. If the disinfection is not possible at the moment, choose
to postpone. This means that KAV will clean the infection on next reboot.
After the scan is ready, KAV will try to restart the computer. Error
messages may occur but don't worry

11) After you restart, you should be clean


Learn how to protect your computer :
http://pandaman.my.contact.bg


Panda_man
--
Bronze level Contributor
http://pandaman.my.contact.bg
http://www.eset.com
Please , rate posts



Re: Virus or not? by rap4rag

rap4rag
Fri May 12 13:21:02 CDT 2006

David: I ran all 4 of the Multi-AV. None of them showed any indication of
a virus. Right after I ran Trend (#2). My avast popped up with a warning of
a virus/Worm in the "C:\AV_CLS\Trend\sysclean.exezz, Malware name:
VBS:Redlof, Malware typeL Virus/Worm, VPS version: 0619-3,05/12/2006".
I received only one warning and that I tried the repair command on. I
couldn't repair so I "moved to chest" as recommended. The rest of the
Multi program came up with a clean conclusion. No indication of removing or
repairing needed or completed. Just no action and no infection. My avast is
popping up with an occasional warning of the infection in the original file.
My Powerdesk shows that there are 67 more commands (or whatever they are
called; rssgthrsvc\751EACEE97984F10BC14E1DA289412F8\Setup.exe). The avast
never shows the same one and the list used to be over 100 (it was possibly
over 200 in the beginning). My guess is the virus has been damaged and
inactive. Broken to the point that the other anti-virus programs no longer
recognize it as such. The avast became aware of it at the beginning of
infection and has been removing the debris left from the first battle(?, for
lack of better name). Now, almost every startup, registry clean up or
anything that involves an in-depth scan or search, the avast finds a couple
more that it recognizes as part of the infection and I have been hitting the
delete command. I think (hope) that eventually it will be totally removed.
What do you think?

Re: Virus or not? by David

David
Fri May 12 13:40:20 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| David: I ran all 4 of the Multi-AV. None of them showed any indication of
| a virus. Right after I ran Trend (#2). My avast popped up with a warning of
| a virus/Worm in the "C:\AV_CLS\Trend\sysclean.exezz, Malware name:
| VBS:Redlof, Malware typeL Virus/Worm, VPS version: 0619-3,05/12/2006".
| I received only one warning and that I tried the repair command on. I
| couldn't repair so I "moved to chest" as recommended. The rest of the
| Multi program came up with a clean conclusion. No indication of removing or
| repairing needed or completed. Just no action and no infection. My avast is
| popping up with an occasional warning of the infection in the original file.
| My Powerdesk shows that there are 67 more commands (or whatever they are
| called; rssgthrsvc\751EACEE97984F10BC14E1DA289412F8\Setup.exe). The avast
| never shows the same one and the list used to be over 100 (it was possibly
| over 200 in the beginning). My guess is the virus has been damaged and
| inactive. Broken to the point that the other anti-virus programs no longer
| recognize it as such. The avast became aware of it at the beginning of
| infection and has been removing the debris left from the first battle(?, for
| lack of better name). Now, almost every startup, registry clean up or
| anything that involves an in-depth scan or search, the avast finds a couple
| more that it recognizes as part of the infection and I have been hitting the
| delete command. I think (hope) that eventually it will be totally removed.
| What do you think?
|


The VBS:RedLof declaration on Trend Micro's Sysclean utility is a long time, well known,
False positive declaration.

If I had known that you were using Avast, I would have warned you to disable Avast prior to
using it.

The fact that no modules in the Multi AV Scanning Tool indicated an infector where Avast
indicated an infector could mean Avast is making a False Declaration.

Please submit one of those... \rssgthrsvc\751EACEE97984F10BC14E1DA289412F8\Setup.exe type
files to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results so we can see the results.

Then with the results of Virus Total and the attached file, send it to;
mailto:virus@avast.com indicating the suspicion that it may be a False Positive.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
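
An added example, not part of David's post or of any tool named in the thread: before submitting "one of those" Setup.exe files for a second opinion, it helps to know how many distinct files the dozens of `rssgthrsvc\<ID>\Setup.exe` copies really are. The sketch below groups them by SHA-256 so one representative per distinct file can be submitted; the function names, the 32-character folder pattern and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Subfolder names quoted in the thread are 32-character IDs such as
# 751EACEE97984F10BC14E1DA289412F8. One hand-typed ID in the thread contains
# letter O's, so accept any 32 alphanumerics rather than strict hex.
ID_DIR = re.compile(r"^[0-9A-Za-z]{32}$")


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_flagged_files(root, filename="Setup.exe"):
    """Return {sha256: [paths]} for every <root>/<32-char-id>/<filename>."""
    groups = defaultdict(list)
    for sub in sorted(Path(root).iterdir()):
        if not (sub.is_dir() and ID_DIR.match(sub.name)):
            continue  # ignore anything that is not an ID-named folder
        candidate = sub / filename
        if candidate.is_file():
            groups[sha256_of(candidate)].append(candidate)
    return dict(groups)


def representatives(groups):
    """One path per distinct hash: the only files worth submitting."""
    return [paths[0] for _, paths in sorted(groups.items())]


def build_sample_tree(root):
    """Constructed sample data: three ID folders holding two distinct files."""
    layout = {
        "751EACEE97984F10BC14E1DA289412F8": b"constructed sample A",
        "0123456789ABCDEF0123456789ABCDEF": b"constructed sample A",
        "FEDCBA9876543210FEDCBA9876543210": b"constructed sample B",
    }
    for name, content in layout.items():
        folder = Path(root) / name
        folder.mkdir(parents=True)
        (folder / "Setup.exe").write_bytes(content)
    # A folder that does not match the ID pattern must be skipped.
    other = Path(root) / "notes"
    other.mkdir()
    (other / "Setup.exe").write_bytes(b"unrelated")


def demo():
    """Run the grouping over the constructed tree and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        groups = group_flagged_files(tmp)
        copies_per_hash = sorted(len(paths) for paths in groups.values())
        return copies_per_hash, len(representatives(groups))


if __name__ == "__main__":
    copies, distinct = demo()
    print("copies per distinct file:", copies)
    print("files to submit:", distinct)
```

If every copy hashes to the same value, a single multi-scanner verdict covers all of them; if the hashes differ, each distinct file needs its own submission.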



Re: Virus or not? by rap4rag

rap4rag
Fri May 12 14:17:01 CDT 2006

virustotal shows clean slate

Re: Virus or not? by David

David
Fri May 12 14:20:31 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| virustotal shows clean slate
|

Therefore it may be a False Positive. Send the file as I directed to Avast.

Please keep the thread updated.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Virus or not? by rap4rag

rap4rag
Fri May 12 14:35:02 CDT 2006

Had already been done. Kaspersky shows a clean slate.

"Panda_man" wrote:

> My reply is at the bottom of your message :
>
>
> "rap4rag" wrote:
>
> > Excuse me for my lack of skill. This is my first computer and I have had it
> > about 6 months. No training or previous experience. I downloaded and
> > unzipped the Multi AV and nothing happens. Normally I am taken to another
> > file that the program is extracted in and I continue whatever program I am
> > working with from there. Not this time. (I use the DAP program for
> > downloads and the PowerDesk 6 program for my file system) It unzips and
> > just disappears. My avast gave a couple more alerts after I ran the killbox
> > on the rssgthrsvc file. The file will not totally delete. I tried the
> > "Hijack". It couldn't see it. I'm going to try a couple more things and be
> > back later.
> >
> >
>
>
> Another possibility:
> 1) Go to Start-Settings-Control Panel -Add/Remove programs
> remove Avast. Restart (important)
>
> 2) Make sure you have a firewall turned ON
>
> 3) For Windows XP and Windows Me , disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx
>
> 4) Download and install a free trial version of Kaspersky AV Personal 5.0.527
> http://www.kaspersky.com/trials?chapter=146481750
>
> 5) Update it !!!
>
> 6) Turn ON the usage of extended databases
> http://www.kaspersky.com/faq?chapter=170704912&qid=170052625
>
> 7) Again update just to be sure
>
> 8) When KAV is active there is a red K icon on the system tray next to the
> clock . Right click on this icon and choose to permanently disable
> Kaspersky's real-time protection
>
> 9) Make sure you configure KAV correctly for Maximum level of both real-time
> protection and on-demand scans
>
> 10) Open Kaspersky and perform full scan of your hard drive.
> Leave it clean. If the disinfection is not possible at the moment, choose
> to postpone. This means that KAV will clean the infection on next reboot.
> After the scan is ready, KAV will try to restart the computer. Error
> messages may occur but don't worry
>
> 11) After you restart , you should be clean
>
>
> Learn how to protect your computer :
> http://pandaman.my.contact.bg
>
>
> Panda_man
> --
> Bronze level Contributor
> http://pandaman.my.contact.bg
> http://www.eset.com
> Please , rate posts
>
>

Re: Virus or not? by rap4rag

rap4rag
Fri May 12 16:59:02 CDT 2006



"David H. Lipman" wrote:

> From: "rap4rag" <rap4rag@discussions.microsoft.com>
>
> | David: I ran all 4 of the Multi-AV. None of them showed any indication of
> | a virus. Right after I ran Trend (#2). My avast popped up with a warning of
> | a virus/Worm in the "C:\AV_CLS\Trend\sysclean.exezz, Malware name:
> | VBS:Redlof, Malware type: Virus/Worm, VPS version: 0619-3,05/12/2006".
> | I received only one warning and that I tried the repair command on. I
> | couldn't repair so I "moved to chest" as recommended. The rest of the
> | Multi program came up with a clean conclusion. No indication of removing or
> | repairing needed or completed. Just no action and no infection. My avast is
> | popping up with an occasional warning of the infection in the original file.
> | My Powerdesk shows that there are 67 more commands (or whatever they are
> | called; rssgthrsvc\751EACEE97984F10BC14E1DA289412F8\Setup.exe). The avast
> | never shows the same one and the list used to be over 100 (it was possibly
> | over 200 in the beginning). My guess is the virus has been damaged and
> | inactive. Broken to the point that the other anti-virus programs no longer
> | recognize it as such. The avast became aware of it at the beginning of
> | infection and has been removing the debris left from the first battle(?, for
> | lack of better name). Now, almost every startup, registry clean up or
> | anything that involves an in-depth scan or search, the avast finds a couple
> | more that it recognizes as part of the infection and I have been hitting the
> | delete command. I think (hope) that eventually it will be totally removed.
> | What do you think?
> |
>
>
> The VBS:RedLof declaration on Trend Micro's Sysclean utility is a long time, well known,
> False positive declaration.
>
> If I had known that you were using Avast, I would have warned you to disable Avast prior to
> using it.
>
> The fact that no modules in the Multi AV Scanning Tool indicated an infector where Avast
> indicated an infector could mean Avast is making a False Declaration.
>
> Please submit one of those... \rssgthrsvc\751EACEE97984F10BC14E1DA289412F8\Setup.exe type
> files to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results so we can see the results.
>
> Then with the results of Virus Total and the attached file, send it to;
> mailto:virus@avast.com indicating the suspicion that it may be a False Positive.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Re: Virus or not? by PA

PA
Sun May 14 13:00:51 CDT 2006

David H. Lipman wrote:
> From: "rap4rag" <rap4rag@discussions.microsoft.com>
> > virustotal shows clean slate
>
> Therefore it may be a False Positive. Send the file as I directed to
> Avast.
>
> Please keep the thread updated

smitFraud, David. See http://aumha.net/viewtopic.php?t=19604 &ff
--
~PA Bear

Re: Virus or not? by David

David
Sun May 14 13:24:48 CDT 2006

From: "PA Bear" <PABearMVP@gmail.com>

| David H. Lipman wrote:
>> From: "rap4rag" <rap4rag@discussions.microsoft.com>
>>> virustotal shows clean slate
>>
>> Therefore it may be a False Positive. Send the file as I directed to
>> Avast.
>>
>> Please keep the thread updated
|
| smitFraud, David. See http://aumha.net/viewtopic.php?t=19604 &ff

I don't see a SmitFraud/ZLob/FakeAlert Trojan connection in that discussion.

On the contrary, the CastleCops thread indicates ... "FreeInstall.exe WinAntiSpyware 2006
version"
which is indicative of; Vundo Trojan/Virtumundo Adware family.

The second thing is it was a connection between; Win32:VB-IE and Troj/VBClick-A (Sophos)
Maybe because Sophos indicates that the VBClick-A Trojan is synonymous to the
"Trojan-Clicker.Win32.VB.ie"

That's a loose association to say the least. The problem is there is no naming convention
that all adhere to. Just because Avast called it "Win32:VB-IE" does not mean it is
equivalent to "Trojan-Clicker.Win32.VB.ie".

It is interesting to note when you actually submit a sample to Virus Total and see just how
many different names the vendors call the same infector and even when they define the
family to be the same they often designate a different variant suffix.

I would like to know Avast's take on the submitted file, assuming it was sent to them.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
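
Added illustration, not part of the thread or of any vendor's tooling: the three detection names quoted in the post above, split into fields and compared. The name layouts and the type-abbreviation table are assumptions inferred only from those three strings; the point is that token overlap between names neither proves nor disproves that two vendors mean the same sample.

```python
import re

# Name layouts inferred only from the three detection names quoted in the
# thread. They are assumptions for this example, not official vendor grammars.
LAYOUTS = {
    "colon": re.compile(
        r"^(?P<platform>\w+):(?P<family>\w+)-(?P<variant>\w+)"
        r"(?:\s*\[(?P<type>\w+)\])?$"),
    "dotted": re.compile(
        r"^(?P<type>[\w-]+)\.(?P<platform>\w+)\.(?P<family>\w+)\.(?P<variant>\w+)$"),
    "slash": re.compile(r"^(?P<type>\w+)/(?P<family>\w+)-(?P<variant>\w+)$"),
}

# Assumed mapping of type abbreviations to a coarse class.
TYPE_CLASS = {"wrm": "worm", "troj": "trojan", "trojan-clicker": "trojan"}


def parse(name):
    """Split a detection name into lowercase fields, or raise ValueError."""
    for layout, pattern in LAYOUTS.items():
        match = pattern.match(name.strip())
        if match:
            fields = {k: (v or "").lower() for k, v in match.groupdict().items()}
            fields["layout"] = layout
            fields["class"] = TYPE_CLASS.get(fields.get("type", ""), "unknown")
            return fields
    raise ValueError(f"unrecognised name layout: {name!r}")


def compare(name_a, name_b):
    """Report which fields of two detection names agree (empty never agrees)."""
    a, b = parse(name_a), parse(name_b)
    return {key: a[key] == b[key] and a[key] not in ("", "unknown")
            for key in ("family", "variant", "class")}


if __name__ == "__main__":
    colon_name = "Win32:VB-IE [Wrm]"            # from the original post
    dotted_name = "Trojan-Clicker.Win32.VB.ie"  # quoted in the reply
    slash_name = "Troj/VBClick-A"               # quoted in the reply
    # Family and variant tokens agree, yet one is typed worm, the other trojan.
    print(compare(colon_name, dotted_name))
    # Listed as synonyms in the thread, yet no family or variant token agrees.
    print(compare(slash_name, dotted_name))
```

A match on "VB" and "IE" therefore says little on its own; comparing what several scanners report for the same submitted file is what ties names together.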



Re: Virus or not? by PA

PA
Sun May 14 14:56:48 CDT 2006

David H. Lipman wrote:
> From: "PA Bear" <PABearMVP@gmail.com>
>
> > David H. Lipman wrote:
> > > From: "rap4rag" <rap4rag@discussions.microsoft.com>
> > > > virustotal shows clean slate
> > >
> > > Therefore it may be a False Positive. Send the file as I directed to
> > > Avast.
> > >
> > > Please keep the thread updated
> >
> > smitFraud, David. See http://aumha.net/viewtopic.php?t=19604 &ff
>
> I don't see a SmitFraud/ZLob/FakeAlert Trojan connection in that
> discussion.
<snip>
/Mea culpa/, you're right. I misremembered (too many irons in the fire, too
little coffee) and have edited my reply.
--
~PA Bear


Re: Virus or not? by David

David
Sun May 14 15:49:33 CDT 2006

From: "PA Bear" <PABearMVP@gmail.com>


| <snip>
| /Mea culpa/, you're right. I misremembered (too many irons in the fire, too
| little coffee) and have edited my reply.

I make way more mistakes in a week than you do in a year :-)
{ That excludes my Usenet spelling too }

The important thing is through discussion and collaboration we all learn and we all do
better.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Virus or not? by rap4rag

rap4rag
Sun May 14 22:29:01 CDT 2006

I sent to avast what I was able to. If you wish, We might connect and I can
give you all the pictures of the ( A53F58A0940E42b0B9A910AC316EFEBA )'s. I
have about 60 of them. If you check with avast and find the sent file
incomplete, please, let me know. As far as what the 2 of you said to each
other here, I didn't even have to duck as it went over my head. Sorry about
not getting back earlier. I thought that I had posted 3 other times. I
messed up somewhere and didn't post correctly. I just had another avast
warning. Hadn't had one for 2 days. C:\Documents and Settings\<user>\Local
Settings\Application Data\Microsoft\Desktop
Search\rssgthrsc\AADD8237A6E642db9952DBCB284DCF4E\Setup.exe 1 less
to deal with. Later

"David H. Lipman" wrote:

> From: "PA Bear" <PABearMVP@gmail.com>
>
>
> | <snip>
> | /Mea culpa/, you're right. I misremembered (too many irons in the fire, too
> | little coffee) and have edited my reply.
>
> I make way more mistakes in a week than you do in a year :-)
> { That excludes my Usenet spelling too }
>
> The important thing is through discussion and collaboration we all learn and we all do
> better.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Re: Virus or not? by David

David
Mon May 15 11:13:50 CDT 2006

From: "rap4rag" <rap4rag@discussions.microsoft.com>

| I sent to avast what I was able to. If you wish, We might connect and I can
| give you all the pictures of the ( A53F58A0940E42b0B9A910AC316EFEBA )'s. I
| have about 60 of them. If you check with avast and find the sent file
| incomplete, please, let me know. As far as what the 2 of you said to each
| other here, I didn't even have to duck as it went over my head. Sorry about
| not getting back earlier. I thought that I had posted 3 other times. I
| messed up somewhere and didn't post correctly. I just had another avast
| warning. Hadn't had one for 2 days. C:\Documents and Settings\<user>\Local
| Settings\Application Data\Microsoft\Desktop
| Search\rssgthrsc\AADD8237A6E642db9952DBCB284DCF4E\Setup.exe 1 less
| to deal with. Later
| "David H. Lipman" wrote:
|


I can't check with Avast. You must. I don't have a sample.

You could send me a copy of the EXE file in a password protected ZIP file with the password
being; infected { pwd = infected }

Just remove ~nospam~ from;
DLipman~nospam~@Verizon.Net or David_H_Lipman~nospam~@Yahoo.Com


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Address "munging" IS harmful (was: Virus or not?) by Stefan

Stefan
Mon May 15 17:33:07 CDT 2006

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

[...]

> Just remove ~nospam~ from;
> DLipman~nospam~@Verizon.Net or David_H_Lipman~nospam~@Yahoo.Com

PLEASE stop munging addresses.
Doing so REALLY increases the traffic of unwanted email a.k.a. SPAM!
See the report recently published from http://www.ironport.com/

Stefan
--
If you want to mail me directly:
- Use Rot13 on my address
- Enter "abfcnz" after the "@"
- Use Rot13 again and delete the "nospam"


Re: Virus or not? by NoNoBadDog!

NoNoBadDog!
Mon May 22 16:33:11 CDT 2006


"rap4rag" <rap4rag@discussions.microsoft.com> wrote in message
news:7169E75E-3240-41C4-91FB-F308AEA7ECFA@microsoft.com...
> My avast labels it as a Virus/worm. Win32:VB-IE [Wrm] The avast has been
> removing the infection one piece at a time. I am suspecting that the
> infection piggy backed on an update from Microsoft, that is not an absolute.
> It does not seem to be doing anything now. It messed up my HP All-In-One
> Program and Microsoft OneNote in the beginning. I removed the damaged
> programs, hacked at the virus then reinstalled. Everything doing good now. I
> still get an alert and delete it now and then. I am not sure where it is
> coming from. I go to where it is supposed to be. I find three files.
> (Ntf7.tmp., Ntf8.tmp, Perflib-Perfd...). I open the hidden files and find
> nothing else. I am thinking that whatever is left is slowly being found and
> deleted (time will tell). If not ... ???

You did not get the virus from Windows Update. The Worm you have is very
prevalent on P2P networks, so whatever you are using to steal
software/music/videos is where you got it from. You will continue to be
reinfected every time you use whatever P2P you are using.

Bobby