virscan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dromano, Oct 3, 2006.

  1. dromano

    dromano Staff Sergeant

    Hello all,
    I found this in c/ today and didn't know what it was. When I opened the zip
    there were many, many files in it. I clicked on one that said "set up info"; Notepad came up and the first thing I saw was this:
    รต O$ No additional information. This virus infects the master boot record and boot record of floppy disks. Bootup from infected floppies often causes system hangs Lenart This virus contains the text, "I am Li Xibin!". Bootup from infected floppies often causes system hangs This is dropped by the "Backdoor.Poly" or "Backdoor.SubSeven". You must delete this file. This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file. This is a backdoor type trojan program which can be used to allow unauthorized access to your computer. This backdoor trojan loads by adding to the line shell=explorer.exe in the SYSTEM.INI file. To clean, replace that line and delete the corresponding file from the C:\WINDOWS directory. This virus does little but replicate. Note that Boot-437 does not infect the MBR of the hard drive; it infects only the Boot Sector. This is a Internet worm that uses .bat files to search through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer shares its C drive, it copies its files onto the other computer. DIR.Byway Byway creates a file called CHKLIST.MS in the root directory. DO NOT delete this file, as you will lose original file data! OZ, Die Hard.II, Die-Hard.4000.d Infected programs have the word "OZ" near the end of the file. Creeping Death Changes directory entries to point to itself. Using the "CHKDSK /F" command will destroy all program file linkage. To repair infected systems, you must use the DOS version of NAV. CMOS Killer This family of viruses attempts to modify CMOS information. EXE files are overwritten by virus code turning them into droppers. On the 18th of any month, the virus plays a clicking sound whenever a key is pressed. The virus contains the text: "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic!"

    If anyone could please tell me how to proceed it would be greatly appreciated.
    The file does not want to let me delete it.
    It also has a lot of Nero files in it, and I uninstalled Nero about six months ago.
    Thanks for any help,
    Dan
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Which virus scan application do you use? Is it this one, Virscan? If so, that could well be the scan logs or quarantine folder.


    But even if that is your virus scanner, I would also run through the guide below to make sure you have no malware on your PC.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

    The reason you cannot delete that folder or files is that they are most likely already owned by a running application, but I won't post any delete instructions for that file or folder until you have answered the virus scanner question or run the guide and attached the logs.
     
  3. dromano

    dromano Staff Sergeant

    Hi Halo,
    I have never heard of virscan. I was in c/ looking for a scanner that I downloaded from M/G to show my memory usage. That's when I found the VIRSCAN zip folder and opened it. I tried to follow delete instructions but it did not work. I have AVG Free, Spybot and Ad-Aware. Also I have RemoveIT Pro XT2. I have run all and come up clean.
    This AM when I booted the computer, RemoveIT Pro XT2 encountered a problem and had to close. Yahoo Messenger could not sign in, I lost my active desktop (recovery would not fix it) and I had a window pop up saying "run time error 216 at 00017d57"; there were 5 or 6 of them.
    I went to msconfig and disabled all in an attempt to get things running. I got my desktop back, but I had XT Pro disabled and it loaded anyway??
    I will begin the process you told me about this evening. I sure am glad you're here to help!!
    Thanks,
    Dan
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Dan

    Try one of these on that zip folder to delete it, but also do follow the guide steps, as it is well worth making sure you are clear of malware, since that is a suspicious file on your PC.


    1. Pocket Killbox
    2. MoveOnBoot: this one, once you drag and drop the file or browse for its location, deletes the file on reboot, so any applications that have locked the file are not running and cannot lock it before deletion.. my fav!
    3. Unlocker
     
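The "delete on reboot" trick that MoveOnBoot performs is a standard Win32 mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the operation in the registry, and the session manager carries it out early in the next boot, before the application holding the lock has started. The script below is an added example written for this thread, not code from MoveOnBoot or from the original posts; the target path is a constructed placeholder, and it must be run from an elevated PowerShell prompt. It schedules the deletion and then prints the pending queue so you can confirm exactly what will be removed at boot.

```powershell
# Added example: schedule deletion of a locked file at next boot using the same
# Win32 call that tools such as MoveOnBoot rely on. Run elevated.
param(
    [string]$Target = 'C:\VIRSCAN.ZIP'   # assumption: placeholder path, adjust to the locked file
)

# P/Invoke MoveFileExW from kernel32.
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Native' -Namespace 'BootDelete' -PassThru

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# A null destination combined with DELAY_UNTIL_REBOOT means "delete at boot".
$ok = $k32::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err (are you running elevated?)"
}

# The request lives in the registry as a REG_MULTI_SZ of (source, destination) pairs,
# where an empty destination means delete. Review the whole queue before rebooting:
# malware uses this same mechanism, so any entry you did not add yourself deserves a look.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction Stop).PendingFileRenameOperations
for ($i = 0; $i -lt $pending.Count; $i += 2) {
    $src = $pending[$i]
    $dst = if ($pending[$i + 1]) { $pending[$i + 1] } else { '<delete>' }
    '{0}  ->  {1}' -f $src, $dst
}
```

Source entries are stored in NT path form (`\??\C:\...`). If the queue contains entries you did not create, investigate them before rebooting rather than after, since once the machine restarts the evidence is gone.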
  5. dromano

    dromano Staff Sergeant

    Hi Halo,
    MoveOnBoot worked to get rid of the file. Thanks, it was great and easy.
    I have followed all the suggested steps in READ & RUN ME; here are the results:
    nothing bad found in Add/Remove Programs
    In safe mode:
    ran CCleaner
    Spybot----clean
    Defender--clean
    MS.M.S.R. Tool--clean (all in safe mode)
    Had to reboot in normal mode, I could not get online
    I have the Sun Java 5.0 Update 8
    Bitdefender could not update and scan failed "in normal boot"
    Panda scan found (please see attached)
    runkey (please see attached)
    newfile (please see attached)

    Things seem to be running OK now. Should I still run HJT?
    Do I need to toggle System Restore?
    Thank you for the help and a great learning experience!

    HAIL HALO & THE MAJOR GEEKS,
    Dan
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is the old version, and you are also using an old Firefox version.

    Get new versions here:

    Sun Java Runtime Environment

    Mozilla Firefox

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 8


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  7. dromano

    dromano Staff Sergeant

    Hi Chaslang,
    Thanks a lot for the feedback!! I updated Firefox and Java this AM.
    When I rebooted, RemoveIT XT2 Pro popped up and told me it found a virus.
    I have done nothing except those two downloads since the cleaning yesterday.
    8:40:35 AM: Infected file (Sys32.zport4as) C:\WINDOWS\system32\zport4as.dll
    8:40:35 AM: 1 Dangerous files has been found on your computer.
    Click on "Fix" button to fix selected tasks.

    Any ideas what it could be?? I am not sure if I should (fix) because of all the extra programs I downloaded for the cleaning yesterday.
    Thanks for all the help,
    Dan
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just another in a long line of false positive issues with RemoveIT Pro! I never recommended this program, for just this reason. However, are you using the current version of RemoveIT Pro with current updates? See: RemoveIT Pro XT - SE

    The zport4as.dll file is part of a Borland C++ Library used by many programs!
     
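Before clicking "Fix" on a lone detection like the one above, it is worth collecting the evidence that lets you compare the scanner's claim against what is actually on disk. The script below is an added example for this thread, not something posted by the participants or shipped by RemoveIT; it makes no claim about what zport4as.dll is. It takes the path quoted in the thread and gathers the file hash (for a multi-engine or vendor lookup), the embedded version strings, the Authenticode status, and the list of running processes that currently have the DLL loaded.

```powershell
# Added example: triage a file flagged by a scanner before deciding "fix" or "ignore".
param(
    [string]$Path = 'C:\WINDOWS\system32\zport4as.dll'   # path as quoted in the thread
)

if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
$item = Get-Item -LiteralPath $Path

# 1. Hash: the value to look up in a vendor database or multi-engine scanner.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# 2. Embedded version resource: easy to forge, but a mismatch with the claimed
#    origin (here, a Borland C++ library) is a quick red flag.
$vi = $item.VersionInfo

# 3. Authenticode: a valid signature from the expected publisher is the strongest
#    local evidence; "NotSigned" is common for old runtime DLLs and proves nothing either way.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

# 4. Which running processes have the DLL mapped: shows what depends on it
#    (and therefore what would break, or stop locking it, if it were removed).
$loaders = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.FileName -eq $item.FullName }) { $p.ProcessName }
    } catch { }   # access denied or 32/64-bit mismatch: skip that process
}
$loaders = $loaders | Sort-Object -Unique

[pscustomobject]@{
    Path        = $item.FullName
    SizeBytes   = $item.Length
    Modified    = $item.LastWriteTime
    SHA256      = $hash
    Company     = $vi.CompanyName
    Product     = $vi.ProductName
    FileVersion = $vi.FileVersion
    Signature   = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    LoadedBy    = ($loaders -join ', ')
}
```

If the company and product strings point at a legitimate runtime, the hash is known to a vendor database, and the loaders are programs you installed, the detection is very likely a false positive; if the file is unsigned, has no version resource, and is loaded by a process you do not recognise, treat it as the scanner suggests and keep the hash for the forum log.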
  9. dromano

    dromano Staff Sergeant

    Hi Chaslang,
    I would like to thank you and all the MAJORGEEKS for taking the time and effort to help all the computer dummies like myself! It is a great community service all of you are doing. It's wonderful to know that we have somewhere to go for straightforward (SAFE) help that doesn't cost a fortune or even a penny.
    Your guidance and efforts are greatly appreciated,
    Dan
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
