Please help

Yup, it's definitely better. I've scanned so many times with AVG and nothing came up. And AntiVir immediately detected it. Thanks for the recommendation. I'll try Kaspersky next. I'm willing to do anything to get rid of this thing, if it means I don't have to reformat.

But I thought Kaspersky doesn't allow more than one anti-virus software on one computer? Is it really wise to uninstall both my AVG and AntiVir?
 
Kaspersky is my AV/Firewall of choice ... You can "trial" for 30 days, but you will need to uninstall any and all other Antivirus programs ... the likes of SBS&D & Windows Defender are ok with KIS


I cannot guarantee Kaspersky Internet Security will win, but it is the best AV I know of ... IMHO. It ain't free. ;)

You may want to try Stinger it may have been updated to 'see' this bugger ... the only program from McAfee I would use. READ This Bit first ... another thing I forgot to tell you to do. :o

I'm pretty good @ fixin if I have the PC in front of me ... :D


 
But I thought Kaspersky doesn't allow more than one anti-virus software on one computer? Is it really wise to uninstall both my AVG and AntiVir?
Yep ... uninstall both.


You shouldn't run two AV's on one PC, they will fight. ;)


 
lol, yeah I'm pretty sure you are. Too bad you can't come over or I can't send you my comp. Oh well, I'll have to deal with this on my own. I'll try everything you say, but it may take a while. ^^
 
I know my way to KL from Singapore ... :thumb:


The airfare may be a bit out of my reach though. :lol:


 
Oh, you Singaporean?

And here's some extra info on my little bug. AntiVir identified it as a worm with the signature WORM/Hakaglan.B. Hope that's useful in some way.

*And I checked the AntiVir log file; turns out that AntiVir couldn't delete the file because access was denied.
 
Nope, I'm a Scot ... but I spent some time in Singapore and made many a trip up the road to KL. :thumb:


The worm makes use of an AutoIt script to spread. To further conceal its intentions it is internally compressed with the UPX packer.
When looking at the file with Windows Explorer, its icon looks a bit like a folder - this is just a means to get the user to double-click on it unknowingly.

Upon running, it runs silently; no GUI message boxes appear on the screen.

In the meantime it has already copied itself on the system as "rvhost.exe" and made registry entries to launch itself.
  • c:\WINNT\RVHOST.exe (268.288 byte identical to f_drive.exe)
  • c:\WINNT\system32\RVHOST.exe (268.288 bytes)
  • c:\WINNT\Tasks\At1.job ( 342 bytes)

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger"
    Data: C:\WINNT\System32\RVHOST.exe
It does have some side-effects such as disabling the Windows Task Manager.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NofolderOptions"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"
Symptoms -


  • Presence of the "F_DRIVE.exe" and/or "rvhost.exe", having a filesize of 268.288 bytes
  • Presence of registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger"
    Data: C:\WINNT\System32\RVHOST.exe
It does have some side-effects such as disabling the Windows Task Manager.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NofolderOptions"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"
  • ... told you it hides. ;)
Have a HERE ... :thumb:

Now we is getting somewhere ...



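The write-up quoted above gives a concrete indicator set for this worm: the Run value "Yahoo Messengger" pointing at RVHOST.exe, the Explorer/System policy values that hide Folder Options and disable Task Manager and regedit, and a 268.288-byte file named rvhost.exe or F_DRIVE.exe. The following is an added example (not code from the thread or from any AV vendor) that parses a Windows .reg export plus a file listing and reports which of those indicators are present; both inputs are constructed samples.

```python
# Added example: match a .reg export and a file listing against the
# WORM/Hakaglan.B indicators quoted in the thread. Inputs are constructed.
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Yahoo Messengger"  # misspelling is part of the indicator
POLICY_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NofolderOptions"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools", "DisableTaskMgr"},
}
FILE_NAMES = {"rvhost.exe", "f_drive.exe"}
FILE_SIZE = 268288  # "268.288 bytes" in the write-up
# Constructed sample inputs, not captured from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINNT\\System32\\RVHOST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""
SAMPLE_FILES = [("C:\\WINNT\\system32\\RVHOST.exe", 268288), ("C:\\WINNT\\explorer.exe", 1032192)]

def parse_reg(text):
    # Minimal .reg parser: returns {key: {value_name: raw_data}} for
    # string ("...") and dword values; binary/multi-line values are ignored.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data.strip('"')
    return keys

def find_indicators(reg_text, files):
    # Report-only: lists matching indicators so the operator can verify
    # them before cleaning; it changes nothing on the system.
    hits, reg = [], parse_reg(reg_text)
    data = reg.get(RUN_KEY, {}).get(RUN_VALUE)
    if data and "rvhost.exe" in data.lower():
        hits.append(f"Run value '{RUN_VALUE}' -> {data}")
    for key, names in POLICY_VALUES.items():
        for name in sorted(names & set(reg.get(key, {}))):
            hits.append(f"policy value '{name}' set under {key}")
    for path, size in files:
        if path.rsplit("\\", 1)[-1].lower() in FILE_NAMES and size == FILE_SIZE:
            hits.append(f"file {path} ({size} bytes)")
    return hits
```

Run `find_indicators(SAMPLE_REG, SAMPLE_FILES)` to see the four matches the sample contains; on a real machine you would feed it the output of `reg export` and a directory listing.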
 
Finally! I can run my regedit, task manager, folder options etc. ^^

I want to say that I can't thank you enough for the help. You've answered my questions fully and devotedly over the last few hours; I owe you one. If the problem ever shows up again, I'll know what to do. Once again, thank you so much. This forum has been good to me, I'll remember that.

Now, I have to go to sleep, it's almost midnight here. ^^

Before that, thank you (to infinity). Phew, I really can't thank you enough.
 
You is welcome ... it's only 5pm here, but have a good night's sleep. :thumb:


Oh, I would still tempt you into at least trying Kaspersky Internet Security out ... my opinion of AVG ain't too high. ;)


Catch you another time ... :wave:

