PC Review
Computer problem possibly virus related???

#1 (Guest)

This morning my computer will launch to the desktop like normal, but then the icons and start menu disappear. I can use Ctrl-Alt-Del and run explorer.exe to get it back. So I then went into msconfig and found the following entries:

c:\windows\system32\antiav_exe.exe
c:\windows\system32\hloader_exe.exe

I unchecked them and the PC is working fine now. I think this might be a virus and want to remove it from my computer. I did a Google Groups search on 'antiav_exe.exe' and found one other posting from this morning, but it is in a different language.

I am running XP Pro and eTrust. eTrust found nothing. I just ran Trend Micro online and it did find the following:

TROJ ADCLICKER.O
TROJ STARTPAG.HW

These seem to be unrelated, but I am not sure. I have removed them and will see what happens.

If anyone has any idea what is going on I would greatly appreciate the info.

Thanks,

Joe

#2 (Guest)

I have had this problem for just over the last hour also. I believe it is a virus also; removing it didn't work for me. Any suggestions?

Did you remove anything else along with it?

#3 (Guest)

I found some info about hloader_exe.exe on Symantec's website:
http://symantec.com/avcenter/venc/d...n.lodear.b.html

I am going to update my virus defs and run another scan to see if it picks it up like it says it will.

#4 (Guest)

<jchorvath@gmail.com> wrote in message news:1130953557.696421.71920@z14g2000cwz.googlegroups.com...
> So I then went into msconfig and found the following entries:
>
> c:\windows\system32\antiav_exe.exe
> c:\windows\system32\hloader_exe.exe
>
> [rest of post #1 snipped]

Go to virustotal.com and submit those two files. They will be run against several anti-virus engines (around 10+, I believe) and you should get an answer from them while still at their site. If they are too busy, they will tell you and then email the results to you shortly. (Free)

If you use the 'Browse' option to send (on the somewhat upper right), you can just find those files that way, select them, and they will be sent automatically.

Please post back their results.

#5 (Guest)

Here are the results for antiav_exe.exe... very interesting how some sites find it and others don't...

This is a report processed by VirusTotal on 11/02/2005 at 20:23:05 (CET) after scanning the file "antiav_exe.exe".

Antivirus      Version         Update       Result
AntiVir        6.32.0.6        11.02.2005   no virus found
Avast          4.6.695.0       11.02.2005   no virus found
AVG            718             11.01.2005   no virus found
Avira          6.32.0.6        11.02.2005   no virus found
BitDefender    7.2             11.02.2005   Win32.Bagle.EF@mm
CAT-QuickHeal  8.00            11.02.2005   (Suspicious) - DNAScan
ClamAV         devel-20050917  11.02.2005   no virus found
DrWeb          4.33            11.02.2005   Win32.HLLM.Beagle.38912
eTrust-Iris    7.1.194.0       11.01.2005   no virus found
eTrust-Vet     11.9.1.0        11.02.2005   no virus found
Fortinet       2.48.0.0        11.02.2005   W32/Bagle.EH-mm
F-Prot         3.16c           11.02.2005   destructive program named W32/KillAV.CF@troj
Ikarus         0.2.59.0        11.02.2005   Email-Worm.Win32.Bagle.EE
Kaspersky      4.0.2.24        11.02.2005   Email-Worm.Win32.Bagle.eh
McAfee         4618            11.02.2005   W32/Bagle.gen
NOD32v2        1.1272          11.02.2005   probably unknown NewHeur_PE virus
Norman         5.70.10         11.02.2005   W32/Malware
Panda          8.02.00         11.02.2005   Trj/Mitglieder.FM
Sophos         3.99.0          11.02.2005   Troj/BagleDl-AA
Symantec       8.0             11.02.2005   no virus found
TheHacker      5.9.1.027       11.02.2005   W32/Bagle.gen
VBA32          3.10.4          11.02.2005   no virus found

#6 (Guest)

And the results for hloader_exe.exe

This is a report processed by VirusTotal on 11/02/2005 at 20:32:57 (CET) after scanning the file "hloader_exe.exe".

Antivirus      Version         Update       Result
AntiVir        6.32.0.6        11.02.2005   TR/Bagle.DR
Avast          4.6.695.0       11.02.2005   Win32:Beagle-FT
AVG            718             11.01.2005   no virus found
Avira          6.32.0.6        11.02.2005   TR/Bagle.DR
BitDefender    7.2             11.02.2005   Trojan.Downloader.Bagle.H
CAT-QuickHeal  8.00            11.02.2005   Bagle.eb
ClamAV         devel-20050917  11.02.2005   Worm.Bagle.CA-1
DrWeb          4.33            11.02.2005   Win32.HLLM.Beagle.38912
eTrust-Iris    7.1.194.0       11.01.2005   no virus found
eTrust-Vet     11.9.1.0        11.02.2005   no virus found
Fortinet       2.48.0.0        11.02.2005   W32/Mitglieder.GB!tr
F-Prot         3.16c           11.02.2005   security risk named W32/Mitglieder.GB
Ikarus         0.2.59.0        11.02.2005   Email-Worm.Win32.Bagle.EE
Kaspersky      4.0.2.24        11.02.2005   Email-Worm.Win32.Bagle.eb
McAfee         4618            11.02.2005   W32/Bagle.gen
NOD32v2        1.1272          11.02.2005   Win32/Bagle.DG
Norman         5.70.10         11.02.2005   W32/Malware
Panda          8.02.00         11.02.2005   Trj/Mitglieder.FL
Sophos         3.99.0          11.02.2005   Troj/BagleDl-Y
Symantec       8.0             11.02.2005   no virus found
TheHacker      5.9.1.027       11.02.2005   W32/Bagle.gen
VBA32          3.10.4          11.02.2005   Email-Worm.Win32.Bagle.eb
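The "some sites find it and others don't" point in posts #5 and #6, and post #4's advice to read a multi-engine result, as an added example that is not part of the thread: a small parser for the report layout above that counts detections and folds the vendors' different names into one family. The input is the antiav_exe.exe report from post #5 re-typed as a string. The alias table (treating Bagle, Beagle and Mitglieder as one family, and "suspicious" or heuristic verdicts as generic) is my assumption added for this example; it is what lets a reader see that 9 of the 13 hits agree on a single family while 9 engines, including both eTrust engines the original poster relies on, report nothing.

```python
"""Summarise a VirusTotal-style multi-engine report (added example).

Not part of the original thread. REPORT_ANTIAV is the post #5 report
re-typed; FAMILY_ALIASES and GENERIC are assumptions made for this example.
"""
import re
from collections import Counter

# The post #5 report, one engine per line: name, version, update, result.
REPORT_ANTIAV = """\
AntiVir 6.32.0.6 11.02.2005 no virus found
Avast 4.6.695.0 11.02.2005 no virus found
AVG 718 11.01.2005 no virus found
Avira 6.32.0.6 11.02.2005 no virus found
BitDefender 7.2 11.02.2005 Win32.Bagle.EF@mm
CAT-QuickHeal 8.00 11.02.2005 (Suspicious) - DNAScan
ClamAV devel-20050917 11.02.2005 no virus found
DrWeb 4.33 11.02.2005 Win32.HLLM.Beagle.38912
eTrust-Iris 7.1.194.0 11.01.2005 no virus found
eTrust-Vet 11.9.1.0 11.02.2005 no virus found
Fortinet 2.48.0.0 11.02.2005 W32/Bagle.EH-mm
F-Prot 3.16c 11.02.2005 destructive program named W32/KillAV.CF@troj
Ikarus 0.2.59.0 11.02.2005 Email-Worm.Win32.Bagle.EE
Kaspersky 4.0.2.24 11.02.2005 Email-Worm.Win32.Bagle.eh
McAfee 4618 11.02.2005 W32/Bagle.gen
NOD32v2 1.1272 11.02.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 11.02.2005 W32/Malware
Panda 8.02.00 11.02.2005 Trj/Mitglieder.FM
Sophos 3.99.0 11.02.2005 Troj/BagleDl-AA
Symantec 8.0 11.02.2005 no virus found
TheHacker 5.9.1.027 11.02.2005 W32/Bagle.gen
VBA32 3.10.4 11.02.2005 no virus found
"""

CLEAN = "no virus found"

# Assumed alias table: vendors label the same family differently.
FAMILY_ALIASES = [
    (re.compile(r"bagle|beagle|mitglieder", re.I), "Bagle"),
    (re.compile(r"killav", re.I), "KillAV"),
]
# Verdicts that name no family: heuristic or generic hits.
GENERIC = re.compile(r"suspicious|heur|^W32/Malware$", re.I)


def parse_report(text):
    """Return (engine, version, update, result) tuples, one per report line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            engine, version, update, result = line.split(None, 3)
            rows.append((engine, version, update, result))
    return rows


def family_of(result):
    """Map a vendor verdict to a normalised family name; None when clean."""
    if result == CLEAN:
        return None
    for pattern, family in FAMILY_ALIASES:
        if pattern.search(result):
            return family
    return "generic/heuristic" if GENERIC.search(result) else "other"


def summarise(text):
    """Detection ratio, per-family counts, consensus family, and misses."""
    rows = parse_report(text)
    detected = [r for r in rows if r[3] != CLEAN]
    families = Counter(family_of(r[3]) for r in detected)
    named = {f: n for f, n in families.items()
             if f not in ("generic/heuristic", "other")}
    return {
        "engines": len(rows),
        "detections": len(detected),
        "families": dict(families),
        "consensus": max(named, key=named.get) if named else None,
        "missed_by": sorted(r[0] for r in rows if r[3] == CLEAN),
    }


if __name__ == "__main__":
    s = summarise(REPORT_ANTIAV)
    print(f"{s['detections']}/{s['engines']} engines flagged the file; "
          f"consensus family: {s['consensus']}")
    for fam, n in sorted(s["families"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:2d} x {fam}")
    print("missed by:", ", ".join(s["missed_by"]))
```

Paste another report into the string to compare. A file that 9 of 22 engines clear is the reason a single product's "found nothing" is weak evidence, and the consensus family, rather than any one vendor's label, is what to search for in vendor write-ups.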

#7 (Guest)

From: <jchorvath@gmail.com>
| And the results for hloader_exe.exe
| [VirusTotal report for hloader_exe.exe quoted in full from post #6]

And here is the tool to check your PC...

Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter { http://kixtart.org Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one Link (.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will simplify the process of using the Sophos, Trend, Kaspersky and McAfee Anti Virus Command Line Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }

This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files, or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot], re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

http://www.ik-cs.com/multi-av.htm

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#8 (Guest)

On that special day, (jchorvath@gmail.com) said...

> Here are the results for antiav_exe.exe... very interesting how some
> sites find it and others don't...
....
> BitDefender 7.2 11.02.2005 Win32.Bagle.EF@mm
....
> DrWeb 4.33 11.02.2005 Win32.HLLM.Beagle.38912
....
> Fortinet 2.48.0.0 11.02.2005 W32/Bagle.EH-mm
....
> Ikarus 0.2.59.0 11.02.2005 Email-Worm.Win32.Bagle.EE
> Kaspersky 4.0.2.24 11.02.2005 Email-Worm.Win32.Bagle.eh
> McAfee 4618 11.02.2005 W32/Bagle.gen
....
> Panda 8.02.00 11.02.2005 Trj/Mitglieder.FM
> Sophos 3.99.0 11.02.2005 Troj/BagleDl-AA
....
> TheHacker 5.9.1.027 11.02.2005 W32/Bagle.gen
....

One of six today... see
http://isc.sans.org/diary.php?storyid=816

Gabriele Neukam
Gabriele.Spamfighter.Neukam@t-online.de

--
Ah, Information. A property, too valuable these days, to give it away, just so, at no cost.

#9 (Guest)

SIZEMOREMK wrote:
> I have this problem just over the last hour also, I believe it is a
> virus also, removing it didn't work for me, any suggestions?
>
> Did you remove anything else along with it?

In MSCONFIG, uncheck the antiav and hloader boxes (Startup tab), reboot, and log in to the same account. You should be ok to work. I noticed that if I log in to a different account, those files are checked at startup again (and have also replaced themselves in the registry).

Symantec says: http://symantec.com/avcenter/venc/d...n.lodear.b.html

Trying it now to see if that does the trick on full removal.

#10 (Guest)

ISSUE: PC has been infected with the antiav and hloader virus.

SYMPTOMS: Loss of control and/or icons, blue screen, accounts no longer work. The reason why antivirus software doesn't catch it is because the first thing it does upon infection is attempt to shut down any antivirus software it finds on the host.

RESOLUTION:
Click Start, then Run. Type msconfig, then hit Enter.
Select the Startup tab.
Verify that antiav and hloader are in the startup list and both of them have check marks next to them. This verifies that these two viruses are actually causing the problem.
Browse to C:\Windows\System32 and delete the following 3 files:
  antiav_dll.dll
  antiav_exe.exe
  hloader_dll.dll
Close that window.
Click Start, then Run. Type regedit, then hit Enter.
Browse to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete the following 2 keys:
  auto_antiav_key
  auto_hloader_key
Browse to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete the following 2 keys:
  auto_antiav_key
  auto_hloader_key
Close the registry.
Click Start, then Run. Type msconfig, then hit Enter.
Select the Startup tab.
Verify that neither antiav nor hloader is in the startup list.

NOTES: The steps listed in the resolution are the steps necessary to perform the ultimate goal of removing the virus. However, in order to be able to perform those steps, you may need to perform preliminary steps such as booting into Safe Mode.

The symptoms of these two viruses are varied. I have seen blue screens (not the blue screen of death), I have seen icons disappear, I have seen user accounts get locked out, I have seen passwords changed, etc. If your case is one in which the user account has been locked out, you will need to use a lockout utility disk that you can boot from and change the SAM account with. If the password has changed, you will need a password resetting utility... UNLESS the PC is using EFS (Encrypted File Systems). If the PC is using EFS and you use a password reset utility, YOU WILL LOSE ALL ENCRYPTED DATA!!! In that scenario you must use a password discovery utility to find out what the password has been changed to, then use that password to log in to Safe Mode, then perform the steps listed in the resolution portion.

--DrifterKona, Security+
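An audit of the locations post #10 touches, covering post #9's observation that the entries come back under another account (HKCU is per user, so each profile's Run key has to be checked), as an added example that is not the poster's procedure: it reports and deletes nothing, so the deletions stay a manual step. The value and file names come from posts #1 and #10. Everything else is my assumption for this example: that XP's msconfig parks an unchecked item under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg rather than deleting it (one subkey per item with a "command" value), the auto_<x>_key / <x>_exe.exe pattern that generalises the pair, and the constructed SAMPLE_ENTRIES. On Windows it reads the live registry through winreg; elsewhere it runs the same matching against the sample so the logic can be tried offline.

```python
"""Report auto-start entries and files matching this thread's indicators.

Added example, not the poster's procedure: reports only, deletes nothing.
SUSPECT_* names are from posts #1 and #10; the startupreg key, the
auto_<x>_key pattern and SAMPLE_ENTRIES are assumptions made for this example.
"""
import os
import re
import sys

# (hive, key): the two Run keys from post #10, plus where XP's msconfig parks
# unchecked items (assumed layout: one subkey per item with a "command" value).
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"),
]
SUSPECT_VALUE_NAMES = {"auto_antiav_key", "auto_hloader_key"}
SUSPECT_FILES = {"antiav_exe.exe", "antiav_dll.dll",
                 "hloader_exe.exe", "hloader_dll.dll"}
# Assumed generalisation: value auto_<x>_key launching <x>_exe.exe.
PATTERN_VALUE = re.compile(r"^auto_(\w+)_key$", re.I)
PATTERN_FILE = re.compile(r"^(\w+)_(exe|dll)\.(exe|dll)$", re.I)

# Constructed sample: two hits named in the thread, one benign Windows entry,
# one entry that only the generalised pattern catches.
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[0][1], "auto_antiav_key", r"C:\WINDOWS\system32\antiav_exe.exe"),
    ("HKCU", RUN_KEYS[1][1], "auto_hloader_key", r"C:\WINDOWS\system32\hloader_exe.exe"),
    ("HKLM", RUN_KEYS[0][1], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKCU", RUN_KEYS[1][1], "auto_other_key", r'"C:\WINDOWS\system32\other_exe.exe" /s'),
]


def exe_basename(command):
    """File name of the program a Run command launches (quotes, args dropped)."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split()[0] if command else ""
    return os.path.basename(path.replace("\\", "/"))


def find_suspects(entries):
    """entries: iterable of (hive, key, value_name, command). Returns hits."""
    hits = []
    for hive, key, name, command in entries:
        fname = exe_basename(command)
        reason = None
        if name.lower() in SUSPECT_VALUE_NAMES or fname.lower() in SUSPECT_FILES:
            reason = "name listed in this thread"
        elif PATTERN_VALUE.match(name) and PATTERN_FILE.match(fname):
            reason = "matches auto_<x>_key / <x>_exe.exe scheme"
        if reason:
            hits.append({"hive": hive, "key": key, "value": name,
                         "command": command, "reason": reason})
    return hits


def find_suspect_files(system32):
    """Paths under system32 named in SUSPECT_FILES that actually exist."""
    return [os.path.join(system32, n) for n in sorted(SUSPECT_FILES)
            if os.path.exists(os.path.join(system32, n))]


def read_run_entries():
    """Enumerate RUN_KEYS from the live registry; Windows only (winreg)."""
    import winreg  # imported here so the matching logic runs anywhere
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key absent, e.g. msconfig has never parked anything
        with key:
            if path.endswith("startupreg"):
                for i in range(winreg.QueryInfoKey(key)[0]):  # subkeys
                    sub = winreg.EnumKey(key, i)
                    try:
                        with winreg.OpenKey(key, sub) as sk:
                            cmd = winreg.QueryValueEx(sk, "command")[0]
                        out.append((hive, path + "\\" + sub, sub, str(cmd)))
                    except OSError:
                        pass
            else:
                for i in range(winreg.QueryInfoKey(key)[1]):  # values
                    name, data, _ = winreg.EnumValue(key, i)
                    out.append((hive, path, name, str(data)))
    return out


if __name__ == "__main__":
    entries = read_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for h in find_suspects(entries):
        print(f"{h['hive']}\\{h['key']} [{h['value']}] = {h['command']} <- {h['reason']}")
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    for p in find_suspect_files(system32):
        print("file present:", p)
```

Run it once per account that logs on to the machine, or with the other profiles' hives loaded, because the HKCU entries only show up for the logged-on user. A hit in the startupreg key means the item was unchecked in msconfig but never removed, which matches what post #9 saw after switching accounts.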