RyanWirth
Hello All,
One of my employees came into work yesterday saying that his laptop's
homepage was being hijacked, and favorites were being changed to porn
sites. After changing the homepage to something else, it would
automatically change back to whoispokavik.com or something like that.
Obviously a virus or spyware, so with Norton Anti 2004 right up to
date 11/25, and with Adware SE also up to date, I scanned the machine
in safe mode (no restore etc.), but it came up clean. So it's a new
version of an old virus. I check the registry and there are two
strange entries, a jslvboo.exe and a videocntl.exe, both of which I
quarantine and send to Norton. I remove the Reg values, but they pop
up again right away. So I stop their processes, and remove the
values, and it's fine. I change the names of the two files, and
reboot. I get two complaint windows on boot up saying that
"videocntl.exe" can't be found, so I think it's still in the reg
somewhere, and when I look a new value has been entered to
currentversion/run "avaadmb.exe" and a new .exe is added to the
Windows directory. When I look in that directory, I find jslvboo and
avaabmd both at 45k and about 20 others just like them. By this time,
Norton gets back to me with an updated virus def for the
videocntl.exe, the anti-virus finds it and deletes it (Nov 26, 04).
But Norton says that jsvlboo.exe is not a virus and is getting passed
to an engineer for further analysis.
The computer has two viruses then, a remake on an old download.trojan,
and a new one creating new files to keep itself up. Once the new one
is out of the registry (jslvboo and avaabmd) the web pages stop being
hijacked and its processes don't start up again, so it's done until
Norton gets an update for it. But this videocntl.exe, which is
deleted, and doesn't exist anywhere in the registry, still causes two
errors on boot up since it can't find the file.
"Unfortunately, this is worse than the virus" says my fellow employee.
So it's nowhere in the reg, and I scan the computer for anything
containing "videocntl" and I find one prefetch file (and delete it)
and two XML files responsible for the registry mods (and delete them).
But, on a reboot I still get two errors (well, one error and one
warning) looking for this removed file. I ran out of time to explore
this problem further, so I created a blank exe file called
videocntl.exe and put it in the directory so that it is not "missing"
and doesn't do any harm. Which made the errors stop coming up, and
the employee happy.
Hopefully Norton can solve the other file jslvboo.exe, before this
spreads around my office. Is anyone else experiencing these problems?
Thanks all,
Ryan Wirth
P.S. Windows XP Home all up to date (SP2 etc.)
Norton 2004
Adware SE
videocntl.exe is download.trojan
jslvboo.exe 45k not named yet
avaadmb.exe 45k not named yet
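
An added triage example, not part of Ryan's post: it takes a directory listing and the CurrentVersion\Run values, groups executables that share one exact size (the post's "both at 45k and about 20 others just like them"), and labels each Run value as pointing at a clustered file, a missing file, or neither. The listing, byte sizes, paths and every name other than the three from the post are constructed, and each Run command is assumed to be a bare, optionally quoted path.

```python
from collections import defaultdict
import ntpath

# Constructed sample data: (name, size_in_bytes) for the Windows directory and
# {value_name: command} for the Run key. Only jslvboo.exe, avaadmb.exe and
# videocntl.exe come from the post; 46080 bytes stands in for its "45k".
WINDIR = r"C:\WINDOWS"
LISTING = [
    ("explorer.exe", 1032192), ("notepad.exe", 69120), ("regedit.exe", 146432),
    ("jslvboo.exe", 46080), ("avaadmb.exe", 46080), ("qwmtrpe.exe", 46080),
    ("hbzkkod.exe", 46080), ("ulcxfia.exe", 46080),
]
RUN_VALUES = {
    "jslvboo": r"C:\WINDOWS\jslvboo.exe",
    "avaadmb": r"C:\WINDOWS\avaadmb.exe",
    "videocntl": r"C:\WINDOWS\videocntl.exe",      # file already deleted
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",   # outside the listed folder
}

def same_size_clusters(listing, min_count=3):
    """Return {size: [names]} for .exe files sharing one exact size."""
    by_size = defaultdict(list)
    for name, size in listing:
        if name.lower().endswith(".exe"):
            by_size[size].append(name.lower())
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_count}

def triage_run_values(run_values, listing, windir=WINDIR, min_count=3):
    """Label each Run value 'cluster', 'missing', 'ok' or 'unlisted'."""
    present = {name.lower() for name, _ in listing}
    clusters = same_size_clusters(listing, min_count)
    clustered = {n for names in clusters.values() for n in names}
    verdicts = {}
    for value, command in run_values.items():
        folder, exe = ntpath.split(command.strip('"'))
        exe = exe.lower()
        if folder.lower() != windir.lower():
            verdicts[value] = "unlisted"   # no listing for that folder
        elif exe not in present:
            verdicts[value] = "missing"    # autostart entry with no file behind it
        elif exe in clustered:
            verdicts[value] = "cluster"    # one of many identical-size siblings
        else:
            verdicts[value] = "ok"
    return verdicts

if __name__ == "__main__":
    for value, verdict in triage_run_values(RUN_VALUES, LISTING).items():
        print(f"{value:10} {verdict}")
```

Every file in a reported cluster is a candidate sibling, whether or not a Run value currently points at it.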