Please help

meiatenjou · Jul 16, 2007

Yup, its definitely better. I've scanned so many times with AVG and nothing came up. And AntiVir immediately detected it. Thanks for the recommendation. I'll try Kaspersky next. I'm willing to do anything to get rid of this thing, if it means i dont have to reformat.

but i thought kaspersky doesnt allow more than one anti-virus software in one computer? is it really wise to uninstall both my AVG and AntiVir?

muckshifter · Jul 16, 2007

Kaspersky is my AV/Firewall of choice ... You can "trial" for 30 days, but you will need to uninstall any and all other Antivirus programs ... the likes of SBS&D & Windows Defender are ok with KIS

I cannot guarantee Kaspersky Internet Security will win, but it is the best AV I know of ... IMHO. It ain't free.

You may want to try Stinger it may have been updated to 'see' this bugger ... the only program from McAfee I would use. READ This Bit first ... another thing I forgot to tell you to do. :blush:

I'm pretty good @ fixin if I have the PC in front of me ...

muckshifter · Jul 16, 2007

but i thought kaspersky doesnt allow more than one anti-virus software in one computer? is it really wise to uninstall both my AVG and AntiVir?

Yep ... uninstall both.

You shouldn't run two AV's on one PC, they will fight.

meiatenjou · Jul 16, 2007

lol, yeah i'm pretty sure you are. too bad you cant come over or i cant send you my comp. oh well, i'll have to deal with this on my own. i'll try everything u say, but it may take a while. ^^

muckshifter · Jul 16, 2007

I know my way to KL from Singapore ...

The airfare may be a bit out of my reach though. :lol:

meiatenjou · Jul 16, 2007

oh, you singaporean?

and here's some extra info on my little bug. AntiVir identified it as a worm with the signature WORM/Hakaglan.B . Hope thats useful in some way.

*and i checked the AntiVir log file, turns out that AntiVir couldnt delete the file because access was denied.

muckshifter · Jul 16, 2007

Nope, I'm a Scot ... but I spent some time in Singapore and made many a trip up the road to KL.

The worm makes use of an AutoIt script to spread. To further conceal its intentions it is internally compressed with the upx packer.
When looking at the file with the windows explorer, its icon looks a bit like a folder - this is just a means to get the user to doubleclick on it unkowingly.

Upon running, it runs silently , no gui messageboxes appear on the screen.

In the meantime it has already copied itself on the system as "rvhost.exe" and made registry entries to launch itself.

c:\WINNT\RVHOST.exe (268.288 byte identical to f_drive.exe)

c:\WINNT\system32\RVHOST.exe (268.288 bytes)

c:\WINNT\Tasks\At1.job ( 342 bytes)

<LI>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger"

Data: C:\WINNT\System32\RVHOST.exeIt does have some side-effects such as disabling the Windows Task Manager.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NofolderOptions"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"

Symptoms -

Presence of the "F_DRIVE.exe" and/or "rvhost.exe" , having a filesize of 268.288 bytes

Presence of registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger"
Data: C:\WINNT\System32\RVHOST.exe

It does have some side-effects such as disabling the Windows Task Manager.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NofolderOptions"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"

... told you it hides.

Have a HERE ...

Now we is getting somewhere ...

meiatenjou · Jul 16, 2007

Finally! i can run my regedit, task manager, folder options etc. ^^

i want to say that i cant thank you enough for the help. you've answered my questions fully and devotedly over the last few hours, i owe you one. if the problem ever shows up again, i'll know what to do. Once again, thank you so much. this forum has been good to me, i'll remember that.

Now, i have to go to sleep, its almost midnight here. ^^

Before that, thank you (to the infinity). phew, i really cant thank you enough.

muckshifter · Jul 16, 2007

You is welcome ... it's only 5pm here, but have a good nights sleep.

Oh, I would still tempt you into at least trying Kaspersky Internet Security out ... my opinion of AVG ain't to high.

Catch you another time ... :wave:

Please Help! Virus? Avast, Firefox, Windows update quit working	4	Jun 4, 2021
Comodo Firewall help	5	May 12, 2016
Help needed!	1	Jan 27, 2010
someone please help	4	May 26, 2007
Word Blank Word page opens before saved Doc	6	Jun 11, 2012
Disable Your Antivirus Software (Except Microsoft's)	30	Mar 7, 2017
please HELP fix my comp. im new	3	Mar 7, 2007
"cssrss.exe" - How to get rid?	2	Jun 4, 2008

Please help

meiatenjou

muckshifter

I'm not weird, I'm a limited edition.

muckshifter

I'm not weird, I'm a limited edition.

meiatenjou

muckshifter

I'm not weird, I'm a limited edition.

meiatenjou

muckshifter

I'm not weird, I'm a limited edition.

meiatenjou

muckshifter

I'm not weird, I'm a limited edition.

Ask a Question

Similar Threads