Persistent win32 valla.2048...

Status
Not open for further replies.

Akshay

Cyborg Agent
I've used rmvalla & other tools from grisoft & avast antivirus but none of them could remove the virus win32 valla 2048 entirely. It keeps coming back on reboot. Files like marco!.scr, natal.scr, iexplore.exe, iexploreupdate[1].exe, p[1].exe, alevir.exe, etc. are created on c:\ with every reboot and references to alevir, speedy.bat, marco!.scr are added to win.ini and startup. The antivirus programs also detect i-worm/opus.cb which is healed by avg but that too keeps coming back. The AV programs and definitions are up to date... I use avg in win98 and avast in xp. But valla 2048 troubles the most in win98. My system restore option is turned off.
 

sakumar79

Technomancer
Are you running the cleaning utility in safe mode? And you probably have to run the utility in win98 safe mode as well as winxp safe mode, one after the other without booting into normal mode in either os in between in order to achieve full removal... and then run once more in safe mode in both os and run scan to verify complete removal...

Arun
 

swatkat

Technomancer
Download McAfee Stinger and run it in SAFE mode.

Next, download HijackThis and unzip it to dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Run it and click the button Do a System scan and save log file. HijackThis will perform a scan and give you a log file. Copy the entire contents of the file and post it in this Section.
Don't forget to run it from the OS which is having the problems.
 

sakumar79

Technomancer
@Swatkat, I looked at McAfee Stinger's list of viruses detected and it does not include Win32/Valla.a or its old name W32/Xoro

Arun
 
OP
Akshay

Cyborg Agent
hijack this log file...

Stinger does not detect valla... I've run the rmvalla tool in safe mode in both the OS before booting in normal mode. But only win98 gives problems. I've run spybot but there are no malware or hijackers present. Most of the google links point to rmvalla but it is not helping. I've now installed symantec in xp and it cleaned up valla in win98. (This scan was done immediately after safe mode scanning in both the OS. Sys restore was off.) But on restart valla strikes back. Hijack this log file ...

Logfile of HijackThis v1.99.1
Scan saved at 10:52:28 PM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
D:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
E:\hijackthis\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [StatusClient] D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] D:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
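
As an added example (not part of the thread and not code from HijackThis): a short Python parser that extracts the autostart entries (O4, O20, O23) from a HijackThis log and compares their file names with the ones reported in the first post. The sample uses a few lines from the log above plus one constructed line; the function names are assumptions.

```python
import re

# Lines copied from the log posted above, plus ONE constructed line (the last)
# to show what a hit looks like.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
D:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O4 - HKLM\..\Run: [constructed] C:\alevir.exe
"""

# File names reported in the first post. iexplore.exe is left out because a
# legitimate program uses the same name, so a name-only match would mislead.
REPORTED = {"marco!.scr", "natal.scr", "alevir.exe", "speedy.bat",
            "p[1].exe", "iexploreupdate[1].exe"}

# HijackThis sections that describe things started automatically.
AUTOSTART = {"O4": "Run key / Startup folder",
             "O20": "Winlogon notify",
             "O23": "service"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Drive-letter path up to the first executable-style extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|bat|com|pif)(?![\w.])', re.I)

def autostart_entries(log_text):
    """Return (section, path) for every O4/O20/O23 line that names a file."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) not in AUTOSTART:
            continue  # header, process list, or a non-autostart section
        p = PATH_RE.search(m.group(2))
        if p:
            entries.append((m.group(1), p.group(0)))
    return entries

def flag_reported(entries, names=REPORTED):
    """Keep only entries whose file name is one of the reported names."""
    return [(sec, path) for sec, path in entries
            if path.rsplit("\\", 1)[-1].lower() in names]

if __name__ == "__main__":
    for sec, path in flag_reported(autostart_entries(SAMPLE_LOG)):
        print(f"{sec} ({AUTOSTART[sec]}): {path}")
```

Run against the full log above (without the constructed line), the check returns no matches. The log covers the registry and startup entries of the Windows XP installation it was taken from, not win.ini on the Windows 98 side.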
 

sakumar79

Technomancer
BTW, the .scr files appear to be from W32.Opaserv.G.Worm that Symantec says it will detect and remove with defs from 2004... Try to install NAV in win98 safe mode and scan the system...

Arun
 
OP
Akshay

Cyborg Agent
Right... avast and avg detect opas but again opas also comes back after a reboot or 2. Memory area of my sys. is clean. Now a new virus W32.Clunk.A is being detected but it is not cleaned; it is quarantined by nav. I don't know where all these viruses are coming from. I cannot use zonealarm as it interrupts my lan connection. My other sys are clean.
 

sakumar79

Technomancer
zonealarm won't interrupt your lan connection... In zonealarm, you can configure your lan computers' IP address range as Trusted source...

Arun
 