Ahh, I've been invaded!

Audioguru

Junior Member
Mar 5, 2003
23
0
0
I recently downloaded a Divx player (Nostra Divx) which came with adware. Anyhow, it turned out to be a crappy piece of software so I removed it. Adware called Weathercast remained (which was expected); however, even after complete removal of all its keys in the registry (using Regedit, Regcleaner), upon restart Weathercast reappeared. I also noticed a file in Program Files called "Krypton" which had one string located in System32. This also reappears upon restart. Neither appears in the startup file. Well, they're not visible anyway.
Help me please.

XP Pro.
 

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
type "msconfig" in your Start-Run area.

Click the startup tab and see if you see anything out of the ordinary.
 

Audioguru

Junior Member
Mar 5, 2003
23
0
0
Nothing that wasn't there before. There are only three files. One for Office, one RUNDLL32.EXE which is in System32 and ends with NVstartup (I assume that's my colour preferences for my GF2). The last is called Nwiz.exe/install. Where's Weathercaster loading from??? What's happening here? Any idea?
 

AnyMal

Lifer
Nov 21, 2001
15,780
0
76
Originally posted by: Audioguru
Nothing that wasn't there before. There are only three files. One for Office, one RUNDLL32.EXE which is in System32 and ends with NVstartup (I assume that's my colour preferences for my GF2). The last is called Nwiz.exe/install. Where's Weathercaster loading from??? What's happening here? Any idea?

Disable Nwiz, reboot and see what happens.
 

TheLogLady

Member
Apr 11, 2001
60
0
0
1) In your Add/Remove Programs list, is there an entry for WhenUshop?

2) In x:\WINDOWS\Downloaded Program Files is there a WhenUDownload class or a class of similar name?

3) Have you tried Ad-Aware or Spybot S&D?
 

Audioguru

Junior Member
Mar 5, 2003
23
0
0
Nothing in Add/Remove Programs.
Nothing in Downloaded Program Files.
I've uncovered some more info on that Krypton "file". The file name "cmd32.exe" appears in the startup section of Regcleaner; it looks a little unneeded and out of place. Right, here's the interesting bit: upon entering Regedit, under HKLM\Software the file Krypton appears. When opened, guess which file is contained within?

"HKEY_LOCAL_MACHINE\SOFTWARE\Krypton\"C:-WINDOWS-System32-cmd32.exe" However, the plot continues to thicken: I can't delete these values in Regedit; everything goes fine until I restart and they all appear again.

How can this be?

I'll try Ad-Aware and post back.

thanx
 

TheLogLady

Member
Apr 11, 2001
60
0
0
Hi audioguru,

I think you might be infected with the Worm.P2P.Tanked virus

If you go to that link you'll notice that "cmd32.exe" is one of the files that the worm creates in the system directory. It also uses "Krypton" file encryption.

You should do a full system scan with your antivirus. If it doesn't find anything, then download a different antivirus and try again or else manually remove the files and registry keys indicated in the linked page ( also remember to remove the worm copy from your KAZAA directory if you use KAZAA, so that it can't spread itself to other users).

Good luck...let us know how it goes

 

Audioguru

Junior Member
Mar 5, 2003
23
0
0
BINGO!!!!!!!!!!!!!!

Got it in one. That link tied up all the loose ends. I'm infected with the virus. I remember Kazaa Lite telling me this morning via some watchdog that the Tank virus was present and that a certain file had been quarantined. You just pieced it together for me.

I'm not currently running any antivirus software but will add some now. Will scan and post back.

cheers.
 

Audioguru

Junior Member
Mar 5, 2003
23
0
0
Spybot removed Weathercast among many other detected items, which is a start. However, Worm.P2P.Tanked still remains; I cannot delete those values mentioned in the registry, they keep reappearing when Windows restarts. As far as I'm aware, all Norton AntiVirus would do is the "for dummies" removal of these bad values in the registry, and since they reappear when restarting, what good would this do?

Does anyone have any idea why these reg values appear to be "un-deletable"?

BTW, I've made sure to always Ctrl/Alt/Del and close cmd32.exe until this thing is solved.

hit me with any info you guys have on the virus and anything related.

cheers.
 

OZEE

Senior member
Feb 23, 2001
985
0
0
Spybot or Adaware are not virus scanners... They won't find or fix your virus problem.

There are a couple of options to fix your virus...

Panda and Trend have good online scanners. I call 'em "post mortem" scanners, in that they'll scan your computer and find/fix viruses you have now, but won't keep you from getting the next one. They're free, online, and always up to date.

I strongly recommend that you install a real AV program. I recommend AVG. It too is free, easy to use, easy to update, always on...
 

TheLogLady

Member
Apr 11, 2001
60
0
0
ditto what OZEE said, you should let an antivirus app remove this. I was only recommending spybot and adaware because I initially assumed that the only problem was spyware that came with weathercast.

Any AV worth its salt should be able to remove the virus completely and permanently; i.e., it will not come back when you restart. AVG like OZEE recommended (free), AVAST Home Edition (free), or NOD32 (free 30-day trial) are some of your options.
 

Audioguru

Junior Member
Mar 5, 2003
23
0
0
Thanx very much people, you have a great response time. In fact "theloglady" knew what had infected my system before me! I'm downloading AVG 6.0 now. Thanx again.
 

Audioguru

Junior Member
Mar 5, 2003
23
0
0
This looks very bad, guys. After doing an AVG scan it appears things are worse than first thought: it identified a virus called "Worm/Kwbot" and "win32/Hantaner". According to AVG hundreds of files have been affected with these. Here's some of the scan report if it helps.

Results of Complete Test, date and time 16/04/2003 14:10:17 :

Testing C:\ serial 24E5-78C0
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\JAMES\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\JAMES\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\JAMES\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\JAMES\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\System Volume Information\_restore{C5175DA8-8CB9-4209-9F73-0A66BBADA1D1}\RP116\A0020439.EXE Virus identified Worm/Kwbot
C:\System Volume Information\_restore{C5175DA8-8CB9-4209-9F73-0A66BBADA1D1}\RP116\A0020440.EXE Virus identified Worm/Kwbot
C:\System Volume Information\_restore{C5175DA8-8CB9-4209-9F73-0A66BBADA1D1}\RP117\A0020472.EXE Virus identified Win32/Hantaner
C:\System Volume Information\_restore{C5175DA8-8CB9-4209-9F73-0A66BBADA1D1}\RP117\A0020473.EXE Virus identified Win32/Hantaner
Test finished, duration 00:07:24.6 s
12804 objects tested, 196 found infected

According to this I'm infected to the shitter, however I haven't noticed anything unusual happening. What do you people think?

cheers
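The scan report above is worth reading structurally before panicking. Two patterns in it are routine for a scan run from inside Windows, and the report's own summary line says whether the pasted excerpt is complete. As an added example (not code from the thread or from AVG; every function and name below is mine, and the embedded report is a constructed subset of the lines pasted above), this script parses that report format and sorts the results into what a practitioner actually needs to act on:

```python
"""Triage an AVG-style "Complete Test" report (added example, not AVG's code).

Assumed line formats, taken from the report pasted in the thread:
  <path> Virus identified <detection name>
  <path> Cannot open; not checked!
  <N> objects tested, <M> found infected
"""
import re
from collections import Counter

# Constructed sample: a subset of the report lines quoted in the thread.
SAMPLE_REPORT = r"""
Results of Complete Test, date and time 16/04/2003 14:10:17 :

Testing C:\ serial 24E5-78C0
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
C:\Documents and Settings\JAMES\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\JAMES\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\System Volume Information\_restore{C5175DA8-8CB9-4209-9F73-0A66BBADA1D1}\RP116\A0020439.EXE Virus identified Worm/Kwbot
C:\System Volume Information\_restore{C5175DA8-8CB9-4209-9F73-0A66BBADA1D1}\RP116\A0020440.EXE Virus identified Worm/Kwbot
C:\System Volume Information\_restore{C5175DA8-8CB9-4209-9F73-0A66BBADA1D1}\RP117\A0020472.EXE Virus identified Win32/Hantaner
Test finished, duration 00:07:24.6 s
12804 objects tested, 196 found infected
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Virus identified (?P<name>\S+)$")
SKIPPED_RE = re.compile(r"^(?P<path>.+?) Cannot open; not checked!$")
SUMMARY_RE = re.compile(r"^(?P<tested>\d+) objects tested, (?P<infected>\d+) found infected$")

# System Restore snapshot directory on Windows XP; the scanner can flag
# copies in here but cannot clean them (clearing them means purging restore points).
RESTORE_MARKER = "\\system volume information\\_restore"

# Registry hive files and their transaction logs: always in use while Windows
# runs, so "Cannot open; not checked!" on these is expected, not a finding.
HIVE_FILES = {
    "ntuser.dat", "ntuser.dat.log", "usrclass.dat", "usrclass.dat.log",
    "system", "system.log", "software", "software.log", "sam", "security", "default",
}


def parse_report(text):
    """Return infected hits, skipped objects and the scanner's own totals."""
    infected, skipped, summary = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INFECTED_RE.match(line):
            infected.append((m["path"], m["name"]))
        elif m := SKIPPED_RE.match(line):
            skipped.append(m["path"])
        elif m := SUMMARY_RE.match(line):
            summary = (int(m["tested"]), int(m["infected"]))
    return {"infected": infected, "skipped": skipped, "summary": summary}


def is_restore_point(path):
    return RESTORE_MARKER in path.lower()


def is_registry_hive(path):
    # Windows paths: split on backslash rather than using os.path (works on any host).
    return path.rsplit("\\", 1)[-1].lower() in HIVE_FILES


def triage(report):
    """Sort hits by where they live, which decides how each one is dealt with."""
    hits = report["infected"]
    total = report["summary"][1] if report["summary"] else None
    return {
        "families": dict(Counter(name for _, name in hits)),
        "restore_point_hits": [p for p, _ in hits if is_restore_point(p)],
        "live_hits": [p for p, _ in hits if not is_restore_point(p)],
        "locked_hives": [p for p in report["skipped"] if is_registry_hive(p)],
        "other_unscanned": [p for p in report["skipped"] if not is_registry_hive(p)],
        "listed_infections": len(hits),
        "reported_infections": total,
        # Fewer listed hits than the summary claims means the excerpt is incomplete.
        "report_truncated": total is not None and len(hits) < total,
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run on the excerpt above, every "Virus identified" hit sits under `System Volume Information\_restore`, i.e. in System Restore snapshots rather than in a file the system actually executes, and every "Cannot open" line is an in-use registry hive. The summary reports 196 infections against the handful pasted, so the script flags the excerpt as truncated; the full report is what shows where the live copies (the shared KaZaA folder, per the reply below it) are.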
 

TheLogLady

Member
Apr 11, 2001
60
0
0
hantaner and kwbot are both viruses that are spread through the KaZaA network.

kwbot

hantaner AKA handy

They most likely have infected all of the files in your KaZaA shared folder.

You can see if AVG is able to disinfect the infected files. My parents had over 8,000 infected files on their PC and AVG was able to disinfect them all, although it was a different type of virus. If it can't fix them, you'll have to delete the files.

Let AVG fix what it can and then examine the report from the disinfection process. If it says that all disinfection was successful, then restart your computer and do another full system scan. Maybe even scan with a different virus scanner, like one of the online scanners OZEE recommended.

good luck