Solved

Virus Passma.B

Posted on 2006-05-23
583 Views
Last Modified: 2008-01-09
How can I get rid of this Passma.B virus? It keeps coming back onto both my 98 and XP machines, and whenever I run PC-cillin antivirus in Win98 and AVG in XP respectively, it shows that 300+ files are infected with this virus and then cleans them. But on the next reboot it all comes back to life. What can I do to get rid of these? It really affects my work. Thanks in advance.

Question by:ranjithbalan
16 Comments
 
LVL 11

Expert Comment

by:kelvinwkw
ID: 16741100
Create an emergency disk,
boot the emergency disk and remove the virus.

Or get this
http://ultimatebootcd.com/

boot the cd and select the antivirus tool

Regards
Kelvin

0
 
LVL 11

Expert Comment

by:kelvinwkw
ID: 16741109
The reason not to do a scan while you are in Windows is that the virus might be loaded into memory
and keep spreading. Thus the viable way is to run a virus scan before you are in the Windows environment.

Regards
Kelvin
0
 
LVL 32

Expert Comment

by:r-k
ID: 16744873
Do the following. Start with the XP machine:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
0
LVL 4

Accepted Solution

by: Purple_Sky (earned 1000 total points)
ID: 16748192
Great info and instructions here ----> http://www.symantec.com/avcenter/venc/data/w32.passma.html

Maybe your scanner doesn't pick up the infected registry entry that brings the virus back. Read the whole article about the infection; it gives you information about deleting the value from the registry too.
0
 

Author Comment

by:ranjithbalan
ID: 16940866
Hi, thanks for the comments. I tried all possible ways as you suggested. I tried running both PC-cillin and Norton 2003 from safe mode, and in fact Norton deleted all 900+ exe files which were infected, and the next thing after reboot was PC-cillin detecting the Passma virus. I am left with the format option only... any more help before formatting would be greatly appreciated... I already lost too many exe files.
I couldn't find the registry entry for the virus. Will it be a problem if I remove whatever entry the virus is making in the registry?
0
 
LVL 32

Expert Comment

by:r-k
ID: 16943007
"i could n't find the registry entry for the virus"

That is where it might be helpful to post the HJT log as I suggested above. It is better to do that if you're not sure about which Registry entries to delete.
0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16943077
Please run ewido: www.ewido.net
BitDefender online scan: www.bitdefender.com
Panda ActiveScan @ http://www.pandasoftware.com/products/activescan.htm
Kaspersky online scan @ www.kaspersky.com, and post us the resulting log along with the HJT log.
0
 

Author Comment

by:ranjithbalan
ID: 16948563
Hi, thanks again.
Will post the HJT log ASAP, in 3-4 days, as I am a bit away from home.

Ranjith
0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16951611
No problem at all. We will be here to help.
0
 

Author Comment

by:ranjithbalan
ID: 16979696
Hi,

HJT log is pasted below. Thanks for the help. I could not run ewido as I am solving a 98 m/c and ewido supports only 2000 and above.

Logfile of HijackThis v1.99.1
Scan saved at 12:13:05 AM, on 6/26/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.HWD
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SERVICEMGR.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\TWEAKMASTER\TMTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.HWD
C:\PROGRAM FILES\DU METER\DUMETER.HWD
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\SOFTWARE\FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {C69B7B71-B2CE-83F6-61B9-D762F6B1BE40} - (no file)
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TWEAKBHO.DLL
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DU Meter] C:\PROGRAM FILES\DU METER\DUMETER.HWD
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TweakMASTER] C:\PROGRAM FILES\TWEAKMASTER\TMTray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [Service Manager] C:\WINDOWS\SYSTEM\SERVICEMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TWEAKBHO.DLL/IESCRIPT
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {11111111-1111-1111-1111-111111113458} -

0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16987465
Let HJT fix the following:

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O4 - HKLM\..\Run: [TweakMASTER] C:\PROGRAM FILES\TWEAKMASTER\TMTray.exe
O4 - HKLM\..\Run: [Service Manager] C:\WINDOWS\SYSTEM\SERVICEMGR.EXE
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TWEAKBHO.DLL/IESCRIPT
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {11111111-1111-1111-1111-111111113458} -



Please run Panda ActiveScan and BitDefender online scan and let them clean what they find. Then do a Kaspersky online scan and delete whatever is found.
0
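Purple_Sky's earlier point (the registry entry that relaunches the virus at every boot) and the review of the O2/O4/O16 lines of the posted HJT log above can both be done mechanically. The following is an added example, not code from this thread and not part of HijackThis: a small Python parser for the O2 (BHO), O4 (Run/RunServices) and O16 (DPF) lines of an HJT log that flags orphaned BHO and DPF entries and any auto-start entry that is not on a known-good list. The `KNOWN_GOOD_RUN` allowlist, the `SAMPLE_LOG` lines and the function names are constructed for this example; the allowlist is an assumption to tune per machine, not an authoritative list.

```python
import re
from typing import Dict, List

# Constructed allowlist of Run/RunServices value names that are normal on a
# Windows 98 box (assumption for this example; tune it to the machine being
# examined, it is not an authoritative list).
KNOWN_GOOD_RUN = {
    "scanregistry", "taskmonitor", "systemtray",
    "loadpowerprofile", "schedulingagent",
}

# Line shapes used by HijackThis 1.99 for the three sections examined here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} -\s*(?P<url>.*)$")

# Constructed sample in the style of the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Service Manager] C:\WINDOWS\SYSTEM\SERVICEMGR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {11111111-1111-1111-1111-111111113458} -
"""


def first_executable(cmd: str) -> str:
    """Return the program part of a Run-key command line, lower-cased.

    Handles both bare paths ("C:\\WINDOWS\\x.exe /flag") and quoted paths
    with spaces ("\"C:\\Program Files\\x.exe\" /flag").
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower() if cmd else ""


def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Parse O2/O4/O16 lines into dicts; every other line is ignored."""
    entries: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O16", O16_RE)):
            m = rx.match(line)
            if m:
                entry = {"kind": kind, "line": line}
                entry.update(m.groupdict())
                entries.append(entry)
                break
    return entries


def triage(log: str, allowlist=KNOWN_GOOD_RUN) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at, each with a reason."""
    findings: List[Dict[str, str]] = []
    for e in parse_hjt(log):
        if e["kind"] == "O2" and e["target"].strip().lower() == "(no file)":
            findings.append({"line": e["line"],
                             "reason": "BHO registered but its DLL is missing (orphaned entry, nothing loads from it)"})
        elif e["kind"] == "O4" and e["name"].lower() not in allowlist:
            reason = "auto-start entry not on the known-good list"
            if "\\windows\\system\\" in first_executable(e["cmd"]):
                # Fixing the O4 line only removes the auto-start value; the
                # executable stays on disk, so identify/scan it as well.
                reason += "; runs from the system folder, identify and scan the file before deciding"
            findings.append({"line": e["line"], "reason": reason})
        elif e["kind"] == "O16" and not e["url"]:
            findings.append({"line": e["line"],
                             "reason": "DPF entry with no download URL (orphaned entry)"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the constructed sample, the helper reports three lines: the IDM Helper BHO with no file, the unknown "Service Manager" entry that starts from C:\WINDOWS\SYSTEM, and the DPF entry with no URL, which matches the kind of list an expert builds by hand. The allowlist approach is the point: on a Win98 box the set of legitimate Run values is small and stable, so anything outside it is what a reviewer reads first.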
 

Author Comment

by:ranjithbalan
ID: 16990459
Hi Purple_sky,

Thanks. I will do as you suggested. Before that, please tell me if there are any alternatives to online scans. This is because I have a dial-up connection and online scans will take a lot of time. I can actually download trial versions of these antiviruses from a friend's m/c who has a broadband connection. Would that do the job, if I run these scans after downloading the applications?

thanks
Ranjith
0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16993280
Indeed they take a great deal of time even with a broadband connection. Online scans are extremely powerful and efficient; that's why I recommended those. I would not use the trial versions of AV software, as the removal process of those may cause problems. Do not have more than one AV software installed at any time. You may take your computer to a friend's place where you can get online with broadband.

You can try :

adaware
spybot
counterspy
older versions of spysweeper
a square

all are available @ majorgeeks.com

0
 

Author Comment

by:ranjithbalan
ID: 16998847
OK, I will do that and post the results ASAP.
Thanks

Ranjith
0
 

Author Comment

by:ranjithbalan
ID: 17029851
Purple_Sky,

You asked me to fix those entries with HJT, and I did it. Now my Win98 is dead and I will have to format the C drive and reinstall Win98. In fact I trusted your advice and paid the price.

Ranjith
0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 17031257
Sorry to hear that, but fixing none of those entries would corrupt or crash an OS.
0