International forum




11-25-2004, 10:12 PM   #1
femuse (Senior International Member)
Join Date: Oct 2004
Posts: 209
I got a virus_here

HELP ! ! ! ! !

On Nov 19, 13.03 my time, i.e. 19.03 in France.

I definitively tracked it down from a link I accessed from this site.

Anybody else reported that? How do I get rid of it?

I use AVG free version and it looks like it is unable to do it. It deleted one labelled "virus", and left this one:

in C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\UXOHGJE5
Trojan Horse. Downloader Agent.3.OB mmviewer_101[1].cab : "infected - embedded object"

It looks like it is fairly well known.

I think it comes from my clicking on Kajtek's signature "un peu de musique?". I found a pop-up I got at the same time as the virus: thisdaythatyear.com

I won't try to go there again. Maybe Kajtek could let us know if thisdaythatyear.com has anything to do with his signature. Did I reach that from another link on this site?
thisdaythatyear.com MAY BE responsible, but I am not trying to blame somebody here - I am just trying to heal my computer.



In C:\WINDOWS\Local Settings\......\27EL6XS5
I found: "Catoa19z.htm", here is its content: [I tried to break everything into little pieces to make it safe]


*** Code Download Log entry (19 Nov 2004 @ 13:03:38) ***

Code Download Error: (hr = 800b0004) Trust verification failed!!

Operation failed. Detailed Information:

CodeBase: http:

//fad-408.mtl4.targetnet.com/ad/id=vijaykittu&opt=hkj
&pt=13735638087446892303&pfin=HSAHF5RIAKNK&
cv=210&uid=1218803726&url=http:
//www.ouchvideo.com/mmviewer_101.cab



CLSID: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B}

Extension:

Type:

LOG: Reporting Code Download Completion: (hr:800b0004 (FAILED), CLASSID: ebbd88e5..., szCODE:
(http://fad-408.mtl4.targetnet.com/ad...kittu&opt=hkj&
pt=13735638087446892303&pfin=HSAHF5RIAKNK&cv=
210&uid=1218803726&url=http:
//www.ouchvideo.com/mmviewer_101.cab), MainType:
((null), MainExt:
(null))

--- Detailed Error Log Follows ---

LOG: Download OnStopBinding called (hrStatus = 0 / hrResponseHdr = 0).

LOG: URL Download Complete: hrStatus:0, hrOSB:800b0004, hrResponseHdr:0, URL:
(http://fad-408.mtl4.targetnet.com/ad/id=vijaykittu&
opt=hkj&pt=13735638087446892303&
pfin=HSAHF5RIAKNK&cv=210&uid=1218803726&
url=http:
//www.ouchvideo.com/mmviewer_101.cab)

LOG: Reporting Code Download Completion: (hr:800b0004 (FAILED), CLASSID: ebbd88e5..., szCODE:
(http://fad-408.mtl4.targetnet.com/ad/id=vijaykittu&
opt=hkj&pt=13735638087446892303&
pfin=HSAHF5RIAKNK&cv=210&uid=1218803726&
url=http:
//www.ouchvideo.com/mmviewer_101.cab), MainType:
(null), MainExt:
(null))


I don't know a thing about computers, but I wonder: "Trust verification failed!!" could that mean it is not really an active virus ?

... and the one deleted by AVG was inst201[1].exe
in C:\WINDOWS\Local Settings\......\SRUZ2F2X

Does that mean the virus is now disabled ?

HELP ! ! ! ! !




(Offline)   Reply With Quote
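An added example, not part of any post in this thread: a small Python parser for an Internet Explorer Code Download Log entry of the kind quoted in post #1, which rejoins the wrapped CodeBase URL, pulls out the payload carried in the redirector's `url=` parameter, and names the HRESULT (0x800B0004 is TRUST_E_SUBJECT_NOT_TRUSTED). The sample log is constructed, with placeholder hosts and CLSID; `parse_entry` and its field names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of the log quoted above; hosts and CLSID are placeholders.
SAMPLE = """*** Code Download Log entry (19 Nov 2004 @ 13:03:38) ***
Code Download Error: (hr = 800b0004) Trust verification failed!!
Operation failed. Detailed Information:
CodeBase: http:
//ads.example.invalid/ad/id=abc&opt=hkj
&cv=210&url=http:
//files.example.invalid/viewer_101.cab
CLSID: {00000000-1111-2222-3333-444444444444}
LOG: URL Download Complete: hrStatus:0, hrOSB:800b0004, hrResponseHdr:0, URL:
(http://ads.example.invalid/ad/id=abc&opt=hkj&cv=210&url=http:
//files.example.invalid/viewer_101.cab)
"""

# Trust and certificate HRESULTs (FACILITY_CERT) as defined in winerror.h.
TRUST_HRESULTS = {
    0x800B0004: "TRUST_E_SUBJECT_NOT_TRUSTED",
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

def parse_entry(text):
    """Return the triage-relevant fields of one Code Download Log entry."""
    m = re.search(r"\(hr = ([0-9a-fA-F]{8})\)", text)
    if not m:
        raise ValueError("no 'hr = ' field: not a Code Download Log entry")
    hr = int(m.group(1), 16)
    clsid = re.search(r"CLSID:\s*(\{[0-9A-Fa-f-]{36}\})", text)
    # The CodeBase value may be wrapped over several lines: take everything
    # up to the CLSID line and strip the whitespace to rebuild one URL.
    cb = re.search(r"CodeBase:(.*?)(?=^CLSID:)", text, re.S | re.M)
    codebase = re.sub(r"\s+", "", cb.group(1)) if cb else ""
    # An ad redirector carries the real download in a trailing url= parameter.
    payload = codebase.split("url=", 1)[1] if "url=" in codebase else codebase
    return {
        "hresult": hr,
        "hresult_name": TRUST_HRESULTS.get(hr, "UNKNOWN"),
        "failed": bool(hr & 0x80000000),  # severity bit set means failure
        "clsid": clsid.group(1) if clsid else None,
        "redirector_host": urlsplit(codebase).hostname,
        "payload_host": urlsplit(payload).hostname,
        "payload_file": urlsplit(payload).path.rsplit("/", 1)[-1],
    }

if __name__ == "__main__":
    print(parse_entry(SAMPLE))
```

The HRESULT describes only the outcome of that one install attempt; the downloaded .cab can still be sitting in the browser cache, which is where the antivirus report in the post found it.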
11-25-2004, 10:37 PM   #2
Nani (Super Moderator)
Join Date: Nov 2004
Posts: 1,439

Try to delete your temporary files ... then scan your computer with the antivirus you have ... when you scan it, it should be cleaned after you have emptied your temporary files.
What version of Windows are you using?
11-25-2004, 10:47 PM   #3
bernhard
Join Date: Nov 2003
Location: warsaw
Posts: 2,275
Blog Entries: 10

First of all, use Firefox to browse the web, as IE has many security flaws.

Do you have Windows XP? Is your Windows version up to date?
__________________
Bernhard
(Admin)

suggestions ?
11-25-2004, 10:52 PM   #4
bernhard
Join Date: Nov 2003
Location: warsaw
Posts: 2,275
Blog Entries: 10

The link you speak of, thisdaythatyear.com, has no relation with http://www.baaba.terra.pl/, the site of the signature of Kajtek; I just checked it precisely. No calls for other sites or for dangerous software... but first of all do as Nani said.
__________________
Bernhard
(Admin)

suggestions ?
11-25-2004, 10:58 PM   #5
kajtek (just kajtek)
Join Date: Apr 2004
Location: Warsaw (hip hip hurray)
Posts: 1,304

Quote:
Originally Posted by femuse
Maybe Kajtek could let us know if thisdaythatyear.com has anything to do with his signature. Did I reach that from another link on this site?
thisdaythatyear.com MAY BE responsible, but I am not trying to blame somebody here - I am just trying to heal my computer.


Maybe Kajtek could not let you know because he/she doesn't know what you are talking about. The link in Kajtek's signature is clear.
But he/she thinks you shouldn't open this link: it is not a kind of music that you would appreciate.
__________________
*think well if you really would say that in your language to the person who could understand you

it's just one of millions forums, nothing else


musique in the air
11-25-2004, 11:15 PM   #6
femuse (Senior International Member)
Join Date: Oct 2004
Posts: 209

First:

I did not say it was directly from Kajtek's signature. Sorry, this being a live link, I thought it was meant to be clicked [by the way, I am in the music business, that was why I was interested in checking it]

I said "I am sure it was from a pop-up I got from clicking on a link - not from the link itself". That link could have been hijacked without the owner knowing about it.

Next:


I have win98 SE.

We have "moved" the offending file , replacing it with a dummy one (same name - harmless).

Now, the antivirus program does not find any virus in Content.IE5. But, I don't trust that something is left behind.

We have temporarily moved the "real" mmviewer_101[1].cab to "C:\Temp" until we are sure it can be safely deleted.
Can it now be deleted safely?

Thank you all for your prompt answers.