I apparently have the w32.hllw.acebo virus in my win 98 version 2 computer. Norton 2002 with the latest updates does not detect the virus during a full scan. In fact I wouldn't know I had the virus except that every few days I get a norton alert saying that file tssg.exe is infected. I quarantine the file and I semm to be ok for a couple of days. I'm concerned that something worse will happen unless I can stop the virus from continuing. Is there something in startup or the register that needs to be deleted? I don't see anything unusual in either place.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Acebo Virus Problem
- Thread starter billnees
- Start date
Read this page:
I went back and took another look at your Startlog from your netbus thread. This entry looked suspicious to me but I wasn't sure what it was:
"EN60C Taskbar"="C:\\WINDOWS\\SYSTEM\\\\EN60CTB.EXE"
Do you know what that is? If not it may have been put there by the W32.HLLW.Acebo trojan you say you have. Symantec says:
--------
When W32.HLLW.Acebo is executed, it does the following: It copies itself to the \Windows\System folder using a random file name; for example, C:\Windows\System\Elrdvrp.exe. It then deletes the original Trojan file. It then adds a value that refers to the dropped file; for example,
Microsoft Diagnostic C:\Windows\System\Elrdvrp.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
--------
So, that 'EN60C Taskbar' entry at your Run registry key and EN60CTB.EXE may be the "random file name" that the trojan created.
Click start--run--type msconfig--ok--open the startup tab and uncheck that EN60C Taskbar entry then click ok and restart. After restarting find EN60CTB.EXE and delete it into the recycle bin for now. If it won't let you delete it then restart into safe mode and do it from there. Then go here and run an online virus scan:
Does it detect anything? I'm guessing it won't if you deleted EN60CTB.EXE. Let us know.
I went back and took another look at your Startlog from your netbus thread. This entry looked suspicious to me but I wasn't sure what it was:
"EN60C Taskbar"="C:\\WINDOWS\\SYSTEM\\\\EN60CTB.EXE"
Do you know what that is? If not it may have been put there by the W32.HLLW.Acebo trojan you say you have. Symantec says:
--------
When W32.HLLW.Acebo is executed, it does the following: It copies itself to the \Windows\System folder using a random file name; for example, C:\Windows\System\Elrdvrp.exe. It then deletes the original Trojan file. It then adds a value that refers to the dropped file; for example,
Microsoft Diagnostic C:\Windows\System\Elrdvrp.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
--------
So, that 'EN60C Taskbar' entry at your Run registry key and EN60CTB.EXE may be the "random file name" that the trojan created.
Click start--run--type msconfig--ok--open the startup tab and uncheck that EN60C Taskbar entry then click ok and restart. After restarting find EN60CTB.EXE and delete it into the recycle bin for now. If it won't let you delete it then restart into safe mode and do it from there. Then go here and run an online virus scan:
Does it detect anything? I'm guessing it won't if you deleted EN60CTB.EXE. Let us know.
After doing all that run Startlog.com again and post the new results here.
- Thread starter
- #4
Oh I see. Well, there's nothing else in your Startlog that points to that trojan that I can see. If you were infected it should show it there. I'm wondering if you got tssg.exe by visiting some website or through Messenger? Do you visit warez sites? Was tssg.exe found in the temporary internet files folder? If so you got it by visiting a website and Norton alerted you to it and blocked it from executing. If you run another Startlog, does anything new show up in the first part where it says '1. HKLM Run - Registry'? If you were infected by the acebo trojan it should show there. In what folder is Norton finding tssg.exe?
Did you run the online scan? If it doesn't detect anything then you're clean.
Did you run the online scan? If it doesn't detect anything then you're clean.
- Thread starter
- #6
I think the problem may be my home network. I read some more on the subject and apparently if the other computer is infected it could be infecting this one. I never use the other computers myself and nobody told me they had problems but I'd better check. Will do that today and let you know the results.
I looked in my Norton Quarantine files and the tssg was found in windows\start menu\programs\startup. As I said before it's gone now but it will mysteriously reappear soon. So it's probable the network.
I looked in my Norton Quarantine files and the tssg was found in windows\start menu\programs\startup. As I said before it's gone now but it will mysteriously reappear soon. So it's probable the network.
- Status
Similar threads
- Locked
- Question