Author Topic: Normal or thorough scan? The CIH-Monaa virus?  (Read 16002 times)

fkj

  • Guest
Normal or thorough scan? The CIH-Monaa virus?
« on: November 09, 2003, 03:46:57 PM »
Hi guys

I just tried avast! on another computer. First I made a normal scan and it found 3 files with the Win32:CIH-Monaa virus. I quarantined the files and then I tried a thorough scan. To my big surprise it then found one more file with the Win:CIH-Monaa virus, why?

Also I can't find any information on the Win:CIH-Monaa virus at all. What does the Monaa stand for? I have found it on two computers now, both were running Norton AV before avast!

I'm just a bit puzzled ;D

~Frank

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #1 on: November 09, 2003, 03:51:32 PM »
Hi guys

I just tried avast! on another computer. First I made a normal scan and it found 3 files with the Win32:CIH-Monaa virus. I quarantined the files and then I tried a thorough scan. To my big surprise it then found one more file with the Win:CIH-Monaa virus, why?

Also I can't find any information on the Win:CIH-Monaa virus at all. What does the Monaa stand for? I have found it on two computers now, both were running Norton AV before avast!

I'm just a bit puzzled ;D

~Frank

Norton before avast!  >:(
Did you format your HDD prior to installing avast! ?

If not, maybe some virus could not be caught by avast! because Norton corrupts the Registry. Do you need some help? ;)
The best things in life are free.

fkj

  • Guest
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #2 on: November 09, 2003, 04:18:15 PM »
I only heard about avast! a few days ago ;D And no, I didn't format my HD, just uninstalled Norton and installed avast!

Help with what? To clear up the registry? I don't understand how Norton can prevent avast! from working ??? but if that's true, that sucks >:( Maybe I need some help, I don't know... ;D

~Frank

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #3 on: November 09, 2003, 04:19:45 PM »
You may test one or more of these files here: http://www.kaspersky.com/remoteviruschk.html
But I think it is a kind of false alarm / corrupted sample.


http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Win32%3ACIH-Monaa&product=1
MfG Ralf

fkj

  • Guest
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #4 on: November 09, 2003, 04:23:36 PM »
Oh, it looks like it's just old remnants from a CIH virus. Good to know :)

~Frank

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #5 on: November 09, 2003, 10:10:23 PM »
I only heard about avast! a few days ago ;D And no, I didn't format my HD, just uninstalled Norton and installed avast!

Help with what? To clear up the registry? I don't understand how Norton can prevent avast! from working ??? but if that's true, that sucks >:( Maybe I need some help, I don't know... ;D

~Frank

Frank, I'm very pleased to post for the 1000th time!  ;D

Oooohhh, noooooo.... Norton again!!! Get away from it!!! Do not install more than one antivirus program (resident).
Norton is the monster of the monsters... Never gets out of the registry... unless a lot of work can be done... But be happy, I'm here because I got rid of Norton, after Vlk and Kubecj's precious help, a lot of lost hours... But I'm here, I'm avast! To get rid of Norton is one of the most difficult things on earth!

The main reason installation fails or systems freeze when using new AV programs is the inability of the old ones to uninstall properly. I have had to dig up removal tools for Norton before anything would operate properly. This is not an avast issue, Kaspersky, McAfee and even Grisoft (e-mail plugin) have their own unique uninstall issues as well.

I'll post the 'saga'... Take a deep breath  8)

The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #6 on: November 09, 2003, 10:11:57 PM »
Norton Uninstalling

1. Use the Control Panel > Install/Uninstall Applications applet to remove Norton Antivirus (NAV) (it's not necessary to remove other applications from Norton SystemWorks, not even LiveUpdate or LiveRegistration). The uninstallation routine in Control Panel is not sufficient to remove NAV 2000/2001/2002/2003 (and probably 2004, which I never tested and will not! I have been running Norton's antivirus 4 years and no more!). For some reason that does not remove the program software completely, they recommend the download of a special program (see third step). In any case, it would probably be best to recommend that former NAV users consider uninstalling that software before installing avast! (see sixth step).

2. Boot.

3. Use RNAV2003 or this link to download and then remove traces of NAV in your registry: for removing the most fastidious at clearing out the vestiges of the software and sparing users' headaches. Download and run the application. If you have already done the first step, choose 'No' to continue.

4. Boot.

5. Do not remove the Registry keys manually or using other software, it's not necessary (by now) and may be dangerous. But, if you want and do not feel uncomfortable walking through the Windows registry and deleting the many left-behind entries, there are some good registry cleaners available to aid in complete removal of these. Reg Cleaner is a good one but it is Shareware (you can run it once to do its job). Other links and applications can be found here at the section Registry Tools. For Windows 98, I recommend RegClean.
If you have time, you can read more at this Windows Registry Guide.

6. Install avast! (answer 'Yes' for the presence of another av, in this case traces of NAV). Starting with version 4.0.172, there is a functionality in avast! Setup to detect and warn of the presence of Norton Antivirus installed on the target machine.

7. Boot.

8. You will have to change the Registry keys "corrupted" by NAV (especially the following keys):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\VirtualDeviceDrivers
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\VirtualDeviceDrivers

Do you see any Symantec driver listed here? Is the avast! driver listed? If not, you are not protected under DOS (cmd window). I do recommend the freeware Registrar Lite to browse the Registry. It's a Freeware!

The solution is manually editing these Registry keys (corrupted by Symantec products or RNAV2003: see rnav_log.txt which is generated by the application):

   A Registry key must have this format: string,0,string,0,string,0,...,0,0
   But in my case it looks like some idiotic program did:
   string,0,0,string,0,string,0,0

   You may have to export the key to a file, remove one zero from the first double zeros.
   Be sure the strings end with double zeros.
   Then import it back and reboot.
   You should then see there the record for \<avast directory>\aswMonVd.dll similar to this:

   Key name: HKLM\SYSTEM\ControlSet001\Control\VirtualDeviceDrivers
   Value name: VDD
   Type: REG_MULTI_SZ
   Type number: 00000007
   Text: \<avast directory>\aswMonVd.dll

   There must be the aswMonVD.dll in your avast directory too.



   (Note: the first thing the avast team thought was that the aswmonds.sys resident driver for DOS was not correctly registered in Windows. This is correct but, at that time, we didn't know the cause. We tried to edit the file C:\Windows\System32\Config.nt that looks like:
   dos=high, umb
   device=%SystemRoot%\system32\himem.sys
   files=40
   device=\<avast directory>\aswmonds.sys

   If the user set the last line as a comment: REM device=\<avast directory>\aswmonds.sys

   The cmd window will work and DOS programs too (see letters a) and b) above). But, the DOS resident driver wouldn't be loaded and the computer would not be completely protected against viruses. The symptoms of this were:

   a) in a cmd window it was forbidden to use DOS programs (16-bit). The user just gets the prompt after the command and nothing happens, e.g.:
   C:\pkunzip -n *.zip {enter}
   C:\
   By the way, with the WinZip Command Line 1.1 Beta1 the same effect was noted. This application is the command line version of WinZip 9.0 Beta (www.winzip.com)

   b) the cmd window just does not 'change' its name with the command. For example, in AutoIt 2.64 scripts (the best macro maker for Windows, thanks to Jonathan Bennett), sending a 'Run' command to cmd windows (e.g.: Run, C:\\pkzip.exe -n *.zip  or  RunWait, %COMSPEC% /C copy c:\\*.zip a:\\,, hide), the cmd window remains with the title C:\Windows\System32\cmd.exe). The commands (programs) are not executed!


9. At last (after the boot), make an eicar.com test (see links here).

10. For me, this adventure was enough and works. Good luck and pray!
The best things in life are free.
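
Added example (not part of the original post, and not avast! or Symantec code): step 8 above describes a multi-string value that must read string,0,string,0,...,0,0 and one broken by an extra zero in the middle. The Python sketch below decodes a `hex(7)` value from an exported .reg file, reports that layout problem, and rebuilds the value. It assumes UTF-16LE data as exported by NT-based Windows; the function names and the sample paths are constructed for illustration.

```python
import re

NUL = "\x00"

def parse_reg_hex7(line):
    """Bytes of a hex(7) value as written in a .reg export ('\\' continuations allowed)."""
    data = line.split("hex(7):", 1)[1]
    return bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", data))

def to_reg_hex7(raw):
    """Format bytes back into the hex(7) notation used by .reg files."""
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def entries(raw):
    """All NUL-separated fields, empty ones included (assumes UTF-16LE data)."""
    return raw.decode("utf-16-le").split(NUL)

def visible_entries(raw):
    """What a consumer of the value sees: the list ends at the first empty string."""
    out = []
    for field in entries(raw):
        if field == "":
            break
        out.append(field)
    return out

def problems(raw):
    """Check the layout string,0,string,0,...,0,0 described in step 8."""
    fields = entries(raw)
    found = []
    if fields[-2:] != ["", ""]:
        found.append("list does not end with a double NUL")
        body = fields[:-1] if fields[-1] == "" else fields
    else:
        body = fields[:-2]
    if "" in body:
        found.append("double NUL before the end hides later entries")
    return found

def repair(raw):
    """Drop empty fields and re-terminate: one NUL per string plus a final NUL."""
    strings = [f for f in entries(raw) if f]
    return ("".join(s + NUL for s in strings) + NUL).encode("utf-16-le")

# Constructed sample; both paths are placeholders, not values from a real system.
BROKEN = ("C:\\Example\\first.dll" + NUL + NUL +
          "C:\\Example\\avast\\aswMonVd.dll" + NUL + NUL).encode("utf-16-le")

if __name__ == "__main__":
    print(problems(BROKEN), visible_entries(BROKEN))
    fixed = repair(BROKEN)
    print(problems(fixed), visible_entries(fixed))
    print(to_reg_hex7(fixed))
```

Export the key before changing anything so the original bytes can be re-imported if the edit goes wrong.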

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #7 on: November 09, 2003, 10:23:48 PM »
You may test one or more of these files here: http://www.kaspersky.com/remoteviruschk.html
But I think it is a kind of false alarm / corrupted sample.


http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Win32%3ACIH-Monaa&product=1

Thanks raman (your virus support is quite amazing  ;))

Fkj, please, note that the CIH-Monaa virus infects EXE files and maybe it's a false alarm but if not, take a look at step 8 of Norton removing...
avast! might not be able to remove the files due to the previous Norton installation  >:(

Pavel won't agree with me, but the Virus Information on the avast! page is quite bad. The user always has to search another av developer's page...  >:(
« Last Edit: November 09, 2003, 10:42:53 PM by Technical »
The best things in life are free.

fkj

  • Guest
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #8 on: November 11, 2003, 08:21:18 PM »
Thanks Technical, I'll have a look at it :-)

Sorry for the late reply, I've been away for a few days

~Frank

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #9 on: November 12, 2003, 01:53:57 AM »
Thanks Technical, I'll have a look at it :-)

Sorry for the late reply, I've been away for a few days

~Frank

Never mind, we will be always here waiting to 'fight'  ;D
The best things in life are free.

fkj

  • Guest
Re:Normal or thorough scan? The CIH-Monaa virus?
« Reply #10 on: November 12, 2003, 10:20:20 AM »
Hey, I'm a man of peace ;D

~Frank