photo album.zip

[warriors292]

my daughter has been sent this through msn and has stupidly opened it, the trouble is it is now sending itself to all her contacts trying to get them to open it, when this happens her computer freezes and wont do anything for a min. after looking it up it seems to be a virus of some kind but avg hasn`t picked up on it, i have deleted the folder ic c: program files called photo album.zip but it is still sending itself onto all her contacts...
anyone help ????

[Philip]

Quote:

Originally Posted by warriors292

my daughter has been sent this through msn and has stupidly opened it, the trouble is it is now sending itself to all her contacts trying to get them to open it, when this happens her computer freezes and wont do anything for a min. after looking it up it seems to be a virus of some kind but avg hasn`t picked up on it, i have deleted the folder ic c: program files called photo album.zip but it is still sending itself onto all her contacts...
anyone help ????

Hi there, and welcome to the BBB forums. I did some searching, it seems that the photo album.zip file contains the W32/IrcWorm-A. The only antivirus vendor who had some info on it was Sophos. The easiest way to get rid of this worm would be to download a trial copy of Sophos Antivirus here. Make sure to also update it after installation. Before installing Sophos, uninstall any existing antivirus programs in your system.

Please post back if you're still encountering problems.

[X Blader]

i have this thing in to i did try your suggestion but it failed to do anything for me please can you give any more information on how i can get this of my wlm please


never mind it seams to be out now

well i signed into my messenger this morning and about 30 mins into the convo it started doing it again the pif fil is removed and eveything alone with it and also the virus scan removed it but it is still in please help

regards

[Philip]

Quote:

Originally Posted by X Blader

i have this thing in to i did try your suggestion but it failed to do anything for me please can you give any more information on how i can get this of my wlm please


never mind it seams to be out now

regards

Some additional info: this appears to be a new worm spreading on the net, that's why none of the antivirus vendors (except Sophos) has posted anything about it. The moral of the story is: don't open any files sent from your contacts, unless you've verified it with them. And keep your antivirus program up to date.

[X Blader]

well i signed into my messenger this morning and about 30 mins into the convo it started doing it again the pif fil is removed and eveything alone with it and also the virus scan removed it but it is still in please help

well its gone again this time i did nothing with it ill update if it show up tomorrow

regards

[Philip]

Quote:

Originally Posted by X Blader

well i signed into my messenger this morning and about 30 mins into the convo it started doing it again the pif fil is removed and eveything alone with it and also the virus scan removed it but it is still in please help

well its gone again this time i did nothing with it ill update if it show up tomorrow

regards

Today (April 2) I searched the major antivirus vendor's websites, and unfortunately, there's still not much about this W32/IrcWorm-A. If your system is still infected, you can try the following. Warning: this involves editing the Registry. Be very careful when doing this, because editing the wrong keys could cause your system to malfunction. Do this at your own risk.

• Go to My Received Files in My Documents folder. Delete (Shift + Delete) the Photo Album.zip folder and its contents.
• Go to C:\Windows. Delete the Photo Album.zip folder.
• In C:\Windows\System, find the rdfhost.dll or rdshost.dll files. Delete them.
• Go to Start > Run. Type regedit to open the Registry. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
  ShellServiceObjectDelayLoad rdshost {5344BB88-3DE1-409F-8307-C85923A1F4DD} Delete this key (right-click and click on Delete)
• Navigate to HKCR\CLSID\{5344BB88-3DE1-409F-8307-C85923A1F4DD} Delete this key.
• Reboot your computer.

Check to see whether the problem still exists. Please post back to let me know.

[X Blader]

well is all gone now so im relieved its all gone no come backs

thanks for the help

[frankie7]

I cannot find this directory at all. On my system it just does'nt appear. Not the way you say it anyway.

I cannot get rid of this at all.

I keep getting loads of chat boxes opening up all the time, and my contacts say i keep asking them do they ant to see my photoalbum.zip how this got onto my system, i have no idea.

Is there any other way to fix this ?

[Philip]

Quote:

Originally Posted by frankie7

I cannot find this directory at all. On my system it just does'nt appear. Not the way you say it anyway.

I cannot get rid of this at all.

Hi Frankie,

Welcome to BBB. Which directory couldn't you find? What operating system are you using? Did you follow the steps in post #2 below, and still unsuccessful?

Did a Google search for the worm, but it seems like Sophos is the only antivirus vendor posting info about it.

[frankie7]

i use avast, but by using this only tempoary, will it still disappear after i unistall this software ?

I am using windows XP.

Quote:

* Go to My Received Files in My Documents folder. Delete (Shift + Delete) the Photo Album.zip folder and its contents.
* Go to C:\Windows. Delete the Photo Album.zip folder.
* In C:\Windows\System, find the rdfhost.dll or rdshost.dll files. Delete them.
* Go to Start > Run. Type regedit to open the Registry. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad
rdshost {5344BB88-3DE1-409F-8307-C85923A1F4DD} Delete this key (right-click and click on Delete)
* Navigate to HKCR\CLSID\{5344BB88-3DE1-409F-8307-C85923A1F4DD} Delete this key.
* Reboot your computer.

this part, the part that says

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad
rdshost Is not there. I have different settings.