AndyManchesta (Experienced Members, 1,796 posts)

Posts posted by AndyManchesta

  1. Cheers R,

     

    I'll use that if I ever have problems with AVG but I'm liking it up to now as it just does its thing without bothering me, maybe Antivir thinks displaying a full screen nag advert every day will persuade users to upgrade but it just had the opposite effect on me and ended up getting removed after a few days, probably like most members here the only time my AV detects anything is when it's a false positive so I just want one that doesn't nag unless it really does find infections,

     

    Thanks for the tip

    I was using AOL's Active Shield and was really impressed with it, then they decided to drop it for McAfee and the Kaspersky version didn't update correctly for a couple of weeks so I removed it, I've noticed on another machine here the AOL version from Kaspersky has started updating again now so I tried to put it back on mine but it wouldn't accept the serial number anymore so I put Antivir on it instead but got a bit fed up with the nag screen which suggests updating to the pro version every time it updated so removed it after a week for AVG, then AVG started detecting my SDFix tool as trojan obfustat whatever that is but they fixed it when I sent them a sample so I'm going to stick with that now as it looks good :unsure:

     

    At least I got the chance to try out a few different AV's if nothing else :)

    I'm really not sure Humpty but it's likely Windows features such as System Restore would fail due to the amount of damage caused, if the Ghost software allows you to boot from a disk to restore to an earlier image rather than run the .exe for the imaging software which would likely also be infected or corrupt by the virus then it may work but I wouldn't like to be put in a position where I had to find out :)

  4. Hi Dennis,

     

    I don't think so but this isn't common so it's anyone's guess what they're hoping to achieve, it sort of defeats the purpose if they damage the system beyond repair as any revenue they would have made from the original malware that gets installed before Virut such as Smitfraud and Vundo type infections will also be lost if the user has to format.

     

    Generally file infectors tend to mostly spread using backdoor bots or other network worms so for example a PC gets infected with an IRCBot but the system is already infected with a file infector such as Parite or Virut so it then infects the IRCBot file with the virus then the bot scans random IPs looking for more vulnerable machines to spread to which is usually the first thing bots will get instructed to do when they connect to the IRC channel and because the file is then infected with a virus it also spreads that to other machines and on it goes infecting each machine it gets on but Virut itself can also be instructed to look for vulnerable systems to infect once that connects to its IRC channel so just keeping a system fully patched and having a strong AV and firewall would be enough to avoid junk like that.

     

    Honeypot sites such as honeynet will pick up Virut/Parite etc that are spreading together with a lot of other infections as their sensors act like unpatched systems so I find that's always a useful reminder why keeping Windows updated is essential but if you download and run one of the infected files from the crack sites then even that will not help much.

     

    http://honeynet.cz/?mmenu=malware&smen...=en&vmetr=7

    The main problem is that AV programs tend to do a great job at detecting the virus once it's trashed the machine but not so great at detecting the installer for the infection so it could easily get past the real time protection on some security programs, for example here's the results for a Virut installer from last week and only 6 out of 32 vendors detected it at VirusTotal

     

    File install.exe received on 09.15.2007 16:28:26 (CET)

     

    Result: 6/32 (18.75%)

     

    AntiVir 7.6.0.10 2007.09.14 W32/Virut.W

    BitDefender 7.2 2007.09.15 Win32.Virtob.2.Gen

    eSafe 7.0.15.0 2007.09.13 Suspicious Trojan/Worm

    Microsoft 1.2803 2007.09.15 Virus:Win32/Virut.L

    Sophos 4.21.0 2007.09.15 Mal/Dorf-A

    Webwasher-Gateway 6.0.1 2007.09.14 Win32.Virut.W

     

    File size: 13312 bytes

    MD5: 5740638882b6e02b0633d985d550519b

    SHA1: 79888eec0327b4fbce5906fa7a90fefee4d58970

     

    :(

  6. Hi guys,

     

    We always say using crack and serial sites is very dangerous as most of the malware around today is distributed from those sites but in the last few weeks they have been adding a file infector named Virut into the bundle and this is coming from multiple keygen and crack sites,

     

    Virut will infect .exe and .scr files on the system and once it gets on the machine the only solution is to format and reinstall Windows, you can attempt to clean it using whatever antivirus program you can think of but the AV programs will also be attacked by the virus, even if they are able to disinfect the files you will find that most of them will not function or run correctly because they have been corrupted by the virus and due to its process injection features such as injecting into winlogon.exe the virus will regenerate after running the scans and reinfect the files. Apart from the damage Virut causes it will also open a backdoor on the machine to allow the attacker full access so the only safe solution is to format and reinstall and with it being a file infector it's not even possible to back up any data before doing that.

     

    Please consider the consequences before visiting or downloading any files from crack, serial and keygen sites or even accepting those type of files from friends as this is about as bad as it gets

     

    Sample Kaspersky scan log attached, no surprises where it came from on that system

     

    G:\keygen.exe Infected: Virus.Win32.Virut.l

     

    :blink:

    Kav.txt

  7. There's not much you can do AJ once your email address gets on the spam lists except hope most of them are caught by the spam filter :(

     

    http://www.secureworks.com/media/press_rel...70802-botstorm/

     

    "From the first of January to the end of May, we only saw 71,342 Storm attacks," said Joe Stewart, Senior Security Researcher for SecureWorks. "However, since June we have blocked 20,200,101 Storm attacks."

     

    "The number of unique, infected hosts (bots), from which the attack is being launched by email, has also increased dramatically," said Stewart. "They went from 2,815 in the beginning of 2007 through the end of May to a total of 1.7 million for the months of June and July."

     

    http://www.informationweek.com/windows/sho...cleID=201311245

     

    Last week, when the Storm worm was still focused exclusively on e-mail attacks, security company Postini reported that between July 16 and August 1, researchers there recorded 415 million spam e-mails. Before the Storm worm began its attack, an average day saw about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm.
    :blink:
  8. My G-Mail account has been getting spam from all of these sites saying I've been getting "An E-card from Friend."

     

    Course I don't even go to the site.

     

    AJ

     

    Good choice AJ as the page will contain exploit scripts which will attempt to load infections as soon as it's opened, the recent variants are patching tcpip.sys to load trojan files so it doesn't need other startup entries or show in tools like HJT.

     

    http://www.sophos.com/security/blog/2007/07/419.html

     

    They've recently changed tactics to spam all sorts of messages but it's essentially the same junk

     

    http://www.f-secure.com/weblog/#00001255

  9. Hi Mic

     

    It's no bother Mic, we are happy to help :)

     

    For SFP.exe just skip that part as a lot of those files should be genuine, one's connected to gromozon and another is maybe an adware installer but we can run another scan a bit later to see if there are problems, there's probably still an active gromozon infection so removing that is the main concern for now.

     

    Let me know if you have any problems with the remaining steps

     

    Cheers

  10. Hi Luc,

     

    That looks fine :)

     

    You can now delete all the tools and files we used

     

    LinkOptCheck <-- Folder

    LinkOptFix <-- Folder

    C:\Avenger <-- Folder

    requested-files[Date/Time].cab <-- Folder

     

    Avenger.exe <-- File

    LinkOptFix.exe <-- File

    SFP.exe (Suspicious File Packer) <-- File

    fix.reg <-- File

    Gromozon Remover <-- File

    Check.bat <-- File

    Check.txt <-- File

    uninstall_list.txt <-- File

    C:\avenger.txt <-- File

    C:\user.txt <-- File

    C:\regresult.txt <-- File

    C:\Gromozon_removal log <-- File

     

    You have multiple versions of Java installed so all the older versions can be removed, it's common for them to leave older versions on the system when it upgrades which can take up a lot of space and are not needed, to remove them go to the Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove:

     

    J2SE Runtime Environment 5.0 Update 6

    J2SE Runtime Environment 5.0 Update 10

    J2SE Runtime Environment 5.0 Update 11

    Java SE Runtime Environment 6 Update 1

     

    Just leave Java 6 Update 2 on the machine as that is the latest version.

     

     

    I'll add a few basic steps below to help avoid further infections,

     

    Consider installing Spywareblaster

    SpywareBlaster can help prevent malware installing by adding hundreds of malicious sites to the restricted zone of IE and blocking the common spyware ActiveX controls which prevents the installation of any of them via webpages.

    A tutorial on using SpywareBlaster may be found here.

    • Avoid illegal sites such as warez, cracks, serials etc... because that's where most malware is present.
    • Don't click on any links inside popups, Spam email messages or Instant Messenger programs.
    • Download free software only from sites you know and trust

    Make sure to run your antivirus software regularly, and to keep it up-to-date and also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

     

    Please also read Tony Klein's excellent article:

     

    So how did I get Infected in the First Place?

     

    Hopefully these steps will lower the chances of getting more malware issues but just let us know if you have questions or problems again anytime.

     

    Regards

     

    Andy

  11. Hi Mic, thanks for your patience :)

     

    AndyManchesta: I followed your instructions (here). I did a scan with HJT (now it works again after I used LinkOptFix), and tried to look for what www.hijackthis.de would say. They didn't really find something bad (except one or two items, that I removed),

     

    These auto analysis sites are really no use at all these days, there's far too many infections around that do not show any signs in HijackThis so although it's probably ok to give them a try as part of a clean up process it would be dangerous to believe that the system is clean based on their results. There's infections that add rootkit components so their entries will not show in logs, infections that use Microsoft company details in their service files so HijackThis regards them as safe and doesn't list them, infections that hide all entries for certain areas such as winlogon and BHO entries so HijackThis doesn't show them and infections that run from areas that HijackThis doesn't check such as the Installed Components key so I wouldn't recommend using the auto analysis sites if anyone feels they have been infected.

     

    Do you know what entries they suggested you remove ?

     

    If you're not sure it should show on the backups area (Start HijackThis > Click open the Misc Tools section > Click Backups) then briefly type what they contain so I can make sure they needed to be removed.

     

    We will be repeating a lot of the steps you noticed in Leluc's post now as it's the same infection.

     

     

    Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.

     

    Run SFP.exe.

     

    Please copy the following lines into the Step 1: Paste Text window:

    C:\WINDOWS\com3.rjy

    C:\WINDOWS\EXPLORER(2).EXE

    C:\WINDOWS\GPInstall.exe

    C:\WINDOWS\system32\CSRSS(3).EXE

    C:\WINDOWS\system32\CTFMON(2).EXE

    C:\WINDOWS\system32\LSASS(3).EXE

    C:\WINDOWS\system32\SPOOLSV(2).EXE

    C:\WINDOWS\system32\SVCHOST(3).EXE

    then click "Continue".

     

    This will create a .cab file on your desktop named requested-files[Date/Time].cab

     

    Please then visit the below link

     

    http://www.bleepingcomputer.com/submit-mal....php?channel=27

     

    In the Link to topic where this file was requested: area type Ccleaners, Click Browse and then locate the requested-files.cab archive on your desktop then click Send File

     

    Once it shows

    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

    You can then close the Bleeping Computer window and continue with the steps below

     

     

    Download the Gromozon remover from here

     

    http://www.prevx.com/gromozon.asp

     

    Run the tool and follow the prompts, click No if it prompts you to install Prevx as it's a trial version and isn't required here, when it's finished please post the c:\gromozon_removal.log into your next reply,

     

     

    Goto Start > Run > copy and paste

     

    cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt

     

    Press OK and post the contents of the C:\user.txt file back on here

     

    Goto Start > Run > copy and paste

     

    cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt

     

    Press OK and post the contents of the C:\regresult.txt back

     

     

    Finally download GetServices from HERE

     

    Extract the zip file then open the getservice folder and double click getservice.bat, when it is completed a Notepad window will open with a lot of information. Please attach that into your next post

     

    Please copy/paste or attach the logs into your next reply together with a new HijackThis log

     

    Let us know if you have any problems

     

    Andy

  12. Hi Luc,

     

    That looks good, just a few leftover files to remove but I'd like you to run the Gromozon remover again to make sure it's now showing clear,

     

    1. Please download The Avenger by Swandog46 to your Desktop

    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C):

     

     

    Files to delete:
    C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR1.tmp
    C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR2.tmp
    C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR3.tmp
    C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR4.tmp
    C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR5.tmp

     

     

    3. Now, start The Avenger program by clicking on its icon on your desktop.

    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    • It will Restart your computer.
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply

     

     

    Open Notepad (Start Menu > Run > Type notepad and press OK)

     

    Copy and Paste the contents of the code box into Notepad

     

     

    dir /b/s/a-d "%commonprogramfiles%\*.exe">>Check.txt
    Notepad Check.txt
    del /q Check.txt

     

     

    Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

     

    Double click Check.bat and it will check for .exe files then open the results in notepad, if there is any information in the notepad file please post the contents of that (Check.txt) back on the forum.

     

    Finally generate a report of the Add/Remove screen entries:

    Open Hijackthis, and click the Misc Tools button.

    Then click the Open Uninstall Manager... button.

    The Add/Remove Programs Manager panel should appear.

    In this panel click the Save list button.

    Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

     

    Post back the logs and let us know if you're still having any problems

     

    Thanks

     

    Andy

  13. Just delete these files then:

     

    C:\WINDOWS\apisv.exe

    C:\WINDOWS\msgh.exe

    C:\WINDOWS\system32\atlws32.exe

    C:\WINDOWS\system32\ntlg.exe

     

    If you have problems finding them set Windows to show hidden and system files

     

    Click Start. Goto MyComputer then C:\drive

    Select the Tools menu from the top bar and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".

    UnCheck the "Hide protected operating system files (recommended)" option.

     

    Click Yes to confirm then OK

     

    Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button then click Apply and OK.

     

     

    Regarding Kaspersky, it will take a long time to scan but please allow it to finish as it will help us to see if there's any remaining problems on your system, you have had a nasty rootkit infection so it's important to make sure there are no additional trojans now that it has been removed.

     

    Thanks

  14. Hi Luc

     

    The gromozon remover has done a great job there :)

     

    None of the files were packed correctly by the suspicious file packer though except PATCH.EXE which is a legit file from Trend Micro so could you try uploading them at VirusTotal

     

    Visit VirusTotal

     

    Open the scan site and copy and paste this into the Upload a File area (next to Browse)

     

    C:\WINDOWS\apisv.exe

     

    Then click Send File, wait until all the results are shown and it shows Finished in the current status area then copy and paste the full results to Notepad (Start > Run > type Notepad and press OK) then click Another file which will appear below the scan window after it's finished scanning the file and repeat the steps to scan these files one at a time

     

    C:\WINDOWS\msgh.exe

    C:\WINDOWS\system32\atlws32.exe

    C:\WINDOWS\system32\ntlg.exe

     

    Again copy and paste the scan results into a notepad file when the scan is complete then copy and paste the results from each file back on here, if the scanner shows they are 0 bytes when you attempt to upload them let us know.

     

    Go to Start > Run > and copy and paste

     

    sc delete UpdHab

     

    Press OK and you will just notice the cmd screen flash on then off again and the service will be removed.

     

    Open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.

     

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    "UYpqSqP"=-

     

     

    Goto File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg(or right click and choose Merge) and allow it to be merged into the registry which will remove the entry.

     

    Please then run a scan with Kaspersky's scanner to make sure there is no remaining malware problems

     

    Run Kaspersky WebScanner

    • Please go HERE and click Kaspersky Online Scanner
    • Read and Accept the Agreement
    • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • If you see a Windows dialog asking if you want to install this software, click the Install button.
    • The program will launch and then begin downloading the latest definition files,
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
    • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

     

    Cheers

    I hope I don't break any rule by entering this thread. As I read the rules, it seemed best to write this in this existing thread.

     

    Thanks in advance!

     

    Mic

     

    Hi Mic, welcome to the forum,

     

    I've asked one of the Moderators for this area of the site to split your post into a new topic to prevent confusing this thread, once that's done I'll be happy to assist you in removing anything that remains,

     

    Thanks

  16. Hi Luc,

     

    Thanks for the logs, there's still a few problems showing so this will take a few steps to help you get the machine clean again.

     

    Run HijackThis and choose Do A System Scan then place a check next to these entries

    O2 - BHO: Class - {0A5F82EA-0DD1-4033-7C1A-F9F2F5775550} - C:\WINDOWS\uvwog1.dll (file missing)

    O23 - Service: UpdHab - Unknown owner - C:\Program Files\Fichiers communs\System\swA.exe

    Close all open browser and other windows except for HijackThis and press the Fix Checked button

     

     

    Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.

     

    Run SFP.exe.

     

    Please copy the following lines into the Step 1: Paste Text window:

    C:\WINDOWS\apisv.exe

    C:\WINDOWS\msgh.exe

    C:\WINDOWS\PATCH.EXE

    C:\WINDOWS\system32\atlws32.exe

    C:\WINDOWS\system32\ntlg.exe

    C:\Program Files\Fichiers communs\System\swA.exe

    then click "Continue".

     

    This will create a .cab file on your desktop named requested-files[Date/Time].cab

     

    Please then visit the below link

     

    http://www.bleepingcomputer.com/submit-mal....php?channel=27

     

    In the Link to topic where this file was requested: area type Ccleaners, Click Browse and then locate the requested-files.cab archive on your desktop then click Send File

     

    Once it shows

    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

    You can then close that site and continue with the below steps

     

    Download the Gromozon remover from here

     

    http://www.prevx.com/gromozon.asp

     

    Run the tool and follow the prompts, click No if it prompts you to install Prevx as it's a trial version and isn't required here, when it's finished please post the gromozon_removal.log into your next reply,

     

     

    Goto Start > Run > copy and paste

     

    cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt

     

    Press OK and post the contents of the C:\user.txt file back on here

     

    Goto Start > Run > copy and paste

     

    cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt

     

    Press OK and post the contents of the C:\regresult.txt back

     

    Please then upload the Requested-files.cab archive, post back the Gromozon_removal log, C:\user.txt and C:\regresult.txt then we can take it from there

     

    Thanks

     

    Andy
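The posts above (11 and 16) ask the user to export the SpecialAccounts\UserList key with regedit and to paste the output of net user, and post 14 then deletes a hidden account name from that key with a .reg file. The point of the two logs is that an account listed under UserList with a value of 0 is hidden from the Welcome screen, which is how the gromozon infection conceals the account it creates. The script below is an added example (not from the thread or from any tool it mentions) that does that comparison offline on a saved regresult.txt and a saved user.txt: it parses the REGEDIT4 export, parses the net user listing, and reports which real accounts are hidden and which UserList names no longer match an account. The sample export, the net user output, the machine name HOMEPC and the account names qzxkLmP and Luc are constructed for the example; the allow-list of built-in XP accounts that are hidden by default is my own assumption, not something the thread states.

```python
import re

# Constructed sample of what "regedit.exe /a/e regresult.txt <UserList key>" writes.
# Names and values are made up for this example.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"qzxkLmP"=dword:00000000
"Guest"=dword:00000001
"""

# Constructed sample of "net user" output (machine name and accounts are made up).
SAMPLE_NET_USER = """
User accounts for \\\\HOMEPC

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
Luc                      qzxkLmP                  SUPPORT_388945a0
The command completed successfully.
"""

# Assumption: built-in Windows XP accounts that are hidden from the Welcome
# screen on a default install, so seeing them in UserList is expected.
KNOWN_BENIGN_HIDDEN = {"HelpAssistant", "SUPPORT_388945a0", "TsInternetUser"}

USERLIST_SUFFIX = "\\specialaccounts\\userlist]"
VALUE_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_userlist(reg_text):
    """Return {account_name: dword_value} for the values under the UserList key
    in a REGEDIT4-format export. Other keys in the file are ignored."""
    values = {}
    in_userlist = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header: track whether it is the UserList key.
            in_userlist = line.lower().endswith(USERLIST_SUFFIX)
            continue
        if not in_userlist:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def parse_net_user(text):
    """Return the set of account names printed by 'net user'. The names sit
    between the dashed separator line and the 'command completed' footer;
    this assumes names contain no spaces, as in the sample."""
    names = set()
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("----")), None)
    if start is None:
        return names
    for line in lines[start + 1:]:
        if line.startswith("The command completed"):
            break
        names.update(line.split())
    return names


def analyze(reg_text, net_user_text):
    """Cross-check the two logs. A UserList value of 0 hides the account from
    the Welcome screen; 1 shows it. Returns the accounts that are hidden and
    not on the benign list, plus UserList names that match no local account."""
    userlist = parse_userlist(reg_text)
    accounts = parse_net_user(net_user_text)
    suspicious_hidden = sorted(
        name for name, value in userlist.items()
        if value == 0 and name in accounts and name not in KNOWN_BENIGN_HIDDEN
    )
    not_in_net_user = sorted(name for name in userlist if name not in accounts)
    return {"suspicious_hidden": suspicious_hidden, "not_in_net_user": not_in_net_user}


if __name__ == "__main__":
    report = analyze(SAMPLE_REG_EXPORT, SAMPLE_NET_USER)
    print("Hidden accounts that are not built-in:", report["suspicious_hidden"])
    print("UserList entries with no matching account:", report["not_in_net_user"])
```

On the constructed input the script flags qzxkLmP as a real account hidden from the logon screen, which is the pattern the thread removes with the fix.reg step, and lists TsInternetUser as a stale UserList entry because net user does not show it. To run it on real logs, read regresult.txt with the encoding regedit used for the export and pass both file contents to analyze().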
