Everything posted by AndyManchesta

  1. Hi JD, Yes, the current ransomware variant is very well detected by AV companies now. There are quite a few malware bundles around that include this trojan, except it's the infostealer by itself and not the ransomware variant, but they are changing the files often to try to avoid being detected by AVs. They tend to spread using exploits on malicious websites, but this ransomware variant appears to have mainly spread by being spammed, which is explained more on the Prevx blog RRidgely linked to earlier. Here are the current detections for the ransomware variant from VT. I did just run the Prevx Ransomware decoder a few minutes ago and it did an excellent job of decoding all the encrypted files and removing the info stealer. Regarding what it steals, this trojan doesn't steal info from the protected storage area, although that method is used by a lot of other password stealers like ldpinch; this one will steal the information from any forms online before it even gets encrypted if it's a secure site. The paper from SecureScience I linked to earlier explains it a lot better than I ever could, from chapter 8 'Internal Structures For API Hooks'. Andy
  2. No, it's fine here in sunny Manchester. It's really a bit wet as usual, but like you say it looks like it's further south that's got most of the problems again.
  3. Yeah, there are some great tools on there. You may find that AVs detect some as risk tools, though, but that would only apply if they were added without consent by trojans, as it would allow them to get personal information or make changes to the system; the tools themselves are clean and can be very useful. Examples after scanning the files at VirusTotal: Protected Storage Pass Viewer, NirCmd
  4. Hi Leluc, You do have the LinkOptimizer trojan showing, which likely means you also have a variant of the Gromozon rootkit; this is its entry in the log. There is a newer variant of this trojan that also adds a debugger for iexplore.exe, but the one you have appears to be the older version, which has just added a debugger value for explorer.exe. This trojan is very difficult to manually remove as it changes permissions on its file and registry entry to deny anyone access and can restore its reg entry instantly if it's removed; if the file is removed and the reg entry remains then it's not possible to start explorer.exe (no desktop icons or taskbar). It also targets a lot of the tools we use, which is why you're not able to open HijackThis at the moment.

     Download LinkOptfix from Here and save it to your desktop. Copy and paste these instructions to Notepad and save it to your C:\ drive in case you need to access it without using the Start menu later.

     To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix. Open the newly created LinkOptfix folder and double click fix.bat; it will only take a few seconds to run. First it creates a backups folder, moves the trojan file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions, then removes the trojan reg entry and restarts explorer.exe. You should then be able to run HJT and post a log; if you can, then ignore the rest of this post and reply so we can then check for remaining problems in a HJT log and have some files scanned, as there are a few suspicious files showing in that report you uploaded.

     If explorer.exe doesn't restart after running the tool then you will have to remove its reg entry, which will be possible as the file would have been moved so it cannot load again. If explorer doesn't restart you will not be able to access the Start menu, so press Control, Alt & Delete to open Task Manager, then click Applications and New Task. You can then click Browse to find the text file you saved with these instructions and click OK to open it, then type Regedit into Task Manager > Applications > New Task and click OK to open the registry editor.

     Click the [+] next to HKEY_LOCAL_MACHINE
     Click the [+] next to SOFTWARE
     Click the [+] next to Microsoft
     Click the [+] next to Windows NT
     Click the [+] next to CurrentVersion
     Click the [+] next to Image File Execution Options

     Scroll down the list and find explorer.exe, then right click it and choose Permissions. In the permissions for Everyone area place a check next to Full Control, then click Apply and OK. Right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task, type explorer.exe and click OK, and it will restart.

     You should not need the manual instructions as the fix tool should remove it fine, but it's best to provide an alternative method just in case it's needed. Let me know if you have any problems or questions. Cheers Andy
  5. Hi Dennis, I think there's always going to be a small risk involved with shopping or banking online, but I doubt the majority of people will ever have a problem unless they do get infected with these types of trojans. Sometimes the information may not always be stolen from your own system, and a legit site you have done business with at one stage may get compromised, but thankfully that isn't common and generally banks would always refund the account if it was used without the owner's consent. For account and login details it really depends on how you enter the site: IE's AutoComplete feature, if used, saves login details to a protected storage area in the registry, and it is quite common for information stealing trojans to read the data from there. In IE7 that has changed a bit, but you can get more info and tools to view the protected storage data on Nirsoft's site: http://www.nirsoft.net/utils/pspv.html http://www.nirsoft.net/articles/ie7_passwords.html
  6. The main problem with this trojan is the information it steals. It shows in HJT as F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, It's been around for a long time, but this 'ransomware' variant has only been showing up since the start of July. The trojan is very nasty as it will record login usernames and passwords for every site used, even if it's secure, and upload it to a drop site, and the sites tend to have many GBs' worth of stolen information ranging from MySpace and email logins to PayPal, eBay and banking login information. SecureScience wrote an excellent paper on the trojan at the end of last year: http://www.securescience.net/securescience...ecasestudy.html As the paper explains, it injects its code into Winlogon, then svchost, then into all other running processes with the exception of csrss.exe due to access and stability issues, but the code injection guarantees it's always running on the system and monitoring what is being submitted into online forms. Hopefully the Prevx tool helps with decoding the files; I've not tried it yet but I will later today if I have the time. Anyone who is infected with this should know their login information for every site visited since they became infected, and anything else submitted into online forms, has been stolen, so they will need to contact financial institutions for advice plus change all passwords as soon as possible after removing the trojan or from a different PC that is known to be clean.
  7. Hi Leluc, Welcome to the forum. This does sound like it may be trojan related. Can you download the attached zip file (LinkOptCheck), extract the folder, then double click RunThis.bat. It will then export some registry keys and check a couple of folders for non-default exe files, then write the information to a text file named Report.txt which will save inside the LinkOptCheck folder and also open with Notepad once it's finished. Please post the full contents of that report back on here and we can then take it from there. Let us know if you have any problems running the file. Cheers Andy LinkOptCheck.zip
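As an added illustration (not the LinkOptCheck or LinkOptfix tools posted in this thread), the Python script below parses a Windows .reg export (the format `reg export` writes) and flags the two registry hijacks described in the LinkOptimizer and ntos.exe posts above: a Debugger value under Image File Execution Options, which makes Windows start the named program in place of the target (explorer.exe here, iexplore.exe in the newer variant), and any program appended to the Winlogon Userinit value beyond the expected system32\userinit.exe. The export embedded in the script is constructed for the demo; the Debugger path in it is a placeholder, not a real sample name.

```python
r"""Flag the registry hijacks discussed in the LinkOptimizer/Gromozon and ntos.exe
posts, from a Windows .reg export.

Two checks:
  * Image File Execution Options\<image>\Debugger - Windows launches the named
    program instead of <image>; the trojan in the thread used this on explorer.exe
    (a newer variant also on iexplore.exe).
  * Winlogon\Userinit - anything beyond system32\userinit.exe is an extra program
    started at logon (the HJT F2 line showed ntos.exe appended there).

Added example, not the LinkOptCheck/LinkOptfix tools from the thread. SAMPLE_REG is
constructed; the Debugger path is a placeholder.
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed .reg text (real exports are UTF-16LE; see load_reg_file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\placeholder-debugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
'''

# "name"=data  or  @=data (the key's default value); names may contain \" escapes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name_lower: data}}. String data is unescaped;
    dword:/hex: data is kept raw (multi-line hex continuations are not joined)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")   # a leading '-' marks a key deletion
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name.lower()] = data
    return keys


def find_ifeo_debuggers(keys):
    """[(image_name, debugger_path)] for every IFEO subkey carrying a Debugger value."""
    prefix = IFEO_KEY.lower() + "\\"
    return [(key[len(prefix):], values["debugger"])
            for key, values in keys.items()
            if key.lower().startswith(prefix) and "debugger" in values]


def find_userinit_extras(keys, system32=r"C:\WINDOWS\system32"):
    """Userinit entries other than the expected system32 userinit.exe (full path match)."""
    expected = (system32 + r"\userinit.exe").lower()
    for key, values in keys.items():
        if key.lower() == WINLOGON_KEY.lower() and "userinit" in values:
            entries = [e.strip() for e in values["userinit"].split(",") if e.strip()]
            return [e for e in entries if e.lower() != expected]
    return []


def load_reg_file(path):
    """reg export writes UTF-16LE with a BOM; Python's utf-16 codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


if __name__ == "__main__":
    found = parse_reg(SAMPLE_REG)
    for image, dbg in find_ifeo_debuggers(found):
        print(f"IFEO debugger set for {image}: {dbg}")
    for extra in find_userinit_extras(found):
        print(f"Extra Userinit entry: {extra}")
```

To use it on a live machine, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and likewise for the Winlogon key) and pass the file to load_reg_file. Because the trojan in this thread changes permissions on its key to deny access, an export that stops short of the explorer.exe subkey is itself worth following up. Anything extra in Userinit should be scanned rather than deleted on sight, since some legitimate logon components register there too.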
  8. You're welcome, I'm glad it solved the problem. Andy
  9. Check your screen saver and monitor power options. Right click the desktop > click Properties > click Screen Saver (check the screen saver settings and whether it's set to password protect when it resumes) > click Power at the bottom > then check the settings for the power scheme (Turn Off Monitor / Turn Off Hard Disks / System Standby / System Hibernates). Click Apply and OK if you make any changes.
  10. My maths isn't that good. It's very kind of Microsoft to give me the award, though. A lot of my spare time on the PC these days is spent on research (testing trojans and submitting them to AVs) and developing a tool called SDFix, but I didn't expect to have enough public postings to be considered for the award as my forum posts are a bit few and far between these days, so it was a great surprise to be accepted and I'm proud to now show the MVP icon in my signature.
  11. I don't know the answer to that, CeeCee. Some people nominated me (who may already be MVPs) and then they decide if they think my work over the past year merits the award based on the information they have been given.
  12. Hi CeeCee, Yes, Microsoft contacted me a couple of months ago saying I had been nominated to receive the award and asking if I would be interested, which I obviously said yes to as I have a lot of respect for the MVP program and its members. I then received another email at the start of this month saying congrats on becoming an MVP in Windows Security.
  13. Thanks a lot for the kind comments everyone, it's really appreciated.
  14. http://www.sophos.com/security/blog/2007/07/322.html If anyone does open it I'd suggest running a full scan with Kaspersky's online scanner and also running a rootkit scanner such as GMER, as it will likely attempt to install windev-*-*.sys, which is a component of the Nuwar/Storm worm (* = random numbers and letters). http://www.google.co.uk/search?hl=en&q...*.sys&meta=
  15. It's really not possible to say what installed it, but it may have been a program or game you installed at some stage then removed, and it may have left the oreans32 service behind. It's possible a spyware remover added it to their database so it was removed on your system, but the file and service is harmless as it's a genuine program. Like a lot of things, though, it's starting to be abused by trojan writers as it also helps them to avoid being detected by antivirus companies, so some vendor may have added it by mistake. Here's an example of a backdoor IRCbot (rBot) I got yesterday that's packed with Themida. If you don't have the file, though, just delete its service to remove it from your system, as it's likely just a leftover entry from a program you have used in the past if the file doesn't exist. Andy
  16. oreans32 is part of Themida protection: http://www.oreans.com/themida.php It's used in quite a lot of programs such as games to prevent piracy. It is also being used by some trojans like backdoor IRCBots, as it can make it a lot harder for the files to be analysed by preventing people reverse engineering or disassembling the files and also by preventing them being run in a virtual environment. If you do not still have the oreans32.sys file on your system then it's fine to remove its service, but make sure the file doesn't exist first, as the program that added it will not start if the service is missing.

     Go to Start > Run > Search. Click All Files and Folders, then scroll down to More Advanced Options and place a check next to Search system folders, Search hidden files and folders and Search subfolders. Then scroll back up to the All or part of the file name: area, enter this to be searched for, then click Search: oreans32.sys

     If it's found then leave the service in place, but if it's not then go to Start > Run and type sc delete oreans32 Press OK and you will just notice the cmd screen open then close, and the service will be removed on the next reboot. Andy
  17. You may want to give StartupLite a try, as that will list any unnecessary items and give you some descriptions on each one to help you decide if you want it starting with Windows or not: http://www.malwarebytes.org/startuplite.php
  18. I remember this program when it was being promoted early last year: http://forums.spywareinfo.com/index.php?showtopic=77280 I tested it at the time and it wasn't great. It was fine to reverse the changes made by adware type programs that already had Add/Remove screen entries and uninstallers, but it had a lot of problems with more nasty infections like rootkits and trojans that hook to system files; it kept showing it had fully removed files then crashing at random points when it was reversing the changes, and the same files were there again when it reopened. It also appeared to interfere with other programs, as I had problems at times opening security programs and tools I had installed, but they opened fine after Spyberus crashed, which it did about 4 or 5 times in the space of 1 hour on an infected machine, so I gave up and haven't tried it since. Hopefully it's improved a lot since then.
  19. Thanks Ian. It's hard to say where this trojan is coming from; the Gromozon infections in the past have only attacked users with Italian IPs, but this variant is different as we have seen it infecting users with UK IP addresses. There's another member on here who posted today with the same trojan, so it's difficult to say at the moment what type of site is adding it. I'm glad we were able to get it removed from your system, but let us know if you have problems again anytime. Happy Surfing, Andy
  20. Hi Ian, Sorry for the delay in replying; I wasn't able to get on the PC for most of yesterday so I've just been catching up with my emails. Unfortunately Avenger wasn't able to create a backup of the file. I'm not sure why, but the backup.zip is empty except for a text file showing that it removed the file. It's nice to see it was removed, though. The logs look fine. Kaspersky is finding an infected System Restore point, but that's to be expected after getting the trojans, and we can clear them out now the system is clean. I'll also post a few basic steps to help avoid further infections.

     Click Start Menu > All Programs > Accessories > System Tools > System Restore. Choose Create a Restore Point then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

     Next go to Start Menu > Run > type cleanmgr and click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.

     Consider installing SpywareBlaster if it's not already installed. SpywareBlaster doesn't scan and clean spyware, but can help prevent it from being installed by blocking the popular spyware ActiveX controls, which prevents the installation of any of them via webpages. It also adds hundreds of malicious sites to the Restricted zone so they cannot cause damage to your system if you visit them by mistake anytime, such as by typing a URL slightly wrong and ending up at a malicious site rather than the intended site. A tutorial on using SpywareBlaster can be found here.

     Avoid illegal sites such as warez, cracks, serials etc., because that's where most malware is present. Don't click on links inside popups, messenger programs or spam email messages. Download free software only from sites you know and trust. Please make sure to run your antivirus software regularly and to keep it up-to-date, and also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/ Please also read Tony Klein's excellent article: How I got Infected in the First Place

     Let me know if there are any remaining problems. Cheers Andy
  21. Hi Ian, Thanks for the logs. It's nice to see seagate-helper hasn't got any additional registry entries except for the Userinit hook that we fixed earlier. I didn't think the .exe would be found after reading your earlier post, but thought we may as well include it while we were deleting the .old file. Can you please upload the Avenger backups for me so I can have a closer look at the seagate file? Please visit SpyKiller's forum here: http://www.thespykiller.co.uk/index.php?board=1.0 Read the instructions for uploading files, which is the first topic on the forum, then start a new topic named 'File For AndyManchesta', post a link to this thread and upload C:\avenger\backup.zip.

     The logs are looking good, but with you having had a rootkit infection it's best to run a couple of final scans to make sure there are no remaining issues; then we can clear up the System Restore points once we know the machine is clean.

     Download Blacklight beta HERE and save it to your desktop. Run the program, accept the statement > click Next, then Scan. When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.

     Finally run Kaspersky WebScanner. Please go HERE and click Kaspersky Online Scanner. Read and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky; click Yes. If you see a Windows dialog asking if you want to install this software, click the Install button. The program will launch and then begin downloading the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it. Click on the Scan Settings button, and in the next window select the Extended database, and click OK. Under "Please select a target to scan:", click My Computer to start the scan. When the scan is finished, click the "Save as Text" button, save the file as kavscan.txt to your Desktop, then close the Kaspersky On-line Scanner window.

     Please then post back the Kaspersky log and the Blacklight log, and let me know if there are any problems. Regards Andy
  22. Cheers Ian, No problem regarding the help. This is quite a new infection, so getting any information on it or samples of additional files is really helpful so we can get them sent to antivirus companies and also find easier ways of dealing with it each time it shows up.

     1. Please download The Avenger by Swandog46 to your Desktop. Click on Avenger.zip to open the file and extract avenger.exe to your desktop.

     2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your clipboard by highlighting it and pressing (Ctrl+C):

     Files to delete:
     c:\windows\seagate-helper.exe
     c:\windows\seagate-helper.old

     3. Now start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the magnifying glass icon, which will open a new window titled "View/edit script". Paste the text copied to clipboard into this window by pressing (Ctrl+V). Click Done. Now click on the green light to begin execution of the script. Answer "Yes" twice when prompted.

     4. The Avenger will automatically do the following: It will restart your computer. On reboot, it will briefly open a black command window on your desktop; this is normal. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

     5. Please copy/paste the content of c:\avenger.txt into your reply.

     Next download RegSearch by Bobbi Flekman from Here. Download and extract the contents of the zip file. Double-click the icon for RegSearch.exe to launch the program. Enter seagate-helper (in the first open box) to search for and click "OK". After it's finished, Notepad will open and show any found instances of seagate-helper in the registry; the results are also saved in the same location as RegSearch.exe. Please post that back on here.

     There are a couple of optional fixes showing in HijackThis, but it's fine if you want to leave them.

     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

     The above entry is from Yahoo, but you can see from the address that the system is being redirected through red.clientapps before going to the Yahoo site. red.clientapps is Red Sheriff and a form of spyware. Although it's probably nothing nasty, it can be fixed to return it to Microsoft's default SearchURL. Here's some info on Red Sheriff.

     O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

     dumprep.exe is Microsoft's fault logging software. Once errors happen on the system this program will write the details to a text file and request the information be sent to Microsoft. It should remove itself from the Run key, but I've noticed it's present in both logs, so the entry can be fixed if it remains after another reboot.

     You should really avoid having more than one antivirus program installed, as they use a lot of system resources and having two providing protection can cause a lot of problems on the system such as false virus alerts, crashes, slowdowns, and even make the system more likely to get a trojan infection if they are conflicting with each other. If Panda and AVG are both providing real time monitoring then you should consider uninstalling or disabling the real time protection on one and only using it as an 'on-demand' scanner which you start and stop manually, so there is only one antivirus program starting with Windows and providing protection, to prevent any problems.

     Can you check your Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) for any older versions of Java (J2SE Runtime Environment)? It's common for them to leave older versions behind when it updates, which can take up a lot of space, and some of them are vulnerable to certain infections; ignore 1.6.0_01 but remove any other versions that may be present.

     Please then post back the Avenger log and the RegSearch log and we can see if this remaining trojan was removed. Cheers Andy