AndyManchesta (Experienced Members, 1,796 posts)
Everything posted by AndyManchesta

  1. Cheers R, I'll use that if I ever have problems with AVG, but I'm liking it up to now as it just does its thing without bothering me. Maybe Antivir thinks displaying a full-screen nag advert every day will persuade users to upgrade, but it just had the opposite effect on me and ended up getting removed after a few days. Probably, like most members here, the only time my AV detects anything is when it's a false positive, so I just want one that doesn't nag unless it really does find infections. Thanks for the tip.
  2. I was using AOL's Active Shield and was really impressed with it, then they decided to drop it for McAfee and the Kaspersky version didn't update correctly for a couple of weeks so I removed it. I've noticed on another machine here the AOL version from Kaspersky has started updating again now, so I tried to put it back on mine but it wouldn't accept the serial number anymore, so I put Antivir on it instead but got a bit fed up with the nag screen which suggests updating to the pro version every time it updated, so removed it after a week for AVG. Then AVG started detecting my SDFix tool as Trojan Obfustat, whatever that is, but they fixed it when I sent them a sample, so I'm going to stick with that now as it looks good. At least I got the chance to try out a few different AVs if nothing else.
  3. Congrats Andavari, really well deserved.
  4. I'm really not sure Humpty, but it's likely Windows features such as System Restore would fail due to the amount of damage caused. If the Ghost software allows you to boot from a disk to restore to an earlier image, rather than run the .exe for the imaging software, which would likely also be infected or corrupted by the virus, then it may work, but I wouldn't like to be put in a position where I had to find out.
  5. Happy Birthday Ms Teacup, hope all your birthday wishes come true.
  6. Amiga, that brings back memories. I remember thinking Amigas were the best thing ever around that time as I'd updated from an Amstrad 464 (which I've still got collecting dust somewhere in my attic).
  7. Hi Dennis, I don't think so, but this isn't common so it's anyone's guess what they're hoping to achieve. It sort of defeats the purpose if they damage the system beyond repair, as any revenue they would have made from the original malware that gets installed before Virut, such as Smitfraud and Vundo type infections, will also be lost if the user has to format. Generally file infectors tend to mostly spread using backdoor bots or other network worms. So for example a PC gets infected with an IRCBot, but the system is already infected with a file infector such as Parite or Virut, so it then infects the IRCBot file with the virus; then the bot scans random IPs looking for more vulnerable machines to spread to, which is usually the first thing bots will get instructed to do when they connect to the IRC channel, and because the file is then infected with a virus it also spreads that to other machines, and on it goes infecting each machine it gets on. But Virut itself can also be instructed to look for vulnerable systems to infect once that connects to its IRC channel, so just keeping a system fully patched and having a strong AV and firewall would be enough to avoid junk like that. Honeypot sites such as honeynet will pick up Virut/Parite etc. that are spreading together with a lot of other infections, as their sensors act like unpatched systems, so I find that's always a useful reminder why keeping Windows updated is essential, but if you download and run one of the infected files from the crack sites then even that will not help much. http://honeynet.cz/?mmenu=malware&smen...=en&vmetr=7
  8. The main problem is that AV programs tend to do a great job at detecting the virus once it's trashed the machine, but not so great at detecting the installer for the infection, so it could easily get past the real-time protection on some security programs. For example, here are the results for a Virut installer from last week, and only 6 out of 32 vendors detected it at VirusTotal:
     File install.exe received on 09.15.2007 16:28:26 (CET)
     Result: 6/32 (18.75%)
     AntiVir 7.6.0.10 2007.09.14 W32/Virut.W
     BitDefender 7.2 2007.09.15 Win32.Virtob.2.Gen
     eSafe 7.0.15.0 2007.09.13 Suspicious Trojan/Worm
     Microsoft 1.2803 2007.09.15 Virus:Win32/Virut.L
     Sophos 4.21.0 2007.09.15 Mal/Dorf-A
     Webwasher-Gateway 6.0.1 2007.09.14 Win32.Virut.W
     File size: 13312 bytes
     MD5: 5740638882b6e02b0633d985d550519b
     SHA1: 79888eec0327b4fbce5906fa7a90fefee4d58970
  9. Hi guys, we always say using crack and serial sites is very dangerous as most of the malware around today is distributed from those sites, but in the last few weeks they have been adding a file infector named Virut into the bundle, and this is coming from multiple keygen and crack sites. Virut will infect .exe and .scr files on the system, and once it gets on the machine the only solution is to format and reinstall Windows. You can attempt to clean it using whatever antivirus program you can think of, but the AV programs will also be attacked by the virus; even if they are able to disinfect the files you will find that most of them will not function or run correctly because they have been corrupted by the virus, and due to its process injection features, such as injecting into winlogon.exe, the virus will regenerate after running the scans and reinfect the files. Apart from the damage Virut causes it will also open a backdoor on the machine to allow the attacker full access, so the only safe solution is to format and reinstall, and with it being a file infector it's not even possible to back up any data before doing that. Please consider the consequences before visiting or downloading any files from crack, serial and keygen sites, or even accepting those type of files from friends, as this is about as bad as it gets. Sample Kaspersky scan log attached. No surprises where it came from on that system:
     G:\keygen.exe Infected: Virus.Win32.Virut.l
     Kav.txt
  10. There's not much you can do AJ once your email address gets on the spam lists, except hope most of them are caught by the spam filter.
     http://www.secureworks.com/media/press_rel...70802-botstorm/
     http://www.informationweek.com/windows/sho...cleID=201311245
  11. Good choice AJ, as the page will contain exploit scripts which will attempt to load infections as soon as it's opened. The recent variants are patching tcpip.sys to load trojan files, so it doesn't need other startup entries or show in tools like HJT. http://www.sophos.com/security/blog/2007/07/419.html They've recently changed tactics to spam all sorts of messages, but it's essentially the same junk. http://www.f-secure.com/weblog/#00001255
  12. AndyManchesta

    mic's log

    Hi Mic, it's no bother Mic, we are happy to help. For SFP.exe just skip that part, as a lot of those files should be genuine; one's connected to Gromozon and another is maybe an adware installer, but we can run another scan a bit later to see if there are problems. There's probably still an active Gromozon infection, so removing that is the main concern for now. Let me know if you have any problems with the remaining steps. Cheers
  13. You're welcome Luc, I'm glad we could help. Happy surfing. Andy
  14. Hi Luc, that looks fine. You can now delete all the tools and files we used:
     LinkOptCheck <-- Folder
     LinkOptFix <-- Folder
     C:\Avenger <-- Folder
     requested-files[Date/Time].cab <-- Folder
     Avenger.exe <-- File
     LinkOptFix.exe <-- File
     SFP.exe (Suspicious File Packer) <-- File
     fix.reg <-- File
     Gromozon Remover <-- File
     Check.bat <-- File
     Check.txt <-- File
     uninstall_list.txt <-- File
     C:\avenger.txt <-- File
     C:\user.txt <-- File
     C:\regresult.txt <-- File
     C:\Gromozon_removal log <-- File
     You have multiple versions of Java installed, so all the older versions can be removed. It's common for them to leave older versions on the system when it upgrades, which can take up a lot of space and are not needed. To remove them go to the Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove:
     J2SE Runtime Environment 5.0 Update 6
     J2SE Runtime Environment 5.0 Update 10
     J2SE Runtime Environment 5.0 Update 11
     Java SE Runtime Environment 6 Update 1
     Just leave Java 6 Update 2 on the machine as that is the latest version.
     I'll add a few basic steps below to help avoid further infections:
     Consider installing SpywareBlaster. SpywareBlaster can help prevent malware installing by adding hundreds of malicious sites to the Restricted zone of IE and blocking the common spyware ActiveX controls, which prevents the installation of any of them via webpages. A tutorial on using SpywareBlaster may be found here.
     Avoid illegal sites such as warez, cracks, serials etc., because that's where most malware is present.
     Don't click on any links inside popups, spam email messages or Instant Messenger programs.
     Download free software only from sites you know and trust.
     Make sure to run your antivirus software regularly, and to keep it up to date, and also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/
     Please also read Tony Klein's excellent article: So how did I get infected in the first place?
     Hopefully these steps will lower the chances of getting more malware issues, but just let us know if you have questions or problems again anytime. Regards, Andy
  15. AndyManchesta

    mic's log

    Hi Mic, thanks for your patience. These auto analysis sites are really no use at all these days; there's far too many infections around that do not show any signs in HijackThis, so although it's probably OK to give them a try as part of a clean-up process, it would be dangerous to believe that the system is clean based on their results. There's infections that add rootkit components so their entries will not show in logs, infections that use Microsoft company details in their service files so HijackThis regards them as safe and doesn't list them, infections that hide all entries for certain areas such as Winlogon and BHO entries so HijackThis doesn't show them, and infections that run from areas that HijackThis doesn't check, such as the Installed Components key, so I wouldn't recommend using the auto analysis sites if anyone feels they have been infected. Do you know what entries they suggested you remove? If you're not sure it should show in the backups area (Start HijackThis > click open the Misc Tools section > click Backups), then briefly type what they contain so I can make sure they needed to be removed. We will be repeating a lot of the steps you noticed in Leluc's post now, as it's the same infection.
    Please download the Suspicious File Packer from Safer-Networking.org and unzip it to your desktop. Run SFP.exe. Please copy the following lines into the Step 1: Paste Text window:
        C:\WINDOWS\com3.rjy
        C:\WINDOWS\EXPLORER(2).EXE
        C:\WINDOWS\GPInstall.exe
        C:\WINDOWS\system32\CSRSS(3).EXE
        C:\WINDOWS\system32\CTFMON(2).EXE
        C:\WINDOWS\system32\LSASS(3).EXE
        C:\WINDOWS\system32\SPOOLSV(2).EXE
        C:\WINDOWS\system32\SVCHOST(3).EXE
    then click "Continue". This will create a .cab file on your desktop named requested-files[Date/Time].cab. Please then visit the below link:
    http://www.bleepingcomputer.com/submit-mal....php?channel=27
    In the "Link to topic where this file was requested:" area type Ccleaners, click Browse and then locate the requested-files.cab archive on your desktop, then click Send File. Once it shows, you can then close the Bleeping Computer window and continue with the steps below.
    Download the Gromozon remover from here: http://www.prevx.com/gromozon.asp Run the tool and follow the prompts; click No if it prompts you to install Prevx, as it's a trial version and isn't required here. When it's finished please post the c:\gromozon_removal.log into your next reply.
    Go to Start > Run > copy and paste
        cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt
    Press OK and post the contents of the C:\user.txt file back on here.
    Go to Start > Run > copy and paste
        cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt
    Press OK and post the contents of the C:\regresult.txt back.
    Finally download GetServices from HERE. Extract the zip file, then open the getservice folder and double-click getservice.bat; when it is completed a Notepad will open with a lot of information. Please attach that into your next post.
    Please copy/paste or attach the logs into your next reply together with a new HijackThis log. Let us know if you have any problems. Andy
  16. Hi Luc, that looks good, just a few leftover files to remove, but I'd like you to run the Gromozon remover again to make sure it's now showing clear.
     1. Please download The Avenger by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.
     2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C):
          Files to Delete:
          C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR1.tmp
          C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR2.tmp
          C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR3.tmp
          C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR4.tmp
          C:\Documents and Settings\Administrateur\Local Settings\Temp\PXR5.tmp
     3. Now, start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script". Paste the text copied to clipboard into this window by pressing (Ctrl+V). Click Done. Now click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.
     4. The Avenger will automatically do the following: It will restart your computer. On reboot, it will briefly open a black command window on your desktop; this is normal. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
     5. Please copy/paste the content of c:\avenger.txt into your reply.
     Open Notepad (Start Menu > Run > type notepad and press OK). Copy and paste the contents of the code box into Notepad:
          dir /b/s/a-d "%commonprogramfiles%\*.exe">>Check.txt
          Notepad Check.txt
          del /q Check.txt
     Go to File on the top bar and choose Save As, change the Save As Type to All Files, name it Check.bat, then save it to your desktop. Double-click Check.bat and it will check for .exe files then open the results in Notepad; if there is any information in the Notepad file please post the contents of that (Check.txt) back on the forum.
     Finally generate a report of the Add/Remove screen entries: Open HijackThis and click the Misc Tools button. Then click the Open Uninstall Manager... button. The Add/Remove Programs Manager panel should appear. In this panel click the Save list button. Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.
     Post back the logs and let us know if you're still having any problems. Thanks, Andy
  17. Hopefully this will be the last scanner we need to use though, as its detection rate is excellent. I'll get an email notification when you reply, so we can continue either later tonight or tomorrow. Andy
  18. Try Deckard's Association Fix Tool (DAFT) to make sure none of the file associations are damaged: http://www.techsupportforum.com/sectools/Deckard/daft.exe Double-click the daft.exe icon. Read the disclaimer and click OK. Click on the Scan button, then save the logfile. This will save as daft.txt, which you can then post back if it finds any problems. Andy
  19. Just delete these files then:
     C:\WINDOWS\apisv.exe
     C:\WINDOWS\msgh.exe
     C:\WINDOWS\system32\atlws32.exe
     C:\WINDOWS\system32\ntlg.exe
     If you have problems finding them, set Windows to show hidden and system files: Click Start. Go to My Computer then the C: drive. Select the Tools menu from the top bar and click Folder Options. Select the View tab. Under the Hidden files and folders heading select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option. Click Yes to confirm, then OK. Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button, then click Apply and OK.
     Regarding Kaspersky, it will take a long time to scan but please allow it to finish, as it will help us to see if there's any remaining problems on your system. You have had a nasty rootkit infection, so it's important to make sure there are no additional trojans now that has been removed. Thanks
  20. Hi Luc, the Gromozon remover has done a great job there. None of the files were packed correctly by the Suspicious File Packer though, except PATCH.EXE, which is a legit file from Trend Micro, so could you try uploading them at VirusTotal. Visit VirusTotal, open the scan site and copy and paste this into the Upload a File area (next to Browse):
     C:\WINDOWS\apisv.exe
     Then click Send File, wait until all the results are shown and it shows Finished in the current status area, then copy and paste the full results to Notepad (Start > Run > type Notepad and press OK). Then click Another file, which will appear below the scan window after it's finished scanning the file, and repeat the steps to scan these files one at a time:
     C:\WINDOWS\msgh.exe
     C:\WINDOWS\system32\atlws32.exe
     C:\WINDOWS\system32\ntlg.exe
     Again copy and paste the scan results into a Notepad file when the scan is complete, then copy and paste the results from each file back on here. If the scanner shows they are 0 bytes when you attempt to upload them, let us know.
     Go to Start > Run > and copy and paste
          sc delete UpdHab
     Press OK and you will just notice the cmd screen flash on then off again, and the service will be removed.
     Open Notepad (Start Menu > Run > type notepad and press OK), then copy and paste the contents of the code box into Notepad, making REGEDIT4 the top line:
          REGEDIT4

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
          "UYpqSqP"=-
     Go to File on the top bar of Notepad and choose Save As; in the Save As Type area change it to All Files, then name it fix.reg and save it to your desktop. Double-click fix.reg (or right-click and choose Merge) and allow it to be merged into the registry, which will remove the entry.
     Please then run a scan with Kaspersky's scanner to make sure there are no remaining malware problems. Run Kaspersky WebScanner: Please go HERE and click Kaspersky Online Scanner. Read and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky; click Yes. If you see a Windows dialog asking if you want to install this software, click the Install button. The program will launch and then begin downloading the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it. Click on the Scan Settings button, and in the next window select the Extended database, and click OK. Under "Please select a target to scan:", click My Computer to start the scan. When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, then close the Kaspersky On-line Scanner window. Cheers
  21. Hi Mic, welcome to the forum. I've asked one of the moderators for this area of the site to split your post into a new topic to prevent confusing this thread; once that's done I'll be happy to assist you in removing anything that remains. Thanks
  22. Hi Luc, thanks for the logs. There's still a few problems showing, so this will take a few steps to help you get the machine clean again.
     Run HijackThis and choose Do A System Scan, then place a check next to these entries:
          O2 - BHO: Class - {0A5F82EA-0DD1-4033-7C1A-F9F2F5775550} - C:\WINDOWS\uvwog1.dll (file missing)
          O23 - Service: UpdHab - Unknown owner - C:\Program Files\Fichiers communs\System\swA.exe
     Close all open browser and other windows except for HijackThis and press the Fix Checked button.
     Please download the Suspicious File Packer from Safer-Networking.org and unzip it to your desktop. Run SFP.exe. Please copy the following lines into the Step 1: Paste Text window:
          C:\WINDOWS\apisv.exe
          C:\WINDOWS\msgh.exe
          C:\WINDOWS\PATCH.EXE
          C:\WINDOWS\system32\atlws32.exe
          C:\WINDOWS\system32\ntlg.exe
          C:\Program Files\Fichiers communs\System\swA.exe
     then click "Continue". This will create a .cab file on your desktop named requested-files[Date/Time].cab. Please then visit the below link:
     http://www.bleepingcomputer.com/submit-mal....php?channel=27
     In the "Link to topic where this file was requested:" area type Ccleaners, click Browse and then locate the requested-files.cab archive on your desktop, then click Send File. Once it shows, you can then close that site and continue with the below steps.
     Download the Gromozon remover from here: http://www.prevx.com/gromozon.asp Run the tool and follow the prompts; click No if it prompts you to install Prevx, as it's a trial version and isn't required here. When it's finished please post the gromozon_removal.log into your next reply.
     Go to Start > Run > copy and paste
          cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt
     Press OK and post the contents of the C:\user.txt file back on here.
     Go to Start > Run > copy and paste
          cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt
     Press OK and post the contents of the C:\regresult.txt back.
     Please then upload the Requested-files.cab archive, post back the Gromozon_removal log, C:\user.txt and C:\regresult.txt, then we can take it from there. Thanks, Andy
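The two outputs these posts ask for (the `net user` listing and the `regedit /a` export of the Winlogon SpecialAccounts\UserList key) can be cross-checked by script. The following is an added Python example, not code from the thread or from any of the tools it names: it parses constructed samples of both outputs, flags accounts that the UserList key hides from the logon screen (a dword value of 0), and builds a REGEDIT4 file that removes those values in the same way as the fix.reg used earlier in the thread. The account names and the baseline of built-in hidden accounts are assumptions for the sample.

```python
# Added example (not from the thread): parse the regedit /a export of the
# SpecialAccounts\UserList key and the `net user` output requested above, and
# flag local accounts the key hides from the logon screen (dword 0 = hidden).
import re

# Constructed sample of what regedit /a writes for the key (REGEDIT4 format).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"UYpqSqP"=dword:00000000
"SUPPORT_388945a0"=dword:00000000
"""

# Constructed sample of `net user` output on the same machine.
SAMPLE_NET_USER = """
User accounts for \\\\WORKSTATION

-------------------------------------------------------------------------------
Administrateur           Guest                    HelpAssistant
SUPPORT_388945a0         UYpqSqP
The command completed successfully.
"""

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# Accounts Windows XP hides by default; assumed here as the expected baseline.
BUILTIN_HIDDEN = {"HelpAssistant", "SUPPORT_388945a0"}


def parse_userlist_export(text):
    """Return {account: dword} for values under the UserList key only."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == f"[{USERLIST_KEY}]"
        elif in_key and (m := VALUE_RE.match(line)):
            values[m.group(1)] = int(m.group(2), 16)
    return values


def parse_net_user(text):
    """Return the set of account names listed between the dashes and the trailer."""
    names, collecting = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            collecting = True
        elif line.startswith("The command completed"):
            break
        elif collecting:
            names.update(line.split())
    return names


def find_hidden_accounts(reg_text, net_user_text, baseline=BUILTIN_HIDDEN):
    """Accounts that exist, are hidden (dword 0) and are not an expected built-in."""
    hidden = parse_userlist_export(reg_text)
    present = parse_net_user(net_user_text)
    return sorted(n for n, v in hidden.items()
                  if v == 0 and n in present and n not in baseline)


def fix_reg_for(names):
    """REGEDIT4 text that deletes those UserList values, as the thread's fix.reg does."""
    body = ["REGEDIT4", "", f"[{USERLIST_KEY}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\r\n".join(body)


if __name__ == "__main__":
    found = find_hidden_accounts(SAMPLE_REG, SAMPLE_NET_USER)
    print("Hidden accounts outside the baseline:", found)
    print(fix_reg_for(found))
```

On a real machine, feed it the C:\regresult.txt and C:\user.txt files the steps above produce; a hit only means the account is hidden from the logon screen, so confirm what it is before removing it.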