Full Version: Trojan Horse VB.KL
macaddict
I am not sure if any threads about this virus have been opened yet,
but all my hard disks have been infected by this virus.
I tried deleting it with AVG, but it doesn't help.
The virus is still there.
For every folder on my hard disk, an AutoCAD Script file for that folder appears.
Is there any other way I could delete the virus without reformatting my PC?
Thanks for the help
R4yMoNd
Try using Kaspersky instead. The last time I used AVG my PC was still infected with the Brontok virus.
jayzac
Try searching Google for the virus; I think there should be a solution offered there.
macaddict
QUOTE(jayzac @ Aug 15 2008, 01:45 AM)
Try searching Google for the virus; I think there should be a solution offered there.

I tried searching for it on Google before posting here.
Not much info about this virus.
Sighs

eclectice
The so-called AutoCAD script file is actually a file with a .SCR extension, which is not a valid AutoCAD script file format but a 40KB virus file that uses the .SCR extension to deceive the user. The .SCR extension is also normally used by screensaver files.

http://benthenk.blogspot.com/2007/06/cara-...t4sy-virus.html

http://www.mail-archive.com/daarut-tauhiid...m/msg00377.html (in Indonesian language)

http://www.compactbyte.com/brontok/ (in Indonesian language)
sUBs
Upload one of those .scr files here > http://www.bleepingcomputer.com/submit-malware.php?channel=4

I shall take a closer look at it.
macaddict
QUOTE(sUBs @ Aug 15 2008, 02:50 AM)
Upload one of those .scr files here > http://www.bleepingcomputer.com/submit-malware.php?channel=4
I shall take a closer look at it.

Uploaded the file already.
Thank you
((:
macaddict
QUOTE(eclectice @ Aug 15 2008, 02:05 AM)
The so-called AutoCAD script file is actually a file with a .SCR extension, which is not a valid AutoCAD script file format but a 40KB virus file that uses the .SCR extension to deceive the user. The .SCR extension is also normally used by screensaver files.

http://benthenk.blogspot.com/2007/06/cara-...t4sy-virus.html

http://www.mail-archive.com/daarut-tauhiid...m/msg00377.html (in Indonesian language)

http://www.compactbyte.com/brontok/ (in Indonesian language)

Yes, all the files are 40KB.
I tried deleting them but they appear again.
Shah_Etd
Try checking your startup entries and running processes for anything suspicious.
sUBs
QUOTE(macaddict @ Aug 15 2008, 09:20 AM)
Uploaded the file already.
Thank you
((:

Give me some time on it. I have some other infections on the test machines. I will look at yours after that.

Added on August 15, 2008, 9:23 pm
I need another file from you.

Do a search of your machine to look for a file named ...

CODE
Thumbs   .db

(3 blank spaces between 'Thumbs' and '.db')

If you find it, upload it to the same website as earlier on.

Also tell me how many copies you found. I only need 1 copy.
macaddict
QUOTE(sUBs @ Aug 15 2008, 07:16 PM)
Give me some time on it. I have some other infections on the test machines. I will look at yours after that.

Added on August 15, 2008, 9:23 pm
I need another file from you.

Do a search of your machine to look for a file named ...

CODE
Thumbs   .db

(3 blank spaces between 'Thumbs' and '.db')

If you find it, upload it to the same website as earlier on.

Also tell me how many copies you found. I only need 1 copy.

Hi there,
I've just uploaded the thumbs file.
There's one of these files on every hard drive:
C, D, E and my external hard disk (G).
jananan
Try McAfee Stinger.

Then try SDFix.exe.

Both are downloadable for free from the internet and are less than 2MB in size...

and they work great against most of these common infections.
sUBs
LOL ... that's not "thumbs   .db". That's thumbs.com.
It's an exact replica of the earlier file you uploaded. Let's try another angle.

Download & run this file > http://download.bleepingcomputer.com/sUBs/FindR.exe
It shall produce a log for you to post back here.


-----------

QUOTE
Then try SDFix.exe.


Andy makes a great tool, but I doubt he targets local infections like this.


jananan
QUOTE(sUBs @ Aug 18 2008, 02:30 AM)
LOL ... that's not "thumbs   .db". That's thumbs.com.
It's an exact replica of the earlier file you uploaded. Let's try another angle.

Download & run this file > http://download.bleepingcomputer.com/sUBs/FindR.exe
It shall produce a log for you to post back here.
-----------
Andy makes a great tool, but I doubt he targets local infections like this.

Sometimes you'll be surprised at the amount of malware/virus/trojan, whatever, that Andy's tool can detect... it keeps getting better all the time... I wonder if he'll release a real-time virus protection tool... haha... that's really a lot of work for one guy...
sUBs
Drop him an email to ask.

Uhm ... maybe not such a good idea to hold a conversation on someone else's thread.
macaddict
QUOTE(sUBs @ Aug 18 2008, 02:30 AM)
LOL ... that's not "thumbs   .db". That's thumbs.com.
It's an exact replica of the earlier file you uploaded. Let's try another angle.

Download & run this file > http://download.bleepingcomputer.com/sUBs/FindR.exe
It shall produce a log for you to post back here.
-----------
Andy makes a great tool, but I doubt he targets local infections like this.

Oh well.
I think my problem is solved so far!
I tried the method mentioned here:
http://benthenk.blogspot.com/2007/06/cara-...t4sy-virus.html
After trying the method I scanned with AVG again,
and it seems the virus is all clear.
Thanks everyone
((((:
tan_pang
I'm impressed with step 7 in that blog post...

QUOTE
7.      Re-display the files/folders that the virus has hidden. To show the files/folders hidden by VbWorm.MYE you can use the command ATTRIB -s -h /s /d, making sure the cursor is at the root of each drive whose files/folders are to be displayed. (see figure 8)

Example:

C:\> ATTRIB -s -h /s /d

Displays the files/folders hidden by VBWorm.MYE

(Translated from Indonesian.)

Maybe my Malay is bad... does that mean he tells you to use attrib -s -h /s /d in every root drive??
sUBs
QUOTE
is that mean he tell you to use attrib -s -h /s /d in every root drive??

LOL .... that exposes all the Windows system files. MS set those attributes for good reasons. What you just did is irreversible. Only System Restore can undo it.
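A narrower alternative to the blog's step 7, added here as an example and not taken from the thread or from the linked blog post: instead of stripping System and Hidden from everything under each drive root, look only for folders that have a same-named `.scr` decoy sitting beside them (the pattern macaddict and eclectice describe above) and clear the two attributes on those folders alone. Windows' own +S +H directories have no such twin and are left untouched, which is exactly the damage sUBs is pointing at. The drive letters are the ones macaddict listed; the "`<Folder>.scr` next to `<Folder>`" naming rule and the 40 KB size are assumptions drawn from the posts, so run it without `-Fix` first and read the report. It needs PowerShell 3.0 or later for `-Directory`.

```powershell
# Added example (not from the thread or the linked blog). Assumptions: the worm drops a
# decoy named "<Folder>.scr" beside the real folder "<Folder>" and marks that folder
# +S +H; the drive letters are the ones macaddict listed. Needs PowerShell 3.0+.
param(
    [string[]] $Roots = @('C:\', 'D:\', 'E:\', 'G:\'),
    [switch]   $Fix      # without -Fix the script only reports
)

$hideBits = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$matched  = 0   # folders that have a same-named .scr twin
$spared   = 0   # +S +H folders with no twin, which "attrib -s -h /s /d" would also expose

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # -Force is required, otherwise hidden/system folders are silently skipped.
    $dirs = Get-ChildItem -LiteralPath $root -Recurse -Force -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        $isHidden = ([int]($dir.Attributes -band $hideBits) -ne 0)
        $decoy    = Join-Path $dir.Parent.FullName ($dir.Name + '.scr')

        if (-not (Test-Path -LiteralPath $decoy -PathType Leaf)) {
            # e.g. "System Volume Information": no decoy beside it, so leave it alone.
            if ($isHidden) { $spared++ }
            continue
        }

        $matched++
        $decoyItem = Get-Item -LiteralPath $decoy -Force
        [pscustomobject]@{
            Folder       = $dir.FullName
            Decoy        = $decoy
            DecoyKB      = [math]::Round($decoyItem.Length / 1KB)   # the thread reports 40 KB
            FolderHidden = $isHidden
        }

        if ($Fix -and $isHidden) {
            # Clear only Hidden and System on this one folder; every other attribute stays.
            $dir.Attributes = $dir.Attributes -band (-bnot $hideBits)
        }
    }
}

Write-Host ("Folders with a .scr twin: {0}; +S +H folders without one (left untouched): {1}" -f $matched, $spared)
```

Save it under any name (say `Find-ScrDecoys.ps1`, a name chosen for this example) and run it from an elevated prompt: without arguments it only lists the matched folders and their decoys, and `-Fix` also un-hides them. It deliberately does not delete the `.scr` files: as the thread shows, they reappear while the worm's process is still running, so check the startup entries and processes first (Shah_Etd's suggestion), let the AV remove the running component, and only then remove the decoys and the thumbs.com copies.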
tan_pang
QUOTE(sUBs @ Aug 18 2008, 09:17 PM)
LOL .... that exposes all the Windows system files. MS set those attributes for good reasons. What you just did is irreversible. Only System Restore can undo it.

LOL
Actually...... I was going to ask how to put the system and hidden attributes back on some files, and I'm glad that you have answered that...

However... step 3...
QUOTE
3.      If you are using Windows ME/XP, temporarily disable "System Restore" during the cleaning process
[http://www.norman.com/Virus/Articles/Articles_previous_years/25782/en-us]
(Translated from Indonesian.)
sUBs
It wasn't me who recommended that blog. Perhaps macaddict should ask the expert who wrote it.
redkord
lol.. it's Indonesian, not Malay.. but not that different..