
Virus/Malware Virus /Rootkits Thread, Work In Progress

Deani_77
post Aug 27 2008, 05:38 PM

Luaskan Kuasamu...
*******
Senior Member
3,250 posts

Joined: Nov 2006
From: Kuala Rompin, Pahang


QUOTE(bagata @ Jul 9 2008, 11:23 AM)
erm... sorry if it's inappropriate for this post to be here...

i wanna ask for help as my comp was infected by a trojan named PSW.OnlineGames.AWIU (threat detected by my AVG free version). is there any way to remove this trojan, as my AVG keeps detecting this trojan accessing my comp files... and another matter is that now i can't open my C and D drive directly; when i click the drive (C and D drive) a window will pop out (something like the "open with" window) and i have to access my C and D drive using the explore option...
*
Mine was infected by that virus too. Been detected by Eset. But a new problem occurred, I cannot enable the option to show my hidden files. Anybody have the solution?

jovi
post Sep 3 2008, 11:54 PM

New Member
*
Junior Member
15 posts

Joined: May 2005
From: Kuala Terengganu


QUOTE(bagata @ Jul 9 2008, 11:23 AM)
erm... sorry if it's inappropriate for this post to be here...

i wanna ask for help as my comp was infected by a trojan named PSW.OnlineGames.AWIU (threat detected by my AVG free version). is there any way to remove this trojan, as my AVG keeps detecting this trojan accessing my comp files... and another matter is that now i can't open my C and D drive directly; when i click the drive (C and D drive) a window will pop out (something like the "open with" window) and i have to access my C and D drive using the explore option...
*
QUOTE(Deani_77 @ Aug 27 2008, 05:38 PM)
Mine was infected by that virus too. Been detected by Eset. But a new problem occurred, I cannot enable the option to show my hidden files. Anybody have the solution?
*
hi,
for bagata's problem i think any new antivirus can handle that problem. it is actually a problem caused by a file named 'autorun.inf'. if the antivirus cannot delete the file, you can delete it manually. the file's attributes are hidden and system, so you need to show hidden files and uncheck 'hide protected operating system files' to see it. you'll be warned when you uncheck 'hide protected operating system files' but it's ok. when u find the file just delete it. restart the pc and then it'll be just fine.

but when u are infected by a kavo-like worm-trojan, it patches the ntdetect file so that you cannot see the hidden files. to solve this
you need to follow the instructions below. this tool can only be run on windows xp and 2000.


1. Disable “System Restore” on your System (Accessories > System Tools > System Restore)
2. Click here to download this file - kavo killer
3. Unzip and extract it anywhere
4. Restart your PC in safe mode (for WinXP, before the WinXP screen comes in, press F8 repeatedly until you come to the start-up options)
5. Locate the exe file and double-click on it
6. Click on the top right-most button (the only button with an icon)
user posted image
7. When finished. Reboot
8. Just to be sure, set your anti-virus to scan at boot time and restart again to make sure the Kavo.exe is no more

That’s it. Let me know if this post has helped you.

(courtesy of http://mrbadak.com/2008/01/11/remove-kavo-easily/)
Deani_77
post Sep 4 2008, 10:03 AM

Luaskan Kuasamu...
*******
Senior Member
3,250 posts

Joined: Nov 2006
From: Kuala Rompin, Pahang



Bro...

When I was downloading the kavo killer file, it was detected as containing a virus... How?


Added on September 5, 2008, 8:40 am
Found this while googling around looking for a solution to my problem. Hope this helps...



This post has been edited by Deani_77: Sep 5 2008, 08:41 AM
jovi
post Sep 5 2008, 11:01 AM

New Member
*
Junior Member
15 posts

Joined: May 2005
From: Kuala Terengganu


ok Deani, sorry for that. i did not check the file. BTW this should be ok. i uploaded it myself.

download link
http://rapidshare.com/files/142720162/kavo_killer.rar.html

i'm using kaspersky Internet security 2009 and it's ok. eset sometimes detects apps like this as a virus. i don't know why. but if it still detects it as a virus please turn off ur antivirus.

if u are worried about being infected, please change ur antivirus first.

please follow the instructions for further steps

hope this will do.

keep updating so i can give more support. TQ

bean_man
post Sep 7 2008, 12:16 AM

Casual
***
Junior Member
371 posts

Joined: Aug 2006


QUOTE(jovi @ Sep 5 2008, 11:01 AM)
ok Deani, sorry for that. i did not check the file. BTW this should be ok. i uploaded it myself.

download link
http://rapidshare.com/files/142720162/kavo_killer.rar.html

i'm using kaspersky Internet security 2009 and it's ok. eset sometimes detects apps like this as a virus. i don't know why. but if it still detects it as a virus please turn off ur antivirus.

if u are worried about being infected, please change ur antivirus first.

please follow the instructions for further steps

hope this will do.

keep updating so i can give more support. TQ
*
Hi Jovi,
asking the TS to disable his antivirus without checking first is bad advice. You should ask the TS to check the file content by uploading it to Jotti or Virustotal for results that are more affirmative.
jovi
post Sep 10 2008, 09:19 AM

New Member
*
Junior Member
15 posts

Joined: May 2005
From: Kuala Terengganu


QUOTE(bean_man @ Sep 7 2008, 12:16 AM)
Hi Jovi,
asking the TS to disable his antivirus without checking first is bad advice. You should ask the TS to check the file content by uploading it to Jotti or Virustotal for results that are more affirmative.
*
Thx bean_man for ur advice. it is actually my bad for advising Deani to do that, but i did that for a very good reason. i've been using the program for almost a year now for my virus removal service and it works just fine. even for the second link, i uploaded it myself. it's the same tool that i've been using for almost a year. the steps that i copied from the other site are the same steps that i have been using. it's just a fast way to write instructions without writing them myself.

BTW thx for ur advice. i'm sending this app to Jotti or Virustotal as u advised for more confirmation. i'm new here and looking forward to more replies. TQ


Added on September 10, 2008, 9:41 am
i've sent the file to Jotti and Virustotal and both give a partially bad result. some detected it as a trojan. but from my experience it will not affect your windows. i'm using Kaspersky Internet Security, which i've read is the no 1 internet security app for now, and KIS detects nothing. lastly it may be up to Deani to decide whether to try it or not. for me, b4 i found this tool, the only way to resolve the prob was to reinstall windows.

This post has been edited by jovi: Sep 10 2008, 09:41 AM
bean_man
post Sep 10 2008, 10:35 AM

Casual
***
Junior Member
371 posts

Joined: Aug 2006


QUOTE(jovi @ Sep 10 2008, 09:19 AM)
Thx bean_man for ur advice. it is actually my bad for advising Deani to do that, but i did that for a very good reason. i've been using the program for almost a year now for my virus removal service and it works just fine. even for the second link, i uploaded it myself. it's the same tool that i've been using for almost a year. the steps that i copied from the other site are the same steps that i have been using. it's just a fast way to write instructions without writing them myself.

BTW thx for ur advice. i'm sending this app to Jotti or Virustotal as u advised for more confirmation. i'm new here and looking forward to more replies. TQ


Added on September 10, 2008, 9:41 am
i've sent the file to Jotti and Virustotal and both give a partially bad result. some detected it as a trojan. but from my experience it will not affect your windows. i'm using Kaspersky Internet Security, which i've read is the no 1 internet security app for now, and KIS detects nothing. lastly it may be up to Deani to decide whether to try it or not. for me, b4 i found this tool, the only way to resolve the prob was to reinstall windows.
*
I DL'd the file and checked, and indeed it is a partial result. But the classification of trojan means to me that i should be wary about running it, as it could very well install a backdoor that you did not know about.
jovi
post Sep 10 2008, 12:05 PM

New Member
*
Junior Member
15 posts

Joined: May 2005
From: Kuala Terengganu


QUOTE(bean_man @ Sep 10 2008, 10:35 AM)
I DL'd the file and checked, and indeed it is a partial result. But the classification of trojan means to me that i should be wary about running it, as it could very well install a backdoor that you did not know about.
*
Yap u should be aware of that situation. maybe i'll start googling around the net to find a new, safer solution for this. it involves some registry modification, and maybe replacing the ntdetect file on the system using bart pe will do. But i'll try to find it first. TQ
Jass
post Sep 11 2008, 10:35 AM

New Member
*
Newbie
2 posts

Joined: May 2008
Hi All,

My pc was infected by a virus, i guess. When i shut down, it prompts me "rundll32.exe" not responding. When starting up, it will pop up "error loading c:\windows/system32/ccwld16_080326.dll" and "error loading c:\windows/system32/3fadll" saying that the specified module could not be found. My pc keeps popping up "error loading c\:windows/downlo~1/621sc.dll" when i'm using it.

Besides the above, when i surf the net, my IE freezes when i click on any link or when i type an address in the IE tab bar. For example: when i signed up for lowyat, i needed to confirm my registration by clicking a link from my email, but it froze and i had to use ctrl & alt to close it. Otherwise, it will freeze there loading. It causes lots of inconvenience to me.

I've scanned using Spyeraser but the free version only allows me to scan, with no removal provided. Other software like adaware, avg and avast can't help with my problem. Please refer to the log file below from the spyeraser software:

Start Date:September 10, 2008 at 03:06:45PM

End Date:September 10, 2008 at 03:12:24PM

Total Time:5 Mins 39 Secs
Detected Infections

Cookie.Tracking-Cookie
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user\Cookies\user@xiti[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[4].txt

Cookie.DoubleClick
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt

Malware (General Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\system32\kavo1.dll
MD5: b60e1b788b0d248305dff1a7e4cc6048 (187392 Bytes)

FileName: c:\windows\system32\kavo.exe
MD5: 6651fcbbcb100f9b608e47a503588690 (117194 Bytes)

FileName: c:\windows\system32\kavo0.dll
MD5: b859812358da146372ff243edc8341a3 (187392 Bytes)
Infected registry keys/values detected
hkey_classes_root\appid\activex.dll\
hkey_classes_root\appid\activex.dll\appid\
hkey_classes_root\iehpr.invoke.1\
hkey_classes_root\iehpr.invoke\
hkey_local_machine\software\classes\iehpr.invoke.1\clsid\
hkey_local_machine\software\classes\iehpr.invoke.1\
hkey_local_machine\software\classes\iehpr.invoke\clsid\
hkey_local_machine\software\classes\iehpr.invoke\curver\
hkey_local_machine\software\classes\iehpr.invoke\


Details:
Status:No Action taken
Category:




RCS.TeamViewer
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.current\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.default\

RCS.TightVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_deferral\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_getupdaterect\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_keypress\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_lbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_mbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_rbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_timer\
hkey_current_user\software\orl\vnchooks\application_prefs\
hkey_current_user\software\orl\winvnc3\autoportselect\
hkey_current_user\software\orl\winvnc3\idletimeout\
hkey_current_user\software\orl\winvnc3\inputsenabled\
hkey_current_user\software\orl\winvnc3\localinputsdisabled\
hkey_current_user\software\orl\winvnc3\locksetting\
hkey_current_user\software\orl\winvnc3\onlypollconsole\
hkey_current_user\software\orl\winvnc3\onlypollonevent\
hkey_current_user\software\orl\winvnc3\password\
hkey_current_user\software\orl\winvnc3\passwordviewonly\
hkey_current_user\software\orl\winvnc3\pollforeground\
hkey_current_user\software\orl\winvnc3\pollfullscreen\
hkey_current_user\software\orl\winvnc3\pollundercursor\
hkey_current_user\software\orl\winvnc3\removewallpaper\
hkey_current_user\software\orl\winvnc3\socketconnect\
hkey_local_machine\software\orl\winvnc3\default\

Adware.FlashEnhancer
Details: Adware programs secretly embed themselves on the victim's computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected registry keys/values detected
hkey_current_user\software\xml\

RCS.UltraVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\eventlabels\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\
hkey_current_user\software\orl\winvnc3\
hkey_local_machine\software\orl\winvnc3\

RAT.WinVNC-based.h
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart/shutdown the system and even format the hard drive of the victim's machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\winvnc3\querysetting\
hkey_current_user\software\orl\winvnc3\querytimeout\

RAT (General Components)
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart/shutdown the system and even format the hard drive of the victim's machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\

RCS.RealVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_local_machine\software\orl\

Malware.Malware-(General-Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\6.tmp
MD5: d41d8cd98f00b204e9800998ecf8427e (0 Bytes)

Trojan-Downloader (General Components)
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user's system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\windows\2.tmp
MD5: 4316e55df1b80f5bd5f143bfffd271ef (24576 Bytes)

Trojan-Downloader.Adload.ko
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user's system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml23.tmp
MD5: 58f95f1d32ffdfb817600d73a259ce8c (450560 Bytes)

FileName: c:\documents and settings\user\local settings\temp\cml3a.tmp
MD5: ce3a554190f6f1b89ef686a654855dac (860160 Bytes)

Adware.bho.jw
Details: Adware programs secretly embed themselves on the victim's computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml25.tmp
MD5: 604f615bf7963c2f7015db84236b646c (450560 Bytes)




--------------------------------------------------------------------------------

Start Date:September 11, 2008 at 10:23:46AM

End Date:September 11, 2008 at 10:27:52AM

Total Time:4 Mins 6 Secs
Detected Infections

Cookie.Tracking-Cookie
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user\Cookies\user@xiti[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[4].txt
C:\Documents and Settings\user\Cookies\user@apmebf[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[5].txt

Cookie.FastClick.com
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@fastclick[2].txt

Cookie.BS.Serving-Sys
Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
Status:No Action taken
Category: Tracking Cookie



Infected Cookies
C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt

RCS.TeamViewer
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.current\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\.default\

RCS.TightVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_deferral\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_getupdaterect\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_keypress\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_lbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_mbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_rbuttonup\
hkey_current_user\software\orl\vnchooks\application_prefs\winvnc.exe\use_timer\
hkey_current_user\software\orl\vnchooks\application_prefs\
hkey_current_user\software\orl\winvnc3\autoportselect\
hkey_current_user\software\orl\winvnc3\idletimeout\
hkey_current_user\software\orl\winvnc3\inputsenabled\
hkey_current_user\software\orl\winvnc3\localinputsdisabled\
hkey_current_user\software\orl\winvnc3\locksetting\
hkey_current_user\software\orl\winvnc3\onlypollconsole\
hkey_current_user\software\orl\winvnc3\onlypollonevent\
hkey_current_user\software\orl\winvnc3\password\
hkey_current_user\software\orl\winvnc3\passwordviewonly\
hkey_current_user\software\orl\winvnc3\pollforeground\
hkey_current_user\software\orl\winvnc3\pollfullscreen\
hkey_current_user\software\orl\winvnc3\pollundercursor\
hkey_current_user\software\orl\winvnc3\removewallpaper\
hkey_current_user\software\orl\winvnc3\socketconnect\
hkey_local_machine\software\orl\winvnc3\default\

Adware.FlashEnhancer
Details: Adware programs secretly embed themselves on the victim's computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected registry keys/values detected
hkey_current_user\software\xml\

RCS.UltraVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_current_user\appevents\eventlabels\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\vncviewerbell\
hkey_current_user\appevents\schemes\apps\vncviewer\
hkey_current_user\software\orl\winvnc3\
hkey_local_machine\software\orl\winvnc3\

RAT.WinVNC-based.h
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart/shutdown the system and even format the hard drive of the victim's machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\winvnc3\querysetting\
hkey_current_user\software\orl\winvnc3\querytimeout\

RAT (General Components)
Details: A remote administration tool is a program that enables a user to control a system remotely. It can access files, restart/shutdown the system and even format the hard drive of the victim's machine. Such programs are basically used by administrators of a network to keep a watch on the peers. It generally works in the stealth mode and can start automatically at system boot-up. This program may pose grave security and privacy threats and hence the user is advised to remove this program from the system if not installed for a legitimate purpose.
Status:No Action taken
Category: Remote Administration Tool



Infected registry keys/values detected
hkey_current_user\software\orl\vnchooks\

Malware (General Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\system32\kavo.exe
MD5: 6651fcbbcb100f9b608e47a503588690 (117194 Bytes)

FileName: c:\windows\system32\kavo0.dll
MD5: b859812358da146372ff243edc8341a3 (187392 Bytes)

FileName: c:\windows\system32\kavo1.dll
MD5: b60e1b788b0d248305dff1a7e4cc6048 (187392 Bytes)
Infected registry keys/values detected
hkey_classes_root\appid\activex.dll\
hkey_classes_root\appid\activex.dll\appid\

RCS.RealVNC
Details: A Remote Control Software is a network program that is used by administrators to control computers in a network from a remote location. Though not harmful in itself but if used with malicious intent, such programs may cause damage to system files and other data. Hence, users are advised to remove this program from their system immediately upon detection.
Status:No Action taken
Category: RemoteControlSoftware



Infected registry keys/values detected
hkey_local_machine\software\orl\

Malware.Malware-(General-Components)
Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
Status:No Action taken
Category: Malware (General)



Infected files detected

FileName: c:\windows\6.tmp
MD5: d41d8cd98f00b204e9800998ecf8427e (0 Bytes)

Trojan-Downloader (General Components)
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user's system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\windows\2.tmp
MD5: 4316e55df1b80f5bd5f143bfffd271ef (24576 Bytes)

Trojan-Downloader.Adload.ko
Details: A Trojan Downloader is a program that is usually installed through an exploit or some other erroneous channels. The key objective of this program is to download malevolent code or other malwares and unwanted softwares on the user's system. Downloaders can also be written in script languages such as VB Script and Java Script. These programs often make use of Microsoft Internet Explorer vulnerabilities. A Trojan downloader, when executed, normally installs itself on to the system and waits for the user to connect to the Internet. Once the internet connection is available, it endeavors to connect to a web or ftp site, download specific file or files and run them. These downloaded files may harm the system and result in malfunctioning of the system.
Status:No Action taken
Category: Trojan-Downloader



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml23.tmp
MD5: 58f95f1d32ffdfb817600d73a259ce8c (450560 Bytes)

FileName: c:\documents and settings\user\local settings\temp\cml3a.tmp
MD5: ce3a554190f6f1b89ef686a654855dac (860160 Bytes)

Adware.bho.jw
Details: Adware programs secretly embed themselves on the victim's computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:No Action taken
Category: Adware



Infected files detected

FileName: c:\documents and settings\user\local settings\temp\cml25.tmp
MD5: 604f615bf7963c2f7015db84236b646c (450560 Bytes)

Can anyone suggest what I should do to delete the virus DIY? FYI this is a company PC and we will be issued a warning letter if our PC is found to be infected by a virus.

Your assistance on the above is highly appreciated.

Thank you.






Jass
post Sep 11 2008, 11:00 AM

New Member
*
Newbie
2 posts

Joined: May 2008
QUOTE(HanevE @ Dec 22 2007, 08:34 AM)
Since many AVs can't detect KAVO / NTDELECT, I've shown how to remove it manually

~~~~~~~~~~~~~
Remove kavo / kava / ntdelect

**DELETE**

run CMD,

Type this to show hidden and system files, since your regedit and folder options have been messed up by kavo0.dll:
CD \windows\system32
ATTRIB kavo.exe -R -A -S -H
ATTRIB kavo0.dll -R -A -S -H
ATTRIB kavo1.dll -R -A -S -H

Delete
"\windows\system32\kavo.exe", 
"\windows\system32\kavo0.dll", 
"\windows\system32\kavo1.dll"
by using unlocker (DL Here)

**REGISTRY**

Change Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
"CheckedValue" to 2
"DefaultValue" to 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" to 1
"DefaultValue" to 2
*
Hi,
I failed to perform the above. When I type in attrib kavo.exe -r -a -s -h after running CMD as instructed, it says "file not found - kavo.exe". I've scanned my PC using SpyEraser; it listed the infected files as:
c:\windows\system32\kavo1.dll
c:\windows\system32\kavo.exe
c:\windows\system32\kavo0.dll

Please refer to the attached log file.

Now, my PC has a problem clicking links from websites. It freezes when I click on a link. I have to use Ctrl & Alt to close IE, otherwise my PC will hang.


Attached File(s)
Attached File  log_file.htm ( 36.63k ) Number of downloads: 43
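For anyone stuck at the same step as Jass, here is an added PowerShell script that checks the same things HanevE's quoted instructions cover. It is my own example, not code from HanevE's or Jass's post: it lists the kavo files from the scan log even when they carry Hidden+System attributes (the reason a plain dir does not show them), and it compares the two Folder Options registry keys quoted above against the values the post says to set, restoring them if they differ. It assumes Windows PowerShell run as Administrator; the key paths, value names and numbers are exactly those in the quoted post.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell.
# Checks the files named in the scan log and the Folder Options values from
# HanevE's post, and restores the values if kavo0.dll has changed them.

function Find-KavoFiles {
    # -Force is what makes Hidden/System files show up; 'file not found' from
    # a plain dir does not mean the file is gone.
    Get-ChildItem -Path "$env:windir\System32" -Filter 'kavo*' -Force -ErrorAction SilentlyContinue |
        Select-Object Name, Length, Attributes
}

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'

# Expected values, as given in the quoted post.
$expected = @{
    "$base\NOHIDDEN" = @{ CheckedValue = 2; DefaultValue = 2 }
    "$base\SHOWALL"  = @{ CheckedValue = 1; DefaultValue = 2 }
}

function Test-FolderOptionValues {
    # Returns a list of mismatches; an empty list means nothing was tampered with.
    $mismatches = @()
    foreach ($key in $expected.Keys) {
        if (-not (Test-Path $key)) { $mismatches += "$key (key missing)"; continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $expected[$key].Keys) {
            $want = $expected[$key][$name]
            $have = $props.$name
            if ($have -ne $want) { $mismatches += "$key\$name = $have (expected $want)" }
        }
    }
    return $mismatches
}

function Repair-FolderOptionValues {
    # Writes the expected DWORD values back, creating the key if it was deleted.
    foreach ($key in $expected.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $expected[$key].Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $expected[$key][$name] -Type DWord
        }
    }
}

Write-Host 'kavo* files in System32 (including hidden/system):'
Find-KavoFiles | Format-Table -AutoSize

$bad = @(Test-FolderOptionValues)
if ($bad.Count -eq 0) {
    Write-Host 'Folder Options hidden-file values are intact.'
} else {
    $bad | ForEach-Object { Write-Host "Tampered: $_" }
    Repair-FolderOptionValues
    Write-Host 'Values restored; reopen Folder Options (or log off) to see the change.'
}
```

If Find-KavoFiles lists the files but Test-FolderOptionValues reports nothing, the malware is still present and only the visible symptom was fixed; if the values are tampered with again after a reboot, the process writing them is still running and the files need to be removed first, as the quoted post describes.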
bean_man
post Sep 11 2008, 04:01 PM

Casual
***
Junior Member
371 posts

Joined: Aug 2006


QUOTE(Jass @ Sep 11 2008, 11:00 AM)
Hi,
I failed to perform the above. When I type in attrib kavo.exe -r -a -s -h after running CMD as instructed, it says "file not found - kavo.exe". I've scanned my PC using SpyEraser; it listed the infected files as:
c:\windows\system32\kavo1.dll
c:\windows\system32\kavo.exe
c:\windows\system32\kavo0.dll

Please refer to the attached log file.

Now, my PC has a problem clicking links from websites. It freezes when I click on a link. I have to use Ctrl & Alt to close IE, otherwise my PC will hang.
*
Looking at this, I would suggest that you look for an emergency boot CD such as the Avira Rescue System CD, burn a copy and run that. Run a scan and it should pick some of the viruses up. But bear in mind that you may lose some functionality, as the damage from the virus would most likely already be done.
sgwc
post Nov 4 2008, 12:31 PM

New Member
*
Junior Member
18 posts

Joined: Jan 2006
From: inside a palace with ephemeral darkness embrace


I need help regarding my situation right now. To keep it simple, I'll write the details in points.

EDITED:

1. There's a shady program running on my PC. I found it in my Task Manager and the program is tyjkfww.exe or something like that. So I just kill the process, but it still keeps on opening itself.

2. The "virus" is disabling my antivirus. I even found out that my antivirus's .exe file has been deleted.

3. I noticed that I have that program "tyjkfww.exe" in the root folder of every drive (like C:\, D:\, except for the CD/DVD-ROM drive) with its own autorun.inf. Yeah, they're hidden, but luckily my ACDSee program can 'see' them. I tried to unhide them but can't, because they keep on hiding. I tried to delete them but they still exist. And here I thought that there is no use for me to format my PC.

4. I also noticed that the program "tyjkfww.exe" will not open if I use "right click --> Explore" on a root folder rather than double-clicking the root folder.

5. I still have my Folder Options, but can't unhide hidden files and folders.

6. I can no longer view any pictures using the usual Windows picture preview.

Are there any cleaners for this?

Oh my... I keep on editing my post...

7. It seems that my PC keeps on utilizing its CPU at 50% even though I have closed all programs.

This post has been edited by sgwc: Nov 4 2008, 12:40 PM
bean_man
post Nov 5 2008, 09:56 AM

Casual
***
Junior Member
371 posts

Joined: Aug 2006


QUOTE(sgwc @ Nov 4 2008, 12:31 PM)
I need help regarding my situation right now. To keep it simple, I'll write the details in points.

EDITED:

1. There's a shady program running on my PC. I found it in my Task Manager and the program is tyjkfww.exe or something like that. So I just kill the process, but it still keeps on opening itself.

2. The "virus" is disabling my antivirus. I even found out that my antivirus's .exe file has been deleted.

3. I noticed that I have that program "tyjkfww.exe" in the root folder of every drive (like C:\, D:\, except for the CD/DVD-ROM drive) with its own autorun.inf. Yeah, they're hidden, but luckily my ACDSee program can 'see' them. I tried to unhide them but can't, because they keep on hiding. I tried to delete them but they still exist. And here I thought that there is no use for me to format my PC.

4. I also noticed that the program "tyjkfww.exe" will not open if I use "right click --> Explore" on a root folder rather than double-clicking the root folder.

5. I still have my Folder Options, but can't unhide hidden files and folders.

6. I can no longer view any pictures using the usual Windows picture preview.

Are there any cleaners for this?

Oh my... I keep on editing my post...

7. It seems that my PC keeps on utilizing its CPU at 50% even though I have closed all programs.
*
Please post this on the tech support corner. A malware helper will aid you.
Benny-T
post Nov 8 2008, 12:51 AM

Casual
***
Junior Member
450 posts

Joined: Aug 2008
From: Ipoh,Perak


Has anyone encountered this problem before?
swsyorn.exe
I can't open up my System Restore; it'll close it down immediately.
Same goes for antivirus.
It disabled my Safe Mode as well.
radioactive
post Nov 24 2008, 05:55 PM

Regular
******
Senior Member
1,857 posts

Joined: Dec 2005
Guys.... I found out about ComboFix, written by sUBs; it's pretty good.
Warning: it's very good, but it's rather intrusive in its way.

It changes my desktop and closes everything before running, but everything will be back to normal after a restart. I was infected with a Win32/Heur type virus. It blocked my AVG from updating and blocked most rootkit scanners from installing. I downloaded it from my laptop and copied it onto my PC... changed it to a generic name so that the virus doesn't detect it.

It killed the rootkit on the first run, then I left the rest of the cleaning job to my AVG.
waruna
post Nov 25 2008, 10:28 PM

On my way
****
Junior Member
542 posts

Joined: Mar 2005
From: Cyberjaya | Kota Bharu | Republic of Terengganu



Is it true we have to have a very good internet connection to update Kaspersky antivirus?
Faiza|
post Nov 30 2008, 02:26 PM

Getting Started
**
Junior Member
117 posts

Joined: Feb 2006
From: Ipoh


Sifu(s),

My laptop has been infected with the worm.win32.autorun.scw virus.
I got the virus name after I scanned with my Kaspersky Anti-Virus 7.
Unfortunately, it cannot be removed by KAV7 because my C drive has already been corrupted by the virus.
Any suggestion on what I should do to make my Vista OK all over again, instead of formatting the C drive?
Attached here is the HijackThis log for the sifu(s)' reference.

Thank you in advance for helping me out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:52 PM, on 11/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Launch Manager\WLBTTray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\IObit\Advanced WindowsCare V2\Awcl.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2756381265-1365012787-916203025-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'weMA')
O4 - HKUS\S-1-5-21-2756381265-1365012787-916203025-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'weMA')
O4 - HKUS\S-1-5-21-2756381265-1365012787-916203025-1003\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot (User 'weMA')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GrooveSystemServices.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\r3hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LckFldService - Unknown owner - C:\Windows\system32\LckFldService.exe
O23 - Service: SONbuddyDriverService - Green Packet Inc. - C:\Program Files\iTalk\iTalk Buddy For Windows\SONbuddyDriverService.exe
O23 - Service: SONNonAdminService - Green Packet - C:\Program Files\iTalk\iTalk Buddy For Windows\SONNonAdminService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: WisLMSvc - TODO: <Company name> - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 10394 bytes


Added on November 30, 2008, 7:40 pm: Dear sifu jovi,

You rock!!!! Thank you bro!!




This post has been edited by Faiza|: Nov 30 2008, 07:40 PM
shally87
post Dec 1 2008, 07:51 AM

Getting Started
**
Junior Member
232 posts

Joined: Nov 2008
From: Penampang Sabah



There is a good combination of antivirus programs that I always use.
Install AVG, then install Avast, then install BitDefender. The process is lighter than installing Kaspersky alone.
This works well for my PC and 4-year-old laptop.
eltaria
post Dec 13 2008, 12:52 PM

GO GO GO
******
Senior Member
1,039 posts

Joined: Apr 2005


Hi guys, just wondering. I'm an IT guy as well, and I practice safe computing, which practically eliminates 95% of the viruses: using a non-admin account, not opening unsafe files, right click > Explore, disabling autorun for pendrives, etc.

The problem is, if the virus is written effectively, how would you know if you got hit with a virus?

Case in point is the me_cute.exe virus that some of my colleagues got hit with. In this case, the me_cute.exe virus writer actually made a mistake in the registry field, which tried to load c:\windows\system32userinit.exe
instead of c:\windows\system32\userinit.exe

Of course, the file doesn't exist and Windows can't load normally, which gives a tell-tale sign that something is amiss, and the troubleshooting steps begin.

Whether this was a typo by the virus writer, or he did it on purpose, we'll never know. BUT if he DID type the path to userinit.exe correctly, the girls would never even know they got hit with a virus. They'd happily reboot, use their PCs continuously, and pass their pendrives around, infecting others in the process.

Which leads me to the question: how would you know if your PC has been compromised, if the virus is written cleverly and is local to a specific region? The latest updates on the AVG8 paid version didn't even catch the virus, and uploading the file to VirusTotal, I noticed a lot of other AVs don't even have the signature for it yet.

A virus which spreads by pendrive, properly written, limited to a specific locale (KL/PJ/Ipoh), will be hard for people to even notice is there until it's too late (i.e. the pen drive reaching our hands, and we right-click and notice the hidden autorun.inf inside it.....)


Added on December 13, 2008, 12:57 pm: Are there steps that we can take manually, to ensure our PC is safe?

Even for us IT people, sometimes we accidentally double-click the pendrive, and that's all it takes for the virus to get in.

In my case, I noticed it due to my firewall alerting me of outgoing communications.

Layered defense. But again, what if it escaped my firewall too? Then I'd have no idea I've already been compromised.

This post has been edited by eltaria: Dec 13 2008, 12:57 PM
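eltaria's question (how would you know without the virus writer's typo?) and sgwc's tyjkfww.exe report above share the same two tell-tale places to look: the Winlogon Userinit value that me_cute.exe rewrote, and an autorun.inf plus a hidden executable in a drive root. Here is an added PowerShell script (my own example, not from any post in this thread) that audits both, and also checks whether AutoRun has actually been disabled by policy. It assumes Windows PowerShell 3 or later run as Administrator; the Userinit path and the NoDriveTypeAutoRun = 0xFF policy value are standard Windows settings, everything else (drive enumeration via Win32_LogicalDisk, the autorun.inf keys it looks for) is my choice.

```powershell
# Added example, not from the thread. Windows PowerShell 3+, elevated.
# Three manual checks for "did something get in?":
#   1. Winlogon Userinit still points at the stock userinit.exe (me_cute.exe case)
#   2. AutoRun is disabled for all drive types by policy
#   3. Removable drive roots: autorun.inf targets and hidden executables

function Test-UserinitValue {
    # Returns $true only when Userinit is the stock Windows value
    # (path to userinit.exe followed by a trailing comma).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value    = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $expected = "$env:windir\system32\userinit.exe,"
    if ($value -ne $expected) {
        Write-Warning "Userinit is '$value' (expected '$expected')"
        return $false
    }
    return $true
}

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF (255) turns AutoRun off for every drive type.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value  = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($value -eq 0xFF)
}

function Get-AutorunTargets {
    param([string]$Root)
    # Reads autorun.inf in the drive root (hidden or not) and returns the keys
    # that make Explorer launch something when the drive icon is double-clicked.
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return @() }
    $hits = @()
    foreach ($line in Get-Content -LiteralPath $inf -Force) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
            $hits += [pscustomobject]@{ Key = $matches[1]; Target = $matches[2].Trim() }
        }
    }
    return $hits
}

function Get-RemovableDriveRoots {
    # DriveType 2 = removable media (pendrives); CD/DVD drives are type 5.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { $_.DeviceID + '\' }
}

# --- run the checks ---
if (Test-UserinitValue)   { Write-Host 'Userinit: OK' }
if (Test-AutorunDisabled) { Write-Host 'AutoRun policy: disabled for all drive types' }
else { Write-Warning 'AutoRun policy: not fully disabled (NoDriveTypeAutoRun is not 0xFF)' }

foreach ($root in Get-RemovableDriveRoots) {
    $targets = @(Get-AutorunTargets -Root $root)
    if ($targets.Count -gt 0) {
        Write-Warning "$root has an autorun.inf that launches:"
        $targets | ForEach-Object { Write-Host ('   {0} = {1}' -f $_.Key, $_.Target) }
    }
    # Worms of this kind drop a Hidden+System copy of themselves next to autorun.inf,
    # so list hidden executables in the root as well.
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       $_.Extension -match '^\.(exe|com|scr|bat|cmd|pif)$' } |
        ForEach-Object { Write-Warning ('Hidden executable in {0}: {1} ({2} bytes)' -f $root, $_.Name, $_.Length) }
}
```

Run it with the pendrive plugged in but before double-clicking the drive; right click > Explore, as eltaria says, does not fire autorun.inf, and neither does this script, since it only reads the file. A clean result here does not prove the machine is clean, which is eltaria's point: it catches the two persistence spots discussed in this thread, not a well-written infection that uses others.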
saintangelius
post Dec 26 2008, 02:55 AM

New Member
*
Junior Member
46 posts

Joined: Oct 2005
From: KL


Greetings and Happy Holidays!

I come bearing a not-so-delightful little 'gift'.

At the end of last week I noticed something strange with my desktop and my laptop. A series of scans showed me that I have been infected by a virus called Trojan Horse Crypt.AYG. I tried every means possible. Even took my lappy over to my IT guy in the office and the two of us couldn't crack it at all. Here is a summary of what I've done so far.

1. Unplugged the desktop from the internet to stop it from further infestation. Since the lappy was newer and had less important stuff on it, I kind of used it to search around the net for solutions, but to no avail.

2. I took the comps off the router and went direct dial, but the internet would cut itself off every 20 minutes because the dialer would have hung.
Noted an extra svchost.exe process running with massive memory usage. java.exe also takes more memory than usual. The only way to get back online was to restart the comp. It seems that if I'm on the LAN there are no problems with the connection, but when I do direct dial it happens. At times FF3 would even auto-shutdown.

3. AVG 8 picks up the virus, says it healed it/dumped it in the vault, but then it pops up all over again. I have...
a) cleaned the vaults
b) manually deleted the folders/files and emptied the recycle bin each time. They come out in these:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5

C:\Documents and Settings\LocalService\Network Settings\Temporary Internet Files\Content.IE5

The folders inside them would have random 8-letter alphanumeric names (e.g. TwEot5FY) and the files in them would be 4-letter, 1-number-in-brackets JPEGs (e.g. rspw[1].jpg).

After healing/vaulting, a popup appears 10 minutes later with the same infection but a slightly dissimilar file name.


4. Tried the following without much luck:
a) AVG 8
b) HijackThis (nothing unusual showed up)
c) System Restore (no difference)
d) Panda online scan (wants me to pay to disinfect)
e) TeaTimer / Spybot Search and Destroy (couldn't find it)
f) Geekz Virus Remover (couldn't even run the program for some strange reason; says it's a runtime error)
g) a number of other BIOS- and Windows-based ones my IT guy just has on his super secret weapon CD virus annihilator! (couldn't find it; it hides too well)

5. In my frustration I deleted all the contents of the C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 above (specifically the desktop.ini and index.dat) and it seems to have stopped popping up on AVG now whenever I run a scan.

I'm not sure if what I did was right or wrong. I feel like I've just kind of put a lid on it but haven't cleared it out entirely. Please correct me if I'm wrong. My main desktop is still in suspended animation. I fear turning it on. Because it has less RAM and processing power than my lappy, explorer.exe hangs every time the dialer dies.

This is a pretty obscure version of the Crypt virus. I haven't been able to find one similar to it on Google or Trend Micro. Can it possibly be a dialer virus? I'm at my wits' end trying to understand this one.

