> Me_cute virus infection, help! (Virus/Malware)

Polaris
post Dec 22 2008, 08:47 AM
Group: Senior Member, Posts: 2,850, Joined: Aug 2006, From: Stellar Nursery
I first noticed this when Kaspersky stopped something from running when I plugged in the thumbdrive (it must've got infected when I used the printing room on campus last week).

Then there's this me_cute jpg-like .exe file and an autorun (both hidden) in the pendrive, which I tried to delete but it keeps reappearing.

So I googled and found these sites,

http://forums.cnet.com/5208-4_102-0.html?threadID=315839 and
http://hocanlai.blogspot.com/2008/11/mecuteexe.html

and then back to LYN, http://forum.lowyat.net/topic/848204

I tried doing the steps,


But each time I tried this part,

lsass.exe Admin --- <select This>

The pop up says "This is a critical process. Task Manager cannot end this process."

1. How do I disinfect this if I can't eliminate it from the Task Manager?
2. How do I remove the $%@# virus from the pendrive?


-------------------------------------

I also found another mention in the pinned thread, Virus /Rootkits Thread, Work In Progress (Virus/Malware) which may offer some clues as to how to disinfect this thing.

convivencia
post Dec 22 2008, 09:47 AM
Group: Senior Member, Posts: 2,675, Joined: Dec 2008
I suspect that lsass.exe is a bogus file produced by the virus.

Run HijackThis, and then post the log file at both the HijackThis forum and here.

Many kind-hearted people will tell you what to do next.

This post has been edited by convivencia: Dec 22 2008, 09:48 AM
Polaris
post Dec 22 2008, 02:57 PM
Group: Senior Member, Posts: 2,850, Joined: Aug 2006, From: Stellar Nursery
Following the last comment on Razali Rambli's posting, I managed to rename the file to

lsass2.exe2.hjh or some such, preventing it from starting during logon, and went through the whole manual disinfection process.

Still don't know if this is a red herring or the real culprit, but the desktop seems to be working okay now.

I'm doing a Kaspersky scan of drive C to see if anything comes up.

What about the pendrive? How can it be disinfected?
beautifoolgirl
post Dec 22 2008, 04:24 PM
Group: Senior Member, Posts: 583, Joined: Nov 2008, From: Clunk

Do you think it infects your thumbdrive also? Then scan it using Kaspersky lah.
xamenx
post Feb 17 2009, 06:05 AM
Group: New Member, Posts: 2, Joined: Feb 2007

Before this I was using Flash Disinfector for viruses in the pendrive, and after disinfecting I just simply Shift+Delete the virus.

But it seems like with this me_cute.exe I can't do it the same way.

>.<

ariesboy2020
post Feb 17 2009, 08:14 AM
Group: Junior Member, Posts: 235, Joined: Jan 2008

Please post the HijackThis log so that others can help you solve the problem...
Qute
post Feb 17 2009, 08:56 AM
Group: Junior Member, Posts: 208, Joined: Dec 2008, From: KayElLL

QUOTE(xamenx @ Feb 17 2009, 06:05 AM)
Before this I was using Flash Disinfector for viruses in the pendrive, and after disinfecting I just simply Shift+Delete the virus.

But it seems like with this me_cute.exe I can't do it the same way.

>.<

There is a senior here who's trying to get the virus-infected file. I'll check out the name and let you know later. But anyhow, with the computer that was infected with me_cute, my colleagues and I decided to just format it, because we had tried to solve the problem by scanning for viruses, removing, etc. etc. but it didn't work. Be really careful. On any PC that is infected with me_cute, if you put in your thumbdrive/external hard disk and open the folder, it WILL immediately be infected by me_cute.
eclectice
post Feb 17 2009, 12:36 PM
Group: Senior Member, Posts: 2,284, Joined: Mar 2008

Interesting, can someone please post this malware to an antivirus solution center? Since Kaspersky can detect it, try to quarantine the executable if possible and send it in as a report.

I am interested to know whether there is any network activity performed by me_cute file especially on the common LSASS exploited vulnerable TCP/UDP ports:
UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593.

A valid services.exe and a valid lsass.exe service should run under the SYSTEM account in the Task Manager, not under a non-SYSTEM account.

Please confirm any presence of more than one services.exe (Windows Service Manager) file and lsass.exe (Local Security Authentication Service) in the Windows system folder, by typing at the command prompt:
CODE
dir /s "services.exe"

CODE
dir /s "lsass.exe"

The valid ones should be in the following results:
CODE

C:\WINDOWS>dir /s "services.exe"
Volume in drive C has no label.
Volume Serial Number is XXXX-XXXX

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004  03:56 PM           108,032 services.exe
              1 File(s)        108,032 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008  08:12 AM           108,544 services.exe
              1 File(s)        108,544 bytes

Directory of C:\WINDOWS\system32

14/04/2008  08:12 AM           108,544 services.exe
              1 File(s)        108,544 bytes


CODE

C:\WINDOWS>dir /s "lsass.exe"
Volume in drive C has no label.
Volume Serial Number is XXXX-XXXX

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004  03:56 PM            13,312 lsass.exe
              1 File(s)         13,312 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008  08:12 AM            13,312 lsass.exe
              1 File(s)         13,312 bytes

Directory of C:\WINDOWS\system32

14/04/2008  08:12 AM            13,312 lsass.exe
              1 File(s)         13,312 bytes



Also, check the child services invoked by them:
CODE

C:\WINDOWS>tasklist /SVC /FI "IMAGENAME eq services.exe"

Image Name                   PID Services
========================= ====== =============================================
services.exe                1184 Eventlog, PlugPlay

C:\WINDOWS>tasklist /SVC /FI "IMAGENAME eq lsass.exe"

Image Name                   PID Services
========================= ====== =============================================
lsass.exe                   1196 Netlogon, PolicyAgent, ProtectedStorage,
                                SamSs


As you can notice, the higher activity of services.exe is due to its services: it logs to the event log (EventLog), whose results you can see in the Event Viewer, and it also invokes the plug-and-play service (PlugPlay), which can be related to any plug-and-play device's activities, like a USB thumbdrive.

Activities of lsass.exe are related to user account authentication/logon, policy setup and some other user-level protection schemes.

Check for any possible Sasser-like malware activities as mentioned in the link below:
http://ask-leo.com/what_are_lsass_lsassexe...do_if_i_am.html

This post has been edited by eclectice: Feb 17 2009, 01:04 PM
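The checks eclectice walks through above (one services.exe and one lsass.exe, loaded from %SystemRoot%\system32, running as SYSTEM, the services each one hosts, and a `dir /s` for stray copies) collected into one script. This is an added example, not code from the thread or from any poster; it assumes Windows PowerShell with WMI access, run from an elevated prompt.

```powershell
# Added example (not from the thread): verify the lsass.exe / services.exe
# instances the way the post describes: exactly one of each, loaded from
# %SystemRoot%\system32, owned by SYSTEM, plus the services each hosts.
# Assumes Windows PowerShell with WMI; run elevated so ExecutablePath and
# GetOwner() are readable for SYSTEM-owned processes.
$system32 = Join-Path $env:SystemRoot 'system32'

foreach ($image in 'services.exe', 'lsass.exe') {
    $procs = @(Get-WmiObject Win32_Process -Filter "Name = '$image'")
    "== $image : $($procs.Count) running instance(s) =="
    if ($procs.Count -ne 1) {
        Write-Warning "$image should be running exactly once; found $($procs.Count)."
    }
    foreach ($p in $procs) {
        $owner = $p.GetOwner()
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unreadable>' }
        $path  = $p.ExecutablePath
        $dir   = if ($path) { Split-Path -Parent $path } else { $null }
        # Equivalent of: tasklist /SVC /FI "IMAGENAME eq <image>"
        $svcs  = @(Get-WmiObject Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
                   ForEach-Object { $_.Name })
        $flags = @()
        if ($owner.ReturnValue -eq 0 -and $owner.User -ne 'SYSTEM') {
            $flags += "runs as $user, expected NT AUTHORITY\SYSTEM"
        }
        # String comparison is case-insensitive, so C:\Windows\System32 still matches.
        if ($dir -and $dir -ne $system32) {
            $flags += "loaded from $dir, expected $system32"
        }
        "  PID {0,-6} user {1,-22} path {2}" -f $p.ProcessId, $user, $path
        "  services: " + $(if ($svcs.Count) { $svcs -join ', ' } else { '(none)' })
        foreach ($f in $flags) { Write-Warning "  $image PID $($p.ProcessId): $f" }
    }
}

# Same idea as the thread's `dir /s`: list every copy of these names under
# %SystemRoot%; the expected ones sit in system32 and the service pack folders.
Get-ChildItem -Path $env:SystemRoot -Recurse -Include 'services.exe', 'lsass.exe' `
    -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

On Vista and later, services.exe hosts no services of its own (tasklist shows N/A), so an empty service list for it is normal there; for lsass.exe a non-SYSTEM owner or a path outside system32 is the finding to act on.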
siles1991
post Feb 19 2009, 02:41 AM
Group: Senior Member, Posts: 1,580, Joined: Feb 2008, From: Selangor

I've read something like this in a hack forum. They hide viruses inside of pictures by certain methods using WinRAR. You might be able to find out what's inside if you run WinRAR on it, NOT to make a .rar file but to OPEN it.