bad virus

Xray

Ok, here's what happened, I feel like quite an idiot.

A few months ago my hard drive died a natural death, so I got a new one of
course ... I have been meaning to reinstall my favorite game, Dark Crusade,
and finally got around to doing it, I was just jonesing to play.

Wouldn't install, there were errors on the disc, I've got 3 CD/DVD players in
my computer, tried all 3 and they all couldn't install it. Tried cleaning
it, still no luck, I was fixated on playing this game so I decided to
download it, and of course using my legit serial #, there would be no
problems.

So I found it and downloaded it, pretty big file 3.5 gb, took a few hours,
so I put the image in my ******* drive, and right off the bat Avast popped
up a virus warning.
I thought it was a false alarm, I figured why would anyone hide a virus in
a 3gb file ?
So like an idiot I disabled the anti virus and tried it again, clicked on setup
and all hell broke loose.
Pop up windows galore, warnings left and right from programs I never
installed, this disabled that disabled. In a panic I reactivated the anti
virus, but it was too late.

This program, called Windows XP virus removal tool, popped up and started
running a scan, finding dozens of viruses and malicious programs, flashing
all kinds of warnings.
At first I thought cool, never knew I had this program, it looks official,
right from Microsoft.
But it has a button that says "click here to get the full version so you
can be fully protected", so I got suspicious and figured it was the virus
trying to get me to do something.
Couldn't stop this program, ctrl/alt/delete had no effect, closed down my
firewall etc, and who knows what else.

So I ran spybot, took quite a while to scan, but it found a load of
problems, including malicious registry entries, malware, spyware, bots, you
name it.
So I clicked "fix the problems", and spybot froze right up.
This damn virus disabled any preventive measures I was trying to take.

So I tried running Avast again, it said "Warning, virus detected in memory.
It is dangerous to work in this state, recommend reboot so Avast can scan
and remove files before they load".
Sounded good to me, so I rebooted and Avast ran, found at least a dozen
infections, and cleared them out.

So I booted normally, and hell was still breaking loose, damn.
So I tried booting in safe mode, I ran spybot again and it found all those
problems again, including the bogus registry entries.
Apparently the virus couldn't affect it in safe mode, and it deleted most
of them, it said there was 1 it couldn't delete, and would do it on next
boot up.
So I restarted again, and spybot started scanning, a deep scan, took damn
near 4 hours.
Found more problems, deleted them so I ran Avast again, and now Avast is
corrupted, won't run.
Tried installing AVG, it said Avast needs to be uninstalled first.
Fine - But the virus has got that covered, it won't uninstall. Same with
Kaspersky or whatever it's called, tried to install that, but it needs Avast
uninstalled, which ain't happening.

Tried rebooting in safe mode again, and was greeted by a blank screen.
So now, I ran spybot again and it found 100's of infections, they seem to
regenerate.

This virus seems to want to trick me into thinking everything's OK, right
now I can browse around almost normal, but I'm going to pull the internet
connection as soon as I post this, who knows what it's trying to do ?

So any advice to get rid of this thing ?
Edit - Did it again, all of those problems above, spybot is unable to get
rid of.
Oh, and tried system restore, virus has got that covered too.
Only 1 restore point, and that's today - Got this virus about 3am this
morning.

Edit - Booted into safe mode successfully, spybot found the infections
again, and deleted all but 1, which was apparently running.
1 is in a folder c/windows/system32/lowsec
I could see the actual files in safe mode, tried to manually delete them but
I couldn't.
In normal mode they aren't visible.

Beauregard T. Shagnasty

Xray said:
Ok, here's what happened, I feel like quite an idiot.

In a panic I reactivated the anti virus, but it was too late.

It was too late the microsecond you ran whatever it is you ran -- though
you were probably infected from a web site.

Get these two free-for-home-use programs.
Download, install, update, scan.
MalwareBytes AntiMalware: http://malwarebytes.org/
SUPERAntiSpyware: http://superantispyware.com/

Use a better browser. Get a firewall.

Xray

It was too late the microsecond you ran whatever it is you ran -- though
you were probably infected from a web site.

Yes, I realize it was too late - And so do most people who slam on the brakes
before slamming into a light pole.
I didn't get infected from a web site, I got infected from a 3gb file I
downloaded from the usenet, after I carelessly turned off my anti virus.
Get these two free-for-home-use programs.
Download, install, update, scan.
MalwareBytes AntiMalware: http://malwarebytes.org/
SUPERAntiSpyware: http://superantispyware.com/

Use a better browser. Get a firewall.


Browsers fine, firewalls fine, thanks.

Beauregard T. Shagnasty

Xray said:
Yes, I realize it was too late - And so do most people who slam on the
brakes before slamming into a light pole.
I didn't get infected from a web site, I got infected from a 3gb file
I downloaded from the usenet, after I carelessly turned off my anti
virus.

I sorta doubt it was the 3GB file. I personally know of no instances
where a malware-doer purposely set out to infect files of that size. Who
would download them? Oh wait! I know who would!!! ;-)

What was the website (so it can be examined)? Post the URL - but mung
it so it is not clickable.

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
(please excuse the IntelliTXT ads on this otherwise okay page)

David H. Lipman

From: "Xray" <[email protected]>


| Yes, I realize it was too late - And so do most people who slam on the brakes
| before slamming into a light pole.
| I didn't get infected from a web site, I got infected from a 3gb file I
| downloaded from the usenet, after I carelessly turned off my anti virus.


| Browsers fine, firewalls fine, thanks.


All the software won't protect you if you don't practice Safe Hex -- YOU DIDN'T !

Usenet binaries are FULL of injected trojans. Either the binary is the trojan, a
legitimate application is repackaged with a trojan or some other method but Usenet
binaries can NOT be trusted -- EVER.

As for your problem ... What virus ?

It sounds like you got infected alright but NOT with a "virus" ?

%windir%\system32\lowsec is indicative of a Zeus bit (zbot) trojan. A bank account
compromising trojan.

And other non-viral malware.

Xray

I sorta doubt it was the 3GB file. I personally know of no instances
where a malware-doer purposely set out to infect files of that size. Who
would download them? Oh wait! I know who would!!! ;-)

What was the website (so it can be examined)? Post the URL - but mung
it so it is not clickable.

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
(please excuse the IntelliTXT ads on this otherwise okay page)

Well, that logic was exactly what made me think the anti virus was giving a
false alarm, sadly for me, it wasn't - And the file is more like 4gb.

There is no URL for this, it was downloaded from the usenet,
alt.binaries.games "Warhammer 40,000 Dawn of War Dark Crusade" posted Oct
24 2009 by kenny <[email protected]>

If you really want to investigate this large file, here is the complete
header info, I'm here to tell ya it is infected, and infected big.
Premium servers like easynews or giganews are likely to be the only ones
still carrying this nearly half year old file.

date: 24 Oct 2009 01:31:40 GMT
lines: 566
x-trace: DXC=WB9m0E82BT5\nWXJLoiYd:L?0kYOcDh@:BK2jREKf`g:8S2RAnKBM\>h5gfcj>
lJI87Bf`@U07lA7=h7VX^H1@S?
nntp-posting-host: 0a548bf5.news.astraweb.com
from: kenny <[email protected]>
organization: Unlimited download news at news.astraweb.com
xref: easynews.com alt.binaries.games:238756069
x-newsreader: JBinUp 0.90 Beta 7 - Build: 2008120403
(http://www.JBinUp.com)
subject: "Warhammer 40,000 Dawn of War Dark Crusade.par2" 594 yEnc (1/1)
path: sc-01!news-in-04.newsfeed.easynews.com!easynews.com!easynews!
npeer01.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-
media.com!nx02.iad01.newshosting.com!newshosting.com!novia!news-
out.octanews.net!mauve.octanews.net!news.astraweb.com!
border1.newsrouter.astraweb.com!not-for-mail
newsgroups: alt.binaries.games
x-no-archive: yes
message-id: <[email protected]>

David H. Lipman

From: "Xray" <[email protected]>


| Well, that logic was exactly what made me think the anti virus was giving a
| false alarm, sadly for me, it wasn't - And the file is more like 4gb.

| There is no URL for this, it was downloaded from the usenet,
| alt.binaries.games "Warhammer 40,000 Dawn of War Dark Crusade" posted Oct
| 24 2009 by kenny <[email protected]>

| If you really want to investigate this large file, here is the complete
| header info, I'm here to tell ya it is infected, and infected big.
| Premium servers like easynews or giganews are likely to be the only ones
| still carrying this nearly half year old file.

Like I said...

Usenet binaries are FULL of injected trojans. Either the binary is the trojan, a
legitimate application is repackaged with a trojan or some other method but Usenet
binaries can NOT be trusted -- EVER.

In certain circles I am well known for investigating Usenet binaries.

Xray

From: "Xray" <[email protected]>



| Yes, I realize it was too late - And so do most people who slam on the
| brakes before slamming into a light pole.
| I didn't get infected from a web site, I got infected from a 3gb file I
| downloaded from the usenet, after I carelessly turned off my anti
| virus.



| Browsers fine, firewalls fine, thanks.


All the software won't protect you if you don't practice Safe Hex -- YOU
DIDN'T !

Usenet binaries are FULL of injected trojans. Either the binary is the
trojan, a legitimate application is repackaged with a trojan or some
other method but Usenet binaries can NOT be trusted -- EVER.

As for your problem ... What virus ?

It sounds like you got infected alright but NOT with a "virus" ?

%windir%\system32\lowsec is indicative of a Zeus bit (zbot) trojan. A
bank account compromising trojan.

And other non-viral malware.

True, though my anti virus program is hosed, so I don't know what I have in
the way of a virus.

Here is what I seem to have, at least this is what spybot is detecting.
A total of 21 infected files, spybot locks up with an error "cannot create
file c/windows/system32/drivers/ect/hosts access is denied" when trying to
delete any of these.
Malwarebytes is unable to install, so they are known and located, removing
them is the problem.


--- Search result list ---
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
securitysoftwarepayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure.privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.getavplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
urs.microsoft.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
paysoftbillsolution.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
protected.maxisoftwaremart.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host
(Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host
(Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host
(Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

--- Browser helper object list ---
{2A0F3D1B-0909-4FF4-B272-609CCE6054E7} (Browser Defender BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Browser Defender BHO
CLSID name: PC Tools Browser Guard BHO
Path: C:\Program Files\Spyware Doctor\BDT\
Long name: PCTBrowserDefender.dll
Short name: PCTBRO~1.DLL
Date (created): 3/20/2010 4:41:16 PM
Date (last access): 3/20/2010 6:21:18 PM
Date (last write): 11/10/2009 10:28:12 AM
Filesize: 395216
Attributes: archive
MD5: 3E1873E478CC25C9495C319B2B34A1C4
CRC32: 7C1BB94B
Version: 2.0.6.11

{3551fe4f-fa6b-4a26-983a-c31bac04ac29} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path:
Long name: lerobido.dll
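
The Spybot list above is a hosts-file hijack: every flagged entry maps a domain, including Google Safe Browsing and Microsoft hosts, to the same address, which both blocks security updates and lets the fake scanner's payment sites resolve wherever the malware wants. The following script is an added example, not code from the thread or from Spybot, Malwarebytes or any other tool named here; it parses a Windows hosts file and reports non-loopback overrides of an assumed watchlist of security/update domains, plus any remote IP that many unrelated domains share. The watchlist, the fan-out threshold and the sample hosts file are constructed assumptions (the sample's malicious lines are copied from the Spybot report).

```python
import ipaddress
import re
from collections import defaultdict

# Hosts the OS or security tools must reach; a non-loopback override for any
# of these is almost always malicious (assumed watchlist, not from the thread).
PROTECTED = ("safebrowsing-cache.google.com", "urs.microsoft.com",
             "windowsupdate.com", "malwarebytes.org")
FANOUT_THRESHOLD = 5  # distinct domains sharing one remote IP (assumption)


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and bad IPs are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def analyse_hosts(text):
    """Return protected-domain overrides and remote IPs with high fan-out."""
    by_ip = defaultdict(set)
    overridden = []
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 sinkholes are a normal use
        by_ip[ip].add(name)
        if any(name == p or name.endswith("." + p) for p in PROTECTED):
            overridden.append((name, ip))
    fanout = {ip: sorted(n) for ip, n in by_ip.items()
              if len(n) >= FANOUT_THRESHOLD}
    return {"overridden": sorted(overridden), "fanout": fanout}


# Constructed sample: benign defaults plus entries copied from the Spybot
# report in this thread (all pointed at 74.125.45.100).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test   # assumed ad-block entry: local, fine
74.125.45.100   4-open-davinci.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   getantivirusplusnow.com www.getantivirusplusnow.com
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com
74.125.45.100   secure.paysecuresystem.com
"""

if __name__ == "__main__":
    result = analyse_hosts(SAMPLE_HOSTS)
    for name, ip in result["overridden"]:
        print(f"WARNING: protected host {name} overridden -> {ip}")
    for ip, names in result["fanout"].items():
        print(f"WARNING: {len(names)} domains mapped to {ip}: {', '.join(names)}")
```

On a live machine, read %windir%\system32\drivers\etc\hosts from a clean boot environment; as the thread shows, the malware can deny access to the file from within the infected system.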

David H. Lipman

From: "Xray" <[email protected]>

< snip >

| True, though my anti virus program is hosed, so I don't know what I have in
| the way of a virus.

| Here is what I seem to have, at least this is what spybot is detecting.
| A total of 21 infected files, spybot locks up with an error "cannot create
| file c/windows/system32/drivers/ect/hosts access is denied" when trying to
| delete any of these.
| Malwarebytes is unable to install, so they are known and located, removing
| them is the problem.


< snip >

Please stop using the term virus. It has specific implications on its abilities to spread.
You are infected with malware and highly probable it is ONLY of type trojan.

As for Malwarebytes' Anti Malware.

First...

Kill as many running programs as possible then...

Download the 'mbam-setup.exe' and rename it to something like; xray.com
Then run; xray.com

Don't allow it to update or run.
Then go to; "C:\Program Files\Malwarebytes' Anti-Malware"

Find; "mbam.exe" and then COPY it to something like; xray.com and then run; xray.com .

Perform an update and then run a scan on your PC.

Xray

From: "Xray" <[email protected]>



| Well, that logic was exactly what made me think the anti virus was
| giving a false alarm, sadly for me, it wasn't - And the file is more
| like 4gb.

| There is no URL for this, it was downloaded from the usenet,
| alt.binaries.games "Warhammer 40,000 Dawn of War Dark Crusade" posted
| Oct 24 2009 by kenny <[email protected]>

| If you really want to investigate this large file, here is the complete
| header info, I'm here to tell ya it is infected, and infected big.
| Premium servers like easynews or giganews are likely to be the only
| ones still carrying this nearly half year old file.

Like I said...

Usenet binaries are FULL of injected trojans. Either the binary is the
trojan, a legitimate application is repackaged with a trojan or some
other method but Usenet binaries can NOT be trusted -- EVER.

In certain circles I am well known for investigating Usenet binaries.

There's a lot of crap out there, to be sure.
To say that every single one is infected is clearly ludicrous, there are
many clean programs available - I've never had much of a problem, for
years, until this one time I made the poor decision to ignore the anti
virus warning and proceed anyhow.
Live and learn.

Xray

From: "Xray" <[email protected]>

< snip >

| True, though my anti virus program is hosed, so I don't know what I
| have in the way of a virus.

| Here is what I seem to have, at least this is what spybot is detecting.
| A total of 21 infected files, spybot locks up with an error "cannot
| create file c/windows/system32/drivers/ect/hosts access is denied" when
| trying to delete any of these.
| Malwarebytes is unable to install, so they are known and located,
| removing them is the problem.


< snip >

Please stop using the term virus. It has specific implications on its
abilities to spread. You are infected with malware and highly probable
it is ONLY of type trojan.

As for Malwarebytes' Anti Malware.

First...

Kill as many running programs as possible then...

Download the 'mbam-setup.exe' and rename it to something like; xray.com
Then run; xray.com

Don't allow it to update or run.
Then go to; "C:\Program Files\Malwarebytes' Anti-Malware"

Find; "mbam.exe" and then COPY it to something like; xray.com and then
run; xray.com .

Perform an update and then run a scan on your PC.

I'll give that a try, thanks.

I finally managed to uninstall Avast, so I could install Kaspersky.
It found 3 viruses and 2 trojans, including 2 in memory.
One is rootkit.win32.agent.bdzt
Another located at c/windows/system32/drivers/bqglkgov.sys

It calls for a restart to be removed, but upon restarting, Kaspersky
crashes.

FromTheRafters

Xray said:
[...]
Usenet binaries are FULL of injected trojans.
Either the binary is the trojan, a legitimate
application is repackaged with a trojan or some
other method but Usenet binaries can NOT be
trusted -- EVER.
[...]

There's a lot of crap out there, to be sure.
To say that every single one is infected is clearly ludicrous,

No-one is saying that.
there are many clean programs available - I've
never had much of a problem, for years, until
this one time I made the poor decision to ignore
the anti virus warning and proceed anyhow.
Live and learn.

The best practice is to get your programs *only* from trustworthy
sources - *and* scan them.

David H. Lipman

From: "Xray" <[email protected]>



| I'll give that a try, thanks.

| I finally managed to uninstall Avast, so I could install Kaspersky.
| It found 3 viruses and 2 trojans, including 2 in memory.
| One is rootkit.win32.agent.bdzt
| Another located at c/windows/system32/drivers/bqglkgov.sys

| It calls for a restart to be removed, but upon restarting, Kaspersky
| crashes.

Please describe which 3 viruses were found.
File names and paths as well as what Kaspersky called them.

David H. Lipman

From: "Xray" <[email protected]>

| There's a lot of crap out there, to be sure.
| To say that every single one is infected is clearly ludicrous, there are
| many clean programs available - I've never had much of a problem, for
| years, until this one time I made the poor decision to ignore the anti
| virus warning and proceed anyhow.
| Live and learn.

The vast majority are. If you want freeware, go to a vetted web site. You can NOT vet a
news group.

gufus

From: gufus
Subj: Re: bad virus
Sat, 20 Mar 2010 19:59:02 -0600

From: David H. Lipman---? To: Xray
Subj: Re: bad virus
Sat, 20 Mar 2010 18:26:10 -0400

Hello, David!

You wrote on Sat, 20 Mar 2010 18:26:10 -0400:

??|>
??>>> Xray wrote:

??>>>> "Beauregard T. Shagnasty" wrote:
??>>>>> Xray wrote:
??>>>>>> Ok heres what happened, I feel like quite an idiot.

??>>>>>> In a panic I reactivated the anti virus, but it was too late.

DHL> In certain circles I am well known for investigating Usenet binaries.

Vcool..

Xray

Xray said:
[...]
Usenet binaries are FULL of injected trojans.
Either the binary is the trojan, a legitimate
application is repackaged with a trojan or some
other method but Usenet binaries can NOT be
trusted -- EVER.
[...]

There's a lot of crap out there, to be sure.
To say that every single one is infected is clearly ludicrous,

No-one is saying that.

Saying "Usenet binaries can NOT be trusted -- EVER." comes pretty close.
The best practice is to get your programs *only* from trustworthy
sources - *and* scan them.

I agree.
In a perfect world, everyone would do that, every time.

Xray

From: "Xray" <[email protected]>

| There's a lot of crap out there, to be sure.
| To say that every single one is infected is clearly ludicrous, there
| are many clean programs available - I've never had much of a problem,
| for years, until this one time I made the poor decision to ignore the
| anti virus warning and proceed anyhow.
| Live and learn.

The vast majority are. If you want freeware, go to a vetted web site.
You can NOT vet a news group.

As per the OP, I was trying to download a game that I already owned on DVD,
not sure where you're getting the freeware angle from.
The DVD had become unreadable, so my options were:
* Don't play the game ever
* Buy a used copy on ebay
* Download an image from the usenet, and use my legit serial number

Xray

From: "Xray" <[email protected]>



| I'll give that a try, thanks.

| I finally managed to uninstall Avast, so I could install Kaspersky.
| It found 3 viruses and 2 trojans, including 2 in memory.
| One is rootkit.win32.agent.bdzt
| Another located at c/windows/system32/drivers/bqglkgov.sys

| It calls for a restart to be removed, but upon restarting, Kaspersky
| crashes.

Please describe what were 3 viruses were found.
File name and paths as well as what Kaspersky called it.


Well, the rootkit listed above is a virus I believe.
Also have Rootkit.Win32.TDSS.d

Since Kaspersky wasn't doing anything, I uninstalled it and installed Avast.
Got multiple blue screen page faults on startup after that, apparently my
system has become highly unstable.
Finally managed to boot normally.
Avast doesn't work at all, it's there but corrupted, won't do a thing.

Looks like I'm looking at a fresh OS reinstall about now, this thing is
insidious and is always one step ahead.

David H. Lipman

From: "Xray" <[email protected]>

| Well, the rootkit listed above is a virus I believe.
| Also have Rootkit.Win32.TDSS.d

| Since Kaspersky wasn't doing anything, I uninstalled it and installed Avast.
| Got multiple blue screen page faults on startup after that, apparently my
| system has become highly unstable.
| Finally managed to boot normally.
| Avast doesn't work at all, it's there but corrupted, won't do a thing.

| Looks like I'm looking at a fresh OS reinstall about now, this thing is
| insidious and is always one step ahead.

RootKits are trojans not viruses.

Viruses self replicate. That means once infected it will auto-infect other files (by
appending, inserting or prepending code ), boot sectors and/or systems. Trojans may
infect another file by appending, inserting or prepending code but that subsequent file
does not spread the infection. It simply becomes "trojanized".

You can't uninstall, replace and re-install fully installed anti virus applications like
you've been doing.

** At this point, my advice is now to WIPE and RE-INSTALL the OS.

David H. Lipman

From: "Xray" <[email protected]>


| As per the OP, I was trying to download a game that I already owned on DVD,
| not sure where your getting the freeware angle from.
| The DVD had become unreadable, so my options were:
| * Don't play the game ever
| * Buy a used copy on ebay
| * Download an image from the usenet, and use my legit serial number


OK, it wasn't freeware.

Your *ONLY* option was to BUY another copy!