Help identify virus? these symptoms....


jeffc

David H. Lipman said:
Netsky
http://vil.nai.com/vil/content/v_101027.htm

The MultiDropper-LA Trojan will install the Netsky.
http://vil.nai.com/vil/content/v_127037.htm


What about Adaware. Have you scanned with it yet ?

I was able to download AdAware. Unfortunately I went to www.adaware.com
which is a totally different thing - it installed Spy Assassin or some such
nonsense that I assumed was the right thing. I uninstalled it but it left
some remnants, like an IE task bar. Anyway, AdAware found a couple of things,
but it is not related to my problem.
 

jeffc

David H. Lipman said:
Delete the whole 'hosts' file and obtain the software I indicated from another computer.
Then scan the platform per my previous instructions.

In addition, copy the text in between the "----" (dashes) below and then paste it into a text
editor.
Save the file as FixSwen.inf. After you save it to a disk, on the affected PC right-click
on the file FixSwen.inf and choose "Install".

----
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
AddReg=FixSwen
DelReg=EnableRegTools

; Restore the default "open" commands for executable file types
; (a doubled quote inside an INF string stands for one literal quote)
[FixSwen]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe ""%1"""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"

; Delete the policy value that makes Regedit report "registry editing has been disabled"
[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

I'm a little leery of what that does exactly. I'd really rather identify
exactly what virus I have first.
 

jeffc

madmax said:
127.0.0.1 localhost

If there is anything after this, it is probably your problem.
What did your anti-virus report?

The virus (or whatever) kept replacing the hosts file. I made it read only
and I haven't seen it change in a while - could be just a coincidence. I was
able to get to symantec and download a trial version of their AV software.
Unfortunately I can't run the install - just quits (just like regedit, etc.)
I tried renaming the exe, but no luck. (I was able to rename the
stinger.exe and got that to run, but it didn't find the problem .... I don't
think...)
 

jeffc

JJO said:
OK then, if you are accessing the Internet from another system try this.
Browse to the following site I have below. It is the Avast BART program.
With that you can create a bootable CD that you can detect and clean a
system with. The program is free to try until October 15th so you have
enough time.
http://www.avast.com/eng/products/desktop_protection/avast_bart_cd/avast_bart_cd_downlo.html

Apparently the virus is not allowing me to get to this site, even though my
hosts file appears to be clear.
 

jeffc

David H. Lipman said:
It is a McAfee INF file { http://vil.nai.com/vil/averttools.asp }
to make sure executable file types are indeed executable.

Does not seem to make any difference. As of now, I'm not able to run a
virus scanner such as Stinger (which I had to rename) because it gets into
an apparent endless loop searching my Temporary Internet files directory,
even though I've removed all files from that directory.
 

Guy

jeffc said:
I'm having a hard time searching for this one because one of the
symptoms is that whenever I use Google to search for "virus" or
something like that in the keywords, Internet Explorer closes
automatically. If I try to go to a site to download some
software, such as www.symantec.com, it says it can't find the
site. If I try to run Stinger, it closes automatically (won't
run). If I try to run regedit, it closes automatically (won't
run). On my Task Manager processes page, it's completely blank.
Those are the only symptoms I'm aware of, other than that the
computer seems to be running fine. I guess I can go to the store
and buy Norton anti-virus or something, but I'm not sure I'd even
be able to refresh the virus definitions from their web site the
way this "virus" (if it is one) seems to be operating. Any tips?
thanks!

Hi, sorry I'm not much of a "handholder" so you will need to work most
of this out yourself. Seems as if you have a version of Agobot.
Rename regedit.exe to regedit.com
Run regedit, backup the registry then poke through the registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run*
(probably best to go through all the HKCU "Run*" keys too)
and remove ALL the entries that seem strange.
(I hope you know your system, or at least what is normal)
Clear out that Hosts file and reboot.
Go to an AV site and get a scanner and update the defs.
Run it and clean your system.
 

Zvi Netiv

jeffc said:
I was able to download AdAware. Unfortunately I went to www.adaware.com
which is a totally different thing - it installed Spy Assassin or some such
nonsense that I assumed was the right thing. I uninstalled it but it left
some remnants, like an IE task bar. Anyway, AdAware found a couple of things,
but it is not related to my problem.

Your problem sounds familiar and the symptoms resemble those I found on a
friend's PC a couple of months ago.

What caused the mess was a variant of what's known as HacDef. The trouble was
that none of the methods provided on the AV producer pages seemed to work;
they didn't even seem to detect anything suspicious on the affected system.

Moreover, essential utilities and applications such as Regedit, Msconfig,
HijackThis, Spybot, Stinger and others couldn't be used as they strangely
"disappeared" on the affected drive, or aborted soon after launching, just as
you described.

The reason for all that mess, after we resolved it, was found in the following
section of an apparently innocent INI file:

--- found in Winunins.ini ---
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINNT\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
--- /end quote from winunins.ini ----

From the above you can learn how this trojan works, and more important, how to
defeat it.

Eventually, the solution was to rename the Trojan's driver and INI file from a
network-connected PC. You can't do it from the affected PC because all bogus
files, processes, services, and even registry entries are hidden while the
Trojan is active, even in Safe Mode! Rebooting after having renamed the driver
let us clear manually all the remains of the Trojan from the registry and HOSTS,
and delete the offending files. Check the AV producer pages to read what they are.

The first clue where to look for the driver name was obtained by running a
renamed copy of Regedit.exe (don't use "Regedit.com" for the name since "regedit" is
in the hide list), and browsing the content of
HKLM\Software\Microsoft\Windows\CurrentVersion\Run. In our case the bogus pair
was Winunins.exe and Winunins.ini.

If your PC isn't networked and runs on NTFS, then you can boot from a CD
prepared with Bart's PE to rename the Trojan driver.

Regards, Zvi
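Added example (Python, not code from the thread): a small parser for the HackerDefender-style INI layout quoted above, used the way Zvi describes it, to list what the rootkit hides and to check whether a renamed tool name would itself fall under the hide list. The sample INI is constructed in the same layout (not a real capture), with a `regedit*` entry added to reflect Zvi's remark that "regedit" was in his hide list.

```python
import fnmatch

# Constructed sample in the same layout as the Winunins.ini quoted in the post;
# "regedit*" is included to mirror Zvi's remark that "regedit" was in his hide list.
SAMPLE_INI = """\
[Hidden Table]
winunins.exe
winunins.ini
HijackThis*
msconfig*
regedit*
[Hidden Services]
HackerDefender*
[Startup Run]
C:\\WINNT\\svhost.exe -sr -0
[Settings]
ServiceName=HackerDefender100
DriverFileName=hxdefdrv.sys
"""

def parse_hxdef_ini(text):
    """Return {section: [entries]}; blank lines and ';' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def is_hidden(name, sections):
    """True if a file/process name matches a [Hidden Table] pattern ('*' wildcard,
    case-insensitive); a renamed tool must NOT match (abcde.exe ok, regedit.com not)."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower())
               for pat in sections.get("Hidden Table", []))

def cleanup_targets(sections):
    """Artifacts to remove after the driver has been renamed from another PC."""
    settings = dict(kv.split("=", 1) for kv in sections.get("Settings", []) if "=" in kv)
    return {
        "files": [n for n in sections.get("Hidden Table", []) if "*" not in n]
                 + [settings.get("DriverFileName", "")],
        "services": [settings.get("ServiceName", "")],
        "startup": sections.get("Startup Run", []),
    }
```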
 

xmp

Zvi said:
What caused the mess was a variant of what's known as HacDef. The trouble was
that none of the methods provided on the AV producer pages seemed to work;
they didn't even seem to detect anything suspicious on the affected system.

Hacker Defender is a rootkit and may be used in conjunction with other
backdoors and/or hack tools. It's a kernel-mode kit, so quite stealthy.
"Once in Ring Zero, forever Ring Zero," as they say.

Word is that Kaspersky has the best chance of detecting it (outside of
dedicated tools).

michael
 

xmp

Zvi said:
Moreover, essential utilities and applications such as Regedit, Msconfig,
HijackThis, Spybot, Stinger and others couldn't be used as they strangely
"disappeared" on the affected drive, or aborted soon after launching, just as
you described.

Things that might come in handy are VICE, Klister, Patchfinder2, RK
Detector, RegDatXP, Task Info, Kaspersky, etc.

michael
 

Zvi Netiv

xmp said:
Things that might come in handy are VICE, Klister, Patchfinder2, RK
Detector, RegDatXP, Task Info, Kaspersky, etc.

Common sense is handier, faster and more dependable. ;)

Regards, Zvi
 

jeffc

Guy said:
Hi, sorry I'm not much of a "handholder" so you will need to work most
of this out yourself. Seems as if you have a version of Agobot.
Rename regedit.exe to regedit.com

HacDef and Agobot sound like 2 good leads. Thanks for the help. Was able
to connect to the Symantec site after clearing the hosts file, but was not able to
run the downloaded install program. Was not able to connect to Avast even
after clearing my hosts file. Will try some of the other sites mentioned. Will
rename regedit.exe to something other than regedit.com as another poster
mentioned. Thanks for the clues guys...
 

jeffc

Guy said:
of this out yourself. Seems as if you have a version of Agobot.
Rename regedit.exe to regedit.com
Run regedit

No can do. After renaming it it says registry editing has been disabled by
your administrator (even if logged on as administrator in safe mode). This
is getting silly.
 

David H. Lipman

Who has to Google? I already posted a tool that will find and remove the Torvil worm.

Trend Sysclean
http://www.trendmicro.com/download/dcs.asp

In fact I was the first to reply to him and I suggested Sysclean ;-)

Dave


Larry said:
> > of this out yourself. Seems as if you have a version of Agobot.
> > Rename regedit.exe to regedit.com
> > Run regedit
>
> No can do. After renaming it it says registry editing has been disabled by
> your administrator (even if logged on as administrator in safe mode). This
> is getting silly.

Reminds me of W32/Torvil-A...

http://www.sophos.com/virusinfo/analyses/w32torvila.html

Google for a removal tool for Torvil (I think I used one from
Kaspersky, but could be wrong).

Larry
---
larry sabo (as one word) at istop dot com
 

Zvi Netiv

jeffc said:
No can do. After renaming it it says registry editing has been disabled by
your administrator (even if logged on as administrator in safe mode). This
is getting silly.

Is this after you renamed the application to Regedit.com? What happens if you
rename it to abcde.exe?

Regards
 

jeffc

David H. Lipman said:
Who has to Google? I already posted a tool that will find and remove the Torvil worm.

Trend Sysclean
http://www.trendmicro.com/download/dcs.asp

In fact I was the first to reply to him and I suggested Sysclean ;-)

Sysclean won't run because it gets in an infinite loop (apparently) checking
through the internet Temporary Files folder (which is supposed to be empty.)
 
