Post by Ðєѕı on Nov 20, 2003 17:49:31 GMT -5
Hi, I received the following in my yahoo account. Sender was "security@microsoft.com" and subject was "Use this patch immediately !" It sez "Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!" and moves on to its attachment called "patch.exe .exe file " A friend sed its prolly a virus so I didn't open it but instead contacted microsoft Hellas (greece). I was wondering if anyone can tell me what it is. I'm sure it's a virus cause I doubt Microsoft would make a grammar mistake! I would like to know about it though. Seeing that I'm on the subject, do we have a Virus News section?? Ty
Post by »T€€« on Nov 21, 2003 3:51:27 GMT -5
I wouldn't run anything that had been sent in an e-mail like that EVER. If you're worried about Windows security/vulnerability issues, run Windows Update and install any recommended patches from there. It's quite possible that people are distributing viruses and the like by preying on people's fears about Windows vulnerabilities that have been attacked in the past.
You can also check out viruses and malicious e-mails and things at the Symantec website.
Post by albatross on Nov 21, 2003 13:14:46 GMT -5
On the subject of viruses... if you have HijackThis or CWShredder on board, uninstall immediately and download the updated version... a very nasty virus has embedded itself in the original... just clicking on the original triggers the virus, so don't... hope this helps someone. Cheers, and maybe Desider is right in having a virus alert section that's easily seen at login, instead of hunting for info... this would certainly benefit all...
Post by ßOxClevå on Nov 21, 2003 15:49:53 GMT -5
This is a known hoax, and I am pretty sure this was mentioned in the MSN Beginners Comm.
Anyway, yup, MSN NEVER sends emails offering security downloads.
The problem with viruses is that there are so flippin' many, millions in fact! And if we were to post details here of every single virus that hit the net this forum would crumble under the volume of posts!! What makes matters even worse is that a virus is created, then other people get their hands on it and resend it with a slightly different filename, which as u can imagine causes a whole lot more confusion.
The simple fact of the matter is that u dramatically reduce the chances of contracting a virus by ensuring the following.......
1. Make sure you have an Anti-Virus program on your PC. Make sure it's running constantly and that it's regularly updated. If u have yours set to manual update, make sure u update it once a week.
2. Make sure you have a Firewall running. Firewalls are your first line of defence with viruses; make sure (as with the anti-virus prog) that it's running and up to date with its definitions. How many of u check your security settings on your firewall to make sure that it's blocking what u want it to block??
3. Without doubt the best form of defence is common sense. Desi did exactly the right thing: she didn't panic and download the fake security patch, she quite rightly asked first before downloading. Also, if you put the file name she gave, 'patch.exe.exe', into the Google search engine you get an exact description of what this patch is, i.e. a virus / netspy.
With reference to HijackThis, the link I have given in the spyware thread on this forum is the current safe version.
tc
Box
Post by albatross on Nov 22, 2003 7:36:43 GMT -5
Howdy Box... just thought I would let you know that I wasn't referring to the link you have here... actually got the new patched version from here. I do trust your judgement. Sorry if I have confused anyone, my intention was to warn of a nasty, not create confusion. Cheers.

lol.. np Albatross, I knew what u meant, I just didn't want peeps being worried about downloading the version I have linked to. No harm done
Box
Post by Ðєѕı on Nov 24, 2003 16:55:28 GMT -5
Thx to all of ya for replying to this. Microsoft Hellas hasn't replied yet..lol. Box, What if we didn't have a section that you have to update but merely a thread where members could post virus threats they themselves got or are aware of? Thx again
Post by ßOxClevå on Nov 24, 2003 17:34:22 GMT -5
i changed the title of this thread , there ya go
Post by albatross on Nov 25, 2003 0:11:05 GMT -5
Yes, me again... just thought peeps would like to know some more about HijackThis and CWShredder... these two programs are very efficient at what they do, I have both on board... what should be known is, if you do have the misfortune to have to use either of them, once they have done their work and cleaned the machine, uninstall them, then download them again. Seems the trojans etc. infect the version you have just used and wreak havoc next time it's used, so just use them as disposables to use once only... throw them away and get a new one. Trust me, I found out the hard way 3 times. Hope this helps, Cheers.
EDIT: Please disregard this message until I can clarify if there is an issue. I have used the same HijackThis numerous times with no adverse effects. I will remove this edit should I find Albatross' claims to be valid. ty. ßOxClevå
Post by ßOxClevå on Nov 25, 2003 9:41:09 GMT -5
Okies, I have triple-checked what I am about to tell you, as it's far better to have two or three other people checking the same thing that you are. Three heads are better than one and all that.........
The only time u should uninstall HijackThis is when there is a newer version available, or if u decide that you are never going to use it again.
The only way that you can become re-infected, or that HijackThis can aid the transfer of any kind of spyware, is if the user hasn't followed the instructions properly.
I have listed below some reasons for this, starting with the most common mistake first.
1. Before hitting the 'Fix' button u must be signed off the internet. If u are a cable user, pull the plug.
2. The user didn't close all browser windows / programs running in the background.
3. The user didn't follow a suggested 'order of fixing' by an expert, i.e. if the user was told to fix problems a, b, c, d in that order, they fixed them in d, c, a, b.
4. A certain spyware/malware item wasn't completely removed / cleaned from the system before the next HijackThis use.
The bottom line is this: HijackThis is certainly not responsible for more infections or re-infections!
May I suggest that any threads like this be pm'd to a Forum member of staff prior to posting, just so we can avoid scaring people. ty.
tc
Box
Post by «ÇhoiceÑewcomer» on Nov 26, 2003 7:38:03 GMT -5
He he, yep, it is a virus. We got it at work & the boss opened it before I could tell him not to. It was the only puter without protection, so we spent half the day cleaning all on the network and getting a fix for his. Choicenewcomer
Post by ßOxClevå on Dec 30, 2003 7:28:12 GMT -5
Okies, I don't normally post virus warnings as there are so many, but this one is a bit sinister so I've detailed below how it works.
-------------------------------------------------------------------------
Sober.C Worm
Sober.C is an e-mail worm that sends itself as an attachment to e-mail messages with different subject and body texts. Messages are composed from either German or English text strings depending on a recipient's domain suffix.
The worm can disguise itself as a message from a police force or government body that allegedly found illegal movies, music and software on a user's computer. The worm's message says that the police have filed a lawsuit against the user, who is invited to read the rest of the information in the attachment, which has a .TXT.EXE extension. But the attachment contains only a sample of the worm. The worm can also send other kinds of messages. Additionally, the worm has the functionality to spread in P2P (peer-to-peer) networks.
-----------------------------------------------------------------------
Sobig has been around for a while but it's really starting to spread now, so be vigilant!
tc
Box
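Desi's "patch.exe .exe" and the ".TXT.EXE" attachment in the Sober.C description above both rely on a second extension hiding the real one. As an added example (not from the thread or from any tool named in it), this Python checks an attachment name for that pattern; the extension lists and the "lawsuit.txt.exe" sample are constructed for the demo.

```python
import re

# Extensions Windows runs on double-click; the lure needs the user to launch one of these.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
# Harmless-looking extensions a mass mailer puts in front of the real one (constructed list).
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "zip", "mp3"}


def attachment_flags(filename):
    """Return the reasons an attachment name looks like a disguised executable.

    An empty list means the name itself gives no cause for concern; it says
    nothing about what the attachment actually contains.
    """
    flags = []
    # Collapse padding such as "patch.exe .exe" so the extensions line up.
    name = re.sub(r"\s+(?=\.)", "", filename.strip())
    if name != filename.strip():
        flags.append("whitespace padding before an extension")
    exts = name.lower().split(".")[1:]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return flags
    flags.append("executable extension .%s" % exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        flags.append("decoy extension .%s in front of the executable" % exts[-2])
    elif len(exts) >= 2 and exts[-2] in EXECUTABLE_EXTS:
        flags.append("repeated executable extension")
    return flags


def is_suspicious(filename):
    """True when the filename carries at least one masquerade indicator."""
    return bool(attachment_flags(filename))


if __name__ == "__main__":
    # "patch.exe .exe" is from the thread; "lawsuit.txt.exe" is a constructed
    # stand-in for the .TXT.EXE lure; the last two are benign controls.
    for sample in ("patch.exe .exe", "lawsuit.txt.exe", "holiday.jpg", "setup.exe"):
        print(sample, "->", attachment_flags(sample) or "no indicators")
```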
Post by Ťoñy4iñ1 on Dec 30, 2003 12:15:10 GMT -5
Worrying, seeing as I get daily messages from the Sussex Police force!
But, the basic answer is if you don't know and trust the person sending the email, don't open an attachment, just delete it!
Post by Çr¥§tálm€rlíñ on Jan 7, 2004 2:43:50 GMT -5
Hi guys.... I have that AVG virus checker on my computer. Whenever it does its scheduled check, it's been telling me that I have a virus called "Trojan Horse Dropper. Swicer A" infecting a file called "C:\_RESTORE\TEMP\A0084170:CPY". At the end of the test, I'm asked to move the virus to the 'Virus Vault' but it comes back saying it can't be moved. I've used the spyware link to check for the same virus but that comes back saying that my computer is virus free. What am I doing wrong?
Post by ßOxClevå on Jan 7, 2004 11:47:52 GMT -5
Yet again this is a spyware problem, grrr..
Okies, what I need you to do first is to download HijackThis. U can get it by clicking on this link: mjc1.com/mirror/hjt/
When u have downloaded it, open it and click on 'Scan'.
When the scan is complete, copy ALL the text it shows you in the window and paste it here.
That will tell what applications u have running (including the spyware) and how to remove them. To rid your system of this virus is gonna take a few messages between us and will require u downloading a couple of spyware stopper programs, but u will have a much happier PC at the end.
P.S. The reason AVG can't remove the trojan is because it's in the Restore file; no Anti-Virus progs can clean restore files.
tc
Box
Post by Çr¥§tálm€rlíñ on Jan 7, 2004 18:12:28 GMT -5
Hi Box....... thanks for this. I think I did this properly but there is a lot of information to paste in here, so I'm hoping I got it right.. cheers
Logfile of HijackThis v1.97.7
Scan saved at 11:55:12 a.m., on 8/01/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCTRL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.xtra.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93FF-FD64B787BB38} - C:\WINDOWS\DOWNLO~1\SEARCH~1.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SEARCHAT\1.BIN\MWSSRCAS.DLL
O3 - Toolbar: x=96402|r-103003games1-tb1p - {4E7BD74F-2B8D-469E-93FF-FD64B787BB38} - C:\WINDOWS\DOWNLO~1\SEARCH~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [FMP] C:\WINDOWS\FMP.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: IRCXpro Messenger.lnk = C:\Program Files\IRCXpro Messenger\Messenger.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.8075
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - www.wildtangent.com/install/wdriver/racing/rcriot2/zone/wtinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4E7BD74F-2B8D-469E-93FF-FD64B787BB38} (x=96402|r-103003games1-tb1p) - toolbar.push.com/searchbar.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {CD89AB62-B70C-43CF-AC83-C7BB55C3DA43} - www.sirsearch.com/toolbar/partner/selfnetwork/setup_selfnet_bundle_tdp047.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - www.ircxpro.com/prochat/vitalize.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
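A pasted HijackThis log like the one above often arrives run together on one line. As an added example (not part of the thread or of HijackThis itself), this Python splits such a paste back into entries and reports any CLSID registered under more than one section, which is how the same toolbar shows up above as a BHO (O2), a toolbar (O3) and an ActiveX download (O16); the sample is a handful of entries copied from that log.

```python
import re
from collections import defaultdict

# HijackThis prefixes each entry with a section code (R0-R3, O1-O2x) and " - ";
# splitting on that boundary recovers the entries even from a one-line paste.
ENTRY_START = re.compile(r"(?=\b[RO]\d{1,2} - )")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Entries copied from the log posted above, run together the way a forum paste does.
SAMPLE_LOG = (
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = www.xtra.co.nz/ "
    "O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93FF-FD64B787BB38} - C:\\WINDOWS\\DOWNLO~1\\SEARCH~1.DLL "
    "O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\\PROGRAM FILES\\MYWEBSEARCH\\BAR\\1.BIN\\MWSBAR.DLL "
    "O3 - Toolbar: x=96402|r-103003games1-tb1p - {4E7BD74F-2B8D-469E-93FF-FD64B787BB38} - C:\\WINDOWS\\DOWNLO~1\\SEARCH~1.DLL "
    "O4 - HKLM\\..\\Run: [LoadQM] loadqm.exe "
    "O16 - DPF: {4E7BD74F-2B8D-469E-93FF-FD64B787BB38} (x=96402|r-103003games1-tb1p) - toolbar.push.com/searchbar.cab"
)


def split_entries(text):
    """Return the individual entries of a HijackThis log, flattened or not."""
    return [e.strip() for e in ENTRY_START.split(text) if e.strip()]


def parse_entry(entry):
    """Split one entry such as 'O2 - BHO: ...' into (section_code, body)."""
    code, _, body = entry.partition(" - ")
    return code, body


def clsid_sections(text):
    """Map each CLSID in the log to the set of section codes it appears under."""
    seen = defaultdict(set)
    for entry in split_entries(text):
        code, body = parse_entry(entry)
        for clsid in CLSID.findall(body):
            seen[clsid.upper()].add(code)
    return dict(seen)


def cross_registered(text):
    """CLSIDs found under more than one section: one component installed several ways."""
    return {c: sorted(s) for c, s in clsid_sections(text).items() if len(s) > 1}


if __name__ == "__main__":
    for clsid, sections in cross_registered(SAMPLE_LOG).items():
        print(clsid, "appears under", ", ".join(sections))
```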