
Trojan Alert

Started by Ergo, January 07, 2008, 10:25:09 AM

TheOne

I can no longer expand the screen; it's hard to navigate without it! Does the option no longer exist?

EDITED:

OK, now it works. I needed to navigate to the profile section to re-enable it, by magic.

hansvonlieven

Quote from: hartiberlin on January 11, 2008, 04:39:53 PM
My hoster had a DNS problem a few minutes ago.
Now it is fixed again.

I hope we have resolved now this issue.

Let us hope so.

Thank you Stefan for the hard work put in by you to get the thing going again. I am sure all of us appreciate your effort.

Greetings

Hans von Lieven
When all is said and done, more is said than done.     Groucho Marx

Pirate88179

Yes Stefan, thanks for fixing this. A good thing came out of this for me, as I had forgotten how easy and fun Firefox is to use, and today I made it my default browser. I also beefed up my antivirus software with some additional downloads, which is never a bad thing to do.

Bill
See the Joule thief Circuit Diagrams, etc. topic here:
http://www.overunity.com/index.php?topic=6942.0;topicseen

wattsup

Shit ..... I got it too.

I was at the damn US patent site that only really works with IE, and without thinking I browsed here with it instead of with my regular Firefox.

First I removed Internet Explorer from Windows XP. DONE WITH IE, TABARNAC.

Did some heavy duty sword fighting with the bastard and found this out.

From what I can tell, it was downloaded onto my computer from the OU index page to:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Temporary Internet Files\Content.IE5\C1QFG567\images2[1]\00000063.js
Virus name: VBS/Psyme

It probably activated itself before my virus scanner could catch it. It was updated yesterday.

Stefan, you may try to do a search for this file on the server 00000063.js

My virus checker also deleted this one.
C:\WINDOWS\system32\drivers\smtpdrv.sys
Virus name: Generic dx
smtpdrv.sys Trojan deleted

Spy-Agent.bv.dldr

Trojan discovered: 03/27/2007, Risk: Low-Profiled

vil.nai.com/vil/content/v_141846.htm

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.

Upon execution, the trojan drops the following files:

    * %Windir%\System32\drivers\ip6fw.sys (Spy-Agent.bv.dldr)
    (Cannot yet delete. It pops back seconds later)
    * %Windir%\System32\drivers\runtime.sys (Spy-Agent.bv.dldr)
    (Manually Deleted)
    * %Windir%\System32\5_exception.nls (Spy-Agent.bv.dldr)
    (Manually Deleted)

(Where %Windir% is the Windows folder, e.g. C:\Windows)

It adds the following registry keys:

Remove these.

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
      "ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
      "ErrorControl" = 1
      "Start" = 3
      "Type" = 1
     
    * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime
      "ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
      "ErrorControl" = 1
      "Start" = 3
      "Type" = 1

Open C:\WINDOWS\regedit.exe and remove the above registry keys; BE CAREFUL WITH REGEDIT!!!!!!

The trojan injects code into the process "IExplore.exe". The injected code attempts to download files from the following remote site.

    * 66.246.252.[removed]

I found the file here;

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Temporary Internet Files\Content.IE5\C1QFG567\216.195.55[1].HTML

Cannot yet delete this file.

You won't be able to see the above directory with Windows Explorer. You will need ZTreeWin. I have attached the file ZTW.ZIP. Create a directory C:\ZTW, download this file there, then unzip it. Make a desktop shortcut to ZTW.EXE. This is the best low-level drive browser out there. Very powerful and indispensable when hunting these rats.

Symptoms - Existence of mentioned files and registry keys.

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

If you made the above changes, then before rebooting you have to disable Windows System Restore so it does not re-install itself from a backup.

WindowsXP

Disabling the System Restore Utility (Windows XP Users)

   1. Right click the My Computer icon on the Desktop and click on Properties.
   2. Click on the System Restore tab.
   3. Put a check mark next to 'Turn off System Restore on All Drives'.
   4. Click the 'OK' button.
   5. You will be prompted to restart the computer. Click Yes.


Now I am getting an Explorer.exe error

AppName: explorer.exe    AppVer: 6.0.2900.2180    ModName: winhttp.dll
ModVer: 5.1.2600.2180    Offset: 00018fa0

I moved C:\windows\system32\winhttp.dll to a newly created directory that I named "aaa-hold" in case I needed it.

There are also some tmp files that cannot be deleted.

My computer crashed a few times.

Now I will re-boot with my Windows 98 start up diskette and remove those stray files under Dos.

What a total waste of time.
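
The sweep below is an added example, not code from wattsup's post, from overunity.com or from any antivirus vendor. It checks a Windows machine for exactly the indicators listed in the post (the dropped drivers and .nls file, the "Runtime" service under every ControlSet hive, and the cached 00000063.js) and reports sizes, SHA-256 hashes and the service's ImagePath/Start/Type values so they can be compared against a clean machine; it deletes nothing and rewrites no registry keys. The helper names Get-Sha256Hex and New-Finding are my own. One caveat it has to carry: ip6fw.sys is also the file name of the IPv6 firewall driver that ships with XP SP2, so the file merely existing is not evidence by itself, which is why the hash is printed. It is written for PowerShell 2.0 and later, since the box in the thread is XP, and must be run from an elevated prompt.

```powershell
# Added example: read-only sweep for the indicators quoted in the post above.
# Not the post's own procedure and not vendor code; run from an elevated prompt.

$win = $env:windir

# Dropped files named in the post, relative to %Windir%.
# Caution: ip6fw.sys is also the legitimate XP SP2 IPv6 firewall driver,
# so presence alone proves nothing; compare the hash against a clean copy.
$fileIocs = @(
    'System32\drivers\ip6fw.sys',
    'System32\drivers\runtime.sys',
    'System32\drivers\smtpdrv.sys',
    'System32\5_exception.nls'
)

# Service the dropper registers. The post lists CurrentControlSet and
# ControlSet001; every ControlSet* hive is checked so a copy that would come
# back via "Last Known Good Configuration" is not missed.
$serviceIocs = @('Runtime')

# Cached script named in the post, somewhere under a profile's IE cache.
$cacheIocs = @('00000063.js')

# Helper (my own name): SHA-256 as hex, via .NET so it works on PowerShell 2.0.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Helper (my own name): one row of the report.
function New-Finding($Kind, $Where, $Detail) {
    New-Object PSObject -Property @{ Kind = $Kind; Where = $Where; Detail = $Detail }
}

$findings = @()

# 1. Dropped files under %Windir%.
foreach ($rel in $fileIocs) {
    $p = Join-Path $win $rel
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $findings += New-Finding 'file' $p ("size={0} sha256={1}" -f $item.Length, (Get-Sha256Hex $p))
    }
}

# 2. The "Runtime" service in every ControlSet hive.
$hives = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
foreach ($cs in $hives) {
    foreach ($svc in $serviceIocs) {
        $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$svc"
        if (Test-Path -LiteralPath $key) {
            $v = Get-ItemProperty -LiteralPath $key
            # Type 1 = kernel driver, Start 3 = load on demand, as quoted in the post.
            $findings += New-Finding 'service' $key ("ImagePath={0} Start={1} Type={2}" -f $v.ImagePath, $v.Start, $v.Type)
        }
    }
}

# 3. The cached .js under any profile. Profile root is
#    C:\Documents and Settings on XP and C:\Users on later Windows.
$profiles = Split-Path -Parent $env:USERPROFILE
foreach ($name in $cacheIocs) {
    $hits = Get-ChildItem -Path $profiles -Recurse -Force -Filter $name -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        $findings += New-Finding 'cache' $h.FullName ("size={0} sha256={1}" -f $h.Length, (Get-Sha256Hex $h.FullName))
    }
}

if ($findings.Count -eq 0) { 'No listed indicators found.' }
else { $findings | Format-Table Kind, Where, Detail -AutoSize -Wrap }
```

Two notes on using it. CurrentControlSet is only a link to one of the numbered ControlSet00N hives, so a "Runtime" hit in a numbered hive that does not show under CurrentControlSet is the copy that will be used on a later boot and deserves the same attention. The System Restore step from the post can be done from the same prompt on client Windows with Disable-ComputerRestore -Drive 'C:\' before rebooting. The script deliberately leaves winhttp.dll alone: it is a standard Windows component, and the ModName in an explorer.exe Application Error report names the module where the fault occurred, not necessarily the module responsible for it.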

Paul-R

This board is useless with dial up, and has a signal/noise
ratio of around 200:1. No wonder we have bandwidth issues.

And now this.
At least this sort of thing never happened with YahooGroups.
If you want to serve best the new energy community, Stefan,
you need to do some hard thinking about the future.
Paul.