Re: bad virus



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:ho2d1t0c3@xxxxxxxxxxxxxxxxx:

From: "Xray" <pl@xxxxxxx>

| "Beauregard T. Shagnasty" <a.nony.mous@xxxxxxxxxxxxxxx> wrote in
| news:ho1h63$3fd$1@xxxxxxxxxxxxxxxxxxxxxxxxxx:

Xray wrote:

Ok, here's what happened, I feel like quite an idiot.

In a panic I reactivated the anti virus, but it was too late.

It was too late the microsecond you ran whatever it is you ran --
though you were probably infected from a web site.

| Yes, I realize it was too late - And so do most people who slam on the
| brakes before slamming into a light pole.
| I didn't get infected from a web site, I got infected from a 3gb file I
| downloaded from the usenet, after I carelessly turned off my anti
| virus.

Get these two free-for-home-use programs.
Download, install, update, scan.
MalwareBytes AntiMalware: http://malwarebytes.org/
SUPERAntiSpyware: http://superantispyware.com/

Use a better browser. Get a firewall.


| Browsers fine, firewalls fine, thanks.


All the software won't protect you if you don't practice Safe Hex -- YOU
DIDN'T !

Usenet binaries are FULL of injected trojans. Either the binary is the
trojan, a legitimate application is repackaged with a trojan or some
other method, but Usenet binaries can NOT be trusted -- EVER.

As for your problem ... What virus ?

It sounds like you got infected alright but NOT with a "virus" ?

%windir%\system32\lowsec is indicative of a Zeus bot (zbot) trojan. A
bank account compromising trojan.

And other non-viral malware.

True, though my anti virus program is hosed, so I don't know what I have in
the way of a virus.

Here is what I seem to have, at least this is what spybot is detecting.
A total of 21 infected files, spybot locks up with an error "cannot create
file c/windows/system32/drivers/ect/hosts access is denied" when trying to
delete any of these.
Malwarebytes is unable to install, so they are known and located, removing
them is the problem.


--- Search result list ---
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
securitysoftwarepayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure.privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.getavplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
urs.microsoft.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
paysoftbillsolution.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
protected.maxisoftwaremart.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host
(Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host
(Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host
(Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

--- Browser helper object list ---
{2A0F3D1B-0909-4FF4-B272-609CCE6054E7} (Browser Defender BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Browser Defender BHO
CLSID name: PC Tools Browser Guard BHO
Path: C:\Program Files\Spyware Doctor\BDT\
Long name: PCTBrowserDefender.dll
Short name: PCTBRO~1.DLL
Date (created): 3/20/2010 4:41:16 PM
Date (last access): 3/20/2010 6:21:18 PM
Date (last write): 11/10/2009 10:28:12 AM
Filesize: 395216
Attributes: archive
MD5: 3E1873E478CC25C9495C319B2B34A1C4
CRC32: 7C1BB94B
Version: 2.0.6.11

{3551fe4f-fa6b-4a26-983a-c31bac04ac29} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path:
Long name: lerobido.dll
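The redirected-host entries Spybot lists above are what a hosts-file hijack looks like: many unrelated names, including the Google Safe Browsing and Microsoft URS hosts that security tools depend on, all pinned to one remote address. As an added example (not code from the thread or from Spybot), here is a small Python check that flags that pattern in a hosts file; the vendor suffix list is an assumption, and the sample hosts text is constructed from the entries in the post.

```python
from collections import defaultdict
import ipaddress

# Vendors whose update/blocklist services a hijack typically cuts off (assumed list).
PROTECTED_SUFFIXES = ("google.com", "microsoft.com", "malwarebytes.org")

# Constructed sample hosts file, built from the entries Spybot listed above.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com
74.125.45.100   4-open-davinci.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   www.getantivirusplusnow.com
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and bad lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, ignore the line
        for name in fields[1:]:
            yield addr, name.lower()

def find_hijacks(text, fanout_threshold=3):
    """Return (kind, subject, detail) findings: vendor domains pinned to a
    remote address, and one remote address collecting many unrelated names."""
    findings = []
    names_by_ip = defaultdict(set)
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1, ::1 and 0.0.0.0 are normal blocking targets
        names_by_ip[addr].add(name)
        if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
            findings.append(("protected_redirect", name, str(addr)))
    for addr, names in names_by_ip.items():
        if len(names) >= fanout_threshold:
            findings.append(("fanout", str(addr), len(names)))
    return findings
```

On a live Windows box you would feed it the contents of %windir%\system32\drivers\etc\hosts; the "access is denied" error Spybot hit when trying to clean that file is itself a sign the malware is guarding it.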
