Tuesday, December 9, 2008

Trojan-PSW.Win32.OnLineGames.sxa / Kavo.exe

Details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size.

Infection

The Trojan copies its executable file to the Windows system directory:

%System%\kavo.exe

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"


The Trojan also extracts the file shown below from its body:

%System%\kavo0.dll

This file is 114176 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.szc.

The Trojan also extracts the file shown below from its body:

%Temp%\.dll

This file is 29815 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.stcw.


The Trojan loads the .dll file to all processes launched in the system.
The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

It sniffs traffic sent to the following addresses:

61.220.60.***
61.220.62.***
61.220.56.***
61.220.62.***
203.69.46.***
220.130.113.***

It does this in an attempt to harvest account data for the following games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web
server.

Harvested data is sent to the remote malicious user's site.

The Trojan also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Fol
der\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

The Trojan also attempts to terminate the following processes:
KAV
RAV
AVP
KAVSVC

The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:

:\n6j.com
indicates the relevant disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:
:\autorun.inf

This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.

Removal Guide
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the following file:
%System%\kavo.exe

2. Reboot the computer.

3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

4. Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"

5. Restore the original system registry key values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Fol
der\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

6. Delete the following file:
%System%\kavo0.dll

7. Empty the temporary directory (%Temp%).

8. Delete the files shown below from all removable disks:
:\n6j.com
:\autorun.inf
stands for the letter of the removable disk.







http://www.emailcashpro.com

Pendaftaran Percuma

Trojan-Downloader.JS.Small.fi

Details

This Trojan downloads other files via the Internet and launches them for execution on the victim machine. The program is an HTML page which contains Java Script scenarios. It is 1432 bytes in size.


The Trojan downloads a file from the URL shown below by exploiting a vulnerability (CVE-2006-1359) in the processing of "createTextRange" in Microsoft Internet Explorer:

http://195.62.***.21/a.exe

The Trojan saves this file to its working directory as shown below:

%WorkDir%\a.exe

The downloaded file will then be launched for execution.
At the time of writing, the link was not active.

Removal Guide

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the process shown below:
a.exe

2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

3. Delete the following file:

%WorkDir%\a.exe

4. Delete all files from %Temporary Internet Files%.






http://www.emailcashpro.com

Pendaftaran Percuma

Monday, October 27, 2008

Trojan-Downloader.Win32.Delf.cgx

Tecnical Details

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 48128 bytes in size. It is packed using PECompact. The unpacked file is approximately 131KB in size. It is written in Delphi.

Simpton

Once launched, the Trojan downloads files from the following URL:

http://paginas.terra.com.br/*****/down2/code.jpg
http://paginas.terra.com.br/*****/down1/lzma.jpg
http://paginas.terra.com.br/*****/down1/branch.jpg
http://paginas.terra.com.br/*****/down1/7z2.jpg
http://paginas.terra.com.br/*****/down1/7z.jpg

These files will be saved to the Windows root directory as follows:

%WinDir%\krn.7z
%WinDir%\7z\Codecs\lzma.dll
%WinDir%\7z\Codecs\branch.dll
%WinDir%\7z\Formats\7z.dll
%WinDir%\7z\7z.exe

The saved files are then launched for execution

Removal instructions

1. Use Task Manager to terminate the Trojan process.

2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

3. Delete the following files:

%WinDir%\krn.7z
%WinDir%\7z\Codecs\lzma.dll
%WinDir%\7z\Codecs\branch.dll
%WinDir%\7z\Formats\7z.dll
%WinDir%\7z\7z.exe

4. Delete all files from %Temporary Internet Files%






http://www.emailcashpro.com

Tuesday, September 2, 2008

Trojan-Downloader.Win32.Banload.dcd Virus

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 113152 bytes in size. It is not packed in any way. This Trojan is written in Visual Basic.

INSTALLATION

Once launched, the Trojan copies its body to the Windows program files directory as "lsass.exe":

%Program Files%\Microsoft Studio Files\lsass.exe

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

The Trojan then creates a command interpreter file called "vcdg.bat" in the same directory:

%Program Files%\Microsoft Studio Files\vcdg.bat

It writes the following strings to this file:
netsh.exe firewall add allowedprogram PROGRAM="%Program Files%\Microsoft Studio
Files\lsass.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL

In doing so, the Trojan modifies the configuration of the Windows XP firewall, permitting any network activity created by the malicious process.

"%Program Files%\Microsoft Studio Files\vcdg.bat" is then launched for execution.

PAYLOAD

Once installed, the Trojan downloads files from the following URLs:

http://www.club-vw.cl/*****/modules/subsmanager/api_apache.tar
http://www.*****-consult.net/rcss.res
http://www.photo-*****.ru/images/exhibition_moll2005_file0031.jpg

At the time of writing, these links were not active.

http://www.cemm*****ac.at/img/nav/plus19a_RO.jpg

This file is 2603325 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Banbra.bak.

Files which are downloaded are saved to the Trojan's installation directory under random names and launched for execution.

REMOVAL GUIDE

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.

2. Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

4. Delete the following directory and its contents:
%Program Files%\Microsoft Studio Files

5. Delete all files from %Temporary Internet Files%.



Ingin Mengetahui Meningkatkan Traffik bagi perniagaan internet anda???



Ingin Mengetahui Cara untuk Menjadi 'Pria Terhebat' ??????



Ingin Mengetahui Rahsia Membuat Duit Tanpa Modal Dengan Google Adsense???



Ingin Mengetahui bagaimana caranya individu menjana pendapatan lumayan melalui Internet???

Wednesday, August 27, 2008

Backdoor.Win32.Agent.ich

Details
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 48640 bytes in size. It is packed using UPX. The unpacked file is approximately 360KB in size.

Installation

The Trojan extracts the following file from its body:
%System%\aspimgr.exe

This file is 73728 bytes in size. Kaspersky Anti-Virus does not detect this file as malicious.

The original file will then be deleted.

The backdoor creates a service called "Microsoft ASPI Manager" which ensures the backdoor executable file will be launched each time the victim machine is restarted.
The Trojan launches a HTTP proxy server on the victim machine on TCP port 80. It then sends notification that the victim machine has been infected to the addresses shown below:

66.199.241.98
82.103.140.75
203.117.175.124
72.21.63.114
66.232.102.169
66.96.196.53

It does this by sending HTTP requests. Once infected, the victim machine becomes part of a zombie network and can be used to send spam or to conduct DoS attacks.

The backdoor creates the following log files:

%WinDir%\ws386.ini
%WinDir%\db32.txt
%WinDir%\s32.txt
%WinDir%\f32.txt

It creates the following registry key:

[HKLM\SOFTWARE\Microsoft\Sft]

and saves its configuration to this key.

Removal Guide

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the malicious process

2. Delete the following registry key:

[HKLM\SOFTWARE\Microsoft\Sft]

3. Delete the "Microsoft ASPI Manager" service.

4. Delete the following files:

%WinDir%\ws386.ini
%WinDir%\db32.txt
%WinDir%\s32.txt
%WinDir%\f32.txt
%System%\aspimgr.exe


Tips about How to Choose Computer

Check Out

http://choosingcomputer.blogspot.com

Trojan.Win32.Agent.dcc

Once launched, the Trojan copies its executable file as shown below:
%System%\drivers\runtime.sys

In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:

[HKLM\System\CurrentControlSet\Services\runtime]

Once installed, the Trojan deletes its original file.

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.

The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:

%System%\ntoskrnl.exe
%System%\ntkrnlpa.exe
%System%\ntkrnlmp.exe
%System%\ntkrpamp.exe

It also masks the presence of processes related to these files.
The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:

208.66.194.***
66.246.252.***
208.66.195.***
74.53.42.***
74.53.42.***

Downloaded files will be saved as:

%TEMP%\.exe

with standing for a random sequence of numbers.

Once downloaded, the files will be launched for execution.

Removal Guide

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the malicious program’s process.

2. Delete the following system registry key:

[HKLM\System\CurrentControlSet\Services\runtime]

3. Delete the following file:

%System%\drivers\runtime.sys

4. Delete the contents of %Temp%



Tips about How to Choose Computer

Check Out

http://choosingcomputer.blogspot.com

Tuesday, August 26, 2008

DriveGuard.exe Or FlashGuard.exe Virus

This virus also known as Worm.Win32.Autoit.au - kaspersky, this worm tries to impersonate a friendly application one that wants to protect your removable drives from other pieces of malware.

It also includes a readme file that reads:
"This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another. "

But at the same time it will download backdoor files..

You can locate the virus at c:\Program Files\FlashGuard\FlashGuard.exe only if you unhide hidden files already(How to Unhide Hidden Files Guide)





The malicious file would copy itself to :

c:\Program Files\FlashGuard\FlashGuard.exe
c:\Program Files\FlashGuard\ReadMe.txt
c:\DocumentsandSettings\**UserProfile\LocalSettings\Temp\DriveGuard.tmp.exe
c:\DocumentsandSettings\**UserProfile\LocalSettings\Temp\gHmpg.tmp.exe

It create folders in your pendrive & copy itself to :

f:\System\Security\DriveGuard.exe *
f:\autorun.ini *

*[f:\] drive letter could vary depend on how Windows assign/mount your pendrive

Create startup launcher(Registry) :

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard

To see these virus you must set Windows to show hidden files - Guide

Removal Guide :



Press Ctrl+Alt+Del to open 'Task Manager', select FlashGuard.exe & click 'End Process'



You can browse to the folder mentioned above or you can find it quickly by using 'Search' feature(Start Menu>>Search). In the search box type, flashguard.exe or flashguard. Don't hit the search button yet..



Scroll down & expand 'More Advanced Options'.Check the all the box as you see in the screenshot below & hit 'Search' button..




Delete all the files found..



Also serch for .tmp.exe, delete DriveGuard.tmp.exe & gHmpg.tmp.exe files found..



The virus files can easily recognized with pendrive like icon..



Your pc now clean from the virus, since the virus load at startup, it left an entry in your registry, you can delete it in registry or you can go to Start Menu>>Run, type msconfig & click 'Ok'.



Select 'Startup' tab, select & uncheck FlashGuard. Click 'Apply' to take effect..


Delete Registry Entry : Go to Start Menu>>Run, type regedit & click 'Ok'
Browse to :
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
Select FlashGuard, right-click on it & delete..




FlashGuard.exe cleaned..
If you new on manually on removing virus, this guide also useful for other type of virus too, especially the type that infecting removable drive(pendrive/flashdrive/memory card). It also depend on how strong the viruses, some viruses replicate itself with random/different file name(hard to find). As you can see FlashGuard.exe replicate itself as DriveGuard.tmp.exe & gHmpg.tmp.exe.

















system.exe backdoor spyware

System.exe is a Backdoor W32.Spybot.OBB.
System.exe spreads by e-mail and via network shares.
System.exe monitors user Internet activity and private information.
It sends stolen data to a hacker site

Related files :

"c:\Windows\system.exe" or "c:\Windows\system32\system.exe"

Solution :

1. update your antivirus and scan it ... ehehehe
2. Manual Removal

MANUAL REMOVAL
Step 1: Use Windows File Search Tool to Find system.exe Path

1. Go to Start > Search > All Files or Folders.
2. In the "All or part of the the file name" section, type in " system.exe" file name(s).
3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
4. When Windows finishes your search, hover over the "In Folder" of " system.exe", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete system.exe in the following manual removal steps.

Step 2: Use Windows Task Manager to Remove system.exe Processes

1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
2. Click on the "Image Name" button to search for " system.exe" process by name.
3. Select the " system.exe" process and click on the "End Process" button to kill it.

Step 3: Detect and Delete Other system.exe Files

1. To open the Windows Command Prompt, go to Start > Run > cmd and then press the "OK" button.
2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files.
3. To change directory, type in "cd name_of_the_folder".
4. Once you have the file you're looking for type in del "name_of_the_file".
5. To delete a file in folder, type in "del name_of_the_file".
6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
7. Select the " system.exe" process and click on the "End Process" button to kill it.


Tips About Choosing Your Computer
Check Out

http://choosingcomputer.blogspot.com

Virus "81u3f4nt45y - 24.01.2007 - Surabaya”

Jika anda dipaparkan dengan message seperti dibawah setiap kali anda menghidupkan komputer anda bererti anda sudah terkena virus:

“Surabaya in my birthday
Don’t kill me, i’m just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0″

Cara untuk membuang virus pesanan ini:

1.klik ke start-> run kemudian taip regedit dan enter.

2.Setelah program register editor muncul, sila klik urutan berikut pada window kiri :

“HKEY_LOCAL_MACHINE” -> “SOFTWARE” -> “Microsoft” -> “Windows NT” -> “Current Version” -> “WinLogon”.

dibahagian kanan window, delete item “LegalNoticeCaption” dan “LegalNoticeText”.

3. selesai


Tips About Choosing Your Computer
Check Out

http://choosingcomputer.blogspot.com






HOW TO REMOVE PC-OFF.BAT Trojan

1. Open "task manager" by pressing CTRL-ALT-DEL. Under tab 'processes', select 'password_viewer.exe' or 'bar311.exe' or 'photo.zip.exe' and Click ‘End Process’

2. Open "register editor"( click 'START’--> ‘RUN’ , type “regedit”) .

• GO TO ‘HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon’

FIND KEY
"Userinit" = C:\WINDOWS\system32\userinit.exe,bar311.exe"
----> remove value ‘bar311.exe’ ONLY!!!!
OR
"Userinit" = C:\WINDOWS\system32\userinit.exe,photo.zip.exe"
----> remove value ‘photo.zip.exe’ ONLY!!!!
OR
"Userinit" = C:\WINDOWS\system32\userinit.exe,password_viewer.exe"
----> remove value ‘password_viewer.exe’ ONLY!!!!

*/DO NOT REMOVE “USERINIT.EXE” VALUE OR “USERINIT” KEY, OR ELSE YOUR PC CANNOT ENTER YOUR WINDOWS/*

• GO TO ‘HKEY_CURRENT_USER \software\microsoft\windows\currentversion\explorer\advanced’
Change Value data for Key As Shown Below :-

"Hidden"=dword:00000001 (1) - Change to ‘1’
"HideFileExt"=Dword:00000000 (0) - Change to ‘0’
"ShowSupperHidden"=Dword:00000001 (1) – Change to ‘1’


• GO TO
‘HKEY_CURRENT_USER \software\microsoft\Command Processor’

FIND KEY

"autorun=c:\windows\pc-off.bat"
-----> Remove "c:\windows\pc-off.bat" or Delete autorun key



. go to ThumbDrive DRIVE(Do not doubleclick the drive,Use Address panel to view file inside DRIVE)

4. delete - autorun.inf
password_viewer.exe
bar311.exe
photo.zip.exe

5. Open Notepad and Type -

@echo off
del /a /f c:\windows\bar311.exe
del /a /f c:\windows\password_viewer.exe
del /a /f c:\windows\photo.zip.exe
del /a /f c:\windows\pc-off.bat
pause


6. Save As "remove.bat"

7. Run remove.bat

8. GO TO
C:\Windows\

Find bar311.exe OR password_viewer.exe OR photo.zip.exe OR pc-off.bat and delete it.

Tips About Choosing Your Computer
Check Out

http://choosingcomputer.blogspot.com