From: Xray on
"Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid> wrote in
news:ho21t0$bi7$1(a)news.eternal-september.org:

> Xray wrote:
>
>> "Beauregard T. Shagnasty" wrote:
>>> Xray wrote:
>>>> Ok, here's what happened, I feel like quite an idiot.
>>>>
>>>> In a panic I reactivated the anti virus, but it was too late.
>>>
>>> It was too late the microsecond you ran whatever it is you ran -- though
>>> you were probably infected from a web site.
>>
>> Yes, I realize it was too late - And so do most people who slam on the
>> brakes before slamming into a light pole.
>> I didn't get infected from a web site, I got infected from a 3gb file
>> I downloaded from the usenet, after I carelessly turned off my anti
>> virus.
>
> I sorta doubt it was the 3GB file. I personally know of no instances
> where a malware-doer purposely set out to infect files of that size. Who
> would download them? Oh wait! I know who would!!! ;-)
>
> What was the website (so it can be examined)? Post the URL - but mung
> it so it is not clickable.
>
> http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
> (please excuse the IntelliTXT ads on this otherwise okay page)

Well, that logic was exactly what made me think the anti virus was giving a
false alarm, sadly for me, it wasn't - And the file is more like 4gb.

There is no URL for this, it was downloaded from the usenet,
alt.binaries.games "Warhammer 40,000 Dawn of War Dark Crusade" posted Oct
24 2009 by kenny <kennynspleenny(a)gmail.com>

If you really want to investigate this large file, here is the complete
header info, I'm here to tell ya it is infected, and infected big.
Premium servers like easynews or giganews are likely to be the only ones
still carrying this nearly half year old file.

date: 24 Oct 2009 01:31:40 GMT
lines: 566
x-trace: DXC=WB9m0E82BT5\nWXJLoiYd:L?0kYOcDh@:BK2jREKf`g:8S2RAnKBM\>h5gfcj>
lJI87Bf`@U07lA7=h7VX^H1@S?
nntp-posting-host: 0a548bf5.news.astraweb.com
from: kenny <kennynspleenny(a)gmail.com>
organization: Unlimited download news at news.astraweb.com
xref: easynews.com alt.binaries.games:238756069
x-newsreader: JBinUp 0.90 Beta 7 - Build: 2008120403
(http://www.JBinUp.com)
subject: "Warhammer 40,000 Dawn of War Dark Crusade.par2" 594 yEnc (1/1)
path: sc-01!news-in-04.newsfeed.easynews.com!easynews.com!easynews!
npeer01.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-
media.com!nx02.iad01.newshosting.com!newshosting.com!novia!news-
out.octanews.net!mauve.octanews.net!news.astraweb.com!
border1.newsrouter.astraweb.com!not-for-mail
newsgroups: alt.binaries.games
x-no-archive: yes
message-id: <oPnva4HHUiagfTuQ8Td3(a)JBinUp.local>


From: David H. Lipman on
From: "Xray" <pl(a)yer.com>

| "Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid> wrote in
| news:ho21t0$bi7$1(a)news.eternal-september.org:

>> Xray wrote:

>>> "Beauregard T. Shagnasty" wrote:
>>>> Xray wrote:
>>>>> Ok, here's what happened, I feel like quite an idiot.

>>>>> In a panic I reactivated the anti virus, but it was too late.

>>>> It was too late the microsecond you ran whatever it is you ran -- though
>>>> you were probably infected from a web site.

>>> Yes, I realize it was too late - And so do most people who slam on the
>>> brakes before slamming into a light pole.
>>> I didn't get infected from a web site, I got infected from a 3gb file
>>> I downloaded from the usenet, after I carelessly turned off my anti
>>> virus.

>> I sorta doubt it was the 3GB file. I personally know of no instances
>> where a malware-doer purposely set out to infect files of that size. Who
>> would download them? Oh wait! I know who would!!! ;-)

>> What was the website (so it can be examined)? Post the URL - but mung
>> it so it is not clickable.

>> http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
>> (please excuse the IntelliTXT ads on this otherwise okay page)

| Well, that logic was exactly what made me think the anti virus was giving a
| false alarm, sadly for me, it wasn't - And the file is more like 4gb.

| There is no URL for this, it was downloaded from the usenet,
| alt.binaries.games "Warhammer 40,000 Dawn of War Dark Crusade" posted Oct
| 24 2009 by kenny <kennynspleenny(a)gmail.com>

| If you really want to investigate this large file, here is the complete
| header info, I'm here to tell ya it is infected, and infected big.
| Premium servers like easynews or giganews are likely to be the only ones
| still carrying this nearly half year old file.

Like I said...

Usenet binaries are FULL of injected trojans. Either the binary is the trojan, a
legitimate application is repackaged with a trojan or some other method but Usenet
binaries can NOT be trusted -- EVER.

In certain circles I am well known for investigating Usenet binaries.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: Xray on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:ho2d1t0c3(a)news3.newsguy.com:

> From: "Xray" <pl(a)yer.com>
>
>| "Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid> wrote in
>| news:ho1h63$3fd$1(a)news.eternal-september.org:
>
>>> Xray wrote:
>
>>>> Ok, here's what happened, I feel like quite an idiot.
>
>>>> In a panic I reactivated the anti virus, but it was too late.
>
>>> It was too late the microsecond you ran whatever it is you ran --
>>> though you were probably infected from a web site.
>
>| Yes, I realize it was too late - And so do most people who slam on the
>| brakes before slamming into a light pole.
>| I didn't get infected from a web site, I got infected from a 3gb file I
>| downloaded from the usenet, after I carelessly turned off my anti
>| virus.
>
>>> Get these two free-for-home-use programs.
>>> Download, install, update, scan.
>>> MalwareBytes AntiMalware: http://malwarebytes.org/
>>> SUPERAntiSpyware: http://superantispyware.com/
>
>>> Use a better browser. Get a firewall.
>
>
>| Browsers fine, firewalls fine, thanks.
>
>
> All the software won't protect you if you don't practice Safe Hex -- YOU
> DIDN'T !
>
> Usenet binaries are FULL of injected trojans. Either the binary is the
> trojan, a legitimate application is repackaged with a trojan or some
> other method but Usenet binaries can NOT be trusted -- EVER.
>
> As for your problem ... What virus ?
>
> It sounds like you got infected alright but NOT with a "virus" ?
>
> %windir%\system32\lowsec is indicative of a Zeus bit (zbot) trojan. A
> bank account compromising trojan.
>
> And other non-viral malware.

True, though my anti virus program is hosed, so I don't know what I have in
the way of a virus.

Here is what I seem to have, at least this is what spybot is detecting.
A total of 21 infected files, spybot locks up with an error "cannot create
file c/windows/system32/drivers/ect/hosts access is denied" when trying to
delete any of these.
Malwarebytes is unable to install, so they are known and located, removing
them is the problem.


--- Search result list ---
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
securitysoftwarepayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure.privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.getavplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
urs.microsoft.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
paysoftbillsolution.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
protected.maxisoftwaremart.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host
(Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host
(Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host
(Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru

--- Browser helper object list ---
{2A0F3D1B-0909-4FF4-B272-609CCE6054E7} (Browser Defender BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Browser Defender BHO
CLSID name: PC Tools Browser Guard BHO
Path: C:\Program Files\Spyware Doctor\BDT\
Long name: PCTBrowserDefender.dll
Short name: PCTBRO~1.DLL
Date (created): 3/20/2010 4:41:16 PM
Date (last access): 3/20/2010 6:21:18 PM
Date (last write): 11/10/2009 10:28:12 AM
Filesize: 395216
Attributes: archive
MD5: 3E1873E478CC25C9495C319B2B34A1C4
CRC32: 7C1BB94B
Version: 2.0.6.11

{3551fe4f-fa6b-4a26-983a-c31bac04ac29} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path:
Long name: lerobido.dll


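The Spybot output above is worth reading as data rather than as a wall of
text: every "Redirected host" entry is a hosts-file mapping, and two of them
(safebrowsing-cache.google.com and urs.microsoft.com) point update and
safe-browsing infrastructure at the same non-loopback address as the rogue
billing domains, which is what stops the cleanup tools from installing or
updating. The script below is an added example written for this thread, not
Spybot's code and not anything the posters wrote. It parses a log laid out
like the one pasted above (the sample text is constructed from those entries,
wrapped lines included), unwraps the headers and registry paths, classifies
each hosts mapping as a benign sinkhole (127.0.0.1 / 0.0.0.0), a hijacked
protection domain, or a plain redirect, lists the Run-key persistence
entries, and applies the same classification to a raw hosts file so the check
can be run on a suspect machine's own file. The suffix list used to recognise
protection domains is an assumption chosen to cover the two hijacked entries
visible in the thread.

```python
"""Triage a Spybot-style "Search result list" and a raw hosts file for hijacked
name resolution. Added example for this thread; not Spybot's or the posters' code.
Log layout modelled on the entries pasted in the thread; sample text is constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample shaped like the thread's Spybot output (wrapped lines included).
SAMPLE_LOG = r"""--- Search result list ---
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected
host, nothing done)
urs.microsoft.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host
(Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Virtumonde.prx: [SBI $1FB893A0] Autorun settings (kulisizaru) (Registry
value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\kulisizaru
"""

HEADER_RE = re.compile(r"^(?P<family>[^:]+): \[SBI \$(?P<sbi>[0-9A-Fa-f]+)\] (?P<kind>.+)$")

# Addresses a hosts entry may legitimately point at: blocking (sinkhole) entries.
SINKHOLE_ADDRESSES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Assumption: suffixes of update / safe-browsing infrastructure. Redirecting these
# defeats protections rather than merely advertising a rogue product.
PROTECTION_SUFFIXES = ("google.com", "microsoft.com")


@dataclass
class Entry:
    family: str   # detection family, e.g. Fraud.WindowsProtectionSuite
    sbi: str      # Spybot signature id without the "$"
    kind: str     # "Redirected host (...)", "Autorun settings (...)", ...
    detail: str   # hosts mapping or registry path, unwrapped


@dataclass
class HostFinding:
    host: str
    ip: str
    verdict: str  # sinkholed | hijacked-protection | redirected | invalid


def parse_entries(text: str) -> list[Entry]:
    """Split the log into blank-line separated entries and unwrap each one."""
    entries = []
    for raw in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in raw.splitlines() if not ln.startswith("---")]
        header, detail, in_header = [], [], True
        for line in lines:
            if in_header:
                header.append(line.strip())
                in_header = not line.rstrip().endswith(")")  # header ends at "(..., nothing done)"
            else:
                detail.append(line.strip())
        m = HEADER_RE.match(" ".join(header))
        if m:
            # Spybot wraps long paths mid-token, so detail lines join without a separator.
            entries.append(Entry(m["family"], m["sbi"].upper(), m["kind"], "".join(detail)))
    return entries


def classify(host: str, ip_text: str) -> HostFinding:
    """Decide whether one host -> address mapping is benign blocking or a hijack."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return HostFinding(host, ip_text, "invalid")
    if ip in SINKHOLE_ADDRESSES:
        verdict = "sinkholed"
    elif any(host == s or host.endswith("." + s) for s in PROTECTION_SUFFIXES):
        verdict = "hijacked-protection"
    else:
        verdict = "redirected"
    return HostFinding(host, str(ip), verdict)


def redirected_hosts(entries: list[Entry]) -> list[HostFinding]:
    """Classify every 'Redirected host' entry of the form name=address."""
    findings = []
    for e in entries:
        if e.kind.startswith("Redirected host") and "=" in e.detail:
            host, _, ip_text = e.detail.partition("=")
            findings.append(classify(host, ip_text))
    return findings


def autorun_entries(entries: list[Entry]) -> list[str]:
    """Registry Run values Spybot flagged: persistence, independent of the hosts file."""
    return [e.detail for e in entries if e.kind.startswith("Autorun settings")]


def scan_hosts_text(text: str) -> list[HostFinding]:
    """Apply the same classification to a raw hosts file: 'address name [name...]'."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            findings.extend(classify(name, fields[0]) for name in fields[1:])
    return findings


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for f in redirected_hosts(found):
        print(f"{f.verdict:20} {f.host} -> {f.ip}")
    for path in autorun_entries(found):
        print(f"autorun              {path}")
```

Run it as-is to see the sample triaged, or feed the contents of a machine's
hosts file to scan_hosts_text. Anything other than "sinkholed" for a vendor,
update or safe-browsing name is the thing to fix before expecting a scanner
to install or update, and the Run-key paths show what will re-launch on
reboot regardless of what the hosts file says.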
From: David H. Lipman on
From: "Xray" <pl(a)yer.com>

< snip >

| True, though my anti virus program is hosed, so I don't know what I have in
| the way of a virus.

| Here is what I seem to have, at least this is what spybot is detecting.
| A total of 21 infected files, spybot locks up with an error "cannot create
| file c/windows/system32/drivers/ect/hosts access is denied" when trying to
| delete any of these.
| Malwarebytes is unable to install, so they are known and located, removing
| them is the problem.


< snip >

Please stop using the term virus. It has specific implications on its abilities to spread.
You are infected with malware and highly probable it is ONLY of type trojan.

As for Malwarebytes' Anti Malware.

First...

Kill as many running programs as possible then...

Download the 'mbam-setup.exe' and rename it to something like; xray.com
Then run; xray.com

Don't allow it to update or run.
Then go to; "C:\Program Files\Malwarebytes' Anti-Malware"

Find; "mbam.exe" and then COPY it to something like; xray.com and then run; xray.com .

Perform an update and then run a scan on your PC.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: Xray on
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:ho3jvg0qo5(a)news3.newsguy.com:

> From: "Xray" <pl(a)yer.com>
>
> < snip >
>
>| True, though my anti virus program is hosed, so I don't know what I
>| have in the way of a virus.
>
>| Here is what I seem to have, at least this is what spybot is detecting.
>| A total of 21 infected files, spybot locks up with an error "cannot
>| create file c/windows/system32/drivers/ect/hosts access is denied" when
>| trying to delete any of these.
>| Malwarebytes is unable to install, so they are known and located,
>| removing them is the problem.
>
>
> < snip >
>
> Please stop using the term virus. It has specific implications on its
> abilities to spread. You are infected with malware and highly probable
> it is ONLY of type trojan.
>
> As for Malwarebytes' Anti Malware.
>
> First...
>
> Kill as many running programs as possible then...
>
> Download the 'mbam-setup.exe' and rename it to something like; xray.com
> Then run; xray.com
>
> Don't allow it to update or run.
> Then go to; "C:\Program Files\Malwarebytes' Anti-Malware"
>
> Find; "mbam.exe" and then COPY it to something like; xray.com and then
> run; xray.com .
>
> Perform an update and then run a scan on your PC.

I'll give that a try, thanks.

I finally managed to uninstall Avast, so I could install Kaspersky.
It found 3 viruses and 2 trojans, including 2 in memory.
One is rootkit.win32.agent.bdzt
Another located at c/windows/system32/drivers/bqglkgov.sys

It calls for a restart to be removed, but upon restarting, Kaspersky
crashes.