From: David H. Lipman on 14 Sep 2009 18:53

From: "JClark" <jclark(a)nomail.invalid>

JClark:

Tell your son to do the following...

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in the post with a full explanation of the problem and/or suspicions and what has been done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where he can get expert advice, assistance and one-on-one direction.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: 1PW on 14 Sep 2009 18:55

JClark wrote:
> On Mon, 14 Sep 2009 18:06:25 -0400, JClark <jclark(a)nomail.invalid> wrote:
>
>> On Sun, 13 Sep 2009 22:39:59 -0400, "David W. Hodgins" <dwhodgins(a)nomail.afraid.org> wrote:
>>
>>> On Sun, 13 Sep 2009 21:54:10 -0400, JClark <jclark(a)nomail.invalid> wrote:
>>>
>>>> Many thanks for your input. The McAfee description keeps repeating the simple word "python", which makes it so worrisome.
>>>
>>> According to McAfee, they gave the virus that name because the decrypted virus contains that word in text format. The word python is not used in the file name(s).
>>>
>>> What led you to the McAfee site about this ancient virus?
>>>
>>> Regards, Dave Hodgins
>>
>> Hi Dave,
>>
>> The McAfee site popped up on a Google search by my son, who has become a bit obsessed, I fear, about the security of his computer. But I'm not virus-knowledgeable enough to refute his fears.
>>
>> I posted details of this situation in this group on August 25, Message-ID: <c3l7951gr0vcod4mc414nmvc9asumtcm97(a)4ax.com>
>>
>> Since then he's stopped using the Dell laptop and I put together a desktop system for him, doing the same things I did for the Dell: short and flash the BIOS, wipe the HD with WipeDrive in DOS, partition with FDISK, format as NTFS and reinstall Windows XP. But he's searching all over the drive, finding scripts, DLLs with funny lines in them, the WMI jargon regarding "impersonate" etc. He finds things he thinks are viruses. Even though I put the premium version of Avira on the system and ran a full system check before taking it over to him. He has the Online Armor full version firewall. I also put a Linksys router between his new cable modem and the PC (and changed the default router password).
>>
>> He sent me some files he's worried about tonight:
>>
>> 1. A DCOM log from wbemprox.log
>>
>> (Mon Sep 14 13:07:37 2009.81109) : Using the principal -RPCSS/asuscf-
>> (Mon Sep 14 13:07:42 2009.86500) : Using the principal -RPCSS/asuscf-
>> (Mon Sep 14 13:07:42 2009.86562) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x0
>> many more lines
>>
>> 2. Framework log (GLUE-1)
>> Login Warning - provider with that name already existed, overridden with latest provider login (root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting)
>> 09/01/2009 15:02:38.265 thread:864 [d:\xpsprtm\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]
>>
>> 3. A long script from pickletester, which I won't copy here.
>>
>> 4. httpserver.py etc etc
>>
>> Dave, I appreciate your help or any suggestions. Again, I'm having a hard time believing there is any threat in this new system, but although I am reasonably computer literate, I'm virus-ignorant.
>>
>> Jack
>>
> Here's a recent transmission from my son, with his concerns. Again, I don't know enough to tell him he's over his head:
>
> (Apologies for caps, his original email)
>
> PLEASE SEE ATTACHED. YES IT DOES HAVE AN ANTIVIRUS "MUK" PROGRAM. YES, IT WRITES A FILE THAT MAKES BACKUPS AND RESTORES USELESS. ONE EASY TEST FOR YOUR PC.... "UNLOCK" TASK BAR, AUTOHIDE IT, THEN REBOOT A FEW TIMES. YOU WILL DEFAULT TO LOCKED UNHIDDEN. IT HAS TROUBLE EXACTLY MIRRORING THE NUANCES OF EACH WIN VER - NT 2K 98 XP AND I ASSUME VISTA. LIKELY WHY YOUR VIEW AS LIST REGEDIT DID NOT TAKE...
>
> DEAREST FATHER:
>
> I THINK THIS WILL ASSURE YOU THAT I AM ON A "REDIRECTED MIRROR/SHELL SITE" AND NOT THE RR SITE. EVENTUALLY THIS PC WILL HAVE THE FATE OF MY LAPTOP. I HAVE EXPERIENCED THIS FOR MONTHS AND IT IS HARD TO ITERATE ITS COMPLEXITY. I FOUND 100'S OF HIDDEN FILES ON THE NEW PC WITH "JEFF C. LAPTOP" DIRECTORIES ... IN UNNAMED SUBDIRECTORIES. I ASSUME THAT IS WHERE THE INFECTION ORIGINATED. YOU LIKELY (AND UNDERSTANDABLY) USED SOME OLD SOFTWARE ... OPEN OFFICE PERHAPS. WE LIKELY HAVE SCREEN READERS... SO ...BE CAUTIOUS WITH PERSONAL AND FINANCIAL STUFF. U USE AN AX CARD FOR ARMOR? U MAY WANT 2 CHANGE THE NUMBER.
>
> I FOUND THE BELOW EVIDENCE (IT HAS BEEN HARD, BECAUSE SHELL BLOCKS U OUT OF THE EVIDENCE). U FIND THIS BY RUNNING "IN NETWORK CONNECTIONS" (FOUND IN THE CONTROL PANEL) IN SAFE MODE WITHOUT INTERNET CABLE PLUGGED IN (IF YOU HAVE NO "ONBOARD WIRELESS"). THE FIELD IS STILL "SHELLED" BUT YOU CAN BREAK IT BY CHANGING THE DISPLAY OF MONITOR, IE: RED WITH ALL THE OPTIONS ..THEN OPEN UP A FEW MEDIA PLAYERS (U MAY WANT TO CHECK FOR PYTHONS .. I BELIEVE THEY ARE **PY.LNK IN THE DORMANT STATE). THEN CLICK ON THE PROPERTIES OBJECT SEVERAL TIMES, CUT/SELECT ALL EVEN IF YOU SEE NOTHING. PLEASE SEE BELOW:
>
> !@! I JUST GOT A "PICKLE" IN THIS DOCUMENT ... IT WAS A VERY LIGHT ABERRATION IN BETWEEN A WORD; I COULD NOT CUT AND PASTE IT. ... I CHECKED THE FILE SIZE FROM THE BACKUP AND THE FILE WAS ABOUT 1500 KB BIGGER... GUESS I SAW IT BECAUSE I HAVE THE DISPLAY SO MESSED UP... I AM TENACIOUSLY BACKING UP. COINCIDENTALLY MY EVIDENCE GETS CHANGED OR DISAPPEARS. THUS, I WAS WORRIED ABOUT MY MENTAL HEALTH!
>
> MIRROR SITE FROM "IN NETWORK CONNECTIONS"
>
> 1) ADDRESS/URL:
> MS-ITS:C:\WINDOWS\Help\netcfg.chm::/EXEC=,control.exe, netconnections CHM=ntshared.chm FILE=alt_url_windows_component.htm
>
> 2) GENERAL:
> EXEC=,control.exe, netconnections CHM=ntshared.chm FILE=alt_url_windows_component.htm
>
> THIS IS FROM MY "BROWSER ADDRESS BOX"
> 1) REDIRECT (UNVERIFIED, JUST LOOK) TO A FAKE MS SITE:
> http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0409&pver=6.0&ar=home
>
> FINALLY, I HOPE TO GET ON-LINE AND ASK OPEN OFFICE ABOUT THEIR SOFTWARE PLATFORM. IN THE INTERIM, AND IF YOU HAVE THE INTEREST, MY "PYTHON FOLDER" HAS AN ENTIRE TEST SITE. IT IS ONE \ FOLDER UNDER THE PYTHON FOLDER. THE PROGRAMS ARE "INFANTS" AND HAVE CODE EXPLANATIONS. OBVIOUSLY, THE INF, COM, HML ARE EASIER TO READ; BUT THE DLL HAVE SOME MEAT. READ THE BOTTOM OF THE DLL FIRST. I AM PRETTY SURE YOU HAVE THE VIRUS. SORRY, I KNOW YOU WERE TRYING TO HELP AND THE TENACITY OF THE BUG IS AMAZING...
>
> GIVE ME A CALL THIS WEEK AND TELL ME IF I NEED A STRAIGHT JACKET.
>
> -- JC
>
> PS: I COULD GO ON FOR HOURS... IT LIKES TO PICKLE IMAGES, RECORDINGS, ETC. I THINK IT IS EASIER. IT HAS A PREFERENCES PROGRAM TO TRACK YOU...IT DOES HAVE CODE THAT IMPERSONATES REGISTRATION OF SOFTWARE, LOG ONS, ETC. IT ALSO HIDES BY CALLING A RESPECTABLE PROGRAM WHICH IN TURN CALLS A PYTHON SYSTEM PROGRAM (USUALLY HAS A *32* OR *NT32*). IT USES THE WMI NAMESPACE, REMOTE ACCESS - EARLY ON IT MAKES WINXP (OR YOUR OS) THINK YOU ARE ASKING FOR HELP FROM THE ABOVE SITE. IT REQUESTS FROM YOUR COMPUTER REMOTE ASSISTANCE. ONCE THAT IS DONE IT IS OVER. IT DOWNLOADS A SERIES OF PROGRAMS, MAINLY DLLS RUN AS APPS .. I CAN PRETTY MUCH LIST THE PROGRESSION FOR YOU ..MSVCRT (MAKE PROXY MIRROR CONNECTION) REGVR32 (REGEDIT OR SERVER I FORGET) ADVAPI32...RPCRT4 (?).. USER32 ...GDI32.. OLE32, HIMENG, ACGINARL, WINMA (?) .. OLEAVT32... SACM32......AND SO ON. EVENTUALLY YOUR ENTIRE OS IS NT32 WITH A WINXP/98/ETC SHELL AND
>
> ...............YOU ARE NO LONGER IN KANSAS, DOROTHY..........
>
> I have no idea what all of this means, if anything. Again, I appreciate any advice the group can give me.
>
> Jack

Hello Jack:

The AV protection you installed is excellent. What other antimalware protection have you installed?

--
1PW
From: JClark on 14 Sep 2009 19:31

On Mon, 14 Sep 2009 15:55:55 -0700, 1PW <1PW(a)INVALID.com> wrote:

>JClark wrote:
>> [snip]
>
>Hello Jack:
>
>The AV protection you installed is excellent. What other antimalware protection have you installed?

I installed "Online Armor" for the firewall. And I think I put SuperAntiSpyware on as well, but I've messed with several systems lately, and I'm not sure about the last SAS. I put Malwarebytes on some of them. (I'm not a pro ... just a lot of family and friends asking for my help lately.)

Thanks.

Jack
From: JClark on 14 Sep 2009 19:33

On Mon, 14 Sep 2009 19:07:03 -0400, "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:

>"JClark" <jclark(a)nomail.invalid> wrote in message news:3cgta5d0epn8s3befk6cfesklgm0gi7jms(a)4ax.com...
>
>I would be more concerned about your son in this case. It seems he suspects mental issues, as do I. His confidence in his computer's security will *never* be restored until he can think clearly. His fears will not be refuted by logic unless he begins thinking logically.
>
>I'm sorry, this is not meant to be mean spirited.
>

Rafters,

I completely understand, and you have expressed my own concerns as well. I am very grateful for your thoughts.

Jack
From: David W. Hodgins on 14 Sep 2009 22:37
On Mon, 14 Sep 2009 18:40:38 -0400, JClark <jclark(a)nomail.invalid> wrote:

> I have no idea what all of this means, if anything. Again, I appreciate any advice the group can give me.

The OpenOffice application is written mostly in the Python language. There should be almost a thousand .py files in C:\Program Files\OpenOffice.org 3\Basis\program\python-core-2.3.4\lib and its subdirectories.

If he can handle the learning curve, you may want to suggest he investigate installing a version of Linux. My preference is Mandriva Linux Free 2009 Spring from http://www.mandriva.com/en/download/free although Ubuntu from http://www.ubuntu.com/GetUbuntu/download seems to be more popular right now.

He'd find lots of Python programs there :-), as well as other scripts etc, but at least he wouldn't have to worry about getting a virus.

Sounds like it's going to be difficult to convince him that nothing he's found so far indicates any malware infection.

Best of luck!

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email. (nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)
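One check a practitioner would run in Jack's position, added here as an example and not part of any post in this thread: instead of reading .py and .dll files for alarming words like "pickle" or "impersonate", hash every script and native module under the OpenOffice python-core directory Dave names and diff that manifest against the same directory from a fresh install of the same OpenOffice version on a known-clean machine. Stock files match byte for byte; anything added, missing or changed is the short list worth looking at. The two directory trees below are constructed in temporary folders so the script runs offline; the file names in them are illustrative stand-ins, not copied from either machine.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root, suffixes=(".py", ".pyc", ".dll", ".pyd")):
    """Map each file under root (as a relative POSIX path) to its SHA-256 hex digest.

    Only files with one of the listed suffixes are hashed, so the manifest
    covers the scripts and native modules the thread is worried about.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(known_good, suspect):
    """Return (added, missing, changed): files only on the suspect machine,
    files only on the clean one, and files present on both whose contents
    differ. An empty triple means the two trees are identical for the hashed
    suffixes."""
    added = sorted(set(suspect) - set(known_good))
    missing = sorted(set(known_good) - set(suspect))
    changed = sorted(p for p in known_good.keys() & suspect.keys()
                     if known_good[p] != suspect[p])
    return added, missing, changed


def _populate(root, files):
    """Write a constructed directory tree from a {relative_path: bytes} map."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Run the comparison on two constructed trees standing in for the
    python-core lib directory on a clean install and on the suspect PC.
    File names and contents are sample data, not real OpenOffice files."""
    clean_files = {
        "pickle.py": b"# constructed sample standing in for a stock module\n",
        "test/pickletester.py": b"# constructed sample standing in for a test-suite file\n",
        "BaseHTTPServer.py": b"# constructed sample standing in for a stock module\n",
    }
    suspect_files = dict(clean_files)
    # Two deliberate differences so the diff has something to report.
    suspect_files["pickle.py"] = clean_files["pickle.py"] + b"# one extra line\n"
    suspect_files["extra.py"] = b"# file with no counterpart in the clean tree\n"

    with tempfile.TemporaryDirectory() as clean_dir, \
         tempfile.TemporaryDirectory() as suspect_dir:
        _populate(clean_dir, clean_files)
        _populate(suspect_dir, suspect_files)
        return diff_manifests(build_manifest(clean_dir),
                              build_manifest(suspect_dir))


if __name__ == "__main__":
    added, missing, changed = demo()
    print("added:  ", added)
    print("missing:", missing)
    print("changed:", changed)
```

On the real machines, run build_manifest over the python-core lib directory on the clean install, save the dict with json.dump, carry the file over on removable media and compare it to a manifest built on the suspect PC. A clean diff shows the installed files are what the installer shipped; it says nothing about the rest of the system, and Windows' own system DLLs are better checked with the built-in System File Checker (sfc /scannow) than by eyeballing their contents.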