Brief Description

The following registry elements have been created:

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\

• HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\

• HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\INPROCSERVER32\

• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\

download unhide.exe and TDssKiller
Run  TDSSKiller and it will locate your infection. It will ask you to remoev the infection ans simply say yes.  IF all goes well and your PC is clean, it will ask to reboot your windows 7. Please do so.

It will most likely find: TrojanDownloader.OpenStream.NBF trojan

If this does not work for you, download the latest malwarebytes and update and scan.

To clean, simply run your anti virus software, we suggest Microsoft Security Essentials. If your anti-spyware app closes, this means the virus has blocked access to your app. You may either do a system scan online via Panda, or try running your antispyware in safemode.

Other Aliases from other anti virus companies

The following files were analyzed:

3766d83c6754d41c912c87b1f001fe2a1eea6747

• %APPDATA%\services.exe

• %TEMP%\e3c1c08557a0d0feee33b9c9d18b4e6c129b553f.exe

This Trojan will attempt to fiddle with your network conection, e.g hxxp://www.maxmind.com/app/***

How to remove Generic BackDoor!djf!5D41C80E​A0DA

Removal should be easy given the fact that you are able to follow directions

First thing to do is disconnect your network or internet. Now you will need to reboot your PC and enter safe mode, if you do not know how to enter safe mode, please search above for ” how to enter safe mode”

Now you will need to do a system scan using these apps below:

1. your favorite virus app, i suggest AVG or Microsoft security essentials
2. do a system scan using Malwarebytes
3. do a system scan using spybot
4. do a system scan using hijackthis

if the virus  is not letting you do these scans, you must :

1.Disable System Restore on Windows ME and windows XP only.
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.

This should remove the threat, this threat is a low security threat but never the less it should always be cleaned before using the world wide web.

go to start menu, then run, now type in MSCONFIG, go to startup tab and look for a long string of command that has random letters and sometimes numbers, disable that line and save.

Download Malwarebytes, update malwarebytes then do a full system scan. if any virus is found, it will delete it.

Now download spybot, do an update and a full scan, delete any melware or spyware it finds.

You surly must have a virus protection software, if not, download Microsoft Security Essentials, its free, update the app then a full scan.

These steps above should fix and delete the Trojan.win32.Generic.pak!cobra.Engine virus

Here are other virus trojans that are smiler to the one above and can be cleaned the same way.

Trojan.Win32.Generic!BT: Trojan
Trojan-Spy.Win32.Zbot.gen: Trojan
Exploit.PDF-JS.Gen (v): Exploit
Trojan.Win32.Generic!SB.0: Trojan
INF.Autorun (v): Trojan
Trojan.Win32.Hiloti.gen.d (v): Trojan
Trojan.Win32.Generic.pak!cobra: Trojan
Trojan.Win32.Adware: Adware (General)
MyWebSearch Toolbar: Potentially Unwanted Program
Trojan.Win32.Malware: Trojan

Attempts to connect to a high risk domain that may pose a security risk.  It also creates one or more shortcuts .LNK files to provide user accessible links to start a program usually form the desktop or start menu.

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\USE FORMSUGGEST = Yes

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CERTIFICATEREVOCATION = 0

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONBADCERTRECVING = 0

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONZONECROSSING = 0

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3\1601 = 0

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\STATE = 146944

• 188.229.88.***:80

• 46.161.11.***:80

• hxxp://searcham.org/*****

To remove this virus,

1.Disable System Restore Windows ME XP only.

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and  INI files for the purposes of hooking system startup, will be removed if cleaning with the recommended engine and DAT combination or higher.

McAfee Detection FakeAlert-SecurityTool.bt

System Changes
Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following registry elements have been created:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\

The following registry elements have been changed:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\NEXTID = 8194
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\PO28273LJGGI28273 = %ALLUSERSPROFILE%\Application Data\pO28273LjGgI28273\pO28273LjGgI28273.exe

How to remove this Virus threat

1.Disable System Restore on Windows ME and windows XP only.
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.

This should remove the threat, this threat is a low security threat but never the less it should always be cleaned before using the world wide web.

avast Win32:Caxnet [Trj]
AVG (GriSoft) Rootkit-Pakes.BG (Trojan horse)
avira TR/Koutodoor.psa
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Koutodoor.18
clamav Trojan.Dropper-27717
Dr.Web Trojan.MulDrop.origin
F-Prot W32/Koutodoor.N.gen!Eldorado
FortiNet W32/Koutodoor.KWD!tr.bdr
Microsoft Trojan:Win32/Koutodoor.E
Symantec Trojan.Koutodoor
Eset Win32/Koutodoor.HM trojan (variant)
norman W32/Suspicious_Gen2.LZIQS (trojan)
panda Trj/Genetic.gen
rising Trojan.Win32.Generic.1282E422
Sophos Troj/Kouto-D
Trend Micro TROJ_DLOADR.SMOM
vba32 Trojan.Downloader.gen.h (suspected)

The following files have been added to the system:
%WINDIR%\SYSTEM32\szccw.dll
%TEMP%\nsd12.tmp
%PROGRAMFILES%\Microsoft\ie13\Internat Explorer\target.lnk
%ALLUSERSPROFILE%\Desktop\Internat Explorer.jgp
%WINDIR%\SYSTEM32\drivers\fmsde.sys
%PROGRAMFILES%\Microsoft\ie13\Internat Explorer\Desktop.ini
The following files were temporarily written to disk then later removed:
%TEMP%\hmufctw.bat
%TEMP%\nsq13.tmp
%TEMP%\ygnpyvce.bat
%TEMP%\nsi11.tmp
%WINDIR%\SYSTEM32\mhzscp.bat
%TEMP%\faxjdr.exe
%TEMP%\tmp.bat
%TEMP%\yxcdiz.exe
%TEMP%\nsq13.tmp\System.dll
%TEMP%\wcyolgo.bat
%TEMP%\ftrnkqxw.bat

This is a Trojan detection Unlike viruses Trojans do not self replicate they are spread manually under the premise that they are beneficial. The most common installation methods involve system security exploitation unsuspecting users manually executing unknown programs. Distribution channels include email malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks and what have you.

After the attacker has finished configuring the software and setting the monitoring period, Android/Actrack.B spyware will run in the background of your phone and will start to send your GPS location information to their server controlled by the vendor. So be careful not to be a victim of this latest spyware.

These bots have  injected “badware” i like to call it, into your server, which gives them a backdoor entrance to your server, changing password might slow the bots down from cracking the code, but over all you must clean your server and files. Download a free FTP application, a good one is Filezilla, you can get it here  http://filezilla-project.org/download.php
make sure you check your main config files where your database info is, and make sure permissions are 744
Now  download all of your files on the server to your hard drive, then scan them with your virus software. AVG or Microsoft Security Essentials are free virus apps and work great.

Once your entire server has been download to your hard drive, sort the files and folders by date. Now the dates that are the most recent are the files and folders that have been altered.
You might have to edit all the php files, most likely the files are index.php files and any other file that has a recent date. Edit these files with your favorite html editor and look for base64 codes, or any code that is within an iframe or a redirect code, these codes are always either on top of the source code or on the bottom right before ?>

They also plant the code in many files along with .js files, if you have more than one domain on your server, then be sure that they will plant more threats on your other domain files.

Once again,download your entire site to your PC, and do a virus scan locally on the files and make sure no virus files have been planted, then go through all your folders one by one checking the date, if date is new, then open the php file and look to see if there is a code.

These backdoor viruses are planted because plugins and wordperss  is not updated, make sure you update wordpress/joomla etc.  as soon as they come out with a new version. also update the plugins if needed, that is under the WP admin dashboard as well.

Once you are sure your files are clean and everything above has been done,  go to google webmaster tools www.google.com/webmasters/tools/
and click on threats and see if your site in there says infected, if so, you must send an email right through the tools section to google telling them your site is now clean, if not, google will block your sites from firefox and chrome saying its infected.

If all goes well, your site should be backup and indexed properly within a few weeks.

PS: if you do not care about your files or database, its easier to just delete all files in your server and reinstall your script and create a new database.

If  you load a browser such as firefox, chrome or internet explorer, and either the page you are searching for takes you to a completely different page results, or simply it redirects you to another website that is totally erelevant to what you were looking for in the first place, then you have whats called the google redirect spyware.

First step is to download Silent Runners which will show malicious files

Now please do the following

open your MalwareBytes AntiMalware Program
Click the Update Tab and search for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select “Perform Quick Scan”, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply.

What the Win32/Olmarik trojan does is it infects your PC by installing a nasty malware by falsified displaying security alerts and making the user install even more bugs. Once you click on  the alert, it will start downloading anti-spyware or anti-virus tools that are useless and will infect even more of  your file system structure and files in general. Take care of this trojan as soon as you can to prevent our PC from getting any worse.

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following registry elements have been created:

• HKEY_CURRENT_USER\SOFTWARE\ENIGMA PROTECTOR\

• HKEY_CURRENT_USER\SOFTWARE\ENIGMA PROTECTOR\29AEB4A0365755F6-B862CAE984EA4D0E\

• HKEY_CURRENT_USER\SOFTWARE\ENIGMA PROTECTOR\29AEB4A0365755F6-B862CAE984EA4D0E\02F01F553A112DCE-00C9DB38C18D5FD1\

• HKEY_CURRENT_USER\SOFTWARE\ENIGMADEVELOPERS\

The following files have been added to the system:

* %WINDIR%\SYSTEM32\svhest.dll

* %WINDIR%\SYSTEM32\svhest.exe

To remove Generic Trojan BackDoor!cyh!E437DACF​F88B Virus

Download Malwarebytes’ Anti-Malware if you do now have this free software, from  here and save it to your computer.

• Double click mbam-setup.exe and install
• At the end of the installation be sure a checkmark
  • Update Malwarebytes’ Anti-Malware
  • and Launch Malwarebytes’ Anti-Malware
  • do a full scan and allow your computer to fix your virus.
    

Open RootRepeal, click the Drivers tab and select Scan. Right click and select Wipe File on:

H8SRTmeyqxwbpxd.sys

Click the Files tab and select Scan. Right click and select Wipe File on any file that begins with the following:

H8SRT

Do the same for the Hidden Services tab.

Reboot your machine

Then let’s run RootRepeal again:

• Double click ROOTREPEAL to start the program
• Click on the Report tab at the bottom of the program window
• Click the SCAN button
• In the Select Scan dialog, check:

  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services
  • Shadow SSDT

• Click the OK button
• In the next dialog, select all drives showing
• Click OK to start the scan
  

  Note: The scan can take some time. DO NOT run any other programs while the scan is running

• When the scan is complete, click the SAVE REPORT button and save the report to your Desktop as RootRepeal.txt
• Go to File, then Exit to close the program

HOW DOES IT Stuxnet really WORK?

The virus is a malicious software or malware attacks widely used industrial control systems built by the German firm Siemens. Experts say the virus could be used for espionage or sabotage.

Siemens said that the malware is spread via infected USB memory devices thumb drive, exploiting a vulnerability in Microsoft operating system Windows that has been resolved.

The attacks malware software running Supervisory Control and Data Acquisition, or SCADA, systems. These systems are used to control automated installations – plant chemicals to food and energy generators.

Analysts said the attackers may have chosen to spread malicious software by the way of a memory unit because many SCADA systems are not connected to the Internet, but do not have USB ports.

Once the worm infects a system, it quickly communicates with a remote server computer can be used to steal proprietary corporate data or take control of the SCADA system, said Randy Abrams, ESET investigator, a private security company Stuxnet been studied.

1.Disable System Restore windows XP only, Win 7 will not work.

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan using AGG or Microsoft security or Kaspersky

Modifications made to the system Registry  files for the purposes of hooking system startup will be removed if cleaning with the recommended engine and DAT combination.

Update the definition and scan your computer, it will find any traces of Trojan.Zlob.P now delete and you should be good to go.

The following files were analyzed:

urdvxc.exe
The following files have been added to the system:

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bzqlkhrh.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\vkjljzrn.exe

* %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\bin\1033\ebsjlbhn.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bhrhnkht.exe

* %PROGRAMFILES%\Adobe\Reader 9.0\rrtkrbtl.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\elwtjnbj.exe

* %TEMP%\0A5A6FE619B07BBAFB1F9C1B5F798F7DF96745D9

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bnbtzwxt.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bcwvzwbh.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\ehbebsrn.exe

* %PROGRAMFILES%\msn\msncorefiles\tlbhnrlv.exe

* %PROGRAMFILES%\Microsoft Office\OFFICE11\rsrrhtck.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\nsqjttkv.exe

* %PROGRAMFILES%\netmeeting\rsewzjqn.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\qjllsjhl.exe

* %COMMONPROGRAMFILES%\system\ado\tsektjkj.exe

* %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\bin\brbvhsvx.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\brvrjrke.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\njbsvtll.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\tlcwjrwt.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\czjevcet.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\xrljqjzn.exe

* %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\bin\tjnwrhns.exe

How to remove this virus.

1.Disable System Restore (Windows ME/XP only).

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

1.Disable System Restore (Windows ME/XP only).

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

So for those of you who always want to install beta software from another company rather then the company who created the app in the first place, then this is what you get. I installed Google Chrome version 10.0.628.0 which is a beta version published by a third party company and after using it for a few weeks, i then did a spybot scan and found out that this version of chrome is not good at all. It found the following tracking cookies which can harm ones comptuer.

Win32.PornPopUp: Tracking cookie (Chrome: Chrome)
MediaPlex: Tracking cookie (Chrome: Chrome)
Adbrit: Tracking cookie (Chrome: Chrome)
DoubleCLick: Tracking cookie (Chrome: Chrome) doubleclick.net

so if you are using a beta version of chrome, uninstall it asap and install the real version from google. Click here to download google chrome

some of the path values that have been replaced with environment variables as the location may vary with different configurations for example.

%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were scanned:

urdvxc.exe

REMOVAL

Although this is a low threat virus, the removal of W32/RAHack Worm/Allaple.A Virus  can be a pest but i have found that COMBFIX will remove this threat from your PC. Simply download CombFix by clicking here, save it to your desktop, double click and and press next a few times and let the program scan your PC and clean it. Very simple really, might take some time and make sure you close all browsers and applications before you run CombFix.

Or you may just use MelwareBytes to remove the W32/RAHack virus. I would scan with both apps just to make sure. Good luck

CoolWebSearch or short for CWS is a pretty harsh hijacker which attacks firefox or chrome and even internet explorer browsers. One thing to take note is that if this threat is not stopped, it will keep growing like a nasty virus as its knowing coolwebsearch keeps coming up with a newer threat every week. This Malware goes adn alters your homepage on your browser and or might redirect your homepage or any other website y ou visit to another website that might contain a virus or malware. The good news is, its pretty easy to remove this virus.

To remove this nasty browser hijacker malware, simply download Malwarebytes Anti Malware by clicking here and save it to your desktop. Run and install the free application. Now run Malwarebytes and make sure you update the program first before you scan your PC. Scan your PC now and it will remove CoolWebSearch.olehelp Malware and your PC will be save once again.

I was able to capture this W32.SillyFDC.BDO worm on my test machine and run a few tests to see which software did the best cleaning and its safe to say Spy Sweeper by Webroot was the winner.
Webroot AntiVirus 2010 with Spy Sweeper is one of the best apps that will protect your PC from virus threats,  spyware, adware, worms and Trojans malware. One great thing i found about spy sweeper is that it protects your PC real time without bottle necking or slowing down your net speed or even your PC’s resources. Unlike Norton which really takes away a good portion of your memory and hogs your system resources.

W32.SillyFDC.BDO worm
When executed this worm copies itself as the following files:

• %SystemDrive%\services.exe
• %Windir%\services.exe

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”ServiceControlApp” = “%SystemDrive%\services.exe”

The worm also modifies the following registry entries:

• HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “0″
• HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”HideFileExt” = “1″

To clean this threat, simply run Webroot Spy Sweeper

Clean this threat manually:

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

Stop the Fake Microsoft Security Essentials Alert Trojan processes below by pressing CTRL + Alt + Delete:

antispy.exe
defender.exe
tmp.exe
hotfix.exe

Remove these Fake Microsoft Security Essentials Alert Trojan Registry Entries:
Click start menu and type “regedit”

HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = “0?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnPostRedirect” = “0?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “tmp”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “SelfdelNT”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%UserProfile%\Application Data\antispy.exe”
Remove these Fake Microsoft Security Essentials Alert Trojan files:
%UserProfile%\Application Data\PAV\
%UserProfile%\Application Data\antispy.exe
%UserProfile%\Application Data\defender.exe
%UserProfile%\Application Data\tmp.exe
%UserProfile%\Application Data\hotfix.exe
%UserProfile%\Local Settings\Temp\[random characters].bat

For Vista/7:
%UserProfile%\AppData\Local\antispy.exe
%UserProfile%\AppData\Local\defender.exe
%UserProfile%\AppData\Local\tmp.exe
%UserProfile%\AppData\Local\hotfix.exe

C:\END
It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites, other Fake Microsoft Security Essentials Alert Trojan infected files and get help in Fake Microsoft Security Essentials Alert Trojan removal by using free Malwarebytes.

The applications attempted the following network connections.

77.55.21.***:80
95.211.21.***:82
95.211.21.***:80
72.233.89.***:80
hxxp://95.211.21.184:89/*****
194.71.107.**:80
95.211.21.***:89
209.190.24.**:80
95.211.21.***:85

Indication of Infection

This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

Security experts advise the use of legitimate anti malware applications such as MalwareBytes or SpyBot to clean your PC.

Unlike viruses, trojans do not self replicate. They are handwritten, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer, etc.

Indication of Infection

• • Presence of above mentioned files and registry keys.
  • Presence of above mentioned activities.
  • It connects to the the following sites and downloads malicious files
    • [removed]eaarc.com/down/update10h.rar
    • [removed]eaard.com/down/hou.rar
    • [removed]eaarb.com/down/hou.rar

File Information –

MD5 – 05f964429ecfe93cfee5f03a4ab92f5b
SHA1 – 8c801922f21423f7062fd638cea0072e6c23d5dc

Aliases –

Kaspersky  – Trojan-Downloader.Win32.Agent.fdt
Microsoft – TrojanDownloader:Win32/Agent.ZAL
NOD32 – Win32/Mefir.AA
Symantec – Downloader

Characteristics -

“Generic Downloader.g” is a trojan detection which downloads files from the site “korea[removed].com” and executes on the user machine.

Upon execution, the Trojan copies a file into the following locations

• • %Windir%\system32\notepod.exe

And drops the following files

• • %Windir%\system32\odbcwyp32.dll [Detected as Generic.Downloader.g]
  • %Windir%\system32\disk.ico
  • %Windir%\config\systemprofile\Cookies\system@koreaard[1].txt
  • %Windir%\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8WEL7ODI\hou[1].htm

The following registry keys have been added

• • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell\open
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell\open\command
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Enum

The following registry values have been added

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell\open\command]
= “”%Windir%\system32%\notepod.exe” “%1″”

The above registry entry confirms that, the Trojan changes the file  notepad.exe into notepod.exe.
When ever user tries to open any notepad application, the trojan will executes immediately.

• • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RSVP\0000\Control]
    NewlyCreated = 0×00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RSVP\0000]
    Service = “RSVP”
    Legacy = 0×00000001
    ConfigFlags = 0×00000000
    Class = “LegacyDriver”
    ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
    DeviceDesc = “QoS RSVP”
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RSVP]
    NextInstance = 0×00000001
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    ProxyEnable = 0×00000000

The following registry Values have been modified

• • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\]
    = 0x0000000D
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\]
    Start = 0×00000002
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\]
    ErrorControl = 0×00000000

The following file has been modified

• • %Windir%\system32\rsvp.exe

The following folders have been added

• • %Windir%\Web\webdc
  • %Windir%\Web\webhp
  • %Windir%\Web\webpf
  • %Windir%\Web\webpt
  • %Windir%\Web\webxs

[Note : %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)]

This symptoms of this detection are the files registry and network communication referenced in the characteristics section.

Methods of Infection
Viruses are self replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Characteristics -

This Virus has been seen in large spam runs with the subject line: “Here you have”.

When executed, the following files are dropped:

* %WINDIR%\system\Administrator CV 2010.exe
* %WINDIR%\system\updates.exe
* %WINDIR%\Administrator CV 2010.exe
* %WINDIR%\autorun.inf
* %WINDIR%\autorun2.inf
* %WINDIR%\csrss.exe
* %WINDIR%\vb.vbs
* %DIR%\Administrator CV 2010.exe
* %WINDIR%\tryme1.exe
* %WINDIR%\im.exe
* %WINDIR%\csrss.exe
* %WINDIR%\vb.vbs
* %TEMP%\~DF1DC7.tmp
* %WINDIR%\ie.exe
* %WINDIR%\rd.exe
* %WINDIR%\re.exe
* %WINDIR%\system\updates.exe
* %WINDIR%\SYSTEM32\SendEmail.dll
* %WINDIR%\gc.exe
* %WINDIR%\hst.iq
* %WINDIR%\ff.exe
* %WINDIR%\op.exe
* %WINDIR%\pspv.exe
* %WINDIR%\re.iq
* %WINDIR%\ff.dlm
* %APPDATA%\addons.dat

Where %WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)

The following files were temporarily written to disk then later removed:

* %WINDIR%\ff.iq
* %WINDIR%\ie.iq
* %WINDIR%\SendEmail.iq
* %WINDIR%\w.iq
* %WINDIR%\m.iq
* %WINDIR%\gc.iq
* %WINDIR%\SYSTEM32\drivers\etc\hosts
* %WINDIR%\pspv.iq
* %WINDIR%\w.exe
* %WINDIR%\tryme.iq
* %WINDIR%\im.iq
* %WINDIR%\rd.iq
* %TEMP%\~DFAFA.tmp
* %WINDIR%\m.exe
* %WINDIR%\SendEmail.dll
* %WINDIR%\b.bat
* %WINDIR%\op.iq

The following file was modified:

* %WINDIR%\SYSTEM32\wbem\logs\wbemprox.log

The malware has been known to randomly delete certain existing executables and replaces the current host file.

Registry changes are made like the ones below to prevent certain system tools from running. This is a subset of the complete changes :

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0w.com
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6x8be16.cmd
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adobe Gamma Loader.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\angry.bat
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtIaRP.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtS.ExE
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu-0607g.xml
* HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\SETTINGS\

The following registry element was modified:

* HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1

The following registry key was added to get past the outlook security message prompt

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security\ObjectModelGuard = 0×00000002

Connections to the following resources are attempted:

* hxxp://members.multimania.co.uk/yahoophoto/*****
* 213.131.252.***:80

This virus will search and ternminate processes and services belonging to various security products. It searches for the following strings of any running process or service:

* ‘wscsvc’
* ‘MpsSvc’
* ‘WinDefend’
* ‘wuauserv’
* ‘AntiVirWebService’
* ‘McNaiAnn’
* ‘Avast! Antivirus’
* ‘aswUpdSv’
* ‘avast! Mail Scanner’
* ‘avast! Web Scanner’
* ‘AntiVirService’
* ‘AntiVirMailGuard’
* ‘AntiVirSchedulerService’
* ‘McShield’
* ‘AntiVirFirewallService’
* ‘mfefire’
* ‘McNASvc’
* ‘Mc0obeSv’
* ‘McMPFSvc’
* ‘McProxy’
* ‘Mc0DS’
* ‘mcmscsvc’
* ‘McAfee SiteAdvisor Service’
* ‘mfevtp’
* ‘Avgfws9′
* ‘AVG Security Toolbar Service’
* ‘avg9wd’
* ‘AVGIDSAgent’
* PAVFNSVR’
* ‘Gwmsrv’
* ‘PSHost’
* ‘PSIMSVC’
* ‘PAVSRV’
* ‘PavPrSrv’
* ‘PskSvcRetail’
* ‘Panda Software Controller’
* ‘TPSrv’
* SfCtlCom’
* ‘TmProxy’
* ‘TMBMServer’
* Arrakis3′
* ‘LIVESRV’
* ‘scan’
* ‘VSSERV’
* sdAuxService’
* ‘sdCoreService’
* ‘AVP’
* rescue32
* vzkrnl
* hcomm
* hrule
* cll
* hum
* iffs
* fssync
* msvcm80
* msvcp80
* msvcr80
* mzvkb
* com
* rescuec
* rvins32
* vemu
* curi
* vgcc
* msvr
* vgserv
* vgcc32
* sSvc
* meworkService
* Mgr
* erUI
* shs
* skMgr
* 360rp
* 360s
* febo
* 360
* rSwp
* oRun
* oRunKiller
* vMoni
* CCen
* meworkservice
* GFUp
* IceSwor
* rmor
* v32
* VPFW
* kissvc
* ilmon
* KPfwSvc
* KRegE
* KVSrv
* KVWSC
* Mmsk
* psvc
* PFW
* vservice
* rfwm
* rfwPro
* rfwsrv
* Rfws
* SREngL
* oruns
* orunsc
* reg
* ini
* bin
* 8be16
* 00hoe
* 6fnlpe
* lky
* m2nl
* rcuk
* whi
* msiz
* wscn
* 32krn
* 32kui
* swBoo
* isp
* shServ
* Vis
* shWebSv
* shM
* iSv
* shLogV
* swRegSvr
* shSkPcc
* swUp
* shQuick
* shEnhc
* shPopWz
* sche
* shUp
* vgine
* vgrssvc
* vgsc
* vgupsvc
* vgemc
* vgw
* svc
* vgrs
* vgn
* vno
* ify
* vsc
* vgu
* vcen
* min
* licmgr
* ekrn
* vconfig
* ilc
* gui
* preup
* wsc
* ool
* gen
* subwiz
* Survey
* seccen
* uisc
* vsserv
* IEShow
* unins
* iss
* licreg
* VCm
* VRep
* fIns
* VRi
* Msg
* VServer
* FPro
* fpsc
* yproc
* FPWin
* fssf
* llC
* user
* ump
* mcregwiz
* mcup
* mgr
* ppins
* mcinfo
* mgh
* mcmnh
* mcinsup
* McShiel
* mcvsm
* McVSEscn
* mcvsf
* scln
* vfin
* VP32
* VPCC
* VPM
* PW32
* VW32
* ICLO
* ICMON
* ICSUPP95
* ICSUPPN
* mserv
* FRW
* ckice
* zone
* vsmon
* WrC
* cle
* ner3
* ner
* MooLive
* lock
* own2000
* Sphin
* VSHWIN32
* VSECOMR
* WEBSC
* VCONSOL
* VSS
* 2free
* 2service
* 2up
* 2cm
* vEmSrv
* vmr
* vMU
* VSCons
* vse
* vSn
* vSub
* VSubmi
* vUM
* vUserUp
* vvl
* CEmRep
* Ins
* Lsp
* ccessIns
* ller
* unp_
* UPS
* ker
* UUp
* F5Serv
* FrzS
* e2k
* obe G
* Lo
* WIN
* vcim
* VENGINE
* PSHos
* vFnSvr
* VSRV51
* PsC
* rlS
* PsImSvc
* PSC
* pskmssvc
* vRepor
* vsche
* PSrv
* WEBPRO

This spy software can be downloaded from certain remote sites.

Check if the following applications are installed on the affected system to steal login credentials:

* Ftpcommander
* SmartFTP
* Steam (an online gaming platform)

It also oversees the relevant users’ browsing habits to steal sensitive information.

Save the information gathered in a text file using the file name () Name of the team. Txt and upload to a specific Web site.

Stopzilla says to use their app to remove this threat, but you can simply use http://www.malwarebytes.org to remove this threat. Make sure you first download this app, update it, disconnect your PC from the internet, then run malwarebytes.

In AV Comparative’s most recent report on malware removal, Microsoft Security Essentials was the only free antivirus app rated TOP in comparison to  Norton, Kaspersky, Mcafee.  Microsoft Security Essentials also beat out technician favorite ESET which managed only an Advanced rating.

So not only has Microsoft Security Essentials beaten free competitors like AVG, Avira, and Avast, it also posted test scores equal to or better than a dozen anti-virus programs you’d have to pay for and that includes the heavy bottle necking Norton and Mcafee which slow down your PC in a big way.

So if you are in it to win it, i suggest you grab yourself a cup of coffee,  go to Microsoft.com and downlaod Microsoft Security Essentials, it will sure put a smile on your face.

Description

A vulnerability exists in Microsoft Internet Explorer that could allow remote code execution. The vulnerability is in the way Internet Explorer accesses an object that has not been correctly initialized or deleted. The vulnerability can be exploited by creating a specially crafted Web page. When the Web page is viewed, the vulnerability could allow remote code execution.

Recommendations -

The vendor has released an update to address this issue http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx

Folder Size for Windows is a free addon for Windows XP/Vista that adds a new column to the Windows Explorer details view to displays the sizes of files and folders.

Download Folder Size in Windows

PopupMaster places the popup blocker icon in the status bar, regardless of site settings. PopupMaster contains no functionality to block popups. It simply forces Firefox to always show the popup-blocker icon in the status bar. Great little app written by yellow5.us

Click here to download and install the PopupMaster 1.2.4 Firefox Popup Blocker addon

Here is a simple way to fix this solution.

Download the Windows Installer CleanUp Utility

http://support.microsoft.com/default…b;en-us;290301

Run the CleanUp utility and look for any string that has quicktime as a title.
Select the entries and click remove and exit out of the program.

You should now be able to reinstall quick time or itunes.

If this does not work, remove windows live photo gallery from your PC and the problem should be fixed.

Another thing you might want to try is to uninstall quicktime and reinstall quick time, this might work for some people.

This bug seems to only occur on windows 7 64x opertating systems only and i assume this bug will be fixed on the next windows service pack.

These can be followed up by double-clicking them, then clicking Event Log Online at the bottom. In XP and Vista, Microsoft’s Process Explorer is a boon. I haven‘t tried it in Win7 but I see no reason why it shouldn‘t work.

One other thing that can be done is disabled CTxfihlp.exe in msconfig, that should also fix the issue.

Upon execution, certain scareware releases will not only prevent legitimate security software from loading, but it will also prevent it from reaching its update locations in an attempt to ensure that the end user will not be able to get the latest signatures database. Moreover, it will also attempt to make its removal a time-consuming process by blocking system tools and third party applications from executing.

Here is a list of scareware sites below:

• antivirus-live-pro.org (Antivirus Pro Scareware)
• internetantivirusplus.com (Fake Antivirus)
• mybestantivirusplus.com
• securesoftwarebill.com (Rogue System Security Antivirus)
• yourantimalware.com
• totalsurfguard.com
• systemsecuritysupport.com
• stabilitysuite.com
• powersystemstability.com
• onlinecentersupport.net
• identitysecuritysuite.com
• etotalsecurity.com
• defenseinteractive.com
• defenseinteractive.com
• antispyinteractive.com
• antispyavailable.com
• protectionsystem.org(Like Antivirus Pro Scareware)
• realbestantivirusplus.com

Remember these sites are active and are scaring people into buying or installing there product, you should not go to these sites.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select “Perform Quick Scan“, then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Next step would be to download OTL.  Click here to download OTL

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Under the Standard Registry box change it to All.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

SONAR.ProcessHijack.2 is a heuristic detection that is designed to detect new malware based on how it launches new processes. Malware will commonly launch and hijack trusted Windows processes like svchost.exe in order to perform malicious actions.

Antivirus Protection Dates

• Initial Rapid Release version pending
• Latest Rapid Release version pending
• Initial Daily Certified version pending
• Latest Daily Certified version May 4, 2010 revision 048
• Initial Weekly Certified release date pending

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 – 49
• Number of Sites: 0 – 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

W32.Palevo.B is a worm that spreads through instant messaging clients.

Antivirus Protection Dates

• Initial Rapid Release version May 4, 2010 revision 009
• Latest Rapid Release version May 4, 2010 revision 020
• Initial Daily Certified version May 4, 2010 revision 048
• Latest Daily Certified version May 4, 2010 revision 048
• Initial Weekly Certified release date May 5, 2010

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 – 49
• Number of Sites: 0 – 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Payload: Spreads through instant messaging programs.

Distribution

• Distribution Level: Medium

A remote code execution vulnerability exists in some versions of Microsoft Internet Explorer. The flaw can occur during processing of objects that have not been properly initialized or have been deleted. An attacker may exploit this flaw via a specially-crafted web page. Successful exploitation may result in remote code execution.

Recommendations -

The vendor has released an update to address this issue: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx