Wademan

I have The Kama Sutra WorM


Back up the things you want to keep Wademan. If you've been hit, it's gonna get worse before it gets better. This is a sleeping worm and if like those before when the trigger is pulled, it will destroy only enough to own your rig.

 

The hardware firewall will prevent external to internal contact, but will allow sessions from internal to external while the inquiry is in progress.

 

I honestly hate to say it, but it could account for the multiple problems that you've been so painstakingly fighting.

 

Going through this thread, knowing your history, HijackThis logs and the utilities that you have at hand, I, personally, would flush and start clean.

 

I do not recommend a format and re-installation often, but if it were me, I'd be downloading updates for my new installation by now.

 

JMHO

:)Y

 

Y....dang...well i will wait a bit...for that...TY tho...i think there is just a glitch...cuz i called Norton, an paid them to answer, 2 techs said...all online scans could be glitch from worm, on ya dsl servers..of people overreacting, an mass scanning.....so I'll wait a day or so...my history, an hjt logs huh?.....ya prolly think i am nuts..oh well... :blink: EDIT have now software firewall on as well...working now Edited by Wademan


Y....dang...well i will wait a bit...for that...TY tho...i think there is just a glitch...cuz i called Norton, an paid them to answer, 2 techs said...all online scans could be glitch from worm, on ya dsl servers..of people overreacting, an mass scanning.....so I'll wait a day or so...my history, an hjt logs huh?.....ya prolly think i am nuts..oh well... :blink: EDIT have now software firewall on as well...working now

 

well Just woke up an pc runs just fine, Eztrust av is on in real time, but haven't ran anymore online av scanners since last night's BitDefender, which worked flawlessly, even tho it took like 80 mins, kinda like Kaspersky's take forever, anyways if i had that worm my pc shouldn't even boot up by now 3 tech support guys said. so i dunno..all started with the dang Eztrust updating servers an messing up millions of users as Jaycee also confirms in THIS Thread, so least i know I am not insane, ty jaycee. I'll run scans later, but today is my dumb birthday, the 4th, an friends want to Take Me out for a steak dinner an take me out afterwards...for god knows what :blink: ...lol...so could be like 12 hours or even tomorrow before i update my thread...thanks to all who helped thus far.. ;) Edited by Wademan


:sparkle:Happy Birthday Wademan... :sparkle:

If things appear normal.........take comfort in that and enjoy your day.

If something is wrong it will show its face......Take the day off and leave the computer behind.

Doesn't steak dinner sound better? :sparkle:


:sparkle:Happy Birthday Wademan... :sparkle:

If things appear normal.........take comfort in that and enjoy your day.

If something is wrong it will show its face......Take the day off and leave the computer behind.

Doesn't steak dinner sound better? :sparkle:

 

Juliet...I so Appreciate that thank you...an I will try an enjoy this day...only comes once a year ya know.. :rolleyes:


Turn off system restore, then turn it back on. Go here and look toward the bottom, it'll tell you to turn it off.

http://securityresponse.symantec.com/[email protected]

 

I ran that tool a few times.

 

What I've heard is that the updates for the AV will show a way outdated date and that you can get it also from it spreading through a network (even if you never had the email described). I don't know how true both statements are.

 

Happy Birthday, Wademan. :)


Just a random question... Would changing your system clock change the day this virus arises from its dormant state?


Hiya wademan :birthday: Hope you have a great day....... :banana::banana2:

Edited by pacman123


Just a random question... Would changing your system clock change the day this virus arises from its dormant state?

That's the same thing I was thinking. I think so, because I heard that people with the worm that had incorrect clock settings had already been affected by the worm before the real February 3rd.

 

Happy B'day Wademan! :banana::mrgreen:

 

with regards

Edited by Champion_Munch


 

That's the same thing I was thinking. I think so, because I heard that people with the worm that had incorrect clock settings had already been affected by the worm before the real February 3rd.

 

Happy B'day Wademan! :banana::mrgreen:

 

with regards

 

 

You found people with incorrect clock settings? How did you manage to do that?! I'd think it's a rarity to find a user with a messed up windows clock (unless they miscalculated their time zone when they install windows).

 

Oh yeah, :birthday: Wademan!


I hadn't personally found people with incorrect clock settings, just heard about it. Dodgy or old CMOS batteries can really screw up the time. :)

 

Here's an article about it (you'll have to scroll down a bit): http://www.f-secure.com/weblog/#00000797

 

Tuesday, January 31, 2006

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.

with regards


happy birthday wademan :beer: :beer:

 

Thank you everyone for Happy Birthday wishes!!! It was a good night...Ate Whole rack of Lamb, 2 pounds crab legs, stuffed baked potato, an french onion soup!!...then went out till late..so TY all ;) ....as for my pc, all is running fine...STILL can't run any online AV except BitDefender, Housecall Is way messed up, an panda gives wild error about active x, norton does the same...yet all my scans on pc, Ewido, a2, spybot, adaware, ms anti-spy, and my Av Eztrust, all scan an come up ZERO, all clean. At a total loss as why the online scanners don't work, except BitDefender..still think its "possible" i got bad download of the new update for mvps host file, because that was when online scanners stopped working...i know it would be rare, but what else could it be...If i had worm, PC would be huge mess by now, ..Eztrust AV DID mess up millions of users by trying to block worm as i state in this thread already. maybe very odd coincidence?.. :unsure: I'm glad their tech support waived $50 fee for live help :blink: ...so STILL trying to figure this mess out....TY all... ;) Edited by Wademan


Hiya wademan any chance you could do a system restore to before you downloaded your mvps host file...

 

just a thought ...........

 

glad you had a good day..


Hiya wademan any chance you could do a system restore to before you downloaded your mvps host file...

 

just a thought ...........

 

glad you had a good day..

 

Hey Pacman...tried that man..even went back 6 weeks before, tried 3 other restore points, didn't change mvps host file at all...its stuck at Jan 29th update..now tho system restore was turned off so i could av scan there, an now back on, so all restore points gone...except, of course new one, when i re-enabled sys restore....wonder if i just try an remove host file completely ..an see if online scans work.. :blink: ...


I wouldn't remove the entire HOSTS file (besides I don't think you can anyway), but if you use MVPS HOSTS they should create a backup of the original HOSTS file before they added their own entries. :)

 

with regards

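One way to test the HOSTS-file theory raised in the posts above without deleting the file, as an added example that is not part of the original thread: parse the active entries and report how each hostname of interest is mapped. The hostnames and the sample file content are constructed placeholders; on a real machine you would pass in the text of your own HOSTS file and the scanner hostnames you cannot reach.

```python
import ipaddress

# Constructed HOSTS content; every hostname is a placeholder, not a real scanner site.
SAMPLE_HOSTS = """\
# blocklist-style HOSTS file (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.tracker.example      # ad server
0.0.0.0         Scan.Vendor-A.example scan2.vendor-a.example
192.0.2.10      update.vendor-b.example
# 127.0.0.1     scan.vendor-c.example    (commented out, so not active)
not-an-ip       scan.vendor-d.example
"""


def parse_hosts(text):
    """Return {hostname: address} for every active, well-formed entry."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address field: skip the line
        for name in fields[1:]:                # one address may carry several names
            # Keep the first mapping seen (assumption about resolver precedence).
            mapping.setdefault(name.lower(), addr)
    return mapping


def check_hosts(text, wanted):
    """Classify each wanted hostname: not listed, blocked, or redirected."""
    mapping = parse_hosts(text)
    result = {}
    for host in wanted:
        addr = mapping.get(host.lower())       # hostnames are case-insensitive
        if addr is None:
            result[host] = "not listed"
        elif addr.is_loopback or addr.is_unspecified:
            result[host] = "blocked"           # 127.0.0.1 / 0.0.0.0 style sinkhole
        else:
            result[host] = f"redirected to {addr}"
    return result


if __name__ == "__main__":
    names = ["scan.vendor-a.example", "update.vendor-b.example",
             "scan.vendor-c.example", "scan.vendor-d.example"]
    for host, status in check_hosts(SAMPLE_HOSTS, names).items():
        print(f"{host:28} {status}")
```

A hostname reported as "blocked" or "redirected" would explain a scanner page failing to load; "not listed" for all of them points away from the HOSTS file.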

I wouldn't remove the entire HOSTS file (besides I don't think you can anyway), but if you use MVPS HOSTS they should create a backup of the original HOSTS file before they added their own entries. :)

 

with regards

 

Ty cm i guess i could use hoster an restore it to original host file, ever use it for that?.....

Update on this thread: McAfee online scanner works too, as well as BitDefender, an pcpitstops av online...STILL tho, housecall, Panda, Nortons, won't run at all, very strange.... :blink:


There is a removal tool if you actually have it. Here's the link:

http://castlecops.com/article6500.html

 

Happy late Birthday, btw :mrgreen:

 

TY Jaycee for the bday wishes an the link :) BTW i ran Kaspersky online an it finds this>> C:\Program File...Trace\NTXconfig.exe what in hell is this?....after googling for an hour says its a worm/virus,...i do have a file NTXconfig.exe any one know what in hell is this?? maybe THIS IS my problem,?... :blink: Symantec says>> http://securityresponse.symantec.com/avcen...door.xeory.html McAfee says>> http://us.mcafee.com/virusInfo/default.asp...&virus_k=100605 and trend micro says>> http://www.trendmicro.com/vinfo/virusencyc..._CHOD.H&VSect=T what should i do guys??...dang maybe i do have a worm... :mrsgreen: Edited by Wademan


Let's take a closer look inside your system with this tool:

 

MicroWorld - Free AntiVirus standalone scanner

 

Make a folder called c:\bases

 

Download mwav.exe http://www.mwti.net/antivirus/free_utilities.asp

to that new folder.

 

Run mwav.exe, which will start mwavscan.com

 

Select 'all files', press 'scan', and when it is completed 'view log'

 

Since the log is so large, we only need to see the lines with "action taken" in them, so copy/paste those into the reply.

 

***Don't post sections if they are in antimalware backups folders.

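The log-trimming step asked for in the post above (keep only the "action taken" lines, leave out anything under anti-malware backup folders) can be scripted; the following is an added example, not part of the original thread or of the scanner. The sample log is constructed in the "timestamp => message" layout of the lines quoted in this thread, the ExampleCleaner path is made up, and treating "quarantine" as a backup-folder hint is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample in the "<timestamp> => <message>" layout of the log lines
# quoted in this thread. The ExampleCleaner backup path is made up.
SAMPLE_LOG = r'''
Tue Feb 07 10:19:41 2006 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.
Tue Feb 07 10:19:41 2006 => System found infected with searchexe Spyware/Adware ({807553e5-5146-11d5-a672-00b0d022e945})! Action taken: No Action Taken.
Tue Feb 07 10:19:41 2006 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.
Tue Feb 07 10:19:45 2006 => Offending Folder found: C:\WINDOWS\DOWNLO~1\conflict.1
Tue Feb 07 10:19:45 2006 => Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Feb 07 10:21:03 2006 => File C:\Program Files\ExampleCleaner\Backups\old.ex_ infected by "Example.Sample" Virus! Action Taken: No Action Taken.
Tue Feb 07 10:25:42 2006 => Total Objects Scanned: 17430
'''

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) => (?P<msg>.*)$")
# The log writes both "Action taken:" and "Action Taken:", so match case-insensitively.
ACTION_RE = re.compile(r"action\s+taken\s*:\s*(?P<action>[^.!]*)", re.IGNORECASE)
# Substrings that mark a scanner's own backup/quarantine store ("quarantine" is an assumption).
BACKUP_HINTS = ("backup", "quarantine")


def filter_findings(log_text, skip_hints=BACKUP_HINTS):
    """Return unique 'action taken' findings, in first-seen order, with counts."""
    findings = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or non-log line
        msg = m.group("msg")
        action = ACTION_RE.search(msg)
        if not action:
            continue                      # totals, folder notices, etc.
        if any(hint in msg.lower() for hint in skip_hints):
            continue                      # already-neutralised backup copies
        entry = findings.setdefault(msg, {
            "first_seen": m.group("ts"),
            "action": action.group("action").strip(),
            "count": 0,
        })
        entry["count"] += 1               # the log repeats some detections
    return findings


def report(findings):
    """Format the findings as short lines suitable for pasting into a reply."""
    return [f"{info['count']}x  {msg}" for msg, info in findings.items()]


if __name__ == "__main__":
    print("\n".join(report(filter_findings(SAMPLE_LOG))))
```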

Let's take a closer look inside your system with this tool:

 

MicroWorld - Free AntiVirus standalone scanner

 

Make a folder called c:\bases

 

Download mwav.exe http://www.mwti.net/antivirus/free_utilities.asp

to that new folder.

 

Run mwav.exe, which will start mwavscan.com

 

Select 'all files', press 'scan', and when it is completed 'view log'

 

Since the log is so large, we only need to see the lines with "action taken" in them, so copy/paste those into the reply.

 

***Don't post sections if they are in antimalware backups folders.

 

OMG Jaycee! this found some real nasties.... :mrsgreen: >>>

ue Feb 07 10:19:41 2006 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.

Tue Feb 07 10:19:41 2006 => System found infected with searchexe Spyware/Adware ({807553e5-5146-11d5-a672-00b0d022e945})! Action taken: No Action Taken.

Tue Feb 07 10:19:41 2006 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.

Tue Feb 07 10:19:45 2006 => Offending Folder found: C:\WINDOWS\DOWNLO~1\conflict.1

Tue Feb 07 10:19:45 2006 => Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.

I see ya said post ones with "action taken" but scanner says no action unless i PAY/buy this product I hope i did this right...it DID find 2 email flooders... which could be these odd emails i get like once a week, an spyagent trojan as ya can see above what should i do now!!!!????? :blink: here is last of log>>

Feb 07 10:25:42 2006 => Total Objects Scanned: 17430

Tue Feb 07 10:25:42 2006 => Total Critical Objects: 5

Tue Feb 07 10:25:42 2006 => Total Disinfected Objects: 0

Tue Feb 07 10:25:42 2006 => Total Objects Renamed: 0

Tue Feb 07 10:25:42 2006 => Total Deleted Objects: 0

Tue Feb 07 10:25:42 2006 => Total Errors: 2

Tue Feb 07 10:25:42 2006 => Time Elapsed: 00:08:57

Tue Feb 07 10:25:42 2006 => Virus Database Date: 2/3/2006

Tue Feb 07 10:25:42 2006 => Virus Database Count: 174583

Ohmygoonus... :mrsgreen::pullhair: also in scan this was found but NOT in the log, weird>>>

C:\WINDOWS\System32\logonui.exe infected by "Trojan.Win32.Agent.on' Virus! Acton Taken:NoAction Taken

wow isn't that a VERY bad virus??? :pullhair:

Edited by Wademan


I see ya said post ones with "action taken" but scanner says no action unless i PAY/buy this product

Well, how many lines do you have with "action taken--->no action taken", that's what we need to see.


Well, how many lines do you have with "action taken--->no action taken", that's what we need to see.

 

Ok I posted those above here again>>

System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.

Tue Feb 07 10:19:41 2006 => System found infected with searchexe Spyware/Adware ({807553e5-5146-11d5-a672-00b0d022e945})! Action taken: No Action Taken.

Tue Feb 07 10:19:41 2006 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.

Tue Feb 07 10:19:45 2006 => Offending Folder found: C:\WINDOWS\DOWNLO~1\conflict.1

Tue Feb 07 10:19:45 2006 => Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.

C:\WINDOWS\System32\logonui.exe infected by "Trojan.Win32.Agent.on' Virus! Acton Taken:NoAction Taken

:mrsgreen:


C:\WINDOWS\System32\logonui.exe infected by "Trojan.Win32.Agent.on' Virus

 

Kaspersky was reporting this too...it turned out to be a false/positive within their scanner and they 'fixed' it.

 

You can upload this file C:\WINDOWS\System32\logonui.exe to jotti's and have it scanned:

http://virusscan.jotti.org/


C:\WINDOWS\System32\logonui.exe infected by "Trojan.Win32.Agent.on' Virus

 

Kaspersky was reporting this too...it turned out to be a false/positive within their scanner and they 'fixed' it.

 

You can upload this file C:\WINDOWS\System32\logonui.exe to jotti's and have it scanned:

http://virusscan.jotti.org/

 

what about the other things it found, like email flooder/?? That Jotti site says found nothing on that ONE file..what now? :blink: Edited by Wademan


You probably still have some left over junk particles. Good that jotti found nothing, the file is okay.

 

Let's make a reg backup:

1. Backup the registry by going to Start>Run> and type "regedit" without the quotes. Then on the file menu choose ‘export’ in XP. Export the file to your Desktop. Name it today's date. You will see a new icon. Leave it alone until you're sure your system is stable.

 

*****If a restore of the registry is required in case of emergency, just click on the exported regfile on your desktop, and answer YES to the question whether you want to merge this file with the registry. Wait until you get a message saying something like Merge Successful.

 

 

Do you have CCleaner? If not, download it http://www.ccleaner.com/

Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

 

In the Windows Tab:

 

Clean all entries in the "Internet Explorer" section except Cookies.

Clean all the entries in the "Windows Explorer" section

Clean all entries in the "System" section (prefetch, etc)

 

In the Applications Tab:

 

Clean all except cookies in the Firefox/Mozilla section if you use it.

Clean all in the Opera section if you use it.

Clean Sun Java in the Internet Section.

 

Then click the "Run Cleaner" button

 

Reboot, and download RegSeeker http://www.hoverdesk.net/freeware.htm .

 

Extract it to its own folder, open and double click RegSeeker.exe to start the program.

Maximize the window and click clean registry. (in the left column)

Check all sections and click OK.

 

When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again.

Then right click within the search results and select delete.

 

Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything).

 

In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. (or use the emergency reg.file on your desk)

 

A reboot may be required for the effects to be seen.

 

Reboot When done, scan again with MWAV and let's see if the log is clean now.

