
john fechon

Best Friends Virus

Recommended Posts

My friend recently had this start appearing in his away messages for AIM:

WTH LOOK .kovpak.ru/bestfriends.scr link removed?!!!??!?-s

edit: DO NOT CLICK, thought that may be a good idea just in case

 

He had some viruses floating around, and I looked at the processes and deleted most of the .exe's and other files that help sites suggested to delete. All of them have stayed dead with the exception of msgfix.exe. This one seems to be behind the away msg theft, and it won't let you end its process or delete it normally. When you do delete it, it reappears on the next reboot. It can quickly rack up 6-8 msgfix.exe's running at once. The pcpitstop virus scan found four viruses, which I deleted. Still the msgfix.exe came back. Running an aimfix.exe that everyone suggests for the BestFriend virus kept trying to delete an av.exe, which I took a guess on and deleted myself. Other than that, it doesn't catch this version.

 

To make matters worse, this program just popped up, not letting me stop it, and not showing up in any google search: "realplaye32.exe"

It's killing the CPU (old laptop) and making doing anything a pain. It's running Windows 2000. Any help would be greatly appreciated, as not only does he have it, but all of his friends made the conscious decision to click the bizarre-looking link and immediately complain about a virus.


One of these worms, GAOBOT.AUS, SDBOT.J or SDBOT-QG, after execution drops a copy of itself as MSGFIX.EXE in the system folder. It then adds several registry entries to enable its automatic execution at every system startup.

It creates the registry keys below:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Configuration Loader = "msgfix.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Configuration Loader = "msgfix.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Configuration Loader = "msgfix.exe"

===========================================

 

It will also attempt to establish a connection with the IPC$ share on each randomly generated IP address it enumerates. It drops a copy of itself in the following directories as MSGFIX.EXE:

\IPC$

\D$

\print$

\c$

\Admin$

\c$\windows\system32

\c$\winnt\system32

\Admin$\system32

====================================

You need to run an up-to-date antivirus scanner to identify the malware program and terminate it.

You may have to disable System Restore because a virus scan may detect a threat in the System Restore folder even though you have removed the threat and the antivirus won't be able to remove it from the System Restore backup.

 

MANUAL REMOVAL INSTRUCTIONS

 

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected by the virus scanner.

 

Open Windows Task Manager.

On Windows 95/98/ME systems, press

CTRL+ALT+DELETE

On Windows NT/2000/XP systems, press

CTRL+SHIFT+ESC, then click the Processes tab.

In the list of running programs*, locate the malware file or files detected earlier.

Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.

Do the same for all detected malware files in the list of running processes.

To check if the malware process has been terminated, close Task Manager, and then open it again.

Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

 

Removing Autostart Entries from the Registry

 

Removing autostart entries from the registry prevents the malware from executing during startup.

 

You will need the name(s) of the file(s) detected earlier. To remove the malware autostart entries:

 

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or the files detected earlier:

Configuration Loader "msgfix.exe"

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices

In the right panel, locate and delete the entry or the files detected earlier:

Configuration Loader "msgfix.exe"

Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
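A defender-side check for the autostart entries this post lists, written as an added example (not jojesa's code or any vendor's tool): it parses a constructed regedit export and flags Run/RunServices values that name a file reported in this thread, or that register a bare filename with no path, the way the worm registers itself. The sample export, the "Synchronization Manager" and "RealPlayer" value names, and the mobsync.exe entry are constructed for contrast.

```python
# Autostart keys the worm writes to, as listed in the post above (lower-cased).
AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Filenames this thread reports as dropped by the infection.
KNOWN_BAD = {"msgfix.exe", "msnconfig.exe", "realplaye32.exe"}
# Constructed sample of a 'regedit /e' export, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="msgfix.exe"
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="msgfix.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="\"C:\\WINNT\\system32\\realplaye32.exe\" /silent"
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            # .reg files escape backslashes and quotes inside string data.
            data = data.rstrip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_suspicious_autostarts(reg_text):
    """Flag Run/RunServices values naming a known-bad file (strong signal) or a bare
    filename with no directory (weak signal: the worm's style, but not unique to it)."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            # Program part of the value: a quoted path, or the first token.
            exe = data[1:data.index('"', 1)] if data.startswith('"') else data.split(" ")[0]
            basename = exe.rsplit("\\", 1)[-1].lower()
            if basename in KNOWN_BAD:
                findings.append((key, name, basename, "known-bad file"))
            elif "\\" not in exe and basename.endswith(".exe"):
                findings.append((key, name, basename, "bare filename, no path"))
    return findings
```

Bare-filename hits need manual triage, since some legitimate entries also omit the path; the known-bad hits map directly onto the removal steps above.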


Found msgfix.exe in

C:\WINNT

C:\WINNT\system32

 

Tricky, I never checked one of the folders for it, which could explain how it kept coming back.

 

Trying to end process resulted in : The operation could not be completed

access is denied.

 

Used moveonboot or something to delete them when you restart, since deleting them while they run won't work.

 

Registry entries were deleted from those locations.

 

Upon reboot, it seems everything is good, with the exception of realplaye32.exe, which returned, but I was able to end task it this time. I forgot to check its file path, but does anyone have any info on it?

 

Thanks for all the help jojesa


Everything was fine as of last night, and when we woke up this morning, no changing of his away msg. But we found 13 msgfix.exe's running, and the file was back where we found it before.

 

Found and deleted realplaye32.exe in c:\winnit\system32. Does anyone know what that one is? Also deleted two entries for realplaye32 with HijackThis.

 

I've deleted everything and restarted, but this doesn't seem to be working; it just keeps coming back.


I did a search through files created this morning after I kept deleting everything, and found a few that looked wrong.

 

MS-DOS batch file called secure in c:\winnt\Temp. Opening it with Notepad showed:

@echo off

net share C$ /delete /y

net share D$ /delete /y

net share IPC$ /delete /y

net share ADMIN$ /delete /y

 

Which is pretty much the folders that jojesa said to check but didn't exist.

 

Also, an application called ago in c:\

Not sure on this, so I decided what the hell and ran it, and realplaye32.exe started up, right back where it was before.


I downloaded the bestfriends.scr from the link you posted and nothing has yet happened.

No viruses or worms found.


Not sure what that means. All of his files that were part of the virus he had were dated May 12, 2004, so it seems like the virus was there for a while. Yet other people who clicked the link got the virus almost immediately. Did you try running it? The last time someone got one of these viruses, I had to walk it through its install and practically tell it how to infect me.

 

On the plus side, it seems the virus is gone from his computer. Wait, never mind, msgfix.exe is back. YAY. It just won't die. Also, it seems to be affecting people differently. His computer had the realplaye32.exe eating up CPU, but his home computer can't access email and another friend's computer can't use IE.

 

 

Update: I finally downloaded it to my computer. I had to tell it to run itself a few times before it finally took hold, and it went by msnconfig.exe instead of msgfix.exe. It stopped Task Manager from running, but HijackThis still worked (roommate sometimes couldn't run HijackThis). I ended it, searched for new files created, found only one and deleted msnconfig.exe. It created a dll file called rtuyfhf.dll as soon as I deleted it, which I deleted as well. Pretty sure it's gone from mine, but it won't leave his.


:bump:

 

The problem has gotten bigger. AVG found stuff the first time, but now it finds nothing. He's up to 68 processes, 30+ of which are msgfix.exe.


Only things I can suggest are doing several online virus scans:

 

http://housecall.antivirus.com/housecall/start_corp.asp

 

http://www.windowsecurity.com/trojanscan/

 

http://www.ravantivirus.com/scan/

 

http://support.f-secure.com/enu/home/ols.shtml

 

http://www.pandasoftware.com/activescan/com/

 

 

If no amount of AV scans and manual file deletions will permanently remove this virus, then you may be further ahead to format that hard drive, re-install the operating system from scratch, and start over. 'Course that's just my humble opinion. It just seems to me as if nothing you try is making any difference whatsoever... :( -kd5-


If the person has any programs running such as SpyBot's TeaTimer, SpySweeper or anything of that nature, disable them and then try deleting the bad files.


I think it's finally dead. I ran all those tests you listed, kd5, and the first few and the last one found files. A bunch of randomly named .dll files and another secure.bat popped up. It takes about 24 hours to see if it pops back up.

 

I still don't quite understand what virus it was supposed to be. It performed different actions on different computers. It wiped off my computer in one delete, but on my roommate's it could come back. Not to mention how it was like some bizarre combination of different viruses. In any case, thank you everyone for helping, I really appreciate the help.
