URGENT HELP needed for UNKNOWN virus

Discussion in 'malware problems & news' started by MAKPI, Oct 26, 2004.

Thread Status:
Not open for further replies.
  1. MAKPI

    MAKPI Guest

    It doesn't let me run antivirus software.
    My Windows has been almost destroyed.
    I can't load programs (although I see them in the task list wasting memory).
    Some .exe files, when I double-click them, are copied and split into 2 new files with the same name, plus a 0 and a 1 added before .exe. For example,
    highjackthis.exe was not executed, but the virus created a highjackthis1.exe and a highjackthis0.exe.
    I can't see my desktop.
    I can see the start menu and taskbar.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you see if your Anti-Virus software will run a scan in "Safe Mode"? If it will, it may then give you enough control after a successful scan to boot into normal mode, so you can follow the instructions found here.

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  3. makpi

    makpi Guest

    The problem is that even in safe mode the antivirus is destroyed.
    I'm looking for a way to scan from a bootable antivirus CD.
    Where can I find a boot CD with antivirus?
     
  4. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, McAfee Stinger can be run from a disk; it detects only a set list of malware, but that includes most of the latest threats.

    http://vil.nai.com/vil/stinger/

    It might not be a virus; it sounds more like a Windows problem.
    Have you tried to run two antivirus or firewall programs at the same time?
     
  5. makpi

    makpi Guest

    It could be a Windows problem, but I'm sure it isn't,
    because it is evolving,
    and because it also spread to a Windows 2003 server
    via Windows file sharing.

    As I told you, for every exe file I want to execute it creates another 2 (!) with the same name plus "0" and "1".
    Very weird.
    Has anyone seen something like that?
     
  6. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    If you are able to download LinuxDefender and you can start your system from CD (perhaps you have to change your BIOS), you can try this:

    LinuxDefender Live! CD is a BitDefender re-mastered Knoppix distribution. It was designed to provide users of both Windows and Linux computers with virus incident rescue tools.

    Whether your Linux mailserver just got rootkited or your Windows gamestation just got Slammer'd, it's LinuxDefender to the rescue! Just put the bootable CD in your drive to start a turn-key Linux OS which comes packed with almost 1.5 gigabytes of utilities.

    http://www.bitdefender.com/bd/site/presscenter.php?menu_id=25&n_id=58

    Gerard
     
  7. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, could you please give some more details: operating system(s), how many PCs are networked, what AV/security software was running, did the problem just start or has it progressed, have you changed any settings, and what have you tried so far to fix the problem?

    I know that's a lot of questions, but it should help to identify the problem.
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Yes, more information would be helpful. What OS and its patch status, what AV and its update status, what firewall? Any IPS/IDS? This doesn't sound like a virus/worm incident. Most modern virii/worms aren't really interested in doing much system damage, as they need a stable system to propagate from or to do whatever dirty deed they were designed for, like spamming for instance. Yes, they may consume bandwidth to propagate, but they generally won't destroy needed networking files/functions. It sounds more to me like a hacking incident: the hacker has discovered whatever it is they needed to know and is now covering their tracks by destroying any way of discovering who they are/were.
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Failing all of the above, disconnect that PC from the network and slave its hard drive off a clean PC and have it then run a scan on the infected drive...

    Hope this helps...

    Cheers :D
     
  10. MAKPI

    MAKPI Guest

    Re: GREGCENTER disaster

    Guys, thanks for your concern.

    I searched on Google and found that a French guy has a similar problem.
    See this link, translated with Babelfish (http://babelfish.altavista.com):

    http://www.commentcamarche.net/forum/affich-1034322-help-fichiers-0000-exe-cr%E9%E9s-tout-le-temps

    I ran the McAfee online scan and it found it on my computer.

    On my computers I use Norton, which could not trace it :(

    After that I think I will change AV software.

    BEWARE, the virus is very dangerous: it spreads through Windows file sharing, I probably got it from a web page, and it slowly deteriorates Windows (I couldn't even see the task bar and start menu! It resets all the programs, and many programs lose their serial numbers, DLLs etc.)

    I wish that nobody else has the same trouble as me.
    I've been fighting this for 4 days and my work has fallen behind.
     
  11. makpi

    makpi Guest

    GREGCENTER / QRAP / GREGORY TROJAN

    I tested one of the infected files at

    http://virusscan.jotti.dhs.org/

    and the results were these:

    Status: INFECTED/MALWARE
    AntiVir W32/GregCenter (2.65 seconds taken)
    Avast Win32:Qrap (7.90 seconds taken)
    BitDefender Trojan.Qrap.A (9.72 seconds taken)
    ClamAV No viruses found (10.38 seconds taken)
    Dr.Web Win32.HLLP.Gregory (13.08 seconds taken)
    F-Prot Antivirus No viruses found (1.20 seconds taken)
    Kaspersky Anti-Virus Trojan.Win32.Qrap (15.75 seconds taken)
    mks_vir Trojan.Qrap (2.77 seconds taken)
    NOD32 No viruses found (4.83 seconds taken)
    Norman Virus Control No viruses found (38.93 seconds taken)

    I downloaded freeav and it found the virus.
    Now I have another problem.
    How do I repair/disinfect the files?
    I don't want the AV just to delete them, because it's a lot of work to reinstall again so many programs I have.
     
  12. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: GREGCENTER / QRAP / GREGORY TROJAN

    If it affects a few programs, you may just have to reinstall those programs; you can try installing straight over the top and see how you go...

    In regards to Windows, you can do the following:

    Place your Windows CD in the CD-ROM drive, click Start > Run, type in CMD, and when the black window opens type in "sfc /scannow".

    SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do...

    Hope this helps...

    Cheers :D
     
  14. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    This sounds like a pretty nasty trojan, any chance you could submit it to Eset so no one else gets infected with it? And the other AV's that don't detect it as well?
     
  15. makpi

    makpi Guest

    What is Eset and how can I send infected files over there?
    I don't think I have any infected file in the PC.
    I will try to find one, though, to send where you tell me.

    As soon as the virus was cleaned, everything worked.
    The reason for programs not working (even the start menu and taskbar) was that the virus did not execute the original program, but copies of it that existed in a different directory under a different name, e.g. mailwasher01.exe, mailwasher02.exe etc.
     
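    A small defender-side triage check based on the symptom makpi describes above: copies of an executable appearing beside the original with digits appended to the name (highjackthis0.exe, mailwasher01.exe). This is an added example, not code from the thread; the directory tree and file names it scans are constructed, and a hit is a lead to inspect (hash, size, timestamp), not proof of this particular trojan.

```python
import os
import re
import tempfile
from pathlib import Path

# <stem><one or more digits>.exe, e.g. highjackthis0.exe or mailwasher01.exe
COMPANION_RE = re.compile(r"^(?P<stem>.+?)(?P<digits>\d+)\.exe$", re.IGNORECASE)

def find_companion_copies(root):
    """Walk `root`; return {original .exe path: [sorted copy paths]} for each
    executable that has same-directory siblings named <stem><digits>.exe.
    A legitimate setup.exe / setup2.exe pair matches too, so verify hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        exes = {f.lower(): f for f in files if f.lower().endswith(".exe")}
        for lower, name in exes.items():
            m = COMPANION_RE.match(lower)
            if m is None:
                continue
            original = m.group("stem") + ".exe"
            if original in exes:
                orig_path = os.path.join(dirpath, exes[original])
                findings.setdefault(orig_path, []).append(os.path.join(dirpath, name))
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_tree():
    """Constructed sample tree (not from the thread) that mimics the symptom."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    layout = {
        "tools/highjackthis.exe": b"MZ original",
        "tools/highjackthis0.exe": b"MZ copy",
        "tools/highjackthis1.exe": b"MZ copy",
        "mail/mailwasher.exe": b"MZ original",
        "mail/mailwasher01.exe": b"MZ copy",
        "mail/mailwasher02.exe": b"MZ copy",
        "mail/notepad.exe": b"MZ clean",  # no companions: must not be flagged
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root

def demo():
    """Scan the sample tree; return {original name: [copy names]}."""
    hits = find_companion_copies(build_sample_tree())
    return {os.path.basename(k): [os.path.basename(c) for c in v] for k, v in hits.items()}

if __name__ == "__main__":
    print(demo())
```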
  16. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Eset is the creator of NOD32 AV. Just zip the file and send it here:

    samples@eset.com



    snowbound
     
  17. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Sorry, I thought since you were posting here you used NOD32. The address is as snowbound posted above. If you could, also research the address for Frisk, since F-Prot also missed it. I think Jotti automatically forwards samples the AVs don't detect to the provider anyway, but just to be sure. Thanks, and I'm really glad you found out what it was and cleaned it; that sounded really bad and aggravating.
     
  18. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    If you find the sample you can also submit to Norton. The preferred way is via Scan-and-Deliver, which is:

    1. Open your Norton Quarantine and click "Add Item", then browse to the file and add it to Quarantine.

    2. Highlight the added file in Quarantine and click "Submit Item". Then follow the directions to submit the file. If you have any problems getting the submission to work, try entering your SMTP server rather than using the default method.

    Since you said you have NAV, that is the best and recommended way to submit files for analysis. For those without the program, send an uncompressed sample to avsubmit@symantec.com {NOTE: zipped samples are likely to be rejected, so send uncompressed samples if possible}.
     
  19. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Symantec doesn't accept zipped samples? Why? That would make it impossible for most users to send to them as most of us have ISPs that scan all outgoing mail and will destroy any sample that is not zipped and password protected. I know I forgot this recently and sent a zipped sample to Frisk that I didn't password protect. They received an empty file. Of course, my ISP didn't bother to let me know they had stripped the file on outgoing but that is what happened. I had to password protect it and resend. (Irony that they use Symantec Corporate scanner so if I was trying to send to Symantec in essence they would be shooting themselves in the foot)! :D
     
  20. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Actually I had in mind password-protected zips. I haven't had much luck sending PW-protected zips to that email address the few times I tried. And if you don't password protect you might as well send the naked sample.

    But the preferred method is Scan-and-Deliver from Quarantine, as that is on a private line back to SARC and the Wizard auto-compresses the file in whatever format or algorithm they are using before transmission. I have submitted thousands of samples via Scan-and-Deliver, only a few to that address, mainly as an experiment.

    There is yet another avenue to try, I received this from a friend. You can try this link: https://submit.symantec.com/gold/ -- I believe that one will accept and analyze zipped archives. ;)
     
  21. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    The Public AntiVirus CD v.3.70 has been updated for 2004-11-01:

    McAfee virus defs updated 2004-11-01
    Symantec virus defs updated 2004-10-31
    McAfee Stinger updated 2004-10-29
    Symantec FixTool for W32.Beagle variants updated 2004-10-31

    http://www.dslreports.com/forum/remark,11743366~mode=flat

    No Fancy WebPage Stuff Here....Just My Public AntiVirus CD

    Updated: 2004-11-03

    Public AntiVirus CD (Approx. 95megs)

    MD5 Check Sum for CD
    Updates to the CD
    Contents of the CD

    Here are the contents of the AVCDPUB.ZIP:

    AVCDPUB.ISO - actual bootable CD in ISO format; use Nero, Roxio or other burning software that supports ISOs
    McAfee command line scanner
    Ad-Aware 1.05 SE (free) edition, with updated defs list file
    SpyBot 1.3
    Symantec Fixtools for various infections
    Hijack This
    CWShredder 2.00
    PSKill, NMap, Process Explorer, TCPView, FPort (in security folder)

    Guide to Using the Public AntiVirus CD
    Guide to Using SpyBot 1.3
    Guide to Using Ad-Aware

    http://nyquil-kid.dyndns.org/
     