Avast WEBforum

Other => Viruses and worms => Topic started by: chabbo on May 15, 2010, 08:55:37 PM

Title: New Facebook virus ?
Post by: chabbo on May 15, 2010, 08:55:37 PM
Hello, I think I got a new Facebook virus

It's a link to atitta på denna bild :D hxxp://yuarel.com/facebook-album-10-05-15-JPG

and it's a file that I have on my desktop that looks like a Facebook app

but I have no idea how to send it to avast; avast doesn't see it as a virus.
Title: Re: New Facebook virus ?
Post by: chabbo on May 15, 2010, 08:59:59 PM
Hello, I think I got a new Facebook virus

It's a link to atitta på denna bild :D hxxp://yuarel.com/facebook-album-10-05-15-JPG

and it's a file that I have on my desktop that looks like a Facebook app

but I have no idea how to send it to avast; avast doesn't see it as a virus.


http://www.virustotal.com/sv/analisis/370e2de98ca15a168e8110fc20bd4d674a919ed92fe934cd9f2742b5fff9a1e9-1273949310
Title: Re: New Facebook virus ?
Post by: Hermite15 on May 15, 2010, 09:01:56 PM
I tried to have a look at it through Firefox virtualized but it's not a pic, it's a screen saver, and I don't want to download it for testing ;)
Title: Re: New Facebook virus ?
Post by: chabbo on May 15, 2010, 09:02:35 PM
that shit froze my pc and spammed over my msn :'(
Title: Re: New Facebook virus ?
Post by: YoKenny on May 15, 2010, 09:08:01 PM
Please go to PROFILE then Modify Profile then Forum Profile Information then Signature: and put information about your system, just like my signature, so that the helpers can offer pertinent advice.

In Account Related Settings select Hide email address from public to prevent scammers and spammers harvesting your chli_peppar hotmail.com email address.

hxxp://yuarel.com/facebook-album-10-05-15-JPG is .scr malware!
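
The mismatch pointed out in the posts above (a link that reads like a JPG but delivers a .scr screen saver) can be checked from the file's content instead of its name. This is an added example, not part of the original thread; the function names are hypothetical and the sample bytes are constructed.

```python
import re
import struct

# Extensions Windows runs as programs; a .scr screen saver is a normal PE file.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}
IMAGE_HINTS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
IMAGE_MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
               (b"GIF87a", "gif"), (b"GIF89a", "gif")]


def sniff(data: bytes) -> str:
    """Return 'pe', an image type, or 'unknown', judged by content only."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header stores the offset of the PE signature at 0x3C.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    for magic, kind in IMAGE_MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_type(name: str):
    """Image type the name advertises: 'x-JPG', 'x.jpg' and 'x.jpg.scr' all say jpeg."""
    tokens = [t.lower() for t in re.split(r"[.\-_ ]", name) if t]
    for tok in reversed(tokens):
        if tok in EXECUTABLE_EXTS:
            continue  # skip a trailing executable extension, look at what precedes it
        return IMAGE_HINTS.get(tok)
    return None


def is_disguised_executable(name: str, data: bytes) -> bool:
    """True when the name suggests a picture but the bytes are a Windows executable."""
    return claimed_type(name) is not None and sniff(data) == "pe"


def constructed_pe_stub() -> bytes:
    """Constructed sample: the smallest header sniff() accepts, not a real program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0"


if __name__ == "__main__":
    lure = "facebook-album-10-05-15-JPG"  # last path segment of the link in this thread
    print(lure, is_disguised_executable(lure, constructed_pe_stub()))
```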
Title: Re: New Facebook virus ?
Post by: Hermite15 on May 15, 2010, 09:08:16 PM
Quote
that s**t froze my pc and spammed over my msn :'(

ok use this:
http://www.malwarebytes.org/mbam.php (although I swore I would never recommend it again, not very friendly guys over there)

run a quick scan with it, post the log here; if anything found follow the instructions and reboot.
Title: Re: New Facebook virus ?
Post by: YoKenny on May 15, 2010, 09:14:07 PM
Malwarebytes is very friendly to people that have malware and have a malware problem.

It i
Title: Re: New Facebook virus ?
Post by: chabbo on May 15, 2010, 09:40:20 PM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4104

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-05-15 21:39:53
mbam-log-2010-05-15 (21-39-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 158779
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winsvncs.txt (Malware.Trace) -> Quarantined and deleted successfully.
Title: Re: New Facebook virus ?
Post by: chabbo on May 15, 2010, 09:50:56 PM
it's still not deleted :O
Title: Re: New Facebook virus ?
Post by: Hermite15 on May 15, 2010, 09:55:49 PM
Quote
it's still not deleted :O

I suppose you were prompted for action and reboot no? did you do that?

edit: or is it something else now, your system's still infected I presume...
Title: Re: New Facebook virus ?
Post by: essexboy on May 15, 2010, 10:00:56 PM
Hi, let's have a look-see - you will need to attach the logs as they are large

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90


Title: Re: New Facebook virus ?
Post by: polonus on May 15, 2010, 10:02:39 PM
Hi forum users,

Be cautious with this website link: http://safeweb.norton.com/reviews/41176
http://www.unmaskparasites.com/security-report/?page=http%3A//yuarel.com/facebook
Suspicious inline script:
Code: [Select]
var gaJsHost=(("https:"==document.location.protocol)?"https://ssl.":"http://www.");
document.write(...    
about what this malicious adcode does:
http://www.google.com/support/forum/p/Webmasters/thread?tid=524385eed6a23eb9&hl=en
and
Code: [Select]
 var pageTracker=_gat._getTracker("UA-3938091-1");
pageTracker._initData();
pageTracker._trackPagevi...
 code outside HTML which is suspicious....
Malware description here: http://forum.malekal.com/http-yuarel-com-facebook-jpg-20100511n-t25590.html
and can be found here: http://support.clean-mx.de/clean-mx/viruses.php?sort=satzart%20asc
seems all profiles are being tracked for dubious purposes...
A way that credential theft is being performed: http://evilcodecave.wordpress.com/2009/01/24/msn-credential-theft-httpzopblobcom/
Malware description: http://www.sophos.com/security/analyses/viruses-and-spyware/malvbinjectt.html
http://www.threatexpert.com/report.aspx?md5=ee04ef11df3b09a8235790af3521f520
and this somewhat earlier variant:
http://www.threatexpert.com/report.aspx?md5=39aa7adf2cb4d7b3d9b1cf319b983f5c
For successful removal one needs:
1. Temporarily Disable System Restore;
2. Update the virus definitions or definitions of MBAM and/or SAS. Reboot computer in SafeMode;
3. Delete the IE temp files, some Mal/VBInject-T temp files exist there,
but better you follow essexboy's instructions to the dot, he will lead you through the necessary cleansing steps

polonus

Title: Re: New Facebook virus ?
Post by: chabbo on May 15, 2010, 10:33:03 PM
Your file is too large. The maximum attachment size allowed is 200 KB.
Title: Re: New Facebook virus ?
Post by: essexboy on May 15, 2010, 10:41:19 PM
Could you upload the main txt file  to Mediafire (http://www.mediafire.com/) and post the sharing link.
Title: Re: New Facebook virus ?
Post by: Pondus on May 15, 2010, 10:58:55 PM
Have sent sample to avast and malwarebytes......
Title: Re: New Facebook virus ?
Post by: polonus on May 15, 2010, 11:04:14 PM
Hi Pondus,

Thank you for forwarding this where this should go,

pol
Title: Re: New Facebook virus ?
Post by: chabbo on May 15, 2010, 11:13:33 PM
aren't pondus and polonodus same ppl?

I'm getting weird now :O


http://www.mediafire.com/?zkrivmmedlq
Title: Re: New Facebook virus ?
Post by: polonus on May 15, 2010, 11:24:44 PM
Hi chabbo,

Pondus and Polonus are both interested in analyzing online malicious website malcoded scripts and help protecting against these. Pondus is a Norwegian and Polonus is Dutch, they are two different persons. But when malicious websites are being reported you may see their nicks here. Essexboy is a trained malware eliminator and to my experience he is one of the best around and with malware removal you are lucky if he comes to the rescue,

polonus
Title: Re: New Facebook virus ?
Post by: Pondus on May 15, 2010, 11:29:23 PM
Quote
aren't pondus and polonodus same ppl?
hey buddy......how are you.... ;)
no, I am me, and he is he.......polonus...... ;D
Title: Re: New Facebook virus ?
Post by: chabbo on May 16, 2010, 12:24:33 AM
problem solved by formatting the pc  :'(

but are both polonius working at Avast house where they build and work with avast, or are they just sitting at home and working for avast?
Title: Re: New Facebook virus ?
Post by: essexboy on May 16, 2010, 12:33:00 AM
OK your log was large because you have either just re-installed or updated to SP3

Run OTL
Code: [Select]
:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2010-05-15 20:47:50 | 000,274,432 | RHS- | C] (Ogbh4L2MOks73vCqx) -- C:\Documents and Settings\elmou\Application Data\msng.exe

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
Title: Re: New Facebook virus ?
Post by: Pondus on May 16, 2010, 12:39:25 AM
Quote
but are both polonius working at Avast house where they build and work with avast, or are they just sitting at home and working for avast?
we do not work for avast, just normal avast users like you
Title: Re: New Facebook virus ?
Post by: chabbo on May 16, 2010, 01:39:24 PM
my mother got the virus; how should I help her remove it in an easy and fast way without reinstalling XP?
Title: Re: New Facebook virus ?
Post by: essexboy on May 16, 2010, 01:53:40 PM
Run OTL as directed to you previously - I will remove the elements and then all should be OK.  There was no requirement for you to have reformatted
Title: Re: New Facebook virus ?
Post by: Pondus on May 16, 2010, 08:03:23 PM
Now detected by Malwarebytes as " Worm.Palevo "