Author Topic: Flash.exe  (Read 8630 times)


mrkefly

  • Guest
Flash.exe
« on: April 09, 2007, 09:57:07 AM »
Hi there...
Actually I got a new virus (or worm), I don't know.
I detected that virus from my experience, because no scanner can detect it, even with new updates from Kaspersky, PC-cillin, Norton and others.

That virus has disabled a few programs, like DOS (note: admin has disabled this function), Run is missing (Start menu), Folder Options (Tools > Folder Options), hidden files can't be opened, and more..

That virus copies itself as flash.exe; I found it in Common Files as flash.exe, in system32 as w(something I forgot), in system as flash.exe, and also in the MSN folder (msn.ece). All those files are 53.0 KB, the same as the Brontok worm.

And for your information, all 3 PCs don't have an internet connection, but we link with others via LAN. I already formatted all the PCs but it came back, maybe using our CD backup.

I need to find a solution....
Before other PCs get infected by us..

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: Flash.exe
« Reply #1 on: April 09, 2007, 12:32:51 PM »
Due to the filename it could be a new Zhelatin worm. I hope you did not click/start that file?

Please check the file here: http://www.virustotal.com/en/indexf.html
MfG Ralf

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Flash.exe
« Reply #2 on: April 09, 2007, 01:33:18 PM »
Hi mrkefly & Raman,

First upload to virustotal to establish what virus we have at hand.
In the case of zhelatin go here: http://www.pspl.com/virus_info/worms/zhelatinch.htm
If it is not the Zhelatin worm but rather the Amara virus, then below are the manual removal instructions for this Amara malware:

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

   1. Open Windows Task Manager.
      On Windows 9x/ME systems, press
      CTRL+ALT+DELETE
      On Windows NT/2000/XP systems, press
      CTRL+SHIFT+ESC, and click the Processes tab.
   2. In the list of running programs*, locate the process:
      Svchost.exe
   3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
   4. To check if the malware process has been terminated, close Task Manager, and then open it again.
   5. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from System Files

A malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

   1. Open System Configuration Editor. To do this, click Start>Run, type SYSEDIT, then press Enter.
   2. In System Configuration Editor, select the WIN.INI window.
   3. Under the [windows] section, locate the line that begins with:
      run =
   4. From the same line, delete the malware path and filename:
      %Windows%\svchost.exe
      *where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
   5. Close System Configuration Editor and click Yes when prompted to save.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

polonus
« Last Edit: April 09, 2007, 01:38:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mauserme

  • Guest
Re: Flash.exe
« Reply #3 on: April 09, 2007, 01:44:42 PM »
So scvhost.exe with the transposed letters or c:\windows\svchost.exe might be OK to terminate and delete but definitely not c:\windows\system32\svchost.exe?


EDIT:  Added some clarification
« Last Edit: April 09, 2007, 02:06:20 PM by mauserme »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Flash.exe
« Reply #4 on: April 09, 2007, 02:00:07 PM »
Hi mauserme,

That is right; it is also important to know where flash.exe resides to know if it is a virus or not.
flash.exe is a process belonging to the Microsoft HTML Help Workshop which assists in Flash design. This is a non-essential process. Disabling or enabling it is down to user preference.

Note: flash.exe is a process belonging to an advertising program. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This process is a security risk and should be removed from your system.

Determining whether flash.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from.
If it is a virus there are various possibilities; consider also this:
http://www.f-secure.com/v-descs/major.shtml

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mrkefly

  • Guest
Re: Flash.exe
« Reply #5 on: April 10, 2007, 10:57:42 AM »
Here is that virus... how can I run regedit without using Run (Start menu)? That menu is already disabled by my new administrator (flash.exe). OK, this flash.exe is not a Macromedia application. Below I attach a picture of where they infected my system.. okay... now check your system... if it's the same as my system.. congrats... you are already infected by that virus (or worm)... hahahah, just a joke...

regards,
mrkefly ???

mauserme

  • Guest
Re: Flash.exe
« Reply #6 on: April 10, 2007, 01:55:46 PM »
In your original post you said these computers have no internet access and you've now reformatted, so the malware is either finding its way onto your computer through the LAN or from removable media (like a thumb drive).  The original infection must have come from removable media.  You will need to isolate these computers from each other and keep whatever removable drives might have been infected in your pocket for now.

If you have access to a computer you know is clean (not part of this LAN), download and burn to a new, unused CD this tool from Symantec, which may help reset some of the commands you're looking for:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

Do the same with Deckard's System Scanner, install it from CD to the infected computer, and follow these directions.

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.



EDIT:  Please don't use that backup disc you mentioned either.  Let's work on the malware problem first, then figure out if that disc can be used.
« Last Edit: April 10, 2007, 02:04:19 PM by mauserme »

mrkefly

  • Guest
Re: Flash.exe
« Reply #7 on: April 12, 2007, 11:22:49 AM »
Here is the analysis from DSS..
I need that cure as soon as possible...

About the thumb drive, I don't think so, because if that virus came from my thumb drive, why is this PC not infected? Some news: that virus has broken my ID on the thumb drive.. the format of that ID is .exe.

Erm, I already used many scanners but nothing can be done... now I'm just waiting for you guys to help me out..
« Last Edit: April 12, 2007, 11:30:31 AM by mrkefly »

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: Flash.exe
« Reply #8 on: April 12, 2007, 12:47:09 PM »
You have to rename these files in Safe Mode:

2007-04-09 03:41:39     54272 -----n--- C:\WINDOWS\system32\w32sys.exe
2007-04-09 03:41:39     54272 --ahs---- C:\WINDOWS\system32\Flash_8_Player.exe<FLASH_~1.EXE>
2007-04-09 03:41:39     54272 --ahs---- C:\WINDOWS\system32\6666.com
2007-04-09 03:41:39     54272 -----n--- C:\WINDOWS\system\Flash Player.exe<FLASHP~1.EXE>

and you have to fix (disable) this entry using MSCONFIG or HijackThis (http://www.bleepingcomputer.com/tutorials/tutorial42.html#HowToUse):
O4 - HKLM\..\Run: [W32SYS] C:\WINDOWS\system32\w32sys.exe


Please test one of the files here: http://www.virustotal.com/en/indexf.html

BTW: Your system time seems to be completely wrong (low CMOS battery?)
Scan saved at 2002-01-01 10:21:42
« Last Edit: April 12, 2007, 12:48:43 PM by raman »
MfG Ralf
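As an added illustration (not code from this thread, nor from DSS or HijackThis), the Python below parses DSS-style listing lines and a HijackThis O4 line like the ones raman quoted, flags entries using the signals his post relies on (the shared 54272-byte size, hidden+system attributes on an executable, a Flash-named binary under the Windows directory) and links the Run entry to the file it autostarts. The sample lines are constructed (the svchost.exe line is a made-up clean control), and reading the attribute column as single-letter flags is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the DSS listing format quoted in the post (not a real
# scan); the last line is a made-up clean control entry.
DSS_LINES = r"""
2007-04-09 03:41:39     54272 -----n--- C:\WINDOWS\system32\w32sys.exe
2007-04-09 03:41:39     54272 --ahs---- C:\WINDOWS\system32\Flash_8_Player.exe<FLASH_~1.EXE>
2007-04-09 03:41:39     54272 --ahs---- C:\WINDOWS\system32\6666.com
2007-04-09 03:41:39     54272 -----n--- C:\WINDOWS\system\Flash Player.exe<FLASHP~1.EXE>
2006-11-02 09:00:00     14336 --a------ C:\WINDOWS\system32\svchost.exe
"""
# The HijackThis O4 line from the post, embedded here as constructed input.
HJT_LINES = r"""
O4 - HKLM\..\Run: [W32SYS] C:\WINDOWS\system32\w32sys.exe
"""
DSS_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\S{9})\s+(.*?)(?:<([^>]+)>)?\s*$")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
DROPPER_SIZE = 54272  # every dropped file in raman's listing shares this size

def parse_dss(text: str) -> List[Dict]:
    """Parse DSS listing lines; attribute letters (assumed a/h/s/n flags) become a set."""
    rows = []
    for line in text.splitlines():
        m = DSS_RE.match(line.strip())
        if m:
            ts, size, attrs, path, short = m.groups()
            rows.append({"time": ts, "size": int(size), "attrs": set(attrs.replace("-", "")),
                         "path": path.strip(), "short": short})
    return rows

def suspicious_reasons(row: Dict) -> List[str]:
    """Heuristics from the thread: size fingerprint, hidden+system binaries, Flash mimicry."""
    reasons, low = [], row["path"].lower()
    if row["size"] == DROPPER_SIZE:
        reasons.append("size matches dropper fingerprint")
    if {"h", "s"} <= row["attrs"] and low.endswith((".exe", ".com")):
        reasons.append("hidden+system executable")
    if "flash" in low and "\\windows\\" in low:
        reasons.append("Flash-named binary inside %WINDIR%")
    return reasons

def correlate(dss_text: str, hjt_text: str) -> Dict[str, List[str]]:
    """Flagged path -> reasons, plus 'autostart' when an O4 Run entry points at that file."""
    flagged = {r["path"]: suspicious_reasons(r) for r in parse_dss(dss_text)}
    flagged = {p: why for p, why in flagged.items() if why}
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if m and m.group(3).strip() in flagged:
            flagged[m.group(3).strip()].append(f"autostart via {m.group(1)} [{m.group(2)}]")
    return flagged
```

Calling `correlate(DSS_LINES, HJT_LINES)` returns the four dropped files with their reasons and leaves the control svchost.exe entry out; w32sys.exe additionally carries the autostart note from the O4 line.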

mauserme

  • Guest
Re: Flash.exe
« Reply #9 on: April 12, 2007, 01:33:44 PM »
I think a run with SDFix might be of use.  Please do this prior to renaming any files:

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose "Extract All",
Open the extracted folder and double click "RunThis.bat" to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


Do these computers never have internet access?


mrkefly

  • Guest
Re: Flash.exe
« Reply #10 on: April 24, 2007, 07:45:20 AM »
Thanks, pal..
Here, that flash.exe has been detected as W32/Jambu (worm).
Avast can detect that virus, but I'm using Symantec Antivirus, and that worm is known as W32/Jambu..
It's just a minor worm.. but a new worm.. the antivirus release was around 18/4/2007 by Symantec and others..

Thanks for helping me..

mauserme

  • Guest
Re: Flash.exe
« Reply #11 on: April 24, 2007, 02:06:12 PM »
No problem.

Everything is OK now?