Author Topic: cawajanga.biz  (Read 35296 times)


Offline SUSZANNAH

Re: cawajanga.biz
« Reply #15 on: April 27, 2007, 11:44:19 PM »
Thank you everyone for your help     :)

Hi again David, do you want me to just remove the ones Spyros pointed out?

Offline polonus

Re: cawajanga.biz
« Reply #16 on: April 27, 2007, 11:46:36 PM »
Hi Susz,

There is your second op. All flags down now, go hit that HJT "hogwart" tool button and finalize this cleansing routine. In the meantime I keep my fingers crossed for ye, all's well that ends well,

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline SUSZANNAH

Re: cawajanga.biz
« Reply #17 on: April 28, 2007, 12:05:41 AM »
OK woohoo got 3 of them off.....but

2 are in the system32\EXSMgr.dll, not sure how I get them from HJT to the avast chest....


Offline polonus

Re: cawajanga.biz
« Reply #18 on: April 28, 2007, 12:14:46 AM »
Hi Susz,

What is the one that stayed behind? What you got off with HJT or toolbarcop has gone to electronic nowhere land, this malware has "evaporated" - you cannot put that back to the chest or forward it to Avast. HJT has got rid of it, definitely period. What's gone is gone.

polonus

Offline SUSZANNAH

Re: cawajanga.biz
« Reply #19 on: April 28, 2007, 12:33:46 AM »
nooo lol, didn't understand what David meant by the 2 in SYSTEM32\EXZMgr.dll so I didn't delete them........yet, till I know what I am doing     ;D

Offline DavidR

Re: cawajanga.biz
« Reply #20 on: April 28, 2007, 01:02:42 AM »
Quote from: SUSZANNAH
OK woohoo got 3 of them off.....but

2 are in the system32\EXSMgr.dll, not sure how I get them from HJT to the avast chest....

You don't. HJT tackles the registry entries that run the files, etc. Once that is cleaned up, the files don't run, and you then have to manually remove (delete) them. I'm proposing that you first add them to the avast chest so that they can be sent to Alwil for analysis.

There were two entries in the HJT log for the 'system32\EXSMgr.dll' one file so there is only one to find.

1. First open the avast chest and click the User Files section and add the c:\windows\system32\EXSMgr.dll to the chest, see the Image that I posted it shows how to do it, File, Add.
2. There will be an explorer like pop-up navigate to the c:\windows\system32\EXSMgr.dll and click Open, this will add the file to the chest.
3. Right click on the file in the chest and select Email to Alwil Software.
4. Don't change any settings in the window. Give a brief outline of the problem (possibly a link to this thread) and the fact that you believe it to be a new, undetected virus.
5. Send.

Once you have sent the sample to avast, you now need to delete the copy in the system32 folder. Before you do that you will need to disable system restore and reboot, otherwise windows will save a copy as a restore point. At any time in the future, if you use system restore you could be reinfecting your system.

How to disable System Restore.

Once you have deleted the file, you can enable system restore and reboot.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline SUSZANNAH

Re: cawajanga.biz
« Reply #21 on: April 28, 2007, 01:26:46 AM »
mmmmmm have opened the chest, gone to files, it won't let me add, it's greyed out? What am I doing wrong?

Offline DavidR

Re: cawajanga.biz
« Reply #22 on: April 28, 2007, 02:08:49 AM »
You haven't opened the User Files section, click on the Icon.

Offline SUSZANNAH

Re: cawajanga.biz
« Reply #23 on: April 28, 2007, 02:31:41 AM »
Right with you so far... system restore is off and I sent mail to Alwil.....and the last lap is??? lol

Told you I was out of practice    ;D

Offline SUSZANNAH

Re: cawajanga.biz
« Reply #24 on: April 28, 2007, 02:57:11 AM »
HJT won't remove the 2 files in SYSTEM32\EXMgr.dll, this is driving me nuts...... >:(

Offline FreewheelinFrank

Re: cawajanga.biz
« Reply #25 on: April 28, 2007, 09:04:22 AM »
Susz,

The malware is active in memory and is protecting itself against removal. You need a program like FileAssassin to remove it on reboot before it can activate:

http://www.malwarebytes.org/fileassassin.php

Install the program and enter the file name as follows:



Note that I have selected the 'Use delete on Windows reboot functions.'

PS You also have a seriously out of date and vulnerable version of Java. Run this scanner to confirm this and any other possible vulnerabilities:

http://secunia.com/software_inspector/

It will give you links to download new versions. Don't forget you need to remove older versions of Java from Add/Remove.  ;)
« Last Edit: April 28, 2007, 09:26:32 AM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

Re: cawajanga.biz
« Reply #26 on: April 28, 2007, 01:32:35 PM »
Hi FwF,

Why can't I find any info on this particular dll? It has to be related to malware that comes in after the ANI hole is exploited. I told SUSZ also that she has to download all the critical M$ patches onto her computer. But I cannot find technical info on EXSMgr.dll. Have you seen anything?

polonus

Offline DavidR

Re: cawajanga.biz
« Reply #27 on: April 28, 2007, 02:06:11 PM »
Firstly, the file name is EXMgr.dll. Second, the only hit I find is related to a common mis-spelling of extmgr.dll (a legit windows file), which is often a common tactic. The fact that there are no Google hits makes it even more suspicious; however, there is nothing to say this is an .ani exploit, that deduction came from where the hijacks were going, cawajanga.biz.

The O20 - Winlogon Notify: EXSMgr - C:\WINDOWS\SYSTEM32\EXSMgr.dll entry is what I believe we all found suspicious, backed up by an almost total lack of information. We know it shouldn't be there but we can't say for sure what it does.

Perhaps Susz should check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
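The O20 entry quoted above, together with the observation that a one-letter variation on a legitimate file name (extmgr.dll) is a common tactic, can be turned into a small triage check. The Python script below is an added example written for this thread, not a tool from the forum, from HijackThis or from Avast. It parses "O20 - Winlogon Notify" lines from an HJT-style log and reports each handler DLL as known, as a lookalike of a known name (within a small edit distance), or as unknown. The allowlist of legitimate Winlogon Notify DLLs and the sample log lines are constructed for the demonstration (only the EXSMgr line comes from the thread), so the allowlist is an assumption rather than an authoritative list, and a flagged entry is a lead to submit the file for scanning, not proof of infection.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format. The EXSMgr O20 line is the one
# quoted in this thread; the other lines are constructed examples of typical entries.
SAMPLE_LOG = """\
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: EXSMgr - C:\\WINDOWS\\SYSTEM32\\EXSMgr.dll
O20 - Winlogon Notify: cscdll - C:\\WINDOWS\\SYSTEM32\\cscdll.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Example allowlist (an assumption for this demo, not an authoritative list) of
# DLL names that legitimately appear as Winlogon Notify handlers on Windows XP.
KNOWN_NOTIFY_DLLS = {
    "extmgr.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "termsrv.dll",
}

# "O20 - Winlogon Notify: <registry key name> - <dll name or full path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>[^-]+) - (?P<dll>.+)$")


@dataclass
class Finding:
    key: str      # Winlogon\Notify subkey name from the log line
    dll: str      # DLL name or path exactly as logged
    verdict: str  # "known", "lookalike of <name>" or "unknown"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path or bare file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(dll_path: str, allowlist=KNOWN_NOTIFY_DLLS, max_dist: int = 2) -> str:
    """Known name, near-miss of a known name (typosquat-style), or unknown."""
    name = basename(dll_path)
    if name in allowlist:
        return "known"
    closest = min(allowlist, key=lambda good: levenshtein(name, good))
    if levenshtein(name, closest) <= max_dist:
        return f"lookalike of {closest}"
    return "unknown"


def triage_hjt_log(text: str) -> list:
    """Return a Finding for every O20 Winlogon Notify line in an HJT-style log."""
    findings = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue  # other HJT sections (O4, R1, ...) are out of scope here
        dll = m["dll"].strip()
        findings.append(Finding(m["key"].strip(), dll, classify(dll)))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        flag = "" if f.verdict == "known" else "  <-- submit for scanning"
        print(f"{f.key:12} {f.dll:40} {f.verdict}{flag}")
```

Run against the sample, the EXSMgr entry is reported as a lookalike of extmgr.dll while the two constructed legitimate handlers pass as known. The distance threshold of 2 is deliberately small: a larger value would start matching unrelated short names, and a name that is simply absent from the allowlist is still reported as unknown so it is not silently ignored.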

Offline DavidR

Re: cawajanga.biz
« Reply #28 on: April 28, 2007, 02:15:59 PM »
Quote from: SUSZANNAH
HJT won't remove the 2 files in SYSTEM32\EXMgr.dll, this is driving me nuts...... >:(

HJT may not be able to directly remove files, only the registry entries, which is why I always say you should check afterwards if the file is still in the location and, if so, manually remove it. It does have a means of deleting a file on reboot: on the bottom right of the window click the Config... button. Click the Misc Tools and there is a Delete file on reboot option. Click that button and you can select the file to delete on reboot.

There is also the tool Frank mentioned to remove files and others:
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

Offline SUSZANNAH

Re: cawajanga.biz
« Reply #29 on: April 28, 2007, 02:34:45 PM »
Thank you all so much, I have enough things to try here to keep me going for a while lol

Will get back with the results.........keep fingers crossed