Author Topic: multiple infection!!!!!  (Read 19286 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #30 on: June 22, 2007, 05:08:53 PM »
<snip>
and thanks for your help dravid
you still haven't told me what software you use to take screenshots ..it's pretty good ;)
<snip>

I didn't notice you had asked, but I use SnagIt 8.2.1. Though it isn't free, it is an excellent program; there are some that may not be as flexible but are more than adequate for most people's limited needs. But if you do a lot of screenshot work it is well worth the cost.

WinSnap screen capture - version 1 is FREE for personal - http://www.filehippo.com/download_winsnap/?2173
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #31 on: June 22, 2007, 05:14:28 PM »
http://rapidshare.com/files/38715503/malware.7z
password: virus

Someone download it from there and pass it on to Alwil.. they are all exe files, don't be stupid and click on one of them. There is a collection of malware with downloaders, trojans, dll injectors and rootkits which avast does not detect yet ;)
and dravid thanks for that link ..
and do you use AVG anti spy..
do you use the free version or the paid version ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #32 on: June 22, 2007, 05:28:29 PM »
Quote
and dravid thanks for that link ..

You're welcome, it is David not dravid ;D

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: multiple infection!!!!!
« Reply #33 on: June 22, 2007, 06:28:34 PM »
Quote
Background

Since June of 2006, numerous users have reported experiencing similar issues with their browser which were later found attributable to a malicious trojan - specifically one based on Poison Ivy, an advanced "reverse connection", firewall-bypassing remote administration tool. The trojan creates a 'server' file on the affected system which alerts the trojan-maker when an affected system is online and which then gives access to, monitoring of, and even complete control of an infected user's system - giving him (among other things) the possibility to steal usernames & passwords, banking or credit card info, or any other private information that may have been stored, typed or viewed on-screen while the computer is infected. The default setting is for the malicious 'server' file to inject itself into the target system's Default Browser memory space and then run as a phony 'duplicate' browser process, which enables it to bypass detection by firewalls and routers. So while many Firefox users naturally assumed the problems they were experiencing were a 'Firefox problem', they would in fact have happened whichever browser was set as their system Default.

While there are other similar Remote-Admin apps used by trojan-makers, Poison Ivy quickly became popular for a number of reasons - it was new, it could be deployed without arousing much suspicion, it injected itself into the Default Browser process, and it had an attractive range of monitoring & set-up features. One such feature was the apparently unique 'Persistence' option - if enabled, the server file located on the infected system will restart itself even when the process is manually killed by the user - which means more 'up time' for the hacker - no waiting for the infected user to reboot their system or manually restart an affected application. Another handy feature is the 'Melt' function - which deletes the original infected file upon first run, so that a user cannot inspect it or upload it to an anti-virus company's database.


Quote
Removal

Caution: While these steps should be safe to perform if followed correctly, you should never edit the registry if you don't feel confident or are unsure of what you are doing. If your Anti-virus software failed to remove the trojan, but you are not comfortable removing it yourself, please seek support from your security software provider, your pc manufacturer or a local repair shop - or anyone you trust with your machine.

If any of the above tell-tale signs were found but your AV/spyware scanner failed to quarantine/clean a trojan from your system, you can use the following steps to manually remove the trojan and all its related traces from your system:

   1. Reboot into Windows Safe Mode (Reset the computer and press the F8 key repeatedly until the Safe Mode prompt comes up prior to Windows startup).
   2. Run Registry Editor (Start Button -> Run, then type "regedit" and click OK), find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components and look for, back up, and remove any sub-key(s) that *only* have a StubPath entry. It's advisable to back up any registry keys before you remove them (just in case). Right-click on the appropriate Key(s) in the left-side pane and choose Export from the context-menu. Give the file a name and save it to your Desktop as a .reg file, e.g. SuspiciousKey1.reg. If you later wish to undo the deletion of the Key, double-click the .reg file and say "Yes" to merge the Key back into your registry.
   3. Delete the suspicious files you found during the 'confirming the presence of malware' step (above).
   4. Reboot into Windows (normal mode).
   5. Double-check everything to make sure it hasn't returned!
   6. Please Note: As of April 6, 2007, Ivy will re-create the registry key. Instead of deleting the random key, change the value of "StubPath" to something that is not a file path, such as: Disabled. This will ensure the process does not start again, and should clear your task manager up.

Quote
Alert!

Worth mentioning again: If you were indeed affected by Poison Ivy or a similar trojan, be warned that a hacker may have had access to all of your user-names, passwords and other private information that was either stored on your computer or that you had typed during the period that you were infected. The Webroot SpySweeper webpage for the Poison Ivy trojan warns:

    It is recommended that you change all of your passwords AFTER removing this [trojan]. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.

Quote
Prevention

    * Be especially wary of downloading & installing executable files posted on messageboards or arriving via email. If you weren't expecting the file but it appears to be from someone you know, email them back and confirm that they sent it - viruses are known for using Address Books to spread.
    * Update your virus scanner / spyware software regularly.
    * Go into your firewall configuration's Program Control area and remove all references to Firefox so that any inadvertently-allowed Ports that may have previously been granted access privileges can be reset.
    * Pay attention to firewall alerts. If you were not expecting a Port to be accessed, take the time to find out what it is, where it is, and why it is trying to connect to your computer. Perform a web-search on the IP address and on the Port number, and on the application filename that requested it. You are probably not the first to experience it and question it. Use that to your advantage - be safe rather than sorry.
    * Be aware of what processes normally run on your system so that you can recognize any unusual activity. It's possible to add the Task Manager to your Startup Folder, and change its Properties to 'Run Minimized' so that it loads with Windows and hides in the tray where it's always quickly accessible.

http://kb.mozillazine.org/Firefox.exe_always_open
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
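The removal steps quoted above (find Active Setup components that carry nothing but a StubPath, export them before touching them, and set StubPath to "Disabled" rather than deleting the key) are easy to get wrong by hand in regedit. The PowerShell below is an added example written for this thread; it is not code from the forum post or from the mozillazine article it quotes. It only reports and backs up by default; the `Disable-StubPath` function applies step 6 and supports `-WhatIf`. The backup folder location and the "executable is the first token of the command line" heuristic are assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the thread or the quoted KB article): audit the Active Setup key
# the removal steps describe, back up anything suspicious, and optionally neutralise it the
# way step 6 recommends (StubPath = "Disabled" instead of deleting the key).
# Assumed: $BackupDir location below; StubPath's first token is the program it launches.

$ActiveSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

function Get-StubPathTarget {
    # Heuristic: pull the executable out of a StubPath command line,
    # e.g.  "C:\x.exe" /arg   or   C:\x.exe /arg
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+', 2)[0]
}

function Find-StubPathOnlyComponent {
    # Returns Active Setup components whose only named value is StubPath.
    # Legitimate Microsoft components normally also carry Version, IsInstalled,
    # ComponentID or a friendly default name; a bare StubPath is the pattern the KB flags.
    Get-ChildItem -Path $ActiveSetup | ForEach-Object {
        $key   = $_
        $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })
        if ($names.Count -eq 1 -and $names[0] -eq 'StubPath') {
            $stub   = [string]$key.GetValue('StubPath')
            $target = Get-StubPathTarget $stub
            [pscustomobject]@{
                Key          = $key.Name          # HKEY_LOCAL_MACHINE\...\{GUID}
                StubPath     = $stub
                Target       = $target
                TargetExists = ($target -ne '' -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

function Backup-RegistryKey {
    # Step 2: export the key to a .reg file so the change can be undone by merging it back.
    param(
        [Parameter(Mandatory)][string]$KeyName,
        [string]$BackupDir = "$env:USERPROFILE\Desktop\ActiveSetupBackup"   # assumed location
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $safe = (($KeyName -split '\\')[-1]) -replace '[^\w\-{}]', '_'
    $file = Join-Path $BackupDir "$safe.reg"
    & reg.exe export $KeyName $file /y | Out-Null
    return $file
}

function Disable-StubPath {
    # Step 6: replace the StubPath value with the literal "Disabled" instead of deleting
    # the key, which the KB reports Poison Ivy simply re-creates.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Key)
    process {
        $psPath = $Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'
        if ($PSCmdlet.ShouldProcess($Key, 'Back up and set StubPath=Disabled')) {
            $backup = Backup-RegistryKey -KeyName $Key
            Set-ItemProperty -Path $psPath -Name StubPath -Value 'Disabled'
            Write-Host "Neutralised $Key (backup: $backup)"
        }
    }
}

# Report only; review the output before acting on any of it.
$suspects = Find-StubPathOnlyComponent
$suspects | Format-Table -AutoSize

# After review, dry run first, then apply:
#   $suspects | Disable-StubPath -WhatIf
#   $suspects | Disable-StubPath
```

A key whose target file no longer exists (`TargetExists` false) is consistent with the 'Melt' behaviour described in the Background quote, so it is worth a second look rather than being dismissed as harmless leftover.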

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #34 on: June 22, 2007, 08:14:42 PM »
Thanks for that tip. So should I send the original file, which I still have in zipped format, to avast ???
I sent only the extracted file...
And one more thing I would like to clarify ..
When we use VirusTotal .. there is an option on the page that says not to give the uploaded sample for analysis....
So by not clicking that and uploading the file, does it mean that the file will be passed on to all the anti virus companies ..and also avast???? 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: multiple infection!!!!!
« Reply #35 on: June 23, 2007, 03:32:32 AM »
Quote
does it mean that the file will be passed on to all the anti virus companies ..and also avast???? 
Yes.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #36 on: June 23, 2007, 02:54:03 PM »
Quote
does it mean that the file will be passed on to all the anti virus companies ..and also avast???? 
Yes.

Whilst yes is the correct answer, by all accounts this isn't very prompt, and one of the team has mentioned that a lot of junk is also generated. So I wouldn't rely on it; I would say, if possible, send it directly to avast, preferably from the chest.

We all await the planned update to the avast submission process, though they aren't forthcoming about a timetable for it.

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #37 on: June 24, 2007, 09:37:08 PM »
Yeah, but I always press the "don't distribute to anti-virus companies" option because..
why give free samples to companies like
BitDefender, Norton, Microsoft
who sell their products at elevated prices..
It's like they are selling what we give them for free..
and that's the least of the concern considering the
buggy, non user-friendly, CPU gobbling, crappy interface software they try to sell..
In fact I think they should be paying us to use that... ;D ;D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #38 on: June 24, 2007, 10:52:50 PM »
That action would also deny it to avast if avast didn't detect it. So you would have to find a way to send the samples, as you have web-based email.

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #39 on: June 24, 2007, 11:17:15 PM »
Yes, I promptly send all my samples with the VirusTotal analysis and added comment.. to avast, but it takes weeks for them to put it in the database... and some samples are not yet detected ..that's the matter of concern.....

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: multiple infection!!!!!
« Reply #40 on: June 24, 2007, 11:28:28 PM »
Quote
That's the matter of concern
Yeah... we complain a lot about detection... but it never seems enough :'(

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #41 on: June 26, 2007, 06:13:28 PM »
Hi, I totally forgot to mention another symptom when I was affected with that rootkit that F-Secure detected...
You people know that there is a hidden system folder called "System Volume Information" in each drive that stores the restore points.. When we untick "show hidden system files" in the folder options box.. it is seen, and when you try to click on it, access is denied..............
Well, when you are infected with that rootkit, the folder becomes accessible. I mean you can go into the folder and explore it and stuff.
Now it's ok since I have removed the rootkit.... I guess avast should give rootkits more importance.. when they are updating their detection   
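The symptom described in this post (a normally locked "System Volume Information" folder suddenly being browsable) is something a defender can check for directly. The PowerShell below is an added example for this thread, not code from any poster; it reports, for each fixed drive, whether the current user can list the folder and who is granted access on its ACL, and flags anything other than the default (listing denied, only NT AUTHORITY\SYSTEM granted). The set of drive roots it scans and the "SYSTEM only" expectation are assumptions about a default Windows install; run it from an elevated prompt so the ACL is readable.

```powershell
# Added example (not from the thread): check whether "System Volume Information" on each
# fixed drive still has its default lock-down. Default behaviour on a clean system is that
# listing the folder is denied (even for administrators) and only NT AUTHORITY\SYSTEM
# appears in its ACL; anything else is worth investigating.
# Assumed: drive roots of the form X:\ ; the SYSTEM-only ACL is the expected baseline.

function Test-SystemVolumeInfoLockdown {
    param(
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem |
                            Where-Object { $_.Root -match '^[A-Z]:\\$' } |
                            Select-Object -ExpandProperty Root)
    )
    $expected = 'NT AUTHORITY\SYSTEM'
    foreach ($root in $Roots) {
        $svi = Join-Path $root 'System Volume Information'
        if (-not (Test-Path -LiteralPath $svi)) { continue }   # e.g. non-NTFS volume

        # Can the current user enumerate the folder? On a default install the answer is no.
        $listable = $true
        try   { Get-ChildItem -LiteralPath $svi -Force -ErrorAction Stop | Out-Null }
        catch { $listable = $false }

        # Who is granted access? Unreadable ACL is reported, not treated as suspicious.
        $aclReadable = $true
        $grantees    = @()
        try {
            $grantees = @((Get-Acl -LiteralPath $svi -ErrorAction Stop).Access |
                          ForEach-Object { $_.IdentityReference.Value } |
                          Sort-Object -Unique)
        } catch { $aclReadable = $false }

        $foreign = @($grantees | Where-Object { $_ -ne $expected })

        [pscustomobject]@{
            Path        = $svi
            Listable    = $listable
            AclReadable = $aclReadable
            Grantees    = ($grantees -join ', ')
            Suspicious  = $listable -or ($aclReadable -and $foreign.Count -gt 0)
        }
    }
}

Test-SystemVolumeInfoLockdown | Format-Table -AutoSize
```

A `Suspicious` result is a prompt to look further (a rootkit scan, and a review of who changed the ACL), not proof of infection on its own: backup and imaging tools sometimes add their own service account to this folder deliberately.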

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #42 on: June 26, 2007, 06:29:09 PM »
system volume information accessible+rootkit

Guys, I could not get you any direct links, sorry, my net is down.. so try giving these words in the Google search box.. I guess it is a little known rootkit.. and if any virus analysts are here in the forum I would gladly pass a sample on to them, no problem. Because rootkits are more dangerous  :P