Topic: I'm infected with a new UNCURABLE trojan known as chinappi.exe and chinappi2.exe

yoshi523

  • Guest
Hi,
I have some viruses/trojans that have just come up and infected a number of system files, including iexplore.exe. Initially a number of files described as trojan horse PSW and others came up, and I moved them to the vault. I have tried booting in safe mode and tried the Avast clean software, but it found nothing. I googled, and other users have run a whole host of anti-malware programs only to find no fix. Only on opening Windows XP to an active internet connection does it come up with more instances of the trojan. I believe that it has created a hole in my firewall and is going on to the net to download this trojan, causing more harm each time I start up Windows with the internet connection running.

Every time I run Windows this is the main alert I will see each time:

File: install.8800.org/files/chinappi.exe
Infection: Trojan horse PSW.OnlineGames_r.CC

 and

install.8800.org/files/chinappi2.exe
Infection: Trojan horse PSW.OnlineGames.BQNV


I have googled chinappi.exe, including "fix", "remove", etc., but there are very few hits and no info in them, except from the antivirus website www.prevx.com. They claim on their front page that chinappi.exe is a new virus/trojan that is not detected by other major virus scanners such as AVG, Kaspersky, Avast! and others. There is a longer list of other new viruses they claim this about also. When I click on the chinappi.exe link on their site, it says it is a cloaked malware. It says it offers free trial software with an included free cleaning function, but after I download it and run it, it says it detects problems, then stops and will not clean anything, but rather prompts me to go to their site to pay for a registration before cleaning anything!! How rude. This is by no means truth in advertising in my opinion, and I feel that in Australia the consumer watchdog would be on to them about this wrongful marketing.

Anyway, it still leads me back to my problem. I have a system that is definitely infected and getting worse, and there is no info out there on how to remove this sneaky malware/trojan/virus. More worrying is that current major virus scanners aren't picking up the root problem and fixing it, which makes me wonder if this could spread to other computers in our network under the radar. I hope not. I hope there is a solution soon!! :'(

YoKenny

  • Guest
Anything from 8800.org is suspect as McAfee SiteAdvisor rates the site RED:
http://www.siteadvisor.com/sites/8800.org

You will probably have to go to a non-infected system to download SUPERAntiSpyware then put it on a CD or Flash card and run it on the infected system:
http://www.superantispyware.com

micky77

  • Guest
The site 'prevx' you have a link to is the pro 'prevx edge'. There is a free version called prevx CSI, which will clean malware; however, it used to be prone to false alarms. As YoKenny suggested, try SUPERAntiSpyware. Also try Malwarebytes Antimalware, and try HijackThis: choose 'scan and save a log file'. Copy and paste the log results that will appear in Notepad, as well as the results of the other two programs.

MBAM ( free )  http://www.malwarebytes.org/mbam.php

HJT http://filehippo.com/download_hijackthis/
« Last Edit: March 03, 2009, 08:35:20 PM by micky77 »

Mr.Agent

  • Guest
So Yoshi, has it worked? Let us know, because if it didn't, maybe we can help you more!

graham.lv

  • Guest
ME TOO: I'm infected with a new UNCURABLE trojan known as chinappi.exe
« Reply #4 on: March 13, 2009, 07:07:23 PM »
I got it yesterday!   (I'm in Australia) Using Windows 7 (7000) beta and Firefox.  Believe it came through Firefox on a click to redirect web page. Went straight to IE 8 beta that I don't use because IE came up to configure it! So, I may not have used IE 8 before.

**** It is Avast! antivirus that I'm using on Win 7 that picked it up - just comes up a couple of times to abort connection, then no more. Does not stop connection but says it will terminate DOWNLOAD.  Yes, I know I'm on the Avast! forum, but you may have thought I was using another AV as I Googled to find this... did not come here direct.. was looking for cures, same as org. poster.

Lost my Vodafone Mobile Connect and ATI Catalyst control panel (beta for Windows 7).  Luckily, Windows 7 has Network and Sharing Center, so still able to connect to Net on wireless 3G.

I blocked the URL 8800.org thingy in Internet Explorer 8, but has no effect.

*Fortunately, as using Windows 7 (7000) beta, only a month till RC on 10th April, so everything gets wiped then...  And can use Vista PC if necessary.

Found this below ............. Chinese but used Google translate.

How to get rid of CHINAPPI.EXE
Author: CHINAPPI.EXE Hits: 13 UpdateTime: 2009-3-2 17:04:00
How to remove CHINAPPI.EXE

Description of CHINAPPI.EXE:

Same kind threat (Some information from Virus Total and Virscan): The threat same as the virus: Cloaked Malware

File Behavior
CHINAPPI.EXE was detected the following harmful actions:
  • Adds products to the system registry
  • This process creates other processes on disk
  • Creates a new Background Service on the machine

CHINAPPI.EXE harmful action:
  • Created as a process on disk
  • Deleted as a process from disk
  • Executed as a Process
  • Downloaded from covert web sites without the user knowing
  • This program is often downloaded from the web

The threat CHINAPPI.EXE detected Feb 23 2009 of Virus Alert online: SPAIN on Feb 23 2009, NORWAY on Feb 23 2009

CHINAPPI.EXE same kind threat: 53271861.DAT, 03702669.EXE, ATLSYSTEM7236.EXE, FORX719764.EXE, FORX740914.EXE, KOPI AV FORX38988.EXE, W0W.EXE, FORX152203.EXE, FORX107665.EXE, FORX442783.EXE, FORX186558.EXE, CHINAPPI[n].EXE

Threat file size: 103,424 bytes; 115,200 bytes; 97,792 bytes

CHINAPPI.EXE removal process

1. For remove CHINAPPI.EXE need temporarily disable System Restore and Reboot computer in SafeMode;

2. Locate CHINAPPI.EXE and Delete any values added to the registry related with CHINAPPI.EXE, then restart the computer;

3. Delete CHINAPPI.EXE virus files or unlock CHINAPPI.EXE (download killbox to unlock CHINAPPI.EXE);

4. Delete IE temp files with CHINAPPI.EXE and run a whole scan with antivirus program;

Seek help in removing CHINAPPI.EXE? Post Hijack log on Free Virus Remove Help forum.

CHINAPPI.EXE Language: English

Infected Platform: Windows 98, ME, NT, 2000, XP, Server 2003;

MD5: yhh11857r849itkg11857jpriwc973re11857ir89gj11857;

Update Time: 2009-3-2 17:04:00;

Infected Times: 11857

CHINAPPI.EXE File type: PE

http://72.14.203.132/translate_c?hl=en&sl=zh-TW&u=http://oral8.com.cn/VirusAlert/VirusAlert_11857.html&prev=/search%3Fq%3Dchinappi%2B2.exe%26hl%3Den%26sa%3DX&usg=ALkJrhgkLboNl7WFQg2Ew5z8sAnpYDnvGQ


==========================================================================

***Just been running Malwarebytes while posting - put in results with edit.  SUPERAntiSpyware will not install on Windows 7 beta, or the malware is affecting it - causes BLUE SCREEN OF DEATH!

Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 6.1.7000

14/03/2009 3:23:50 AM
mbam-log-2009-03-14 (03-23-50).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 204622
Time elapsed: 47 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdss.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCSHIELD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xccinit (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\inf\xccefb090310.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\inf\rundll33.exe (Spyware.OnlineGames) -> Delete on reboot.

------------------------
« Last Edit: March 13, 2009, 07:41:43 PM by graham.lv »
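
An added example, not part of graham.lv's post: a small parser for the Malwarebytes log format shown above that pulls out what a responder should re-check after cleanup. It separates the Image File Execution Options keys (the entries the log labels Security.Hijack), the autostart value, and any file still waiting on a reboot. The sample text is a constructed excerpt in the same format, and the function and group names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the Malwarebytes log above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xccinit (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\inf\rundll33.exe (Spyware.OnlineGames) -> Delete on reboot.
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:\s*$")  # header, no count
ITEM = re.compile(r"^(?P<path>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
IFEO = "\\image file execution options\\"
RUN_KEYS = ("\\currentversion\\run\\", "\\policies\\explorer\\run\\")

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with the section it was in."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items

def triage(items):
    """Group findings by what has to be verified again after the cleanup."""
    out = defaultdict(list)
    for it in items:
        p = it["path"].lower()
        if IFEO in p:  # key is named after the executable it applies to
            out["blocked_security_tools"].append(it["path"].rsplit("\\", 1)[1])
        elif any(k in p for k in RUN_KEYS):
            out["autostart"].append(it["path"].rsplit("\\", 1)[1])
        if "reboot" in it["action"].lower():
            out["pending_reboot"].append(it["path"])
    return dict(out)
```

Anything listed under `pending_reboot` is still on disk until the machine restarts, so a second scan after the reboot is the check that confirms the cleanup.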

DavidR

  • Avast Überevangelist
I would suggest you beef up Firefox with the NoScript add-on. If the redirect is in JavaScript then it wouldn't execute unless you specifically allow or temporarily allow the original site.

This can also get in by the use of injected iFrame tags, which aren't scripts so by default wouldn't be blocked by NoScript, but you can add iFrame blocking to the NoScript options.