New Facebook virus ?

[chabbo]

hello, i tink i got a new Facebook virus

its link to atitta på denna bild hxxp://yuarel.com/facebook-album-10-05-15-JPG

and its a file who i have on desktop look like Facebook app

but no idea how to send it to avast, avast dont see it as virus,

[chabbo]

hello, i tink i got a new Facebook virus

its link to atitta på denna bild hxxp://yuarel.com/facebook-album-10-05-15-JPG

and its a file who i have on desktop look like Facebook app

but no idea how to send it to avast, avast dont see it as virus,

http://www.virustotal.com/sv/analisis/370e2de98ca15a168e8110fc20bd4d674a919ed92fe934cd9f2742b5fff9a1e9-1273949310

[Hermite15]

I tried to have a look at it through Firefox virtualized but it's not a pic, it's a screen saver, and I don't want to download it for testing

[chabbo]

that shit did froze my pc and spam over my msn :'(

[YoKenny]

Please go to PROFILE then Modify Profile then Forum Profile Information then  Signature: and put information about your system just like my signature about your system just like my signature so that the helpers can offer pertinent advice.

In Account Related Settings select Hide email address from public to prevent scammers and spammers harvesting your chli_peppar hotmail.com email address.

hxxp://yuarel.com/facebook-album-10-05-15-JPG is .scr malware!

[Hermite15]

that s**t did froze my pc and spam over my msn :'(

ok use this:
http://www.malwarebytes.org/mbam.php (although I swore I would never recommend it again, not very friendly guys over there)

run a quick scan with it, post the log here; if anything found follow the instructions and reboot.

[YoKenny]

Malwarebytes is very friendly to people that have malware and have a malware problem.

It i

[chabbo]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4104

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-05-15 21:39:53
mbam-log-2010-05-15 (21-39-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 158779
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winsvncs.txt (Malware.Trace) -> Quarantined and deleted successfully.

[chabbo]

its still not deleted :O

[Hermite15]

its still not deleted :O

I suppose you were prompted for action and reboot no? did you do that?

edit: or is it something else now, your system's still infected I presume...

[essexboy]

Hi lets have a look see - you will need to attach the logs as they are large

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Attach both logs

[polonus]

Hi forum users,

Be cautious with this website link: http://safeweb.norton.com/reviews/41176
http://www.unmaskparasites.com/security-report/?page=http%3A//yuarel.com/facebook
Suspicious inline script:

Code: [Select]

var gaJsHost=(("https:"==document.location.protocol)?"https://ssl.":"http://www.");
document.write(...     about what this malicious adcode does:
http://www.google.com/support/forum/p/Webmasters/thread?tid=524385eed6a23eb9&hl=en
and

Code: [Select]

 var pageTracker=_gat._getTracker("UA-3938091-1");
pageTracker._initData();
pageTracker._trackPagevi...  code outside HTML which is suspicious....
Malware description here: http://forum.malekal.com/http-yuarel-com-facebook-jpg-20100511n-t25590.html
and can be found here: http://support.clean-mx.de/clean-mx/viruses.php?sort=satzart%20asc
seems all profiles are being tracked for dubious purposes...
A way that credential theft is being performed: http://evilcodecave.wordpress.com/2009/01/24/msn-credential-theft-httpzopblobcom/
Malware description: http://www.sophos.com/security/analyses/viruses-and-spyware/malvbinjectt.html
http://www.threatexpert.com/report.aspx?md5=ee04ef11df3b09a8235790af3521f520
and this somewhat earlier variant:
http://www.threatexpert.com/report.aspx?md5=39aa7adf2cb4d7b3d9b1cf319b983f5c
For succesful removal one needs:
1. Temporarily Disable System Restore;
2. Update the virus definitions or definitions of MBAM and/or SAS. Reboot computer in SafeMode;
3. Delete the IE temp files,some Mal/VBInject-T temp file exist there,
but better you follow essexboys' instructions to the dot, he will lead you through the necessary cleansing steps

polonus

[chabbo]

Your file is too large. The maximum attachment size allowed is 200 KB.

[essexboy]

Could you upload the main txt file  to Mediafire and post the sharing link.

[Pondus]

Have sendt sample to avast and malwarebytes......