bad virus



OK, here's what happened; I feel like quite an idiot.

A few months ago my hard drive died a natural death, so I got a new one of
course ... I have been meaning to reinstall my favorite game, Dark Crusade,
and finally got around to doing it; I was just jonesing to play.

It wouldn't install; there were errors on the disc. I've got 3 CD/DVD drives in
my computer, tried all 3, and none of them could install it. Tried cleaning
it, still no luck. I was fixated on playing this game, so I decided to
download it, and of course, using my legit serial #, there would be no
problems.

So I found it and downloaded it, pretty big file, 3.5 GB, took a few hours,
so I put the image in my ******* drive, and right off the bat Avast popped
up a virus warning.
I thought it was a false alarm; I figured, why would anyone hide a virus in
a 3 GB file?
So like an idiot I disabled the antivirus and tried it again, clicked on setup,
and all hell broke loose.
Pop-up windows galore, warnings left and right from programs I never
installed, this disabled, that disabled. In a panic I reactivated the
antivirus, but it was too late.

This program, called "Windows XP virus removal tool", popped up and started
running a scan, finding dozens of viruses and malicious programs, flashing
all kinds of warnings.
At first I thought, cool, never knew I had this program; it looks official,
right from Microsoft.
But it has a button that says "click here to get the full version so you
can be fully protected", so I got suspicious and figured it was the virus
trying to get me to do something.
Couldn't stop this program; Ctrl/Alt/Delete had no effect, closed down my
firewall etc., and who knows what else.

So I ran Spybot; it took quite a while to scan, but it found a load of
problems, including malicious registry entries, malware, spyware, bots, you
name it.
So I clicked "fix the problems", and Spybot froze right up.
This damn virus disabled any preventive measures I was trying to take.

So I tried running Avast again; it said "warning, virus detected in memory.
It is dangerous to work in this state, recommend reboot so Avast can scan
and remove files before they load".
Sounded good to me, so I rebooted and Avast ran, found at least a dozen
infections, and cleared them out.

So I booted normally, and hell was still breaking loose, damn.
So I tried booting in safe mode; I ran Spybot again and it found all those
problems again, including the bogus registry entries.
Apparently the virus couldn't affect it in safe mode, and it deleted most
of them; it said there was 1 it couldn't delete, and would do it on next
boot up.
So I restarted again, and Spybot started scanning, a deep scan, took damn
near 4 hours.
Found more problems, deleted them, so I ran Avast again, and now Avast is
corrupted, won't run.
Tried installing AVG; it said Avast needs to be uninstalled first.
Fine - But the virus has got that covered; it won't uninstall. Same with
Kaspersky or whatever it's called; tried to install that, but it needs Avast
uninstalled, which ain't happening.

Tried rebooting in safe mode again, and was greeted by a blank screen.
So now I ran Spybot again and it found 100's of infections; they seem to
regenerate.

This virus seems to want to trick me into thinking everything's OK. Right
now I can browse around almost normally, but I'm going to pull the internet
connection as soon as I post this; who knows what it's trying to do?

So any advice to get rid of this thing?
Edit - Did it again; all of those problems above, Spybot is unable to get
rid of.
Oh, and tried system restore; the virus has got that covered too.
Only 1 restore point, and that's today - Got this virus about 3am this
morning.

Edit - Booted into safe mode successfully; Spybot found the infections
again, and deleted all but 1, which was apparently running.
1 is in a folder c:\windows\system32\lowsec
I could see the actual files in safe mode, tried to manually delete them but
I couldn't.
In normal mode they aren't visible.

Re: bad virus



Xray wrote:


It was too late the microsecond you ran whatever it is you ran -- though
you were probably infected from a web site.

Get these two free-for-home-use programs.
Download, install, update, scan.
MalwareBytes AntiMalware: http://malwarebytes.org/
SUPERAntiSpyware: http://superantispyware.com/

Use a better browser. Get a firewall.

--
   -bts
   -Four wheels carry the body; two wheels move the soul

Re: bad virus




Yes, I realize it was too late - and so do most people who slam on the brakes
before slamming into a light pole.
I didn't get infected from a web site; I got infected from a 3 GB file I
downloaded from Usenet, after I carelessly turned off my antivirus.

Browser's fine, firewall's fine, thanks.


Re: bad virus



Xray wrote:


I sorta doubt it was the 3 GB file. I personally know of no instances
where a malware-doer purposely set out to infect files of that size. Who
would download them?  Oh wait!  I know who would!!!   ;-)

What was the website (so it can be examined)?  Post the URL - but mung
it so it is not clickable.

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
(please excuse the IntelliTXT ads on this otherwise okay page)

--
   -bts
   -Four wheels carry the body; two wheels move the soul

Re: bad virus





Well, that logic was exactly what made me think the antivirus was giving a
false alarm; sadly for me, it wasn't - and the file is more like 4 GB.

There is no URL for this; it was downloaded from Usenet,
alt.binaries.games "Warhammer 40,000 Dawn of War Dark Crusade", posted Oct

If you really want to investigate this large file, here is the complete
header info; I'm here to tell ya it is infected, and infected big.
Premium servers like Easynews or Giganews are likely to be the only ones
still carrying this nearly half-year-old file.

date: 24 Oct 2009 01:31:40 GMT
lines: 566
x-trace: DXC=WB9m0E82BT5\nWXJLoiYd:L?0kYOcDh@:BK2jREKf`g:8S2RAnKBM\>h5gfcj>
lJI87Bf`@U07lA7=h7VX^H1@S?
nntp-posting-host: 0a548bf5.news.astraweb.com
organization: Unlimited download news at news.astraweb.com
xref: easynews.com alt.binaries.games:238756069
x-newsreader: JBinUp 0.90 Beta 7 - Build: 2008120403
(http://www.JBinUp.com)
subject: "Warhammer 40,000 Dawn of War Dark Crusade.par2" 594 yEnc (1/1)
path: sc-01!news-in-04.newsfeed.easynews.com!easynews.com!easynews!
npeer01.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-
media.com!nx02.iad01.newshosting.com!newshosting.com!novia!news-
out.octanews.net!mauve.octanews.net!news.astraweb.com!
border1.newsrouter.astraweb.com!not-for-mail
newsgroups: alt.binaries.games
x-no-archive: yes
 


Re: bad virus










| Well, that logic was exactly what made me think the anti virus was giving a
| false alarm, sadly for me, it wasn't - And the file is more like 4gb.

| There is no URL for this, it was downloaded from the usenet,
| alt.binaries.games "Warhammer 40,000 Dawn of War Dark Crusade" posted Oct

| If you really want to investigate this large file, here is the complete
| header info, I'm here to tell ya it is infected, and infected big.
| Premium servers like easynews or giganews are likely to be the only ones
| still carrying this nearly half year old file.

Like I said...

Usenet binaries are FULL of injected trojans.  Either the binary is the trojan, a
legitimate application is repackaged with a trojan, or some other method, but
Usenet binaries can NOT be trusted -- EVER.

In certain circles I am well known for investigating Usenet binaries.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: bad virus





There's a lot of crap out there, to be sure.
To say that every single one is infected is clearly ludicrous; there are
many clean programs available. I've never had much of a problem, for
years, until this one time I made the poor decision to ignore the antivirus
warning and proceed anyhow.
Live and learn.


Re: bad virus





No-one is saying that.


The best practice is to get your programs *only* from trustworthy
sources - *and* scan them.



Re: bad virus




Saying "Usenet binaries can NOT be trusted -- EVER." comes pretty close.


I agree.
In a perfect world, everyone would do that, every time.


Re: bad virus




Usenet binaries can only be trusted if you are *looking* for malware.
The fact that malware is often dispensed through that channel makes the
entire channel untrustworthy. There is no accountability for posters
posting programs, and even many viruses are first injected as germ files
(mainly trojans) posted to Usenet.



Re: bad virus {credibility alert}



On Sun, 21 Mar 2010 06:43:03 -0400, FromTheRafters wrote:



Including all the many jpegs found on binaries newsgroups?

Re: bad virus {credibility alert}




I was going to write "program binaries" above, but figured the context
was already established.

I have an excellent collection of usenet binaries (an M.C.Escher
collection and some really interesting fractal geometry and other math
related pieces).

But yes, even jpegs - if a popular program mishandles jpeg data, you
will probably find malware exploiting it in those groups as well. This
would not be as likely on a website with a contactable webmaster (or an
FTP from a personal contact).



Re: bad virus {credibility alert}



On Sun, 21 Mar 2010 07:32:14 -0400, FromTheRafters wrote:



PBS's NOVA series did an interview documentary on Benoît Mandelbrot back
in 2005; a real likeable guy. http://tinyurl.com/6s845a
 

Wasn't it the renowned 'Soooge' who crafted just such a jpg viewer?
Then there was that MP3 player by Kim Vanvaeck...

ya rilly gotta be careful whatcha click anymore ;-)

(confession)
and yes in addition to disks of fractals,
I've got many full of mp3s as well.

Re: bad virus {credibility alert}




Thanks for the link (nabbed a couple of small pics as well while I was
there - can't help myself).


...while others might do it by accident (an unintended vulnerability),
doing it on purpose is crafting a trojan.


Hadn't heard of that - Google here I come...


Yes indeed!


Same things apply, but you already knew that. :o)



Re: bad virus {credibility alert}





Could you expand on that?



Re: bad virus {credibility alert}



On Sun, 21 Mar 2010 09:20:44 -0400, FromTheRafters wrote:


I was being a bit facetious;
it wasn't actually a player per se,
but a variant of 'Scrambler' from a decade ago:
http://vil.nai.com/vil/content/v_98665.htm
(scroll down to characteristics)

Re: bad virus {credibility alert}




Okay.



Re: bad virus {credibility alert}




| I was going to write "program binaries" above, but figured the context
| was already established.

| I have an excellent collection of usenet binaries (an M.C.Escher
| collection and some really interesting fractal geometry and other math
| related pieces).

| But yes, even jpegs - if a popular program mishandles jpeg data, you
| will probably find malware exploiting it in those groups as well. This
| would not be as likely on a website with a contactable webmaster (or an
| FTP from a personal contact).

Some of the binaries that are malicious are NOT executables but are media files
exploiting Windows DRM, such as Wimad trojans.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: bad virus {credibility alert}




Exploiting in this case meaning the utilization of an IMO ill conceived
feature of the filetype which is supported by the player rather than an
exploit of a software flaw. Still, I would file that under "mishandling
data" and I have long considered WMP to be a trojan. Why would anyone
want a media file to cause the browser to fire up and visit a URL
supplied by what should always be considered untrusted input?



Re: bad virus {credibility alert}









| Exploiting in this case meaning the utilization of an IMO ill conceived
| feature of the filetype which is supported by the player rather than an
| exploit of a software flaw. Still, I would file that under "mishandling
| data" and I have long considered WMP to be a trojan. Why would anyone
| want a media file to cause the browser to fire up and visit a URL
| supplied by what should always be considered untrusted input?


Some believe it is a good idea to connect to the web to get a license for a
media file or such things as artist or album information.  That concept is what's
being exploited. Instead of getting a licence, the malware is obtained.  Zango is
well known for exploiting the DRM "feature".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
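The DRM "feature" Dave and FromTheRafters describe in the posts above is a concrete field in the file format: the ASF container behind WMA/WMV carries a Content Encryption Object whose last field is the licence URL the player contacts when it meets protected content, and an Extended Content Encryption Object whose XML blob can carry the same kind of URL. The Python script below is an added example, not code from any poster in this thread: it builds a constructed ASF header containing such an object and walks the header to list every licence URL the player would be sent to, so a file can be checked before it is ever opened. GUID values and the field layout follow the public ASF specification; the sample URLs, key id, the `scan_file()` helper and the regex heuristic used on the Extended object's XML are my assumptions for the demo.

```python
"""Scan an ASF (WMA/WMV) header for the DRM licence URL a media player would fetch."""
import re
import struct
import uuid

# Object GUIDs from the public ASF specification. On disk the first three GUID
# fields are little-endian, which is exactly what uuid.UUID.bytes_le produces.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")
ASF_FILE_PROPERTIES = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")

# Heuristic (an assumption for this demo) applied to the Extended object's XML blob.
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+")


def asf_object(guid: uuid.UUID, body: bytes) -> bytes:
    """Common ASF object framing: GUID (16 bytes) + total size (8 bytes, LE) + body."""
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_content_encryption_object(license_url: bytes) -> bytes:
    """Constructed Content Encryption Object; the key id and URL are demo values."""
    body = b""
    # Four length-prefixed fields: Secret Data, Protection Type, Key ID, License URL.
    for field in (b"\x00" * 8, b"DRM\x00", b"KID-demo\x00", license_url + b"\x00"):
        body += struct.pack("<I", len(field)) + field
    return asf_object(ASF_CONTENT_ENCRYPTION, body)


def build_asf_header(sub_objects) -> bytes:
    """Header Object: GUID, size, child count, two reserved bytes, then the children."""
    payload = b"".join(sub_objects)
    return (ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 30 + len(payload))
            + struct.pack("<I", len(sub_objects)) + b"\x01\x02" + payload)


def _parse_content_encryption(body: bytes) -> dict:
    pos, fields = 0, []
    for _ in range(4):
        (n,) = struct.unpack_from("<I", body, pos)        # struct.error if cut short
        pos += 4
        if pos + n > len(body):
            raise ValueError("truncated Content Encryption Object")
        fields.append(body[pos:pos + n])
        pos += n
    text = lambda b: b.rstrip(b"\x00").decode("ascii", "replace")
    return {"protection_type": text(fields[1]), "key_id": text(fields[2]),
            "license_url": text(fields[3])}


def find_license_urls(data: bytes) -> list:
    """Walk the header's child objects; return every licence URL (or parse error) found."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end, pos, found = min(header_size, len(data)), 30, []
    for _ in range(count):
        if pos + 24 > end:
            break                                          # header ends early: stop, never over-read
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            found.append({"object": str(guid), "error": "object size outside header"})
            break
        body = data[pos + 24:pos + size]
        if guid == ASF_CONTENT_ENCRYPTION:
            try:
                found.append(_parse_content_encryption(body))
            except (struct.error, ValueError) as exc:
                found.append({"object": str(guid), "error": str(exc)})
        elif guid == ASF_EXT_CONTENT_ENCRYPTION:
            # WMRM-style XML blob, normally UTF-16LE; look for URLs in both encodings.
            utf8 = body.decode("utf-16-le", "ignore").encode("utf-8", "ignore")
            hits = URL_RE.findall(body) + URL_RE.findall(utf8)
            urls = sorted({u.decode("ascii", "replace") for u in hits})
            found.append({"protection_type": "extended", "license_url": urls})
        pos += size
    return found


def scan_file(path: str, max_header: int = 1 << 20) -> list:
    """Read only the header object of a real file (never the stream data) and scan it."""
    with open(path, "rb") as fh:
        head = fh.read(30)
        if len(head) < 30 or head[:16] != ASF_HEADER_OBJECT.bytes_le:
            raise ValueError("not an ASF file")
        (size,) = struct.unpack_from("<Q", head, 16)
        return find_license_urls(head + fh.read(max(0, min(size, max_header) - 30)))


if __name__ == "__main__":
    # Constructed sample: a "song" whose DRM object points the player at an attacker URL.
    sample = build_asf_header([
        asf_object(ASF_FILE_PROPERTIES, b"\x00" * 80),
        build_content_encryption_object(b"http://license.example.invalid/get?id=42"),
    ])
    for hit in find_license_urls(sample):
        print(hit)
```

Any non-empty result is a reason not to open the file in a player that honours licence acquisition: whether the URL is a real licence server or a Zango-style installer cannot be told from the file alone, which is the point FromTheRafters makes about treating the field as untrusted input. The parser deliberately stops at the first object whose declared size runs past the header rather than trusting the size, since a hostile file controls every length field it contains.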


