the Obfustat virus


My aunt has the obfustat virus on her computer.

Specifically, "obfustat.UVE".

It resides in "c:\windows\system32\pccapcc.dll".

AVG free, up-to-date, detects it, but cannot delete it.
(select "heal", or "put in vault", and it thinks it did,
but the file is still there in system32).

Safe-mode boot, no difference.

I found several references to pccapcc.dll in the
registry, 2 under CLSID/,
and one under windows services, so I think it's being
loaded as a service (under svchost perhaps?)

What I would like to know is:
Is pccapcc.dll a file that is supposed to be in XP and
the virus has simply infected it, or is this a bogus dll
that has no business being there in the first place?

In other words, is it safe to chop out all references to
pccapcc.dll in the registry, so that XP will allow me to
delete the file without "access denied" ?
(The file permissions on pccapcc.dll look like deletion
is allowed, but any deletion attempt is still denied)

Anyone else out there had problems with an obfustat virus
that AVG couldn't remove?

--
Buzzard
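The questions in the post (is the DLL a Windows file, where in the registry is it hooked, and why does the delete fail) can be answered from one script. The following is an added example, not part of the thread and not from any of the tools mentioned in it. It assumes PowerShell 2.0 or later run from an elevated prompt on the affected machine; the file name is the one from the post and is the only input.

```powershell
# Added example (not from the thread): find every registry hook and running
# process that references a suspect DLL, and check its version info and
# signature, before deciding whether it is a Windows file or a dropped one.
# Assumes PowerShell 2.0+ from an elevated prompt on the affected machine.

function Find-DllReferences {
    param([string]$Name = 'pccapcc.dll')   # file name from the post

    $pattern = [regex]::Escape($Name)
    $results = @()
    $clsids  = @()

    # 1. The file itself.  Genuine system32 DLLs carry Microsoft version
    #    info and are signed.  Caveat: many OS files are catalog-signed,
    #    which older PowerShell versions report as NotSigned, so compare
    #    against a clean machine rather than trusting NotSigned alone.
    $path = Join-Path $env:SystemRoot "system32\$Name"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $ver = (Get-Item $path).VersionInfo
        $results += "file: $path status=$($sig.Status) company='$($ver.CompanyName)' desc='$($ver.FileDescription)'"
    }

    # 2. Services.  A DLL hosted by svchost is named in Parameters\ServiceDll,
    #    not in ImagePath, so check both.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $dll = (Get-ItemProperty (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
        if ("$img $dll" -match $pattern) {
            $results += "service: $($_.PSChildName) ImagePath='$img' ServiceDll='$dll'"
        }
      }

    # 3. COM classes.  InprocServer32's default value names the DLL.  The
    #    CLSID is what Explorer/IE autostart points refer to, so record it
    #    and check whether it is also registered as a Browser Helper Object.
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ips = Get-ItemProperty (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($ips -and ("$($ips.'(default)')" -match $pattern)) {
            $clsid   = $_.PSChildName
            $clsids += $clsid
            $results += "clsid: $clsid InprocServer32='$($ips.'(default)')'"
            $bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
            if (Test-Path $bho) { $results += "  -> $clsid is registered as a Browser Helper Object" }
        }
      }

    # 4. Run keys reference the file by path; ShellServiceObjectDelayLoad
    #    references a CLSID, so match those against the CLSIDs found above.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if ($p) {
            foreach ($prop in $p.PSObject.Properties) {
                if ("$($prop.Value)" -match $pattern) { $results += "autostart: $k\$($prop.Name) = $($prop.Value)" }
            }
        }
    }
    $ssodl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' -ErrorAction SilentlyContinue
    if ($ssodl) {
        foreach ($prop in $ssodl.PSObject.Properties) {
            if ($clsids -contains "$($prop.Value)") { $results += "autostart: ShellServiceObjectDelayLoad\$($prop.Name) -> $($prop.Value)" }
        }
    }

    # 5. Which processes have the image mapped right now.  This is why the
    #    delete is denied even though the ACL allows it.
    foreach ($proc in Get-Process) {
        $mods = $null
        try { $mods = $proc.Modules } catch { continue }
        if ($mods | Where-Object { $_.ModuleName -eq $Name }) {
            $results += "loaded: $($proc.ProcessName) pid=$($proc.Id)"
        }
    }
    $results
}

Find-DllReferences -Name 'pccapcc.dll'
```

If a `loaded:` line names svchost.exe, `tasklist /svc` maps that PID to the service names it hosts, which should agree with the `service:` line. A file with no company name, no Microsoft signature and no counterpart on a clean XP install is a dropped file rather than an infected system file, and its registry entries can go.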


Re: the Obfustat virus

Use one of these utilities to delete it.
Unlocker http://ccollomb.free.fr/unlocker/
Move on boot http://www.softwarepatch.com/software/moveonboot.html
Also try it in safe mode.


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com , David
H. Lipman, Max M Wachtell III  aka What's in a Name?, Fitz, Beauregard T.
Shagnasty, Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



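What the two utilities above do for a file that is mapped into a running process is queue the delete for the next boot. The following is an added example of doing that by hand, not code from the thread or from Unlocker/MoveOnBoot: it cuts the persistence first, tries a normal delete, and on access denied falls back to MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which Windows records in the PendingFileRenameOperations value and carries out early in the next boot, before services and COM servers can load the DLL. It assumes PowerShell 2.0 or later from an elevated prompt; the service and CLSID arguments are placeholders to fill in from a registry search, and the file path is the one from the post.

```powershell
# Added example (not from the thread): delete a DLL that is in use by
# disabling what loads it and queueing the delete for the next boot.
# Assumes PowerShell 2.0+ from an elevated prompt.  Service names and
# CLSIDs are placeholders; fill them in from the registry search.

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName,
                                     string lpNewFileName, int dwFlags);
'@

function Remove-FileOnReboot {
    param(
        [string]$Path,
        [string[]]$ServiceNames = @(),   # services whose ServiceDll/ImagePath is the file
        [string[]]$Clsids = @()          # CLSIDs whose InprocServer32 is the file
    )
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4

    # 1. Cut the persistence first so nothing reloads the file at next boot.
    #    Do not use regsvr32 /u for this: it runs the DLL's own
    #    DllUnregisterServer, i.e. the suspect code.
    foreach ($svc in $ServiceNames) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled -ErrorAction SilentlyContinue
    }
    foreach ($clsid in $Clsids) {
        Remove-Item "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid" -Recurse -Force -ErrorAction SilentlyContinue
    }

    # 2. Try a plain delete.  If the image is mapped into a process this
    #    fails with access denied regardless of the ACL, so fall back to a
    #    delayed delete: null destination + DELAY_UNTIL_REBOOT = delete at boot.
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return "deleted now: $Path"
    } catch {
        $ok = [Win32.Kernel32]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx failed with Win32 error $err"
        }
        return "queued for deletion at next boot: $Path"
    }
}

function Get-PendingFileRenames {
    # What the Session Manager will do at the next boot: pairs of source
    # (NT path form, \??\C:\...) and destination; an empty destination
    # means delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

Remove-FileOnReboot -Path (Join-Path $env:SystemRoot 'system32\pccapcc.dll') `
    -ServiceNames @('<service name from the registry search>') `
    -Clsids @('{<CLSID from the registry search>}')
Get-PendingFileRenames
```

After the reboot, confirm the file is gone and rerun the scanner. Note that on XP, turning System Restore off discards all restore points, so any copies of the file that were captured there are purged at the same time; a restore point does not put the file back on its own, only a deliberate restore to it would.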



Re: the Obfustat virus

in alt.comp.virus on Tue, 11 Dec 2007 18:55:59 -0500 and shouted for
all to hear..


Have you tried using Spybot Search & Destroy to see if it detects any
problems on the comp?


I use Windows 98 Second Edition on this comp, my wife uses Windows XP
Home on hers. I searched her registry and found no reference to that
file, let alone the file itself on her comp. So it's safe to assume
that the file has nothing to do with Windows itself. I also did a
search for the file at Yahoo! and Google. No information at either
site on that file.


Not personally since I use Norton Anti Virus version 5.0 on my comp.
But you may want to download System Mechanic (http://www.iolo.com) and
disable any rogue programs in Windows Startup Manager.

I would also recommend disabling System Restore before performing any
scans and fixing any problems if you haven't done so already.

In my search I did happen to make note that there are others out there
using AVG that say they're having the same problems removing the bug
that you're having. So you can rest assured that you're not alone.

Unfortunately I've found nothing in my searches on what the malware
is. Some sites call it a trojan, others a virus and a couple, a
rootkit.

If the IP you're posting from is your aunt's IP address and not yours,
I'd be happy to run an nmap scan on the IP to determine if there are
any ports open to the outside world that would be opened by a trojan.

I could post the results here or email. I would rather prefer using
email to inform you of any vulnerable ports that I find opened as
opposed to posting them in a public forum as anyone with malicious
intent could use the information and cause harm or damage.
--
With TV dinners, you don't get leftovers, you get reruns.

Re: the Obfustat virus

Sycho wrote:

So far I've only tried the AVG.  It'll take me a while
to download the other stuff, due to the snail-slow internet
in this area.  (Dialup only, and nowhere near 56k)


My pc is win98 also.  Haven't had any viruses at all since
August 2005.

What I don't like about XP is that you can't boot to plain
DOS and still get to your files.  I would have deleted, or
moved, pccapcc.dll that way.


Disabling sys restore...  I'll try that next time I'm at my aunt's.
Will a functioning sys restore put the virus right back on reboot,
or only if someone reverts to an infected restore point?


I'd bet AVG has been hearing some comments, then


No, I'm posting from my own pc.

--
Buzzard

Thanks for the help.  I'll be back later to see about
other solutions if this doesn't work, and also about
getting the aol connectivity dialer and an expired
McAfee (both of which REFUSE to uninstall) removed.


Re: the Obfustat virus

in alt.comp.virus on Fri, 14 Dec 2007 01:33:50 -0500 and shouted for
all to hear..


Ah damn. :( Well I can still hook you up with anything you might need
regardless of your connection speed.


Ah yes! That's why I still refuse to switch to XP for that very reason
alone. If I can't work straight in DOS mode there's no point in having
the OS. I shouldn't have to load a boot disk just to get to the
command prompt. That's just gay. Hell I won't use an FTP client if I
need to upload or download anything from any of the three computers on
my network. I do that right from the command prompt. I guess I'm old
fashioned that way. lol


I'm not really sure on that to be perfectly honest, I just know that
that's how some reinfections occur is if system restore is enabled
while ridding the problem. Another stupid feature Micro$oft added that
wasn't needed.


It wouldn't surprise me. It's a shame that your aunt is using XP
otherwise I would have you get Norton Anti Virus v5 off my warez page.
That particular version won't run on XP unfortunately. Otherwise my
wife would have that installed on her comp immediately.


Ah, ok. Well I'm guessing then that she's also on dial-up? If so it
wouldn't do any good getting the IP address to me since it would
change at every logon you/she made.

You are more than welcome at any time to connect to my IRC server
should you want to discuss this in more detail. My IRC is open 24/7 to
anyone.

Connect to 3wd.no-ip.org:9800

And the channel is #3wd.

Feel free to register your nick on there.

Syntax is: /msg nickserv register <nickname> <password> <email>
Ex: /msg nickserv register Foo skittles lol@you.org

Once you've register and want to connect at a later time, to ID use
this:

/pass <password>
Ex: /pass skittles

I don't ask that anyone use their real email address. Make up one.

If you have a CD burner I'll hook you up with anything that I think
you can use on your comp as well as your aunt's comp to clean the
infection. Most of the stuff I have is in ISO format.
--
Unofficial M$ Motto: "Micro$oft: Have you hugged your BSoD today?"
