viri help

mo2332 · Post by **mo2332** » 17 Sep 2008, 17:22

Quote:
Trojan.Agent.AAQK

( Troj/FakeAV-CC, W32/Agent.AAQ!tr, Win32/Small.NEB trojan, Trojan W32/Agent.GYHC, Trojan.Fakealert.1260 )
Spreading: low
Damage: low
Size: 24,5KB, 40KB
Discovered: 2008 Aug 27

SYMPTOMS:

A file named __a00[some-hexa-digits].exe in C:\Documents and Settings\\local settings\temp having a dimension of 40KB.

One or more files named __c00[five-hexa-digits].dat in the system directory (c:\windows\system32) with a size of 24,5KB (25088 Bytes)

The presence of a mutex named vmc_mm.

TECHNICAL DESCRIPTION:

The malware copies itself to
C:\Documents and Settings\\local settings\temp under the name
__a00[some-hexa-digits].exe

and adds the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run \A00[some-hexa-digits].exe
C:\Documents and Settings\\Local Settings\Temp\__a00[some-hexa-digits].exe

Aftewards, the trojan will drop a .dll file (in the directory from where it was run) under its original file name and extension followed by .dat. It will load this dll and will execute it's exported function named A.

Running that code will copy the dll in the system directory (C:\windows\system32) under a name of the form __c00[five-hexa-digits].dat and will set the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00[five-hexa-digits]
* Logon -> B
* Impersonate -> 0x00000000
* DllName -> C:\WINDOWS\system32\__c00[five-hexa-digits].dat
* Startup -> B
* Asynchronous -> 0x00000001

Also, it will create a mutex named vmc_mm and will download a file from a link that was down at the moment this description was made.

yeh help plz

Nerdz · Post by **Nerdz** » 17 Sep 2008, 20:11

kaspersky free trial.

mo2332 · Post by **mo2332** » 18 Sep 2008, 17:53

cant delete it

Nerdz · Post by **Nerdz** » 18 Sep 2008, 20:22

try to run it at startup

mo2332 · Post by **mo2332** » 18 Sep 2008, 22:00

like in safe mode?

Post by **bad_brain** » 19 Sep 2008, 02:58

yep!

Still_Learning · Post by **Still_Learning** » 19 Sep 2008, 08:29

So all windows virus can be deleted completely by entering safemode first? if not which ones cant? Master boot record virus and rootkits?

Post by **bad_brain** » 19 Sep 2008, 09:31

never seen a rootkit or a MBR virus on a home computer, rootkits are mostly used on servers and for a MBR virus you need physical access (I guess)....so it's more likely to win the jackpot in the lottery than to catch an infection with one of those...

the reason why most viruses can't be deleted that easy is because they are running processes, and MS is a little crippled compared to Linux when it's about stopping them....and the files involved in the running process can't be deleted as long as the process is not stopped. booting in safe mode just starts the basic system processes, so the chance is goot that the virus process will not be started which makes deletion easier...

Oppconsulting · Post by **Oppconsulting** » 20 Sep 2008, 19:07

I have yet to run into a true virus in over 5 years.
my point its mostly all active x and other web trash.
I dont evan run virus anymore just use etrust pest patroll
adaware pro old version not new adaware its crap and also use windows washer and cc cleaner or go to a boot disk and go to the windows online files and empty it

good luck

kd1210 · Post by **kd1210** » 15 Nov 2008, 01:55

hey da post seemed really helpful...
can u provide sm info of other viruses as well like how they attack n hw can they b removed manually???
i use avast on my vista home...

Post by **bad_brain** » 15 Nov 2008, 04:24

hm, in context with viruses http://vx.netlux.org/ is THE place to start, you can get all kind of info and even the virus source codes there, also check out the link section.

rhysh · Post by **rhysh** » 15 Nov 2008, 04:40

use msconfig
start>run>msconfig

startup>disable it there
also check services and click hide all microsoft services,and disable the virus seric(es)

a startup item runs at current user privs
'a service runs at admin privs always