LiveJournal for prog_threats.


Thursday, April 6th, 2006

Subject: I have a problem...
Posted by: coexist_love.
Time: 7:58 pm.
I got an e-mail from my mail delivery subsystem:

You have a virus in your email, we will not deliver your mail item to [insert sender e-mail]. Please fix your
system before sending additional emails (virus found Win32:Netsky-AF [Wrm] SOAC Systems)
The original message was received at Thu, 6 Apr 2006 10:23:18 -0700
The message was sent from: [insert my e-mail here]
The message was sent to: [insert sender e-mail]

The virus found was: Win32:Netsky-AF [Wrm]

but when I scanned my computer it said there was nothing wrong. I scanned it with both Norton and AVG and neither said anything about it. Should I be concerned? I should also mention that I don't know the e-mail the message was sent to so this is an even bigger concern for me.

Please help. Much appreciated.
Comments: Read 6 or Add Your Own.
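A triage helper for notices like the one quoted above, added here as an example and not part of the post: it pulls the fields out of a scanner bounce and decides whether the bounce can be taken as evidence that the claimed sender's machine is infected. The field layout follows the post; the addresses in the sample are placeholders, and the set of sender-forging families is this example's own assumption (Netsky, Mydoom, Bagle and Sober all put harvested addresses in the From: line, which is why such notices reach people whose own scans come back clean).

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out like the notice quoted in the post above.
# Addresses are placeholders; the timestamp and virus name are the ones the post shows.
SAMPLE_NOTICE = """\
You have a virus in your email, we will not deliver your mail item to friend@example.org. Please fix your
system before sending additional emails (virus found Win32:Netsky-AF [Wrm] SOAC Systems)
The original message was received at Thu, 6 Apr 2006 10:23:18 -0700
The message was sent from: me@example.com
The message was sent to: friend@example.org

The virus found was: Win32:Netsky-AF [Wrm]
"""

# Mass-mailer families that put a harvested address in From:, so the scanner's notice goes
# to a third party rather than to the infected machine (assumed list for this example).
SENDER_FORGING_FAMILIES = {"netsky", "mydoom", "bagle", "sober"}

FIELDS = {
    "received_at": re.compile(r"^The original message was received at (.+?)\s*$", re.M),
    "claimed_sender": re.compile(r"^The message was sent from:\s*(\S+)", re.M),
    "recipient": re.compile(r"^The message was sent to:\s*(\S+)", re.M),
    "virus": re.compile(r"^The virus found was:\s*(.+?)\s*$", re.M),
}

BACKSCATTER = "backscatter"        # notice is not evidence that the claimed sender is infected
SENDER_SUSPECT = "sender-suspect"  # family is not known to forge senders; scan the claimed sender
NOT_OURS = "not-ours"              # the claimed sender is not an address we control


@dataclass
class VirusBounce:
    virus: str
    claimed_sender: str
    recipient: str
    received_at: str

    def family(self) -> str:
        # "Win32:Netsky-AF [Wrm]" -> "netsky": drop the platform prefix, keep the family name
        name = re.split(r"[:/]", self.virus)[-1]
        return re.split(r"[-.\s]", name, maxsplit=1)[0].lower()


def parse_virus_bounce(text: str) -> VirusBounce:
    """Extract the structured fields from a scanner bounce; ValueError if one is missing."""
    values = {}
    for key, pattern in FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"bounce notice is missing field: {key}")
        values[key] = match.group(1)
    return VirusBounce(**values)


def assess_bounce(bounce: VirusBounce, my_addresses) -> str:
    """Triage a scanner bounce against the set of addresses we control."""
    ours = {addr.lower() for addr in my_addresses}
    if bounce.claimed_sender.lower() not in ours:
        return NOT_OURS
    if bounce.family() in SENDER_FORGING_FAMILIES:
        return BACKSCATTER
    return SENDER_SUSPECT


if __name__ == "__main__":
    bounce = parse_virus_bounce(SAMPLE_NOTICE)
    print(bounce.virus, "->", assess_bounce(bounce, ["me@example.com"]))
```

A "backscatter" verdict does not excuse skipping the local scan the poster already ran; it only says the bounce itself points at whichever machine harvested the address, not at the address owner.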

Monday, January 2nd, 2006

Posted by: lennyisbuff.
Time: 3:05 am.
please please please help me!!!

Virus alert: a virus has been detected on your computer

Thank you for submitting an error report.

Problem description

The error was likely caused by a computer virus that is known by the following names:

Win32/Apropos.B
WinNT/Zufyx.A
Spyware.Apropos.C
Trojan.Win32.Crypt.t

i don't have the internet in safemode, so i can't do what the windows site tells me!

thank you for any help guys!
Comments: Read 3 or Add Your Own.

Friday, October 7th, 2005

Posted by: lunar_mantra.
Time: 7:08 pm.
guys help...

i found these weird icons on my desktop after going online last night - they were these porn and casino shortcuts. assuming they were some virus/adware, i ran adaware, but it didn't find anything! i ran norton too but it didn't find anything too...

i thought they were just some minor crap, until earlier today when i double-clicked my dialer (coz i'm a dial-up user).... the properties were changed (it didn't show the username/password box, so i clicked properties and enabled it). my username and passwords were changed too, along with the number to dial. every time i changed em back to what they should be and dialed, it would just close up on me on the third redial... plus, once i open it again, the settings and the usernames and stuff are changed again.

did i make sense? i hope i did....T__T

i tried to run the antivirus programs in safe mode too, but it still didn't find anything... no programs are listed in the add/remove programs panel too. X__X

hope you guys can help...thanks in advance...
Comments: Read 1 or Add Your Own.

Thursday, April 14th, 2005

Subject: not sure if this is on-topic . . .
Posted by: badkitty1782.
Time: 10:36 pm.
I've asked about this in a couple of other computer-related communities, but I haven't gotten any real help. Here's the post I put in my personal journal (under a cut in case it's too off-topic . . . I don't know much about computers):

I have also tried logging in on the other PC and the laptop in my house, and still no luck. I thought it could be some sort of virus or something . . . I don't know. No one else seems to be having this problem.
Comments: Add Your Own.

Posted by: brynderoy.
Time: 6:55 pm.
Haldo. I've recently come across a rather nasty malware threat. It started after I downloaded some 'critical updates' from the Microsoft website. First I was just receiving SpyBot dialogue windows like this:



I'd check the 'Remember this decision box' and click 'Deny change', but it wouldn't stop appearing. Then I noticed that whenever I used Internet Explorer (I normally use Firefox), I'd instantly get a pop-up ad. After a few days a foreign Search bar appeared at the bottom of my display, just above the task bar. This has since disappeared.

I've run countless AdAware and SpyBot searches and constantly update them but nothing helps. AVG Anti-Virus has told me a few times that it's detected a virus but won't allow me to delete, heal or quarantine it. It also gives me a location that doesn't exist and makes brief reference to a trojan.

I would be greatly appreciative should anyone be able to help me, say thankya. =)
Comments: Read 2 or Add Your Own.

Friday, February 18th, 2005

Subject: Spyware and viruses galore
Posted by: pezzy387.
Time: 9:05 pm.
So, lately I load Internet Explorer just to be greeted with the following:

-My homepage loading to a search page with the url "about:blank"

-A boatload of popups informing me that I have spyware

-An error window that announces that an "se.dll" file loaded improperly

-A pop-up from Norton announcing that Trojan.StartPage has been successfully deleted (yet it comes back everytime I load Explorer)

-A "Magic Search Toolbar" that has installed itself on my computer

-A folder full of bookmarks added to my Favorites

So, I run PestPatrol and it lists the following "pests":

-"GoHip" a hijacker

-"I-Lookup Directory" another hijacker

-"I-Lookup?" yet another hijacker

I've run Norton, deleted files through PestPatrol numerous times, and nothing seems to work. How do I get rid of this junk?
Comments: Add Your Own.

Thursday, February 17th, 2005

Subject: For Spybot users
Posted by: detlev409.
Time: 2:26 am.
This note was sent around today at my work, where we use Spybot daily:
~~~
I don't know if you guys are aware, but recently I discovered that both Spybot and Adaware are beginning to remove, or at least ignore, certain malware threats via updates. Obviously this is a double edged sword. The updates are needed to get rid of new stuff, but it seems these companies are building in patches in the updates to decrease functionality. I'm not sure this is fixable in Adaware, but it is in Spybot (thus far, anyway). Some things it's set to ignore include New.net and MySearch; both are things that you'd want to remove.

1. Open Spybot and make sure the mode is set to 'advanced.'
2. On the bottom left side, choose 'settings.'
3. Click on 'Ignore Products.'
4. You should now see a bunch of different tabs for different types of threats (Keyloggers, Hijackers, LSP, etc).
5. Scroll through each tab and make sure that NO entries are checked. A checked item means that Spybot will not even DETECT it as a threat upon scanning.
~~~
I checked this out after receiving the email and found that a brand new install (after updates) will have 3 instances of New.Net being blocked, but nothing else. Unfortunately, I can't remember which tabs they're in, and I've already unchecked those entries on this machine, so you'll have to look, but it's not brain surgery. Nothing huge, especially since New.Net seems to be one of the few crapware progs that will actually work with Add/Remove, but it's something to check after doing an update.
Comments: Add Your Own.

Wednesday, January 19th, 2005

Subject: bringing work home with me...
Posted by: detlev409.
Time: 8:16 pm.
Mood: exhausted.
I have a particularly stubborn subject at work just now that I'm hoping for some input on. It's a Win2k Pro Desktop, about 3 years old. Upon startup, I receive messages that some system files are corrupted and need to be replaced, and I need to insert the Win2k CD to replace the files. Inserting the CD gets you past the notices with a minimum of fuss, but the problem reappears upon restart. Adding to the fun was Symantec AV's refusal to un/re-install. We have an automated installer for the most recent version that should remove whatever version is currently installed, and it seemed to get most of the original install, but the new version was nowhere to be found. Retries garnered you errors, but nothing useful. Finally had to perform a manual removal of all previous installs, and fell back to the second most recent version, which installed, but would not update. Manually downloading the updates seemed to work fine. At first I thought the installer service was hosed, but obviously, I was able to install progs. Oh, also, the event log was corrupt. I've run chkdsk, but to no good. Nothing seems to faze this thing.

I'm also blocked from getting Windows Updates. I give you the error, but I dozed off writing this twice already; I just can't remember.

Any help at all is appreciated.
Comments: Add Your Own.

Tuesday, January 11th, 2005

Posted by: detlev409.
Time: 4:08 pm.
I have an odd problem. We've experienced an outbreak of epidemic proportions on our campus and I'm unsure of whether or not it's even a virus. The culprit is "calsp.dll," contained within the \system32\ folder. The symptoms of the problem include receipt of an error prior to login (our campus runs the Novell client on all machines) that reads "Remote Communications Management Error" or something similar. Affected computers pull 169 IP addresses, but when one attempts a release and renew, the system refuses, returning a message that "such an action cannot be taken on an object that is not a socket" (paraphrasing, can't remember exact words after the day I've had). Obviously, the user is unable to connect to the network. Our campus also runs Symantec AV corporate, which is unable to quarantine/kill/look in the general direction of the file at first. Our current solution consists of running the winsock fix, then running a virus scan upon reboot, as the winsockxpfix appears to free up calsp for SAV to get rid of.

Obviously this is extremely time consuming, and to be honest, it's just not 100% effective. I'm wondering, have any of you had experience with this? Why did it suddenly come out of the woodwork? I've been removing calsp.dll with LSPfix for months now, without any problem, but suddenly they're all borked. We have ~100 student laptops in at this moment right now, and the tide ain't slowing.

All systems are pretty similar.

XP Pro
1-2 Ghz
SAV Corporate
Novell installed.

-- Come to think of it, none of the affected machines is Win2k. Anyone know why that should make a difference? I'm out of my depth.
Comments: Add Your Own.
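An added example, not from the post: on XP SP2 and later the Winsock provider catalog can be listed with `netsh winsock show catalog` and rebuilt with `netsh winsock reset`, which is the supported form of the "winsock fix" step the post describes. The script below parses a listing in that layout and reports provider DLLs that are not on a baseline recorded from a clean build, which is a quicker way to spot a stray LSP such as calsp.dll across a fleet than opening LSPfix on each machine. The listing is constructed to approximate the real output (only a few fields are reproduced, GUIDs are placeholders), and the baseline set is an assumption you would replace with the entries from your own image; a machine with the Novell client will have additional legitimate entries.

```python
import re
from collections import defaultdict

# Constructed listing in the layout of `netsh winsock show catalog` (XP SP2 and later);
# only a few of the real fields are reproduced and the GUIDs are placeholders.
# The second and third entries mirror the post: calsp.dll installed as a layered provider.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        calsp
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\WINDOWS\system32\calsp.dll
Catalog Entry ID:                   1030
Version:                            2
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        calsp over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000003}
Provider Path:                      C:\WINDOWS\system32\calsp.dll
Catalog Entry ID:                   1031
Version:                            2
Protocol Chain Length:              2
"""

# Assumed baseline: provider DLLs recorded from a known-clean build of the same image.
# Replace with your own list; a machine with the Novell client will have extra legitimate entries.
BASELINE_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

ENTRY_HEADER = "Winsock Catalog Provider Entry"
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text):
    """Split the listing into one dict of field -> value per provider entry."""
    entries = []
    for chunk in text.split(ENTRY_HEADER)[1:]:
        entry = {}
        for line in chunk.splitlines():
            match = FIELD_RE.match(line)
            if match:
                entry[match.group(1)] = match.group(2)
        if entry:
            entries.append(entry)
    return entries


def dll_name(path):
    """Lower-cased file name of a provider path, whatever prefix (%SystemRoot% or a drive) it carries."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unknown_providers(text, baseline=BASELINE_DLLS):
    """Return {dll: [catalog entry ids]} for provider DLLs that are not in the baseline."""
    by_dll = defaultdict(list)
    for entry in parse_catalog(text):
        by_dll[dll_name(entry.get("Provider Path", ""))].append(entry.get("Catalog Entry ID", "?"))
    return {dll: ids for dll, ids in by_dll.items() if dll not in baseline}


if __name__ == "__main__":
    for dll, ids in find_unknown_providers(SAMPLE_CATALOG).items():
        print(f"unknown Winsock provider {dll}: catalog entries {', '.join(ids)}")
```

Matching on the DLL name rather than on the "Entry Type" text keeps the check useful even where the listing's wording differs between Windows versions; a base provider that has been replaced is as interesting as an added layered one.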

Tuesday, December 14th, 2004

Posted by: detlev409.
Time: 7:46 pm.
Have any of you come across any good ways of combatting the VX2 scumware? The Ad-aware plugin just doesn't have the consistency or effectiveness I need.

x-posted
Comments: Add Your Own.

Saturday, November 27th, 2004

Posted by: detlev409.
Time: 8:47 pm.
How many people here are users of Hijackthis? Personally, I find it invaluable for the removal of browser hijacks, BHOs, and other malware.

I ask this because it doesn't seem to be widely known among LJ anti-malware communities. I know I was the first to list it as an interest of mine, which surprised the heck out of me.

I was considering opening a community for the posting and review of hijackthis logs, but I don't nearly have the time to be the sole reviewer. And honestly I'm 100% sure of my skill at reading the logs, so some verification would be good, too.

What are your thoughts? Anyone want to be a mod/reviewer?

Incidentally, for those who wish to be self-sufficient, there's a pretty good tutorial at Merijn, originator of HJT.

x-posted
Comments: Add Your Own.

Friday, September 24th, 2004

Subject: viruses include: win32.parite.2, trojan.keenValAd, and backdoor.generic.665
Posted by: myheartyrhammer.
Time: 3:22 pm.
A friend of mine sent me a Mcafee virus scanner through aim, and it didn't really work, cause it said that I had no viruses, but my computer is going way too slow, and I can't update my windows service packet at all, and sometimes my internet explorer shuts itself down, which is extremely annoying. But then I downloaded a free virus scanner from the internet called stop-sign something[?] but it doesn't delete the viruses, it only detects the infected files. It said that I had 465 viruses, most of them were windows files. I was wondering if you guys knew of any freeware antivirus programs that might be able to fix my computer :\

thank you.
Comments: Read 1 or Add Your Own.

Sunday, August 1st, 2004

Subject: x-posted to a few other communities
Posted by: badkitty1782.
Time: 3:22 pm.
My computer is infected with viruses (virii?) and worms galore. At first it had W32Netsky.C@mm, then I guess I got rid of it . . . but there's still other stuff on it that I can't get rid of, mainly adware. I use ad-aware religiously, but it doesn't get rid of everything. I've also downloaded a trial version of Norton Anti-Virus, but it is unable to delete some possible virus threats. Then there's this TechPro thing . . . which I think I downloaded to get rid of the Netsky thing . . . but I don't really know how it works. Oh, and there was a Netsky remover I downloaded from the Symantec website, which I think is why the Netsky thing is gone. I'm using the Panda ActiveScan too . . . and it detected (and I guess deleted) a Trojan Horse. Something still isn't right though. I know there's still stuff on here (especially adware . . . grr). I'm also getting E-mails appearing to be from myself on my various E-mail accounts. Plus those damn pop-ups that my pop-up killer won't kill. My mom's had issues with worms, viruses (virii), and such before and our computer guy took care of it . . . but I'm a bit nervous about having him looking at mine since I have some ::ahem:: questionable material on my computer (hey, I'm 22 years old. I'm allowed to look at naughty-bad stuff if I want to). Sooo . . . help! I don't know if I need to go buy a hardcore virus killer or if there's freeware online I can get or not. I don't like downloading so much stuff on here since one of the things I downloaded to get rid of the virus early on ended up having spyware galore on it, which is probably my problem now. I also don't really understand when I should be turning "system restore" off or not. Some directions recommend doing it before scanning the files, but then I'm not sure when I should turn it back on. Can someone help me out? Please???
Comments: Read 1 or Add Your Own.

Monday, July 5th, 2004

Subject: Netsky Worm
Posted by: rpeate.
Time: 6:57 am.
The Netsky worm (version Q) is currently in my Outlook. I would like someone's help in removing it. Thank you.
Comments: Add Your Own.

Sunday, June 6th, 2004

Subject: ntsearch.com spyware
Posted by: ns_tulkas.
Time: 5:00 pm.
Mood: desperate.
Random links are appearing everywhere on my web pages. The links direct to a search site called ntsearch.com. I tried scanning the computer with Anti-virus and Ad-aware 6 Professional and still I cannot get rid of the damn links. Can ANYONE please tell me how I can get rid of this spyware and how to make sure the computer won't catch it again?

Thank you in advance,
Yours desperately,
N. S. T.
Comments: Read 1 or Add Your Own.

Tuesday, April 13th, 2004

Subject: Trojan.Popdis, W32.Kotira, W97M.Adren, W32.Maddis.B
Posted by: jeffsworld.
Time: 9:50 am.
Trojan.Popdis

Trojan.Popdis is a Trojan horse that modifies the registry keys and overwrites the Hosts file.

W32.Kotira

W32.Kotira is a virus that overwrites executable files.

W97M.Adren

W97M.Adren is a Microsoft Word Basic Macro virus that spreads using Normal.dot and other templates in the Office\Startup folder. This virus contains two modules, ANDRENALINE and DEFTONES.

W32.Maddis.B

W32.Maddis.B is a network-share worm that injects itself into various Windows system processes. The worm will open several ports on an infected host. It also operates as a proxy and possibly a spam relay.

This threat is written in x86 Assembly and is packed with ASPack 2.12.
Comments: Add Your Own.

Monday, April 12th, 2004

Subject: Backdoor.IRC.Aladinz.P, W32.HLLW.Gearbug@mm, W32.Dumaru.AI
Posted by: jeffsworld.
Time: 5:25 pm.
Backdoor.IRC.Aladinz.P

Backdoor.IRC.Aladinz.P is a backdoor Trojan horse that uses malicious mIRC scripts. This Trojan allows an attacker to access your computer. By default the Trojan listens on TCP port 2688.

W32.HLLW.Gearbug@mm

W32.HLLW.Gearbug@mm is a simple mass-mailing worm that sends itself to all the addresses in the Microsoft Outlook Address Book. The email has the following characteristics:

Subject: Security Update
Attachment: ElimB.exe

W32.Dumaru.AI

W32.Dumaru.AI is a Trojan horse that attempts to steal information from an infected computer.
Comments: Add Your Own.
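An added example, not the post's own: a mail-gateway check that quarantines messages carrying an executable attachment, run here over a constructed message with the subject and attachment name the post lists for W32.HLLW.Gearbug@mm. The extension list, the MZ-header check and the message addresses are this example's assumptions; the attachment body is a dummy, not a program.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File extensions treated as executable content (assumed policy list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message() -> bytes:
    """Constructed message with the subject and attachment name the post gives for Gearbug.
    The attachment body only carries the 'MZ' signature bytes followed by filler text."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Security Update"
    msg.set_content("Please install the attached update.")
    msg.add_attachment(
        b"MZ\x90\x00" + b"constructed placeholder, not executable code",
        maintype="application",
        subtype="octet-stream",
        filename="ElimB.exe",
    )
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed control message: text body plus a harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Minutes"
    msg.set_content("Notes from today's meeting attached.")
    msg.add_attachment("agenda item 1\n", filename="minutes.txt")
    return msg.as_bytes()


def looks_like_pe(payload: bytes) -> bool:
    """Windows executables start with the DOS 'MZ' signature, whatever the file is named."""
    return payload[:2] == b"MZ"


def find_executable_attachments(raw: bytes):
    """Return [(filename, reasons)] for attachments that are executable by name or by content."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = []
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            reasons.append("extension")
        payload = part.get_payload(decode=True) or b""
        if looks_like_pe(payload):
            reasons.append("mz-header")
        if reasons:
            findings.append((name, reasons))
    return findings


def gateway_verdict(raw: bytes) -> str:
    """Quarantine anything carrying an executable attachment; deliver the rest."""
    return "quarantine" if find_executable_attachments(raw) else "deliver"


if __name__ == "__main__":
    sample = build_sample_message()
    print(find_executable_attachments(sample), "->", gateway_verdict(sample))
```

Checking the decoded payload as well as the file name is what catches a renamed executable; the subject line is deliberately not used as a signal, since "Security Update" is exactly the kind of subject legitimate mail also carries.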

Sunday, April 11th, 2004

Subject: W32.Gaobot.YN, W32.HLLW.Donk.M
Posted by: jeffsworld.
Time: 2:29 pm.
W32.Gaobot.YN

W32.Gaobot.YN is a variant of W32.HLLW.Gaobot.gen that attempts to spread to network shares and allows access to an infected computer through an IRC channel.

The worm uses multiple vulnerabilities to spread, including:

  • The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
  • The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445
  • The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80

W32.Gaobot.YN is packed with UPX and IHMOWrap3.

W32.HLLW.Donk.M

W32.HLLW.Donk.M is a network-aware worm. It attempts to connect to a predetermined IRC server to get instructions from the attacker.

This variant may be compressed with PeX.
Comments: Add Your Own.
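An added example, not from the post: a fan-out detector over a constructed firewall log that flags an internal host contacting many distinct peers on the three TCP ports the post lists for W32.Gaobot.YN. The log format, the threshold and window, and the addresses are this example's assumptions; an infected host probing a subnet on 135 and 445 stands out from normal traffic precisely because ordinary clients talk to a handful of servers on those ports, not to forty in a minute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports the post lists for W32.Gaobot.YN's spreading routines.
WORM_PORTS = {135: "DCOM RPC (MS03-026)", 445: "RPC locator (MS03-001)", 80: "WebDAV (MS03-007)"}

# Constructed firewall/flow export, one "timestamp src dst dport" record per line.
# 10.0.5.7 sweeps a /24 on 135 and then 445 inside a minute; 10.0.5.8 is ordinary browsing.
SAMPLE_LOG = "\n".join(
    [f"2004-04-11T14:00:{i:02d} 10.0.5.7 10.0.9.{i} 135" for i in range(1, 21)]
    + [f"2004-04-11T14:00:{i:02d} 10.0.5.7 10.0.9.{i} 445" for i in range(21, 41)]
    + [
        "2004-04-11T14:00:05 10.0.5.8 10.0.9.3 80",
        "2004-04-11T14:00:09 10.0.5.8 192.0.2.10 80",
        "2004-04-11T14:00:30 10.0.5.8 192.0.2.11 80",
    ]
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each non-empty record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_fanout(text, threshold=15, window=timedelta(seconds=60)):
    """Return {src: {dport: peak_distinct_destinations}} for every source that reaches at
    least `threshold` distinct hosts on one worm port within any `window`-long span."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for ts, src, dst, dport in parse_log(text):
        if dport in WORM_PORTS:
            events[(src, dport)].append((ts, dst))

    alerts = defaultdict(dict)
    for (src, dport), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src][dport] = max(alerts[src].get(dport, 0), len(distinct))
    return {src: dict(ports) for src, ports in alerts.items()}


def describe(alerts):
    """Human-readable alert lines, one per (source, port)."""
    return [
        f"{src} reached {n} distinct hosts on tcp/{port} ({WORM_PORTS[port]}) within one window"
        for src, ports in alerts.items()
        for port, n in sorted(ports.items())
    ]


if __name__ == "__main__":
    for line in describe(find_fanout(SAMPLE_LOG)):
        print(line)
```

Port 80 is kept in the port set because the post lists WebDAV, but in practice it needs a higher threshold than 135 and 445, since browsing alone fans out to many web servers; tune per port before turning this into an alert.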

Subject: New Ad-aware reference
Posted by: jeffsworld.
Time: 2:25 pm.
========================================================
Reference File Notification - Lavasoft News
========================================================
01R286 11.04.2004

Here is a breakdown explaining what is included:


Updated Items
--------------------------------------------------------
ActualNames
EPSystems DialerMaker
Infotel srl
MediaCharger
Roings
WinFavorites (3 variants)


Reference File Details
--------------------------------------------------------
Reference Number : 01R287 11.04.2004
Internal build : 216
Total size : 1025091 Bytes
Signature data size : 1007474 Bytes
Reference data size : 17553 Bytes
Signatures total : 22681
Target categories : 10
Target families : 442


Additional Information
--------------------------------------------------------
You can use Webupdate to install the new reference
file, or download it manually from:
http://www.lavasoft.de/update/refs/reflist.zip
Comments: Add Your Own.

Subject: Guess what?
Posted by: jeffsworld.
Time: 5:44 am.
========================================================
Reference File Notification - Lavasoft News
========================================================
01R286 11.04.2004

Here is a breakdown explaining what is included:


New Items
--------------------------------------------------------
GreatSearch-biz
WebHlpr


Updated Items
--------------------------------------------------------
AdShooter (2 variants)
BroadCastPC
Golden Palace Casino
IBIS Toolbar
JRaun
PromulGate
Roings
VX2.BetterInternet


Reference File Details
--------------------------------------------------------
Reference Number : 01R286 11.04.2004
Internal build : 215
Total size : 1023918 Bytes
Signature data size : 1006301 Bytes
Reference data size : 17553 Bytes
Signatures total : 22655
Target categories : 10
Target families : 442


Additional Information
--------------------------------------------------------
You can use Webupdate to install the new reference
file, or download it manually from:
http://www.lavasoft.de/update/refs/reflist.zip
Comments: Add Your Own.
