
reply to HiVolt
Re: W.32 Licum virus, help! Anyone have a concrete fix to this yet?
I just put in my DSL modem yesterday; I assume it came through the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. I logged on remotely to my PC from my college and was hit with a Norton warning about one of my files being infected. So far that's all it's stated to be infected. Googling the virus comes up with many people having to format; however, several seem to have scanned with Norton and removed it with little trouble.
I can't head home to work on this problem yet, so any more information before I go at it would be excellent.

DrT8 (join: 2005-09-25, Australia), reply to sbhusted

I've got the bastard too, and I've discovered that it mimics other programs. I ran the M$ malicious software removal tool and after it exited, having claimed to have removed
W32/Gael.a W32/Spyboter!(something)
and partially removed
W32/Spybot!3861
a "smaller" MST (around 4K) popped up in the task manager. Then something tried to phone home with my dialler. Killing the new MST process tree killed the dialler without disturbing the system (in fact, making it run smoother).
This explains why wcsntfy and userinit would sometimes appear twice, or re-appear after being killed. If the HijackThis authors are reading this, we need a version that not only lists processes, but gives the KB and identifies who started them and what's in the process tree!
This pig also seems to recognize Karen's Window Watcher (or at least proggies that work like it), which I tried to use to identify the threads. When looking at some of the no-name windows I'd get down to #3 and suddenly the prog would have the same sort of error that Regedit seems to get when dealing with this (unless you copy regedit.exe to editreg.exe and ONLY use the latter!).
When the thing is resident, you can sometimes tell because there will be two versions of one of the programs you're running in the task manager, e.g. you might have one Notepad up, but there are two. When it's resident, you can't load AV websites, or sometimes anything at all, in the browser. When you kill the smaller of the two, suddenly the browser works for a while. Then I get a 16-bit MS-DOS subsystem error due to DL.EXE (on XP) encountering an illegal instruction, often associated with NTVDM, and suddenly the browser is crippled again. Sometimes, though, there aren't two copies, and you have to make an educated guess about which process to kill. Since it's 16-bit, the recently-run program NTVDM is often the culprit, so if it's in the taskman and there's no DOS window, that's the prick right there.
I guessed wrong once, though and the demise of CSRSS took out the whole shebang (although I'm pretty sure csrss *was* infected, which could mean that the thing works as part of a program that is really doing other legitimate things too).
For me, the file c:\windows\system32\userinit.exe seems to be the reason it keeps coming back. My educated guesses kept identifying it correctly as the 'carrier' that was fscking up the browser. The MS tool claimed to have cleaned it from other progs in safe mode, but then the second I'd reboot, user initialization (I assume) re-created the virus, and the MST had to remove it again from userinit.exe. Run the browser, and the browser's infected. It re-infected about 2000 files in the few minutes it took for me to work out a) what was going on, and b) that the M$ Tool was written by M$ tools... I *know* userinit.exe was infected because I opened it in Notepad and it had the fatal "utenti.lycos.it" string at the end of the file (see below for a variant).
I've found that I can buy more time to do the research online by locating trojan download DL.EXE and over-writing it (as DL.EXE) with C:\DL.OLD, which is a copy of DL.EXE (actually a Java prog) in which all are ! and all website references are changed to localhost, which I modified for that purpose. Then if I can kill the offending process in taskman as we go, I can get some searching done. If you're getting the same error message that I described above, this seems to stop them, until (I think) the process eventually re-writes itself from the code added to some poor EXE somewhere. Once DL.EXE is back in its original form, the problems come fast and furious. And it won't necessarily come back in the directory where you found it...you need a running Search window in the BG to monitor for new versions.
Speaking of the downloader, unfortunately, today I've discovered (while looking for info) that the utenti.lycos.it page appears to have been resuscitated at »utenti.lycos.it/campanella/links.html so there will be a new variant of the downloader spreading.
BTW, checking my log history, it appears that a popup ad from the site a.tribalfusion.com was the only unrequested page on my system at the time of infection... My machine was temporarily insecure because XP had had its own problems, and M$ forced me to delete my usual protection software in order to do the reinstall...just hadn't had a chance to reinstall the usual stuff before the fscker got in 
If anybody knows a good fix, PLEASE email me as well as replying, tgee a.t dodo d.o.t com d.o.t au. All spammers who parse this manually will be tracked down and reported to the appropriate authorities. Mansfield, this *especially* means you.
DrT
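The duplicate-process heuristic DrT describes above (two copies of one program in Task Manager, the smaller one being the suspect) written out as an added example; this is not code from the thread or from any tool named in it. It parses text in the format of Windows `tasklist /fo csv` output and lists the candidates a person would then inspect by hand. The svchost.exe exclusion and the roughly 4~6K memory threshold come from posts in this thread; the sample rows, PIDs and sizes are constructed for the demo, so a hit like notepad.exe only means "look at this", not "this is malware".

```python
"""Triage helper: flag duplicated image names where the smaller instance is tiny.

Added example, not from the thread. SAMPLE_TASKLIST is constructed text in the
`tasklist /fo csv` layout; it is not real output from an infected machine.
"""
import csv
import io
from collections import defaultdict

SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"svchost.exe","812","Console","0","4,216 K"
"svchost.exe","900","Console","0","18,340 K"
"svchost.exe","1024","Console","0","3,980 K"
"userinit.exe","1400","Console","0","6,120 K"
"userinit.exe","2216","Console","0","4,352 K"
"notepad.exe","1616","Console","0","3,104 K"
"notepad.exe","2288","Console","0","4,012 K"
"explorer.exe","1232","Console","0","22,500 K"
'''


def parse_tasklist_csv(text):
    """Turn tasklist CSV text into dicts with name, pid and memory in KB."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        # "4,216 K" -> 4216
        mem_kb = int(r["Mem Usage"].replace(",", "").split()[0])
        rows.append({"name": r["Image Name"].lower(),
                     "pid": int(r["PID"]),
                     "mem_kb": mem_kb})
    return rows


def find_duplicate_suspects(rows, ignore=("svchost.exe",), max_kb=6144):
    """For each image name that appears more than once (svchost.exe excluded,
    since several legitimate copies are normal), return the smallest instance
    if it is at or below max_kb. Output is a sorted list of
    (name, pid, mem_kb) tuples for a human to check, not a verdict."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)
    suspects = []
    for name, procs in by_name.items():
        if name in ignore or len(procs) < 2:
            continue
        smallest = min(procs, key=lambda p: p["mem_kb"])
        if smallest["mem_kb"] <= max_kb:
            suspects.append((name, smallest["pid"], smallest["mem_kb"]))
    return sorted(suspects)


if __name__ == "__main__":
    for name, pid, kb in find_duplicate_suspects(parse_tasklist_csv(SAMPLE_TASKLIST)):
        print(f"inspect {name} pid={pid} ({kb} K)")
```

On a real machine you would feed it the saved output of `tasklist /fo csv` rather than the constructed sample; the threshold is a knob, and a legitimate second copy of a small program will show up too, which is exactly the "educated guess" DrT warns about.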
reply to HiVolt

I successfully removed this from an XP SP2 machine.
1. On a clean XP SP2 machine, download from www.microsoft.com the Microsoft Malicious Software Removal Tool.
2. Burn to CD the removal tool and a copy of C:\windows\system32\userinit.exe.
3. Boot the infected machine in safe mode and run the removal tool from the CD. Let it do its thing but... !!!DON'T restart the machine at the end like it asks!!! Bring up the task manager and kill the 'userinit' process. Overwrite the current c:\windows\system32\userinit.exe file with the clean one on the CD.
4. Now reboot and enjoy.

Ok... now in safe mode, how many svchost.exe's should be running? I'm infected by this virus too (Avast! 4 Home Edition called it 'Win32:Tenga' but it's the same virus; he almost removed it) and I thought there were only 4 svchost.exe files running, and now I've got 5. Could anybody answer this question?
Greetz, joepie91
PS. I really got bad luck, as I was running a webserver; I hope nobody downloaded an .exe file from it.....

reply to CalamityJane

Hope this would help. Virus description: the virus only infects exe files, but it would infect your antivirus software and userinit.exe, which is run as you log on. The dl.exe keeps downloading the virus from "utenti.lycos.it", which can be seen if you open the dl.exe or userinit.exe with UltraEdit32 and search for "lycos.it". The virus attaches the dl.exe to some important Windows exe files like userinit.exe, regedit.exe, iexplore.exe, rundll32.exe (it is run when you use the Windows Add/Remove Programs). So it comes back quickly.
Want to know more? McAfee's description of this virus: »vil.nai.com/vil/content/v_134857.htm One difference is that I didn't find GAELICUM.EXE or CBACK.exe on my laptop.
A virus analysis: »www.nod32.com/msgs/tengaa.htm
Removal instructions:
1. Kill excess processes in the Windows Task Manager, which means leave the svchost.exe there and end the other processes you can kill. Of the processes showing two entries, the one with about 4~6K memory should be the virus dl.exe.
2. After killing the excess processes, you should be able to access the internet temporarily. Download the malware removal tool from Microsoft quickly: »www.microsoft.com/downloads/deta···ylang=en Run it and it should find the W32/Gael virus, with thousands of files infected, and repair them. Some of the exe files may be removed here; so far I only got two of my program files missing. After that, you will be asked to restart. Before you restart, do these things:
a. Delete any values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
b. Delete anything in windows\prefetch and set the folder to read only.
c. Open Administrative Tools/Services, stop any excess services related to your installed programs (which usually have a short description), and set them to manual or disabled.
d. DISCONNECT your computer from the internet: unplug the cable and stop wireless networking. This makes sure the virus won't come back from the internet again. When the virus is there, although it seems that you cannot access the internet through Internet Explorer, the virus can still access the virus server.
3. Now, after restarting your computer, open your task manager quickly; if any excess process is there, like userinit.exe, cftmon.exe, wscntfy.exe, kill them quickly.
4. Do a quick check with the malware removal tool from Microsoft; there should be no files infected. Don't run any excess programs; they may still be infected.
5. Bring up Windows Add/Remove Programs, remove your antivirus software and reinstall it. Make sure you install from CD and the installation files are not infected. While doing this, keep tracking the processes with the task manager; for any process (except svchost.exe) appearing twice, kill the one with about 4~6K memory quickly. If you are asked to restart after removing the program, make sure steps 2.a, 2.b, 2.c and 2.d are done. After restart, do a quick check with the malware removal tool.
6. Restart after you reinstall your antivirus software. If the antivirus software is working, the job is almost done. Make sure step 4 is done. If the antivirus software is still not working, go back to step 1, and make sure you are disconnected from the internet from step 3 to step 6. If this still doesn't work, leave me a message.
7. Now you can plug in your cable. Do the antivirus update first; after restart, do the full scan. You should still find some virus on your computer; kill or repair them. Now it is done.

Anyone find a solution to this? Still having a b*tch of a time with it on my computer..
I run vcleaner, even ran the trend av program, it removes a bunch of them but they just keep coming..
I reboot to safe mode. Same deal..
Damn, I don't want to reimage this if it isn't going to kill the bugger.
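Two posts above report the same indicator: an infected exe carries the string "utenti.lycos.it" (DrT saw it at the end of userinit.exe in Notepad; the CalamityJane reply finds "lycos.it" with UltraEdit), and the removal recipe restores userinit.exe from a clean copy. The script below, an added example and not code from the thread or from any tool it names, does both checks without a hex editor: it walks a directory for .exe files containing the marker, and compares a file's SHA-256 against a known-good copy so you can confirm the restore actually took. The directory layout, file names and bytes are constructed in a temp folder for the demo; the marker string itself is the one quoted in the thread.

```python
"""Look for a byte marker in executables and verify files against a clean copy.

Added example, not from the thread. build_demo_tree() writes constructed files
into a temp directory so the script runs offline; MARKER is the string the
posters report finding inside infected files.
"""
import hashlib
import os
import tempfile

MARKER = b"utenti.lycos.it"


def file_sha256(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def contains_marker(path, marker=MARKER, tail_bytes=None):
    """True if marker occurs in the file. With tail_bytes set, only the end of
    the file is read, which is where the posters found the string appended."""
    with open(path, "rb") as f:
        if tail_bytes is not None:
            f.seek(0, os.SEEK_END)
            f.seek(max(0, f.tell() - tail_bytes))
        return marker in f.read()


def scan_tree(root, marker=MARKER, extensions=(".exe",)):
    """Return sorted paths of files with a matching extension that contain marker."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                if contains_marker(path, marker):
                    hits.append(path)
    return sorted(hits)


def differs_from_known_good(path, known_good_path):
    """True if the file's hash does not match the clean reference copy."""
    return file_sha256(path) != file_sha256(known_good_path)


def build_demo_tree():
    """Constructed sample tree (not real system files): a clean 'userinit.exe',
    a copy with the marker appended, and a .txt that must be ignored."""
    root = tempfile.mkdtemp(prefix="marker_scan_demo_")
    clean_bytes = b"MZ" + bytes(range(256)) * 8
    paths = {
        "clean": os.path.join(root, "cd_backup", "userinit.exe"),
        "infected": os.path.join(root, "system32", "userinit.exe"),
        "ignored": os.path.join(root, "system32", "notes.txt"),
    }
    for p in paths.values():
        os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(paths["clean"], "wb") as f:
        f.write(clean_bytes)
    with open(paths["infected"], "wb") as f:
        f.write(clean_bytes + b"\x00" * 64 + MARKER)   # marker appended at the end
    with open(paths["ignored"], "wb") as f:
        f.write(MARKER)                                 # wrong extension, not scanned
    return root, paths


def demo():
    """Build the sample tree, scan it, and compare the suspect to the clean copy."""
    root, paths = build_demo_tree()
    hits = scan_tree(root)
    changed = differs_from_known_good(paths["infected"], paths["clean"])
    return hits, paths, changed


if __name__ == "__main__":
    hits, paths, changed = demo()
    for h in hits:
        print("marker found:", h)
    print("system32 copy differs from clean copy:", changed)
```

Point scan_tree at a real drive (for instance the Windows directory and Program Files) to get the list of files to restore or re-scan, and run differs_from_known_good after copying the clean userinit.exe back to confirm nothing re-appended itself before the reboot.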
After attempting to remove that thing for 3 months.. I finally bit the bullet and reformatted and re-installed Windows XP. I tried every solution, removal tool, safe mode, scans at boot, checked the registry, etc. and I couldn't find the damn culprit.
My machine would run perfectly fine, until I downloaded any .exe files. If I downloaded any .exe file and left my PC on overnight, I would wake up and see a Norton virus message saying it detected it and it was removed. The .exe file was now useless. The only way to prevent it from happening was to immediately zip the files in a compressed file. But this was just a workaround, not a real solution. So I bit the dust and formatted both drives on my primary PC. -- Scott B. Husted, http://www.Husted.cc

reply to gtchris

THIS IS IT!!! SOMEBODY ELSE ALREADY POSTED THIS FIX BUT I'M REPOSTING HOPING IT WILL MAKE IT TO THE TOP OF THE LIST. THE FIX IS SO EASY... THIS FIXED EVERYTHING ON MY XP SP2 MACHINE! You're welcome and thank you!!!
This pertains to that pesky dl.exe virus/worm where all my executable files no longer worked and I couldn't use virus protection to fix the problem, and reg keys were not affected.
I successfully removed this from an XP SP2 machine.
1. On a clean XP SP2 machine, download from www.microsoft.com the Microsoft Malicious Software Removal Tool.
2. Burn to CD the removal tool and a copy of C:\windows\system32\userinit.exe.
3. Boot the infected machine in safe mode and run the removal tool from the CD. Let it do its thing but... !!!DON'T restart the machine at the end like it asks!!! Bring up the task manager and kill the 'userinit' process. Overwrite the current c:\windows\system32\userinit.exe file with the clean one on the CD.
4. Now reboot and enjoy.