One of our computers has become a mess tonight.
I've been working on it all night and have been unable to stop what's
happening.
Despite the fact that we have Avast! running in real time, and
Malwarebytes running occasionally (free version) something got into the
computer and has been sending out emails referring to itself as
"Authorized Viagra Distributor" all over the darn place, and even Avast!
won't stop them, it just keeps popping open windows asking if you want to
stop this email or that, while the thing is thrashing the HD with some
process doing this!
It appears to be related to something called ashmaisv.exe, which is also
eating up the RAM while it does this.
Any ideas on how to stop this thing?
The "Exe" file is the required startup file for Avast.
I'd take the machine offline now.
Install and run "hijackthis". It may help determine what the culprit is.
Also, you may want to install comodo firewall.
Comodo will show you what connections are happening right now.
Go into your email client and uncheck anything related to automatic
connections. If you can, rename the folder the client is in. Just add a
letter or two to the beginning of the name. That may thwart the software
from locating the client.
Open up task manager and watch what's happening in the "process" tab.
You may get a clue as to what's causing the resource hogging.
If the culprit appears to be avast, you may want to uninstall it completely
and install a clean copy.
Disable avast and see if the thing still wants to connect.
I don't know if it's Avast! or that's just Avast! trying to deal with it
all.
Thanks for the suggestions though, will print and try...
Avast does not send ads/viagra stuff.
You definitely have a trojan/virus.
Clean it; Avast, like all antivirus, is not 100%.
To be clear, antivirus is worth nothing.
--
Posted via : news.mccarragher.com
We remove Bad spam/sex/ads/other
>On Sun, 3 Jan 2010 00:57:05 -0700, richard <mem...@newsguy.com> wrote:
>
>>Go into your email client and uncheck anything related to automatic
>>connections. If you can, rename the folder the client is in. Just add a
>>letter or two to the beginning of the name. That may thwart the software
>>from locating the client.
>
>WTF? You REALLY think it's his e-mail program sending out these
>e-mails, and not apparently the virus / worm / trojan?
>
>>Open up task manager and watch what's happening in the "process" tab.
>>You may get a clue as to what's causing the resource hogging.
>
>"It appears to be related to something called ashmaisv.exe, which is
>also eating up the RAM while it does this."
>
>>If the culprit appears to be avast, you may want to uninstall it completely
>>and install a clean copy.
>>
>>Disable avast and see if the thing still wants to connect.
>
>Wow..
Ya..I was kinda speechless on this one too
With the computer offline, I took a look at the processes running, with
most things shut down, and noticed a notifyapp.exe using exactly 50% of
CPU time, all the time, which seemed very suspicious.
I googled it and it appears to come from Jenkat Games, which my sister
downloaded on 11-23-09 and google searching says is related to a virus or
something, linked to that notifyapp.exe.
I deleted Jenkat Games and will see if that fixes it.
I got a warning from Avast! that the file wjvwbujx.sys was a virus, and
deleted it, but it came right back in the windows\sys32\drivers folder.
I watched it using Servant Salamander and it changes from over 500k in size
to zero and back again. It can't be deleted using Salamander either, and
when Avast! tries to delete it, it pops right back up there.
I find no mention of wjvwbujx.sys though, on Google.
> Update: The computer quieted down so I hooked it up online again. The
> thing sending out the Viagra emails started right back up again.
Please explain how you know it is sending *Viagra* email. My experience
is that rogue SMTP virus/trojans use their own SMTP and quietly send in
the background. So how are you able to read it?
> I got a warning from Avast! that the file wjvwbujx.sys was a virus,
> and deleted it, but it came right back in the windows\sys32\drivers
> folder.
Sounds like a typical bad guy.
> I watched it using Servan Salamander and it changes from over 500k in
> size to zero and back again. It cant be deleted using Salamander
> either, and when Avast! tries to delete it, it pops right back up
> there.
Truly nasty.
> I find no mention of wjvwbujx.sys though, on Google.
Because it is a randomly generated filename. It is not the parent
problem.
Suggestions:
1. run SuperAntiSpyware in safe mode
2. run Avast! in safe mode
3. try anti-rootkit software
4. shoot sister
--
-bts
-Four wheels carry the body; two wheels move the soul
Nice addition. He didn't say he ran Avast in Safe Mode. Good chance
it's sitting in his back ups and coming back each time.
Shooting his sister might help but you have to realize this could be a
genetic problem that runs in the entire family. I suggest a basic
Windows course so he can learn more about protecting his computer.
> Shooting his sister might help but you have to realize this could be a
> genetic problem that runs in the entire family. I suggest a basic
> Windows course so he can learn more about protecting his computer.
...starting with separate non-admin log-ins for all users!
Wouldn't it be a good idea for him to disable System Restore before doing
all that? Suggestion 4, of course, could be followed at any stage.
--
Health authorities warn:
Smoking seriously harms your health
and the health of those around you
> Wouldn't it be a good idea for him to disable System Restore before
> doing all that? Suggestion 4, of course, could be followed at any
> stage.
Sure. I keep forgetting Windows has that... <g>
Hi!
Try Dr Web - from here http://www.freedrweb.com/?lng=en
Maybe download onto clean machine, update, then install on rogue via a
memory stick?
Run Dr Web in safe mode.
--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
> Devils_Advocate wrote:
>
>> Update: The computer quieted down so I hooked it up online again. The
>> thing sending out the Viagra emails started right back up again.
>
> Please explain how you know it is sending *Viagra* email. My experience
> is that rogue SMTP virus/trojans use their own SMTP and quietly send in
> the background. So how are you able to read it?
Avast! is showing me little windows saying that the outbound email is
over the limit of emails per time, and it's in there.
>> I find no mention of wjvwbujx.sys though, on Google.
>
> Because it is a randomly generated filename. It is not the parent
> problem.
>
> Suggestions:
> 1. run SuperAntiSpyware in safe mode
> 2. run Avast! in safe mode
> 3. try anti-rootkit software
> 4. shoot sister
LOL
Well Avast! was nice enough to reply to my email about it, so I gotta
follow their instructions now.
Did you fix things?
Did you look at/try Dr.Web?
> Aardvark wrote:
>
>> Wouldn't it be a good idea for him to disable System Restore before
>> doing all that? Suggestion 4, of course, could be followed at any
>> stage.
>
> Sure. I keep forgetting Windows has that... <g>
>
I followed a whole page of email instructions that Avast! support sent me,
including that, and the virus is still there.
> On 05/01/2010 21:21, Devils_Advocate wrote:
>> Well Avast! was nice enough to reply to my email about it, so I gotta
>> follow their instructions now.
>>
>
> Did you fix things?
No, nothing works.
> Did you look at/try Dr.Web?
No, if all these other products won't work, I'm wasting my time with this.
Will have to reinstall the OS, I guess.
Wild guess - look up Happy99. Very nasty at the time. It's been reused
ever since.
--
(setq (chuck nil) car(chuck) )
I just tried DLing it and put it on a thumb drive, took it in there and ran
it. All it does is keep rebooting the computer and not coming up again after
that. Tried twice already.
DA, ashmaisv.exe is a component for Avast!
http://www.processlibrary.com/directory/files/ashmaisv/
"ashmaisv.exe is a part of the Avast Anti-Virus application from Alwil
Software. This process should not be removed to ensure that your system
is secure."
I'm guessing that the reason why it's eating up processor usage is
that it's trying to kill the mass mailer/whatever on your PC. The only
way to make 100% sure this is killed is to format/reload the OS and
restore from a recent backup. You could also copy data files you need
over to an external USB drive, but there isn't a 100% guarantee you're
not copying the malware over with it...
n0i
> "Devils_Advocate" <Devils_Advocate@devils_.xxx> wrote :
<SNIP>
>> Will have to reinstall the OS, I guess.
<SNIP>
As someone has pointed out in the other post, this is an Avast
file, your problem I would guess is that you keep Avast running
/all the time/. This is absolutely unnecessary. You CAN - if you
are extremely paranoid and tend to be absent-minded - turn it on
when you are online but I personally do not. However, after I
get offline, I scan everything that I have DL'd.
Aside from that, once a month or so I do a full C: drive scan (I
have 9 partitions and C: is sys/prog only). I have been doing
this for over 15 years - used to use F-Prot for DOS, but it's
dead, so I bought ESET NOD32. It's the best.
In almost 20 years (this included the years when I did NOT use a
virus scanner at all) I have gotten ONE virus in an email from a
clueless friend. Since I had scripting files removed from win
sys it couldn't do anything anyway. The only other one I found
was in a cracked warez file, but it was only a call-home "extra"
and I caught it in InCtl4 (install tracker) before even running
the AV - in those days I was less careful.
Just my 2 cents. Although I must say for a free program, a full
page of emailed help instructions is pretty amazing.
--
There are only two classifications of disk drives: Broken drives
and those that will break later.
- Chuck Armstrong (This one I think, http://www.cleanreg.com/,
not the ball player. But who knows. I can't remember where I got
the quote. But it's true.)
I just let the virus run while connected online for a few minutes and did
scans and log files with those. Got something suspicious, but the avast
cleaner says it found no virii.
But look at this:
1/12/2010, 11:24:05 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (35.4s).
----------
Files scanning started...
C:\WINDOWS\system32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb... file could not be scanned!
C:\WINDOWS\system32\drivers\wjvwbujx.sys... file could not be scanned!
No virus body found.
Files scanning finished (91749 files, 0 infected, 1271.3s).
Drives scanned: C:
The ones that can't be scanned contain that one I posted about, that can't
be deleted!
And what is Catroot2???
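Since the scan log above is the one concrete artefact in this thread, here is a small triage script, added here and not written by anyone in the thread or by Alwil. It reads Avast-style "file could not be scanned!" lines and ranks them: locked catalog database files under CatRoot2 (the Cryptographic Services catalog that Windows Update uses) are expected, while an unscannable kernel driver under system32\drivers with a random-looking name is exactly the pattern a rootkit hiding its own driver produces. The sample log is constructed from the lines posted above plus one ordinary driver for contrast; the severity labels and the "random name" heuristic (short, all letters, few vowels) are my own assumptions, not Avast output.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Avast log posted in this thread
# (the real log had only the three unscannable lines; ntfs.sys is added for contrast).
SAMPLE_LOG = r"""
1/12/2010, 11:24:05 PM
Memory scanning started...
No virus body found in memory.
Files scanning started...
C:\WINDOWS\system32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb... file could not be scanned!
C:\WINDOWS\system32\drivers\wjvwbujx.sys... file could not be scanned!
C:\WINDOWS\system32\drivers\ntfs.sys... file could not be scanned!
No virus body found.
Files scanning finished (91749 files, 0 infected, 1271.3s).
"""

# Matches an Avast-style line for a file the scanner could not open.
UNSCANNED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\.\.\. file could not be scanned!$")

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    path: str
    severity: str
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6-12 letters with a vowel ratio of 1/4 or less."""
    s = stem.lower()
    if not (6 <= len(s) <= 12 and s.isalpha()):
        return False
    vowels = sum(c in "aeiou" for c in s)
    return vowels / len(s) <= 0.25


def classify(path: str) -> Finding:
    """Decide how much an unscannable file should worry the analyst."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    if "\\catroot2\\" in low and ext in ("log", "edb", "jrs", "chk"):
        return Finding(path, "info",
                       "Cryptographic Services catalog database; locked while the service runs")
    if "\\drivers\\" in low and ext == "sys":
        if looks_random(stem):
            return Finding(path, "high",
                           "unscannable kernel driver with random-looking name: rootkit indicator")
        return Finding(path, "medium", "unscannable kernel driver; verify publisher signature")
    return Finding(path, "low", "unscannable file; check why it is locked")


def triage(log_text: str) -> list:
    """Return one Finding per 'could not be scanned' line, worst first."""
    findings = []
    for line in log_text.splitlines():
        m = UNSCANNED_RE.match(line.strip())
        if m:
            findings.append(classify(m.group("path")))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity], reverse=True)
    return findings


def worst_severity(log_text: str) -> str:
    """Single label summarising the log, 'info' if nothing was unscannable."""
    findings = triage(log_text)
    return findings[0].severity if findings else "info"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.path}\n         {f.reason}")
```

The point of sorting is that the two CatRoot2 entries are noise the poster was right to ask about, and the one line worth acting on is the driver; a signature check of anything rated "medium" (legitimate drivers are signed by their vendor) separates the rest.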
> As someone has pointed out in the other post, this is an Avast
> file, your problem I would guess is that you keep Avast running
> /all the time/. This is absolutely unnecessary. You CAN - if you
> are extremely paranoid and tend to be absent-minded - turn it on
> when you are online but I personally do not. However, after I
> get offline, I scan everything that I have DL'd.
>
> Aside from that, once a month or so I do a full C: drive scan (I
> have 9 partitions and C: is sys/prog only). I have been doing
> this for over 15 years - used to use F-Prot for DOS, but it's
> dead, so I bought ESET NOD32. It's the best.
>
> In almost 20 years (this included the years when I did NOT use a
> virus scanner at all) I have gotten ONE virus in an email from a
> clueless friend. Since I had scripting files removed from win
> sys it couldn't do anything anyway. The only other one I found
> was in a cracked warez file, but it was only a call-home "extra"
> and I caught it in InCtl4 (install tracker) before even running
> the AV - in those days I was less careful.
>
> Just my 2 cents. Although I must say for a free program, a full
> page of emailed help instructions is pretty amazing.
Problem is, it's still sending out Viagra emails.
I see your later post. You can post your HJT file here for a quick
review http://www.hijackthis.de/
Probably best to save all files you want to keep on other media
(CD/DVD/external hard drive) then flatten and burn your machine. Make
sure you delete all partitions in the process!
Good luck!
Downloaded it and ran it. It claimed to have found all kinds of adware,
backdoors, hijacks & trojans (57 items in all) but then wants bucks to
eliminate them. Sure. Sounds like they want bucks and you can't tell if all
those results are real or not.
Hi :)
A slightly sideways move! Uniblue/ProcessLibrary.com
Might this be a tool used by Cybercriminals to catch the unsuspecting?
Have you ever explored the Forums here?
http://forum.processlibrary.com/index.php?
If you haven't, and have the time, just have a 'play' and read lots of
the users posts (if you can find any!)
It seems to me that Uniblue is not all that it appears to be on the surface.
What do you think?
Another poster there, linked it to some russian sites, so beware!
But...
Looks like I found something. Instead of keeping the PC offline, I went on
and DL-ed the latest defs from Avast!
Then ran a scan and it found what was causing that wjvwbujx.sys to be
generated.
Win32: rootkit-gen [rtk]
I sent it to the chest.
Read here! http://www.malwarebytes.org/forums/index.php?showtopic=5928&st=0
HTH
A *very* good point!
> Another poster there, linked it to some russian sites, so beware!
>
Nasty!
> But...
>
> Looks like I found something. Instead of keeping the PC offline, I went on
> and DL-ed the latest defs from Avast!
>
> Then ran a scan and it found what was causing that wjvwbujx.sys to be
> generated.
>
> Win32: rootkit-gen [rtk]
>
> I sent it to the chest.
>
>
Has this fixed your problem?
CatRoot is windows update. You should worry about "wjvwbujx.sys".
> On 13/01/2010 08:05, Devils_Advocate wrote:
>> By the way, that Exterminate It! was listed on one forum as being
>> "unconscionable" for not eliminating what it finds before asking for
>> money, being the computer it's using to ask for payment is STILL
>> INFECTED!
>>
>>
> A *very* good point!
>
>> Another poster there, linked it to some russian sites, so beware!
>>
> Nasty!
>
>> But...
>>
>> Looks like I found something. Instead of keeping the PC offline, I went
>> on and DL-ed the latest defs from Avast!
>>
>> Then ran a scan and it found what was causing that wjvwbujx.sys to be
>> generated.
>>
>> Win32: rootkit-gen [rtk]
>>
>> I sent it to the chest.
>>
>>
> Has this fixed your problem?
You complete and utter fuckwit.
Format and clean install.
I try not to think, as it gets me in trouble. :)
n0i
*Exterminate It!*
I downloaded the programme on to my iMac and then copied to a memory stick.
I then installed onto a clean machine running XP Home SP3 and with MSE
and IE8
I ran a full scan. The programme found only 6 cookies (good!)
Then I pressed a button to remove malware and was taken to a URL which
produced a 'Certificate' warning.
I chose to ignore the warning and proceeded to the URL.
The address bar in IE8 turned red with a 'Certificate' warning alongside.
I closed the window - got a pop-up saying "don't go - discount
available!" (or similar)
I proceeded to the next stage and was sent here: (obfuscated with xx)
hxxps://209.87.178.183/softsell/nph-softsell.cgi?items=16843-2&sn=637a4401a586c64473a55aeaf6faa72f
Another 'Certificate' warning was received.
http://i46.tinypic.com/ixclqb.jpg
I did *not* purchase the programme!
~BD~ wrote:
> I downloaded the programme on to my iMac and then copied to a memory stick.
>
> I then installed onto a clean machine running XP Home SP3 and with MSE
> and IE8
... and then when you get all thru' with this experiment on your spare
hardware testbed XPsp3/IE8, what do you do with that software/hardware
testbed?
That is, do you restore it to a clean machine or do you sanitize it of
malware with some anti-malware tools, or what?
--
Mike Easter
Check that the system date and time are correct on the XP machine: Reboot,
go into BIOS settings. If it's wrong, correct it. Save settings and exit,
then try your experiment again (after making sure the Windoze date/time is
also correct).
If system and Windows date/time is already correct, there *may* be
something dodgy about the site.
--
Algy met a bear
The bear was bulgy
The bulge was Algy
Thanks for your thoughts. The date and time is identical to that on my
other computers! (Phew)
Maybe you didn't get around to reading this item - in *this* thread -
earlier today:
**
I've just read an interesting thread about Exterminate It! I wouldn't
touch it with a barge pole!
Read here! http://www.malwarebytes.org/forums/index.php?showtopic=5928&st=0
HTH
--
Nah. Scrub that. I just visited the link and got this:
"209.87.178.183 uses an invalid security certificate.
The certificate is only valid for www.regnow.com.
(Error code: ssl_error_bad_cert_domain)"
The IP belongum the following:
"OrgName: Digital River, Inc.
OrgID: DIGITA-123
Address: 9625 West 76th Street
Address: Suite 150
City: Eden Prairie
StateProv: MN
PostalCode: 55344
Country: US"
The security certificate apparently belongum regnow.com. Unless Digital
River is somehow connected with Regnow, it may be that DR has stolen the
identity of RN.
Further than this, do your own research.
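For anyone puzzling over that ssl_error_bad_cert_domain message: the browser is only saying that the name typed into the address bar (here the raw IP 209.87.178.183) is not among the names the certificate carries (www.regnow.com). A certificate that lists only DNS names can never match an IP-literal URL, so this particular warning is expected on such a link whoever runs the server; what it does not tell you is whether the operator is honest. The matcher below is an added example, written by me and not taken from any browser or from anyone in this thread; it applies the usual rules (exact DNS match, a single-label leftmost wildcard, IP literals only against iPAddress entries, CN fallback only when there are no SANs) to the names quoted above.

```python
import ipaddress


def _is_ip_literal(host: str) -> bool:
    """True if host is an IPv4/IPv6 literal (brackets around IPv6 allowed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, host: str) -> bool:
    """Match a dNSName pattern against a host name.

    A wildcard is only honoured as the whole leftmost label ("*.example.com"),
    matches exactly one label, and never matches the bare domain itself.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]          # the part the '*' would stand for
    return bool(left) and "." not in left


def verify_hostname(host, dns_names, ip_addrs=(), common_name=None):
    """Return (ok, reason) for the name a client asked for vs. a cert's names.

    dns_names / ip_addrs are the certificate's subjectAltName entries;
    common_name is the subject CN, used only when the cert has no SANs.
    """
    if _is_ip_literal(host):
        wanted = ipaddress.ip_address(host.strip("[]"))
        for cand in ip_addrs:
            if ipaddress.ip_address(cand) == wanted:
                return True, f"iPAddress SAN {cand} matches"
        return False, "IP literal requested but the certificate names only DNS hosts"
    for name in dns_names:
        if _dns_match(name, host):
            return True, f"dNSName SAN {name} matches"
    if not dns_names and common_name and _dns_match(common_name, host):
        return True, f"CN {common_name} matches (no SANs present, legacy fallback)"
    return False, f"none of {list(dns_names)} matches {host}"


# The case from the thread: an IP-literal URL against a cert valid only for www.regnow.com.
THREAD_CASE = verify_hostname("209.87.178.183", ["www.regnow.com"])

if __name__ == "__main__":
    print(THREAD_CASE)
    print(verify_hostname("www.regnow.com", ["www.regnow.com"]))
    print(verify_hostname("secure.regnow.com", ["*.regnow.com"]))
```

The browser runs the same check after the chain itself has been validated; a name mismatch is a different failure from an untrusted issuer, and the two should be read differently when deciding whether a site is merely misconfigured or actually lying about who it is.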
My 'testbed' hadn't been used for a week or two - it was completely
flattened and burned before Christmas and a complete re-installation
carried out. I have my own retail version of XP and also have SP1, SP2
and SP3 CD's which I obtained from Microsoft by post. I hadn't used it
again until today!
I also installed my Acronis True Image Home 2009 at the same time
(bought in a box from PC World) so can re-image if I wish at any time.
FYI - I don't trust cleaning my machines with anti-malware 'tools'. I
most certainly *distrust* going to a 'help' forum (in particular,
Aumha!) and downloading onto my machine software programmes about which
I know nothing - in the blind hope that the folk purporting to be
helping me are not the Cybercriminals themselves! ;)
Does this help? ;)
Do you not think there *may* be a connection? ;)
http://i49.tinypic.com/ek11fc.jpg
Have you been down the pub?!!!
You owe Dan C some royalties now.
Btw, wjvwbujx.sys is a totally valid file.
it stands for
Windows Just Views What Bugs Utter Jackoff Xtians.
<nods>
--
http://home.comcast.net/~wizardofwhimsy/index.html
cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
Don't know. Don't care.
> Have you been down the pub?!!!
Nope. I wish.
What's up? Did you actually look at the picture to see the obvious?
<rolling eyes>
>> Have you been down the pub?!!!
>>
> Nope. I wish.
>
So why the sadness? And why the re-installation? Please email me.
>>> I then installed onto a clean machine running XP
>> ... and then when you get all thru' with this experiment on your spare
>> hardware testbed XPsp3/IE8, what do you do with that software/hardware
>> testbed?
>>
>> That is, do you restore it to a clean machine or do you sanitize it of
>> malware with some anti-malware tools, or what?
Notice that my questions are: when you get all thru' with the
experiment, do you restore it to a clean machine (as you say flatten) or
do you sanitize it.
Notice that you don't answer forthwith:
> My 'testbed' hadn't been used for a week or two - it was completely
> flattened and burned before Christmas
This is you again saying you were starting with a flattened or clean
install...
> I also installed my Acronis True Image Home 2009 at the same time
> (bought in a box from PC World) so can re-image if I wish at any time.
... this is you saying you can image restore. But also notice that you
are not saying that you created an image before doing your abusive
malware experiment.
> FYI - I don't trust cleaning my machines with anti-malware 'tools'.
I guess this means that you won't be anti-malwaring it by way of
obliquely referring to something in my question.
> Does this help? ;)
So, then the short answer is:
... after the experiment you plan to restore from an image.
I think.
Or, else you mean, you foolishly failed to create an image using the
Acronis before you mucked up the machine with your experiment -- and
now, since you contaminated the clean install which you (it sounds like)
had *not* imaged (installing acronis isn't the same as using it to
create an image!) and now since you don't use antimalware, you will by
necessity be doing the clean/flatten install *again* and perhaps in the
future you will be making an image *before* you contaminate your system
as you did.
--
Mike Easter
Correct - but only if I feel it necessary.
> Or, else you mean, you foolishly failed to create an image using the
> Acronis before you mucked up the machine with your experiment -- and
> now, since you contaminated the clean install which you (it sounds
> like) had *not* imaged (installing acronis isn't the same as using it
> to create an image!) and now since you don't use antimalware, you will
> by necessity doing the clean/flatten install *again* and perhaps in
> the future you will be making an image *before* you contaminate your
> system as you did.
Sheeesh! I have, of course, an image of the machine when pristine and
before connecting to the internet. The machine also had MSE installed
from a memory stick before connecting to the 'net.
What on earth makes you think that my test-bed machine has been
contaminated?
>> Don't know. Don't care.
>>
>>
>>
>>
> What's up? Did you actually look at the picture to see the obvious?
> <rolling eyes>
>
>
Visited regnow, glanced at the first page. Didn't take in any details.
>>> Have you been down the pub?!!!
>>>
>> Nope. I wish.
>>
>>
> So why the sadness?
Who's sad?
> And why the re-installation?
Because I want to. No other reason.
> I have, of course, an image of the machine when pristine and
> before connecting to the internet.
You didn't actually say that before. You only said you installed acronis.
> What on earth makes you think that my test-bed machine has been
> contaminated?
Your own description^1 in this message:
Date: Wed, 13 Jan 2010 14:32:43 +0000
From: ~BD~
Subject: Re: Is this some new virus?
Message-ID: <eM2dnQSr2vwWRNDW...@bt.com>
... which (your own) description sounds like the behavior of
rogue/suspect antispyware, which Exterminate It has been accused a few
places - search on that.
That is, I don't know whether exterminateit is rogue or not, but from
what I've read, I wouldn't have installed it in a system which I wanted
to be pristine.
So my (original) question was; what will you do to make/restore it
pristine? -or (now a new question)-
Do you think simply uninstalling the app will satisfy your definition of
pristine?
^1 <q> Then I pressed a button to remove malware and was taken to a URL
which produced a 'Certificate' warning. -- I chose to ignore the warning
and proceeded to the URL. -- The address bar in IE8 turned red with a
'Certificate' warning alongside. -- I closed the window - got a pop-up
saying "don't go - discount available!" (or similar) -- I proceeded to
the next stage and was sent here: (obfuscated with xx) -- Another
'Certificate' warning was received. </q>
--
Mike Easter
No - the test machine can *not* now be considered to be pristine - not
quite! http://www.merriam-webster.com/dictionary/pristine
Just exactly what *would* you do with a pristine machine, Mike? ;)
>>> What on earth makes you think that my test-bed machine has been
>>> contaminated?
>>
>> Your own description^1 in this message:
>> So my (original) question was; what will you do to make/restore it
>> pristine? -or (now a new question)-
>>
>> Do you think simply uninstalling the app will satisfy your definition
>> of pristine?
> No - the test machine can *not* now be considered to be pristine - not
> quite! http://www.merriam-webster.com/dictionary/pristine
>
> Just exactly *would* you do with a pristine machine, Mike? ;)
This entire thread is made up of me asking you questions and your not
answering them directly or responsively.
The solution to that problem is *NOT* your asking me questions instead
of answering any of them.
If I had a pristine machine I would make an image. I would not use that
machine for such a stupid experiment as this one, but if I did/had, say
accidentally, I guess my next step would be to see if restoring my image
worked OK. That restoration is a more useful experiment.
--
Mike Easter
I carried out the experiment with a view to helping another poster -
Devils_Advocate@devils_.xxx
You help me.
In return, I try and help another.
Go ahead. Ping me and ask me a direct question about anything you like.
I promise to answer as best as I am able! ;)
> On 13/01/2010 07:37, Devils_Advocate wrote:
>> I was googling for that stuff I just posted from the log, and came
>> across a program called Exterminate It!
>>
>> Downloaded it and ran it. It claimed to have found all kinds of adware,
>> backdoors, hijacks& trojans ( 57 items in all ) but then wants bucks
>> to eliminate them. Sure. Sounds like they want bucks and you cant tell
>> if all those results are real or not.
>>
>>
> I've just read an interesting thread about Exterminate It! I wouldn't
> touch it with a barge pole!
>
> Read here!
> http://www.malwarebytes.org/forums/index.php?showtopic=5928&st=0
>
> HTH
>
The thing I read was at
http://www.malwarebytes.org/forums/index.php?showtopic=5928&st=40
"I already work 18 hours a day and don't have the time to deal with never
ending threads so let's cut to the chase.
I did a scan and your software wants $ to remove what it has found , this
is unconscionable . If the user has malware that will capture their payment
information then you have just traded a couple of bucks for potentially
destroying their credit .
If you want even one more second of time on this forum you will do one of
the following :
Allow removal for free (there is nothing wrong with even a 5 day trial for
this , hell a 1 day trial is better than typing your credit card # into an
infected machine) .
Prevent an infected scan result from allowing a user to make a purchase
online (I do not care how you go about preventing this) .
I don't want hear one word about hurting your sales or other BS because as
you can tell with 5 seconds of research on google that in one year MBAM has
made a place for itself all the while handing out a fully functional
removal tool for free."
After reading that, I exterminated "Exterminate It" from the system.
> On 13/01/2010 08:05, Devils_Advocate wrote:
>> By the way, that Exterminate It! was listed on one forum as being
>> "unconscionable" for not eliminating what it finds before asking for
>> money, being the computer it's using to ask for payment is STILL
>> INFECTED!
>>
>
> A *very* good point!
>
>> Another poster there, linked it to some russian sites, so beware!
>>
> Nasty!
>
>> But...
>>
>> Looks like I found something. Instead of keeping the PC offline, I went
>> on and DL-ed the latest defs from Avast!
>>
>> Then ran a scan and it found what was causing that wjvwbujx.sys to be
>> generated.
>>
>> Win32: rootkit-gen [rtk]
>>
>> I sent it to the chest.
>>
>>
> Has this fixed your problem?
>
No, it popped up again afterwards. It seems to have a dormant timer or
something, where everything looks fine for awhile and then it starts
sending the Viagra spams again. This sucks.
The guy at Avast! is kind enough to continue working with me on this, but
it gives me real doubts about anti-virus software.
If the free stuff cant stop it, why would I think that the stuff I might
pay for WOULD?
Can ANYTHING stop this stuff?
And of course, the best way is to arrest it before it infects the system,
which it didn't do.
> I carried out the experiment with a view to helping another poster -
> Go ahead. Ping me and ask me a direct question about anything you like.
> I promise to answer as best as I am able! ;)
Actually, I still haven't gotten a comprehensive answer to my original
question about this exact issue.
In the beginning you started with a pristine clean 'flattened' install
which had been imaged.
In the beginning you started with a 'philosophy' that if a machine
should become 'compromised' that it was your strategy/attitude to not
try to sanitize it with antimalware, but instead to restore the pristine
image.
In the middle, you decided to experiment with some shaky flaky
suspicious antimalware which debatably is considered to be suspicious of
being rogue antimalware.
In the middle, indeed you encountered some 'ugly' suspicious rogue-ish
behavior from the antimalware.
Now, here you are at the end of that particular experiment with
introducing/installing that antimalware -- which end I consider
suspicious if not downright negative, but missing any 'positive'
complaints out of MSE.
So, my question persists: given your philosophy about antimalware,
given your preparation about imaging your pristine setup, given your
exact recent experience with this antimalware exterminateit 'reactions'
What are your (next) intentions? Choose one or more or name your own:
- uninstall the exterminateit
- change your mind and use some kind of antimalware
- do absolutely nothing
- restore the original image using acronis
- something else
--
Mike Easter
Agreed
> In the beginning you started with a 'philosophy' that if a machine
> should become 'compromised' that it was your strategy/attitude to not
> try to sanitize it with antimalware, but instead to restore the
> pristine image.
Correct (or flatten and burn - then re-install. As the mood takes me!)
As I'm sure you appreciate, with 'modern' malware it is often difficult
to know when one's machine *has* been compromised.
How do *you* deal with this conundrum?
> In the middle, you decided to experiment with some shaky flaky
> suspicious antimalware which debatably is considered to be suspicious
> of being rogue antimalware.
>
> In the middle, indeed you encountered some 'ugly' suspicious rogue-ish
> behavior from the antimalware.
>
> Now, here you are at the end of that particular experiment with
> introducing/installing that antimalware -- which end I consider
> suspicious if not downright negative, but missing any 'positive'
> complaints out of MSE.
With you so far! :)
> So, my question persists: given your philosophy about antimalware,
> given your preparation about imaging your pristine setup, given your
> exact recent experience with this antimalware exterminateit 'reactions'
>
> What are your (next) intentions? Choose one or more or name your own:
>
> - uninstall the exterminateit
Yes - already done!
> - change your mind and use some kind of antimalware
I'm *already* using MSE
> - do absolutely nothing
N/A
> - restore the original image using acronis
No - not at this time (unless you can suggest a good reason for so doing!)
> - something else
Yes - switch the PC off again!.. The fans are just soo ... oo noisy when
compared to the iMac! ;)
HTH
Personally, I think I would restore the image, so that you know that
will work, unless you have already tested it.
http://www.siteadvisor.com/sites/exterminate-it.com exterminate-it.com
- (Red Verdict Image) - McAfee TrustedSource web reputation analysis
found potential security risks with this site. Use with extreme caution.
<follows a big defense presentation by the site's owner> <follows a
bunch of back and forth green and red tagged dialog - more red than
green which red means the poster rated it adware, spyware, or viruses>
One example: Rogue security, fake antivirus distribution site, detected
and listed by hpHosts Online. Find more details at http://hosts-file.net
At hosts-file, the site is classified as FSA which is not the worst
classification (EXP or EMD), but...
FSA - sites engaged in the selling or distribution of bogus or
fraudulent applications -- This classification is assigned to site's
being used for the distribution of "rogue" security or other such
applications, for example: SpyHunter, SpyFalcon, SpywareQuake,
AdwareAlert etc
--
Mike Easter
Every time I reboot her PC, it pops right back up again.
win32: rootkit-gen
win32: zbot-mns
win32: trojan-gen
win32: mebload-b
Avast! keeps finding and putting them in the chest and they pop right back up
on the next reboot and start sending out those spams!
People who write stuff like this, should be tracked down and publicly shot.
Good job!
I did too ..... and a System Restore as well!
Did you do that too?
Not that you aren't having a lot of fun and meaningful experience, but
what would be the big disadvantage of blasting off that install and
having a clean install?
> Every time I reboot her PC, it pops right back up again.
>
> win32: rootkit-gen
> win32: zbot-mns
> win32: trojan-gen
> win32: mebload-b
>
> Avast! keeps finding and putting them in the chest and they pop right back up
> on the next reboot and start sending out those spams!
The only 'attack' which you have described using is that of Avast and
whatever instructions the Avast support sent you.
There are a lot of other useful agents which you have not described using.
--
Mike Easter
Do you remember me saying this earlier? ;)
"Probably best to save all files you want to keep on other media
(CD/DVD/external hard drive) then flatten and burn your machine. Make
sure you delete all partitions in the process!
Good luck! "
Having been 'experimenting' with 'bad stuff' for years now, I know from
experience that it's the best way to go.
It's no good going on-line *before* you have an AV installed. You may be
infected in minutes - and not even know it!
It's the Wild, Wild, Web out there! :)
> The guy at Avast! is kind enough to continue working with me on this,
> but it gives me real doubts about anti-virus software.
You don't have a virus, so why would anti-virus software fix it? :-)
Just checking: have you given the Avast guy the name of the trojan you
mentioned in another post?
You describe (and named) a trojan. You should be using anti-trojan
software, such as MBAM and SuperAntiSpyware.
--
-bts
-Four wheels carry the body; two wheels move the soul
> On 13/01/2010 21:11, Devils_Advocate wrote:
>> After reading that, I exterminated "Exterminate It" from the system.
>
> Good job!
>
> I did too ..... and a System Restore as well!
>
> Did you do that too?
>
>
Don't use System Restore.
> Devils_Advocate wrote:
>> This is disgusting. I've literally spent a couple of days of time on
>> this.
>
> Not that you aren't having a lot of fun and meaningful experience, but
> what would be the big disadvantage of blasting off that install and
> having a clean install?
Trying to find the darn disk. We moved and some things are still in boxes,
we know not where...
>> Every time I reboot her PC, it pops right back up again.
>>
>> win32: rootkit-gen
>> win32: zbot-mns
>> win32: trojan-gen
>> win32: mebload-b
>>
>> Avast! keeps finding and putting them in the chest and they pop right
>> back up on the next reboot and start sending out those spams!
>
> The only 'attack' which you have described using is that of Avast and
> whatever instructions the Avast support sent you.
>
> There are a lot of other useful agents which you have not described
> using.
I've used Malwarebytes too, it doesn't do a thing, and HijackThis, which
also doesn't help, nor does AdAware.
My big problem is not knowing what else might fix this, so I can avoid DL-
ing something that may add to the problem instead.
> On 13/01/2010 22:31, Devils_Advocate wrote:
She likes to do surveys and stuff, and gets tons of adware that way.
My PC has been fine without a major infection since 1987. ( yes, I started
in MSDOS ) Been on the net since 1994 though.
I don't interpret that as an instruction!
Rather that you are advising me that *you* don't use the facility. If
the latter ..... *why* don't you use System Restore? <puzzled>
Have you cleared all old restore points?
Your AV may be picking up nasties held there in the cache.
> In 24hoursupport.helpdesk, Devils_Advocate wrote:
> [Mickeysoft test group removed]
>
>> The guy at Avast! is kind enough to continue working with me on this,
>> but it gives me real doubts about anti-virus software.
>
> You don't have a virus, so why would anti-virus software fix it? :-)
> Just checking: have you given the Avast guy the name of the trojan you
> mentioned in another post?
>
> You describe (and named) a trojan. You should be using anti-trojan
> software, such as MBAM and SuperAntiSpyware.
>
I guess I don't know a whole lot about these things, but will try them, thanks
Shaggy.
I did a little web reading on them though, describing backdoors, root
infections etc. Sounds truly nasty.
> On 14/01/2010 02:36, Devils_Advocate wrote:
>> ~BD~<BoaterDave'remo.ve'@hotmail.co.uk> wrote :
>>
>>
>>> On 13/01/2010 21:11, Devils_Advocate wrote:
>>>
>>>> After reading that, I exterminated "Exterminate It" from the system.
>>>>
>>> Good job!
>>>
>>> I did too ..... and a System Restore as well!
>>>
>>> Did you do that too?
>>>
>>>
>>>
>> Dont use System Restore.
>>
>>
>
>
> I don't interpret that as an instruction!
>
> Rather that you are advising me that *you* don't use the facility. If
> the latter ..... *why* don't you use System Restore? <puzzled>
>
> Have you cleared all old restore points?
>
> Your AV may be picking up nasties held there in the cache.
>
No, we haven't used them on either computer.
> Kadaitcha Man <an...@no.email> clouded the waters of pure thought with
> news:cd7f6k$1g4$x...@tongue-tied-pig-meat.biz.solomon-islands:
>
>> "Devils_Advocate", thou currish dog easily won to fawn on any man.
>> Lord, how subject ye old men are to this vice of lying. Ye made public:
>>
>>> By the way, that Exterminate It! was listed on one forum as being
>>> "unconscionable" for not eliminating what it finds before asking for
>>> money, being the computer it's using to ask for payment is STILL
>>> INFECTED!
>>>
>>> Another poster there, linked it to some russian sites, so beware!
>>>
>>> But...
>>>
>>> Looks like I found something. Instead of keeping the PC offline, I
>>> went on and DL-ed the latest defs from Avast!
>>>
>>> Then ran a scan and it found what was causing that wjvwbujx.sys to be
>>> generated.
>>>
>>> Win32: rootkit-gen [rtk]
>>>
>>> I sent it to the chest.
>>
>> Format and clean install.
>>
>>
> You owe Dan C some royalties now.
I was doing it donkeys' years ago. In this case, it also happens to be
the right answer.
You no doubt have good reason(s) why you didn't answer my question.
Might wanna use a disc overwrite proggy before to clean the smeg
out...
--
http://home.comcast.net/~wizardofwhimsy/index.html
cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
> On 14/01/2010 06:03, Devils_Advocate wrote:
>> ~BD~<BoaterDave'.remove'@hotmail.co.uk> wrote :
>>
>>
>>> On 14/01/2010 02:36, Devils_Advocate wrote:
>>>
>>>> ~BD~<BoaterDave'remo.ve'@hotmail.co.uk> wrote :
>>>>
>>>>
>>>>
>>>>> On 13/01/2010 21:11, Devils_Advocate wrote:
>>>>>
>>>>>
>>>>>> After reading that, I exterminated "Exterminate It" from the system.
>>>>>>
>>>>>>
>>>>> Good job!
>>>>>
>>>>> I did too ..... and a System Restore as well!
>>>>>
>>>>> Did you do that too?
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Dont use System Restore.
>>>>
>>>>
>>>>
>>>
>>> I don't interpret that as an instruction!
>>>
>>> Rather that you are advising me that *you* don't use the facility. If
>>> the latter ..... *why* don't you use System Restore?<puzzled>
>>>
>>> Have you cleared all old restore points?
>>>
>>> Your AV may be picking up nasties held there in the cache.
>>>
>>>
>> No, we havent used them on either computer.
>>
>>
> You no doubt have good reason(s) to have disabled System Restore.
>
> You no doubt have good reason(s) why you didn't answer my question.
>
Maybe I don't understand exactly what you're asking.
> Devils_Advocate wrote:
>
>> The guy at Avast! is kind enough to continue working with me on this,
>> but it gives me real doubts about anti-virus software.
>>
>> If the free stuff cant stop it, why would I think that the stuff I might
>> pay for WOULD?
>>
>> Can ANYTHING stop this stuff?
>
> 1: Stop looking at suspect websites.
>
> 2: Install and use Linux instead. Ubuntu installs in around 10-15
> minutes these days.
Ubuntu???
Will it run AutoCAD for XP?
> 3: Format your hard drive.
System Restore is a component of Microsoft's Windows Me, Windows XP,
Windows Vista and Windows 7 operating systems that allows for the
rolling back of system files, registry keys, installed programs, etc.,
to a previous state in the event of malfunctioning or failure.
> Andy <no@invalid> wrote :
>> 2: Install and use Linux instead. Ubuntu installs in around 10-15
>> minutes these days.
>
> Ubuntu???
http://ubuntu.com/ a rather nice operating system
> Will it run AutoCAD for XP?
Probably not. However, unless you expressly need the high end stuff,
there are Linux-based 'autocad' programs that might suffice.
[snipped odd test newsgroup]
--
-bts
-Linux viruses: a few dozen, and they only exist in the lab
-Mac viruses: maybe a hundred, and also mostly in the lab
-Windows viruses: I've lost track; do we have a quarter-million yet?
I looked for it when they suggested disabling it to help rid the PC of this
mess, but it said that it was disabled by the administrator, which is weird
because we got it from Dell and she doesn't know a thing, and I wouldn't have
done it.
> Devils_Advocate wrote:
>
>> Andy <no@invalid> wrote :
>>> 2: Install and use Linux instead. Ubuntu installs in around 10-15
>>> minutes these days.
>>
>> Ubuntu???
>
> http://ubuntu.com/ a rather nice operating system
>
>> Will it run AutoCAD for XP?
>
> Probably not. However, unless you expressly need the high end stuff,
> there are Linux-based 'autocad' programs that might suffice.
>
Groovy and all, but all my software is for XP and I DO have a registered pack
of AutoCAD here.
Ok then. If you get tired of fighting viruses and such, consider having
a look again at Linux OS and software. Generally, there is a replacement
for just about everything you can do in Windows.
> Devils_Advocate wrote:
Heh....
This sucks.
Yes...yes it does.
Use a drive wiping software and harden your system before you get
back out on the internets tubes.
Best of luck.
^_^
> "Devils_Advocate" <Devils_Advocate@devils_.xxx> clouded the waters
> of pure thought with
> news:OY2dnb8AV91eSs3W...@forethought.net:
>
>> Jeez, the Avast! guy told me to try booting in safe mode and
>> reinstall Avast! and run it, but the PC wont even boot in safe
>> mode now, it crashes.
>>
>> This sucks.
>>
> Yes...yes it does.
> Use a drive wiping software and harden your system before you get
> back out on the internets tubes.
>
> Best of luck.
> ^_^
>
I contacted Dell, they're nice enough to send us a new OS disk, even though
we bought the PC in 2005. So that will be coming soon at least.
But I'm still frustrated about protection software.
Ok, so there's no one thing that will protect your PC 100%, but a bunch of
free scanners and other products out there that cost money.
So what do you have to do, to be safe then? Or is it even possible?
I mean, I could literally pay hundreds for the registered versions of half
a dozen programs that are supposed to shield my PC, but then will they even
work?
I can just Feeeeeel your frustration DA!
Do this:
Download MSE from Microsoft onto a clean machine from here
http://www.microsoft.com/security_essentials/?mkt=en-us
Save the programme to a Memory Stick/Thumb Drive
Install MSE on your pristine machine *before* you connect it to the Internet
From then on always assume that you will have to reinstall again (and
again and again!) so make sure you back-up
important items and store them on CD/DVD's or an external hard drive.
This slightly out of date article (MSE itself is fairly new) may be of
help to you!
OR
http://snurl.com/u3p1s (same place!)
HTH
ROTFPMSL!!!!!!!!!
Yeah, sure, whatever.
Thanks.
I don't want to look a gift ( trojan? ) horse in the mouth, but there seems
to be a teensie bit of irony in Microsoft offering that, given their
propensity for developing OS' you could drive a trojan horse through? LOL
Oh the puns, oh the humanity... LOL
Aren't data files corruptible by the foul products of these two legged vermin,
or do they just go for the system files?
I'm not a computer guru but believe *any* file can be corrupted. That is
why any 'data' stored external to one's PC
should be scanned by an anti-malware programme before installing onto a
pristine machine. My personal view, from
all that I've gleaned from many sources, is that after installing one's
operating system (talking Microsoft here!) the
very first thing necessary *nowadays* (much has changed in recent years)
is the installation of an anti-virus programme.
That's before going on-line and *before* loading items from one's
back-up sources!
> Sidebar question. You mentioned backing up only data as a strategy and
> being prepared to reload the OS.
That's one strategy, and a good one. Might depend on the amount of data
you have. I know some people that have no more data than this week's
email messages. Others have terabytes of video and music. Some even
have CAD/CAM data. <g>
> Arent data files corruptible by the foul products of these two legged
> vermin, or do they just go for the system files?
Sure. Any file can be attacked, but what is the frequency? I'd say these
days your data is likely to be left alone, because the miscreant is more
interested in using your computer as part of a bot-net for sending
thousands of spam emails.
As long as you're only downloading Windows updates, behind a firewall,
you don't need to install the AV product before you do all the updates.
The key is knowing what you're doing and what the threats are, not
guessing.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam9...@rrohio.com (remove 999 for proper email address)
> .. is that after installing one's operating system (talking Microsoft
> here!) the very first thing necessary *nowadays* (much has changed in
> recent years) is the installation of an anti-virus programme.
>
> That's before going on-line and *before* loading items from one's
> back-up sources!
No, the first thing is to have some sort of firewall in place. Your
Windows computer could be found and owned before you ever updated your
anti-virus program's database.
Tell me, how do *you* stay ahead of the *bad guys* - no-one else can, or
so it seems!
I just don't believe that *you* know what *tomorrow's* threat will be.
Sorry. :-(
Most AV products nowadays will afford at least *some* protection, even
if not fully up-to-date. I still believe that loading an AV programme,
before connecting to the Internet, is good practice. YMMV.
I also believe that a firewall (software) is insufficient protection.
IMO a SOHO router is *essential* before going on line!
> but what is the frequency?
Kenneth.
--
Algy met a bear
The bear was bulgy
The bulge was Algy
You're wrong, many people stay way ahead of the bad-guys by properly
filtering content from their connections - it's the only way to stay
ahead of them.
> I just don't believe that *you* know what *tomorrow's* threat will be.
> Sorry. :-(
Ah, that's why it's so obvious that you don't know what you're talking
about most of the time, when it comes to threat protection.
If you don't visit sites that are bad, if you block content in html
sessions, if you block attachment types in SMTP..... If you remove bogus
headers, url hacks, etc.....
That's the beautiful thing about blocking based on the threat types - if
you know what types of files to block from entry, and I'm talking about
extension types, not actual file names, then you don't have to know what
the next threat is, you already know how to prevent it.
> Most AV products nowadays will afford at least *some* protection, even
> if not fully up-to-date. I still believe that loading an AV programme,
> before connecting to the Internet, is good practice. YMMV.
>
> I also believe that a firewall (software) is insufficient protection.
> IMO a SOHO router is *essential* before going on line!
A soft firewall is only good if it's not running on the computer you're
using. In almost all cases, your windows firewall is less protective
than a NAT router, when used/configured by the typical computer user.
BD, if you understood ANYTHING about security you would not make
assumptions, you would learn from others.
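The extension-type blocking described in the post above, as an added example that is not code from the thread: a small Python attachment scanner that parses a mail message and refuses attachments by file extension type rather than by file name. The blocklist contents and the sample message are assumptions constructed for the example; the scanner also checks every dotted segment of a name, so a double extension such as Invoice.PDF.exe is still caught.

```python
import email
from email import policy

# Assumed blocklist of extension types (not a list from the thread):
# file types that execute or run scripts are refused whatever the name.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js",
    "jse", "wsf", "hta", "cpl", "msi", "reg", "lnk", "sys",
}

# Constructed sample message: a text body, a harmless attachment and an
# executable hidden behind a double extension.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
Subject: Your invoice
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached files.
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--XYZ
Content-Type: application/octet-stream; name="Invoice.PDF.exe"
Content-Disposition: attachment; filename="Invoice.PDF.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

def blocked_extension(filename):
    # Check every dotted segment after the first, so the double
    # extension 'Invoice.PDF.exe' is caught on 'exe' regardless of case.
    for ext in filename.lower().split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return ext
    return None

def scan_message(raw):
    # Parse a raw RFC 822 message; return (filename, extension) for
    # every attachment whose name matches the blocklist.
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = blocked_extension(name)
        if ext:
            hits.append((name, ext))
    return hits
```

Run against the constructed message, scan_message reports only the disguised executable; a mail gateway would reject or quarantine the message on any hit.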