Thursday, December 25, 2008

Worm - WYAutoIT Sohanad Imaut Variant REMOVAL

Symptoms:

> There is an AutoIT script error which appears very often (screenshot attached):

Line 0 (File "C:\Windows\system32\SVCIICHOST.exe");
$mang[$i] = "\\" & $read
^ ERROR
Error: Array Variable has incorrect number of subscripts or subscript dimension range exceeded.

> the following entries are detected by HijackThis

F2: REG:system.ini: Shell=Explorer.exe SVIICHOST.exe

D4: HKCU\..\Run: [Yahoo Messengger] C:\windows\system32\SVIICHOST.exe
Further to the Symantec / Sophos details, I checked for New Folder.exe and this is there:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Value: "shared" = "\New Folder.exe"

> There is a scheduled task entry which enables SVIICHOST.exe to run daily
c:\windows\tasks\AT1.* is found.

> Task Manager and Registry Editor are disabled.

> SVIICHOST.exe is found running as an active process.

> During an online scan, ClamAV is supposed to detect it, but neither ClamWin 0.94.1 nor the latest version of WinClamAVShield detects it.

> It creates .exe files named after all the folders opened, just like any other autorun-type worm, thereby spreading very easily through removable drives (that's how my colleague got it in the first place).

> While running Messenger, strange messages are broadcast every now and then.

> A host of reported file names is available here - http://www.threatexpert.com/threats/w32-yautoit.html - which shows how variable and masquerading this is. The threat level might be low, but just a while ago I logged on to our storage server and it is fully infected with the <folder name>.exe files....

> Broadcasts messages like this to all of your messenger contacts:

"E may, vao day coi co con nho nay ngon lam http://nhattruongquang.0catch.com"

"Vao day nghe bai nay di ban http://nhattruongquang.0catch.com"

"Biet tin gi chua, vao day coi di http://nhattruongquang.0catch.com"

"Trang Web nay coi cung hay, vao coi thu di http://nhattruongquang.0catch.com"

"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? http://nhattruongquang.0catch.com"

"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... http://nhattruongquang.0catch.com"

More error messages may be present on the system...

To remove it, just follow the Standard Removal Procedure Guide.
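As an added example (not code from the post), a small Python triage helper that reads HijackThis-style F2/O4 lines like the ones quoted above and flags the pairing this worm relies on: an extra executable chained onto the Shell= value, plus a Run entry that launches that same binary. The log lines inside it are constructed; the ctfmon and genuine Yahoo Messenger lines are assumed benign controls.

```python
import re
from typing import List

# Constructed sample in HijackThis style, modelled on the F2/O4 entries quoted above.
# The ctfmon line and the correctly spelled "Yahoo Messenger" line are benign controls.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe SVIICHOST.exe
O4 - HKCU\\..\\Run: [Yahoo Messengger] C:\\windows\\system32\\SVIICHOST.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Yahoo Messenger] C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe -quiet
"""

# Tolerate both "F2 - REG:" (real HijackThis output) and "F2: REG:" (as typed in the post).
SHELL_RE = re.compile(r"^F2\s*[-:]\s*REG:system\.ini:\s*Shell=(.*)$", re.I)
RUN_RE = re.compile(r"^O4\s*[-:]\s*(HK\w+\\\.\.\\Run\w*):\s*\[(.*?)\]\s*(.*)$", re.I)
# First "name.exe" token in a value, ignoring directories, quotes and arguments.
EXE_RE = re.compile(r'[^\\/"\s]+\.exe', re.I)


def triage(log_text: str) -> List[str]:
    """Return human-readable findings for the Shell= hijack and its matching Run entry."""
    findings: List[str] = []
    shell_extras = set()   # executables chained onto the Explorer shell
    run_entries = []       # (hive\key, value name, command line)
    for line in log_text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            exes = [e.lower() for e in EXE_RE.findall(m.group(1))]
            extras = [e for e in exes if e != "explorer.exe"]
            if extras:
                shell_extras.update(extras)
                findings.append(
                    f"Shell= hijack: extra shell executable(s) {', '.join(extras)}")
            continue
        m = RUN_RE.match(line)
        if m:
            run_entries.append(m.groups())
    # A Run entry is only flagged when it starts the very binary hooked into Shell=;
    # the legitimate Yahoo Messenger entry is therefore left alone.
    for key, name, target in run_entries:
        hit = EXE_RE.search(target)
        exe = hit.group(0).lower() if hit else ""
        if exe in shell_extras:
            findings.append(
                f"Run entry [{name}] under {key} starts the shell-hijack binary {exe}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```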

Sunday, December 7, 2008

Standard Procedure on removing virus,spyware,malware and trojans

Standard Procedure to Remove Viruses, Trojans, Malware and Spyware from Windows! - proven and tested in I.T. departments, internet cafes, offices and homes

Follow this guide.

1.) Download these files and the removal tools needed!
Download ComboFix
Download ATF Cleaner
Download COMODO Firewall with AntiVirus
(These are all the tools you need.) If there is an update I will update this guide. Please leave a comment or question, or post to our forum if you need help with something.

2.) After downloading all the files, unplug your network cable or your wireless connection; make sure you are not connected to the network, just to be safe.

Some infections put malicious lines into your hosts file. We will reset your hosts file with HostGuard, but you can do this later.

2.) (You can skip this part and go to step 3.)
* Download HostGuard.zip to your desktop and unzip the contents. HostGuard can be downloaded here at haktech.
* Install HostGuard.
* Run HostGuard and click Fix Windows Host - this will fix your Windows hosts file.
* Close or hide HostGuard.
(You can skip this part.)

If you or Spybot-S&D have added modifications to your hosts file, they will need to be re-added.
Or you can use HostGuard to guard your Windows hosts file, which is much better.

3.) Run ATF-Cleaner: click Main, Check All, and click Empty Selected. Then, if you have Mozilla Firefox, click Firefox, Select All, then Empty Selected; do the same for Opera if you have it on your system. (NOTE: just to make sure, but you can skip this part if you want.)

4.) # Close any open browsers before we start the removal process.
# Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* Now make sure all windows are closed and no browser is open, and also make sure you are unplugged from the network;
if you are using wireless, make sure you have turned it off.

ComboFix will search for and remove all known threats, so keep your ComboFix updated!

Restart your computer after completing these steps.
This will remove Explorer.exe.

(Remember to send a thanks ;) )
Guide Copyright by Mark Sheldon Wong
Http://haktech.blogspot.com
Area51.Network - Nsfive.Net
Webcargo.Networks
