Virus warning!!!

LFX (Expert Member, joined Jul 26, 2007, Cape Town)
Approximately 15 minutes ago my antivirus software reported two trojans, which I chose to delete immediately. But 3 to 4 minutes down the line these files would reappear, so they were being spawned somehow.

I checked my connection log and discovered a suspicious connection by explorer.exe to 207.126.115.245 (ninja.chatx.net) on port 3211.

After blacklisting this IP address the respawning stopped.

So I was sure that this was the culprit. However, I wanted to make sure, so I allowed the system to connect to it again.

What this connection actually does is initiate a new connection, also through explorer.exe, to 213.193.4.11 (members-tmm.vip.lycey.net) on the default HTTP port 80.

This is where the two malicious files are downloaded from.

They are as follows:

asdsdsdss.exe
Mywife[1].exe

Avast reports them as containing Win32:Trojan-gen {Other}.
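A check for the kind of connection described above, as an added example that is not part of the original post: it lists live TCP connections owned by explorer.exe whose remote address is outside private, loopback and link-local ranges, which is what the poster spotted by hand in a connection log. The function names and the private-range helper are my own; the script needs the NetTCPIP cmdlets (Windows 8 / Server 2012 or later) and only reports, it changes nothing.

```powershell
# Added example, not code from the thread. Lists live outbound TCP
# connections owned by explorer.exe whose remote address is not private,
# loopback or link-local. The Windows shell rarely needs such connections,
# so each hit deserves a closer look, as the connection on port 3211 did here.
# Requires the NetTCPIP module (Windows 8 / Server 2012 or later).

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges, loopback, link-local, ULA and unspecified addresses
    return ($Ip -match '^10\.' -or
            $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.' -or
            $Ip -match '^127\.' -or
            $Ip -match '^169\.254\.' -or
            $Ip -match '^(fe80:|fc|fd)' -or
            $Ip -in @('0.0.0.0', '::', '::1'))
}

function Get-SuspiciousExplorerConnections {
    # One explorer.exe runs per logged-on session, so collect every PID
    $explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Id)
    if ($explorerPids.Count -eq 0) { return }

    Get-NetTCPConnection -OwningProcess $explorerPids -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.State -eq 'Established' -or $_.State -eq 'SynSent') -and
            -not (Test-PrivateAddress $_.RemoteAddress)
        } |
        ForEach-Object {
            $conn = $_
            # A reverse lookup puts a name to the address, the way the
            # poster's log did; a failed lookup is recorded, not fatal
            $hostName = '(no PTR record)'
            try { $hostName = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName } catch { }
            [PSCustomObject]@{
                ProcessId  = $conn.OwningProcess
                Local      = "$($conn.LocalAddress):$($conn.LocalPort)"
                Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
                RemoteHost = $hostName
                State      = $conn.State
            }
        }
}

Get-SuspiciousExplorerConnections | Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt while the machine is idle; an empty table is the expected result on a clean system, and anything listed should be matched against what the user was actually doing at the time before it is treated as malicious.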
 
Congratulations, your PC is now participating in a Botnet.
 
Hmm, no Daffy, like I said, the IP is blacklisted. I just have to replace explorer.exe with an uninfected version.

@veroland: that must be one hell of a resource hog. I suggest you format and reinstall lol
 
The C&Cs of botnets move the whole time, and I'm pretty sure they've got their hooks into you in more than one place.
Don't think you've fixed it just yet. Keep an eye on things, and look out for any funny-looking network traffic.
 
ISP McColo Shut Down After Connection Found To Spammers

ISP McColo was taken offline Tuesday by its upstream ISP after a research report by several security vendors alleged McColo helped cybercriminals promote spam, online fraud and child pornography.

Gives a bit of insight into how botnet herders operate.

I just wish every single ISP would block these siff guys permanently....
 
Help please!!

Lord Fubar, can you help me with a couple of things?

1 How do I blacklist IPs and hosts?
2 Where can I download an uninfected copy of explorer.exe?
3 In which path were the files that contained the virus?

Thanx a lot
 
Boot your PC into Safe Mode (switch it on, press F8 repeatedly and choose Safe Mode).

Press Ctrl+Alt+Del and click File > New Task, type in msconfig and press Enter. Check the services (hide all Microsoft services and disable everything except Microsoft) and disable all startup entries except Microsoft. Explorer.exe shouldn't be "infected" per se, so just check your Startup items first.

Look for and delete these registry keys if present (File > New Task in Task Manager and type regedit):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

Get Trend Rubotted:
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

Get Spybot Search and Destroy with latest definition updates:
http://www.spybot.com/en/spybotsd/index.html

Run a scan with Spybot first (you may need to do it in normal mode, after configuring startup items). Clean all spyware/trojans, then install Trend Rubotted and let it run.

After that, get an antivirus program; Avast! Home Edition is free and works pretty well.

You can also conduct online virus scans here (use Internet Explorer):
http://www.eset.com/onlinescan/
http://www.pandasecurity.com/homeusers/solutions/activescan/
http://www.bitdefender.com/scan8/ie.html
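As an added example, not the replying poster's own instructions, covering the registry step above and question 1 about blacklisting an address: a Debugger value under an Image File Execution Options subkey makes Windows start the named program instead of the image, so a malicious entry for explorer.exe would relaunch a dropper every time the shell starts. The script lists any IFEO subkey that carries a Debugger value, lists the Run/RunOnce entries that msconfig's Startup tab reads, and provides a function that adds an outbound block rule for one address through netsh advfirewall (Vista or later, elevated prompt). The function names are mine; nothing is deleted automatically, the findings are for review.

```powershell
# Added example, not code from the thread. Audits the persistence points
# the reply above points at and offers a firewall block for an address.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntries {
    param([string]$Root = $ifeoRoot)
    # A Debugger value here redirects every launch of <Image> to another
    # program. Legitimate entries are rare outside developer machines, so
    # list them all for review rather than deleting blindly.
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [PSCustomObject]@{
                Image    = $_.PSChildName
                Debugger = $debugger
                Key      = $_.Name
            }
        }
    }
}

function Get-StartupRunEntries {
    # The same Run/RunOnce keys that msconfig's Startup tab shows
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Drop the PS* bookkeeping properties Get-ItemProperty adds
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

function Block-RemoteAddress {
    param([Parameter(Mandatory)][string]$Address)
    # Adds an outbound block rule for one address; needs an elevated prompt.
    # Addresses change hands over time, so confirm the current owner before
    # reusing an old indicator such as the ones quoted in this thread.
    $ruleName = "Block outbound to $Address"
    & netsh advfirewall firewall add rule "name=$ruleName" dir=out action=block "remoteip=$Address" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed for $Address (run as Administrator?)"
    }
}

Write-Host 'IFEO subkeys with a Debugger value (normally none on a clean system):'
Get-IfeoDebuggerEntries | Format-Table -AutoSize

Write-Host 'Startup Run/RunOnce entries (compare against known software):'
Get-StartupRunEntries | Format-Table -AutoSize

# Example call for question 1; the address is a constructed placeholder
# Block-RemoteAddress -Address '203.0.113.10'
```

The audit functions read the registry only, so they are safe to run in Safe Mode before touching anything; an IFEO Debugger entry for explorer.exe or iexplore.exe that points at an unfamiliar executable is the finding the reply is asking you to remove. The block rule is a stopgap that stops the download the first poster observed, not a cleanup, which is why the rest of the reply still applies.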
 
Get NOD32 and ZoneAlarm, it will be the end of your problems.
 