AnonyTerrorNinja
Minmatar Buggers' Advanced Interstellar Transport
Posted - 2009.03.04 15:03:00 - [1]
Just a little heads up.
I managed to get this charming little worm/trojan from my friend's PC recently... I'd already seen iterations of it (which were thankfully blocked by my antivirus) in October/November that were managing to find their way onto his mom's computer (she's clueless when it comes to protecting her computer and turns her antivirus off just to get rid of the messages warning her about unsafe files; great going, huh?).
I'm not sure of all of what this one is capable of, but I do know that my NOD32 is now unable to find or remove it, obvious as it is.
Easiest way to see if you have it on your system is to go find its obnoxious entry in your registry at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
And look for an entry to run the file at "%root%\%windows%\system32\ohlwref.exe"
Even if you find it and delete that entry, it won't clean your system outright as this little bastard is doing a lot to stay alive.
Once I get a concrete method of removing it I'll post it here.
(For those of you who don't want to go into your registry, just open any folder and click 'Tools -> Folder Options -> View -> Show hidden files and folders' and click OK. Open the same process again; if it's reverted to 'Do not show hidden files and folders', then that's the worm keeping itself hidden.) ---
Incognito - Fierce - Deadly - IFD (Intergallactic Federation of Dummies) aka ATN
Ikari Dimji > I mustn't run away... I MUSTN'T RUN AWAY... I MUSTN'T RUN AWA- ooh, skittles! :D
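The two checks in the post above (the Run key and the hidden-files option that keeps reverting) can be done from a PowerShell prompt instead of by hand. This is an added example, not code from the thread: it lists every autorun entry under the usual Run/RunOnce keys, flags any command line that mentions the file name the post gives (ohlwref.exe), then sets Explorer's "show hidden files" values and reads them back after ten seconds to see whether something on the machine is resetting them. It assumes PowerShell 2.0 or later and a standard registry layout; the ten-second window and the output format are illustrative.

```powershell
# Added example, not from the original thread.
# Assumptions: PowerShell 2.0+, default XP/Vista/7 registry layout; the file name
# in $Suspect comes from the post above, everything else here is illustrative.

$Suspect = 'ohlwref\.exe'   # regex; change if the dropper uses another name

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Enumerate every autorun value and mark the ones that reference the suspect file.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip the provider's own PSPath etc.
        $cmd  = [string]$p.Value
        $flag = if ($cmd -match $Suspect) { 'SUSPECT' } else { '       ' }
        '{0} {1,-60} {2} => {3}' -f $flag, $key, $p.Name, $cmd
    }
}

# 2. Explorer's "Show hidden files and folders" option: Hidden=1 shows them, Hidden=2
#    hides them; ShowSuperHidden=1 additionally shows protected operating-system files.
#    Set both, wait, and read them back: if they flip back on their own, something
#    running on the box is actively enforcing the hidden state.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
Start-Sleep -Seconds 10
$now = Get-ItemProperty -Path $adv
if ($now.Hidden -ne 1 -or $now.ShowSuperHidden -ne 1) {
    Write-Warning 'Hidden-file settings were reverted within 10 s: something is actively resetting them.'
} else {
    'Hidden-file settings held for 10 s; no active tampering observed in that window.'
}
```

A clean result from the second check only says nothing touched the values during the window; a longer wait, or repeating it after opening an Explorer window, gives the malware more chances to show itself. Deleting a flagged Run value removes one foothold, nothing more, exactly as the post warns.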
Cedric Diggory
Perfunctory Oleaginous Laocoon Mugwumps
Posted - 2009.03.04 15:33:00 - [2]
Download a Linux Live CD of your choice (with NTFS support). Boot, mount and delete.
Log back into Windows and clean up the aftermath.
---
Originally by: 7shining7one7 a) there are no conspiracies whatsoever b) those who believe there are are nuts
Taedrin
Gallente Golden Mechanization Protectorate
Posted - 2009.03.04 16:01:00 - [3]
Originally by: Cedric Diggory Download a Linux Live CD of your choice (with NTFS support). Boot, mount and delete.
Log back into Windows and clean up the aftermath.
Perhaps the trojan has other services that will recreate the file? Removing well-crafted viruses and trojans is a lot harder than simply deleting a single file, especially if it's a *true* virus which infects other files that you use.
On an aside: the reason your computer got infected was that you were running as an administrator. This is one of the largest complaints with Windows: virtually ALL software requires you to give it administrator privileges to function or install properly. This is very bad behavior, as you are essentially giving that program permission to **** your computer. If you never run ANY program as an administrator, you will be protected from 99% of malware. The only malware that you can be infected by is stuff that uses security vulnerabilities to gain admin privileges without user intervention.
A better behavior is to have Linux-style permissions, where if a user accidentally executes a trojan or virus, he can only screw over his own files; system files remain safe and unaffected so long as you don't execute the malware with root privileges.
Cedric Diggory
Perfunctory Oleaginous Laocoon Mugwumps
Posted - 2009.03.04 16:08:00 -  [4]
Quote: Perhaps the trojan has other services that will recreate the file? Removing well crafted viruses and trojans is a lot harder than simply deleting a single file - Especially if it's a *true* virus which infects other files that you use.
This is absolutely true. However, experience has taught me that in 99% of cases using another operating system to remove one or two offensive files will allow the point-and-click Windows antivirus/malware tools to do their job where otherwise they could not.
Taedrin
Gallente Golden Mechanization Protectorate
Posted - 2009.03.04 16:12:00 - [5]
I suppose the only danger to that is if system boot files have somehow gotten infected and restore the malware to full functionality before the anti-virus gets a chance to do a scan. Perhaps we should also suggest that he do the virus scan under safe mode? Or better yet, run a virus scan FROM Linux on the Windows partition. That's one of the main reasons why Linux even HAS virus scanners, isn't it?
AnonyTerrorNinja
Minmatar Buggers' Advanced Interstellar Transport
Posted - 2009.03.04 16:14:00 - [6]
Edited by: AnonyTerrorNinja on 04/03/2009 16:15:07
Cedric, in this one's case, it does infect other files and creates several services (even embedding itself into some other services' files so that if its own stuff gets removed, it can simply recreate itself using them).
With regards to the administrator user comment, I guess that's where I went wrong.
I'd reinstalled Windows again recently, and in my frustration at having to deal with a scratched disc and having to dump the install files to my hard drive to install from there, after formatting the partition to FAT32 and a host of other crap, I no doubt forgot to create my profile as a normal user instead of an admin. -_-'
Oh well, guess it's time for another hearty formatting, if I can't get this blasted thing removed! :D
*ATNinja edit*
Oh, and I have myself an Ubuntu live disc and such lying around here somewhere, but you don't want to know what my study-slash-bedroom looks like right now...
Cedric Diggory
Perfunctory Oleaginous Laocoon Mugwumps
Posted - 2009.03.04 16:16:00 - [7]
Originally by: Taedrin I suppose the only danger to that is if system boot files have somehow gotten infected and restore the malware to full functionality before the anti-virus gets a chance to do a scan. Perhaps we should also suggest that he do the virus scan under safe mode? Or better yet, run a virus scan FROM Linux on the Windows partition. That's one of the main reasons why Linux even HAS virus scanners, isn't it?
Yup, throw CLAM at it and it'll no doubt clean it up, no bother. However, depending on the voracity of the malware, you might find Windows totally unbootable afterwards.
Taedrin
Gallente Golden Mechanization Protectorate
Posted - 2009.03.04 16:22:00 - [8]
Originally by: AnonyTerrorNinja Edited by: AnonyTerrorNinja on 04/03/2009 16:15:07 Cedric, in this one's case, it does infect other files and creates several services (even embedding itself into some other services' files so that if its own stuff gets removed, it can simply recreate itself using them).
With regards to the administrator user comment, I guess that's where I went wrong.
I'd reinstalled Windows again recently, and in my frustration at having to deal with a scratched disc and having to dump the install files to my hard drive to install from there, after formatting the partition to FAT32 and a host of other crap, I no doubt forgot to create my profile as a normal user instead of an admin. -_-'
Oh well, guess it's time for another hearty formatting, if I can't get this blasted thing removed! :D
*ATNinja edit*
Oh, and I have myself an Ubuntu live disc and such lying around here somewhere, but you don't want to know what my study-slash-bedroom looks like right now...
You MIGHT be able to do a "repair installation" of windows, which will essentially rollback your system files to the version found on your disk. Do a virus scan/removal from Linux, then do a repair installation. If that doesn't work, then a blanket reformat is probably your only real hope.
Bish Ounen
Gallente Best Path Inc. Ethereal Dawn
Posted - 2009.03.04 16:31:00 - [9]
Originally by: Taedrin
You MIGHT be able to do a "repair installation" of windows, which will essentially rollback your system files to the version found on your disk. Do a virus scan/removal from Linux, then do a repair installation. If that doesn't work, then a blanket reformat is probably your only real hope.
Just don't forget to use the bootable Ubuntu CD to back up your critical files to an external hard drive first.
Personally, I'd just back up the important stuff, and then run the installer on the Ubuntu CD, wiping the entire hard drive in the process. But that's just me.
Fix the Wardec System!
AnonyTerrorNinja
Minmatar Buggers' Advanced Interstellar Transport
Posted - 2009.03.04 17:06:00 - [10]
Well, looks like I got rid of it.
Requesting permission from the mods to post a link to the removal tool I used for it.
I cannot verify myself (obviously, since I managed to get this worm in the first place) that this removal tool itself is entirely clean, and as such cannot guarantee for those that may use it that it will not cause (further) damage to their systems.
Sooooo, if there's someone I can submit the link to who can check it before I post it here, please speak up.
LaVista Vista
Posted - 2009.03.04 17:38:00 - [11]
If your computer has been infected by a virus, it's compromised. Any measure you might take won't change that fact, except wiping the machine entirely.
Find your Windows CD and get busy. It's the only reasonable thing to do.
FOl2TY8
The Athiest Syndicate
Posted - 2009.03.04 21:22:00 - [12]
People who are recommending re-installing Windows are completely ignorant. I have been cleaning viruses for years and have only done a full re-install a couple of times.
1. Delete your existing System Restore points.
2. Download and install Malwarebytes.
3. Download and install Spybot and Ad-Aware.
4. Download and install SmitRem and VundoFix.
5. Download and install HijackThis and CCleaner.
6. Reboot into Safe Mode and run all the apps you downloaded.
If they don't clear the virus then you will need help that I can't give in these forums. Go to MajorGeeks and they can help you.
You can reformat, but wouldn't you rather learn how to remove a virus without resorting to a clean install? Also pick up a copy of Ghost and image your clean computer so when there is no other option you can just re-image your PC quickly and efficiently.
----------
This post brought to you by the worst PVP'er in Eve
Elysarian
Minmatar dudetruck corp
Posted - 2009.03.04 21:33:00 - [13]
Originally by: Taedrin
Originally by: Cedric Diggory Download a Linux Live CD of your choice (with NTFS support). Boot, mount and delete.
Log back into Windows and clean up the aftermath.
Perhaps the trojan has other services that will recreate the file? Removing well-crafted viruses and trojans is a lot harder than simply deleting a single file, especially if it's a *true* virus which infects other files that you use.
On an aside: the reason your computer got infected was that you were running as an administrator. This is one of the largest complaints with Windows: virtually ALL software requires you to give it administrator privileges to function or install properly. This is very bad behavior, as you are essentially giving that program permission to **** your computer. If you never run ANY program as an administrator, you will be protected from 99% of malware. The only malware that you can be infected by is stuff that uses security vulnerabilities to gain admin privileges without user intervention.
A better behavior is to have Linux-style permissions, where if a user accidentally executes a trojan or virus, he can only screw over his own files; system files remain safe and unaffected so long as you don't execute the malware with root privileges.
Of course... the only time you'd be logged in with administrator privs is:
1. You're one of those people who refuses to upgrade to Vista/download and install the Windows 7 beta.
2. You upgraded to Vista but are lazy/stupid and disabled UAC (though even UAC can't protect the truly stupid "click yes to everything" kind of person).
UAC may not be perfect, but it is about the closest thing Windows users have to the *nix way of doing things (Linux does a very similar thing: if you want to do anything that requires administrator-level rights, it prompts you for the root password).
=====================================
It smells of spoon!
=====================================
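Both the "you were running as an administrator" point in Taedrin's post and the UAC point directly above come down to one question a reader can actually check: does the account I use day to day hold administrator rights, and is UAC standing between them and whatever I double-click? This added example (not code from the thread) answers that from a PowerShell prompt. It assumes PowerShell 2.0 or later; the EnableLUA value only exists on Vista and later, and the script reports it as absent on XP.

```powershell
# Added example, not from the original thread.
# Assumptions: PowerShell 2.0+; EnableLUA is a Vista-and-later value, so on XP it is
# reported as "not present" and the admin-group membership alone is what matters.

$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$prin = New-Object Security.Principal.WindowsPrincipal($id)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# With UAC on (Vista+), an administrator's normal shell runs with a filtered token, so
# IsInRole(Administrator) is $false until the process is elevated. On XP, or with UAC
# disabled, an admin account is $true here all the time, which is the problem the
# thread is describing: every program you launch inherits full control of the machine.
$elevated = $prin.IsInRole($adminRole)

# Membership in the local Administrators group (well-known SID S-1-5-32-544), whether or
# not this particular process is elevated.
$memberOfAdmins = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

# UAC master switch. 1 = on, 0 = off, missing = pre-Vista (no UAC at all).
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol    = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$uac = if ($null -eq $pol -or $null -eq $pol.EnableLUA) { 'not present (pre-Vista)' }
       elseif ($pol.EnableLUA -eq 1)                    { 'enabled' }
       else                                             { 'DISABLED' }

'User:                      {0}' -f $id.Name
'Member of Administrators:  {0}' -f $memberOfAdmins
'This process is elevated:  {0}' -f $elevated
'UAC (EnableLUA):           {0}' -f $uac

if ($memberOfAdmins -and $uac -ne 'enabled') {
    Write-Warning 'Everything you run from this account gets full administrator rights. Use a standard user for daily work.'
} elseif ($memberOfAdmins) {
    'Admin account, but UAC is on: programs only get admin rights after a consent prompt.'
} else {
    'Standard user: a trojan you launch can damage your own files but not the system.'
}
```

The interesting line is `This process is elevated`: on an XP-style setup it reads `True` in an ordinary console, which is exactly the state Taedrin's post says caused the infection.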
Chainsaw Plankton
IDLE GUNS IDLE EMPIRE
Posted - 2009.03.04 22:02:00 - [14]
Originally by: LaVista Vista If your computer has been infected by a virus, it's compromised. Any measure you might take won't change that fact, except wiping the machine entirely.
Find your Windows CD and get busy. It's the only reasonable thing to do.
*sniff* It's for your own good, babe *sniff*
AnonyTerrorNinja
Minmatar Buggers' Advanced Interstellar Transport
Posted - 2009.03.04 22:06:00 - [15]
Originally by: FOl2TY8 People who are recommending re-installing Windows are completely ignorant. I have been cleaning viruses for years and have only done a full re-install a couple of times.
1. Delete your existing System Restore points.
2. Download and install Malwarebytes.
3. Download and install Spybot and Ad-Aware.
4. Download and install SmitRem and VundoFix.
5. Download and install HijackThis and CCleaner.
6. Reboot into Safe Mode and run all the apps you downloaded.
If they don't clear the virus then you will need help that I can't give in these forums. Go to MajorGeeks and they can help you.
You can reformat, but wouldn't you rather learn how to remove a virus without resorting to a clean install? Also pick up a copy of Ghost and image your clean computer so when there is no other option you can just re-image your PC quickly and efficiently.
This looks suspiciously like the list of things my friend received in a mail from Blizzard when he first reported that his WoW account had been hacked...
In any event, I know that he downloaded a lot of these tools and that we were sitting here watching them be completely ineffective against this same worm/trojan (he got it from his mom, who, being the highly computer-literate person she is, turns off her antivirus to get rid of the annoying 'we found something wrong!' messages whenever plugging in USB thumb drives or friends' iPods or putting CDs/DVDs her friends/clients had written into her PC).
In any event, my friend, not having anything on his PC he couldn't get from someone else, just opted to go for a full format rather than bothering to try and get rid of this thing (or risking it still being there after cleaning up).
LaVista, your suggestion sounds like the average lazy techie's response to a virus infection. Just because you have been infected does not mean the only course of action is a full wipe and reinstall. Not all viruses/trojans/worms require what you were suggesting; in fact, many are so benign you can almost leave them on your system as is, since all they want to do is say hello to you every time you log in.
AnonyTerrorNinja
Minmatar Buggers' Advanced Interstellar Transport
Posted - 2009.03.04 22:26:00 - [16]
Oh yeah, here's the link for the tool I used to clean up with, since no mods are giving me a go/no-go in the thread.
http://www.windowsvistaplace.com/vista/olhrwefexe
Hopefully, if anyone else comes across this thread and has this trojan, they'll be able to get rid of it using the same tool.
KingsGambit
Caldari Knights
Posted - 2009.03.05 11:52:00 - [17]
Originally by: LaVista Vista If your computer has been infected by a virus, it's compromised. Any measure you might take won't change that fact but wiping the machine entirely.
*picks something up from the floor* I think you dropped your tinfoil hat just here, dude.
AnonyTerrorNinja
Minmatar Buggers' Advanced Interstellar Transport
Posted - 2009.03.06 13:35:00 - [18]
In other news; NOD32 now picks this delightful little virus up and can remove it.
Hoorah for month-and-a-half-late definition updates!
More amusing is that if you go read about ohlwref on the Symantec site, they tell you it creates the registry group
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\
that this is a part of the virus and that you should remove it. I rather like my NOD32 Anti-Virus, Symantec, and would rather not render the program inoperable. :D
Jana Clant
New Dawn Corp New Eden Research
Posted - 2009.03.06 14:42:00 - [19]
Sorry to hijack the thread, but I have a quick question I'd like to ask:
My computer has been infected by a virus recently, and my efforts to get rid of it have failed so far. I am considering formatting C:, the partition containing the OS and most of my stuff, but the virus has also infected files in partitions D: and E:, which are used mostly for file storage.
If I were to format just C:, reinstall the OS and get security programs up and running before I even attempt to open the D: and E: partitions, is there any chance the virus could infect the OS again before the anti-virus is fully installed? (I can't format D: and E: for now as I have important files there, and copying them to another computer would probably just infect that one as well, making things worse)
New Eden Research, where your research gets done!
AnonyTerrorNinja
Minmatar Buggers' Advanced Interstellar Transport
Posted - 2009.03.06 15:34:00 - [20]
If the partitions are mounted at startup in the new OS installation, then yes, they could infect your boot partition again before you can clean them up.
I haven't had to do this in years, so I don't remember the results, but you may be able to unmount the partitions before formatting, and then when installing the new OS on the formatted C: partition, they may or may not start up mounted.
An alternative is that you run, as suggested earlier in the thread, a Linux distro's live CD (Ubuntu being an example) and do a virus scan from there.
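For the situation Jana Clant describes (fresh install on C:, infected files still sitting on D: and E:), the practical worry is the data partitions being opened, or an autorun.inf on them being honoured, before the antivirus is installed and updated. This added example (not code from the thread) is what I would run first thing on the freshly installed system, from an elevated PowerShell 2.0+ prompt: it turns AutoRun/AutoPlay off for every drive type via the NoDriveTypeAutoRun policy value, records each data volume's GUID path, and detaches the drive letters with mountvol so the partitions cannot be opened by accident until you choose to re-attach them. The letters D: and E: are the ones from the question; the rest is illustrative.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell 2.0+
# prompt on the freshly installed system. D: and E: are the letters from the question
# above; NoDriveTypeAutoRun and mountvol are standard Windows, the rest is illustrative.

$letters = 'D:', 'E:'

# 1. Disable AutoRun for every drive type. NoDriveTypeAutoRun is a bitmask, one bit per
#    drive type; 0xFF sets all of them, so Explorer never executes an autorun.inf when a
#    volume is opened or inserted. Set under both hives so a per-user value cannot undo it.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $k = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    "$k\NoDriveTypeAutoRun = 0xFF"
}

# 2. Record each volume's GUID path (needed to re-attach it later), then remove the
#    drive letter. mountvol ships with XP through current Windows; a volume with no
#    letter stays unreachable to Explorer and to anything that expects D:\ or E:\.
$saved = @{}
foreach ($l in $letters) {
    $guidPath = mountvol $l /L 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    if ($guidPath) {
        $saved[$l] = $guidPath
        mountvol $l /D
        "$l detached; volume was $guidPath"
    } else {
        "$l has no volume attached, nothing to do"
    }
}

# 3. Keep the mapping somewhere the reinstall cannot lose it (a text file on C: is fine).
$saved.GetEnumerator() | ForEach-Object { '{0} {1}' -f $_.Key, $_.Value } |
    Out-File -FilePath "$env:SystemDrive\detached-volumes.txt" -Encoding ASCII
"Mapping written to $env:SystemDrive\detached-volumes.txt"
```

Once the antivirus is installed and updated, re-attach one volume at a time with `mountvol D: <saved GUID path>`, scan it before opening anything on it, and treat an `autorun.inf` in the root of a data partition (`Get-ChildItem -Force D:\autorun.inf`) as a sign that the drive carried the infection, whatever the scanner says.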
Gin G
Federal Navy Academy
Posted - 2009.03.06 18:12:00 - [21]
There is a far more simple way to remove it: just take your hard drive(s) and blow them to pieces.
Survive that.
FOl2TY8
The Athiest Syndicate
Posted - 2009.03.06 18:28:00 - [22]
Originally by: AnonyTerrorNinja In other news; NOD32 now picks this delightful little virus up and can remove it.
Hoorah for month-and-a-half-late definition updates!
More amusing is that if you go read about ohlwref on the Symantec site, they tell you it creates the registry group
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\
that this is a part of the virus and that you should remove it. I rather like my NOD32 Anti-Virus, Symantec, and would rather not render the program inoperable. :D
Lol, that is awesome....