
Cannot clean registry of AVG_CC

 
TNS

External


Since: Nov 02, 2003
Posts: 1



(Msg. 1) Posted: Sun Nov 02, 2003 2:58 pm
Post subject: Cannot clean registry of AVG_CC
Archived from groups: alt>comp>anti-virus

I have removed AVG6 Pro from my PC, but the AVG_CC still shows in
registry in HKLM...RUN as c:program files/grisoft/AVG6/avg_cc32
/startup

I cannot get this thing off as if the key is deleted, or disabled in
msconfig, it just comes right back.

Any help would be greatly appreciated. I've used all sorts of reg
cleaners, tried from safe mode, etc, but back it comes.

---TNS

Zantafio

External


Since: Oct 22, 2003
Posts: 9



(Msg. 2) Posted: Mon Nov 03, 2003 11:46 pm
Post subject: Re: Cannot clean registry of AVG_CC
Archived from groups: per prev. post

Look here below at the abstracts of an e-mail I posted last week.
Go to safe mode in order not to load all the drivers and the resident
programs. This will prevent the trojan from protecting itself against cleaning.

I have to add that this Sunday I discovered another turd in my system. It's
the log the trojan wrote in order to send it to the remote site:
"E:\Win98\system\ulwy.blf".
The trojan has been identified as "Backdoor.beastdoor.202" by the different
labs I contacted.
Lotta other backdoors operate more or less the same. The filenames may vary
from one to another.

Don't ask me too much, I'm not an expert. I just described a recent
experience. This stuff is mainly troubleshooting.

Good luck
____________________________________________________

I finally restored my computer defences. At least I hope so! The
virus-trojan-worm (?) is probably still present but doesn't appear active
any longer.


Its actions:
It disabled Zone Alarm, VirusScan when launched, TC-Active and T-C Monitor,
The Cleaner (scanning machine on demand), The Windows System File Compare
(SFC), every attempt done with scan engines.

It didn't stop the functioning of "Ad-Aware 6" (free), dedicated virus
removers as "fixSbigF.exe", "stinger.exe", "The cleaner" launched from the
network server, even under normal sessions of Windows. I didn't try
VirusScan from the server.


Its activity/detection:
It wasn't active under the safe mode (probably because it was loaded by the
run keys).
Neither detected by "The cleaner", nor "stinger", "fixSbigF", "VirusScan"
unless the heuristics scanning was selected. In that case only the
"image023.pif" was recognized to contain "NewBackdoor1".
Later on I applied VirusScan to the other files without positive result,
even in heuristics mode.


Its system installation:
There were three "Com Service = "Wins98\command\" " entries in the registry
Run keys (HKCU, HKLM, and HKUD\Software\Microsoft\Windows\CurrentVersion\Run)
pointing to E:\Win98\command\mshxbh.com.


This NewsGroup gave me the idea to look for strange file names with the same
date as the two known files (image023.pif and mshxbh.com).
I found two other occurrences: Win98\services.exe and
Win98\System\msulwy.com. They've exactly the same date (05.05.99 22:22)
identical to the Windows file's date and the same length (54 048 bytes) and
the same contents (with Quick view). These characteristics also apply to
"image023.pif".
The characteristics of the four infected files follow here-below in case
this could bring some more information.
The three files have the attributes "system" & "hidden"


The disabling:
I went again in safe mode, (off then boot) and renamed "mshxbh.com",
"msulwy.com" and "Services.exe". I edited the registry searching for these
filenames as well as for "Com Service" and deleted the run keys launching
"mshxbh.com". I found a new one:
HKLM\Software\Microsoft\Active Setup\Installed
Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}
containing "StubPath=E:\Win98\System\msulwy.com". I renamed its name &
value. It will be deleted later on if necessary.
Nothing concerning "Services.exe". This looks rather strange for me because
it's never called by any key or something else.


"TNS" <TNS RemoveThis @Nospamintexasoranywhereelse.com> wrote in message news:
rl6aqv049gnhmbcvrh3pq3u225tmm82t8a RemoveThis @4ax.com...
>
> I have removed AVG6 Pro from my PC, but the AVG_CC still shows in
> registry in HKLM...RUN as c:program files/grisoft/AVG6/avg_cc32
> /startup
>
> I cannot get this thing off as if the key is deleted, or disabled in
> msconfig, it just comes right back.
>
> Any help would be greatly appreciated. I've used all sorts of reg
> cleaners, tried from safe mode, etc, but back it comes.
>
> ---TNS
>
>
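
Both posts turn on finding every place a program is registered to start automatically. The Python below is an added example, not part of either post: it reads a regedit text export (REGEDIT4 format) and lists the autostart values under the Run keys and under Active Setup `StubPath`, grouped by the command they launch. The sample export is constructed from the names quoted in Msg. 2; the `RunOnce`/`RunServices` variants and the function names are this example's own additions.

```python
import re
from collections import defaultdict

# Autostart locations named in the thread: Run keys and Active Setup StubPath.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services)?$", re.I)
ACTIVE_SETUP = re.compile(r"\\Software\\Microsoft\\Active Setup\\Installed Components\\[^\\]+$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="string data"

def autostart_entries(reg_text):
    """Return (key, value name, command) for each autostart string value in a .reg export."""
    found, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header = registry key path
            continue
        m = VALUE.match(line)
        if not key or not m:
            continue
        # .reg files escape backslashes and quotes inside strings; undo that
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if RUN_KEY.search(key) or (ACTIVE_SETUP.search(key) and name.lower() == "stubpath"):
            found.append((key, name, data))
    return found

def launch_points(reg_text):
    """Map each launched command (lower-cased) to every key that starts it."""
    points = defaultdict(list)
    for key, _name, data in autostart_entries(reg_text):
        points[data.lower()].append(key)
    return dict(points)

# Constructed sample export; the names and paths are the ones quoted in Msg. 2.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Com Service"="E:\\Win98\\command\\mshxbh.com"
"SystemTray"="SysTray.Exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Com Service"="E:\\Win98\\command\\mshxbh.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}]
"StubPath"="E:\\Win98\\System\\msulwy.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Logo"="E:\\Win98\\logo.bmp"
'''

if __name__ == "__main__":
    for command, keys in launch_points(SAMPLE).items():
        print(f"{command}  <- {len(keys)} autostart key(s): {keys}")
```

A command that shows up under more than one key, or a `StubPath` pointing at a file nobody recognises, is what to check by hand before deleting anything.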
