|
Welcome to the GSM-Forum forums. You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. Only registered members may post questions, contact other members or search our database of over 8 million posts. Registration is fast, simple and absolutely free so please - Click to REGISTER! If you have any problems with the registration process or your account login, please contact contact us . |
|
Register | FAQ | Donate | Forum Rules | Root any Device | ★iPhone Unlock★ | ★ Direct Codes ★ | Direct Unlock Source |
Off Topic Zone Here all other messages... |
| LinkBack | Thread Tools | Display Modes |
04-28-2007, 14:58 | #1 (permalink) |
No Life Poster Join Date: Apr 2005 Location: PAKISTAN Age: 45
Posts: 1,790
Member: 133436 Status: Offline Sonork: 100.1577364 Thanks Meter: 191 | New Threat & KeyLogger has been Detected DeepScan.Generic.Malware.SP!dldPk!g.01C03DEE. The virus carries high system risk as the malicious dropper will disable some commonly used anti-virus software and unable to open security applications. Other reported infected symptoms include unable to update virus signatures, unable to access or load antivirus websites or forums. All these effects caused the removal or disinfection process for Worm.Pabug.ck/co virus a little bit harder. The worm can’t self-propagate. It is likely that the system could be infected when a user downloads an executable file from email, messenger, board, and download centers and run the file. Or, it is possible that it is installed by other malicious codes (worms, viruses and trojan horses). The worm which is a dropper, when executed, will create the following files: %systemroot%\system32\gfosdg.exe or jusodl.exe %systemroot%\system32\gfosdg.dll or jusodl.dll %systemroot%\system32\severe.exe %systemroot%\system32\drivers\mpnxyl.exe or pnvifj.exe %systemroot%\system32\drivers\conime.exe %systemroot%\system32\hx1.bat %systemroot%\system32\noruns.reg X:\OSO.exe X:\autorun.inf X represents non-system hard drive. %systemroot% folder is usually C:\Windows on most systems (so the path to the infected files are C:\Windows\System for Windows 95/98/ME, C:\WinNT\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP). Beside, the dropper also adds the following value to Windows registry key entries by executing noruns.reg and then delete the file once done to run itself automatically whenever Windows starts. [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer] “NoDriveTypeAutoRun”=dword:b5 Above change the auto run method of the drive. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] “jusodl” = “C:\WINDOWS\system32\severe.exe” “pnvifj” = “C:\WINDOWS\system32\jusodl.exe” or “mpnxyl” = “C:\WINDOWS\system32\gfosdg.exe” “gfosdg” = “C:\WINDOWS\system32\severe.exe” [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “Shell” = “explorer.exe C:\WINDOWS\system32\drivers\conime.exe” [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] Debugger = Windows system folder\drivers\pnvifj.exe or “Debugger”=”C:\WINDOWS\system32\drivers\mpnxyl.exe ” The above registry value is for the child registry key which based on the executables file names of the security programs, so that when these security software are been double clicked, the virus file that is been run. The child registry keys include: + 360Safe.exe + adam.exe + avp.com + avp.exe + IceSword.exe + iparmo.exe + kabaload.exe + KRegEx.exe + KvDetect.exe + KVMonXP.kxp + KvXP.kxp + MagicSet.exe + mmsk.exe + msconfig.com + msconfig.exe + PFW.exe + PFWLiveUpdate.exe + QQDoctor.exe + Ras.exe + Rav.exe + RavMon.exe + regedit.com + regedit.exe + runiep.exe + SREng.EXE + TrojDie.kxp + WoptiClean.exe The worm terminates following running process(es). Targets (listed below) are antivirus software, firewall, system process, and other malicious codes. The command used in ‘net stop’ and using sc.exe to configure forbid usage of these services with the command “config [service_name] start=disabled” srservice sharedaccess KVWSC KVSrvXP kavsvc RsRavMon RsCCenter The virus also terminates and stops the following process from running: PFW.exe Kav.exe KVOL.exe KVFW.exe adam.exe qqav.exe qqkav.exe TBMon.exe kav32.exe kvwsc.exe CCAPP.exe EGHOST.exe KRegEx.exe kavsvc.exe VPTray.exe RAVMON.exe KavPFW.exe SHSTAT.exe RavTask.exe TrojDie.kxp Iparmor.exe MAILMON.exe MCAGENT.exe KAVPLUS.exe RavMonD.exe Rtvscan.exe Nvsvc32.exe KVMonXP.exe Kvsrvxp.exe CCenter.exe KpopMon.exe RfwMain.exe KWATCHUI.exe MCVSESCN.exe MSKAGENT.exe kvolself.exe KVCenter.kxp kavstart.exe RAVTIMER.exe RRfwMain.exe FireTray.exe UpdaterUI.exe KVSrvXp_1.exe RavService.exe It also modifies HOSTS file to keep the user from connecting specifiec addresses. Generally, the addresses are homepages of Internet security sites and antivirus engine updates servers. So the infected system’s user can’t get information or engine updates to scan and remove the malicious code. Following is the addresses that are blocked: 127.0.0.1 localhost 127.0.0.1 mmsk.cn 127.0.0.1 ikaka.com 127.0.0.1 safe.qq.com 127.0.0.1 360safe.com 127.0.0.1 www.mmsk.cn 127.0.0.1 www.ikaka.com 127.0.0.1 tool.ikaka.com 127.0.0.1 www.360safe.com 127.0.0.1 zs.kingsoft.com 127.0.0.1 forum.ikaka.com 127.0.0.1 up.rising.com.cn 127.0.0.1 scan.kingsoft.com 127.0.0.1 kvup.jiangmin.com 127.0.0.1 reg.rising.com.cn 127.0.0.1 update.rising.com.cn 127.0.0.1 update7.jiangmin.com 127.0.0.1 download.rising.com.cn 127.0.0.1 dnl-us1.kaspersky-labs.com 127.0.0.1 dnl-us2.kaspersky-labs.com 127.0.0.1 dnl-us3.kaspersky-labs.com 127.0.0.1 dnl-us4.kaspersky-labs.com 127.0.0.1 dnl-us5.kaspersky-labs.com 127.0.0.1 dnl-us6.kaspersky-labs.com 127.0.0.1 dnl-us7.kaspersky-labs.com 127.0.0.1 dnl-us8.kaspersky-labs.com 127.0.0.1 dnl-us9.kaspersky-labs.com 127.0.0.1 dnl-us10.kaspersky-labs.com 127.0.0.1 dnl-eu1.kaspersky-labs.com 127.0.0.1 dnl-eu2.kaspersky-labs.com 127.0.0.1 dnl-eu3.kaspersky-labs.com 127.0.0.1 dnl-eu4.kaspersky-labs.com 127.0.0.1 dnl-eu5.kaspersky-labs.com 127.0.0.1 dnl-eu6.kaspersky-labs.com 127.0.0.1 dnl-eu7.kaspersky-labs.com 127.0.0.1 dnl-eu8.kaspersky-labs.com 127.0.0.1 dnl-eu9.kaspersky-labs.com 127.0.0.1 dnl-eu10.kaspersky-labs.com The virus is may also affect USB flash drive or portable hard disk, by autorun OSO.exe. All non system partition will contains OSO.exe and autorun.inf virus files too. Beside, system time may be changed too to cause some anti virus programs to expire. How to Remove and Disinfect Worm.Pabug.ck or Worm.Pabug.co Manually To run antivirus program that has been disabled, you can try to rename the antivirus executable file name to another file name, and then run the new file name. Terminate and end the following processes (tasks) using Task Manager (alternative you can use procexp): %systemroot%\system32\gfosdg.exe %systemroot%\system32\severe.exe %systemroot%\system32\drivers\conime.exe Remove the registry key added by virus under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key using Registry Editor or Autoruns (for Autoruns, remember to first select Options -> Hide Microsoft Entries to avoid mistaken delete valid entries). This process will allow anti virus or security software or system utilities such as IceSword, SREng and etc to be able to function properly again: + 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe + adam.exe c:\windows\system32\drivers\mpnxyl.exe + avp.com c:\windows\system32\drivers\mpnxyl.exe + avp.exe c:\windows\system32\drivers\mpnxyl.exe + IceSword.exe c:\windows\system32\drivers\mpnxyl.exe + iparmo.exe c:\windows\system32\drivers\mpnxyl.exe + kabaload.exe c:\windows\system32\drivers\mpnxyl.exe + KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe + KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe + KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe + KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe + MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe + mmsk.exe c:\windows\system32\drivers\mpnxyl.exe + msconfig.com c:\windows\system32\drivers\mpnxyl.exe + msconfig.exe c:\windows\system32\drivers\mpnxyl.exe + PFW.exe c:\windows\system32\drivers\mpnxyl.exe + PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe + QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe + Ras.exe c:\windows\system32\drivers\mpnxyl.exe + Rav.exe c:\windows\system32\drivers\mpnxyl.exe + RavMon.exe c:\windows\system32\drivers\mpnxyl.exe + regedit.com c:\windows\system32\drivers\mpnxyl.exe + regedit.exe c:\windows\system32\drivers\mpnxyl.exe + runiep.exe c:\windows\system32\drivers\mpnxyl.exe + SREng.EXE c:\windows\system32\drivers\mpnxyl.exe + TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe + WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe Remove the following auto run on Windows startup registry entries located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run registry key by using Registry Editor or SREng (System Repair Engineer) “mpnxyl”=”C:\WINDOWS\system32\gfosdg.exe” “gfosdg”=”C:\WINDOWS\system32\severe.exe” Also navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, double click on it and remove the text behind “Explorer.exe” in the value data, so that it will become looked like as below: “shell”=”Explorer.exe” Next delete all files planted by the virus. Note that even if you right click on these infected files may trigger the infection process, so it’s recommended to use IceSword or WinRAR to delete these files: %systemroot%\system32\gfosdg.exe %systemroot%\system32\gfosdg.dll %systemroot%\system32\severe.exe %systemroot%\system32\drivers\mpnxyl.exe %systemroot%\system32\drivers\conime.exe %systemroot%\system32\hx1.bat %systemroot%\system32\noruns.reg X:\OSO.exe X:\autorun.inf X mean all non system partitions, including your USB flash drive and portable hard disk. System Recovery and Clean Up Navigate to the following registry keys and add back the original value. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] “CheckedValue”=dword:00000001 [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer] “NoDriveTypeAutoRun” value is vary depending on system, normally by default it will set as 91 (in HEX value) Next remove all contents added by the worm in Hosts file. Use Notepad to open %systemroot%\system32\drivers\etc\hosts, and remove the entries or lines specified above. If you’re using SREng, simply click on “System Recovery” -> “Hosts file”, then click “Replace” and then “Save”. Finally, you will need to recover or repair or reinstall the anti virus program, if it has been damaged. Take Care ENJOY |
The Following User Says Thank You to imran_qasim For This Useful Post: |
Bookmarks |
| |
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
+ New firmware update for Nokia N76 has been released and brings new features | apocalypso | Nokia Base Band 5 ( BB-5 ) | 2 | 10-06-2007 22:04 |
A trojan has been detected | chinex14 | Off Topic Zone | 25 | 08-29-2005 08:08 |
New WinTesla version 6.46.002 has been released. | Bert | Nokia Legacy Phones ( DCT-1 ,2 ,3 ,L ) | 3 | 09-16-2002 19:04 |
New Ericssons Remote Unlocker ( T39, T6x, R520 ) has been released !!! | bontek | Old Ericsson Phones & Sony Phones | 0 | 08-22-2002 21:48 |
new MCU soft has been released | mudboy | Nokia Legacy Phones ( DCT-1 ,2 ,3 ,L ) | 2 | 01-13-2002 22:13 |