

Old Aug 1, 2009, 03:22 PM   #1
Dr. Zhivago
Sound: Serious Business
 
Join Date: Feb 2003
Location: United States Oregon
Posts: 8,226
Watch for the Autorun Virus

I came across a new virus (to me) on Thursday at work. It's the autorun.exe virus. It's been around for a few years and it seems it is becoming more common. It also goes by smss.exe. I'm not sure what its purpose is, but what it does is write 2 files to the root of USB drives when you insert them into an infected PC. The file names are autorun.exe and autorun.inf. The .exe file name will change to a random name like device_driver.exe or usb_smss.exe or other names.

It hides itself by setting Folder Options Views to hide everything and setting the file attributes on the files it creates as hidden. When you change those settings to show everything and hit Apply, they are changed back to hide everything. It accomplishes this by changing some registry entries so that the unchecked value is the same as the checked value. The registry value is here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

It sets the CheckedValue item to "0" instead of the default of "1".

It creates a hidden directory: C:\Windows\system32 \ (Note the space or more likely it uses a null character.) It puts itself in there. The file name is smss.exe, which is also the same name as a legitimate Windows file, the Windows Session Manager. The creation and modified dates even mimic the legit version. The file size is much larger, however, at around 1.3MB. The stock file is around 50KB.

It also modifies two other registry entries so that it will almost certainly stay resident. They are located in these locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

It changes the Userinit string to this:

C:\Windows\system32\userinit.exe, c:\Windows\system32 \smss.exe

This makes it launch when anyone logs into the machine, even in Safe Mode.

It should look like this:

C:\Windows\system32\userinit.exe,

The other registry entry makes it particularly troublesome to remove:

HKEY_CLASSES_ROOT\exefile\shell\open\command

It prefixes the Default value so that it looks like this:

"c:\Windows\system32 \smss.exe" "%1" %*

The Default value of that string should look like this: "%1" %*

The modified setting causes the virus to run and modify the behavior of any program that is launched from within Windows. Even if you manage to stop the process, it will just relaunch when you launch ANY program.

I had plenty of time to observe it while I figured out a way to clean it up. It's pretty cleverly written and I don't think you can get rid of it with any tools available to a stock Windows install. Prevx detected it, and Avast detected it on my laptop, which is how I discovered it in the first place after putting the USB stick I own back into my laptop after it had been in one of the infected PCs. They are using McAfee corporate AV and it does not detect it and is disabled by the virus on an infected PC. I wanted to get rid of it without having to buy any software or replace their AV since I am not authorized to do that.

I first used Winternals ERD Commander 2005 to boot to and attach the Windows XP installation, edit the registry and remove the hidden files and folders. One of the infected PCs had a broken optical drive, so another way to get rid of it while Windows is running is to use Sysinternals Process Explorer:

1. Run Process Explorer, kill the smss.exe rogue. It has a goofy, squid-like or octopus-like purple icon.
2. Start/Run/cmd
3. Kill smss.exe again using Process Explorer.
4. Launch regedit from the cmd Window and make the registry changes.
5. Launch explorer.exe from the cmd Window. Set the Folder View options to show everything including System Files and navigate to the Windows directory and delete the \system32 \ folder. It will be lighter in color as it has the hidden attribute set.
6. Check the root of C:\ for smss.exe or autorun.exe and autorun.inf.
7. Do the same for USB or removable drives. Make sure you hold down the Shift key to prevent them from auto running. Better yet, kill Autorun altogether.
8. Reboot.
9. Done and done.

By launching programs from the cmd window instead of from the GUI, the modified shell\open\command string is rendered inert and the virus does not re-launch itself. You cannot kill smss.exe from Task Manager; you need to use Process Explorer.

See here how to permanently disable Autorun forever for all users:

http://support.microsoft.com/kb/967715

Autorun is responsible for the Sony Rootkit infecting so many machines. Winternals and Sysinternals tools were developed in part by Mark Russinovich, who discovered the Sony Rootkit and who now works for Microsoft. Some of his tools have made it into Vista and Windows 7 and so on since they were acquired by MS in a non-hostile buyout a few years ago. He is highly responsible for the vast improvements we have seen concerning the new versions of Windows. http://technet.microsoft.com/en-us/s.../bb896653.aspx

All the free tools he developed are still free, including Process Explorer.
__________________


Bedroom PC - Gigabyte GA-970A-UD3 - AMD 1100T @3.7/4GHz - H50 - 8GB DDR3-1600 - HD 7870 OC - Samsung 840 250GB - WD 640GB Blue - Xonar DX - LG BDROM - Logitech 6110 - TT Volos - Antec 900 - CM 500W PSU - Samsung 32" HDTV - Onkyo TX-SR606 - BIC L/R & MTX Surround Speakers - Mission C70 Center - Sony 10" Sub - Windows 7 Ultimate 64Bit

HTPC - Gigabyte GA-890GPA~UD3H - AthlonII X4 630 - HD6450 - 8GB DDR3-1333 - WD 500GB Black - WD 640GB Green - WD 2TB Green - LG BDROM - Ceton InfiniTV 4 w/ MCE Remote - Logitech MX5000 Laser Desktop - Corsair 450W - Silverstone LC10B-E - Sharp Aquos 46" HDTV - Onkyo TX-SR606 - PE 15" Sub - Classic Mission Speakers - Windows 7 Ultimate 64Bit

Office PC - Gigabyte GA-Z77X-UD3H - Intel 3570K - 16GB DDR3-1866 - HD 7950 FLEX - Samsung 840 250GB - WD 500GB Blue - WD 1TB Black - Xonar DX - Corsair 600W PSU - Antec ON1E - Logitech G5 - Logitech USB Media KB - AOC 23" LCD - Creative Inspire 2.1 - Windows 10 Pro 64Bit

5x Presentation Machines - Gigabyte GA-990XA-UD3 - FX-8350 w/ FX WC - 8GB DDR3-1600 - 5870 or 7870 Eyefinity 6 - 2x Samsung 840 EVO 120GB - WD 500GB Black - DVDRW - Cooler Master Sileo 500 - 600W PSU - Windows 7 Ultimate 64 Bit - Office 2010 Pro

Last edited by Dr. Zhivago : Aug 2, 2009 at 09:48 AM. Reason: Clarification
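An offline check for the three registry changes described in the post above, written here as an added example and not part of the original post: it parses a regedit export (for instance one taken from the XP installation while booted into ERD Commander or a LiveCD) and flags the Userinit chain, the prefixed exefile command, the zeroed CheckedValue and any directory name with a trailing space. The indicator names and the sample .reg text are constructed; the key paths and values come from the post.

```python
"""Offline check of a regedit export for the three persistence changes the post
describes: the Winlogon Userinit chain, the exefile shell\\open\\command prefix
and the SHOWALL CheckedValue flip. Added example, not the poster's own code.
Exports from regedit 5.00 are UTF-16; open them with encoding='utf-16'."""
import re

# Key paths and the clean values quoted in the post; the parser lower-cases keys.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
EXEFILE_OPEN = r"hkey_classes_root\exefile\shell\open\command"
SHOWALL = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\advanced\folder\hidden\showall")
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key_path_lower: {value_name_lower: value}}. Quoted strings and dword
    values are decoded; other value types keep the raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ';' or line.startswith(('REGEDIT4', 'Windows Registry')):
            continue
        if line[0] == '[' and line[-1] == ']':
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue  # hex continuation lines are not needed for these checks
        name, _, data = line.partition('=')
        name = '(default)' if name == '@' else _unescape(name.strip('"')).lower()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith('dword:'):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def _has_padded_component(path):
    # A directory name ending in a space (the post's 'system32 \') or holding a
    # NUL is not something a stock Windows install creates.
    return any(p != p.rstrip() or '\x00' in p for p in path.split('\\')[:-1])


def check_indicators(keys):
    """Return [(indicator, observed_value)] for each deviation from the clean
    state the post lists; an empty list means none of the three were found."""
    findings = []
    # 1. Userinit must be a single entry ending in \userinit.exe; the malware
    #    appends its own path after the comma so it runs at every logon.
    userinit = keys.get(WINLOGON, {}).get('userinit')
    if userinit is not None:
        entries = [e.strip() for e in userinit.split(',') if e.strip()]
        if len(entries) != 1 or not entries[0].lower().endswith('\\userinit.exe'):
            findings.append(('winlogon_userinit_chain', userinit))
        for e in entries:
            if _has_padded_component(e):
                findings.append(('padded_directory_in_userinit', e))
    # 2. Anything placed in front of "%1" %* runs whenever any .exe is started.
    cmd = keys.get(EXEFILE_OPEN, {}).get('(default)')
    if cmd is not None and cmd.strip() != CLEAN_EXEFILE_COMMAND:
        findings.append(('exefile_open_command_prefixed', cmd))
    # 3. With CheckedValue at 0, ticking "show hidden files" writes the same
    #    value as unticking it, which is why the Folder Options never stick.
    checked = keys.get(SHOWALL, {}).get('checkedvalue')
    if checked is not None and checked != 1:
        findings.append(('showall_checkedvalue_zeroed', checked))
    return findings


def scan_reg_text(text):
    return check_indicators(parse_reg(text))


# Constructed sample exports: the first mirrors the infected values quoted in
# the post, the second the clean defaults it gives for comparison.
SAMPLE_INFECTED_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe, c:\\Windows\\system32 \\smss.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\Windows\\system32 \\smss.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000'''

SAMPLE_CLEAN_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001'''
```

Call scan_reg_text() on the decoded export text; an empty list means the three values match the clean defaults the post lists.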
Old Aug 1, 2009, 03:36 PM   #2
caveman-jim
Deposed King of Rage3D
 
Join Date: Oct 2003
Posts: 48,918

Good post, thanks for the info
Old Aug 1, 2009, 04:06 PM   #3
Dr. Zhivago
Sound: Serious Business
 

Thanks Jim. One of the telltale signs of a PC being infected is the Folder View options not sticking.
Old Aug 1, 2009, 04:19 PM   #4
genci88
lololololol
 
Join Date: May 2002
Location: United States USA
Posts: 13,696

I ****ing hate that virus (also called Kinza). I've had to deal with it several times. There is a script (.bat file) out there that makes its removal as easy as a double click, but it disables autorun forever.
__________________
Member of the Glorious PC Gaming Master Race.
Reasons why it’s worth to be a PC gamer in 2012.




- The hardest thing about getting a Mac is telling your parents that you're gay.

- If I had the choice between being gay and owning a Mac, I would rather be gay, because if I owned a Mac I would be both gay and own a horrible computer.

- Imagine a giant cock flying towards your mouth, and there's nothing you can do about it. And you're like "Oh man, I'm gonna have to suck this thing", and you brace yourself to suck this giant cock. But then, at the last moment, it changes trajectory and hits you in the eye. You think to yourself "Well, at least I got that out of the way", but then the giant cock rears back and stabs your eye again, and again, and again. Eventually, this giant cock is penetrating your gray matter, and you begin to lose control of your motor skills. That's when the giant cock slaps you across the cheek, causing you to fall out of your chair. Unable to move and at your most vulnerable, the giant cock finally lodges itself in your anus, where it rests comfortably for 4, maybe 5 hours. That's what using Mac OSX is like.
Old Aug 1, 2009, 04:38 PM   #5
GanjaStar
Jalouise
 
Join Date: Feb 2007
Location: Croatia Strawberry Fields
Posts: 14,762

Awesome detailed post, just checked my rig and I'm not infected with this.

Should help other folks.
Old Aug 1, 2009, 07:14 PM   #6
wonder squirrel
Godlike
 
Join Date: Nov 2004
Posts: 13,971

I just checked my setup out. I'm somewhat unclear about whether I have this or not. My folder options seem to stick (I've not noticed anything differing at least), but when I checked the registry, I find the value you mentioned:

"%1" %*

in the directory:

HKEY_CLASSES_ROOT\exefile\shell\open\command

I've also found three instances of smss.exe, one in the $NTservicepackunistall$ folder, one in the system32 folder (notice no space or weird characters) and one in the i386 folder. That leads me to believe those are legit Windows files. Their sizes are all 49.5kb. The last two of these have August 2008 modified dates, the first has a 2004 date. This install is only a year old at the most I believe.

The only instance of autorun I've found is in a P965 folder (old file) that goes with an intel chipset driver.

Any helpful input would be appreciated.
__________________
The last of a dying breed..
Old Aug 1, 2009, 08:47 PM   #7
caveman-jim
Deposed King of Rage3D
 

smss.exe is a part of Windows, which is why the malware changes itself to be named that. Running a system file check may help you relieve your anxiety.
Old Aug 1, 2009, 09:04 PM   #8
wonder squirrel
Godlike
 

Quote:
Originally Posted by caveman-jim
smss.exe is a part of Windows, which is why the malware changes itself to be named that. Running a system file check may help you relieve your anxiety.
A command prompt window pops up and closes automatically with SFC [Scannow/ once]

Am I being mildly retarded?
Old Aug 1, 2009, 09:04 PM   #9
GanjaStar
Jalouise
 

Quote:
Originally Posted by wonder squirrel
but when I checked the registry, I find the value you mentioned:

"%1" %*
You misread his guide, I think. When it says smss.exe "%1" %* then you're infected. Just "%1" %* is normal.
Old Aug 1, 2009, 09:06 PM   #10
caveman-jim
Deposed King of Rage3D
 

Quote:
Originally Posted by wonder squirrel
A command prompt window pops up and closes automatically with SFC [Scannow/ once]

Am I being mildly retarded?
No, if nothing pops up then it's good. It'll tell you if system files have been replaced with suspicious ones.

Looks like you're in the clear.
Old Aug 1, 2009, 09:07 PM   #11
Dr. Zhivago
Sound: Serious Business
 

Hey wonder squirrel,
Your shell\open\command strings looks correct. What the virus prefixes to that string looks like this:

"c:\Windows\system32 \smss.exe" "%1" %*

I edited my original post so that information is clearer.
Old Aug 2, 2009, 12:15 AM   #12
wonder squirrel
Godlike
 

My bad, I just misread the info, thanks for the help fellas

Old Aug 2, 2009, 09:49 AM   #13
MaxSt
Radeon Arctic Islands
 
Join Date: Dec 2003
Location: USA
Posts: 14,400

Having a good LiveCD with a functional Windows XP helps a lot in such cases.
Old Aug 2, 2009, 08:52 PM   #14
Guset
Radeon HD4850 512MB
 
Join Date: Oct 2003
Posts: 349

Quote:
Originally Posted by MaxSt
Having a good LiveCD with a functional Windows XP helps a lot in such cases.
Very good hint also!
__________________
Gigabyte GA-EP45-DS3P
Bios F8 30-9-2008
Intel Core 2 Duo E8400 @ 4.05GHz (450MHz x 9.0), 1.43V
4x1GB G.Skill @ 4-4-4-12 2T, 900MHz, 2.1V
1x 64GB SSD Corsair X64 (Rev. 2.1)
1x 150GB WD Velociraptor (WD1500HLFS)
2x 250GB Seagate SATA II (3250620AS)
1x 640GB WD Black Caviar SATA II (WD6401AALS)
1x 640GB Samsung SATA II (HD640JJ)
1x 1TB Samsung Spinpoint F3
Pioneer DVR-111L
NEC 3520A DVD-RW
HIS HD4850 512MB (Core 710MHz - Mem. 2230MHz) (Cat. 10.6)
Samsung 206BW on DVI
Zalman ZM-850HP 850W
SB X-Fi XtremeMusic
Coolermaster CM690 case (modified)
Win XP Pro SP3 Final & W7 Home Premium x64 (Dual boot)
Old Aug 2, 2009, 08:55 PM   #15
Guset
Radeon HD4850 512MB
 

Excellent article Dr.!! It does not happen often (at least to me) but it will happen at least once in 2 years time and then is the time to look for a solution. Sometimes easy, sometimes hard. Not everyone has the time to observe the virus like you did and congratulations on your patience! I am sure your article will help a lot of people looking to get rid of the darn thing! Thumbs up! (high up!)
Old Aug 4, 2009, 01:23 PM   #16
Dr. Zhivago
Sound: Serious Business
 

As an update to this, when I discovered the virus on Thursday, I reported it to the Corporate Help Desk in detail. They suggested taking the machines off-line, which I did. They also issued a ticket and support personnel were supposed to come look at the machines. When I updated the ticket with the total number of machines we found infected, they supposedly "escalated" the ticket.

An email conversation took place between one of the staff employees who took ownership of the ticket and who watched me clean the machines. The Tech Support email basically challenged the veracity of the information regarding the virus and whether or not the infection came from my USB stick instead of the way it actually happened.

They never showed by the time I had cleaned all the machines myself. As of this morning, they still have not showed. Way to go IT...
Old Aug 4, 2009, 08:55 PM   #17
Argoon1981
Radeon Evergreen
 
Join Date: Apr 2007
Location: Portugal Braga
Posts: 1,939

Is this also a Vista virus? I looked in regedit and didn't see the changed values.
__________________
Intel i7 2.8 Ghz Quad core
AMD/ATI R9 270X OC 2GB
8GB DDR3

My modeling portfolio
Old Aug 4, 2009, 09:38 PM   #18
Guset
Radeon HD4850 512MB
 

Quote:
Originally Posted by Dr. Zhivago
As an update to this, when I discovered the virus on Thursday, I reported it to the Corporate Help Desk in detail. They suggested taking the machines off-line, which I did. They also issued a ticket and support personnel were supposed to come look at the machines. When I updated the ticket with the total number of machines we found infected, they supposedly "escalated" the ticket.

An email conversation took place between one of the staff employees who took ownership of the ticket and who watched me clean the machines. The Tech Support email basically challenged the veracity of the information regarding the virus and whether or not the infection came from my USB stick instead of the way it actually happened.

They never showed by the time I had cleaned all the machines myself. As of this morning, they still have not showed. Way to go IT...

If I was to tell you I was surprised I would be lying...
Old Aug 4, 2009, 10:01 PM   #19
Dr. Zhivago
Sound: Serious Business
 

Quote:
Originally Posted by Argoon1981
Is this also a vista virus? I looked in regedit and didnt saw the changed values.
It's possible that it could infect Vista if UAC is turned off. I doubt UAC would let it onto the machine without pitching a major fit.

But, on the other hand, a typical end user would probably just click "Allow" on every UAC prompt anyway...
Old Sep 14, 2009, 11:01 PM   #20
sittal
Radeon Arctic Islands
 
Join Date: Jul 2005
Location: Manches Tulsa, OK
Posts: 21,883

Sent this article around work; we sent the lackeys to look at suspicious computers and found two computers infected with this. A coworker pushed the system file checker to everyone and it will run on the next reboot.

Several cases of this virus populating within the network, thanks for the tip.
__________________
BBCode for Rage3D

Learn to embed videos in your posts, highlight text, and even post code!
Old Sep 16, 2009, 02:52 PM   #21
Dr. Zhivago
Sound: Serious Business
 

I didn't see this when you posted it. Glad this was helpful!
Old Nov 2, 2009, 03:07 PM   #22
genci88
lololololol
 

OK, Bitdefender could delete this virus entirely, while both Avira AntiVir and McAfee (installed for testing purposes) couldn't.

Avira and McAfee could detect it (and prevented it from auto loading), but they couldn't clean it (as soon as they "deleted" it, the warning would pop up again after a few seconds.)

Bitdefender also denied access when the virus tried to autorun. But a full scan of the USB drive deleted all traces of the virus. Bitdefender gets two thumbs up from me.
Old Nov 2, 2009, 05:46 PM   #23
VW_Factor
ÜBERVERBOTEN!
 
Join Date: Dec 2002
Location: Germany Leesburg, GA
Posts: 21,684



Quote:
Originally Posted by genci88
OK, Bitdefender could delete this virus entirely, while both Avira AntiVir and McAfee (installed for testing purposes) couldn't.

Avira and McAfee could detect it (and prevented it from auto loading), but they couldn't clean it (as soon as they "deleted" it, the warning would pop up again after a few seconds.)

Bitdefender also denied access when the virus tried to autorun. But a full scan of the USB drive, deleted all traces of the virus. Bitdefender gets two thumbs up from me.
Avira got it for me. However, when dealing with any sort of virii these days, I just yank the drive and clean it on my bench rig. With Windows not running, it's very, very easy to get even the nastiest **** cleaned up.
Old Nov 3, 2009, 11:54 PM   #24
Dr. Zhivago
Sound: Serious Business
 
Join Date: Feb 2003
Location: United States Oregon
Posts: 8,226



Thanks for the info, genci! You too, V-dub.
Old Nov 9, 2009, 02:06 PM   #25
biscuitownz
R.I.P 9600GT 2008-2009
 
Join Date: Dec 2008
Location: United States sacramento
Posts: 1,797
biscuitownz is still being judged by the masses



Crap... I think I've seen that smss.exe in my Task Manager before... always thought it was some crap in Windows by default... not sure if I've seen it in Win 7 yet, though.

Old Nov 10, 2009, 11:06 AM   #26
Dr. Zhivago
Sound: Serious Business
 
Join Date: Feb 2003
Location: United States Oregon
Posts: 8,226



There is a legitimate process with that name. Please read the original post more carefully.

Old Nov 10, 2009, 10:48 PM   #27
biscuitownz
R.I.P 9600GT 2008-2009
 
Join Date: Dec 2008
Location: United States sacramento
Posts: 1,797
biscuitownz is still being judged by the masses



Quote:
Originally Posted by Dr. Zhivago
There is a legitimate process with that name. Please read the original post more carefully.

Yep, I just checked my regedit, and it seems like I'm not infected with it since it's still "1". Thanks!

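The registry check biscuitownz describes can be scripted together with the other indicators the opening post lists. The following is an added example for Windows PowerShell, not anything posted by the thread's participants; it is read-only, and the registry path, the "system32 " directory trick and the autorun.inf file are the ones the thread describes.

```powershell
# Added example: read-only check for the indicators described in this thread.
# Run as Administrator so the registry key and the Windows directory are readable.

# 1. The thread says the infection forces CheckedValue under SHOWALL to 0 so that
#    "show hidden files" silently reverts. The Windows default is 1.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $key -Name CheckedValue -ErrorAction Stop).CheckedValue
if ($checked -eq 1) {
    "OK: SHOWALL CheckedValue = 1 (default)"
} else {
    "WARNING: SHOWALL CheckedValue = $checked (expected 1); 'show hidden files' is being forced off"
}

# 2. The thread describes a hidden lookalike of C:\Windows\system32 whose name ends in a
#    space (or a null). .NET's directory enumeration returns names exactly as stored, so a
#    trailing-whitespace or control-character name stands out next to the real system32.
$windir = $env:SystemRoot
foreach ($dir in [System.IO.Directory]::GetDirectories($windir)) {
    $name = [System.IO.Path]::GetFileName($dir)
    if ($name -ne $name.Trim() -or $name -match '[\x00-\x1f]') {
        "WARNING: suspicious directory name under ${windir}: '$name' (length $($name.Length))"
    }
}

# 3. The thread says the dropper writes autorun.inf plus a randomly named .exe to the root
#    of every USB drive. DriveType 2 is "removable". Report the file and what it would launch
#    without executing anything; -Force is needed because the files are set hidden.
foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $drive.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
        $launch = Get-Content -LiteralPath $inf -Force |
                  Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
        "WARNING: $inf present (attributes: $attrs); would launch: $($launch -join '; ')"
    } else {
        "OK: no autorun.inf on $($drive.DeviceID)"
    }
}
```

Run it from a machine you trust before plugging the drive into anything else; as VW_Factor notes, cleaning is far simpler when the suspect Windows install is not the one running.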
Old Nov 10, 2009, 11:20 PM   #28
Dr. Zhivago
Sound: Serious Business
 
Join Date: Feb 2003
Location: United States Oregon
Posts: 8,226



Yw!
Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
All trademarks used are properties of their respective owners. Copyright ©1998-2011 Rage3D.com