Vista - Help!!! Virus!!!

**Riptorn** · 03-15-2009

Hi, I have vista ultimate 32 bit. Recently, everytime I start up vista, my antivirus software BitDefender Internet Security 2009, blocks a virus ... goasi.cn/ex/a.php
Does anyone know what this is??, and how can I remove it, it is very annoying??..Please can you help me??
Regards
Riptorn.

**rive0108** · 03-15-2009

Well, first of all, Bitdefender isnt very good. It did very poorly in recent testing (Vista SP1 Antivirus Performance)

Clean system here with NOD32:Free ESET Online Antivirus Scanner

**Riptorn** · 03-15-2009

Quote: Originally Posted by rive0108

Well, first of all, Bitdefender isnt very good. It did very poorly in recent testing (Vista SP1 Antivirus Performance)

Clean system here with NOD32:Free ESET Online Antivirus Scanner

Thanks rive0108, well??.. what Is the best internet security???. I was told BitDefender was the Best?. It only blocked the Trojan.Injector.C2 goasi.cn/ex/a.php.. I scanned everything it is not there? How to remove it?

**rive0108** · 03-15-2009

Source:PE_VIRUT.ASA - Technical details

Arrival, Installation and Autostart Technique
This file infector may be downloaded unknowingly by a user when visiting malicious Web sites.
It creates the following registry entry to bypass the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

File Infection

It hooks the following APIs so that when any of these APIs are called, it proceeds to its infection routine:

NtCreateFile
NtOpenFile
NtOpenProcess
NtCreateProcessEx

This file infector infects by appending its code to target host files. It infects files of the following types:

.EXE
.SCR

It does not infect files that contain the following strings in their file names:

WC32
WCUN
WINC

Backdoor Capabilities
It searches for the Winlogon process by enumerating the running processes and injects a thread that is responsible for its backdoor routines.

It connects to the following IRC server irc.zief.pl and waits for a command from a remote user. Using this connection, it downloads TROJ_INJECTOR.AR from the following URL:

http://goasi.cn/ex/a.php

**rive0108** · 03-15-2009

Actually on second thought you may want to do System restore to a point before you picked up the file infector Malware. Apparently It is causing significant registry/Windows corruption that may be difficult to repair. Did you allow it past UAC? That should have contained it in the IE7 sandbox.

Assumming for a moment it is still In the IE temp files, delete all files/cookies, etc.

**rive0108** · 03-15-2009

The best Antivirus/Antimalware programs on the market

Avira
NOD32

**Riptorn** · 03-15-2009

Quote: Originally Posted by rive0108

Actually on second thought you may want to do System restore to a point before you picked up the file infector Malware. Apparently It is causing significant registry/Windows corruption that may be difficult to repair. Did you allow it past UAC? That should have contained it in the IE7 sandbox.

Assumming for a moment it is still In the IE temp files, delete all files/cookies, etc.

scanning now.. will let you know the outcome. thanks.

**rive0108** · 03-16-2009

Manual removal
posted from:TROJ_INJECTOR.AR - Description and solution
Turn off System restore/Shadow Copy, then:

Step 1: Remove malware files dropped/downloaded by TROJ_INJECTOR.AR

TROJ_AGENT.ALHH
TROJ_FAKEAV.MCS
TROJ_STOPSEC.MCL
TSPY_FESTEAL.B

Step 1: Remove malware files dropped/downloaded by TROJ_INJECTOR.AR
TROJ_AGENT.ALHH

TROJ_FAKEAV.MCS

TROJ_STOPSEC.MCL

TSPY_FESTEAL.B

[Back]
Step 2: Delete this registry value [learn how] Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
Desktop
- host = "{BLOCKED}.{BLOCKED}.126.195"
- id = "861628374673"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- FirewallDisableNotify = "1"
- FirewallOverride = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
- services = "%WINDOWS%\services.exe"
In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\DomainProfile
- EnableFirewall = "0"
In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\StandardProfile
- EnableFirewall = "0"

Step 2: Delete this registry value [back]
To delete the registry value this malware/grayware/spyware created:

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>
Desktop
In the right panel, locate and delete the entry:
host = "{BLOCKED}.{BLOCKED}.126.195"

id = "861628374673"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center
In the right panel, locate and delete the entry:
FirewallDisableNotify = "1"

FirewallOverride = "1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
CurrentVersion>Run
In the right panel, locate and delete the entry:
services = "%Windows%\services.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>
WindowsFirewall>DomainProfile
In the right panel, locate and delete the entry:
EnableFirewall = "0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>
WindowsFirewall>StandardProfile
In the right panel, locate and delete the entry:
EnableFirewall = "0"
Close Registry Editor.

Perform FULL System Scan with Antivirus/Windows Defender.

03-15-2009	#1 (permalink)
Riptorn VISTA ULTIMATE SP2 395 posts	Help!!! Virus!!! Hi, I have vista ultimate 32 bit. Recently, everytime I start up vista, my antivirus software BitDefender Internet Security 2009, blocks a virus ... goasi.cn/ex/a.php Does anyone know what this is??, and how can I remove it, it is very annoying??..Please can you help me?? Regards Riptorn.
My System Specs

03-15-2009	#2 (permalink)
rive0108 Vista Ultimate X64 SP2 2,073 posts	Re: Help!!! Virus!!! Well, first of all, Bitdefender isnt very good. It did very poorly in recent testing (Vista SP1 Antivirus Performance) Clean system here with NOD32:Free ESET Online Antivirus Scanner
My System Specs

03-15-2009	#3 (permalink)
Riptorn VISTA ULTIMATE SP2 395 posts	Re: Help!!! Virus!!! Quote: Originally Posted by rive0108 Well, first of all, Bitdefender isnt very good. It did very poorly in recent testing (Vista SP1 Antivirus Performance) Clean system here with NOD32:Free ESET Online Antivirus Scanner Thanks rive0108, well??.. what Is the best internet security???. I was told BitDefender was the Best?. It only blocked the Trojan.Injector.C2 goasi.cn/ex/a.php.. I scanned everything it is not there? How to remove it?
My System Specs

03-15-2009	#4 (permalink)
rive0108 Vista Ultimate X64 SP2 2,073 posts	Re: Help!!! Virus!!! Source:PE_VIRUT.ASA - Technical details Arrival, Installation and Autostart Technique This file infector may be downloaded unknowingly by a user when visiting malicious Web sites. It creates the following registry entry to bypass the Windows Firewall: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List \??\%System%\winlogon.exe = "\??\%System%\winlogon.exe::enabled:@shell32.dll,-1" File Infection* It hooks the following APIs so that when any of these APIs are called, it proceeds to its infection routine: NtCreateFile NtOpenFile NtOpenProcess NtCreateProcessEx This file infector infects by appending its code to target host files. It infects files of the following types: .EXE .SCR It does not infect files that contain the following strings in their file names: WC32 WCUN WINC Backdoor Capabilities It searches for the Winlogon process by enumerating the running processes and injects a thread that is responsible for its backdoor routines. It connects to the following IRC server irc.zief.pl and waits for a command from a remote user. Using this connection, it downloads TROJ_INJECTOR.AR from the following URL: http://goasi.cn/ex/a.php Last edited by rive0108; 03-19-2009 at 10:08 PM..
My System Specs

03-15-2009	#5 (permalink)
rive0108 Vista Ultimate X64 SP2 2,073 posts	Re: Help!!! Virus!!! Actually on second thought you may want to do System restore to a point before you picked up the file infector Malware. Apparently It is causing significant registry/Windows corruption that may be difficult to repair. Did you allow it past UAC? That should have contained it in the IE7 sandbox. Assumming for a moment it is still In the IE temp files, delete all files/cookies, etc. Attached Thumbnails Last edited by rive0108; 03-15-2009 at 10:30 PM..
My System Specs

03-15-2009	#6 (permalink)
rive0108 Vista Ultimate X64 SP2 2,073 posts	Re: Help!!! Virus!!! The best Antivirus/Antimalware programs on the market Avira NOD32
My System Specs

03-15-2009	#7 (permalink)
Riptorn VISTA ULTIMATE SP2 395 posts	Re: Help!!! Virus!!! Quote: Originally Posted by rive0108 Actually on second thought you may want to do System restore to a point before you picked up the file infector Malware. Apparently It is causing significant registry/Windows corruption that may be difficult to repair. Did you allow it past UAC? That should have contained it in the IE7 sandbox. Assumming for a moment it is still In the IE temp files, delete all files/cookies, etc. scanning now.. will let you know the outcome. thanks.
My System Specs

03-16-2009	#8 (permalink)
rive0108 Vista Ultimate X64 SP2 2,073 posts	Re: Help!!! Virus!!! Manual removal posted from:TROJ_INJECTOR.AR - Description and solution Turn off System restore/Shadow Copy, then: Step 1: Remove malware files dropped/downloaded by TROJ_INJECTOR.AR TROJ_AGENT.ALHH TROJ_FAKEAV.MCS TROJ_STOPSEC.MCL TSPY_FESTEAL.B Step 1: Remove malware files dropped/downloaded by TROJ_INJECTOR.AR TROJ_AGENT.ALHH TROJ_FAKEAV.MCS TROJ_STOPSEC.MCL TSPY_FESTEAL.B [Back] Step 2: Delete this registry value [learn how] Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ Desktop host = "{BLOCKED}.{BLOCKED}.126.195" id = "861628374673" In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center FirewallDisableNotify = "1" FirewallOverride = "1" In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run services = "%WINDOWS%\services.exe" In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ WindowsFirewall\DomainProfile EnableFirewall = "0" In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ WindowsFirewall\StandardProfile EnableFirewall = "0" Step 2: Delete this registry value [back] To delete the registry value this malware/grayware/spyware created: Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter. In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer> Desktop In the right panel, locate and delete the entry: host = "{BLOCKED}.{BLOCKED}.126.195" id = "861628374673" In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center In the right panel, locate and delete the entry: FirewallDisableNotify = "1" FirewallOverride = "1" In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows> CurrentVersion>Run In the right panel, locate and delete the entry: services = "%Windows%\services.exe" In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft> WindowsFirewall>DomainProfile In the right panel, locate and delete the entry: EnableFirewall = "0" In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft> WindowsFirewall>StandardProfile In the right panel, locate and delete the entry: EnableFirewall = "0" Close Registry Editor. Perform FULL System Scan with Antivirus/Windows Defender. Last edited by rive0108; 03-19-2009 at 10:09 PM..
My System Specs

Similar Threads
Thread	Forum
Virus or What?	Vista performance & maintenance
HELP! I have a virus...	System Security
Virus???	Vista file management
Got a virus alert on a virus that is over a year old	System Security
Help is it a virus	System Security