Travis
December 5th 03, 01:23 AM
I had the very same problem on my computer (Windows Task Manager
closing down). I was also suspended from my internet service due to a
bunch of port activity. What it was was the Net Devil virus, a
backdoor virus that can totally control every aspect of your computer.
It was making my computer run like crap and shutting me out of IRC.
Look it up at the Symantec website, under backdoor.devil. It infected
my kernel32.dll file but I was able to clean it up using Safe Mode.
It also leaves traces of itself in your registry under:
HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run
There were two entries there which I deleted. Good luck
'Travis
(Virage) wrote in message >...
> Thanks for your contribution: neither Symantec nor Trend Micro was
> able to isolate the virus. Have you had any experience with other
> anti-virus software and this version of Bug Bear / Milkit?
>
> "Sir_George" > wrote in message >...
> > Virage,
> >
> > In reference to your June 6, 2003 post where you stated that Norton
> > Antivirus was unable to identify or fix the problem caused by the virus; are
> > you unaware that Norton and Symantec are synonymous terms referring to the
> > same company? Therefore, if you tried using the removal tool from Norton and
> > it failed then Symantec's tool will also fail as it is the same thing.
> >
> > --
> > Sir_George
> > For better access to newsgroups;
> > http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
> >
> >
> > "Virage" > wrote in message
> > m...
> > > Good work guys! Beating the virus sounds almost exciting unless you
> > > rely on your server / pc for your daily bread! That's what really
> > > makes me want to meet the good ole' folks from Hackarmy or the social
> > > reject that wrote the virus: I'd love to take him/her for couple of
> > > rounds * ugh *.
> > >
> > > On a more calm note: has anyone tried the Symantec removal tool for
> > > this? Does it work? I can't imagine that it would if (and only if) the
> > > file names are randomly generated.
> > >
> > > In my last post, I neglected to mention that you have to do all your
> > > cleaning up in Safe Mode: otherwise, you can observe the service being
> > > re-created by the virus engine every time you try to delete the file or
> > > registry entry. Best seen in AnVir Task Manager.
> > >
> > >
> > > (Michael Jenkin) wrote in message
> >...
> > > > You have done some fantastic work to get around this. I too had the
> > > > same issue.
> > > > I actually booted with a boot disk (NTFS4DOS) and created a folder in
> > > > the system32 directory called xstyles.exe. I then deleted xstyles.exe
> > > > and rebooted. I then found the DLL, deleted it and removed the entry
> > > > from the registry.
> > > >
> > > > I did note that renaming Taskmgr.exe or regedit.exe to taskmgr1.exe or
> > > > regedit1.exe allowed the tools to run free from the weird shutdown
> > > > issue.
> > > >
> > > > I run Trend PcCillin and to this day it does not pick up the virus.
> > > >
> > > > Weird !
> > > >
> > > > Michael J Jenkin
> > > >
> > > > > "PPJ" > wrote in message news:<CTJDa.1138152$S_4.1170144@rwcrnsc53>...
> > > > > Thanks!
> > > > >
> > > > > You just made my life a lot easier!
> > > > >
> > > > > My story is different (so far...)
> > > > > I have been having problems the last 2 days and I tried to figure out
> > > > > what was going on..
> > > > > I just did a CLEAN install last week, already I was noticing slow
> > > > > downs...
> > > > > I tried to install McAfee - I usually do this right after installing,
> > > > > but I guess I missed it this time :.(
> > > > > I could not install, so I tried to run MSCONFIG, and it would just
> > > > > flip on to the screen and then right off!
> > > > > I then tried to run taskman, well we already know what it does!
> > > > > I then did a safe boot (w/ network) and ran MSCONFIG... Surprise! Here
> > > > > are some of the entries I found:
> > > > > xstyles.exe (This is what led me to your post!)
> > > > > iexpilorer (noticed the misspelling!!!)
> > > > >
> > > > > I am currently scanning with McAfee (I will also do Symantec) and so
> > > > > far I have found
> > > > > backdoor-fk.srv and downloader-af the source file (I am turning bright
> > > > > red....) "14 year old cock sucking anal sex.exe"
> > > > >
> > > > > I will post updated info when done....
> > > > >
> > > > > I WILL reformat and reinstall....But I will first post the results of
> > > > > the virus scans when done for everybody's knowledge
> > > > >
> > > > > P
> > > > >
> > > > > "Virage" > wrote in message
> > > > > ...
> > > > > > I have compiled this note because despite what most anti-virus
> > > > > > software companies would like you to believe, none of the virus
> > > > > > scans and "remove applications" were able to identify or fix the virus.
> > > > > > This includes Norton Antivirus and Trend Micro House Call.
> > > > > >
> > > > > > Isolation of this virus was nearly impossible! After a solid 26 hours
> > > > > > of hunting for solutions, inspecting the system, and auditing registry
> > > > > > entries, here are some useful hints in case any one of you comes
> > > > > > across some of the following symptoms (one or more):
> > > > > >
> > > > > > The Virus
> > > > > >
> > > > > > The virus found on my PC was very similar to PE_BUGBEAR.B, which is a
> > > > > > file-infecting variant of WORM_BUGBEAR.A. This variant includes all
> > > > > > the functionalities of the previous variant with the addition of the
> > > > > > file infection routine.
> > > > > >
> > > > > > Symptoms:
> > > > > >
> > > > > > 1. Network connection gets dropped about every 10 - 30 minutes:
> > > > > > your network connection icon shows "Network cable unplugged"
> > > > > > 2. If working behind a firewall (router), suddenly you are not able
> > > > > > to browse the Web or download email from the server: "Cannot locate
> > > > > > server..." message box appears.
> > > > > > 3. After re-booting, your computer is constantly sending out packets
> > > > > > even though no processes to substantiate this are running: you are
> > > > > > not running a Web server, Database server, or FTP server.
> > > > > > 4. Most Obvious: when you try to open Windows Task Manager, it
> > > > > > appears for about 1-3 sec. and then disappears.
> > > > > > 5. Most Obvious: when trying to run Registry Editor (from
> > > > > > Start/Run/Regedit.exe), it appears for about 1-3 sec. and then
> > > > > > disappears.
> > > > > >
> > > > > >
> > > > > > Characteristics:
> > > > > >
> > > > > > 1. Virus is distributed via email from many parts of the world and
> > > > > > is really well disguised: here is a link for a comprehensive overview:
> > > > > >
> > > > > > a. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A
> > > > > >
> > > > > > 2. This worm propagates via shared network folders and via email. It
> > > > > > also terminates antivirus programs, acts as a backdoor server
> > > > > > application, and sends out system passwords - all of which
> > > > > > compromise security on infected machines.
> > > > > >
> > > > > > 3. As a backdoor, this worm allows remote users to connect to
> > > > > > infected systems and obtain information, manipulate files, and execute
> > > > > > programs on the infected systems
> > > > > >
> > > > > > 4. This worm drops 3 .DLL and 2 .DAT files in the Windows System and
> > > > > > Windows folders respectively using random filenames. One of the
> > > > > > three .DLL files is a key logger program that hooks some events from the
> > > > > > keyboard.
> > > > > >
> > > > > > 5. This key logger component intercepts keystrokes made on the
> > > > > > infected machine and saves the keystrokes encrypted into the other
> > > > > > dropped .DLL files. The key logger component is also detected as
> > > > > > WORM_BUGBEAR.A, while the two other .DLLs are non-malicious. The two
> > > > > > dropped .DAT files are also non-malicious data files and are
> > > > > > encrypted.
> > > > > >
> > > > > > How to find and remove the virus:
> > > > > >
> > > > > > 1. Your anti-virus software may initially detect the virus and as
> > > > > > such it will be quarantined or deleted.
> > > > > >
> > > > > > a. If quarantined, the removal tool may be able to locate the source
> > > > > > file and remove all of its components
> > > > > > b. If deleted, the link to the source will be lost and you may not
> > > > > > be able to find the active components
> > > > > >
> > > > > > 2. In the latter case, if you observe the symptoms shown above, you
> > > > > > may try to download removal tools from Symantec or Trend Micro but
> > > > > > in my case, neither was able to find any virus files on my PC!!
> > > > > >
> > > > > > 3. The most obvious place where you will find issues related to
> > > > > > those types of viruses are two areas in your Registry:
> > > > > >
> > > > > > HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunOnce
> > > > > > HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
> > > > > > HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
> > > > > > HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
> > > > > > HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunServices
> > > > > > HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
> > > > > >
> > > > > > a. Since Regedit.exe will not run now, copy it as Regedit.com and
> > > > > > run this one instead
> > > > > > b. When inspecting those areas you have to look for entries that do
> > > > > > not appear to belong there: programs that you would not expect to
> > > > > > run automatically when your system is started
> > > > > > c. Most of them will correspond to items in your system tray but
> > > > > > others will not
> > > > > > d. Most worms and Trojans put files to automatically execute in this
> > > > > > area
> > > > > > e. Other references are made in the Classes part of the registry,
> > > > > > esp. "exefile" (you will find reference to how to fix these at the above
> > > > > > anti-virus sites)
> > > > > >
> > > > > > 4. Catch 22:
> > > > > >
> > > > > > a. Since you can't run Task Manager, how can you see what services
> > > > > > are running and which are not supposed to run?
> > > > > > b. Some excellent tools available out there are:
> > > > > > i. Process Explorer: just like Task Manager but much better
> > > > > > 1. http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
> > > > > >
> > > > > > ii. AnVir Task Manager: a really awesome tool that actually showed
> > > > > > me when services I tried to delete were automatically restarted by the
> > > > > > virus engine!!
> > > > > > 1. http://anvir.com/taskmanager/index.htm
> > > > > >
> > > > > > c. Now, the biggest catch is to find out what services are being
> > > > > > spawned over and over:
> > > > > > d. My best suggestion to those that may not know much about Win
> > > > > > services is ... to start from the top and stop each service; those
> > > > > > that are required will not be aborted or will restart
> > > > > > e. To see what the services are try this link:
> > > > > > i. http://www.liutilities.com/products/wintaskspro/processlibrary/tcpsvcs/
> > > > > > f. Those that are referenced in the registry by the virus will be
> > > > > > restarted and you will be able to see that in AnVir (really great
> > > > > > tool!)
> > > > > >
> > > > > > 5. Since none of the removal tools nor anti-virus software were able
> > > > > > to find any reference to the viruses, this was a trial and error
> > > > > > process, esp. with this group of viruses which produce RANDOM FILE
> > > > > > NAMES:
> > > > > > a. In my case, the three culprits were:
> > > > > > i. xstyles.exe
> > > > > > ii. rwtrisfg32.dll
> > > > > > iii. Perflib_Perfdata_34c.dat
> > > > > >
> > > > > > b. As you can see, none make any sense!
> > > > > > i. The Registry Entry that tied them together was NvXpLDeamon
> > > > > > ii. The "deamon" gave it away a bit
> > > > > > c. Since these are random files you will not be able to find
> > > > > > reference to them on the Web
> > > > > >
> > > > > > 6. Upon inspection of the content of the virus files I was able to
> > > > > > confirm that rwtrisfg32.dll was referencing spybot.dll and was
> > > > > > performing the following functions:
> > > > > > a. Quoting from the virus source code: that is truly scary!!
> > > > > > b. "Searsing for passwords"
> > > > > > c. ":netdevil IP:"
> > > > > > d. "passed pleaz_run_done pleaz_run"
> > > > > > e. "Server uploaded to kuangserver IP:" - note that kuangserver is
> > > > > > part of the Kuang2 virus which this one piggybacks on!!
> > > > > > f. read: http://www.lurhq.com/sig-milkit.html
> > > > > > g. "already logging keys to %s use "stopkeylogger" to stop Spying on
> > > > > > port"
> > > > > > h. as well as nearly 2000 words and phrases that are potentially
> > > > > > used as passwords: "LOCAL SERVER SYSTEM BACKUP USER ACCESS TEST DEMO
> > > > > > FILES READ BOTH FULL WRITE SHARE TEMP PASSWORD ADMIN ROOT GUEST
> > > > > > ADMINISTRATOR "
> > > > > >
> > > > > > Highlights:
> > > > > >
> > > > > > 1. Anti-Virus Software may or may not remove known viruses
> > > > > > 2. If the main virus file is deleted, you may not be able to find
> > > > > > the remaining pieces even using the removal tools.
> > > > > > 3. If you quarantine your viruses, record their names so you can
> > > > > > narrow down your search later.
> > > > > > 4. Use the tools abovementioned to help you in finding the culprits
> > > > > > 5. Use Port Monitors such as Statistics part of Symantec's Internet
> > > > > > Security to see what's happening when the virus is running
> > > > > >
> > > > > > a. I saw communication from net.hackarmy.tk attempting to get into
> > > > > > my PC while the worm was running:
> > > > > > b. read: http://www.lurhq.com/sig-milkit.html
> > > > > > c. this is how I was able to put the hackarmy and milkit and Bug
> > > > > > Bear together
> > > > > >
> > > > > > 6. Removal of the previously mentioned files, esp. xstyles.exe
> > > > > > reinstated by Task Manager and Regedit!
> > > > > > 7. Set up your Virus Scan to run nightly
> > > > > > 8. Set up Internet Security to block Trojan Horse intrusions
> > > > > > 9. Set up your Router to notify you of intrusion attempts
> > > > > > 10. Set up update to virus definitions to take place automatically
> > > > > > as soon as they are available.
> > > > > > 11. Change your password after the attack for all profiles on the
> > > > > > particular PC
> > > > > >
> > > > > >
> > > > > > For more info, contact me at www.prism-itc.com
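An added example, not code from the thread or from any of its posters: a PowerShell script that walks the six autorun keys Virage lists in step 3 and flags entries whose target file is missing, sits outside the usual program directories, or is not Authenticode-signed, which is the "entries that do not appear to belong there" triage from step 3b done mechanically. It assumes a modern Windows with PowerShell run from an elevated prompt (ideally in Safe Mode, as the thread recommends); the expected-directory list and the "resolve bare file names against System32" rule are constructed starting points, not a complete allow-list.

```powershell
# Added example (not from the original thread). Lists suspicious autorun
# entries in the Run / RunOnce / RunServices keys under HKLM and HKCU.
# Assumptions: elevated prompt, modern PowerShell; $expectedDirs is a
# constructed heuristic allow-list, not an authoritative one.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Directories where legitimate autorun targets normally live (assumption).
$expectedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\system32") |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-AutorunTarget {
    param([string]$CommandLine)
    # Take a leading quoted path if present, otherwise the first token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Get-SuspiciousAutoruns {
    $results = foreach ($key in $autorunKeys) {
        # RunServices does not exist on NT-based systems; skip absent keys.
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...).
            if ($p.Name -like 'PS*') { continue }
            $target = Get-AutorunTarget -CommandLine ([string]$p.Value)
            $resolved = [Environment]::ExpandEnvironmentVariables($target)
            # A bare file name is looked up in System32, which is where the
            # thread's xstyles.exe was dropped.
            if (-not [IO.Path]::IsPathRooted($resolved)) {
                $resolved = Join-Path "$env:SystemRoot\system32" $resolved
            }
            $exists = Test-Path -LiteralPath $resolved
            $dir = [IO.Path]::GetDirectoryName($resolved).ToLowerInvariant()
            $inExpected = $expectedDirs | Where-Object { $dir.StartsWith($_) }
            $signed = $false
            if ($exists) {
                $signed = (Get-AuthenticodeSignature -FilePath $resolved).Status -eq 'Valid'
            }
            [pscustomobject]@{
                Key           = $key
                Name          = $p.Name
                Target        = $resolved
                Exists        = $exists
                InExpectedDir = [bool]$inExpected
                Signed        = $signed
                Suspicious    = (-not $exists) -or (-not $inExpected) -or (-not $signed)
            }
        }
    }
    $results | Where-Object Suspicious
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Entries flagged only on InExpectedDir (per-user applications under AppData, for example) still need a manual look; the output narrows the list rather than deciding it, and a missing target (Exists = False) is the pattern step 1b describes, where the AV deleted the file but left the registry reference behind.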