Broker Outpost Mortgage Forums
BO Computer Viruses.
frank drigotas j

3871 Posts

Posted - 08/07/2008 :  11:17:22 AM
Impressive research, Greg!

Probably one of the most valuable BO posts ever.



dollar
assassin17

7838 Posts

Posted - 08/07/2008 :  11:30:09 AM
8 hours of research long into the night. Mainly from all the long virus scans I kept repeating on the computers.

There was another EXE file I can't remember the name of. That was the third virus and it messes with Outlook. Two were easily removed, just by cleaning the files off, but the last one with the 'buritos.exe' was the big one. All of the viruses seemed to have been created in Russia, where they enjoy nasty food and nastier hacking.

The attack on Yahoo servers and the resetting of your home page to Google show a contempt for Yahoo, for some reason. But the attempt to make you purchase a couple of bogus programs and steal your identity are the ones to worry about.

One other thing... One of the viruses alters your internet security settings so that they can hide what is going on and infiltrate your computer at will.

You definitely need to get these things cleaned off, because it will just keep lowering your internet settings. Ad-aware did NOT detect all of the viruses, but Spyware Doctor did and also removed them. PC-Cillin caught the viruses, but froze the computer when it attempted to clean them.
mykal5

6130 Posts

Posted - 08/07/2008 :  11:31:35 AM
To piggyback on Assassin's post as best I can (not a smart guy in any way, shape or form), I used HijackThis to discover the BHO (browser helper object) and was able to identify the file. I just looked for a program I knew I had never installed.

Once I found what I was looking for I removed the files with Hijack This.

Unfortunately I found that was not enough so I used ComboFix, opened my computer in safe mode and ran the fix.
assassin17

7838 Posts

Posted - 08/07/2008 :  11:54:19 AM
Files to worry about, found in WINDOWS and/or WINDOWS\SYSTEM32 folder:

buritos.exe
braviax.exe
delself.bat
c:\windows\system32\dllcache\beep.sys (modified)
c:\windows\system32\dllcache\figaro.sys
winivstr.exe
xpsecuritycenter.exe
c:\windows\temp\~ie19C7.exe
0.log
karina.dat
aspimgr.exe
Some files ending with SCR, VBS, BIN, REG and DBL
A bunch of files with scrambled letters for names
xatcore.dll (Possibly... Wasn't sure, but it had been altered so I removed it)

c:\program files\Unpacker was loaded with virus installation files and I removed it.

In c:\program files\common files, there were 4 files created with Visual Basic with scrambled letter names and the extensions of VBS, SYS and SCR. These were hidden off to the side to reinstall the viruses after cleaning.

In Internet Explorer, ENABLE BROWSER EXTENSIONS is turned on by the virus and all search items and home page are set to Google, including the search bar. This allows the virus to immediately use a hidden Google Search to retrieve more files when you start your browser. It downloads a BINARIES1.ZIP file, unloads whatever viruses they want and then deletes the ZIP file. It also downloads winivstr.exe from a site called virus-quick-scan.com, which you may want to block (No 'www' in front of that address). That file forces the computer to reboot and is the big-daddy of the infection. Another site to block is xpsecuritycenter.com (Which does start with a 'www').

You can use REGEDIT (If skilled!) or MSCONFIG to try and stop files from running at startup. Look for any EXE or COM file that was created or modified on the date of infection. However, if you don't clean the rest of it off immediately, those files will be recopied and reloaded at your next boot.

If you are not in Safe Mode, you will not be able to manually remove all of those files or the viruses.
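An added example, not part of the thread or any poster's text: a read-only PowerShell triage sweep that turns the file list and the "created or modified on the date of infection" check above into something you can run and read off, instead of clicking through folders by hand. The file names, folders, the beep.sys note and the two download sites come straight from the post; the script structure, the date parameter and the assumption of Windows PowerShell 5.1 on an elevated prompt are mine. It reports and deletes nothing, so it is safe to run before deciding what to clean.

```powershell
# Added example, not from the thread: read-only triage sweep for the file
# indicators listed in the post above. Run from an elevated PowerShell prompt
# (assumes Windows PowerShell 5.1). It reports; it does not delete anything.
param(
    # Assumption: the day the machine was infected. Defaults to today; pass the real date.
    [datetime]$InfectionDate = (Get-Date).Date
)

# File names exactly as listed in the post
$IocNames = @('buritos.exe', 'braviax.exe', 'delself.bat', 'figaro.sys', 'winivstr.exe',
              'xpsecuritycenter.exe', '0.log', 'karina.dat', 'aspimgr.exe', 'xatcore.dll')

# Download sites the post says to block
$IocDomains = @('virus-quick-scan.com', 'xpsecuritycenter.com', 'www.xpsecuritycenter.com')

# Folders the post names as drop locations
$Roots = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:SystemRoot\System32\dllcache",
           "$env:SystemRoot\Temp", "$env:ProgramFiles\Common Files", "$env:ProgramFiles\Unpacker")

# Files in the drop folders whose name is on the list (-contains is case-insensitive)
function Find-IocFiles {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $IocNames -contains $_.Name } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# Executables and scripts created or last written on the infection day
# (the post's "created or modified on the date of infection" check)
function Find-RecentExecutables {
    param([datetime]$Day)
    $start = $Day.Date
    $end   = $start.AddDays(1)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Extension -in '.exe', '.com', '.scr', '.vbs', '.bat', '.sys') -and
                (($_.CreationTime -ge $start -and $_.CreationTime -lt $end) -or
                 ($_.LastWriteTime -ge $start -and $_.LastWriteTime -lt $end))
            } |
            Select-Object FullName, CreationTime, LastWriteTime
    }
}

# beep.sys: the post reports the dllcache copy was modified. Hash both copies
# on disk; if they differ, one of them has been tampered with.
function Compare-BeepSys {
    $paths = @("$env:SystemRoot\System32\drivers\beep.sys", "$env:SystemRoot\System32\dllcache\beep.sys")
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $h = Get-FileHash -LiteralPath $p -Algorithm SHA256
            [pscustomobject]@{
                Path          = $p
                SHA256        = $h.Hash
                LastWriteTime = (Get-Item -LiteralPath $p -Force).LastWriteTime
            }
        }
    }
}

# Are the download sites already sinkholed in the hosts file?
function Test-HostsBlocked {
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $lines = Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue
    foreach ($d in $IocDomains) {
        $pattern = '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+' + [regex]::Escape($d) + '(\s|$)'
        [pscustomobject]@{ Domain = $d; BlockedInHosts = [bool]($lines | Where-Object { $_ -match $pattern }) }
    }
}

'== Known file names =='
Find-IocFiles | Format-Table -AutoSize
"== Executables/scripts touched on $($InfectionDate.ToShortDateString()) =="
Find-RecentExecutables -Day $InfectionDate | Format-Table -AutoSize
'== beep.sys copies =='
Compare-BeepSys | Format-Table -AutoSize
'== hosts entries for the download sites =='
Test-HostsBlocked | Format-Table -AutoSize
```

Save it as, say, sweep.ps1 and run `.\sweep.ps1 -InfectionDate 2008-08-06` with the real date. An empty "Known file names" table is not an all-clear on its own (the post also mentions randomly named files), which is why the date-based listing is there: anything in those folders that appeared on the infection day and that you did not install is worth a look before you reboot.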
loancloser1342

842 Posts

Posted - 08/07/2008 :  1:27:17 PM
I stopped using Windows about a month ago. Running Ubuntu linux now. No issues with viruses at all. Even better than Mac.
BB

989 Posts

Posted - 08/07/2008 :  1:43:39 PM
My computer guy is coming to get my computer and will strip it of everything and then reload. Don't think I will be back to BO. It is going to be fairly expensive but I can't afford to compromise customer information, etc. Best to you all and thanks to Assassin17 for his information.
Shuggins

1282 Posts

Posted - 08/07/2008 :  1:49:34 PM
This must be where I got the virus that knocked my machine out for 4 days.

It's pretty nasty.
racerx

12112 Posts

Posted - 08/07/2008 :  1:53:22 PM
quote:
Originally posted by assassin17

Files to worry about, found in WINDOWS and/or WINDOWS\SYSTEM32 folder:

buritos.exe
braviax.exe
delself.bat
c:\windows\system32\dllcache\beep.sys (modified)
c:\windows\system32\dllcache\figaro.sys
winivstr.exe
xpsecuritycenter.exe
c:\windows\temp\~ie19C7.exe
0.log
karina.dat
aspimgr.exe
Some files ending with SCR, VBS, BIN, REG and DBL
A bunch of files with scrambled letters for names
xatcore.dll (Possibly... Wasn't sure, but it had been altered so I removed it)

c:\program files\Unpacker was loaded with virus installation files and I removed it.

In c:\program files\common files, there were 4 files created with Visual Basic with scrambled letter names and the extensions of VBS, SYS and SCR. These were hidden off to the side to reinstall the viruses after cleaning.

In Internet Explorer, ENABLE BROWSER EXTENSIONS is turned on by the virus and all search items and home page are set to Google, including the search bar. This allows the virus to immediately use a hidden Google Search to retrieve more files when you start your browser. It downloads a BINARIES1.ZIP file, unloads whatever viruses they want and then deletes the ZIP file. It also downloads winivstr.exe from a site called virus-quick-scan.com, which you may want to block (No 'www' in front of that address). That file forces the computer to reboot and is the big-daddy of the infection. Another site to block is xpsecuritycenter.com (Which does start with a 'www').

You can use REGEDIT (If skilled!) or MSCONFIG to try and stop files from running at startup. Look for any EXE or COM file that was created or modified on the date of infection. However, if you don't clean the rest of it off immediately, those files will be recopied and reloaded at your next boot.

If you are not in Safe Mode, you will not be able to manually remove all of those files or the viruses.



This would only be for people whose virus protection software did not block it, right?

I'll check my computer just in case.

Greg, do you see that it relates to the search feature? A couple of people have said they were searching when the virus was detected.
jeff4567

1607 Posts

Posted - 08/07/2008 :  2:02:11 PM
What anti-virus program do some of you recommend? I currently have McAfee (it came with the laptop)
AK__47

1645 Posts

Posted - 08/07/2008 :  2:17:40 PM
quote:
Originally posted by racerx

quote:
Originally posted by assassin17

Files to worry about, found in WINDOWS and/or WINDOWS\SYSTEM32 folder:

buritos.exe
braviax.exe
delself.bat
c:\windows\system32\dllcache\beep.sys (modified)
c:\windows\system32\dllcache\figaro.sys
winivstr.exe
xpsecuritycenter.exe
c:\windows\temp\~ie19C7.exe
0.log
karina.dat
aspimgr.exe
Some files ending with SCR, VBS, BIN, REG and DBL
A bunch of files with scrambled letters for names
xatcore.dll (Possibly... Wasn't sure, but it had been altered so I removed it)

c:\program files\Unpacker was loaded with virus installation files and I removed it.

In c:\program files\common files, there were 4 files created with Visual Basic with scrambled letter names and the extensions of VBS, SYS and SCR. These were hidden off to the side to reinstall the viruses after cleaning.

In Internet Explorer, ENABLE BROWSER EXTENSIONS is turned on by the virus and all search items and home page are set to Google, including the search bar. This allows the virus to immediately use a hidden Google Search to retrieve more files when you start your browser. It downloads a BINARIES1.ZIP file, unloads whatever viruses they want and then deletes the ZIP file. It also downloads winivstr.exe from a site called virus-quick-scan.com, which you may want to block (No 'www' in front of that address). That file forces the computer to reboot and is the big-daddy of the infection. Another site to block is xpsecuritycenter.com (Which does start with a 'www').

You can use REGEDIT (If skilled!) or MSCONFIG to try and stop files from running at startup. Look for any EXE or COM file that was created or modified on the date of infection. However, if you don't clean the rest of it off immediately, those files will be recopied and reloaded at your next boot.

If you are not in Safe Mode, you will not be able to manually remove all of those files or the viruses.



This would only be for people whose virus protection software did not block it, right?

I'll check my computer just in case.

Greg, do you see that it relates to the search feature? A couple of people have said they were searching when the virus was detected.



That's how I found it. I was using the search feature.
Captain Mortgage

2559 Posts

Posted - 08/07/2008 :  2:43:24 PM
didn't find buritos.exe but I did find taco.dll
racerx

12112 Posts

Posted - 08/07/2008 :  3:03:09 PM
It appears the same virus was discussed on Symantec's forum last week.

Re: buritos.exe, winivstr.exe & braviax.exe viruses installed after Trojan.Wsnpoem incident Options

We currently have got VirusDefs for at least 5 possible variants of the virus mentioned. The threats mentioned come in 2 forms, either the XP Antivirus 2008, and the UPS_Invoice Virus.

I've seen the execution of the UPS threat trigger the download of XP Antivirus 2008 in one instance, and then infect the system more thoroughly.

In case anyone is facing any issues with an undetected variant of the virus, I'd recommend that you isolate the suspect files and submit them to the Security Response team to make VirusDefs to catch the variants. Files can be submitted at

https://submit.symantec.com/websubmit/gold.cgi and wait for the updated signatures to come out.

Best Regards,
Abhishek Pradhan, MCT


Reference: https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&thread.id=13784

racerx

12112 Posts

Posted - 08/07/2008 :  3:15:08 PM
If you google buritos.exe you will find lots of hits. I read something about the virus coming from a fake UPS email.

It doesn't sound like this is limited to BO.

http://www.pchelpforum.com/progress-hijackthis-logs/49014-ups-virus-buritos-exe-braviax-2-pcs.html
assassin17

7838 Posts

Posted - 08/07/2008 :  9:44:26 PM
quote:
Originally posted by racerx

This would only be for people whose virus protection software did not block it, right?

I'll check my computer just in case.

Greg, do you see that it relates to the search feature? A couple of people have said they were searching when the virus was detected.
Unfortunately, the answer is NO. Your software may be catching and blocking the attempt to use the internet behind your back, or only catching one virus of the bunch, etc.

If your AV software caught it immediately, you at least blocked one incoming and probably are ok if it's blocking that first main loader. However, if your AV is now catching the OUTBOUND activity, then you are infected and only blocking yourself from infecting others.

The best way to be sure is to look for the files I listed. However, if you blocked the virus and your computer has never shut down IE and immediately rebooted itself after clicking those links, it's a good bet you blocked it. Once that IE closed by itself, you got infected.

Like I said, I tried different programs and Spyware Doctor was the only one that nailed all of them right away. This was AFTER purposely infecting one of my PCs that I use to test software with. I often reformat it, so I could care less if it couldn't be cleaned. I don't suggest anyone risk finding out and THAT LINK SHOULD BE REMOVED OR DISABLED NOW.

I do not use the Search feature here, so I didn't notice that. Only BO can clean that up, so I'd avoid it until the Admin gives an all-clear. These ASP pages are generated by the BO server, so it's really up to their end now.

I really had good success once I booted in Safe Mode and deleted the BEEP.SYS file. Once you do, you need to clear all of your System Restore files, because you can't trust any of them anymore. Start from scratch once you're cleaned. If you ever do need BEEP.SYS, it's an old file and you should be able to find it on your Windows CDs or from a friend. I wouldn't trust downloading it from an internet site, for obvious reasons.

As for using Linux or Mac; Trust me, if they had the market share Windows has, you'd see 10,000 Russian viruses within a week. Any system can be hacked or infected if jerks want to do it. Good programmers are VERY intelligent people and some of them are also very evil.

As for reformatting; That is a complete last resort. Novices always format the hard drive after the slightest problem, which is usually nothing more than an old driver file. Just clean the virus. Backing up your files and then putting them back on is just risking the same viruses being copied right back on. It's a waste of time and possibly data. The way to stop any virus is to remove the executable files and the Registry information that loads an infected file. That's it, the virus cannot run without being loaded or started. If you copy those files right back on, you have merely reformatted for nothing. The instant you use an infected file it will simply run the virus again, even 2 years later. CLEAN IT. You must do this for every PC connected to your network.

This is why people used to pay me money or hire skilled IT people at 5 times my rate. Reformatting is not the best option.

PS - In the case of these viruses, one of them pops up one of TWO programs that say it has caught a virus! If you have gotten an emergency warning and then it asks you to go buy some software to clean it, that IS one of the viruses! Don't buy it! You will get your identity stolen and credit card info passed to crooks.
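An added example, not part of the thread or any poster's text, for two of the points in the post above: a virus cannot run unless something loads it, so the Registry entry that starts it matters as much as the file; and AV catching OUTBOUND activity means the machine is already infected. This PowerShell script lists the Run/RunOnce autostart entries and the established outbound connections, and flags any whose program name matches the file names given earlier in the thread. The file names are the thread's; the Registry key list, the flagging logic and the assumption of Windows PowerShell 5.1 on Windows 8 or later (for Get-NetTCPConnection) are mine. It is read-only; deciding what to remove is still your call, and as the post says, do the removal from Safe Mode.

```powershell
# Added example, not from the thread: list what starts at logon and what is
# talking outbound right now, flagging names from the thread's file list.
# Read-only. Assumes Windows PowerShell 5.1 on Windows 8+ (Get-NetTCPConnection).

# File names from the thread (the ones that are executables or scripts)
$IocNames = @('buritos.exe', 'braviax.exe', 'winivstr.exe', 'xpsecuritycenter.exe',
              'aspimgr.exe', 'delself.bat')

# Standard per-machine and per-user autostart keys (the ones MSCONFIG shows)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the program path out of a command line such as  "C:\dir\prog.exe" /arg  or  C:\dir\prog.exe /arg
function Get-ExePathFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

# One row per autostart value: where it lives, what it runs, whether the
# target still exists on disk, and whether its name is on the list.
function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $exe  = Get-ExePathFromCommand -Command ([string]$p.Value)
            $name = [System.IO.Path]::GetFileName($exe)
            [pscustomobject]@{
                Key     = $key
                Entry   = $p.Name
                Command = $p.Value
                Exists  = (Test-Path -LiteralPath $exe)   # false for %VAR% paths too; check those by hand
                Flagged = ($IocNames -contains $name)
            }
        }
    }
}

# Established TCP connections to non-local addresses, by owning process
function Get-OutboundByProcess {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $pname = if ($proc) { $proc.ProcessName + '.exe' } else { "pid $($_.OwningProcess)" }
            [pscustomobject]@{
                Process = $pname
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Flagged = ($IocNames -contains $pname)
            }
        }
}

'== Autostart entries (flagged first) =='
Get-AutorunEntries | Sort-Object Flagged -Descending | Format-Table -AutoSize
'== Established outbound connections (flagged first) =='
Get-OutboundByProcess | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt. A flagged autostart row gives you both halves of what the post says to remove: the file in Command and the Registry value named in Entry under Key. An entry whose target no longer exists is also worth noting, since it usually means a cleaner removed the file but left the loader behind. Once the loaders are gone, clearing System Restore as the post describes keeps an old restore point from bringing them back.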
racerx

12112 Posts

Posted - 08/07/2008 :  9:53:28 PM
I didn't find any of those files on my computer. If I find them, I'm telling my husband they came from the gun forum.
MisterVA

8643 Posts

Posted - 08/08/2008 :  06:41:40 AM
I use webroot at home and it lists the prisoners taken. I will look for some of these the next time it runs.
© 2007 Broker Outpost LLC, All Rights Reserved.