Help!!! Virus!!!

Riptorn

Hi, I have Vista Ultimate 32 bit. Recently, every time I start up Vista, my antivirus software, BitDefender Internet Security 2009, blocks a virus ... goasi.cn/ex/a.php
Does anyone know what this is, and how can I remove it? It is very annoying. Please can you help me?
Regards
Riptorn
 

My Computer

System One

  • Manufacturer/Model
    Dell Inspiron 1525
    CPU
    CELERON DUO
    Memory
    4GB
    Hard Drives
    360GB

My Computer

System One

  • CPU
    T7600G Core2Duo 2.66 Ghz
    Motherboard
    Intel 945PM + ICH7 Chipset
    Memory
    4GB DDR2 PC2-5300 667MHz
    Graphics card(s)
    Mobility Radeon x1900 256MB
    Sound Card
    Realtek HD
    Monitor(s) Displays
    WUXGA 17"
    Screen Resolution
    1920X1200
    Hard Drives
    640GB 7200RPM SATA/RAID 0 (2x320GB) and 320GB 7200RPM External
    Mouse
    Wireless Microsoft 3000
    Internet Speed
    10 mbps/2 mbps
    Other Info
    Optical Drive: Panasonic UJ-220 DL BD-RE (Blu-Ray)

Source: PE_VIRUT.ASA - Technical details


Arrival, Installation and Autostart Technique
This file infector may be downloaded unknowingly by a user when visiting malicious Web sites.
It creates the following registry entry to bypass the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

File Infection

It hooks the following APIs so that when any of these APIs are called, it proceeds to its infection routine:
  • NtCreateFile
  • NtOpenFile
  • NtOpenProcess
  • NtCreateProcessEx
This file infector infects by appending its code to target host files. It infects files of the following types:
  • .EXE
  • .SCR
It does not infect files that contain the following strings in their file names:
  • WC32
  • WCUN
  • WINC
Backdoor Capabilities
It searches for the Winlogon process by enumerating the running processes and injects a thread that is responsible for its backdoor routines.


It connects to the following IRC server irc.zief.pl and waits for a command from a remote user. Using this connection, it downloads TROJ_INJECTOR.AR from the following URL:
 
Actually, on second thought, you may want to do a System Restore to a point before you picked up the file infector malware. Apparently it is causing significant registry/Windows corruption that may be difficult to repair. Did you allow it past UAC? That should have contained it in the IE7 sandbox.

Assuming for a moment it is still in the IE temp files, delete all files/cookies, etc.
 

Attachments: Capture.GIF, Capture1.GIF

The best Antivirus/Antimalware programs on the market

Avira
NOD32
 

Actually, on second thought, you may want to do a System Restore to a point before you picked up the file infector malware. Apparently it is causing significant registry/Windows corruption that may be difficult to repair. Did you allow it past UAC? That should have contained it in the IE7 sandbox.

Assuming for a moment it is still in the IE temp files, delete all files/cookies, etc.
Scanning now.. will let you know the outcome. Thanks.
 

Manual removal
Posted from: TROJ_INJECTOR.AR - Description and solution
Turn off System Restore/Shadow Copy, then:

Step 1: Remove malware files dropped/downloaded by TROJ_INJECTOR.AR
  • TROJ_AGENT.ALHH
  • TROJ_FAKEAV.MCS
  • TROJ_STOPSEC.MCL
  • TSPY_FESTEAL.B
Step 2: Delete this registry value. Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask for assistance from your system administrator. Otherwise, check the relevant Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Desktop
    • host = "{BLOCKED}.{BLOCKED}.126.195"
    • id = "861628374673"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • FirewallDisableNotify = "1"
    • FirewallOverride = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    • services = "%WINDOWS%\services.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
    WindowsFirewall\DomainProfile
    • EnableFirewall = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
    WindowsFirewall\StandardProfile
    • EnableFirewall = "0"
Step 2: Delete this registry value
To delete the registry value this malware/grayware/spyware created:
  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>
    Desktop
  3. In the right panel, locate and delete the entry:

    • host = "{BLOCKED}.{BLOCKED}.126.195"
    • id = "861628374673"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center
  5. In the right panel, locate and delete the entry:

    • FirewallDisableNotify = "1"
    • FirewallOverride = "1"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    CurrentVersion>Run
  7. In the right panel, locate and delete the entry:

    • services = "%Windows%\services.exe"
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>
    WindowsFirewall>DomainProfile
  9. In the right panel, locate and delete the entry:

    • EnableFirewall = "0"
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>
    WindowsFirewall>StandardProfile
  11. In the right panel, locate and delete the entry:

    • EnableFirewall = "0"
  12. Close Registry Editor.
Perform FULL System Scan with Antivirus/Windows Defender.
 

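An added read-only audit script, not from this thread and not Trend Micro's, that checks the registry indicators quoted above for both write-ups: the PE_VIRUT.ASA firewall exception for winlogon.exe, and the TROJ_INJECTOR.AR values that Step 2 tells you to delete. It assumes PowerShell is installed (it was an optional component on Vista) and that %System% and %WINDOWS% in the write-ups mean the System32 and Windows folders. It only reports; where the write-up redacts data as {BLOCKED} it matches on the value name alone, and it goes slightly beyond the text by flagging any authorized-application entry that names winlogon.exe, not just the exact "\??\" form the write-up gives.

```powershell
# Added example, not from the thread or from Trend Micro. Read-only audit of the
# registry indicators quoted above for PE_VIRUT.ASA and TROJ_INJECTOR.AR.
# Run from an elevated PowerShell prompt. It reports; it does not delete anything.

# Indicators from the TROJ_INJECTOR.AR removal steps. 'Expected' is the data the
# write-up lists; where the data is redacted as {BLOCKED} only the value name is checked.
# %WINDOWS% in the write-up is assumed to be the Windows folder ($env:SystemRoot).
$indicators = @(
    @{ Family = 'TROJ_INJECTOR.AR'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop'; Name = 'host' },
    @{ Family = 'TROJ_INJECTOR.AR'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop'; Name = 'id' },
    @{ Family = 'TROJ_INJECTOR.AR'; Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify'; Expected = '1' },
    @{ Family = 'TROJ_INJECTOR.AR'; Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride'; Expected = '1' },
    @{ Family = 'TROJ_INJECTOR.AR'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'services'; Expected = (Join-Path $env:SystemRoot 'services.exe') },
    @{ Family = 'TROJ_INJECTOR.AR'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'; Name = 'EnableFirewall'; Expected = '0' },
    @{ Family = 'TROJ_INJECTOR.AR'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Expected = '0' }
)

function Test-Indicator {
    # Emits a record if the value exists (and, when Expected is given, holds that data); otherwise nothing.
    param([hashtable]$Indicator)
    if (-not (Test-Path -LiteralPath $Indicator.Path)) { return }
    $key  = Get-Item -LiteralPath $Indicator.Path
    $data = $key.GetValue($Indicator.Name, $null)
    if ($null -eq $data) { return }
    # Compare as strings so a REG_DWORD 1 matches the "1" the write-up quotes.
    if ($Indicator.ContainsKey('Expected') -and ([string]$data -ne [string]$Indicator.Expected)) { return }
    [pscustomobject]@{ Family = $Indicator.Family; Path = $Indicator.Path; Name = $Indicator.Name; Data = $data }
}

function Get-WinlogonFirewallExceptions {
    # PE_VIRUT.ASA adds "\??\%System%\winlogon.exe" to the firewall's authorized-application list.
    # winlogon.exe has no business there in any form, so match on the file name rather than the exact entry.
    $list = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (-not (Test-Path -LiteralPath $list)) { return }
    $key = Get-Item -LiteralPath $list
    foreach ($name in $key.GetValueNames()) {
        if ($name -like '*winlogon.exe') {
            [pscustomobject]@{ Family = 'PE_VIRUT.ASA'; Path = $list; Name = $name; Data = $key.GetValue($name) }
        }
    }
}

$hits = @(Get-WinlogonFirewallExceptions) + @($indicators | ForEach-Object { Test-Indicator -Indicator $_ })
if ($hits.Count -eq 0) {
    Write-Host 'None of the listed registry indicators are present.'
} else {
    $hits | Format-Table -AutoSize Family, Name, Data, Path
    Write-Host "$($hits.Count) indicator(s) present. Export the affected keys (reg export) before following the removal steps above."
}
```

A clean result from this script does not prove the machine is clean; the file infector in the first write-up modifies .EXE and .SCR files directly, which only a full scan with an up-to-date engine will catch. It does, however, tell you quickly whether the firewall has been silently disabled or whether an unexpected services.exe Run entry is still in place after a cleanup.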