LarryDalooza Posted September 18, 2008
BTW... to kill the virus from SYSTEM32 of WINDOWS... sort the files by date. The virus will be one of the more recent files.
Lar.
AutoIt has helped make me wealthy
youknowwho4eva Posted September 18, 2008
And stop trying to download nudies
Giggity
FredrikIdestam (Author) Posted September 18, 2008
I did not download any "nudies". My system was working fine. I don't know how or where it came from.
tarre Posted September 18, 2008
> I did not download any "nudies". My system was working fine. I don't know how or where it came from.
Yeah right. ^^
Bert Posted September 18, 2008
I'm not trying to give work to the developers, but... In the compiler we use to build scripts, have a piece of code built into the compiler that also compiles the cookie that saves the ID of the user who logs onto the forum. That way you get the ID and get an idea who builds shit like this. If the person doesn't have a forum ID, then that won't help. It isn't a foolproof way to do it, for a different compiler would get past the trap. It would get most of them though. Just a thought.
The Vollatran project  My blog: http://www.vollysinterestingshit.com/
Mobius Posted September 18, 2008
Sorry to burst your bubble volly, but anyone well versed in these techniques would simply nullify such data from their binaries, if in fact they were foolish enough to use a compiler with something like this implemented in it anyway.
@OP Ask ChromeFan, he seems to have knowledge of this strain of virus.
FredrikIdestam (Author) Posted September 18, 2008
> Sorry to burst your bubble volly, but anyone well versed in these techniques would simply nullify such data from their binaries, if in fact they were foolish enough to use a compiler with something like this implemented in it anyway.
> @OP Ask ChromeFan, he seems to have knowledge of this strain of virus.
ChromeFan is a web browser. Are you saying to download it?
Mobius Posted September 18, 2008
No dude, Chrome is a Web Browser, ChromeFan is a member of this forum who recently requested/probed for possible ways to defeat the very same lowtech virus that you are currently having problems with.
Check here dude :: http://www.autoitscript.com/forum/index.php?showtopic=80739
Edited September 18, 2008 by Mobius
Richard Robertson Posted September 18, 2008
No, Chrome is a browser. ChromeFan is a user here who got this same virus. From what we can tell he downloaded some piece of software and became infected with this same virus. You've already been told how to fix this.
Mobius Posted September 18, 2008
Damn this Community on Patrol....I mean Hello Richard Robertso...
FredrikIdestam (Author) Posted September 18, 2008
> No dude, Chrome is a Web Browser, ChromeFan is a member of this forum who recently requested/probed for possible ways to defeat the very same lowtech virus that you are currently having problems with.
> Check here dude :: http://www.autoitscript.com/forum/index.php?showtopic=80739
Thanks, will try it.
> No, Chrome is a browser. ChromeFan is a user here who got this same virus. From what we can tell he downloaded some piece of software and became infected with this same virus. You've already been told how to fix this.
You are right. I think this virus came from installing "SmartMovie Converter for Mobiles", and after that I did not download anything new and my PC was attacked. But now the thread I downloaded it from does not exist anymore. Can you tell me if this virus can steal passwords? Am I hacked or safe?
Anteaus Posted September 18, 2008
> In the compiler we use to build scripts, have a piece of code built into the compiler that also compiles the cookie that saves the ID of the user who logs onto the forum.
Ouch. And I thought Phorm was bad enough.... All that would do is to compromise the privacy of honest coders. While it might catch a few of the IQ=-20 jobs mentioned before, the serious malware writer will use a virtual machine, and reset it between jobs so there is nothing personally-identifying in it. In which case this will prove nothing.
OP: If it's a custom program then conventional antivirus won't find it. This is not a reflection on AutoIt, the same would be true if it were written in COBOL. Or, whatever. Antivirus programs work by looking for patterns, and a custom piece of malware will not contain any recognisable patterns.
I would suggest running Sysinternals' Autoruns.exe to see what is being launched that shouldn't be. Select 'Hide Microsoft entries' and then press F5 (refresh) to simplify the listing. Note: beware that this is a powerful utility, and you can do damage with it if incautious. Nirsoft have another useful applet, OpenedFilesView, which can tell you which files are in use. These between them may give you some idea what the filename (or filenames) are that are being auto-launched, and where they are located.
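The Autoruns suggestion above and LarryDalooza's earlier "sort the files by date" tip can be combined in a short read-only PowerShell triage. This is an added example, not code posted by any participant in the thread; `Get-ExePath` is a hypothetical helper, and the keys listed are a common subset of autostart locations, far fewer than Autoruns inspects.

```powershell
# Added example: read-only triage of common autostart locations.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Hypothetical helper: extract the executable path from an autostart command line.
function Get-ExePath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')        { $c = $Matches[1] }  # "C:\path with spaces\x.exe" /arg
    elseif ($c -match '^(.+?\.exe)\b') { $c = $Matches[1] }  # C:\path\x.exe /arg
    if ($c -and -not [IO.Path]::IsPathRooted($c)) {
        # Bare names such as explorer.exe are resolved through PATH.
        $cmd = Get-Command $c -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($cmd) { $c = $cmd.Path }
    }
    return $c
}

$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
    foreach ($name in 'Shell', 'Userinit') {
        $value = (Get-ItemProperty $winlogon -Name $name -ErrorAction SilentlyContinue).$name
        # Userinit is a comma-separated list; extra items here deserve a close look.
        foreach ($part in ([string]$value -split ',' | Where-Object { $_.Trim() })) {
            [pscustomobject]@{ Key = $winlogon; Name = $name; Command = $part }
        }
    }
)

# Newest files first, mirroring the "sort by date" tip; unsigned or missing targets stand out.
$entries | ForEach-Object {
    $path = Get-ExePath $_.Command
    $file = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
    $created = if ($file) { $file.CreationTime } else { $null }
    $sig = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status } else { 'FileMissing' }
    [pscustomobject]@{ Created = $created; Signed = $sig; Name = $_.Name; Path = $path; Key = $_.Key }
} | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

The script changes nothing on the system. Treat the creation time and signature status as sorting hints rather than a verdict, since file timestamps can be altered and legitimate software is sometimes unsigned.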
Mobius Posted September 18, 2008
I recommend Anvir Task manager Free edition, does most of the above and tons more besides, Service management etc. Or if you really want to go dark on it, download DTaskManager by Dimio.
To sort of mirror what Anteaus said, AutoIt3 is powerful, very powerful, and with such power comes responsibility. There are many ways to defeat this tool; I would say that 20% of them have already been suggested by other members anyway.
Edited September 18, 2008 by Mobius
FredrikIdestam (Author) Posted September 18, 2008
> I recommend Anvir Task manager Free edition, does most of the above and tons more besides, Service management etc. Or if you really want to go dark on it, download DTaskManager by Dimio.
I have already tried this, but the virus closes the window very soon, before I can do something.
Mobius Posted September 18, 2008
If it's a similar one to the one we fragged, then all IT does is simply trawl each individual window for strings and titles commonly used by such software. All we did for this was suspend the process (Taskmanager) prior to execution and change the window title to something else and then unsuspend it. This is OTT though dude, we were determined. LOL, in the end all we really had to do was open a cmd prompt and use task commands to kill it. How about some of the other members' suggestions, they are more akin to what you need to do.
ED:: If your CD/DVD or USB drives are still operable, why not just use a bootable environment such as BartPE or a Linux distro. Since you know the name of the mal exe, just delete it. Or NTFS4DOS via a floppy disk should be able to do the same for you.
ANOTHER_ED:: Not to bolster my post count... Just remembered that while in safe mode we were able to overload this sucka with repeated attempts to load different task-like managers at the same time, but stay away from standard Windows task manager because it simply altered the CTRL+ALT+DEL Registry entry to instigate the whole shebang all over again. Stick to 3rd party managers.
Edited September 18, 2008 by Mobius
Josbe Posted September 18, 2008
> I have already tried this, but the virus closes the window very soon, before I can do something.
Have you already read the post previously recommended? Surely, this kind of virus knows the common actions to avoid any removal. Most AntiVirus software isn't able to detect things like that.
Obviously, this isn't a forum for virus infections, but you could try HijackThis and post the results... but first read the post recommended.
edit: typos.
Edited September 18, 2008 by Josbe
• AUTOIT > AutoIt docs / Beta folder - AutoIt latest beta
FredrikIdestam (Author) Posted September 18, 2008
> Have you already read the post previously recommended? Surely, this kind of virus knows the common actions to avoid any removal. Most AntiVirus software isn't able to detect things like that.
> Obviously, this isn't a forum for virus infections, but you could try HijackThis and post the results... but first read the post recommended.
I already have this, but I cannot install or uninstall any software because the virus closes the window and setup.
WeMartiansAreFriendly Posted September 18, 2008
> I already have this, but I cannot install or uninstall any software because the virus closes the window and setup.
Try Safemode.
Don't bother, It's inside your monitor!
------
GUISetOnEvent should behave more like HotKeySet()
FredrikIdestam (Author) Posted September 18, 2008
> Try Safemode.
Already tried to remove the virus in SafeMode, but the virus also runs there and I was not able to show hidden files. SafeMode is also infected and I don't know the locations of the virus.
Mobius Posted September 18, 2008
> Already tried to remove the virus in SafeMode, but the virus also runs there and I was not able to show hidden files. SafeMode is also infected and I don't know the locations of the virus.
So you have booted into safe mode, probably via your Administrator account. What are you left with?
Does this Mal hide/kill ALL types of windows?
Does your shell even load?
Is this mal obvious? ie when you were in normal booted windows, did it give any sort of indication of existence::
Periodic Distorted sounds - If a window did actually appear, did it seem as if certain controls were flickering rapidly?
Distorted effects when attempting to use the keyboard?
If your shell does still operate, then have you attempted to use SmOke_N's Script discussed in the previous topic?
BTW:: check the General tab, it should display the actual location of this exe
Edited September 18, 2008 by Mobius