
Virus Infostealer



taly
31-07-2006, 11:26 AM
Hi there!
Got the virus Infostealer.snifula that got into file 138762763.exe.
Went to Symantec and used their instructions. Result: 3 files became quarantined but not removed, despite deleting in the registry. Alerts don't come up anymore, but now it feels as if Windows Explorer opens much slower than before.
Any ideas?

Rob99
31-07-2006, 11:46 AM
"much slower"
How much slower?? 5 sec, 30 sec, 5 mins?

SurferJoe46
31-07-2006, 12:33 PM
Infostealer.Snifula (Symantec.com)

Discovered: July 25, 2006
Updated: July 26, 2006 04:35:33 PM GDT

Also Known As: Formspy [McAfee]
Type: Trojan Horse
Infection Length: 42,496 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Infostealer.Snifula is a Trojan horse that steals sensitive information from the compromised computer. It has been reported that the Trojan is downloaded by Downloader.Traus.

Shut off System Restore (I don't let it run at all!), and clean house again with all your anti-stuff while you are in Safe Mode.

Just for kicks and giggles, did you clean it while you had Safe Mode running?

An .exe (executable) file can hide in System Restore and repeatedly infect you.

Reboot in Normal and see how it feels from there.

If that still doesn't feel good...post an HJT log in this area and let us see what's going on.

taly
02-08-2006, 12:58 PM
Hi Surfer Joe !
When I tried to remove the virus, I did it in Normal mode. Of course System Restore was disabled first. As a result, the infected files were quarantined. Windows Explorer now looks a bit slower, but not too bad. But those 3 files sit there in quarantine. Tried to submit them to Norton for analysis, but just got an error message. Also tried to use Safe Mode, but the files were not in the registry any more, so there was nothing to do.
Is it bad to have files in quarantine? By the way, this file 138762763.exe was supposed to speed up Windows Explorer.
Cheers

SurferJoe46
02-08-2006, 01:47 PM
Here's what your mystery file is:

Troj/FireSpy-A is an information stealing Trojan for the Windows platform.

Troj/FireSpy-A includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/FireSpy-A copies itself to <System>\138762763.exe.

The following registry entry is created to run 138762763.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\stup = <System>\138762763.exe

Registry entries are created under:

HKCU\Software\keys\k1
HKCU\Software\keys\k2

Troj/FireSpy-A checks for an installed version of the Mozilla Firefox browser.

If a Mozilla Firefox installation is detected, Troj/FireSpy-A attempts to create the files:

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\
Profiles\<random characters>.default\chrome\chrome.rdf

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\
Profiles\<random characters>.default\chrome\overlayinfo\browser\content\
overlays.rdf

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\
Profiles\<random characters>.default\extensions\
(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)\chrome.manifest

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\
Profiles\<random characters>.default\extensions\
(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)\install.rdf

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\
Profiles\<random characters>.default\extensions\
(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)\numberedlinks.jar

<Mozilla Firefox installation folder>\components\AppInterConn.dll

<Mozilla Firefox installation folder>\components\AppInterConn.xpt

These files can be deleted.

Troj/FireSpy-A will then attempt to register the dropped component as a Firefox plugin and begin monitoring the user's browsing habits, stealing information including monitoring and logging information from Web forms.

This information is subsequently sent to a remote location via HTTP POST.

There are very few things that actually improve speeds and download times without turning off security and protection while online or spying on everything you do, as in this case. You got snookered!

If you don't quit taking these things into your system, then you are going to be running slower and slower.

"Windows Explorer now looks a bit slower, but not too bad" is not acceptable!

You are still infected in many ways...and you still have not posted an HJT log here for people to look at and advise you.

Go back and run it all over again in Safe Mode, but first, what anti-stuff do you have?

You didn't get Bonzi-Buddy too...did you? :blush:

kjaada
02-08-2006, 01:56 PM
Get Linux and forget these frustrations

SurferJoe46
02-08-2006, 02:06 PM
Kjaada...this guy is having enough troubles right now...and Linux is not a noob's haven!


Back to the cure for this problem:

We can do a manual removal of this trojan too. If you are OK with going into the registry...and make sure you are!...then you can follow these instructions:

1. Click Start > Run. (you might have to use the C:\ prompt though if you cannot get Start to run)
2. Type regedit
3. Click OK.

(Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. You will need to report back and we can get other help.)

4. Navigate to the subkey:

HKEY_CURRENT_USER\Software\keys

5. In the right pane, delete the values:

"k1"
"k2"

6. Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

7. In the right pane, delete the value:

"stup" = "%System%\138762763.exe"

8. Exit the Registry Editor by changing all the (-) to (+) again before you exit here.
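
The manual removal steps above, together with the file artifacts listed in the Troj/FireSpy-A description a few posts earlier, as one audit-and-remove script. This is an added example and is not part of the thread, Symantec's instructions or any Sophos tool; it assumes PowerShell 3 or later, a Firefox install under Program Files, and reproduces the extension directory name exactly as the writeup prints it. The script only reports by default; it deletes nothing unless run with -Remove.

```powershell
# Added example (not from the thread): audit and optionally remove the
# Troj/FireSpy-A / Infostealer.Snifula artifacts described in this thread.
# Run as the affected user: the Run value and the \keys subkey live under
# HKCU, so the user context matters. Report-only unless -Remove is passed.
param(
    [switch]$Remove
)

# Indicators as quoted from the Symantec/Sophos text in this thread.
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'stup'
$KeysSubkey  = 'HKCU:\Software\keys'
$DropperName = '138762763.exe'
$ExtensionId = '(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)'   # as printed in the writeup
$Components  = @('AppInterConn.dll', 'AppInterConn.xpt')

$findings = @()

# 1. Startup persistence: Run value "stup" pointing at <System>\138762763.exe
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$RunValue]) {
    $findings += "Run value '$RunValue' = '$($run.$RunValue)'"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
}

# 2. The copy the trojan drops into the System folder
$sysCopy = Join-Path ([Environment]::GetFolderPath('System')) $DropperName
if (Test-Path -LiteralPath $sysCopy) {
    $findings += "Dropped file $sysCopy"
    if ($Remove) { Remove-Item -LiteralPath $sysCopy -Force }
}

# 3. HKCU\Software\keys with its k1 / k2 values
if (Test-Path -Path $KeysSubkey) {
    $findings += "Subkey $KeysSubkey present"
    if ($Remove) { Remove-Item -Path $KeysSubkey -Recurse -Force }
}

# 4. Firefox profile: the extension directory plus the chrome registration
#    files it rewrote. chrome.rdf / overlays.rdf are rebuilt by Firefox on
#    the next start, so deleting them is safe.
$profileRoot = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Mozilla\Firefox\Profiles'
if (Test-Path -Path $profileRoot) {
    Get-ChildItem -Path $profileRoot -Directory | ForEach-Object {
        $ext = Join-Path $_.FullName "extensions\$ExtensionId"
        if (Test-Path -LiteralPath $ext) {
            $findings += "Extension directory $ext"
            if ($Remove) { Remove-Item -LiteralPath $ext -Recurse -Force }
        }
        foreach ($rdf in @('chrome\chrome.rdf', 'chrome\overlayinfo\browser\content\overlays.rdf')) {
            $p = Join-Path $_.FullName $rdf
            if (Test-Path -LiteralPath $p) {
                $findings += "Chrome registration file $p"
                if ($Remove) { Remove-Item -LiteralPath $p -Force }
            }
        }
    }
}

# 5. The XPCOM component dropped into the Firefox install folder.
#    Install location is an assumption; adjust if Firefox lives elsewhere.
$firefoxDirs = @("$env:ProgramFiles\Mozilla Firefox", "${env:ProgramFiles(x86)}\Mozilla Firefox") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
foreach ($dir in $firefoxDirs) {
    foreach ($c in $Components) {
        $p = Join-Path $dir "components\$c"
        if (Test-Path -LiteralPath $p) {
            $findings += "Component $p"
            if ($Remove) { Remove-Item -LiteralPath $p -Force }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No FireSpy-A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output ("FOUND: " + $_) }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to delete these items (close Firefox first).' }
}
```

Close Firefox before running with -Remove, otherwise the component DLL will be locked. As the thread's advice says, run it in Safe Mode with System Restore off, then reboot and confirm the Run value and the System-folder copy have not come back; if they have, a downloader is still present and the HJT log is the next step.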

SurferJoe46
02-08-2006, 03:45 PM
I got yelled at for not telling you where and how to get HJT......

So here it is:

Please download HijackThis (http://www.majorgeeks.com/download3155.html). It will create a directory folder for you in C:\Program Files. Run a scan and save the log file. Post the whole log file here. Do not fix anything, since most of the entries listed there are harmless (some are system required). This program will help determine what, if any, spyware/malware is on your computer.

taly
03-08-2006, 04:10 AM
Hi. Surfer Joe! Already done all you said in reg. Will do the rest.
Thanks