Virus issue has been resolved! Here is the latest news!

[Darth Unrivaled]

I myself am totally mixed up here. First I'm told that my forums was running the memory high. Then key tables in just about all my databases where disabled.

I can understand that this may just be a cpanel problem, which is not HG fault in this case. However, I don't like being jerked around when I'm paying for the service. All I needed was for them to tell me right off the bad there was a problem with cpanel. I hardly come to these forums so I'm not able to see every little issue that comes up with the network. But when issues have come up support has been on top of it.

But this last week as disappointed me a great deal. Its been over 3 hours form the point my tables got locked out and even after I was sent to this topic and then ask for what tables where effected. I still don't have any clear answers.

In any event I hope this gets clear up and I hope better care it done to insure all customers know of a issue. I mean something like this that totally effects every server with cpanel is something I think a simple email could fix, I don't know if one was sent out but I never got anything about any mass virus.

[skeletincrew]

Quote:

Originally Posted by wwobn

You'll be seeing this for the next few days until net cache is updated properly.

wwobn, I hate to sound stupid but what is 'net cache' and what does 'net cache is updated properly' mean?

[97transam]

I was wondering if this all has a fallout of MySql DB's not functioning properly on "Navigator"?


Updated 11:07am est: A phpBB, and a couple of Invision Power boards were not functioning. Each due to a corrupt table that once recreated from backup, corrected the situation.

Thanks,
ron

[bucket]

I can report I have the virus, trojan horse, or whtever we are calling it. I can report that as of Monday 10:15am, Both Spy Bot, AVG Free and Ad-Aware have not fixed the issue. Spy Bot notifies and says it fixes it but the virus is still on my system as I'm getting the winvirus popups occuring.

Rather than supplying "ideas" to try, does anyone have a proven method to remove this thing other than restoring/reformatting, which isn't an option for me at the moment.

thanks,

Jason

[vtrain]

sorry not giving you any proven method but can you upload some of the infected files to
http://www.virustotal.com/en/indexf.html ?

They share the files and results will many antivirus vendors and this way all antivirus will be updated for this thread in a few days. Also doing this you may find immediately an antivirus that performs better then those that you tried.

Good luck,

Vtrain

[TakeThat!]

Quote:

Originally Posted by bucket

Rather than supplying "ideas" to try, does anyone have a proven method to remove this thing other than restoring/reformatting, which isn't an option for me at the moment.

thanks,

Jason

Perhaps download and run a copy of Hijackthis! and post the results in a forum where someone can tell you what to delete.

http://aumha.org/freeware/freeware.php#hjt

[bucket]

Quote:

Originally Posted by TakeThat!

Perhaps download and run a copy of Hijackthis! and post the results in a forum where someone can tell you what to delete.

http://aumha.org/freeware/freeware.php#hjt

I've run this program and have the log file of the results. Can you suggest somewhere to it? Is this forum appropriate?

I don't mind doing this if it will help resolve the issue for not only me, but anyone else with the issue.

thanks,

Jason

[TakeThat!]

I would try posting it on a forum that is dedicated to HJT logs.

http://forum.aumha.org/viewforum.php?f=30

or perhaps http://www.dslreports.com/forum/cleanup

[UZforce]

I've been having pop-ups for the past couple of days since this attack and have ran several different programs to try to catch the virus/malware including AVG and ewido and none of them could identify this damn thing until I loaded Kaspersky up.

After updating the virus definitons in Kaspersky and rebooting my system Kaspersky caught a file called "gebywwx.dll" located in the windows/system32 directory. Kaspersky has identified this as "Trojan-Downloader.Win32.ConHook.ah". This file was put on my system on 9/21. I have uploaded this file to VirusTotal so that they can analyze it.

I suggest others try Kaspersky, they have a free 30-day trial which is what I'm doing.

I wish that HostGator would get together with their contacts in the anti-virus world and put together some type of document that would explain exactly what we're dealing with as far as trojans/viruses go. I consider myself to be a failry technical person and I have had a hell of a time tracking this damn thing down. A lot of my customers who are probably most definitely infected with these things too will have no clue how to desinfect themselves and probably don't even realize that they're infected. I also want to know what else this thing has downloaded to our PCs that we haven't been able to detect yet.

[skeletincrew]

So far, I have fought with 2 infected systems. Thank God someone finally said virus and I immediately saved my other systems from infection. But here is what I have found.
I scanned over and over with AVG, Trendmicro Online, SpyBot SD, Ad-Aware on both systems that did receive clicks on infected pages. Win2000/sp4, XP/sp2: all scans produced what appeared to me to be wildly varied lists of infections. I finally broke down and decided this was going to cost me money no matter what and I needed to test Kaspersky and ewido as suggested in this thread. Thanks guy's! After one scan/cleaning from both products I can report as of this time things have settled down to just a few tracking cookies. Back to work, gotta try and salvage 3 days of lost time.

[TakeThat!]

That is great news!

I spent several hours last night removing several Spyware applications & a very sneaky Trojan that was being attached /protected by the Winlogon process. The Trojan was creating random filenames (ie: ieakvie.dll) and loading them during startup.

AVG & McAfee were both failing to recognize them. They actually didn't report a single alarm - sad...

Windows Defender & Spybot S&D both failed to recognize them. Althought Spybot DID recognize several others that had been installed (not just cookies either)

So - Here is the solution for removing the Trojan, the OCXDownloadChecker, and the IE Proxy that might have been setup to redirect your network requests.

The following is a breif summary of the breakdown found here:
http://trueallies.byrgius.com/about498.html

1) Open Internet Explorer, go to "Tools -> Manage Add-Ons" and look for items that should not be there - I found one obviously wrong called "ieakvie" while all others read "Google Toolbar" etc... - Select it and "Disable" it.

2) Do a File Search in the Windows folder for a file named the same as what you found in step 1, which you should find in the WINDOWS\System32 folder

3) In another window, filter the files from that folder location by date - note the files that were added with the same timestamp as the one in question.

4) Install & Run HijackThis (free / adware free):
http://www.spywareinfo.com/~merijn/p...php#hijackthis

* NOTE * Each time you run HijackThis it will create a log file of the results but save it as the same filename - make sure to save each log with a unique name so you have a paper trail for helping others * NOTE *

7) Review HijackThis log - look for:

A) Application with NO OWNER that are not obviously good

O2 - BHO: (no name) - {E4232E22-A85A-4630-911B-3F509774FB8E} - (no file)
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

B) Internet Explorer "PROXY" that you didn't setup

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.190.91:81

C) Anything named OCXDownloadChecker
D) Winlogon Notify Items

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

6) Open RegEdit "Start -> Run -> type `regedit`" and...

A) Perform a Find, Export, and Delete for each:

- The Filenames you've discovered
- The Keynames {47833539-D0C5-4125-9FA8-0819E2EAAC93} you've discovered

B) Go back and search again to make sure nothings being replaced after you've deleted it - NOTE that there may be several instances of a key or filename to begin with.

7) Open Spybot - Run an Update and then a Scan - Correct what you can

8) In Spybot, "Mode -> Advanced Mode", the Tools tab, "System Startup" - Look for the filenames in question - remove them (they may re-appear instantly - refresh by clicking on "System Startup" again)

Removing Winlogon Item

1) Open HijackThis "Config -> Misc Tools -> Delete a file on Reboot"
2) Select the file in question (ie: c:\windows\system32\xyzxyz.dll)
3) Reboot
4) Run Above Steps again

After all that, I have a clean system again. The Trojan, attacked to the Winlogo, cannot be deleted unless you boot in a safe mode or use a tool like HijackThis. In my particular case, MUP.SYS was failing during Safe Mode bootup (presumably because of this Trojan), so I used the WinXP SP2 CD in Repair mode to delete the file the first time, but the file was immediately replaced by another one with a different name - which was replaced along with 3 other files, one of which an executable (all notable by the time stamps)

Hope this helps!!!

[skeletincrew]

Mo info: I have a sneaking suspicion that during reboots new viruses were being downloaded. A ping could have gone out to announce and then the onslaught of trash followed through a common open port on the hardware firewall. I have a software and a hardware firewall and the only time outbound traffic was unmonitored was during reboots. I could be wrong but that would explain the new list of different Trojans each time I scanned and then cleaned those Trojans out. Does this sound feasible to anyone else?

[vtrain]

Quote:

Originally Posted by UZforce

[snip]

After updating the virus definitons in Kaspersky and rebooting my system Kaspersky caught a file called "gebywwx.dll" located in the windows/system32 directory. Kaspersky has identified this as "Trojan-Downloader.Win32.ConHook.ah". This file was put on my system on 9/21. I have uploaded this file to VirusTotal so that they can analyze it.
I suggest others try Kaspersky, they have a free 30-day trial which is what I'm doing.
[snip]

Did VirusTotal show any other antivirus capable of removing/recognize this thread?

Vtrain

[UZforce]

Quote:

Originally Posted by vtrain

Did VirusTotal show any other antivirus capable of removing/recognize this thread?

Vtrain

vtrain,

When the scanning report finaly came back from VirusTotal they actually showed this as "no virus found" for everyone of the antivirus programs they list, including Kaspersky strangely enough. I have a feeling that some of these are so new that most of the antivirus programs don't regonize them.

On a side note, I just finished scanning my other PC with Kaspersky and I hit the mother lode. I was using this PC on Friday a little but not as much as my main PC. I did visit several of my HostGator hosted sites with this PC though. I don't know what this damn thing is but it looks like it is downloading different files to different PCs. Here's a list of what Kaspersky found on this PC if anyone is interested:

Trojan-Downloader.Java.OpenConnection.aj File: Documents and Settings\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav a.jar-47723671-2dc31c91.zip\GetAccess.class

Trojan-Downloader.Java.OpenConnection.aj File: Documents and Settings\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav a.jar-47723671-2dc31c91.zip\Installer.class

Trojan-Downloader.Java.OpenStream.w File: Documents and Settings\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav ainstaller.jar-5aa0b436-360ad057.zip\javainstaller/InstallerApplet.class

Trojan-Downloader.Java.OpenStream.c File: Documents and Settings\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loa deradv470.jar-5c362d1c-1ca639d9.zip\Matrix.class

Trojan.Java.ClassLoader.h File: Documents and Settings\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loa deradv470.jar-5c362d1c-1ca639d9.zip\Counter.class

Trojan.Java.ClassLoader.d File: Documents and Settings\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loa deradv470.jar-5c362d1c-1ca639d9.zip\Parser.class

Trojan-Downloader.Win32.ConHook.ah File: WINDOWS\system32\ddccaxu.dll

Trojan-Downloader.Win32.ConHook.ah File: WINDOWS\system32\ddcyyxy.dll

Trojan-Downloader.Win32.ConHook.ah File: WINDOWS\system32\mljjjgg.dll

Trojan-Downloader.Win32.ConHook.ah File: WINDOWS\system32\vturpqr.dll

Trojan-Downloader.Win32.ConHook.ah File: WINDOWS\system32\vtutsts.dll

[vtrain]

Quote:

Originally Posted by UZforce

vtrain,

When the scanning report finaly came back from VirusTotal they actually showed this as "no virus found" for everyone of the antivirus programs they list, including Kaspersky strangely enough. I have a feeling that some of these are so new that most of the antivirus programs don't regonize them.

Ok thanks for the answer. Probably Kaspersky version was not the latest (you can see which version VirusTotal uses). Maybe tomorrow or the day after VirusTotal already has more up2date definitions. You have submited and that's the important part. I just hope they discard the file thinking it did not have virus

Vtrain
P.S: I was scared with the latest news at VirusTotal. I new malware that makes videos of our browsing at online banking sites... good that it's very rare for me to be in MS systems.

[Kelmas]

Now I am writing from reformatted system... Thought that would be the best way out of the hell

interesting article.

http://www.informationweek.com/news/...leID=193004898

Now my computer is playing music!

Been having same pop-up problems as others past few days. Constant clicking sounds like browser is moving even when nothing visible is.

Have been using AVG and EWIDO. Nothing from AVG. EWIDO had initial screen alerts for a couple of things, but scans show nothing.

Dowloaded a second AV Product: Avira AV (linked from this board.) It found a couple of things, but also failed.

Tried various online scanners:

BitDefender
Trend
Panda
Symantec
Kaspersky
Windows Live OneCare

Trend initially found but failed to remove some trojans/viruses. Panda found something, but it's only a second opinion. Kaspersky removed a couple of things but could remove one.

Some scans show a number of files that cannot be opened...part of the hack?

Obviously, nothing is working.

I'm listening to some radio station? Started off playing Beverly Hillbillies theme.

Browser-like clicking still going on in background as I type this.

Don't want to login or register for anything.

I'd get a new computer, but that could be infected in 24 hours.

I'm thinking of hosing my computer and starting from scratch with a new install of my program CD that came with it. Will this solve problem? Get rid of infection?

Also, what about all of the Microsoft updates for past year or two?

[UZforce]

Just wanted to let everyone know that I was finally able to stomp out this nasty bug by following Byrgius Tech's suggestions in the post above. If you don't do something like this the trojan will keep replicating itself whenever you reboot your system even after you delete it. Kaspersky kept catching the trojans and would delete them but everytime I would reboot they would appear again under different names. Byrgius Tech's method seems to have worked great so far.

Thank you Byrgius Tech...

Updated AVG and rebooted (normal mode). Right away AVG caught a trojan, moved it to vault.

Trojan horse Downloader.Generic2.QKH

But I suspect the infection is more massive than this.

At least the music has stopped...for now.

AVG caught another infected DLL.

But pop-ups still going on. Music still stopped.

This is massive.

Quote:

Originally Posted by skeletincrew

wwobn, I hate to sound stupid but what is 'net cache' and what does 'net cache is updated properly' mean?

Yea I also want to know this! Thanks for telling.

Quote:

Originally Posted by skeletincrew

Mo info: I have a sneaking suspicion that during reboots new viruses were being downloaded. A ping could have gone out to announce and then the onslaught of trash followed through a common open port on the hardware firewall. I have a software and a hardware firewall and the only time outbound traffic was unmonitored was during reboots. I could be wrong but that would explain the new list of different Trojans each time I scanned and then cleaned those Trojans out. Does this sound feasible to anyone else?

I don't know, Bueller (Ferris), Bueller
Someone do tell

Quote:

Originally Posted by UZforce

...Kaspersky has identified this as "Trojan-Downloader.Win32.ConHook.ah". This file was put on my system on 9/21. ...

Same like you. I yesterday did a scan and everything was ok, but tonight the Kaspersky detected this thing, and I've checked the file in system32, it was created on 22.Sep, meaning when yesterday I was running the scan, Kaspersky couldn't recognize it, it may be a very new virus...