
Infected With Password_viewer.exe, Autorun.inf And Entei.exe


  • Please log in to reply
7 replies to this topic

#1 joltnyx

Posted 09 August 2008 - 07:03 AM

Hello, my PC is infected with "password_viewer.exe" along with "autorun.inf" and "Entei.exe".

Yes, my PC also shuts down if I go to Start > Run > cmd.

Every time I open my PC, there's this "password_viewer.exe" in the Task Manager, and "entei.exe" pops up when I open my drive D:\.

I also tried doing this:

Reconfigure Windows XP to show hidden files, folders. Open My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", and hit Apply > OK.

Open My Computer, right-click on your primary drive (DO NOT double-click), select "Explore", and search for any autorun.inf at the root, then delete it. Repeat the search on all your drives and delete any autorun.inf files you find.

Use Windows Search feature > More advanced options to search for password_viewer.exe. To do this, go to Start -> Search and click For Files or Folders....
Click All files and folders.
Type in the name of the file under "Search by...criteria."
Click More advanced options and check these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Then click "Search" to look for the file(s).
When found, right-click the file, choose Delete and empty your Recycle Bin. If you get an error when deleting a file, right-click on it and check to see if the Read-only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file.


Now if I open my drive D:\ from "My Computer", it says something like this:

"Open With
Choose the program you want to use to open this file."

Although I can access my drive if I type "D:\" in the address bar.


#2 quietman7

Posted 09 August 2008 - 07:24 AM

This infection drops several malware files, modifies your registry and shuts down the computer when you run cmd.exe. Removal will require making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. As an alternative, you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed. For instructions with screenshots, see Take a complete registry backup using ERUNT.

After making your backup, follow the instructions for
How to remove Winzip123, password_viewer.exe, bar311.exe or photos.zip.exe

Then download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that was plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.
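The whole thread turns on what an autorun.inf at the root of a drive can make Explorer do. As an added example, not code from this thread, from BleepingComputer or from any tool named above, here is a small Python reader for the autorun.inf format that flags the directives an autorun-spreading worm relies on to launch a dropped executable (open=, shellexecute= and the shell\...\command= verbs). The key names are the real autorun.inf directives; the sample file content is constructed to resemble the symptom joltnyx described (an executable launched from D:\) and is not a captured sample.

```python
"""Added example: a defensive autorun.inf reader. Not from the thread or any
tool it names; key names are the real autorun.inf directives, everything else
(sample content, risk descriptions) is constructed for illustration."""
import re
from typing import Dict, List

# Directives that make Explorer launch something when the drive is opened or
# that replace the drive's default verbs. A worm needs one of these.
RISKY_KEYS = {
    "open": "launches a program when the drive is opened or AutoPlayed",
    "shellexecute": "launches a program or document when the drive is opened",
    "shell": "changes the default verb (double-click action) for the drive",
    "shell\\open\\command": "replaces the 'Open' action with a program",
    "shell\\explore\\command": "replaces the 'Explore' action with a program",
    "shell\\autoplay\\command": "replaces the 'AutoPlay' action with a program",
}

# Constructed sample resembling the pattern in the thread (entei.exe at the
# root of D:\). It is not a real captured autorun.inf.
SAMPLE_AUTORUN = """[autorun]
open=entei.exe
shellexecute=entei.exe
shell\\open\\Command=entei.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Disk
"""

# Matches a value that names an executable-type file.
EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [autorun] section, keys lower-cased.

    Comments (;), blank lines, other sections and lines without '=' are
    skipped, so junk a dropper writes around the section is ignored.
    """
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text: str) -> List[str]:
    """Return one finding per directive that would execute code.

    An empty list means the file only sets cosmetic keys (icon, label).
    """
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        if key in RISKY_KEYS:
            findings.append(f"{key}={value}: {RISKY_KEYS[key]}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # Any custom verb with a command= line also runs a program.
            findings.append(f"{key}={value}: custom context-menu verb runs a program")
        elif key not in ("icon", "label") and EXECUTABLE_RE.search(value):
            findings.append(f"{key}={value}: unexpected executable reference")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print(finding)
```

On an installation CD an open= line is normal; on a hard-disk partition or a USB stick, where nothing should launch itself, any finding from assess_autorun is the marker this thread is about, and the file should be read (not double-clicked) before it is deleted so the referenced executable can be located and removed too. A replaced shell\open\command verb is also a common cause of the "Open With" prompt joltnyx saw after deleting password_viewer.exe but leaving the autorun.inf in place: the verb still pointed at a file that no longer existed.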

#3 joltnyx

Posted 09 August 2008 - 08:38 AM

quietman7, thanks a lot. I followed all your instructions and links and now the malware is gone.
cmd.exe doesn't shut down the computer anymore.

Many thanks again. :thumbsup:

Edited by joltnyx, 09 August 2008 - 08:44 AM.


#4 quietman7

Posted 09 August 2008 - 03:57 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
For tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Read P2P Software User Advisories and Risks of File-Sharing Technology.

#5 joltnyx

Posted 09 August 2008 - 11:41 PM

Wait, quietman7, every time I open my PC, "entei.exe" and "autorun.inf" still remain in my drive D:\.
There is no more password_viewer.exe, but now there is "project1.exe" and it looks like a Word doc file.
Will I need to do more editing in the registry?? Please reply. Thanks.

#6 quietman7

Posted 10 August 2008 - 07:55 AM

Did you run Flash_Disinfector.exe on drive D?

What is the location of entei.exe and project1.exe (full path they are running from) on your computer?

When you find them go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of each suspicious file(s) and submit (upload) them one at a time for scanning/analysis.
-- Post back with the results of the file analysis.

#7 joltnyx

Posted 10 August 2008 - 10:06 AM

Sorry, quietman7, I did the following before I got to read your reply. Sorry.


I traced the location of the files:
entei.exe runs from D:\
autorun.inf also runs from D:\

I also found out that every time I open my drive D:\ this appears in the Task Manager:

>>Applications tab > project1 (with an MS Word icon) ------ status (running)

So I right-clicked it and selected "Go To Process"; this then appeared:

>>Processes tab > 89pits89.exe

So then I deleted:
"entei.exe" from drive D:\
"autorun.inf" also from D:\
"89pits89.exe" from C:\Documents and Settings\edwin\Start Menu\Programs\Startup
and the 89pits89 file from the Prefetch folder.

I ran Flash_Disinfector and restarted my computer.
It's OK now, I guess..

Thanks again for the help and time, quietman7, many thanks. :thumbsup:
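quietman7's note in post #2 says Flash_Disinfector leaves a hidden folder named autorun.inf on each drive and that it must not be deleted, and in this post joltnyx deletes the worm's autorun.inf file from D:\ and then runs the tool. The following Python is an added example, not code from this thread, from BleepingComputer or from Flash_Disinfector, that shows the mechanism behind that note: a directory and a file cannot share a name, so once a directory called autorun.inf sits at the drive root, a dropper's attempt to write its file there fails. A temporary directory stands in for D:\; nothing here touches real drives, and the probe line it writes is constructed.

```python
"""Added example, not code from the thread, from BleepingComputer or from
Flash_Disinfector: demonstrates why a folder named autorun.inf protects a
drive root, using a temporary directory as a stand-in for D:\\."""
import tempfile
from pathlib import Path
from typing import Dict


def classify_root(root: Path) -> str:
    """Tell a protective folder apart from a worm's file at a drive root."""
    target = root / "autorun.inf"
    if target.is_dir():
        return "guard-folder"   # Flash_Disinfector style protection: keep it
    if target.is_file():
        return "autorun-file"   # a real autorun.inf: read it before deleting
    return "clean"


def place_guard_folder(root: Path) -> Path:
    """Create a directory named autorun.inf at root.

    A file and a directory cannot share a name in the same folder, so once
    this directory exists any later attempt to write a file called
    autorun.inf at the root fails, and Explorer has no autorun.inf to parse.
    """
    guard = root / "autorun.inf"
    guard.mkdir(exist_ok=True)
    return guard


def file_can_be_created(root: Path) -> bool:
    """Probe whether a plain file named autorun.inf can be created at root.

    This is the single filesystem step a dropper depends on. The probe writes
    one constructed comment line and removes the file again if it succeeded.
    """
    target = root / "autorun.inf"
    try:
        with open(target, "w", encoding="ascii") as fh:
            fh.write("; constructed probe, not a real autorun.inf\n")
    except OSError:
        # IsADirectoryError on POSIX, PermissionError on Windows: blocked.
        return False
    target.unlink()
    return True


def demo() -> Dict[str, object]:
    """Run the whole scenario in a scratch directory and report each step."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        report: Dict[str, object] = {}
        report["before"] = classify_root(root)
        report["writable_before"] = file_can_be_created(root)
        place_guard_folder(root)
        report["after"] = classify_root(root)
        report["writable_after"] = file_can_be_created(root)
        return report


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

classify_root is the check to run on each drive root after a cleanup like the one above: "autorun-file" means the worm's file is still there, "guard-folder" means the protection is in place and should be left alone, exactly as the note in post #2 says. The guard only blocks the unprivileged create-file step; malware running with enough rights to remove the directory, or that spreads by a different name, is not stopped by it, which is why the thread pairs it with registry cleanup and a fresh restore point.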

#8 quietman7

Posted 10 August 2008 - 02:16 PM

Good investigative work.

I'm not sure if these files were related to the same infection or a new variant which now includes them. I will add them to my notes for future reference.



