Virus Help
#1 KamakaZ


Posted 11 December 2008 - 10:38 PM

A mate had a computer that had viruses on it (one of the processes being algs.exe). I allowed him to borrow my memory stick; he put some files on it and transferred them to another PC. Since then I have had an autorun.ini and a config folder (both hidden) that I can't delete (they regenerate every time). I have formatted my USB and the files keep coming back. I have run AVG and Spyware Doctor over it but they found nothing. I have turned System Restore off and checked that there are no abnormal processes starting/running with Sysinternals Process Explorer and Autoruns; everything looked good. Any ideas?

There's no place like 127.0.0.1
There are 10 types of people in the world, those that can read binary, and those who can't.

#2 buddy215


Posted 12 December 2008 - 01:46 PM

The file "algs.exe" according to BC is part of "W32.linkbot.M". http://www.bleepingcomputer.com/startups/algs.exe-10289.html

http://www.symantec.com/security_response/...echnicaldetails
W32.Linkbot.M is a worm that exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) in order to propagate. It also creates a back door on the compromised computer.

When a backdoor is mentioned in a malware's description, most security experts advise reformatting and reinstalling the OS.
In the meantime you should change all passwords and monitor PayPal, bank accounts, credit cards, etc. using another computer.

I am not sure which program, if any, will remove the malware, but here are links to two of the best.
http://www.superantispyware.com/
http://www.malwarebytes.org/mbam.php

Instructions for using SAS:
http://www.bleepingcomputer.com/forums/ind...t&p=1040160
Instructions for using MBAM:
http://www.bleepingcomputer.com/forums/ind...st&p=944365

You could run another scan if the two programs above cannot find the malware: BitDefender Online Scanner
http://www.bitdefender.com/scan8/ie.html
BitDefender Online Scanner uses ActiveX technology, which is only compatible with Internet Explorer. Allow it to remove whatever it finds.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 KamakaZ


Posted 13 December 2008 - 07:13 PM

Sorry, the files are sitting on my memory stick. They regenerate on my memory stick; I've reformatted it, which didn't remove them. I have found that if I remove them in Safe Mode they go away, but if I put the memory stick back into that computer in normal mode, they come back. The problem is that it is my work computer and I kind of need to put my memory stick back into it...


#4 buddy215


Posted 14 December 2008 - 02:15 PM

Not sure I am picking up what you are putting down.

Have you scanned both computers for the malware?

Have you left the memory stick in the computer while scanning for the malware?

#5 KamakaZ


Posted 14 December 2008 - 04:45 PM

My mate's computer was infected. He copied (possibly infected) files onto my memory stick; I then put my memory stick into my computer, and there are two hidden files that keep coming back when they are deleted. I know my mate's computer was infected (we got rid of the viruses), and I have scanned my computer and memory stick but have found no infections. I have found that if I put my computer into Safe Mode I can successfully delete the two files. I then check by putting my memory stick into another computer: yes, they are gone. I boot my computer back up into normal mode and put my memory stick back in, and the files come back within 10 seconds of being back in the machine.

The two files are a config (not config.msi) and an autorun.ini (which executes .exe's within the config file)

EDIT: One of the files found on the infected computer was algs.exe.

Edited by KamakaZ, 14 December 2008 - 04:46 PM.

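The layout KamakaZ describes (a hidden autorun file in the drive root that points Explorer at an executable inside a hidden folder, rewritten within seconds by a process on the infected host) is the classic removable-drive worm pattern. Cleaning the stick alone cannot work while that host process is alive, which is why buddy215 keeps asking about scanning the computer. The following Python script is an added illustration, not code from this thread or from any of the tools mentioned in it: it parses an autorun.inf (the file Explorer actually reads; the thread calls it autorun.ini) and reports which commands the [autorun] section would launch and which entries are typical of a worm, so an analyst can see what the file does before deciding how to clean the host. The sample autorun.inf at the bottom is constructed for the example and is not taken from the thread or from any real infection.

```python
"""Triage an autorun.inf found in the root of a removable drive.

Added illustration, not code from the thread. It reports which
commands the [autorun] section would hand to Windows Explorer and
which entries are typical of a self-propagating USB worm.
"""
from dataclasses import dataclass, field

# Explorer's own label for the drive's double-click action; worms
# often set "action=" to this string so the drive looks untouched.
DEFAULT_ACTION = "open folder to view files"


@dataclass
class AutorunReport:
    launches: list = field(default_factory=list)  # (key, command) pairs
    flags: list = field(default_factory=list)     # human-readable risk markers


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lowercased.

    Other sections and ';' comment lines are ignored, as Explorer ignores them.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def triage(text: str) -> AutorunReport:
    """Summarise what the autorun.inf would run and why it looks suspicious."""
    report = AutorunReport()
    entries = parse_autorun(text)
    for key, value in entries.items():
        # open= and shellexecute= run on AutoPlay; shell\<verb>\command=
        # runs when that verb (Open, Explore, ...) is chosen in Explorer.
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            report.launches.append((key, value))
    if report.launches:
        report.flags.append("runs code from the drive")
    if "shell" in entries:
        # A custom default verb means double-clicking the drive runs it.
        report.flags.append(f"default verb overridden to '{entries['shell']}'")
    if entries.get("action", "").lower() == DEFAULT_ACTION:
        report.flags.append("action= mimics Explorer's default prompt")
    if entries.get("useautoplay") == "1":
        report.flags.append("useautoplay=1 requests AutoPlay on Vista and later")
    return report


# Constructed sample modelled on the thread's description: a hidden
# "config" folder holding the executable, with every Explorer verb
# redirected to it. Not a real sample.
SAMPLE = r"""
; autorun.inf
[autorun]
open=config\setup.exe
shell\open\command=config\setup.exe
shell\explore\command=config\setup.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, cmd in result.launches:
        print(f"{key:<24} -> {cmd}")
    for flag in result.flags:
        print("flag:", flag)
```

Point the script at the text of the autorun file copied off the stick (from a machine that is not the suspected host) and it lists every path the file would execute; those paths, and the process that keeps rewriting the file, are what to look for in Process Explorer and Autoruns on the host.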

#6 buddy215


Posted 14 December 2008 - 04:55 PM

Have you run any of the scans I mentioned in my first post?

Here is another one you could run. Instructions are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1042539

#7 KamakaZ


Posted 15 December 2008 - 09:59 PM

Managed to get rid of it. I used a combination of some programs out of the Sysinternals suite (Process Explorer and Autoruns). It was just a matter of finding the .exe's in the system32 and system folders, suspending their processes and then deleting the exe's. Once they were deleted I went through the registry and deleted anything to do with them. PC runs spiffy again...
