How to Remove the W32.Changeup Virus?


20 replies to this topic

#1 D Money

Posted 02 November 2009 - 10:57 AM

I am currently running Windows XP Pro with Service Pack 3. I have Symantec Corporate Edition with the latest definitions and it keeps detecting the W32.Changeup virus on my external drive. I have run MBAM, SuperAntiSpyware, Spybot Search & Destroy, Windows Defender, and Dr. Web to remove the virus and it does not. Can you please help me remove the virus?

D


#2 Skydie

Posted 02 November 2009 - 12:06 PM

http://www.threatexpert.com/report.aspx?md...c04013149ea92e4 For more information on the virus.

#3 boopme (Global Moderator)

Posted 02 November 2009 - 02:24 PM

This worm will travel across a network.
Disconnect from the internet while scanning.
Did you run a full MBAM/Malwarebytes scan?
Did you use a flash drive between the drives?

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 D Money (Topic Starter)

Posted 03 November 2009 - 02:32 PM

Yes, I did run a full scan with MBAM. No, I did not use a flash drive between drives. The virus is located on my external drive, which comes up on some computers like a flash drive. I will go back and run another full scan using MBAM.

Edited by D Money, 03 November 2009 - 02:33 PM.


#5 boopme (Global Moderator)

Posted 03 November 2009 - 04:54 PM

OK, yes the Full scan will scan all drives.

#6 D Money (Topic Starter)

Posted 05 November 2009 - 01:05 PM

I did run a full version of MBAM and it found no infection. Here are the results:



Malwarebytes' Anti-Malware 1.41
Database version: 3103
Windows 5.1.2600 Service Pack 3

11/5/2009 7:28:52 AM
mbam-log-2009-11-05 (07-28-52).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 213027
Time elapsed: 1 hour(s), 20 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme (Global Moderator)

Posted 05 November 2009 - 03:22 PM

Hello, if you are comfortable with it we can edit the registry to fix this.
You must back up the registry first so that if something is done wrong we can get it back.

Modifying the registry can be dangerous (and can render your system unbootable), so it's advisable that you make a backup of the registry before proceeding.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Registry Modifications

For more information about modifying the registry, see this Microsoft article: http://support.microsoft.com/default.aspx/kb/256986


Now, to delete the value from the registry:
Click Start > Run.
Type regedit
Click OK.
Navigate to and delete the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[CURRENT USER NAME]" = "%UserProfile%\[CURRENT USER NAME].exe"

Exit the Registry Editor.

Rescan the PC.
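The procedure in the post above comes down to one targeted check of the current user's Run key. As an added example (not code from the thread, from Symantec or from any tool it mentions), the script below audits an offline `reg export` of that key: it parses the .reg text, decodes REG_EXPAND_SZ values (regedit writes those as hex(2) UTF-16LE byte lists split over continuation lines, so a %UserProfile% path in one is invisible to a plain text search), and flags a value whose name is the account name and whose data launches <username>.exe from the profile root, which is the pattern the post names. The export in SAMPLE_REG is constructed: the user name "alice" and the matching entry are hypothetical, and the other entries only stand in for the ones the topic starter listed.

```python
r"""Audit a Run-key export for the W32.Changeup persistence pattern.

Added example, not code from the thread or from Symantec. It assumes the key was
exported on the affected machine with
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
and parses that text offline. SAMPLE_REG below is constructed: "alice" and the
"alice.exe" value are hypothetical, the other entries are stand-ins.
"""
from __future__ import annotations

import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export. The last value is REG_EXPAND_SZ, which regedit writes
# as hex(2) UTF-16LE bytes over continuation lines; decoded it reads
# "%UserProfile%\alice.exe", the shape the post tells the user to look for.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Messenger"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"alice"=hex(2):25,00,55,00,73,00,65,00,72,00,50,00,72,00,6f,00,66,00,69,00,6c,00,\
  65,00,25,00,5c,00,61,00,6c,00,69,00,63,00,65,00,2e,00,65,00,78,00,65,00,00,00
"""


def _decode_value(rhs: str) -> tuple[str, str]:
    """Turn the right-hand side of a .reg value line into (type, string data)."""
    if rhs.startswith('"') and rhs.endswith('"'):
        # REG_SZ: regedit escapes backslash and double quote with a backslash
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", rhs[1:-1])
    m = re.match(r"hex\((\d+)\):(.*)$", rhs)
    if m:  # hex(2) = REG_EXPAND_SZ, hex(7) = REG_MULTI_SZ, both UTF-16LE
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        typ = {"2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(m.group(1), "hex(%s)" % m.group(1))
        return typ, raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    if rhs.startswith("dword:"):
        return "REG_DWORD", rhs[len("dword:"):]
    return "UNKNOWN", rhs


def parse_reg(text: str) -> dict[str, dict[str, tuple[str, str]]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: (type, data)}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # fold the continuation lines used for hex values
    keys: dict[str, dict[str, tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else re.sub(r'\\(["\\])', r"\1", m.group(1))
            keys[current][name] = _decode_value(m.group(2))
    return keys


def changeup_hits(keys: dict, username: str) -> list[tuple[str, str]]:
    """Run values named after the user that start <user>.exe from the profile root.

    Matches both the unexpanded %UserProfile% form and the expanded XP path
    (\Documents and Settings\<user>\). Comparison is case-insensitive, as the
    registry and NTFS are.
    """
    user = username.lower()
    hits = []
    for name, (_typ, data) in keys.get(RUN_KEY, {}).items():
        path = data.strip('"').lower()
        in_profile_root = path.startswith("%userprofile%\\") or (
            "\\documents and settings\\%s\\" % user in path)
        if name.lower() == user and in_profile_root and path.endswith("\\%s.exe" % user):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in changeup_hits(parse_reg(SAMPLE_REG), "alice"):
        print("Changeup-style Run value: %r -> %r" % (name, data))
```

On the XP machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` produces the input; regedit writes version 5.00 exports as UTF-16, so read the file with `open(path, encoding="utf-16")` before handing it to `parse_reg`. The export only covers the account that ran it, so repeat it for every profile on the box, and take the ERUNT backup the post calls for before deleting anything the audit flags.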

#8 D Money (Topic Starter)

Posted 06 November 2009 - 12:27 PM

I don't see the particular file that you have specified here. The only files I see are: Default, ctfmon.exe, Messenger (yahoo), search protection, and spybotsd tea timer. If it is the ctfmon.exe file please let me know. Thanks.

D

#9 boopme (Global Moderator)

Posted 06 November 2009 - 03:45 PM

Well not yet. Let's get a second opinion on that file.
Please search your drive for ctfmon.exe
Next upload the file(s) to Virus Total
Post their reply here, thanks.

#10 D Money (Topic Starter)

Posted 09 November 2009 - 11:25 AM

Here are the results from Virus total:



File CTFMON.EXE-0E17969B.pf received on 2009.11.09 16:20:51 (UTC)
Result: 0/40 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.09 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.09 -
Antiy-AVL 2.0.3.7 2009.11.09 -
Authentium 5.2.0.5 2009.11.09 -
Avast 4.8.1351.0 2009.11.09 -
AVG 8.5.0.423 2009.11.09 -
BitDefender 7.2 2009.11.09 -
CAT-QuickHeal 10.00 2009.11.09 -
ClamAV 0.94.1 2009.11.09 -
Comodo 2897 2009.11.09 -
DrWeb 5.0.0.12182 2009.11.09 -
eTrust-Vet 35.1.7111 2009.11.09 -
F-Prot 4.5.1.85 2009.11.09 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.09 -
GData 19 2009.11.09 -
Ikarus T3.1.1.74.0 2009.11.09 -
Jiangmin 11.0.800 2009.11.09 -
K7AntiVirus 7.10.891 2009.11.07 -
Kaspersky 7.0.0.125 2009.11.09 -
McAfee 5796 2009.11.08 -
McAfee+Artemis 5796 2009.11.08 -
McAfee-GW-Edition 6.8.5 2009.11.09 -
Microsoft 1.5202 2009.11.09 -
NOD32 4588 2009.11.09 -
Norman 6.03.02 2009.11.09 -
nProtect 2009.1.8.0 2009.11.09 -
Panda 10.0.2.2 2009.11.08 -
PCTools 7.0.3.5 2009.11.09 -
Prevx 3.0 2009.11.09 -
Rising 22.21.00.08 2009.11.09 -
Sophos 4.47.0 2009.11.09 -
Sunbelt 3.2.1858.2 2009.11.08 -
Symantec 1.4.4.12 2009.11.09 -
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.09 -
VBA32 3.12.10.11 2009.11.09 -
ViRobot 2009.11.9.2027 2009.11.09 -
VirusBuster 4.6.5.0 2009.11.08 -
Additional information
File size: 17168 bytes
MD5...: 2d87e2243f9dbc6bd647a4b7b8fa7bbd
SHA1..: ee1a0b24ace9e1d1dba0bf8c9d94b1fae8dbd1c7
SHA256: 99b2a4fc58f7b9257817b47aad54011f8888ada1bf81c0576e849725583ac69c
ssdeep: 384:qoRWgbOfbGyKTwtyD6BqZuTv9Mm9qSL9Ke5EvcIct/acE:FUgbOyZkK6QkJZke2vGAcE

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
trid..: Microsoft Windows XP Prefetch file (98.9%)
LTAC compressed audio (v1.71) (1.0%)
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#11 boopme (Global Moderator)

Posted 01 December 2009 - 02:46 PM

Hello, thanks for finding me, as sometimes I do lose one. Please rerun this while I look into something.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#12 D Money (Topic Starter)

Posted 01 December 2009 - 02:51 PM

Boopme,

Here is the info from Virus Total as of today.


File CTFMON.EXE-0E17969B.pf received on 2009.12.01 19:27:13 (UTC)
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.01 -
AhnLab-V3 5.0.0.2 2009.12.01 -
AntiVir 7.9.1.88 2009.12.01 -
Antiy-AVL 2.0.3.7 2009.12.01 -
Authentium 5.2.0.5 2009.12.01 -
Avast 4.8.1351.0 2009.12.01 -
AVG 8.5.0.426 2009.12.01 -
BitDefender 7.2 2009.12.01 -
CAT-QuickHeal 10.00 2009.12.01 -
ClamAV 0.94.1 2009.12.01 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.01 -
eSafe 7.0.17.0 2009.12.01 -
eTrust-Vet 35.1.7150 2009.12.01 -
F-Prot 4.5.1.85 2009.11.30 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.01 -
GData 19 2009.12.01 -
Ikarus T3.1.1.74.0 2009.12.01 -
Jiangmin 11.0.800 2009.12.01 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.12.01 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.01 -
Microsoft 1.5302 2009.12.01 -
NOD32 4652 2009.12.01 -
Norman 6.03.02 2009.12.01 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.12.01 -
PCTools 7.0.3.5 2009.12.01 -
Prevx 3.0 2009.12.01 -
Rising 22.24.01.09 2009.12.01 -
Sophos 4.48.0 2009.12.01 -
Sunbelt 3.2.1858.2 2009.12.01 -
Symantec 1.4.4.12 2009.12.01 -
TheHacker 6.5.0.2.082 2009.11.30 -
TrendMicro 9.100.0.1001 2009.12.01 -
VBA32 3.12.12.0 2009.11.30 -
ViRobot 2009.12.1.2065 2009.12.01 -
VirusBuster 5.0.21.0 2009.12.01 -
Additional information
File size: 16826 bytes
MD5...: e5afaba0dfbc210f7f01f6efcca741ba
SHA1..: 1a0801ac47368726085a9c0aa9e3b4fe1a4e54b6
SHA256: ed9a6912c160b3ee25ef5b3e1075870596f1e01f7fbe39fbbd0f39fb4069698f
ssdeep: 192:eOLQZo034UlwmG3E9/Smt4RwgzyTiZftgTZFk+s94xjvJd+PZ5no0J7aOzcaOb:7QZj34Uev3E4mtM76FOijix5ocCl

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Microsoft Windows XP Prefetch file (98.9%)
LTAC compressed audio (v1.71) (1.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



D Money
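Both VirusTotal reports in this thread (posts #10 and #12) are for CTFMON.EXE-0E17969B.pf, which TrID identifies as a Windows XP prefetch file. A .pf file is a record the kernel keeps of a program that ran, not the program itself, so a clean scan of it says nothing about the ctfmon.exe binary; what the file does contain is the executable's name and the full device path of every file it loaded, which is exactly what tells you which ctfmon.exe to submit. The parser below is an added example, not code from the thread or from any tool it mentions. It implements the version-17 (XP/2003) layout as documented by the libscca project, and the sample file it builds is constructed: the volume name, file list, run count and timestamp are hypothetical, and only the executable name and the hash in the posted file name are taken from the thread.

```python
r"""Read a Windows XP prefetch (.pf) file to see which program it records.

Added example, not code from the thread or from any tool it mentions. A .pf file
is a cache record the kernel writes when a program runs; it names the executable
and the files it loaded, but it is not the executable. The layout here is the
version-17 (XP/2003) format as documented by the libscca project. SAMPLE_PF is
constructed: volume name, file list, run count and time are hypothetical; only
the executable name and the hash from the posted file name come from the thread.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

SCCA_V17 = 17  # format version written by Windows XP and Server 2003
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _to_filetime(when: datetime) -> int:
    """Aware datetime -> FILETIME (100 ns ticks since 1601), using integer arithmetic."""
    d = when - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def build_sample_pf(exe_name: str, paths: list[str], run_count: int,
                    last_run: datetime, pf_hash: int) -> bytes:
    """Assemble a minimal v17 prefetch file; used only to construct test input."""
    strings = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in paths)
    strings_off = 84 + 68  # file header (84 bytes) + v17 file-information block (68 bytes)
    total = strings_off + len(strings)
    name = exe_name.encode("utf-16-le")[:58].ljust(60, b"\x00")  # 60-byte UTF-16LE field
    header = struct.pack("<I4sII", SCCA_V17, b"SCCA", 0x0F, total) + name
    header += struct.pack("<II", pf_hash, 0)
    # metrics, trace-chain and volume sections are left empty; only the string table matters here
    info = struct.pack("<9I", 0, 0, 0, 0, strings_off, len(strings), 0, 0, 0)
    info += struct.pack("<Q", _to_filetime(last_run)) + b"\x00" * 16
    info += struct.pack("<II", run_count, 0)
    return header + info + strings


def parse_pf(data: bytes) -> dict:
    """Return executable name, hash, last run time, run count and loaded-file paths."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file: SCCA signature missing")
    if version != SCCA_V17:
        raise ValueError("prefetch version %d; this parser handles XP/2003 (17) only" % version)
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    strings_off, strings_len = struct.unpack_from("<II", data, 100)
    last_run_ft = struct.unpack_from("<Q", data, 120)[0]
    run_count = struct.unpack_from("<I", data, 144)[0]
    blob = data[strings_off:strings_off + strings_len]
    paths = [s for s in blob.decode("utf-16-le", errors="replace").split("\x00") if s]
    return {
        "executable": exe,
        "hash": pf_hash,
        "last_run": FILETIME_EPOCH + timedelta(microseconds=last_run_ft // 10),
        "run_count": run_count,
        "paths": paths,
    }


def hash_matches_name(pf_filename: str, info: dict) -> bool:
    """NAME-XXXXXXXX.pf carries the hash stored at offset 76; a mismatch means a renamed file."""
    stem = pf_filename.rsplit(".", 1)[0]
    return int(stem.rsplit("-", 1)[1], 16) == info["hash"]


def candidate_binaries(info: dict) -> list[str]:
    """Loaded-file paths whose name equals the recorded executable: the files worth submitting."""
    exe = "\\" + info["executable"].upper()
    return [p for p in info["paths"] if p.upper().endswith(exe)]


# Constructed sample: hypothetical volume, file list, run count and time.
SAMPLE_PATHS = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CTFMON.EXE",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL",
]
SAMPLE_PF = build_sample_pf("CTFMON.EXE", SAMPLE_PATHS, run_count=42,
                            last_run=datetime(2009, 11, 9, 16, 0, tzinfo=timezone.utc),
                            pf_hash=0x0E17969B)  # hash copied from the posted file name

if __name__ == "__main__":
    info = parse_pf(SAMPLE_PF)
    print("%s ran %d times, last at %s" % (info["executable"], info["run_count"], info["last_run"]))
    print("hash matches file name:", hash_matches_name("CTFMON.EXE-0E17969B.pf", info))
    for p in candidate_binaries(info):
        print("submit this file, not the .pf:", p)
```

On the XP machine the records live in C:\WINDOWS\Prefetch; `parse_pf(open(path, "rb").read())` on the real CTFMON.EXE-0E17969B.pf lists the path that was actually executed, and that file (not the .pf) is what belongs on VirusTotal. The hash in the .pf name is derived from the program's full path, so a ctfmon.exe started from a second location produces a second .pf with a different hash; the `\DEVICE\HARDDISKVOLUMEn` prefix is the kernel's volume name, not a drive letter, so map it back before you go looking.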

#13 boopme (Global Moderator)

Posted 01 December 2009 - 03:06 PM

This is indicating perhaps a False Positive.

#14 D Money (Topic Starter)

Posted 01 December 2009 - 03:44 PM

Boopme,

Here are the results from MBAM.


Malwarebytes' Anti-Malware 1.41
Database version: 3268
Windows 5.1.2600 Service Pack 3

12/1/2009 3:02:55 PM
mbam-log-2009-12-01 (15-02-55).txt

Scan type: Quick Scan
Objects scanned: 123202
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 boopme (Global Moderator)

Posted 01 December 2009 - 04:33 PM

OK, looking around I found a Symantec fix. I guess it is worth a shot: W32.Changeup - Removal