
Alsys.exe


7 replies to this topic

#1 cumbiamo


  • Members
  • 82 posts

Posted 24 January 2007 - 09:48 AM

This morning when trying to check email my Startup Monitor alerted me that alsys.exe wanted to run at startup. As soon as I checked No, a message I had never seen appeared saying the system would be shutting down, and a clock began to count down. I quickly googled alsys and saw it was some kind of trojan. Before bleeping down I opened AVG (free) and updated the files.

I booted up in Safe Mode and ran AVG... within seconds alsys was identified. Here is the fun part!! When I checked 20 min later it had identified 500 threats.. by the end I had over 1,000. This thing seemed to have copied itself all across my system. When the AV scan ended, it automatically began to "Heal" files.

I then booted up normally and my system came up. I checked email and it worked, but what I discovered is that apparently in the healing process files were removed or changed or something, because programs like iTunes, games, and icons would not run.... then I had to come to work... did I handle this right or should I have done something differently... more importantly, is there something else I still need to do?

Thanks for your help.. I am feeling a large number of my programs will no longer start until I reinstall...


#2 buddy215


  • Moderator
  • 13,323 posts
  • Gender:Male
  • Location:West Tennessee

Posted 24 January 2007 - 11:24 AM

Info in the link below describes the infection you probably have.
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=60525

I would suggest staying off the net until this threat is removed and avoid infecting others.
As you will read in the above link the malware attempts to download trojans and blocks security programs.
You may want to download the program below to a CD, then install and run it in safe mode. http://www.superantispyware.com/
In safe mode, run whatever security programs you have now.
Do you remember opening an email that might have given you this infection, yesterday or this morning?
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 cumbiamo

  • Topic Starter

  • Members
  • 82 posts

Posted 24 January 2007 - 11:53 AM

No, I did not open email at all yesterday. I asked my son (13) where he had surfed, but did not ask him about email. He was the only one on the PC yesterday, so he may have checked his email and, the AV being disabled, it did not pop up ... will follow your recommendation..

#4 cumbiamo

  • Topic Starter

  • Members
  • 82 posts

Posted 24 January 2007 - 12:05 PM

Sorry for the added commentary.. but would it be normal that in the "healing" process AVG would have altered files that are critical for programs to run? I tried running a few and got the flashlight searching for the appropriate .exe file .. so I can only assume the antivirus did something to the file this thing attached itself to... I have downloaded the program and have it on a memory card; I also assume I can install it in safe mode from a USB port.... Thanks...

#5 buddy215


  • Moderator
  • 13,323 posts
  • Gender:Male
  • Location:West Tennessee

Posted 24 January 2007 - 12:54 PM

It is possible that files were damaged by AVG. Before making the determination though, I would do the scans and review afterwards. There is another antivirus program that is free and fully functional that you could install and run in safe mode.
http://download.drweb.com/drweb+cureit/

I did not mean for you to attempt to install the programs in safe mode, only to run them in safe mode. I used a bad choice of wording.
It would be a good idea to post a HijackThis log in the appropriate forum. The instructions are in the link below. You probably should load the HijackThis program offline, also.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#6 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 January 2007 - 03:13 PM

IMPORTANT NOTE: Keyloggers are very dangerous because they sit stealthily on your system and monitor all the keys you press, including all your logins, passwords and private correspondence. When infected by one of them you should disconnect the computer from the Internet until your system is cleaned. If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How to report ID theft, fraud, drive-by installs, hijacking and malware.

Edited by quietman7, 24 January 2007 - 03:13 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 cumbiamo

  • Topic Starter

  • Members
  • 82 posts

Posted 25 January 2007 - 09:49 AM

NOT a HJT log, just the scan log for BitDefender.... I did not perform the scan in safe mode.. does the fact it says disinfected mean the threat is gone, or should I be doing something more? I did post a HJT log as instructed, but I am trying to do something while waiting for a response.... the Spytech program is to monitor my 13-year-old .. who I forgot to tell not to open emails that have an attachment even if they say "Postcard" .. ;-) Any other pointers are welcome..
----------------------------------------------------------------
//
// Product: BitDefender 9 Professional Plus
// Version: 9.5
//
// Created on: 25/01/2007 06:19:00
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
Folders : 5533
Files : 434253
Archives : 4539
Packed files : 58280
Identified viruses : 9
Infected files : 27
Warnings : 0
Suspect files : 0
Disinfected files : 23
Deleted files : 0
Copied files : 0
Moved files : 2
Renamed files : 0
I/O errors : 800
Scan time : 00:59:12
Scan speed (files/sec) : 122

Virus definitions : 391060
Scan plugins : 14
Archive plugins : 38
Unpack plugins : 6
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: D:\Program Files\Softwin\BitDefender9\Logs\vscan_1169727540.log


Summary:

C:\Documents and Settings\Administrator\Local Settings\Temp\ewido_quarantine\filFFD98E99.dat=>(gzip) Infected: Exploit.HTML.IESlice.C
C:\Documents and Settings\Administrator\Local Settings\Temp\ewido_quarantine\filFFD98E99.dat=>(gzip) Disinfection failed
C:\Documents and Settings\Administrator\Local Settings\Temp\ewido_quarantine\filFFD98E99.dat=>(gzip) Move failed
C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft Ad-Aware SE Personal\Uninstall Ad-Aware SE Personal.lnk=>G:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE Infected: Win32.Mixor.A@mm
C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft Ad-Aware SE Personal\Uninstall Ad-Aware SE Personal.lnk=>G:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE Disinfected
C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft Ad-Aware SE Personal\Uninstall Ad-Aware SE Personal.lnk Update
C:\Documents and Settings\All Users\Start Menu\Programs\Sony\Vegas Movie Studio 4.0\Vegas Movie Studio 4.0.lnk=>K:\Program Files\Sony\Vegas Movie Studio 4.0\moviest40.exe Infected: Win32.Mixor.A@mm
C:\Documents and Settings\All Users\Start Menu\Programs\Sony\Vegas Movie Studio 4.0\Vegas Movie Studio 4.0.lnk=>K:\Program Files\Sony\Vegas Movie Studio 4.0\moviest40.exe Disinfected
C:\Documents and Settings\All Users\Start Menu\Programs\Sony\Vegas Movie Studio 4.0\Vegas Movie Studio 4.0.lnk Update
C:\Documents and Settings\All Users\Start Menu\Programs\Spytech SpyAgent\SpyAgent PC Surveillance.lnk=>E:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe Infected: DeepScan:Generic.Keylogger.99E60D0D
C:\Documents and Settings\All Users\Start Menu\Programs\Spytech SpyAgent\SpyAgent PC Surveillance.lnk=>E:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe Disinfection failed
C:\Documents and Settings\All Users\Start Menu\Programs\Spytech SpyAgent\SpyAgent PC Surveillance.lnk=>E:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe Move failed
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\CRAFGROR\3_z[1].htm Infected: Trojan.Exploit.JS.B
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\CRAFGROR\3_z[1].htm Disinfection failed
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\CRAFGROR\3_z[1].htm Moved
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe Infected: Win32.Mixor.A@mm
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe Disinfected
E:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe Infected: DeepScan:Generic.Keylogger.99E60D0D
E:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe Disinfection failed
E:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe Moved
H:\Program Files\iTunes\iTunes.exe Infected: Win32.Mixor.A@mm
H:\Program Files\iTunes\iTunes.exe Disinfected
I:\Documents\LimeWireWin.exe Infected: Win32.Mixor.A@mm
I:\Documents\LimeWireWin.exe Disinfected
I:\DVD DECRYPT\SetupDVDDecrypter_3.5.2.0.exe Infected: Win32.Mixor.A@mm
I:\DVD DECRYPT\SetupDVDDecrypter_3.5.2.0.exe Disinfected
I:\Guru3D.com\setup\setup.exe Infected: Win32.Mixor.A@mm
I:\Guru3D.com\setup\setup.exe Disinfected
L:\AcroReader51_ENU.exe Infected: Win32.Mixor.A@mm
L:\AcroReader51_ENU.exe Disinfected
L:\Ahead Nero Reloaded\Nero 6\Redist\wmfdist.exe Infected: Win32.Mixor.A@mm
L:\Ahead Nero Reloaded\Nero 6\Redist\wmfdist.exe Disinfected
L:\Ahead Nero Reloaded\Nero Media Player\Redist\wmfdist.exe Infected: Win32.Mixor.A@mm
L:\Ahead Nero Reloaded\Nero Media Player\Redist\wmfdist.exe Disinfected
L:\Ahead Nero Reloaded\NeroVision Express 3\Redist\wmfdist.exe Infected: Win32.Mixor.A@mm
L:\Ahead Nero Reloaded\NeroVision Express 3\Redist\wmfdist.exe Disinfected
L:\AntiVirus\ewido-setup_4.0.0.172b.exe Infected: Win32.Mixor.A@mm
L:\AntiVirus\ewido-setup_4.0.0.172b.exe Disinfected
L:\LimeWireWin.exe Infected: Win32.Mixor.A@mm
L:\LimeWireWin.exe Disinfected
L:\MakeAccessiblePlugIn4Adobe.exe Infected: Win32.Mixor.A@mm
L:\MakeAccessiblePlugIn4Adobe.exe Disinfected
L:\memTest.exe Infected: Win32.Mixor.A@mm
L:\memTest.exe Disinfected
L:\MSI Chipset Drivers\CK804_6.66_2KXP_WHQLMSI Chipset Driver\CK804_6.66_2KXP_WHQL\setup.exe Infected: Win32.Mixor.A@mm
L:\MSI Chipset Drivers\CK804_6.66_2KXP_WHQLMSI Chipset Driver\CK804_6.66_2KXP_WHQL\setup.exe Disinfected
L:\Partition\BTMagic\Rescueme\Setup.exe Infected: Win32.Mixor.A@mm
L:\Partition\BTMagic\Rescueme\Setup.exe Disinfected
L:\Partition\RESCUEME\Setup.exe Infected: Win32.Mixor.A@mm
L:\Partition\RESCUEME\Setup.exe Disinfected
L:\ppviewer.exe Infected: Win32.Mixor.A@mm
L:\ppviewer.exe Disinfected
L:\spersonalfirewall.exe Infected: Win32.Mixor.A@mm
L:\spersonalfirewall.exe Disinfected
L:\WasRendr\Patition Magic\ENGLISH\Acrobat\Acrobat5.exe Infected: Win32.Mixor.A@mm
L:\WasRendr\Patition Magic\ENGLISH\Acrobat\Acrobat5.exe Disinfected
L:\WasRendr\Patition Magic\ENGLISH\BTMagic\Rescueme\Setup.exe Infected: Win32.Mixor.A@mm
L:\WasRendr\Patition Magic\ENGLISH\BTMagic\Rescueme\Setup.exe Disinfected
L:\wma-to-wav.exe Infected: Win32.Mixor.A@mm
L:\wma-to-wav.exe Disinfected

#8 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 January 2007 - 01:18 PM

Disinfected means the file was cleaned.
Disinfection failed means it could not clean it.

Quote: "I did post a HJT log as instructed, but I am trying to do something while waiting for response."

Please refrain from asking for help from other members or staff until the HJT Team has checked your posted log. The HJT Team works very hard to investigate and develop a unique solution to your problem. Just like your computer is different from every other computer, the solution will be tailored to the problems associated with your computer as you receive individual expert assistance. This takes time and effort. The staff here are all professionals and they volunteer their time to help.

Thus, we ask you to please be patient while waiting for assistance and NOT to make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Any modifications you make can result in system changes which may not show in the log you already posted. Further, following advice outside of that post may cause confusion for the team member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

After someone has replied, please advise them of this scan and the results with a link to this thread. Please DO NOT make another reply to the thread with your HJT log until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.