Lost Password And Glupsy


4 replies to this topic

#1 rajeshontheweb

Posted 03 May 2007 - 01:12 AM

I didn't know where to post this, but I am a newbie, so bear with me. Here it goes.


In our company, we had complaints of sudden loss of passwords on Windows XP Pro computers. The password which was working until the day before suddenly failed them.

I knew of about 7 computers with the same problem over a period of 2 weeks and had a doubt that something was wrong. I searched the internet for lost passwords, but got only password reset tools.

Then one day I got a call saying there was an error message at startup saying "The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\WINDOWS\system32\SHELL32.dll occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL", which is seemingly associated with Microsoft KB 935448. I got him to install the update; still no use, with the same error message referring to flashy.exe.

I searched for flashy.exe and then Glupsy was found to be the name of the infection. Refer to http://fileinfo.prevx.com/spyware/qqe5ae33...FLASHY.EXE.html and http://www.trendmicro.com/vinfo/virusencyc...Y.B&VSect=T, and then I realised it from the Symantec info at http://www.symantec.com/security_response/...-99&tabid=2


Only by going through Symantec's info did I get a clue, when it said the worm could change your password to 'hacked'. I tried it on the lost-password computers, and it works.

The symptoms I faced were:

1. lost Folder Options menu item
2. flashy.exe and systemid.pif errors at startup
3. password changed to 'hacked' (only on computers that had an administrator account password; people infected without any admin passwords were the clue which led us to flashy.worm's true identity)



This is what I did:

1. Disable System Restore (My Computer > right click > System Restore > Turn off System Restore).
2. Restart in Safe Mode (press F8 twice before Windows boots) and disable any real-time protection from your antivirus / antispyware.
3. Run the tools Stinger and AntiVir Removal Tool for Windows (all were run just in case there were other similar worms / trojans).
4. Run AutoRuns and search for all entries containing flashy.exe, flashybot, systemId.pif.
5. If Folder Options still does not show up, go to the registry editor (Start menu > Run > regedit) and browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. If NoFolderOptions has a value of 1, then change it to 0 or remove it (back up before doing it), and search for Nofolderoptions and change it too.
6. Restart your computer and run a complete scan with your regular antivirus and antispyware (updated definitions, of course).
7. Restart again and then enable System Restore (remove "turn off").


PLEASE NOTE: IF YOU HAVE ANY FLASH DRIVES, KEEP THE FLASH DRIVES PLUGGED IN WHEN DOING THE REMOVAL / SCANNING PROCESS.


I am posting this only with the intention of helping out people who could be under the impression that they lost their password and be suffering!!

(PS: we have got a couple of dozen PCs infected so far, and it is spreading rapidly through flash drives, easily on a network.)

And we do have Symantec Corporate Edition installed on our PCs, but I don't know why it was not caught in the first place (this virus has been known to Symantec definitions for a while now!).

Edited by Papakid, 03 May 2007 - 08:54 AM.
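An added example, not from this thread or any of its posters: a PowerShell audit script for the two registry indicators the removal steps describe (the NoFolderOptions policy value, and autorun entries naming flashy.exe, flashybot or systemId.pif). The Run/RunOnce key paths, the -Fix switch and the backup file location are my assumptions; it only reports by default.

```powershell
# Added example (not from the thread): audit the two registry indicators described in the
# removal steps. Report-only by default; -Fix backs up and resets NoFolderOptions.
# Assumptions: autorun entries live in the standard Run/RunOnce keys; run from an elevated prompt.
param([switch]$Fix)

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$indicators = @('flashy.exe', 'flashybot', 'systemid.pif')   # names quoted in the post
$runKeys    = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Is the Folder Options menu item suppressed by policy?
if (Test-Path $policyKey) {
    $val = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).NoFolderOptions
    if ($val -eq 1) {
        Write-Host "NoFolderOptions=1 under $policyKey (Folder Options hidden)"
        if ($Fix) {
            # Back up the key before changing it, as the post advises (backup path is assumed).
            $backup = Join-Path $env:TEMP 'Explorer-policy-backup.reg'
            if (Test-Path $backup) { Remove-Item $backup }
            reg export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' $backup | Out-Null
            Set-ItemProperty -Path $policyKey -Name NoFolderOptions -Value 0
            Write-Host "Reset NoFolderOptions to 0; backup written to $backup"
        }
    }
} else {
    Write-Host "No Explorer policy key present; Folder Options is not hidden by this value."
}

# 2. Autorun entries that reference the worm's file names (report only; remove them after
#    review, e.g. with Autoruns as step 4 describes).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        foreach ($ind in $indicators) {
            # -match is case-insensitive; Escape() keeps the '.' in the file names literal
            if ($value -match [regex]::Escape($ind)) {
                Write-Host "Suspicious autorun: $key\$name = $value"
                break
            }
        }
    }
}
```

Running it before and after the Safe Mode scan gives a quick check that the policy value and the autorun entries are really gone rather than re-created on reboot.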



#2 fozzie

Posted 03 May 2007 - 01:22 AM

Thanks for the feedback.

#3 rajeshontheweb (Topic Starter)

Posted 03 May 2007 - 03:37 AM

Guys, I just got feedback from one of the infected computers.

All the listed AV tools and Symantec failed to detect and remove the virus in Safe Mode (only on one computer so far!!!!).

In this case, please use Unlocker and unhook the file from the malicious process.

Edited by Papakid, 03 May 2007 - 08:57 AM.


#4 Papakid (Malware Response Team)

Posted 03 May 2007 - 09:09 AM

Thanks for the heads up. First I want you to know that I've edited your threads, as it isn't a good idea to link to direct downloads; we encourage people to read about what they are about to download first, so I've edited your links.

I also removed the first removal tool you mentioned as I am not familiar with it and there is some doubt about whether it is legit or not--it's probably OK, but there is a file by the same name that is a known trojan when run from a temp folder.

As you say, these general removal tools like Stinger usually aren't kept very up to date on the latest stuff out there. I would suggest running some online scanners--there is a convenient list here--note that some will not remove files but the description tells you which ones will and won't--except for Norton, it is detect only.

Also moving this to Am I Infected? and I have edited the title. I will post back later with some more advice.

The thing about people is they change when they walk away. --Mipso


#5 rajeshontheweb (Topic Starter)

Posted 05 May 2007 - 03:23 AM

Thanks for the help.

But the files I had suggested were scanned at virustotal.com to ensure things were not going wrong, especially because there was one tool I found, specifically one calling itself flashy_killer.zip from a supposed virus removal website, but that had a couple of trojans in it.
