Spyware, Viruses, & Security forum

Need a virus Identified

I was browsing mystyle themes for Windows XP and found one that I liked. The download happened to be a .exe file. Some of the themes I download happen to contain viruses because Avast would catch it before I get a chance to actually save the file. This one didn't alert Avast and I saved it for last because it was a .exe file. I launched it and saw some weird behavior. It wanted to add .Net services in my startup. I blocked that from happening. I knew right then it was a virus. I contained a lot of the creation of files by going into safe mode. Now the problem is that it still modifies (as far as I know) explorer.exe, explorer.scf and also taskmgr.exe into a DOS application. I restored the taskmgr.exe from changing, but it still changes my explorer.exe and explorer.scf file. So I had to create a separate explorer.exe and rename it just to get the UI to appear every time when I startup (otherwise the UI won't appear).

I need to know what the virus is so I can manually remove what files did get left on my PC.
The link to the file is: customize.org/download/files/86562/16778/kremrem.rar

I would love all the help that I could get on this one.

Note: This post was edited by a forum moderator to disable suspicious download link on 12/05/2011 at 5:13 AM PT

Submit the file to Virus Total dot com

In reply to: Need a virus Identified

Send the copy of the file to: http://www.virustotal.com/ and upload and scan. Post the scan result url in your reply.

While you are at it, also have Virus Total scan the url link using the other tab available. You might find out some interesting things about this file and the url link. If you wish, post the link for the url scan here as well.

Virus Total is free to use. I use it to clear a site as suspicious before I visit. I also use WOT (Web of Trust) add-on for firefox as a guide as to what is trustworthy or not. Here: http://www.mywot.com/

Suggest changing the url you posted above to something like hxxp:// to protect others from what may be a malicious and dangerous link in the future. This will make the link unclickable.

Since you have Avast! installed on your system, head over to the avast! user forum here: http://forum.avast.com/index.php?PHPSESSID=cds104ivkkmqs6nq36ot8f3em4&board=4.0

This is the virus and worms help section.

Awesome results

In reply to: Submit the file to Virus Total dot com

That was some very helpful advice mchain. I went to Virustotal as you suggested and ended up getting a lot of results. I do also use firefox and do have WOT installed as an addon, just this time I didn't use firefox. Maybe I should have this time. It was also a good idea to use hxxp:// instead of http: So I'll keep that in mind for next time. Although I do have a question... what are the red and green dots on the left-hand side of the subject of every forum addy?
Anyway here are the results (looks like I have a bit of studying to do):

AhnLab-V3 2011.12.05.00 2011.12.05 Dropper/Win32.Injector
AntiVir 7.11.18.230 2011.12.05 TR/Offend.6985645.2
Antiy-AVL 2.0.3.7 2011.12.05 -
Avast 6.0.1289.0 2011.12.05 -
AVG 10.0.0.1190 2011.12.05 Generic26.IJT
BitDefender 7.2 2011.12.06 Trojan.Generic.6985645
ByteHero 1.0.0.1 2011.11.29 -
CAT-QuickHeal 12.00 2011.12.05 -
ClamAV 0.97.3.0 2011.12.06 -
Commtouch 5.3.2.6 2011.12.05 -
Comodo 10852 2011.12.05 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.12.05 BackDoor.Comet.55
Emsisoft 5.1.0.11 2011.12.05 Trojan-Dropper.Win32.Injector!
IKeSafe 7.0.17.0 2011.12.04 -
eTrust-Vet 37.0.9605 2011.12.05 -
F-Prot 4.6.5.141 2011.11.29 -
F-Secure 9.0.16440.0 2011.12.06 Trojan.Generic.6985645
Fortinet 4.3.388.0 2011.12.05 -
GData 22.298/22.554 2011.12.06 Trojan.Generic.6985645
Ikarus T3.1.1.109.0 2011.12.05 Trojan-Dropper.Win32.Injector
Jiangmin 13.0.900 2011.12.05 -
K7AntiVirus 9.119.5598 2011.12.05 -
Kaspersky 9.0.0.837 2011.12.05 Trojan-Dropper.Win32.Injector.adnl
McAfee 5.400.0.1158 2011.12.06 -
McAfee-GW-Edition 2010.1D 2011.12.05 Heuristic.LooksLike.Win32.Winwebsec.B
Microsoft 1.7903 2011.12.05 -
NOD32 6681 2011.12.04 a variant of MSIL/Injector.OR
Norman 6.07.13 2011.12.05 -
nProtect 2011-12-05.01 2011.12.05 -
Panda 10.0.3.5 2011.12.05 Trj/CI.APC
Tools 8.0.0.5 2011.12.06 -
Prevx 3.0 2011.12.06 -
Rising 23.87.00.02 2011.12.05 -
Sophos 4.71.0 2011.12.05 -
SUPERAntiSpyware 4.40.0.1006 2011.12.06 -
Symantec 20111.2.0.82 2011.12.05 -
TheHacker 6.7.0.1.352 2011.12.01 -
TrendMicro 9.500.0.1008 2011.12.05 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.06 -
VBA32 3.12.16.4 2011.12.05 -
VIPRE 11207 2011.12.05 -
ViRobot 2011.12.5.4809 2011.12.05 -
VirusBuster 14.1.100.0 2011.12.05 Trojan.DR.Injector!oTyTnJ4HMuI

Well, it looks like you have a problem....

In reply to: Awesome results

I show Virus Total as giving 17 out of 43 scanners as a positive malware scan result. With around two, I regard the file as suspicious and/or possibly a false positive. Any more than that, it is quite likely bad for you and bad for your computer.

Most of the time, if a file is merely downloaded, and not run, your computer is safe. The exception to this rule is when your computer is infected with a Trojan virus, which will, alone by itself, run the malicious file for you, and do this without your consent or knowledge. An infected computer with a Trojan virus will contact its creator and websites and/or server(s) and download additional malware onto your system when you visit your usual sites around the web.

As you can see above, that is exactly what you have on your system. Your system is in peril, even if you believe you stopped the virus from damaging your system any further than it did.

My ISP can, and will, lock me out of the Internet if they believe I have malware on my system, and I fail to respond or convince them I have taken appropriate steps to clean my system of that malware. You may receive a notice from them shortly if that is the case. Just so you know.

Here is an example of a posted Virus Total scan (url link): This link is posted to scan a known clean executable file named BelarcAdvisor.exe here:

http://www.virustotal.com/file-scan/report.html?id=162f7e5acec5b68a78f71b03c2b055308d7c5767e7347871ff3ed4d1af5adfee-1323149413

No need to copy and paste the entire report as you did above as the link is directly connected to the scan results for the file I scanned.

In the future, please scan any program file executable you are considering running on your system at Virus Total and save yourself both the time and the headaches of fixing or repairing your system while you are at it.

No a/v (antivirus) will give 100% protection. Such a program does not exist. A/V vendors do look at files submitted at Virus Total and check them for malicious code, so the work of one can help many.

You probably noted, as I did, that Avast! did not alert on this file. That is because they do not have a current virus definition for that file. If they do not know about it, then they cannot protect you.
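The reply above applies a rule of thumb to a pasted engine listing (count the engines that returned something other than "-", treat around two hits as suspicious and more as likely malicious, and discount a miss from an engine that has no definition for the file). The script below, an added example that is neither CNET's nor VirusTotal's code, parses that "engine version date result" layout, computes the detection ratio, applies the same rule, and lists engines whose definition date lags the freshest one. The engine names, detection names and dates in SAMPLE_REPORT are constructed for the example, not taken from the scan above.

```python
"""Parse a pasted VirusTotal-style engine listing and apply a simple
detection-count rule. Added example; not CNET's or VirusTotal's code."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the "engine version date result" layout of the
# pasted report above. Engine and detection names are made up.
SAMPLE_REPORT = """\
EngineA 1.0.0 2011.12.05 Trojan.Generic.EXAMPLE
EngineB 2.3 2011.12.05 -
EngineC 7.7.7 2011.12.06 a variant of Win32/Example.Dropper
EngineD 0.97 2011.12.04 -
EngineE 10.0 2011.12.05 -
"""


@dataclass
class ScanLine:
    engine: str
    version: str
    updated: datetime
    result: Optional[str]  # None when the engine reported "-" (no detection)


def parse_report(text: str) -> List[ScanLine]:
    """Split each line into engine, version, update date and result.
    The result field may itself contain spaces, so split at most three times."""
    lines = []
    for raw in text.splitlines():
        parts = raw.strip().split(maxsplit=3)
        if len(parts) < 4:
            continue  # blank or malformed line
        engine, version, date_str, result = parts
        updated = datetime.strptime(date_str, "%Y.%m.%d")
        lines.append(ScanLine(engine, version, updated,
                              None if result == "-" else result))
    return lines


def detection_ratio(lines: List[ScanLine]) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for line in lines if line.result is not None)
    return hits, len(lines)


def assess(hits: int) -> str:
    """The poster's rule of thumb: around two hits is suspicious or a
    possible false positive; more than that is likely malicious."""
    if hits == 0:
        return "no detections"
    if hits <= 2:
        return "suspicious or possible false positive"
    return "likely malicious"


def stale_engines(lines: List[ScanLine], max_age_days: int = 1) -> List[str]:
    """Engines whose definition date lags the freshest engine by more than
    max_age_days. A miss from such an engine is weak evidence that the file
    is clean: as the reply notes, an engine with no definition for a file
    cannot flag it."""
    if not lines:
        return []
    newest = max(line.updated for line in lines)
    return [line.engine for line in lines
            if (newest - line.updated).days > max_age_days]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(parsed)
    print(f"{hits}/{total} engines flagged the file: {assess(hits)}")
    print("engines with lagging definitions:", stale_engines(parsed))
```

Paste a real listing into SAMPLE_REPORT (or read it from a file) to reuse it; the parser keeps multi-word results such as "a variant of ..." intact because it never splits the fourth field.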

Free online scanner

In reply to: Awesome results

Question?

In reply to: Free online scanner

Ok.... I have a question. I do know that virus scans scan for virus or trojan based software, but do they also look into system files or added or modified code? Like: if logon.exe has added code embedded into the file, would the virus scanners detect that and correct it or at least make you aware of the bad file?

That is pretty much how they work ...

In reply to: Question?

because a virus MODIFIES the files it infects and the infected file is almost always an executable file.

That is why quite often an Operating System or an application doesn't work properly after a virus has been detected and the infected files "cured" or deleted or even quarantined. ALL virus scanners will not necessarily detect all viruses equally and that is why "second opinion" online scans are valuable.
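The question and answer above turn on whether a change to a system executable can be noticed at all. The script below is an added example (not from this thread or from any scanner vendor) of the simplest form of that check: record a SHA-256 hash of each trusted file, compare later to find files that were modified or removed, and additionally verify that an executable still carries a Windows PE header, which is what the original poster's explorer.exe lost when it was turned "into a DOS application". The file names, the minimal PE-shaped bytes and the DOS stub are constructed for the demo and written to a temporary directory; nothing here touches real system files.

```python
"""Hash baseline plus PE-header check for executables. Added example, not
from the thread; it stands in for the integrity checking the answer above
describes (noticing that a system file's bytes have changed)."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the hash of each existing file while the system is trusted."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def compare_to_baseline(baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every baselined file as unchanged, modified or missing."""
    report: Dict[str, List[str]] = {"unchanged": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif sha256_file(path) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def has_pe_header(path: str) -> bool:
    """True if the file is a Windows PE image: an MZ stub whose e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature. A plain DOS
    executable has the MZ stub but no PE signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


# Constructed stand-ins: a minimal PE-shaped file and a DOS-only stub.
FAKE_PE = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
FAKE_DOS = b"MZ" + b"\0" * 58 + (0).to_bytes(4, "little") + b"\xb4\x4c\xcd\x21"


def demo() -> Dict[str, object]:
    """Baseline three constructed files, then overwrite one with a DOS stub,
    delete one and leave one alone, and report what the check sees."""
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical names chosen to mirror the thread; not real system paths.
        exe = os.path.join(d, "explorer.exe")
        scf = os.path.join(d, "explorer.scf")
        tm = os.path.join(d, "taskmgr.exe")
        with open(exe, "wb") as f:
            f.write(FAKE_PE)
        with open(scf, "wb") as f:
            f.write(b"[Shell]\r\nCommand=2\r\n")  # constructed placeholder content
        with open(tm, "wb") as f:
            f.write(FAKE_PE)
        baseline = build_baseline([exe, scf, tm])
        pe_before = has_pe_header(exe)
        with open(exe, "wb") as f:          # simulate the replacement
            f.write(FAKE_DOS)
        os.remove(scf)                      # simulate the deletion
        report = compare_to_baseline(baseline)
        return {
            "pe_before": pe_before,
            "pe_after": has_pe_header(exe),
            "modified": [os.path.basename(p) for p in report["modified"]],
            "missing": [os.path.basename(p) for p in report["missing"]],
            "unchanged": [os.path.basename(p) for p in report["unchanged"]],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A baseline is only as trustworthy as the system it was taken on, so it should be built from known-good media or right after a clean install, and stored somewhere the machine being checked cannot rewrite. The hash comparison detects any change; the PE-header check is a cheap sanity test that catches the specific symptom described in the first post without needing a baseline at all.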

(NT) Answer-What Edward said.

In reply to: Question?
