Posted by Sycho on December 14, 2007, 2:50 am
in alt.comp.virus on Fri, 14 Dec 2007 01:33:50 -0500 and shouted for
all to hear..
>Sycho wrote:
>> in alt.comp.virus on Tue, 11 Dec 2007 18:55:59 -0500 and shouted for
>> all to hear..
>>
>>
>>>My aunt has the obfustat virus on her computer.
>>>
>>>Specifically, "obfustat.UVE".
>>>
>>>It resides in "c:\windows\system32\pccapcc.dll".
>>>
>>>AVG free, up-to-date, detects it, but cannot delete it.
>>>(select "heal", or "put in vault", and it thinks it did,
>>>but the file is still there in system32).
>>
>> Have you tried using Spybot Search & Destroy to see if it detects any
>> problems on the comp?
>
>So far I've only tried the AVG. It'll take me awhile
>to dnld the other stuff, due to the snail-slow internet
>in this area. (Dialup only, and nowhere near 56k)
Ah damn. :( Well I can still hook you up with anything you might need
regardless of your connection speed.
>>>Safe-mode boot, no difference.
>>>
>>>I found several references to pccapcc.dll in the
>>>registry, 2 under CLSID/,
>>>and one under windows services, so I think it's being
>>>loaded as a service (under svchost perhaps?)
>>>
>>>What I would like to know is:
>>>Is pccapcc.dll a file that is supposed to be in XP and
>>>the virus has simply infected it, or is this a bogus dll
>>>that has no business being there in the first place?
>>
>> I use Windows 98 Second Edition on this comp, my wife uses Windows XP
>> Home on hers. I searched her registry and found no reference to that
>> file, let alone the file itself on her comp. So it's safe to assume
>> that the file has nothing to do with Windows itself. I also did a
>> search for the file at Yahoo! and Google. No information at either
>> site on that file.
>
>My pc is win98 also. Haven't had any viruses at all since
>August 2005.
>
>What I don't like about XP is that you can't boot to plain
>DOS and still get to your files. I would have deleted, or
>moved, pccapcc.dll that way.
Ah yes! That's why I still refuse to switch to XP for that very reason
alone. If I can't work straight in DOS mode there's no point in having
the OS. I shouldn't have to load a boot disk just to get to the
command prompt. That's just gay. Hell I won't use an FTP client if I
need to upload or download anything from any of the three computers on
my network. I do that right from the command prompt. I guess I'm old
fashioned that way. lol
>>>Anyone else out there had problems with an obfustat virus
>>>that AVG couldn't remove?
>>
>> Not personally since I use Norton Anti Virus version 5.0 on my comp.
>> But you may want to download System Mechanic (http://www.iolo.com) and
>> disable any rogue programs in Windows Startup Manager.
>>
>> I would also recommend disabling System Restore before performing any
>> scans and fixing any problems if you haven't done so already.
>
>Disabling sys restore... I'll try that next time I'm at my aunt's.
>Will a functioning sys restore put the virus right back on reboot,
>or only if someone reverts to an infected restore point?
I'm not really sure on that to be perfectly honest. I just know that
that's how some reinfections occur: system restore is enabled while
you're getting rid of the problem. Another stupid feature Micro$oft
added that wasn't needed.
>> In my search I did happen to make note that there are others out there
>> using AVG that say they're having the same problems removing the bug
>> that you're having. So you can rest assured that you're not alone.
>
>I'd bet AVG has been hearing some comments, then
It wouldn't surprise me. It's a shame that your aunt is using XP
otherwise I would have you get Norton Anti Virus v5 off my warez page.
That particular version won't run on XP unfortunately. Otherwise my
wife would have that installed on her comp immediately.
>> Unfortunately I've found nothing in my searches on what the malware
>> is. Some sites call it a trojan, others a virus and a couple, a
>> rootkit.
>>
>> If the IP you're posting from is your aunt's IP address and not yours,
>> I'd be happy to run an nmap scan on the IP to determine if there are
>> any ports open to the outside world that would be opened by a trojan.
>
>No, I'm posting from my own pc.
Ah, ok. Well I'm guessing then that she's also on dial-up? If so it
wouldn't do any good getting the IP address to me since it would
change at every logon you/she made.
You are more than welcome at any time to connect to my IRC server
should you want to discuss this in more detail. My IRC is open 24/7 to
anyone.
Connect to 3wd.no-ip.org:9800
And the channel is #3wd.
Feel free to register your nick on there.
Syntax is: /msg nickserv register <nickname> <password> <email>
Ex: /msg nickserv register Foo skittles lol@you.org
Once you've registered and want to connect at a later time, to ID use
this:
/pass <password>
Ex: /pass skittles
I don't ask that anyone use their real email address. Make up one.
If you have a CD burner I'll hook you up with anything that I think
you can use on your comp as well as your aunt's comp to clean the
infection. Most of the stuff I have is in ISO format.
--
Unofficial M$ Motto: "Micro$oft: Have you hugged your BSoD today?"
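The original poster worked out that pccapcc.dll was probably a rogue file by searching the registry for references under CLSID and the services key. The script below, added here as an example and not part of the thread, automates that check on a modern PowerShell host: it lists every CLSID and service entry that names the DLL, then checks whether the file in system32 carries a valid Authenticode signature (a legitimate Windows component would; the file name is taken from the post, everything else is assumed).

```powershell
# Added example (not from the thread): find registry references to a DLL name
# and check whether the file in system32 is a signed Windows component.
# Run from an elevated PowerShell prompt; $DllName defaults to the file in the post.
param([string]$DllName = 'pccapcc.dll')

$hits = @()

# 1. COM registrations: each CLSID's InprocServer32 default value names the DLL it loads.
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $inproc = Join-Path $_.PSPath 'InprocServer32'
    if (Test-Path $inproc) {
      $val = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
      if ($val -and $val -match [regex]::Escape($DllName)) {
        $hits += [pscustomobject]@{ Kind = 'CLSID'; Key = $_.PSChildName; Value = $val }
      }
    }
  }

# 2. Services: ImagePath for a normal service, Parameters\ServiceDll for one hosted by svchost.exe.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $params = Join-Path $_.PSPath 'Parameters'
    $dll = $null
    if (Test-Path $params) {
      $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    }
    foreach ($v in @($svc.ImagePath, $dll)) {
      if ($v -and $v -match [regex]::Escape($DllName)) {
        $hits += [pscustomobject]@{ Kind = 'Service'; Key = $_.PSChildName; Value = $v }
      }
    }
  }

$hits | Format-Table -AutoSize

# 3. Signature check: a DLL in system32 that is unsigned (or signed by an unknown
#    party) and referenced only by a CLSID plus a service entry fits the rogue-file pattern.
$path = Join-Path $env:SystemRoot "system32\$DllName"
if (Test-Path $path) {
  $sig = Get-AuthenticodeSignature -FilePath $path
  '{0}: signature={1} signer={2}' -f $path, $sig.Status, $sig.SignerCertificate.Subject
} else {
  "$path not present"
}
```

An empty hit list together with a Valid Microsoft signature points to a legitimate file; hits under both CLSID and Services with no valid signature match what the poster described.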