New Virus?

New Virus?
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Antivirus Discussions    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
New Virus? Eugene Taylor 07-06-2005
---> Re: New Virus? David H. Lipman07-06-2005
| ---> Re: New Virus? Eugene Taylor07-06-2005
| | ---> Re: New Virus? David H. Lipman07-06-2005
| | ---> Re: New Virus? Eugene Taylor07-06-2005
| | |--> Re: New Virus? David H. Lipman07-06-2005
| | `--> Re: New Virus? David H. Lipman07-06-2005
| | `--> Re: New Virus? David H. Lipman07-06-2005
| |--> Re: New Virus? Eugene Taylor07-07-2005
| `--> Re: New Virus? David H. Lipman07-07-2005
Posted by David H. Lipman on July 6, 2005, 1:27 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

| Thanks, scary I was relying on a single anti-virus program


Sophos caught both.

You can use my Multi AC Command Line Scanner tool front end to scan your
computer.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart
scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and
WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners
to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can
download the files and perform a scan in Normal Mode. Once you have downloaded
the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode
[F8 key
during boot] and re-run the menu again and choose which scanner you want to run
in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or
FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related
files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by David H. Lipman on July 6, 2005, 3:45 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

UPDATED INFO:

My contact at Trend Micro has identified rnaapp2.exe as being "BKDR_GSPOT.E"

McAfee/AVERT identified the two; noadsense.exe as "W32/Sdbot.worm.gen.by" and
rnaapp2.exe as "Generic BackDoor.bc".

Both Trend and Mcafee will have signatures released in their next updates.

The following can be used to create an EXTRA.DAT file for McAfee.
Copy the data between the dashes ("---------------") but not including them and
paste the below into a file called EXTRA.DAT.
Using the find/search utility on your computer search for the following file:
SCAN.DAT
Then copy the EXTRA.DAT to the same folder where SCAN.DAT was found.

EXTRA.DAT
---------------

256 178 156 179 77 51 218 128 63 28 222 215 111 92 249 157
122 92 255 222 49 150 138 37 104 127 130 188 2 105 40 182
65 60 130 188 87 150 132 168 2 60 130 188 35 72 133 187
121 204 140 199 189 49 141 163 232 35 230 15 86 147 65 95
143 186 132 33 24 79 247 201 90 122 128 49 6 53 234 214
99 29 239 202 13 51 140 179 25 204 140 222 67 204 22 19
148 164 141 179 12 164 141 179 13 127 140 179 20 51 154 179
94 92 235 199 122 82 255 214 81 126 228 208 127 92 254 220
107 71 209 252 65 118 141 247 13 51 141 179 78 99 141 218
13 76 140 179 12 22 12 204 14 51 140 150 140 76 143 179
12 22 12 204 9 51 140 150 140 76 143 179 140 76 140 179
140 76 141 179 140 76 142 179 12 22 12 204 13 51 140 150
140 76 136 179 12 22 12 204 15 51 140 150 140 76 143 179
12 20 12 204 12 51 140 150 140 76 141 179 140 76 140 179
140 76 141 179 6 50 141 179 141 4 141 179 17 63 141 193
5 51 141 179 13 47 141 179 127 178 242 126 15 52 141 253
10
16162 256 13045 515 W32/Sdbot.worm

97 178 155 178 77 51 202 214 99 86 255 218 110 19 207 210
110 88 201 220 98 65 163 209 110 15 40 180 155 86 193 188
2 60 215 22 8 127 130 188 2 105 40 186 22 60 130 188
2 29 246 187 5 71 114 178 121 131 143 179 29 214 157 218
231 219 37 86 47 112 133 174 34 71 53 222 188 248 254 190
143 54 141 179 13 50 141 167 242 50 224 253 192 49 138 179
67 52
7381 256 13045 515 Generic BackDoor.bc

---------------

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Sandy Mann on July 6, 2005, 4:52 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
David,

Is that McAfee any version, or just McAfee Professional?

May I take this opportunity to thank you for going to so much trouble.

--

Sandy
sandymann@mailinator.com
Replace@mailinator with @tiscali.co.uk


>
> UPDATED INFO:
>
> My contact at Trend Micro has identified rnaapp2.exe as being
"BKDR_GSPOT.E"
>
> McAfee/AVERT identified the two; noadsense.exe as "W32/Sdbot.worm.gen.by"
and
> rnaapp2.exe as "Generic BackDoor.bc".
>
> Both Trend and Mcafee will have signatures released in their next updates.
>
> The following can be used to create an EXTRA.DAT file for McAfee.
> Copy the data between the dashes ("---------------") but not including
them and
> paste the below into a file called EXTRA.DAT.
> Using the find/search utility on your computer search for the following
file:
> SCAN.DAT
> Then copy the EXTRA.DAT to the same folder where SCAN.DAT was found.
>
> EXTRA.DAT
> ---------------
>
> 256 178 156 179 77 51 218 128 63 28 222 215 111 92 249 157
> 122 92 255 222 49 150 138 37 104 127 130 188 2 105 40 182
> 65 60 130 188 87 150 132 168 2 60 130 188 35 72 133 187
> 121 204 140 199 189 49 141 163 232 35 230 15 86 147 65 95
> 143 186 132 33 24 79 247 201 90 122 128 49 6 53 234 214
> 99 29 239 202 13 51 140 179 25 204 140 222 67 204 22 19
> 148 164 141 179 12 164 141 179 13 127 140 179 20 51 154 179
> 94 92 235 199 122 82 255 214 81 126 228 208 127 92 254 220
> 107 71 209 252 65 118 141 247 13 51 141 179 78 99 141 218
> 13 76 140 179 12 22 12 204 14 51 140 150 140 76 143 179
> 12 22 12 204 9 51 140 150 140 76 143 179 140 76 140 179
> 140 76 141 179 140 76 142 179 12 22 12 204 13 51 140 150
> 140 76 136 179 12 22 12 204 15 51 140 150 140 76 143 179
> 12 20 12 204 12 51 140 150 140 76 141 179 140 76 140 179
> 140 76 141 179 6 50 141 179 141 4 141 179 17 63 141 193
> 5 51 141 179 13 47 141 179 127 178 242 126 15 52 141 253
> 10
> 16162 256 13045 515 W32/Sdbot.worm
>
> 97 178 155 178 77 51 202 214 99 86 255 218 110 19 207 210
> 110 88 201 220 98 65 163 209 110 15 40 180 155 86 193 188
> 2 60 215 22 8 127 130 188 2 105 40 186 22 60 130 188
> 2 29 246 187 5 71 114 178 121 131 143 179 29 214 157 218
> 231 219 37 86 47 112 133 174 34 71 53 222 188 248 254 190
> 143 54 141 179 13 50 141 167 242 50 224 253 192 49 138 179
> 67 52
> 7381 256 13045 515 Generic BackDoor.bc
>
> ---------------
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>



Posted by David H. Lipman on July 6, 2005, 5:00 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

| David,
|
| Is that McAfee any version, or just McAfee Professional?
|
| May I take this opportunity to thank you for going to so much trouble.
|
| --
|
| Sandy
| sandymann@mailinator.com
| Replace@mailinator with @tiscali.co.uk

Sandy:

*ANY* version of McAfee AV software, Retail or Enterprise.

It was no problem nor trouble. I get the educational benefit in the process and
I get to
help others while doing so.

It is my pleasure.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Eugene Taylor on July 7, 2005, 2:20 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

>
> UPDATED INFO:
>
> My contact at Trend Micro has identified rnaapp2.exe as being
"BKDR_GSPOT.E"
>
> McAfee/AVERT identified the two; noadsense.exe as "W32/Sdbot.worm.gen.by"
and
> rnaapp2.exe as "Generic BackDoor.bc".
>
> Both Trend and Mcafee will have signatures released in their next updates.
>
> The following can be used to create an EXTRA.DAT file for McAfee.
> Copy the data between the dashes ("---------------") but not including
them and
> paste the below into a file called EXTRA.DAT.
> Using the find/search utility on your computer search for the following
file:
> SCAN.DAT
> Then copy the EXTRA.DAT to the same folder where SCAN.DAT was found.
>
> EXTRA.DAT
> ---------------
>
> 256 178 156 179 77 51 218 128 63 28 222 215 111 92 249 157
> 122 92 255 222 49 150 138 37 104 127 130 188 2 105 40 182
> 65 60 130 188 87 150 132 168 2 60 130 188 35 72 133 187
> 121 204 140 199 189 49 141 163 232 35 230 15 86 147 65 95
> 143 186 132 33 24 79 247 201 90 122 128 49 6 53 234 214
> 99 29 239 202 13 51 140 179 25 204 140 222 67 204 22 19
> 148 164 141 179 12 164 141 179 13 127 140 179 20 51 154 179
> 94 92 235 199 122 82 255 214 81 126 228 208 127 92 254 220
> 107 71 209 252 65 118 141 247 13 51 141 179 78 99 141 218
> 13 76 140 179 12 22 12 204 14 51 140 150 140 76 143 179
> 12 22 12 204 9 51 140 150 140 76 143 179 140 76 140 179
> 140 76 141 179 140 76 142 179 12 22 12 204 13 51 140 150
> 140 76 136 179 12 22 12 204 15 51 140 150 140 76 143 179
> 12 20 12 204 12 51 140 150 140 76 141 179 140 76 140 179
> 140 76 141 179 6 50 141 179 141 4 141 179 17 63 141 193
> 5 51 141 179 13 47 141 179 127 178 242 126 15 52 141 253
> 10
> 16162 256 13045 515 W32/Sdbot.worm
>
> 97 178 155 178 77 51 202 214 99 86 255 218 110 19 207 210
> 110 88 201 220 98 65 163 209 110 15 40 180 155 86 193 188
> 2 60 215 22 8 127 130 188 2 105 40 186 22 60 130 188
> 2 29 246 187 5 71 114 178 121 131 143 179 29 214 157 218
> 231 219 37 86 47 112 133 174 34 71 53 222 188 248 254 190
> 143 54 141 179 13 50 141 167 242 50 224 253 192 49 138 179
> 67 52
> 7381 256 13045 515 Generic BackDoor.bc
>
> ---------------
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Thanks David,
I ended up using Grisoft AVG, and TrendMicro Sysclean I have both of these
on my emergency cd/thumbdrive. I also have adaware, spybot, microsoft
antispyware, hijackthis, cwshredder. This one sure was a toughie, I noticed
today that my symantec corporate edition started picking up the
noadsense.exe as a virus but could not delete, or quarrantine it yet. On a
side note I want to remind people that us roaming profiles that they need to
be checked also. I thought I was finished last night, and when I came in the
virii were back. I saw that they had come from the roaming profiles, so I
had to scan the server also.



Similar ThreadsPosted
HELP: Virus is preventing me from installing anti virus software!! January 11, 2007, 2:17 am
I have a virus that uses "anti virus software" downloads as a cover up March 24, 2007, 1:40 pm
I have a worm or virus that does not allow me to go to ANY anti-virus website January 28, 2006, 10:29 pm
Caught a Virus: Virus:Trj/Shutdown.Z -- need advice June 13, 2007, 12:59 am
Vundo fix not finding vundo virus - windows tool deletes virus May 14, 2008, 2:06 pm
Does anybody know what virus i've got? July 5, 2005, 8:23 am
virus July 19, 2005, 12:20 pm
Virus help August 8, 2005, 10:34 am
Virus Help August 13, 2005, 8:00 am
A virus? August 26, 2005, 10:01 am

The site map in XML format XML site map

Contact Us | Privacy Policy