Nasty Anydvd 4581 file on Emule


#1

A virus that deletes mp3 files from all drives and then prevents any other programs from running. Task manager is also disabled after this virus has been run. When this virus has done its work, a window with “Intelligence Resource Program”, “Cyberbob 33 BX”, “The French Hacker” as well as a picture of a shady looking character and words saying “F*** the Pirates…MP3…Games ETC!!!” is displayed whenever a program is attempted to start.
When you try rebooting a second time, the system resets just before the OS selection screen and then does this on each subsequent attempt to restart.
I have had to open Windows from another hard drive just to be able to scan the original drive.
No virus program I have tried detects this file as being harmful nor does any spyware program.

If anyone knows a work around please let me know.


#2

Do a web search for Trojan Defense Suite (TDS). Download and run it. It will take a while but it will solve your problem. Also think about adding a firewall.


#3

Thanks pipemanid, I’ll give that a try.


#4

FreqNasty, to fix this up you will need to boot into Windows using the ‘Safe Mode’ option.

[B]To stop the automatic restarts[/B]
Once in, proceed to Control Panel > System. Click on the Advanced tab. Under ‘Startup and Recovery’ click on Settings. Remove the tick from ‘Automatically restart’ and choose OK.

While you are booted in Safe Mode, why not just uninstall your AnyDVD as well?? This trojan virus thing you have come across probably loads as a system service, so have a look in the msconfig start-up list as well for anything suspicious.

But one would have to ask: what in the world are you using a copy of AnyDVD from Emule for? Surely not using a cracked version.


#5

:iagree: If you like/use the program support the author and buy it.


#6

Yea, the rest of us support and buy it, why can’t you??? :frowning: Teaches you for using a cracked version. $70 is not a lot of money for the amount of DVDs you can copy.


#7

Fu*k me, it only cost me $39 :bigsmile:


#8

No…it was just a version of it. I don’t know if it was cracked. The person who wrote this virus is obviously against AnyDVD because it is used to copy DVDs. Unless Slysoft releases trojans of AnyDVD files on emule, then you would expect it to be an anti-pirate person. In fact, if you go to http://www.vbfrance.com/auteurdetail.aspx?ID=264139 there is a cyberbob33 on there! The trojan was written in Visual Basic, which is what that site is based on.

I still need details on what this trojan changes in the registry. An NTDETECT.COM file needed to be added to the root as it had been deleted, which explained Windows not booting. It is difficult to examine a registry which has been disabled by the system administrator.


#9

The best version of it would only come from the developer’s website and at 1Mb it would be quicker to d/l it from there than from Emule.

Have you tried Ewido trojan scanner & Registry Mechanic to see if that helps?


#10

Just my opinion, but, if I had a known trojan on my machine I’d back up my data and wipe the machine. Overly cautious, yes. But, to me it’s worth the peace of mind of having a clean install versus HOPING some trojan cleaner actually managed to wipe it out completely. And uh, don’t be installing things from an untrusted source such as emule file sharing. :wink:


#11

True that! I would have to wipe it and start over too…That’s the only way I could sleep at night! :iagree:

Peace and Luv,

DJ Mind


#12

What happens if you back up the trojan to disk, then reinstall Windows and reinfect the PC again?


#13

That’d be why you back up just the DATA not any programs. A trojan can’t infect your data. And if you’re really that paranoid, then you’d probably get all your scanners and whatnot up to date before restoring the data after you do a fresh install. I’ve been using computers for over 20 years and I’ve never gotten a virus or trojan. Know the source of what you’re installing comes to mind. Scan it BEFORE installing is also prudent advice. :slight_smile: But when infected, clean as much as you can, back up the data, and reinstall. That’s what I’d do.


#14

It couldda been worse . . . it couldda unleashed the Bobbit Virus on ya . . . this virus disables your hard drive and leaves ya with a 3-1/2" floppy . . . :slight_smile:


#15

Here’s a list of programs to try to run in SAFE MODE to pick up the worm.
You can find them at www.google.com
Ad-Aware SE Professional
Spybot - Search & Destroy
SpywareBlaster
Norton AntiVirus
Update them and run them in that order, twice. They’ll get it for you.


#16

A virus, based on the W32.NGVCK virus creation kit. This virus will infect executable files when they are run. The existence of the file UnBlaster.exe is an indication of a possible infection.
Also Known As: Bloodhound.W32.1, W32.NGVCK.4920
Infection Length: 4920 Bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x



#17

It will perform the following actions:

  1. Attempts to import several Windows functions from various .dll files. These functions will be used later to find and infect files.

  2. Creates the file, UnBlaster.exe, in the %System% folder. This file is a copy of the virus.

    Note: %System% is a variable. The virus locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Installs a Windows hook so that it can infect Windows PE executable files when they are executed.

  4. Checks the system time to determine whether it should display a message box. The message, if displayed, is written in an Asian language.


#18

Ok, got a fix for this…
First, I got the file when I downloaded AnyDVD+serial+crack from Morpheus. I did this because a) I’m thrifty (ok, cheap) and b) I have like 30 tools that each have 1 extra feature I need, and didn’t want to shell out the money for another. Anyhoo, lesson learned, let’s move on.
This trojan does several things. For one, it deletes every MP3 on your computer. It also deletes every copy of NTDETECT.COM, which prevents your system from rebooting. It then adds three registry keys that lock you out as administrator. One is NoControlPanel, another is DisableRegistryTools, the last is DisableTaskMgr. Finally, it breaks the executable file association so you can’t run any .exe files (directly, more on this in a sec). The program also seems to use a virus as a vector to keep itself installed, although this wasn’t a huge problem compared with everything else. Pretty nasty, but fixable.
Ok, by the time you realize you have a problem, your computer probably doesn’t restart. I booted off my WinXp CD, did the repair console thing. I issued the FIXMBR command (don’t know if this actually had any effect, but it didn’t hurt) and then copied NTDETECT.COM from the D:\i386\ folder in to C:. Now I could boot.
Luckily, I have my text files associated with TextPad (Helios Software Solutions). This meant when I double-clicked on a text file, TextPad opened up. TextPad very handily has a run command which bypasses the .exe file association. The point is you need some sort of way of executing commands directly.
Now, the first thing we need to do is get Task Manager back under our control. Issue this command:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

(In TextPad, the REG goes in the command, everything else goes in the parameters.) This basically changes the DisableTaskMgr key to 0, letting you Ctrl-Alt-Delete. There’s a program in the processes (sorry, forgot the name, just try to execute an exe and you’ll see it pop up) that seems to be from the virus. Just kill it when it comes up. Now we need to run our virus scanners, Ad-Awares, etc… F-Prot with the most recently updated file (dated today, 3-18-05) found the virus called W32/Killfiles.H in the trojan program. I’m guessing this infects the MBR and then reinfects it each time the program is running, but that is just conjecture. Delete the file, let it clean everything. Oh yeah, to run it, just copy/paste the shortcut in your start menu into the command line of whatever you are using to issue commands.
Now we just fix the other three problems. To get control of our registry editor, run the following:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Now, go get this: http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/EXEfix08.reg and apply it by just running it in your command issue-er thing. This fixes your exe problem.
Ah, almost there. Now just run regedit and do a search for NoControlPanel. There should be only one that has a value, but if not, change those too. Set its value to 0. This requires a reboot to make active. Cross your fingers and restart.
Ok, so that should be it (I think, it was like 3 in the morning when I finally finished). Just for fun you should re-run all your virus scanners, etc. Everything except my MP3s is back and normal (I hope).
A comment from me: Ok, so piracy is wrong, but is it really worse than destroying someone’s whole computer without any way to back up pictures of their daughter or whatever? Malicious “hackers” suck. I hope they burn in the bottom layers of hell with Jon Tesh.

http://windowsxp.mvps.org/Taskmanager_error.htm
http://support.microsoft.com/?kbid=831787
http://www.winguides.com/registry/display.php/543/


#19

hahahhaaa, this is some funny $%!t


#20

This doesn’t only apply to AnyDVD; this applies to other files downloaded from emule.

The virus will put a file in your Program Files folder named xerox.nt. If you have Spybot installed you can access the TASKMGR to kill the process that is running (smsdriver…or something like that), then delete the xerox.nt folder.

The above example mentioned using TextPad, but I had problems here also; I got an error ACCESS DENIED. But I didn’t have it installed originally, so this might be the reason.
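An added audit script, not posted by anyone in this thread, that checks the items the fix in #18 walks through (the three HKCU policy values, the .exe file association and NTDETECT.COM) plus the xerox.nt folder mentioned in #20, and restores the policy values and association only when run with -Fix. It assumes an elevated PowerShell prompt; the stock .exe open command `"%1" %*` is the normal Windows default, and the folder path for xerox.nt is taken from #20.

```powershell
# Added example: audit (and optionally restore) the lockout settings the thread reports.
# Usage: .\Check-Lockout.ps1        (report only)
#        .\Check-Lockout.ps1 -Fix   (also restore the registry values, as post #18 does)
param([switch]$Fix)

$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exeCmd = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$findings = @()

# 1. The three lockout values named in #18; any non-zero value is a finding.
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools', 'NoControlPanel') {
    $val = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -and $val -ne 0) {
        $findings += "$name = $val"
        if ($Fix) { Set-ItemProperty -Path $policy -Name $name -Value 0 -Type DWord }
    }
}

# 2. The .exe file association; the stock value launches the file itself with its arguments.
$stock = '"%1" %*'
$cmd = (Get-ItemProperty -Path $exeCmd -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne $stock) {
    $findings += "exefile open command is '$cmd' (expected $stock)"
    if ($Fix) { Set-ItemProperty -Path $exeCmd -Name '(default)' -Value $stock }
}

# 3. NTDETECT.COM on the root of the system drive (needed to boot XP/2000); copy it back
#    from the i386 folder of the install CD if it is gone, as #18 describes.
$ntdetect = Join-Path $env:SystemDrive 'NTDETECT.COM'
if (-not (Test-Path $ntdetect)) { $findings += "$ntdetect is missing" }

# 4. The xerox.nt folder reported in #20 as an indicator (reported, not deleted).
$xerox = Join-Path $env:ProgramFiles 'xerox.nt'
if (Test-Path $xerox) { $findings += "$xerox exists" }

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No lockout settings, missing boot file or xerox.nt folder found.' }
```

Run it once without -Fix to see what is set, then again with -Fix after the scanners have removed the trojan, since the thread reports the settings being re-applied while it is still running.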