
Thread: new virus ogysteo.exe / ~tmp0374.exe

  1. #1
    gregge Guest

    new virus ogysteo.exe / ~tmp0374.exe

    Greetings,

    I have a virus called ogysteo.exe that ZoneAlarm Suite cannot find or remove.
    It appears to be associated with another piece of malware called ~tmp0374.exe, which ZA also can't find and the firewall doesn't block it from running.

    I am wondering if anyone else has seen these, and when ZA will have some protection available.
    I was able to remove ogysteo and at least keep ~tmp0374.exe from running using PREVX1.

    They have some information about this virus at:

    http://spywarefiles.prevx.com/RRJBJD...YSTEO.EXE.html

    thanks,

    - Gregg

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.5

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: new virus ogysteo.exe / ~tmp0374.exe

    C:\WINDOWS\System32\ogysteo.exe is where it should be residing. But it probably has friends.



    http://research.sunbelt-software.com...threatid=49191

    Trojan-Downloader.Win32.Small.ddy
    Type: Malware
    Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
    Category: Trojan Downloader
    Category Description: A Trojan Downloader is a program typically installed through an exploit or some other deceptive means and that facilitates the download and installation of other malware and unwanted software onto a victim's PC. A Trojan Downloader may download adware, spyware or other malware from multiple servers or sources on the internet.
    Level: High
    Level Description: High risk threats are typically installed without user interaction through security exploits, and can severely compromise system security. Such threats may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These threats may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
    Advice Type: Remove

    It may be a requirement for you to disable the System Restore and then scan once again and then re-enable the System Restore>

    http://support.microsoft.com/default...b;en-us;310405

    Have you tried a manual deletion of the .exes in the safe mode?

    The CA antivirus used presently by the ZA does show this>

    http://www3.ca.com/securityadvisor/v....aspx?id=57652

    Oldsod

    Message Edited by Oldsod on 11-27-2006 08:27 AM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:5.x
    Best regards.
    oldsod

  3. #3
    gregge Guest

    Re: new virus ogysteo.exe / ~tmp0374.exe

    Oldsod, thanks for the info.
    I think I have most of it under control now, but the last issue appears to be what sort of looks like a browser hijack, and I'm not sure how to stop it...
    When I start IE and the default page opens, the browser tries to visit:
    http://%6c%61%68%65%72%65.%63%6f%6d/...5%78.%70%68%70
    and in the history file under pages visited at this location, there is:
    http://lahere.com/counter/index.php
    Any idea what all this means and how to get IE to open the default page properly?
    Thanks in advance for any help or insight you can provide.
    - Gregg




  4. #4
    gregge Guest

    Re: new virus ogysteo.exe / ~tmp0374.exe

    It turns out this was caused by a hack of the website that was the browser default.
    The domain is hosted at Network Solutions, and others have had the same issue.
    There's some discussion of it at
    http://www.dpchallenge.com/forum.php...READ_ID=502801
    A tag was added to the index page which resolves to the site mentioned in the above post.
    It tries to install ActiveX controls, and I believe that was the source of the virus.
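The redirect described in the two posts above hides the destination by percent-encoding every character of the hostname. The following is an added example, not code from the thread: it checks a list of browser history entries for hostnames that only become readable after decoding. The history lines are constructed; the encoded sample is built from the decoded history entry (lahere.com/counter/index.php) the poster quoted.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample history entries (not from the original thread).  The
# second line mirrors the encoded form the poster saw in the browser, the
# third is the decoded form that appeared in the history file.
SAMPLE_HISTORY = [
    "http://www.microsoft.com/",
    "http://%6c%61%68%65%72%65.%63%6f%6d/counter/index.php",
    "http://lahere.com/counter/index.php",
    "http://example.com/search?q=%6c%61",  # escapes in a query string are normal
]

# What a decoded hostname is allowed to look like.
HOST_RE = re.compile(r"^[a-z0-9.-]+$")


def analyze_url(url):
    """Return (raw_host, decoded_host, obfuscated) for one URL.

    Only the host part is examined: percent escapes are legitimate in a
    path or query string, but a hostname that has to be decoded before a
    human can read it is a red flag in a start page or history entry.
    """
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    decoded = unquote(raw_host).lower()
    obfuscated = "%" in raw_host and decoded != raw_host
    return raw_host, decoded, obfuscated


def scan_history(entries):
    """Return (url, decoded_host, reason) for every suspicious entry."""
    findings = []
    for url in entries:
        raw_host, decoded, obfuscated = analyze_url(url)
        if not obfuscated:
            continue
        reason = "percent-encoded hostname"
        if not HOST_RE.match(decoded):
            reason += " (decodes to non-hostname characters)"
        findings.append((url, decoded, reason))
    return findings


if __name__ == "__main__":
    for url, host, reason in scan_history(SAMPLE_HISTORY):
        print(f"{reason}: {url} -> {host}")
```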


  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    A General Guide

    This is what I would do myself if this happened to me (I left a few things out and added a few things, but this is the main method, even though the order of the procedure is mixed up and the cleaner scans would be used several times).

    Check the Manage Addons of the IE Tools section and disable the unwanted addons. The item or value can be deleted in the Registry itself by using the Find of the Registry. Reset the homepage to your original selection.

    Check the Add/Remove in the Control Panel for unwanted installs and uninstall them.

    Check the C:\ for malware folders and in the C:\Program Files. Check the C:\WINDOWS and the C:\WINDOWS\system32 and the dllcache and the drivers subfolders. The folder/file search utility of the Explorer should be used in addition to manual searches.

    Check the Documents and Settings- especially the Application Data, Local Settings and Start Menus. Check all subfolders.

    Check the MSOCache and the C:\WINDOWS\system32\config\systemprofile.

    Open the C:\WINDOWS\Downloaded Program Files and double-click the unwanted program and use the Remove feature.

    Open the C:\WINDOWS\system32\drivers\etc\hosts with the notepad. Please make sure the Read-only of the Properties is unchecked and Apply and OK if changes are to be made. The only safe entry that should be there is 127.0.0.1 listed as localhost. All of the rest can be deleted- just make sure that any security application that is listed is the exact address and not a look-alike. Close the notepad and restore the Read-only of the Properties.

    Open the Properties of the NIC of the View Network Connections of the My Network Places. Click the Internet Protocol (TCP/IP) and then the Properties. Click the Advanced of the General tab and in the DNS should be your ISP DNS server(s) or a blank. Correct the DNS IP(s) if it is incorrect. Disable the LMHOSTS lookup of the WINS tab (optional: Disable the NetBIOS over TCP/IP). OK all windows and Close.

    Download and run the freeware CCleaner after and make sure the ActiveX issue of the reg cleaner is included.

    http://www.majorgeeks.com/CCleaner_S...ish_d4191.html

    Download and update and run the following freeware:

    http://www.superantispyware.com/

    http://www.ewido.net/en

    http://www.lavasoftusa.com/products/...e_personal.php

    http://www.emsisoft.com/en/software/free/

    http://www.freedrweb.com/

    http://www.sophos.com/products/free-...i-rootkit.html

    http://www.microsoft.com/technet/sys...tRevealer.mspx

    http://vil.nai.com/vil/stinger/



    Open the registry (Start>Run>type regedit and OK):

    In the HKEY_LOCAL_USER\Software\Microsoft\InternetExplorer\Main
    a) Look for the SearchPage and double-click it. Select the Modify. In the ValueData box, delete the malware entry and enter your own search.
    b) Look for the Start Page and double-click it. Select the Modify. In the ValueData box, delete the malware entry and enter your own usual start home page. Repeat this in the HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main.

    HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap>Domains> Delete any malware sites in that column. Sites such as msn.com and your security application sites and any favorites should remain. Double-click the malware site and use the delete feature. Remove all entries that are in the Ranges (only the Default should be left).

    Repeat this in the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and Ranges

    HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and Ranges

    And continue this cleaning with the HKEY_USERS\S-1-5-18\ to the end of HKEY_USERS\S-5-21-* listing.

    HKEY_LOCAL_USER and the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> delete any malware entry.


    Download and install and run the following freeware:

    http://www.download.com/Abexo-Free-R...-10434887.html

    http://www.download.com/Registry-Tra...ml?tag=lst-0-1

    Delete as best as possible all items.

    Download and run the LSP-Fix and take note of LSP entries and google the findings and then delete the malware entries, using the LSP-Fix removal utility>

    http://www.majorgeeks.com/LSP-Fix_d4180.html

    Download and run the Windows XP TCP/IP Repair and do the TCP/IP reset. This tool is always handy if some install or uninstall ruins your internet connection and Windows needs a quick repair>

    http://www.majorgeeks.com/XP_TCPIP_Repair_d4521.html

    Download and run the freeware Process Explorer and look for strange .exes and .dlls>

    http://www.microsoft.com/technet/sys...sExplorer.mspx

    Also the ListDLLs tool will show all .dlls loaded and used>

    http://www.microsoft.com/technet/sys.../ListDlls.mspx

    The freeware TCPView will show all active connections, source and destination and applications>

    http://www.microsoft.com/technet/sys...g/TcpView.mspx

    In the Services of the Administrative Tools, disable and stop the Messenger Service.

    In the DCOM Config of My Computer of the Component Services of the Administrative Tools look for any malware entry and find its value (Application ID) in the Properties and then use this value in the Find of the Registry to remove (delete) it. Also disable the Windows Messenger (disable the startup by unchecking all in the Location tab found in the Properties of the double-click of the item).

    Follow the advice for the online antivirus scans as a follow-up to ensure there is no malware and, if still having any issues, then follow the HJT advice, all from spywarewarrior.com>

    http://spywarewarrior.com/sww-help.htm

    I have the HJT logs saved. Just in case- if there is a future malware infection, then the previous clean machine logs and the infected machine's logs can be compared. This is a quick way to read the logs and use the HJT tool for most users. There are still a few registry places I would have searched, but those are not necessarily needed for you.





    Oldsod

    Message Edited by Oldsod on 12-02-2006 12:53 PM
    Best regards.
    oldsod
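The hosts-file step in the guide above (only 127.0.0.1 localhost belongs there; anything else is suspect, especially a security vendor's name pointed somewhere it should not go) can be checked mechanically. This is an added example, not code from the post: it parses a constructed hosts file and reports every mapping other than the single safe one, separating names that are sinkholed to loopback from names redirected to another address. File contents, hostnames and addresses are all constructed.

```python
import ipaddress

# Constructed sample hosts file (not from the original thread): the clean
# localhost line plus the two kinds of entry the guide says should not be there.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1       www.example-security-vendor.test   # sinkholed: update checks fail
203.0.113.10    update.example.com                  # redirected to a foreign host
"""

# The one mapping the guide says is safe to leave in place.
ALLOWED = {("127.0.0.1", "localhost")}
# Addresses used to make a name resolve to nothing useful.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.

    One line may list several names for one address; each is yielded separately.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text):
    """Return (ip, hostname, verdict) for every entry outside ALLOWED."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in ALLOWED:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "malformed address"))
            continue
        if addr in SINKHOLES or addr.is_loopback:
            verdict = "blocked (points to loopback)"
        else:
            verdict = "redirected to another host"
        findings.append((ip, name, verdict))
    return findings


if __name__ == "__main__":
    for ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict}: {name} -> {ip}")
```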
