
Thread: Recovering from Sohanad.t

  1. #1
    csmilovi (Guest)

    Recovering from Sohanad.t

    Hi,

    I'm looking for some advice. I'm a Zone Alarm subscriber, licence
    number 8ht...., license expiring in 437 days.

    I'm stuck with a virus and not sure what to do. I'll give the
    technical details later but my basic problem is that the virus is a
    keylogger which ZoneAlarm doesn't seem to be cleaning and I want to
    get my Zone Alarm updated without giving the keylogger a chance to
    "phone home". Is the correct procedure to (while offline) give the
    Zone Alarm programs pass-lock privileges and then click on the lock
    icon in the dashboard? I will then get online by plugging in an
    ethernet cable. Will this work?

    First the background. I've been in the boonies for a few months. I
    cannot get internet access where I live and thus have been off the net
    for about three months and not updating my virus definitions and I'm
    not sure what virus definitions I have been using. On 9/10/07 I did
    get a connection via ethernet in an internet cafe and attempted to
    update my virus definitions, etc. Watching the download, it appeared
    to fail in the middle of downloading the virus definitions. I pressed
    skip and thought the download had stopped, but later I noticed a
    window saying that spyware update had finished and when I looked at
    Anti-Virus/Anti-Spyware Main it told me that virus definitions had
    been updated on 9/10/06 (ie that day and time). So I'm not sure what
    virus definitions I have. At the end of this document I'll list my
    version info as ZoneAlarm is reporting it.

    Meanwhile I have been using a flash memory card to carry data between
    internet cafes and my computer and forgot to think about the
    implication of that. I've been seeing odd behavior of my computer
    such as Ctrl-Alt-Delete and regedit not working. (If I log in using
    Safe Mode as Administrator, regedit does work). My computer seems to
    be exhibiting the symptoms of Sohanad.t as it is described around the
    internet. (Sohanad.t spreads by flash memory, so this is not too
    surprising. One time I saw the effects of Sohanad.t on that flash.
    Each directory included a mysterious file .exe)

    Grepping (ie Dos version of Unix grep utility) log files finds the following "AV/treatment"s:

    tons of: AV/treatment,2007/--/--;--:--:-- +3:00 GMT,,,,Auto
    which I assume I can just ignore.

    The following two messages that happened while I was still connected to the internet and updating my virus files:
    AV/treatment,2007/05/22,15:37:14 -7:00 GMT,Trojan.Win32.Agent.acj,C:\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL,File Repair Failed,Manual
    AV/treatment,2007/05/22,15:52:46 -7:00 GMT,Trojan.Win32.Agent.acj,C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP4\A0002246.DLL,File Repair Failed,Manual

    AV/treatment,2007/09/08,10:32:52 +3:00 GMT,IM-Worm.Win32.Sohanad.t,E:\World\World.exe,File Repair Failed,Manual
    AV/treatment,2007/09/08,10:32:52 +3:00 GMT,IM-Worm.Win32.Sohanad.t,E:\resume\resume.exe,File Repair Failed,Manual

    AV/treatment,2007/09/12,22:20:02 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\WINDOWS\SSVICHOSST.exe,File Repair Failed,Auto
    AV/treatment,2007/09/12,22:21:42 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\WINDOWS\system32\SSVICHOSST.exe,File Repair Failed,Auto

    AV/treatment,2007/09/17,13:03:48 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP43\A0013124.exe,File Repair Failed,Manual
    AV/treatment,2007/09/17,13:03:50 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP43\A0013126.exe,File Repair Failed,Manual

    Neither of the files mentioned (nor the path under System Volume
    Information) exist anymore. But I seem to have the behavior of
    Sohanad.t. One of the effects is that regedit doesn't work. I managed
    to access regedit in safe mode as admin, but the How can I solve this.

    I tried to fix this manually. I could only get regedit to work logging in as admin in safe mode. (Disabling regedit is one of the effects of this virus.) Doing that I couldn't see any of the keys that the virus is supposed to change (but then, many of them are in CURRENT_USER and when I was admin, I was the wrong CURRENT_USER). So the manual fix didn't work.


    First problem:

    If I connect to the net to upgrade my ZoneAlarm, the keylogger may
    "phone home". The best solution I can think is to download the update
    using an internet cafe machine and then transfer it by flash memory,
    but I'm sure that will fail because I won't be able to simulate the
    protocol that ZoneAlarm uses to phone home and also I won't get past
    the login.

    Second problem:

    How can I get to regedit to fix this?

    Will an up-to-date Zone Alarm eliminate my current infection? The infection
    agent seems to have disappeared and ZoneAlarm no longer shows any virus conditions.

    Thanks for your help.

    Craig Smilovitz

    Zone Alarm, TrueVector, and Driver version 7.0.337.000
    Anti-virus engine version 3, DAT file version 01.20070910052000
    Anti-spyware engine version 5.0.176.0, DAT file version 01.200709.2375
    Anti-spam version 4.9.1.8211
    license: 8ht....

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite
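Because the poster is triaging these AV/treatment lines by grepping, here is an added example (not code from the thread or from ZoneAlarm) that parses that line format, drops the dashed placeholder rows, and lists which detections the scanner reported it could not clean. The sample rows are constructed from the lines quoted above, and the field meanings (detection, path, outcome, mode) are assumptions read off those lines.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed sample in the shape of the AV/treatment lines quoted in the post;
# the dashed row is the placeholder form the poster said appears in large numbers.
SAMPLE_LOG = r"""
AV/treatment,2007/--/--;--:--:-- +3:00 GMT,,,,Auto
AV/treatment,2007/09/08,10:32:52 +3:00 GMT,IM-Worm.Win32.Sohanad.t,E:\World\World.exe,File Repair Failed,Manual
AV/treatment,2007/09/12,22:20:02 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\WINDOWS\SSVICHOSST.exe,File Repair Failed,Auto
AV/treatment,2007/05/22,15:37:14 -7:00 GMT,Trojan.Win32.Agent.acj,C:\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL,File Repair Failed,Manual
FW/access,2007/09/12,22:20:02 +3:00 GMT,unrelated firewall record
"""

# "10:32:52 +3:00 GMT": clock, then a signed UTC offset written as H:MM
TIME_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) ([+-])(\d{1,2}):(\d{2}) GMT$")
@dataclass
class Treatment:
    when: datetime      # timezone-aware timestamp
    detection: str      # scanner's name for the threat, e.g. IM-Worm.Win32.Sohanad.t
    path: str           # file the scanner acted on
    outcome: str        # e.g. "File Repair Failed"
    mode: str           # Auto or Manual

def parse_treatment_log(text: str) -> list[Treatment]:
    """Return the real AV/treatment records, skipping placeholder and non-AV rows."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split(",")
        if fields[0] != "AV/treatment" or len(fields) != 7:
            continue                                   # other record types, malformed rows
        _, date, clock, detection, path, outcome, mode = fields
        if "--" in date or not detection:
            continue                                   # the dashed placeholder rows
        m = TIME_RE.match(clock)
        if not m:
            continue
        hhmmss, sign, oh, om = m.groups()
        offset = timedelta(hours=int(oh), minutes=int(om))
        tz = timezone(offset if sign == "+" else -offset)
        when = datetime.strptime(f"{date} {hhmmss}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
        events.append(Treatment(when, detection, path, outcome, mode))
    return events

def unresolved(events: list[Treatment]) -> dict[str, list[str]]:
    """Map each detection name to the paths the scanner reported it could not clean."""
    out: dict[str, list[str]] = {}
    for e in events:
        if "Failed" in e.outcome:
            out.setdefault(e.detection, []).append(e.path)
    return out
```

Running `unresolved(parse_treatment_log(SAMPLE_LOG))` on a real export gives the per-detection list of files still flagged as not cleaned, which is the set worth checking by hand in safe mode.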

  2. #2
    Join Date: Nov 2004
    Location: localhost
    Posts: 17,290

    Re: Recovering from Sohanad.t

    Hi!

    The best is to post your HijackThis log to a specialist to ensure you are clean from malware. Here: http://www.castlecops.com/f67-Hijack...ans_Oh_My.html

    Please read the mandatory steps before posting: http://www.castlecops.com/t102301-Hi...e_Posting.html

    They will also help you on the regedit issue. If you just google your problem you will find a lot of hints, for example, this: http://www.bloganything.net/632/enab...it-is-disabled

    Looks like you have been infected using an IM client. If you are using MSN Live Messenger, ensure that you have ZA scanning attachments. Options --> file transfer --> scan files for viruses --> add this string: "C:\Program Files\Zone Labs\ZoneAlarm\multiscan.exe" or browse to multiscan.exe in the ZoneAlarm directory.

    Cheers,
    Fax
