
New Virus On My Laptop


Avitar


Okay so it all started like this... I was browsing around pastebin.com and checking out all the newest "untitled" posts. Here I came upon a rather interesting one with the link to a file named "keygen.exe". Knowing me, I downloaded the file, because most uploaders link to a text paste after having someone fill out a survey. So I decided to grab this new unknown keygen in hopes of it being a breakthrough and post it on nsane.

EDIT: Here's a copy of the file that I downloaded-
http://www.mirrorcreator.com/files/WQYKGMIJ/Keygen.rar_links

My stupidity didn't occur to me at the time, so I downloaded it and just double clicked, without shadow defending my HDD and sandboxing in Comodo's Virtual OS. The file opened and did not present a GUI. So I opened Task Manager and terminated "keygen.exe". Thinking I had fixed the problem, I thought I was uninfected. Lo and behold, later while disabling startup programs, I found keygen.exe with the same Cheat Engine icon in my startup folder. Having rebooted a few times already, I knew for sure that I had been infected.

Today while randomly monitoring my active connections wondering why my internet was moving slowly and ping times were so high, I came across this screenshot:

screenshot_89.png

Right there, an unknown app was using HTTP_C to connect to 154.53.224.2.

A whois lookup on that IP revealed the following:

Results for 154.53.224.2 :
% This is the AfriNIC Whois server.

% Note: this output has been filtered.

% Information related to '154.53.0.0 - 154.53.255.255'

inetnum: 154.53.0.0 - 154.53.255.255
netname: NET-154-53-0-0
descr: __________________________
descr: This block is allocated to an organization in the ARIN
descr: region. Please query whois.arin.net for more
descr: information on the registrant.
descr: __________________________
country: MU
org: ORG-AFNC1-AFRINIC
admin-c: TEAM-AFRINIC
tech-c: TEAM-AFRINIC
status: ALLOCATED UNSPECIFIED
mnt-by: AFRINIC-HM-MNT
source: AFRINIC # Filtered
parent: 154.0.0.0 - 154.255.255.255

organisation: ORG-AFNC1-AFRINIC
org-name: African Network Information Center - (AfriNIC Ltd)
org-type: RIR
country: MU
address: 11th Floor,
address: Raffles Tower
address: Cyber City
address: Ebene
e-mail: [email protected]
phone: +230 403 5100
fax-no: +230 466 6758
admin-c: CA15-AFRINIC
tech-c: IT7-AFRINIC
mnt-ref: AFRINIC-HM-MNT
mnt-ref: AFRINIC-IT-MNT
mnt-ref: AFRINIC-DB-MNT
mnt-by: AFRINIC-HM-MNT
remarks: =======================================
remarks: For more information on AFRINIC assigned blocks,
remarks: querry whois.afrinic.net port 43, or the web based
remarks: query at http://whois.afrinic.net or www.afrinic.net
remarks: website: www.afrinic.net
remarks: Other Contacts:
remarks: ===============
remarks: [email protected] - for IP resources
remarks: [email protected] - for new members and other
remarks: inquiries.
source: AFRINIC # Filtered

role: AfriNIC TEAM
address: Raffles Tower - 11th Floor
address: Cybercity
address: Mauritius
phone: +230 403 5100
fax-no: +230 466 6758
admin-c: AA1-AFRINIC
tech-c: NG1-AFRINIC
nic-hdl: TEAM-AFRINIC
e-mail: [email protected]
mnt-by: AFRINIC-DB-MNT
source: AFRINIC # Filtered

So now I know that I have a virus that's breaking my internet connection and using my bandwidth to do something else. Now this is frightening because my internet is at 100Mbps (11 MB a second download and upload).
Someone in Africa is laughing their ass off at me because I fell for that trap. Now how do I start to remove this thing? I'm running Windows 7 Home Premium x64.
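Avitar found the culprit by eyeballing a connection monitor. On a Windows 7 box the same correlation can be done from two built-in commands, which is handy when you want to repeat the check after each reboot. The script below is an added example, not code from the post: it parses `netstat -ano` (connection to owning PID) and `wmic process get ProcessId,ExecutablePath /format:csv` (PID to image path), then flags any image that lives in a Startup, Temp or download location. The two command outputs embedded in it are constructed samples: only the IP 154.53.224.2 comes from the thread; the hostname, PIDs and paths are made up to mirror what the post describes.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not the screenshot from the post):
# one live connection to the IP named in the thread, a closed socket to the same
# IP (PID 0), and ordinary background noise.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    192.168.1.7:49182      74.125.136.103:443     ESTABLISHED     2204
  TCP    192.168.1.7:49231      154.53.224.2:80        ESTABLISHED     3212
  TCP    192.168.1.7:49240      154.53.224.2:80        TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1044
"""

# Constructed sample of `wmic process get ProcessId,ExecutablePath /format:csv`.
# wmic emits the columns alphabetically; PID 3212 is placed in the per-user Startup
# folder, which is where the OP found the second copy of keygen.exe.
WMIC_OUTPUT = """
Node,ExecutablePath,ProcessId
LAPTOP,C:\\Windows\\System32\\svchost.exe,740
LAPTOP,C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe,2204
LAPTOP,C:\\Users\\avitar\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\keygen.exe,3212
LAPTOP,,1044
"""

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_LINE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$')


def parse_netstat(text):
    """Return one dict per socket row of `netstat -ano`; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(':')      # works for `*:*` and `[::1]:80` too
        rows.append({'proto': proto, 'local': local, 'foreign_host': host.strip('[]'),
                     'foreign_port': port, 'state': state or '', 'pid': int(pid)})
    return rows


def parse_wmic_csv(text):
    """Map PID -> image path; protected/system processes come back with an empty path."""
    paths = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        paths[int(row['ProcessId'])] = row['ExecutablePath'] or None
    return paths


def classify_image(pid, path):
    """Explain why an image deserves a look, or None if nothing about its location stands out."""
    if pid == 0:
        return 'no owning process (socket already closed)'
    if not path:
        return 'image path hidden (protected or system process)'
    low = path.lower()
    if '\\start menu\\programs\\startup\\' in low:
        return 'runs from a Startup folder (persistence)'
    if '\\appdata\\local\\temp\\' in low or '\\windows\\temp\\' in low:
        return 'runs from a Temp directory'
    if '\\downloads\\' in low or '\\users\\public\\' in low:
        return 'runs from a download/public location'
    return None


def find_owners(netstat_text, wmic_text, suspect_ip):
    """Correlate every socket to `suspect_ip` with the process image behind it."""
    paths = parse_wmic_csv(wmic_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c['foreign_host'] != suspect_ip:
            continue
        image = paths.get(c['pid'])
        findings.append({'pid': c['pid'], 'state': c['state'], 'port': c['foreign_port'],
                         'image': image, 'reason': classify_image(c['pid'], image)})
    return findings


if __name__ == '__main__':
    for f in find_owners(NETSTAT_OUTPUT, WMIC_OUTPUT, '154.53.224.2'):
        print('PID %(pid)-5d %(state)-12s :%(port)-5s %(image)s' % f)
        if f['reason']:
            print('      -> ' + f['reason'])
```

On a live machine, replace the two constants with `subprocess.check_output(['netstat', '-ano'])` and the wmic command, decoded as text. Terminating the PID, as the OP did, only helps until the next logon: the Startup-folder path is the persistence, and that is what the location heuristic is meant to surface. A hash of the flagged image (certutil -hashfile on Windows 7) can then be looked up on VirusTotal without uploading the sample again.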


Hi

For my part, I'd install and run Kaspersky AV to remove it.

Otherwise, if you prefer to stay with Comodo, you could try Malwarebytes http://www.nsanedown.com/?request=16106013 which is very good at removing all sorts of crap ^_^

I have heard a lot about Malwarebytes. I shall try that tool. However, I am concerned that my internet connection will still be broken. Keep in mind that this virus poses as a legitimate internet application. I don't think an HTTP transport tool would be detected as a virus. That's why I didn't just run a full scan, because I scanned the file with COMODO and the Bitdefender engine in Advanced System Care Ultimate. Both reported it as clean. Now I also scanned the file that was in the startup folder... still reported as clean. I did a scan with virustotal.com and it was also reported as clean. So I don't think that any antivirus has a definition for this new virus. Still think Malwarebytes will find it?



Can someone please mirror the keygen for Malwarebytes for me on datafilehost or mirrorcreator.com? When I try to download the file I get the following error:

screenshot_90.png

And once again, the anti-DDoS on Nsane wants me to wait 20 mins...


screenshot_91.png



1- The IP 154.53.224.2 is related to "Cogent Communications", a multinational ISP based in the US, check this: http://www.utrace.de/?query=154.53.224.2

2- Install an AV like Kaspersky, Bitdefender, ESET or Malwarebytes... and do a full scan.

3- You can control your Internet by using a Firewall in Interactive mode

1: You're right, I've found the server that the program connected to. Here it is on a map.

screenshot_92.png

2: Doing a full scan with Comodo then Bitdefender (ASC ULT) then trying to get Malwarebytes to do another scan.

3: Comodo Firewall is literally the #1 firewall on the market. I've nuked the firewall rules and started in "Paranoid Mode" to do it all over.

I doubt any of the scanners will find it... how do we deal with a zero day threat guys? Come on, I'm sure someone reading these forums works for an AV company...

If anyone wants a copy of the virus I can zip it and upload it for them.. but beware the risk of infection.

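The whois detour above is a common trap: AfriNIC answered because the 154/8 parent is administered there, but the record it returned says the block is allocated to an ARIN-region organization and points at whois.arin.net, which is how the reply got to Cogent. Reading a record mechanically avoids attributing a connection to the wrong continent. The parser below is an added example, not code from the thread: it handles the `key: value` object format RIR servers return, detects a referral to another RIR, and refuses to report a country while a referral is outstanding, since that field then describes the registry (MU is AfriNIC's own Mauritius address), not the registrant. The first record is the inetnum object pasted in the thread; the second record and its 192.0.2.x range are constructed for contrast.

```python
import ipaddress
import re

# The inetnum object from the AfriNIC answer pasted in the thread. The org and role
# objects that followed it describe AfriNIC itself and are left out.
AFRINIC_RECORD = """\
% This is the AfriNIC Whois server.
% Note: this output has been filtered.
% Information related to '154.53.0.0 - 154.53.255.255'

inetnum:        154.53.0.0 - 154.53.255.255
netname:        NET-154-53-0-0
descr:          __________________________
descr:          This block is allocated to an organization in the ARIN
descr:          region. Please query whois.arin.net for more
descr:          information on the registrant.
descr:          __________________________
country:        MU
org:            ORG-AFNC1-AFRINIC
admin-c:        TEAM-AFRINIC
tech-c:         TEAM-AFRINIC
status:         ALLOCATED UNSPECIFIED
mnt-by:         AFRINIC-HM-MNT
source:         AFRINIC # Filtered
parent:         154.0.0.0 - 154.255.255.255
"""

# Constructed comparison record (not from the page): a range assigned directly by the
# registry that answered, so here the country field really is the registrant's.
DIRECT_RECORD = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Hosting BV
country:        NL
status:         ASSIGNED PA
source:         RIPE # Filtered
"""

RIR_SERVERS = {'whois.afrinic.net', 'whois.apnic.net', 'whois.arin.net',
               'whois.lacnic.net', 'whois.ripe.net'}


def parse_rpsl(text):
    """Split whois output into objects (blank-line separated) of key -> [values]."""
    objects, cur = [], {}
    for line in text.splitlines():
        if line.startswith('%') or line.startswith('#'):
            continue                       # server comments, not object data
        if not line.strip():
            if cur:
                objects.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(':')
        cur.setdefault(key.strip(), []).append(value.strip())
    if cur:
        objects.append(cur)
    return objects


def find_referral(obj):
    """Return another RIR's whois server named in descr/remarks, or None if none is."""
    own = 'whois.%s.net' % obj.get('source', [''])[0].split()[0].lower()
    free_text = ' '.join(obj.get('descr', []) + obj.get('remarks', []))
    for server in re.findall(r'whois\.[a-z]+\.net', free_text):
        if server in RIR_SERVERS and server != own:
            return server
    return None


def inetnum_contains(inetnum, ip):
    """True if `ip` falls inside an 'a.b.c.d - w.x.y.z' range."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split('-'))
    return lo <= ipaddress.ip_address(ip) <= hi


def summarize(record_text, ip):
    """Reduce a whois answer to the facts that matter when attributing `ip`."""
    obj = next(o for o in parse_rpsl(record_text) if 'inetnum' in o)
    referral = find_referral(obj)
    return {
        'inetnum': obj['inetnum'][0],
        'covers_ip': inetnum_contains(obj['inetnum'][0], ip),
        'answering_registry': obj['source'][0].split()[0],
        'referral': referral,
        # While a referral is outstanding the country is the registry's, not the registrant's.
        'registrant_country': None if referral else obj.get('country', [None])[0],
    }


if __name__ == '__main__':
    for label, rec, ip in (('thread', AFRINIC_RECORD, '154.53.224.2'),
                           ('constructed', DIRECT_RECORD, '192.0.2.10')):
        print(label, summarize(rec, ip))
```

When `referral` is set, the next step is to query that server (port 43, or its web interface) for the same IP and summarize that answer instead; only a record with no further referral names the organization actually holding the block.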


Regardless of what's up, you're probably gonna want to re-install Win7. That way you will restore full control of your system.

I know it's a hassle, but if you can't lick this with an AV solution, that's your only viable option (in my humble opinion).

I would start giving it serious consideration.



Here is an article about it on M$'s Malware Protection Center since you already figured out what it is.

And it's not a keylogger in general; it tries to gather passwords and information stored on your OS, not entered. The default trojan doesn't have keylogger functionality.

Here is another site with useful info about it (that it has hide functionality, can't be debugged nor executed in a sandbox).

The builder for this trojan is available to the public, so i guess that many antivirus or anti-malware vendors have it already in their databases.



jimbojet2011

Block the IP addresses with a firewall so internet traffic will be shut down.

next step is to remove the virus trojan or whatever



[Quoting Avitar's opening post above]

lolz, that's the biggest stupidity... so eager to share/grab unknown things... for what?

You don't have any proper anti-virus installed on your PC? Though I had said in the past that there's no need for anti-virus if you won't download any unknown things or visit any crap sites, but if people have the habit, like you have, of downloading any unknown files, then they must be ready for situations like these.

Well, I tried to download that file through the mirroupload link, but the download stopped at 95% as ESET NOD quarantined that file even before the download finished......

2pta495.jpg

Even you have not thought about scanning that file online... as by the VirusTotal report that you shared, all anti-virus (even my fav Microsoft Security Essentials) are saying it's kinda trojan/spy, except some FLOP crap like Comodo and Total Defender which say it's clean lmaoo.



Avitar- What you downloaded and installed was an Adware/trojan packer. The network activity is just ads that are being uploaded to your system. This sample was really packed with a great number of things like toolbars, browser helpers, download managers, etc. Really nasty.

You can see what occurred for yourself- Go into whatever application uninstaller you have and you will see a bunch of things that were installed. You will find at least 3 or 4. But to clean your computer do this:

1). download and install Malwarebytes free- let it take care of the more dodgy stuff.

2). reboot and uninstall whatever was installed on the day you ran the file(look specifically for things titled Search or Downloader. - I can't be more specific because I can't know what and how many you allowed).

If you really want to continue a malware removal discussion, I suggest you try Malwaretips. It is a great site and malware is all we do.

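The clean-up steps above boil down to a triage of the installed-programs list: anything that appeared on the day the file was run, carries no publisher, or has a bundleware-style name ("Search", "Downloader", toolbars, "helpers") goes on the uninstall list first. The script below is an added example, not code from the reply: it scores entries shaped like the values Windows keeps under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (DisplayName, Publisher and an InstallDate string in yyyymmdd form) and orders them by how many reasons they collect. The entries and the infection date 2014-03-18 are constructed, not Avitar's real list.

```python
from datetime import date

# Constructed sample shaped like the Uninstall registry values (not the OP's real
# spreadsheet). InstallDate is a yyyymmdd string there, and may be empty.
UNINSTALL_ENTRIES = [
    {'DisplayName': 'Mozilla Firefox 27.0.1 (x86 en-US)',
     'Publisher': 'Mozilla', 'InstallDate': '20140301'},
    {'DisplayName': 'COMODO Internet Security',
     'Publisher': 'COMODO Security Solutions Inc.', 'InstallDate': '20140105'},
    {'DisplayName': 'Search Toolbar',
     'Publisher': '', 'InstallDate': '20140318'},
    {'DisplayName': 'Downloader Helper',
     'Publisher': 'Acme Ads Ltd', 'InstallDate': '20140318'},
    {'DisplayName': 'Microsoft Visual C++ 2010 x64 Redistributable',
     'Publisher': 'Microsoft Corporation', 'InstallDate': '20140318'},
    {'DisplayName': 'Cheat Engine 6.3',
     'Publisher': '', 'InstallDate': ''},
]

# Name fragments the reply above tells the OP to look for, plus the usual suspects.
ADWARE_HINTS = ('search', 'downloader', 'toolbar', 'helper', 'optimizer')


def parse_install_date(raw):
    """Turn a yyyymmdd registry string into a date; None if absent or malformed."""
    if not raw or len(raw) != 8 or not raw.isdigit():
        return None
    return date(int(raw[:4]), int(raw[4:6]), int(raw[6:]))


def triage_uninstall_list(entries, infection_day, hints=ADWARE_HINTS):
    """Return [(DisplayName, [reasons])] for entries worth reviewing, most reasons first.

    `infection_day` is the yyyymmdd string for the day the dropper was executed.
    Entries that collect no reason are dropped from the result.
    """
    target = parse_install_date(infection_day)
    flagged = []
    for e in entries:
        reasons = []
        if target is not None and parse_install_date(e.get('InstallDate', '')) == target:
            reasons.append('installed on the infection day')
        if not e.get('Publisher'):
            reasons.append('no publisher recorded')
        name = e.get('DisplayName', '').lower()
        hits = [h for h in hints if h in name]
        if hits:
            reasons.append('name matches ' + ', '.join(hits))
        if reasons:
            flagged.append((e['DisplayName'], reasons))
    flagged.sort(key=lambda item: -len(item[1]))   # stable: ties keep list order
    return flagged


if __name__ == '__main__':
    for name, reasons in triage_uninstall_list(UNINSTALL_ENTRIES, '20140318'):
        print('%-48s %s' % (name, '; '.join(reasons)))
```

The output is a review queue, not an uninstall command: the constructed list deliberately includes a Visual C++ redistributable installed the same day, which collects one reason and is almost certainly legitimate, while the toolbar with no publisher, a matching name and the matching date collects three. Date alone is a weak signal; the combination is what makes an entry worth removing first.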


AVG blocked it in free mode. Remove it if you can, or, if you do banking etc., you have to do a clean install to be safe :rolleyes:



I'd use Kaspersky Rescue Disk to boot from. Look around your system and delete any bits you can find. (In appdata etc)

Then run the Scan and clean up whatever it finds.

Then reboot and run mbam, eset, hitman etc to be sure it's all gone. The more scanners the merrier. All Full Scans not quick ones.



Thank you everyone for your advice. I think a fresh install is the way to go. I'm backing up my data as we speak just in case. Here's a list of all the programs installed on my computer. I don't think I was infected with any installers since I terminated the program mere seconds after running it. All that remains is the full scan with Bitdefender. If I remove it successfully then I'll stick with my OS. If I have to reinstall, I'm moving up to 8.1.

I'm just really thankful that, unlike the average user who would be infected, I can identify exactly what file caused the problem and report comprehensively on it.

[Quoting the Adware/trojan packer reply above]

Here's a list of all the programs installed on my machine, friend. Do take a look and tell me if it installed any rogue apps please.

http://www.mirrorcreator.com/files/ACEEUQ23/Installed_Programs.xlsx_links



[Quoting Avitar's post above]

Your list looks clean to me, bro :) Good luck in your travels :)



[Quoting Avitar's post above]

Good to see you figuring out what to do. Bitdefender and Kaspersky are the best at virus removal. Next time it's recommended to back up your C partition, for example every 3 months, to save time when having trouble with the OS. Good luck.
