IM-Worm.Win32.Qucan.a / Sohanad.E

44 replies to this topic

#1
Daisuke
    Moderator
  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
This worm can easily be confused with IM-Worm.Win32.Sohanad.O.
The cleaning procedure for Sohanad.O is different (see link).

------------------
Symptoms
Start menu: Run is missing from the Start menu
Internet Explorer: Homepage changed, and editing it in "Internet Options" is not possible
Task Manager: blocked.
Yahoo Messenger: Status Message is changed

It tries to replace regedit.exe. If it succeeds, running regedit.exe reinstalls the worm.

------------------
Cleaning

1. Download Delete_YM_Qucan.zip to the desktop.

2. Download Clear/Edit YahooMessenger Status History to the desktop.

3. Download ATF Cleaner to the desktop.

4. Reboot into Safe Mode.

5. Fix the following entries with HiJackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://thecoolpics.net

O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe

O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\svhost.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


6. Delete the files:

C:\WINDOWS\system\svchost32.exe <-- this file
C:\WINDOWS\system\svhost.exe <-- this file
(Note: svchost.exe is a legitimate Microsoft file)

7. Empty the temp folders:
Double-click ATF-Cleaner.exe to start the program.
In the Main tab choose: Select All
Press the Empty Selected button.

8. Repair the Registry:
Extract 'Delete_YM_Qucan.inf' from Delete_YM_Qucan.zip to the desktop.

Right-click 'Delete_YM_Qucan.inf' and select 'Install'.

9. Reboot normally.

10. Scan the computer online:
http://www.bitdefend...m/scan8/ie.html
http://www.kaspersky.com/virusscanner

11. The worm tries to replace regedit.exe.

If regedit.exe has been replaced / deleted, you need the Windows CD.
On the Windows CD, regedit.exe is in the I386 folder. Copy it to C:\Windows and C:\Windows\system32\dllcache\

12. Open YIM-StatusEdit.exe, press "Check ALL" and then "Clear Checked".
The program is fairly unstable and crashes now and then. But it does its job if you don't press any other buttons.


Please do not post logs in this topic.
Comments / questions are welcome.


Delete_YM_Qucan.inf is improved and updated whenever needed.
Download this file only from this topic.



Edited by Daisuke, 23 November 2006 - 08:31.


#2
Dutzzu
    Junior Member
  • Group: Members
  • Posts: 33
  • Joined: 05.03.2007
hi :)

Daisuke, I followed your steps and managed to get rid of the virus :D Still, now when Windows starts I get an error message:
Windows cannot find 'C:\WINDOWS\system\lsass.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search
OK, it's nothing serious, a simple click on OK solves the problem, but if this error can be gotten rid of I'd like to know how.
That file ( c:/windows/lsass.exe ) was also infected with the same virus as C:\WINDOWS\system\svhost.exe

Thanks for your time

#3
Daisuke
    Moderator
  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
With HiJackThis, fix this line:

O4 - HKLM\..\Run: [there is a name here] C:\WINDOWS\system\lsass.exe

#4
the_angel
    Member
  • Group: Members
  • Posts: 881
  • Joined: 05.02.2007
(Note: svchost.exe is a legitimate Microsoft file)
so in the end, do we still delete it?

#5
Daisuke
    Moderator
  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
svchost.exe is legitimate if it is in the system32 folder.

And if you had read carefully, you would have seen that other names are involved here:

svchost.exe   - legitimate if it meets the condition above
svhost.exe    - worm (the "c" is missing)
svchost32.exe - worm

Edited by Daisuke, 06 April 2007 - 13:47.
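A defender-side check for the indicators listed in the cleaning steps of post #1 and for the file-name distinction in post #5, written as an added example for this thread (it is not code from the thread, from HijackThis or from any other tool mentioned here). It parses HijackThis-style lines, flags the R0/O4/O6/O7 entries quoted in step 5, and classifies the executable a Run entry launches: the real svchost.exe only in system32, the look-alike names svhost.exe / svchost32.exe as the worm, and anything else run from C:\WINDOWS\system as suspicious. The sample log and the vendor path in it are constructed.

```python
import re

# Indicators taken from posts #1 and #5 of this thread; SAMPLE_LOG below is constructed.
WORM_DIR = r"c:\windows\system"            # the worm's drop folder (NOT system32)
LOOKALIKE_NAMES = {"svhost.exe", "svchost32.exe"}
LEGIT_SVCHOST_DIR = r"c:\windows\system32"
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
EXE_IN_CMD = re.compile(r'"?(?P<exe>[^"]+?\.exe)', re.I)

def classify_exe(path):
    """'worm' for the look-alike names, 'legit' for svchost.exe in system32,
    'suspicious' for other files run from the drop folder, else 'unknown'."""
    folder, _, name = path.strip().strip('"').lower().rpartition("\\")
    if name in LOOKALIKE_NAMES:
        return "worm"
    if name == "svchost.exe":
        return "legit" if folder == LEGIT_SVCHOST_DIR else "suspicious"
    return "suspicious" if folder == WORM_DIR else "unknown"

def check_line(line):
    """Return a reason string if a HijackThis line matches a thread indicator, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "R0" and "Start Page" in body and "thecoolpics.net" in body.lower():
        return "IE start page hijacked"
    if kind == "O4" and (run := O4_RUN.match(body)) and (exe := EXE_IN_CMD.match(run["cmd"])):
        verdict = classify_exe(exe["exe"])
        if verdict in ("worm", "suspicious"):
            return f"Run entry [{run['label']}] launches {verdict} file {exe['exe']}"
    if kind == "O6" and body.endswith("Control Panel present"):
        return "Internet Options locked by IE Control Panel policy"
    if kind == "O7" and "DisableRegedit=1" in body:
        return "Registry Editor disabled by policy"
    return None

def scan_log(text):
    """List (line, reason) pairs for every flagged line of a HijackThis log."""
    return [(l.strip(), r) for l in text.splitlines() if (r := check_line(l))]

SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://thecoolpics.net
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\svhost.exe
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Vendor App\update.exe" /quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1"""
```

Running `scan_log(SAMPLE_LOG)` flags five of the six constructed lines; the quoted vendor path with a space is parsed correctly and left alone.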


#6
the_angel
    Member
  • Group: Members
  • Posts: 881
  • Joined: 05.02.2007
6. Delete the files:

C:\WINDOWS\system\svchost32.exe <-- this file
C:\WINDOWS\system\svhost.exe <-- this file
(Note: svchost.exe is a legitimate Microsoft file)
sorry, but what would you understand from that if you had no clue about viruses?

#7
Daisuke
    Moderator
  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004

Quote

Note: svchost.exe is a legitimate Microsoft file
Then you could also add "do not confuse it with the worm".

Anyway, you can't delete svchost.exe that easily.

#8
the_angel
    Member
  • Group: Members
  • Posts: 881
  • Joined: 05.02.2007
one more thing, if I haven't annoyed you enough. For the online scan I chose Kaspersky. It seems to work only with Internet Explorer. Then it asks me whether I want to install ActiveX. What do I do, install it? I'm afraid of catching another virus.

#9
Daisuke
    Moderator
  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004

Quote

It seems to work only with Internet Explorer. Then it asks me whether I want to install ActiveX. What do I do, install it? I'm afraid of catching another virus.
The online scan only works with Internet Explorer. Yes, you have to install ActiveX in order to scan.

#10
the_angel
    Member
  • Group: Members
  • Posts: 881
  • Joined: 05.02.2007
hi, no trace of svhost (the worm). I've come back with the results of the online scan.
    KASPERSKY ONLINE SCANNER REPORT
Friday, April 06, 2007 4:17:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/04/2007
Kaspersky Anti-Virus database records: 275519
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true


Scan Statistics
Total number of scanned objects 44110
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 00:40:14


I wanted a professional's opinion too, because nothing seemed wrong to me. Still, I want to hear your opinion as well.

#11
Daisuke
    Moderator
  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004

Quote

nothing seemed wrong to me
The log is clean.

#12
poki
    New Member
  • Group: Members
  • Posts: 18
  • Joined: 04.12.2004
I have a similar problem with the IM-Worm.Win32.Sohanad.O virus, but "run" is NOT missing from my menu and I do NOT have a New Folder .....
Instead, after the computer starts, svchost.exe (one of them) keeps my CPU at 100%, meaning I can't do anything anymore ....
I use the KIS 6 antivirus, updated ...
if I end this svchost.exe process from the task bar the computer returns to normal, but after a while it comes back again ......
Haven't you experienced anything like this ??? Is it a virus ??? Do you know any solution ???
Thanks

#13
Daisuke
    Moderator
  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
Read this: FIX: When you run Windows Update to scan for updates that use Windows Installer, including Office updates, CPU utilization may reach 100 percent for prolonged periods. I don't think it's the YM worm.

#14
Dutzzu
    Junior Member
  • Group: Members
  • Posts: 33
  • Joined: 05.03.2007

Daisuke, on Mar 20 2007, 20:27, said:

With HiJackThis, fix this line:

O4 - HKLM\..\Run: [there is a name here] C:\WINDOWS\system\lsass.exe


Hi again :)
Daisuke, the only lines in which C:\WINDOWS\system\lsass.exe appears are:
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system\lsass.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe

What do I do? :D

#15
Lemmy
    Senior Member
  • Group: Senior Members
  • Posts: 3,222
  • Joined: 03.05.2004

Dutzzu, on Jun 8 2007, 01:40, said:

Hi again :)
Daisuke, the only lines in which C:\WINDOWS\system\lsass.exe appears are:
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system\lsass.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe

What do I do? :D

You've got the wrong topic :P

http://forum.softped...howtopic=226500

#16
vladut07
    Junior Member
  • Group: Members
  • Posts: 45
  • Joined: 17.06.2007
I have a question too. I'm also dealing with the same SOHANAD and it's getting on my nerves. I reinstalled Windows but to no avail. I have two partitions: C:\ with Windows on it and D:\ with nothing on it, except for New Folder. I installed Windows with a format of C:\ but still nothing. Couldn't I solve the problem with a Windows reinstall, because honestly that would be somewhat easier for me. Thanks in advance, and sorry if I said something wrong. This is the first time I'm posting on a forum.

#17
Dutzzu
    Junior Member
  • Group: Members
  • Posts: 33
  • Joined: 05.03.2007

Lemmy, on Jun 8 2007, 02:14, said:


Oops, I thought it was the same virus (the same problem). My mistake :-s

Thanks for the reply/guidance, Lemmy :-)

#18
tuscu
    New Member
  • Group: Members
  • Posts: 5
  • Joined: 29.04.2006
Daisuke, please be more explicit about step 5. How exactly is that HIJACKTHIS used, and where do you get it from?
