
Thread: DVR-IMAGEN005.jpg.zip - has disabled Spybot S&R

  1. #1
    Junior Member | Join Date: Feb 2009 | Posts: 3

    DVR-IMAGEN005.jpg.zip - has disabled Spybot S&R

    Hi lads,

    Today there is some real nasty fella spreading through MSN and Yahoo messengers. It is acting really fast; within 30 minutes I found everyone on my contact list infected. Fella is smart... it provides a code-generated text along with "hey, check this out" or "could you help me with this photo, maybe you can make it look better" or... "ricky martin gay fotos", and it's always followed by a link to http://www.asdastory(dot)ws/uploadfiles/user0193/DVR-IMAGEN005.jpg.zip and information that you need to open it in Photoshop.


    Well, anyway, it's fooling people around easily, including me (however I didn't fall for the Ricky Martin thing), and it's acting fast, almost instantly resending itself to everyone from the contact list, but what's worst, it's disabling all security and security-related tools - my PC Cillin and Spybot S&D went down instantly, and now I can't even open Sysinternals Process Explorer or HijackThis.
    It's also hiding itself well from Windows Task Manager.

    I don't know if it is related, but with netstat I was able to track a process named avirarkm.exe which is connecting to 208.77.45.92:8764.

    Well... that's all I know for now; running Kaspersky online scanner at the moment and I'll keep you updated.

    cheers.
    Last edited by tashi; 2009-02-24 at 01:42. Reason: Moved from General Security Alerts, disabled link

  2. #2
    Junior Member | Join Date: Feb 2009 | Posts: 3

    Kaspersky detected the mentioned .exe as Backdoor.Win32.Delf.oax and it looks like it dealt with it. However, I still can't start antivirus software on the PC.

    update: regedit isn't starting, how fun...


    update2: Kaspersky didn't solve the problem; the program is still using messengers to resend itself,
    looks like Backdoor.Win32.Delf.oax was just part of the infection.
    Last edited by beatwerk; 2009-02-24 at 02:53.

  3. #3
    Member of Team Spybot (tashi) | Join Date: Oct 2005 | Location: USA | Posts: 30,955

    Hello beatwerk,

    If you need help in removing an infection, please follow the instructions in this link to produce a HJT log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

    Then start your own thread in the Malware Removal Forum where an analyst will advise you as soon as available.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member | Join Date: Feb 2009 | Posts: 3

    tashi - sorry if I messed up and went against forum rules, but I just wanted to inform people ASAP. Anyway, as you can see this fella is blocking HJT and all other anti-virus software from starting, so I can't even prepare the logs that you asked for.



    UPDATE: I was able to access anti-virus tools after I rebooted, logged on as Guest and then launched Spybot S&R via "run as" and selected an account with administrator rights.

    Now I really need to go to sleep as I gotta get up for work in hours - will continue fighting this fella tomorrow, but according to instructions from tashi - in a separate thread.

  5. #5
    Member of Team Spybot (tashi) | Join Date: Oct 2005 | Location: USA | Posts: 30,955

    Hi there,

    Quote (originally posted by beatwerk):
    "Anyway, as you can see this fella is blocking HJT and all other anti-virus software from starting, so I can't even prepare the logs that you asked for."

    If you post in the malware forum and say you cannot run HJT, an analyst can give instructions that may help.

    Please provide a link back to this thread.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
