Posted by zlatipln on August 26, 2008
This worm was reported in July and marks a new step in worm and virus development.
What is new is that it converts an MP3 file into a WMA file and embeds itself in it. When the file is opened, the Worm.Win32.GetCodec worm opens a web page telling you to download a new codec.
NEVER download and install codecs from unknown sites! It is 99% certain that they are worms/trojans.
If you agree to install the ‘codec’ file, a Trojan known as Trojan-Proxy.Win32.Agent.arp is downloaded to your computer, giving the hackers control of the victim’s PC.
If you got infected, use http://www.pctools.com/spyware-doctor/ to clean the worm.
Posted by zlatipln on August 19, 2008
I was surfing the net when a red alert started to appear in the tray menu. It read that Windows Security has to be updated.
It offered me a site with “XP Antivirus 2008”.
As I thought it was a Microsoft Security Center alert, I entered the site http://s c a n n e r . a n v i-s c a n n e r . c o m / 3 4 /? a d v i d = 0 0 0 0 0 0 4 6 8 3 & H T T & /Attention – better not to try to open it/
When I saw the fake system scan and the $20 price to “clean my system”, I quickly left, but it was too late.
Then Avira Antivir started to alert about viruses detected. The computer became very slow.
I restarted in Safe Mode /F8/ and ran Spyware Doctor – it found more than 20 viruses and 30 infected files. Spyware Doctor cleaned them. I had disabled System Restore in advance. /Important!/
Then I ran Avira Antivir again and cleaned 17 trojans.
Open Task Manager /Ctrl+Alt+Del/ and stop the following processes:
vav.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
xpa.exe
xpa2008.exe
Then remove the following XP Antivirus 2008 registry values:
HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid
This way I cleaned my system of that annoying malware.
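A read-only check for the process names and registry locations listed in this post, as an added example that is not part of the original post. It uses the ID `rhc7nsj0e57c` exactly as it appears in the list above and assumes the `HKEY_USERS` entry sits under each loaded user hive; it reports findings and deletes nothing.

```powershell
# Read-only audit: reports which of the post's indicators are present. Deletes nothing.
# Process names from the post, without the .exe extension (Get-Process omits it).
$processNames = 'vav', 'XPAntivirus', 'XPAntivirusUpdate', 'xpa', 'xpa2008'

# ID string as it appears in the post's registry list.
$id = 'rhc7nsj0e57c'

# Whole keys the post lists for removal.
$keys = @(
    "HKLM:\SOFTWARE\$id",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$id"
)

# Autostart value the post lists under the Run key.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = "sm$id"

$findings = @()

foreach ($p in Get-Process -Name $processNames -ErrorAction SilentlyContinue) {
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# With the error suppressed, Get-ItemProperty returns nothing when the value is absent.
$run = Get-ItemProperty -LiteralPath $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) { $findings += "Autostart value present: $runKey -> $runValue = $($run.$runValue)" }

# Assumption: the post's HKEY_USERS\Software\XP antivirus key lives under each
# loaded user hive (SID), so every hive is checked.
if (-not (Test-Path HKU:\)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue) {
    $userKey = "HKU:\$($hive.PSChildName)\Software\XP antivirus"
    if (Test-Path -LiteralPath $userKey) { $findings += "Registry key present: $userKey" }
}

if ($findings) { $findings } else { 'None of the listed indicators were found.' }
```

Running it again after cleanup confirms whether the autostart value and keys are gone.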