Help on an unknown virus!!

  • Thread starter Thread starter chuck
  • Start date Start date
C

chuck

I found that there are a lot of winxx.exe, e.g. win2.exe, win3.exe,
replicating in my "\Document and Settings\<user name>\Local Settings\Temp"
folder. One of them is active. But I cannot see it in Task Manager.
Therefore I cannot kill it. Together there is a LgSyz.dll. It is in use. I
cannot kill it at all.

My anti-virus program cannot kill it. I researched on the Internet and could
not find a solution either.

Could you help me kill this vrius? Thanks for your help.
 
chuck said:
I found that there are a lot of winxx.exe, e.g. win2.exe, win3.exe,
replicating in my "\Document and Settings\<user name>\Local Settings\Temp"
folder. One of them is active. But I cannot see it in Task Manager.
Therefore I cannot kill it. Together there is a LgSyz.dll. It is in use. I
cannot kill it at all.

My anti-virus program cannot kill it. I researched on the Internet and could
not find a solution either.

Could you help me kill this vrius? Thanks for your help.
Click to expand...

Try removing the virus by any DOS BASED ANTIVIRUS or FROM A LAN
COMPUTER(be aware that LAN COMPUTER may got infected, so If u have any
drive lock ultity or firewall then lock all the drivers of the LAN
COMPUTER then start scanning from their. Many times you can not see the
virus processes, it got hidden. Generally virus got loaded when u start
windows.
for more information check the removing section of
http://freetipsandtricks.blogspot.com (last VIRUS removing instructions)
 
I installed Nod32. Then I have a dialog coming up repeatedly from Nod32.

http://www.ucdq.com/k.exe
Probably unkonown NewHeur_PE virus

I then keep killing it. The problem is still there. All the articles from
Google about www.usdq.com are in Chinese. I cannot tell what are in those
articles. It looks like an known Asian virus. Do you know anything about
this? Thanks.
 
I found that there are a lot of winxx.exe, e.g. win2.exe, win3.exe,
replicating in my "\Document and Settings\<user name>\Local Settings\Temp"
folder. One of them is active. But I cannot see it in Task Manager.
Therefore I cannot kill it. Together there is a LgSyz.dll. It is in use. I
cannot kill it at all.

My anti-virus program cannot kill it. I researched on the Internet and could
not find a solution either.

Could you help me kill this vrius? Thanks for your help.
Click to expand...

Only download software you can validate as uncompromised - in the case
of non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendors site with a
direct download should not be trusted, the vendors sites are the safest
place to download their application.

No person of sound mind would download files from a hack site that
requires a password to access the unknown files when they are available
directly from the vendors.

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Secured2K's AntiPauper (download link/info at)
http://forums.mcafeehelp.com/viewtopic.php?t=65072

Rogue Fix - This removal tool is the property of Internet Inspiration
http://www.internetinspiration.co.uk/roguefix.htm

AdAwareSE can be found here:
http://www.lavasoft.com/download_and_buy/detection_database/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendors site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendors site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors sites, not some unknown or authorized no-
name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate like one poster has
admitted to in this group.
 
I found that there are a lot of winxx.exe, e.g. win2.exe, win3.exe,
replicating in my "\Document and Settings\<user name>\Local Settings\Temp"
folder. One of them is active. But I cannot see it in Task Manager.
Therefore I cannot kill it. Together there is a LgSyz.dll. It is in use. I
cannot kill it at all.

My anti-virus program cannot kill it. I researched on the Internet and could
not find a solution either.

Could you help me kill this vrius? Thanks for your help.
Click to expand...

Only download software you can validate as uncompromised - in the case
of non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendors site with a
direct download should not be trusted, the vendors sites are the safest
place to download their application.

No person of sound mind would download files from a hack site that
requires a password to access the unknown files when they are available
directly from the vendors.

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Secured2K's AntiPauper (download link/info at)
http://forums.mcafeehelp.com/viewtopic.php?t=65072

Rogue Fix - This removal tool is the property of Internet Inspiration
http://www.internetinspiration.co.uk/roguefix.htm

AdAwareSE can be found here:
http://www.lavasoft.com/download_and_buy/detection_database/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendors site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendors site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors sites, not some unknown or authorized no-
name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate like one poster has
admitted to in this group.
 
I found that there are a lot of winxx.exe, e.g. win2.exe, win3.exe,
replicating in my "\Document and Settings\<user name>\Local Settings\Temp"
folder. One of them is active. But I cannot see it in Task Manager.
Therefore I cannot kill it. Together there is a LgSyz.dll. It is in use. I
cannot kill it at all.

My anti-virus program cannot kill it. I researched on the Internet and could
not find a solution either.

Could you help me kill this vrius? Thanks for your help.
Click to expand...
************ REPLY SEPARATER ************
In order to delete any file, you must first stop it from executing. This may be
as simple as starting in safe mode, or stopping the particular program or
service from running in the task manager. If (and I say IF) you are able to
delete all occurrences of the file (including the DLL), your system may then
produce an error on boot-up because it cannot find the file, or the file may be
reproducing itself using a short program (like a batch file) to copy itself
from another file of a different name or over the Internet. Consequently, when
you are attempting to repair your system, always disconnect from the Internet.

The nature of the error produced on boot-up will determine the next step.

J.A. Coutts
 
From: "chuck" <[email protected]>

| I installed Nod32. Then I have a dialog coming up repeatedly from Nod32.
|
| hxxp://www .ucdq.com/ k.exe
| Probably unkonown NewHeur_PE virus
|
| I then keep killing it. The problem is still there. All the articles from
| Google about www. usdq. com are in Chinese. I cannot tell what are in those
| articles. It looks like an known Asian virus. Do you know anything about
| this? Thanks.
|

That is a password stealing Trojan !


Complete scanning result of "k.exe", processed in VirusTotal at 01/09/2007 22:27:27 (CET).

[ file data ]
* name: k.exe
* size: 24576
* md5.: 2d747c2bac72a1e87f4da7f8e7c1e985
* sha1: b751506f79b2ed72cc4d3eb590ce841ce12f94a4

[ scan result ]
AntiVir 7.3.0.21/20070109 found [BDS/Hupigon.DP]
Authentium 4.93.8/20070109 found nothing
Avast 4.7.892.0/20061230 found [Win32:Small-DJU]
AVG 386/20070109 found nothing
BitDefender 7.2/20070109 found nothing
CAT-QuickHeal 9.00/20070109 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20070109 found [Trojan.Downloader-486]
DrWeb 4.33/20070109 found [Trojan.PWS.Legmir.812]
eSafe 7.0.14.0/20070109 found [Win32.Polipos.sus]
eTrust-InoculateIT 23.73.109/20070109 found nothing
eTrust-Vet 30.3.3313/20070109 found nothing
Ewido 4.0/20070109 found nothing
F-Prot 3.16f/20070109 found nothing
F-Prot4 4.2.1.29/20070109 found nothing
Fortinet 2.82.0.0/20070109 found [suspicious]
Ikarus T3.1.0.27/20070109 found nothing
Kaspersky 4.0.2.24/20070109 found [Trojan-Downloader.Win32.Small.czl]
McAfee 4935/20070109 found [PWS-Legmir]
Microsoft 1.1904/20070109 found nothing
NOD32v2 1968/20070109 found [Win32/PSW.Legendmir.NEF]
Norman 5.80.02/20071231 found [Suspicious_F.gen]
Panda 9.0.0.4/20070109 found [Suspicious file]
Prevx1 V2/20070109 found nothing
Sophos 4.13.0/20070105 found [Mal/Behav-009]
Sunbelt 2.2.907.0/20070105 found [VIPRE.Suspicious]
TheHacker 6.0.3.146/20070108 found nothing
UNA 1.83/20070109 found nothing
VBA32 3.11.2/20070109 found [MalwareScope.Backdoor.Hupigon.10]
VirusBuster 4.3.19:9/20070109 found nothing

[ notes ]
packers: PE-ARMOR
packers: PE-Armor
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed
suspicious through heuristics.

-----------


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
This sample is detected as Trojan-Downloader.Win32.Small.czl by kapersky
antivirus you may want to try that scanner
 
Back
Top