I've been infected by terrorism.exe

  • Thread starter Thread starter Michael Farragher
  • Start date Start date
M

Michael Farragher

Very foolishly I ran the above file - now I can't access my favorite sites -
bbc.co.uk, amazon.

Can anyone tell me how I can undo the damage ?

TIA,

Michael Farragher
 
Michael Farragher said:
Very foolishly I ran the above file - now I can't access my favorite sites -
bbc.co.uk, amazon.

Can anyone tell me how I can undo the damage ?
Click to expand...

Get your data off the machine.

Reformat and reinstall the original OS from original media.

Anything less is just chasing down potentially a thousand cuts,
applying bandaids, and still likely losing the battle.
 
From: "Michael Farragher" <[email protected]>

| Very foolishly I ran the above file - now I can't access my favorite sites -
| bbc.co.uk, amazon.
|
| Can anyone tell me how I can undo the damage ?
|
| TIA,
|
| Michael Farragher
|


Please submit a sample of "terrorism.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
From: "Michael Farragher" <[email protected]>

| Very foolishly I ran the above file - now I can't access my favorite sites -
| bbc.co.uk, amazon.
|
| Can anyone tell me how I can undo the damage ?
|
| TIA,
|
| Michael Farragher
|


Please submit a sample of "terrorism.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
Click to expand...

Searching on terrorism.exe suggests it might be PWSteal.flecsip.D
which is apparently a later enough variant that I was unable to find a
description.

Art
http://home.epix.net/~artnpeg
 
From: "Art" <[email protected]>

|
| Searching on terrorism.exe suggests it might be PWSteal.flecsip.D
| which is apparently a later enough variant that I was unable to find a
| description.
|
| Art
| http://home.epix.net/~artnpeg

Thanx Art.

I didn't do much library research but I did see a few Trojans that can be represented by
that named file.
 
Thanks for the advice everyone.

I've just run RazeSpyware and I get this log :

Logfile ofRazeSpyware v160
Scan saved at 14:40:42, on 17/02/2006
Platform: Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)
MSIE: Internet Explorer build 6.0.2800.1106

[Spyware] [Cookie] [adblock.com] [Spyware cookie - adblock.com]
[Spyware] [Cookie] [cashtoolbar.com] [Spyware cookie - cashtoolbar.com]
[Spyware] [Cookie] [hitexchange.net] [Spyware cookie - hitexchange.net]
[Spyware] [Cookie] [fastclick.net] [Spyware cookie - fastclick.net]
[Spyware] [Cookie] [fastclick.net] [Spyware cookie - fastclick.net]
[Spyware] [Cookie] [fastclick.net] [Spyware cookie - fastclick.net]
[Spyware] [Cookie] [fastclick.net] [Spyware cookie - fastclick.net]
[Spyware] [Cookie] [fastclick.net] [Spyware cookie - fastclick.net]
[Spyware] [Cookie] [mediaplex.com] [Spyware cookie - mediaplex.com]
[Spyware] [Cookie] [ehg-ladbrokes.hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [doubleclick.net] [Spyware cookie - doubleclick.net]
[Spyware] [Cookie] [atdmt.com] [Spyware cookie - atdmt.com]
[Spyware] [Cookie] [adtech.de] [Spyware cookie - adtech.de]
[Spyware] [Cookie] [adtech.de] [Spyware cookie - adtech.de]
[Spyware] [Cookie] [questionmarket.com] [Spyware cookie -
questionmarket.com]
[Spyware] [Cookie] [mediaplex.com] [Spyware cookie - mediaplex.com]
[Spyware] [Cookie] [mediaplex.com] [Spyware cookie - mediaplex.com]
[Spyware] [Cookie] [hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [advertising.com] [Spyware cookie - advertising.com]
[Spyware] [Cookie] [advertising.com] [Spyware cookie - advertising.com]
[Spyware] [Cookie] [advertising.com] [Spyware cookie - advertising.com]
[Spyware] [Cookie] [ehg-autotrader.hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [servedby.advertising.com] [Spyware cookie -
advertising.com]
[Spyware] [Cookie] [servedby.advertising.com] [Spyware cookie -
advertising.com]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [connextra.com] [Spyware cookie - connextra.com]
[Spyware] [Cookie] [ehg-newsinternational.hitbox.com] [Spyware cookie -
hitbox.com]
[Spyware] [Cookie] [ehg-newsinternational.hitbox.com] [Spyware cookie -
hitbox.com]
[Spyware] [Cookie] [ehg-bskyb.hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [xmts.net] [Spyware cookie - xmts.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [ehg-capitalgroup.hitbox.com] [Spyware cookie -
hitbox.com]
[Spyware] [Cookie] [ehg-capitalgroup.hitbox.com] [Spyware cookie -
hitbox.com]
[Spyware] [Cookie] [as1.falkag.de] [Spyware cookie - falkag.de]
[Spyware] [Cookie] [as1.falkag.de] [Spyware cookie - falkag.de]
[Spyware] [Cookie] [as1.falkag.de] [Spyware cookie - falkag.de]
[Spyware] [Cookie] [as1.falkag.de] [Spyware cookie - falkag.de]
[Spyware] [Cookie] [as1.falkag.de] [Spyware cookie - falkag.de]
[Spyware] [Cookie] [ehg-cricinfo.hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [atdmt.com] [Spyware cookie - atdmt.com]
[Spyware] [Cookie] [hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]
[Spyware] [Cookie] [doubleclick.net] [Spyware cookie - doubleclick.net]
[Spyware] [Cookie] [xmts.net] [Spyware cookie - xmts.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [as-eu.falkag.net] [Spyware cookie - falkag.net]
[Spyware] [Cookie] [bluestreak.com] [Spyware cookie - bluestreak.com]
[Spyware] [Cookie] [image.masterstats.com] [Spyware cookie -
masterstats.com]
[Spyware] [Cookie] [realmedia.com] [Spyware cookie - realmedia.com]
[Spyware] [Cookie] [ccbill.com] [Spyware cookie - ccbill.com]
[Spyware] [Cookie] [vip.clickzs.com] [Spyware cookie - clickzs.com]
[Spyware] [Cookie] [vip.clickzs.com] [Spyware cookie - clickzs.com]
[Spyware] [Cookie] [adultfriendfinder.com] [Spyware cookie -
adultfriendfinder.com]
[Spyware] [Cookie] [advertising.com] [Spyware cookie - advertising.com]
[Spyware] [Cookie] [advertising.com] [Spyware cookie - advertising.com]
[Spyware] [Cookie] [advertising.com] [Spyware cookie - advertising.com]
[Spyware] [Cookie] [ehg-cricinfo.hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [connextra.com] [Spyware cookie - connextra.com]
[Spyware] [Cookie] [connextra.com] [Spyware cookie - connextra.com]
[Spyware] [Cookie] [connextra.com] [Spyware cookie - connextra.com]
[Spyware] [Cookie] [servedby.advertising.com] [Spyware cookie -
advertising.com]
[Spyware] [Cookie] [servedby.advertising.com] [Spyware cookie -
advertising.com]
[Spyware] [Cookie] [servedby.advertising.com] [Spyware cookie -
advertising.com]
[Spyware] [Cookie] [gettyimages.122.2o7.net] [Spyware cookie - 2o7.net]
[Spyware] [Cookie] [service.liveperson.net] [Spyware cookie -
liveperson.net]
[Spyware] [Cookie] [service.liveperson.net] [Spyware cookie -
liveperson.net]
[Spyware] [Cookie] [statse.webtrendslive.com] [Spyware cookie -
webtrendslive.com]
[Spyware] [Cookie] [112.2o7.net] [Spyware cookie - 2o7.net]
[Spyware] [Cookie] [adtech.de] [Spyware cookie - adtech.de]
[Spyware] [Cookie] [adtech.de] [Spyware cookie - adtech.de]
[Spyware] [Cookie] [ehg-bskyb.hitbox.com] [Spyware cookie - hitbox.com]
[Spyware] [Cookie] [statse.webtrendslive.com] [Spyware cookie -
webtrendslive.com]
[Spyware] [Cookie] [2o7.net] [Spyware cookie - 2o7.net]
[Spyware] [Cookie] [doubleclick.net] [Spyware cookie - doubleclick.net]
[Spyware] [Cookie] [adtech.de] [Spyware cookie - adtech.de]
[Spyware] [Cookie] [adviva.net] [Spyware cookie - adviva.net]



Is there an easy way of getting rid of them - rather than formatting my
machine ?
 
Thanks for the advice everyone.

I've just run RazeSpyware and I get this log :
Click to expand...

Is there an easy way of getting rid of them - rather than formatting my
machine ?
Click to expand...

You should rather be asking how to get rid of RazeSpyware:

http://sunbeltblog.blogspot.com/2006/01/raze-spyware-installs-fake-keylogger.html

Never use junk rouge apps like that. Use decent anti-spyware such as
Lavasoft's AdAware and Spybot S&D. Here's how to remove it:

http://www.2-spyware.com/review-razespyware.html?gclid=CJf828Xsn4MCFSqcLAoddwf9JQ

Art
http://home.epix.net/~artnpeg
 
Trojan.Dropper.Bush-43W is responsible for the presence of
terrorism.exe on your system. It is spread via media outlets such as
Fox, Limbaugh and Hannity. Vulnerability is limited largely to the
United States, particularly those running Southern-Baptist or
Republican operating systems. The infection runs in 8-year cycles,
and is expected to time-out or remove itself in January 2009.
 
Trojan.Dropper.Bush-43W is responsible for the presence of
terrorism.exe on your system. It is spread via media outlets such as
Fox, Limbaugh and Hannity. Vulnerability is limited largely to the
United States, particularly those running Southern-Baptist or
Republican operating systems. The infection runs in 8-year cycles,
and is expected to time-out or remove itself in January 2009.
Click to expand...

Interesting analogy. Interesting also that many Republican politicians
are terrorised by the Bush Trojan. My own generic detection worked
well, and I avoided the Trojan completely right from the beginning.
But unfortunately too many others were vulnerable and were exploited
twice. Now the widespread damage is extraordinarily costly, and it
will be a huge burden on many generations to come :(

Art
http://home.epix.net/~artnpeg
 
From: "Michael Farragher" <[email protected]>

| Thanks for the advice everyone.
|
| I've just run RazeSpyware and I get this log :

RazeSpyware is listes as a Rogue anti spyware on Spware Warrior !

http://www.spywarewarrior.com/rogue_anti-spyware.htm

You need to use only sussted anti malware utilities. RazeSpyware is not one of them.

Spyware Warrior has suggestions.



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Back
Top