the Obfustat virus

Buzzard

My aunt has the obfustat virus on her computer.

Specifically, "obfustat.UVE".

It resides in "c:\windows\system32\pccapcc.dll".

AVG free, up-to-date, detects it, but cannot delete it.
(select "heal", or "put in vault", and it thinks it did,
but the file is still there in system32).

Safe-mode boot, no difference.

I found several references to pccapcc.dll in the
registry, 2 under CLSID/{big_long_gobbledygook_keycode},
and one under windows services, so I think it's being
loaded as a service (under svchost perhaps?).

What I would like to know is:
Is pccapcc.dll a file that is supposed to be in XP and
the virus has simply infected it, or is this a bogus dll
that has no business being there in the first place?

In other words, is it safe to chop out all references to
pccapcc.dll in the registry, so that XP will allow me to
delete the file without "access denied"?
(The file permissions on pccapcc.dll look like deletion
is allowed, but any deletion attempt is still denied)

Anyone else out there had problems with an obfustat virus
that AVG couldn't remove?
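The OP's question (is the DLL a Windows component, and how is it being loaded) can be answered from a `reg export` dump before touching anything. The following is an added example, not code from the thread: it parses a constructed .reg sample and reports, for a DLL name, whether it is registered as a COM in-process server (and which key actually activates that CLSID) or as a ServiceDll hosted by svchost (and which host group). The CLSID, service name and paths in the sample are placeholders.

```python
import re

# Constructed sample .reg export; the CLSID, service name and paths are placeholders, not thread data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\pccapcc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-1111-2222-3333-444444444444}"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pccapcc]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pccapcc\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\pccapcc.dll"
"""
KEY_RE = re.compile(r"^\[(.+)\]$")           # [HKEY_...\Sub\Key]
VAL_RE = re.compile(r'^(@|"[^"]*")=(.*)$')   # "Name"="value" or @="value"

def parse_reg(text):
    """Map each key path to its {value_name: value} dict (quoted REG_SZ values only)."""
    keys, cur = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line.strip()):
            cur = m.group(1)
            keys.setdefault(cur, {})
        elif cur is not None and (m := VAL_RE.match(line.strip())):
            keys[cur][m.group(1).strip('"')] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def find_load_points(reg_text, dll_name):
    """(kind, key, detail) for every value naming dll_name: 'com' -> keys that activate the
    CLSID (an InprocServer32 entry alone loads nothing); 'service' -> the service ImagePath."""
    keys, needle, hits = parse_reg(reg_text), dll_name.lower(), []
    for key, values in keys.items():
        for name, val in values.items():
            if needle not in val.lower():
                continue
            low = key.lower()
            if "\\clsid\\" in low and low.endswith("\\inprocserver32"):
                clsid_key, clsid = key.rsplit("\\", 1)[0], key.split("\\")[-2].lower()
                users = [k for k, v in keys.items() if not k.startswith(clsid_key)
                         and clsid in (k + " ".join(v)).lower()]
                hits.append(("com", key, users))
            elif "\\services\\" in low and name.lower() == "servicedll":
                hits.append(("service", key, keys.get(key.rsplit("\\", 1)[0], {}).get("ImagePath", "")))
            else:
                hits.append(("other", key, name))
    return hits
```

A ServiceDll hosted by a running svchost group is exactly the situation in which the file stays locked and deletion is denied, so the service entry is the one to disable (and reboot) before the DLL can be removed; a CLSID registration with no activating key is inert.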
 
Here ye! Here ye! Today Buzzard <[email protected]> stormed
in alt.comp.virus on Tue, 11 Dec 2007 18:55:59 -0500 and shouted for
all to hear..
> My aunt has the obfustat virus on her computer.
>
> Specifically, "obfustat.UVE".
>
> It resides in "c:\windows\system32\pccapcc.dll".
>
> AVG free, up-to-date, detects it, but cannot delete it.
> (select "heal", or "put in vault", and it thinks it did,
> but the file is still there in system32).

Have you tried using Spybot Search & Destroy to see if it detects any
problems on the comp?

> Safe-mode boot, no difference.
>
> I found several references to pccapcc.dll in the
> registry, 2 under CLSID/{big_long_gobbledygook_keycode},
> and one under windows services, so I think it's being
> loaded as a service (under svchost perhaps?).
>
> What I would like to know is:
> Is pccapcc.dll a file that is supposed to be in XP and
> the virus has simply infected it, or is this a bogus dll
> that has no business being there in the first place?

I use Windows 98 Second Edition on this comp, my wife uses Windows XP
Home on hers. I searched her registry and found no reference to that
file, let alone the file itself on her comp. So it's safe to assume
that the file has nothing to do with Windows itself. I also did a
search for the file at Yahoo! and Google. No information at either
site on that file.

> In other words, is it safe to chop out all references to
> pccapcc.dll in the registry, so that XP will allow me to
> delete the file without "access denied"?
> (The file permissions on pccapcc.dll look like deletion
> is allowed, but any deletion attempt is still denied)
>
> Anyone else out there had problems with an obfustat virus
> that AVG couldn't remove?

Not personally since I use Norton Anti Virus version 5.0 on my comp.
But you may want to download System Mechanic (http://www.iolo.com) and
disable any rogue programs in Windows Startup Manager.

I would also recommend disabling System Restore before performing any
scans and fixing any problems if you haven't done so already.

In my search I did happen to make note that there are others out there
using AVG that say they're having the same problems removing the bug
that you're having. So you can rest assured that you're not alone.

Unfortunately I've found nothing in my searches on what the malware
is. Some sites call it a trojan, others a virus and a couple, a
rootkit.

If the IP you're posting from is your aunt's IP address and not yours,
I'd be happy to run an nmap scan on the IP to determine if there are
any ports open to the outside world that would be opened by a trojan.

I could post the results here or email. I would rather use
email to inform you of any vulnerable ports that I find opened as
opposed to posting them in a public forum as anyone with malicious
intent could use the information and cause harm or damage.
 
Sycho said:
> Here ye! Here ye! Today Buzzard <[email protected]> stormed
> in alt.comp.virus on Tue, 11 Dec 2007 18:55:59 -0500 and shouted for
> all to hear..
>
> Have you tried using Spybot Search & Destroy to see if it detects any
> problems on the comp?

So far I've only tried the AVG. It'll take me a while
to dnld the other stuff, due to the snail-slow internet
in this area. (Dialup only, and nowhere near 56k)

> I use Windows 98 Second Edition on this comp, my wife uses Windows XP
> Home on hers. I searched her registry and found no reference to that
> file, let alone the file itself on her comp. So it's safe to assume
> that the file has nothing to do with Windows itself. I also did a
> search for the file at Yahoo! and Google. No information at either
> site on that file.

My pc is win98 also. Haven't had any viruses at all since
August 2005.

What I don't like about XP is that you can't boot to plain
DOS and still get to your files. I would have deleted, or
moved, pccapcc.dll that way.

> Not personally since I use Norton Anti Virus version 5.0 on my comp.
> But you may want to download System Mechanic (http://www.iolo.com) and
> disable any rogue programs in Windows Startup Manager.
>
> I would also recommend disabling System Restore before performing any
> scans and fixing any problems if you haven't done so already.

Disabling sys restore... I'll try that next time I'm at my aunt's.
Will a functioning sys restore put the virus right back on reboot,
or only if someone reverts to an infected restore point?

> In my search I did happen to make note that there are others out there
> using AVG that say they're having the same problems removing the bug
> that you're having. So you can rest assured that you're not alone.

I'd bet AVG has been hearing some comments, then.

> Unfortunately I've found nothing in my searches on what the malware
> is. Some sites call it a trojan, others a virus and a couple, a
> rootkit.
>
> If the IP you're posting from is your aunt's IP address and not yours,
> I'd be happy to run an nmap scan on the IP to determine if there are
> any ports open to the outside world that would be opened by a trojan.

No, I'm posting from my own pc.

--
Buzzard

Thanks for the help. I'll be back later to see about
other solutions if this doesn't work, and also about
getting the aol connectivity dialer and an expired
McAfee (both of which REFUSE to uninstall) removed.
 
Here ye! Here ye! Today Buzzard <[email protected]> stormed
in alt.comp.virus on Fri, 14 Dec 2007 01:33:50 -0500 and shouted for
all to hear..
> So far I've only tried the AVG. It'll take me a while
> to dnld the other stuff, due to the snail-slow internet
> in this area. (Dialup only, and nowhere near 56k)

Ah damn. :( Well I can still hook you up with anything you might need
regardless of your connection speed.

> My pc is win98 also. Haven't had any viruses at all since
> August 2005.
>
> What I don't like about XP is that you can't boot to plain
> DOS and still get to your files. I would have deleted, or
> moved, pccapcc.dll that way.

Ah yes! That's why I still refuse to switch to XP for that very reason
alone. If I can't work straight in DOS mode there's no point in having
the OS. I shouldn't have to load a boot disk just to get to the
command prompt. That's just gay. Hell, I won't use an FTP client if I
need to upload or download anything from any of the three computers on
my network. I do that right from the command prompt. I guess I'm old
fashioned that way. lol

> Disabling sys restore... I'll try that next time I'm at my aunt's.
> Will a functioning sys restore put the virus right back on reboot,
> or only if someone reverts to an infected restore point?

I'm not really sure on that to be perfectly honest, I just know that
that's how some reinfections occur: if system restore is enabled
while ridding the problem. Another stupid feature Micro$oft added that
wasn't needed.

> I'd bet AVG has been hearing some comments, then.

It wouldn't surprise me. It's a shame that your aunt is using XP
otherwise I would have you get Norton Anti Virus v5 off my warez page.
That particular version won't run on XP unfortunately. Otherwise my
wife would have that installed on her comp immediately.

> No, I'm posting from my own pc.

Ah, ok. Well I'm guessing then that she's also on dial-up? If so it
wouldn't do any good getting the IP address to me since it would
change at every logon you/she made.

You are more than welcome at any time to connect to my IRC server
should you want to discuss this in more detail. My IRC is open 24/7 to
anyone.

Connect to 3wd.no-ip.org:9800

And the channel is #3wd.

Feel free to register your nick on there.

Syntax is: /msg nickserv register <nickname> <password> <email>
Ex: /msg nickserv register Foo skittles (e-mail address removed)

Once you've registered and want to connect at a later time, to ID use
this:

/pass <password>
Ex: /pass skittles

I don't ask that anyone use their real email address. Make up one.

If you have a CD burner I'll hook you up with anything that I think
you can use on your comp as well as your aunt's comp to clean the
infection. Most of the stuff I have is in ISO format.
 