How to remove

system32\System32\explorer.exe

Wed, 22 Feb 2012 16:49:43 +0000

Suspicious file named C:\windows\system32\System32\explorer.exe has appeared in a virus analysis report. You can see it on this link

It creates a malicious folder C:\windows\system32\System32\ . And the file explorer.exe is the name of a legitimate process of windows explorer located at C:\windows\explorer.exe

The installer of this virus is of about 168 KB. It is not yet detected by any antivirus program
It creates registry entries so that C:\windows\system32\System32\explorer.exe run at startup
It connects to suspicious IP address in the US and starts outbound traffic on port 50100

It creates fake explorer.exe and other files on the infected computer that you need to search and delete. You should end running processes named fake explorer.exe from Task Manager. And also remove the file's entries from windows startup.

Warning: It is possible that some legitimate software may be using the same file names as that of the virus files. You do not have to delete these files if they belong to some legitimate program installed on your computer. Use Windows Defender or SysInternals Process Explorer to differentiate between them. The information in this article is presented without making any claims regarding its usefulness or otherwise. If you have any objections or questions, please send a note by adding a comment at the end of this page, or mail on support(at)comprolive.com

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files occasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager.Select Processes tab. You will see a list. Look for the names fake explorer.exe in it. Select if found and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

The system configuration can be started in xp and in vista by typing msconfig in the run box/ start menu search box.
In xp by clicking on Start > run . The windows startup is reversible. You can check / uncheck any entry from windows startup any number of times. Watch a video on How to Use the Windows Startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "fake explorer.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for fake explorer.exe

Files
%AppData%\Microsoft \Crypto\RSA \S-1-5-21-606747145 -764733703- 839522115- 1003\699c4b9cd ebca7aaea5193 cae8a50098_ a7bcc1a4-f7a4- 4502-8650- 8579e60 7f7f7
C:\windows\system32\System32\explorer.exe
C:\windows\system32\System32\logse.dat

Folders
C:\windows\system32\System32

Files in Temp folder
-

Installer File
[file and pathname of the sample #1]

You can find full path of the folders for your version of windows on this link.

(We do not know the name or the location of sample #1, it could be in your default download location or on the desktop or in a Temp folder. The files and folders in the Temp folder can be automatically removed, if you use a freeware temp files/ registry cleaner software like CCleaner)

Some Common folder locations

Virus makes create their files in uncommon locations. You can find such locations on this link.

These are the folders where you should find sub folders of legitimate programs. If you find any files (exe, dll etc) at this location, they should be treated suspiciously. The other thing to look out for is randomly named folders.

Repair Hosts File

To repair/ edit the hosts file. Login as administrator. open the following file in notepad
C:\ WINDOWS \system32 \drivers \etc \hosts
remove anything other than 127.0.0.1 Localhost, and save and close the file.

Registry Keys

There are several registry modifications done by this virus. You can see the registry modifications in the report from the link above.

Using CCleaner

You can easily remove the files in the temp folder by running CCleaner. You can set CCleaner to run automatically each time the computer starts. Do not forget to run CCleaner > Registry menu to remove the obsolete registry entries.

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

Additional Information
Virus infections are complex. Most of the times a virus on the computer downloads more files and make it complicated. In my attempt to warn users about the different ways that viruses are trying to infect and ways to find them and remove, I have created videos on specific Free tools and manual methods, these videos could be of great help

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

6) A free tool from Microsoft to reset the IE settings - on Microsoft's website

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

wsock32.sys, scvhost.exe

Mon, 20 Feb 2012 11:28:30 +0000

Suspicious files names wsock32.sys, scvhost.exe have appeared in a virus analysis report. You can see it on this link

The installer of this virus is of about 63 KB. It is detected by antivirus programs as
Backdoor.Ciadoor!rem [PCTools]
Backdoor.Ciadoor [Symantec]
Backdoor.Win32.Ciadoor.cdt [Kaspersky Lab]
BackDoor-ASB.svr [McAfee]
Mal/VBDrop-G [Sophos]
Backdoor.Win32.Ciadoor [Ikarus]
packed with: MewBundle [Kaspersky Lab]
It creates registry entries so that wsock32.sys, scvhost.exe and other malicious files run at startup
It creates malicious services named Nla/Network Location Awareness (NLA), SENS/System Event Notification, SharedAccess/Windows Firewall/Internet Connection Sharing (ICS). These services were not running.
These names are similar to the names of legit windows services. The only way you might be able to differentiate is by looking at the names in the manufacturercolumn.
It stops a legitimate service named ALG/Application Layer Gateway Service. You need to start it again
Disables System Restore Settings link in the System Restore interface
Disables the System Restore tools on the Start menu
Prevents users from starting Task Manager (Taskmgr.exe)
Disables the Windows registry editors (Regedt32.exe and Regedit.exe)
It connects to suspicious IP addresses in Germany and starts download from a dubious French website

It creates wsock32.sys, scvhost.exe and other files on the infected computer that you need to search and delete. You should end running processes named wsock32.sys, scvhost.exe from Task Manager. And also remove the file's entries from windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files occasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager.Select Processes tab. You will see a list. Look for the names wsock32.sys, scvhost.exe in it. Select if found and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "wsock32.sys, scvhost.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

Restarting service

Select the services tab while still in the system configuration window. Loate and check the box in front of ALG/Application Layer Gateway Service so as to start it. )

Finding malicious services

This virus creates services with exactly same names as that of some Microsoft services. The easy way to find them is to check the box in front of "Hide All Microsoft services" and look for these names in the remaining list.
Nla/Network Location Awareness (NLA), SENS/System Event Notification, SharedAccess/Windows Firewall/Internet Connection Sharing (ICS). Stop them if you find them active or running by unchecking the boxes.

Press Apply , Press Close/Ok , Select "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for wsock32.sys, scvhost.exe

Files
C:\windows\system32\ckl009.dat
C:\windows\system32\scvhost.exe
C:\windows\system32\UgPSCgIxag.ini
C:\windows\system32\wsock32.sys

Folders
-

Files in Temp folder
-

Installer File
[file and pathname of the sample #1]

You can find full path of the folders for your version of windows on this link.

Some Common folder locations

Virus makes create their files in uncommon locations. You can find such locations on this link.

Repair Hosts File

Registry Keys

There are several registry modifications done by this virus. You can see the registry modifications in the report from the link above.

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

6) A free tool from Microsoft to reset the IE settings - on Microsoft's website

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

torrent.exe

Tue, 14 Feb 2012 07:57:38 +0000

Suspicious files name torrent.exe has appeared in a virus analysis report. You can see it on this link

The installer of this virus is of about 108 KB. It is detected by antivirus programs as
Bat/sdel [McAfee]
It creates registry entries so that torrent.exe and other malicious files run at startup
It connects to suspicious IP address in Russia and starts download from a dubious website

It creates torrent.exe and other files on the infected computer that you need to search and delete. You should end running processes named torrent.exe from Task Manager. And also remove the file's entries from windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files occasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager.Select Processes tab. You will see a list. Look for the names torrent.exe in it. Select if found and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "torrent.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for torrent.exe

Files
%AppData%\Microsoft\torrent.exe
C:\windows\system32\clean.bat

Folders
-

Files in Temp folder
-

Installer File
[file and pathname of the sample #1]

You can find full path of the folders for your version of windows on this link.

Some Common folder locations

Virus makes create their files in uncommon locations. You can find such locations on this link.

Repair Hosts File

Registry Keys

There are several registry modifications done by this virus. You can see the registry modifications in the report from the link above.

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

6) A free tool from Microsoft to reset the IE settings - on Microsoft's website

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

UpSysGrade.exe

Mon, 13 Feb 2012 09:03:47 +0000

The name UpSysGrade.exe has appeared in a virus analysis report. You can see it on this link

The installer is of about 32 KB. It could be a virus Trojan Infostealer Bancos/ Banker/Banbra.
It has threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
It may stop services ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS)
Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
It may modify the hosts file so as to redirect or block sites. Or it deletes the hosts file.
It may delete safeboot registry keys. This will prevent the computer from starting in safe mode. The remedy to this problem is to reinstall windows.
According to Symantec

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

You can read the the writeup at Symantec on this link

It creates UpSysGrade.exe and other files on the infected computer that you need to search and delete. You should also remove the entries of these files from the windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript. Keep an eye on when it becomes available.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files ocasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager. Select Processes tab. You will see a list. Look for the names UpSysGrade.exe in it. Select if found any and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "UpSysGrade.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

modified services

While still in the above window, click on Services tab. Click on "Hide All Microsoft Services". Look for ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS). If they are checked, then do nothing. If they are unchecked then you need to check them again.

Locate and Check the box in front of these services if they are unchecked. Press Apply. Press Ok/close. Click on "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for UpSysGrade.exe

Files
C:\windows\system32\AvAtualizacao.exe
C:\windows\system32\AvMaster.exe
C:\windows\system32\AVSCD1A40%ComputerName%.log
C:\windows\system32\SysGrade.exe
C:\windows\system32\SysUpGrade.exe
C:\windows\system32\UpSys.exe
C:\windows\system32\UpSysGrade.exe

Folders

Files in Temp folder
%Temp%\80EB2F5C

Installer File
[file and pathname of the sample #1]

Repair Hosts File

Registry Keys

Some of the registry keys will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

If nothing works

More often a virus makes it difficult to remove its files while you are logged in windows. It may do one of the following

1) You may see the suspicious virus process running in the task manager but can not remove it.

2) Even if you delete a virus file/ or terminate the process, the process may spawn again.

3) The virus may disable system restore, registry tools, task manager, safe boot etc.

If any of these or other things done by the virus make you think/ feel that you are not able to remove the virus files then do as follows

1) Download a Knoppix Boot only CD ISO image from in your language from one of the download links from this website.

2) Burn the ISO image on a blank CD

3) Put the Knoppix Boot disk in your computer's CD drive and boot from the CD

At the beginning of boot process you will see a prompt as boot:

Type
knoppix screen=1280x1024
knoppix screen=1024x728 or any suitable resolution that your computer supports.
If you do not specify screen resolution, the knoppix will boot with minimal resolution and you may have to use command line options which is inconvenient for a windows user.

Once the knoppix window opens, click on the folder icon in the bottom left of the screen to open the PCMan file manager. It is a graphical file manager in Knoppix. It has two panels. In the left panel you should see the partitions of your hard disk. Select the partition in which windows is installed and you will instantly see all the folders. Now you can access the contents of your folders and delete suspicious files and folders just as you would do in the windows explorer.

When you are finished. Click on Log off. Now you can Turn Off or restart. Take out the knoppix CD from your drive and you can normally boot in windows.

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

UpSys.exe

Mon, 13 Feb 2012 09:01:14 +0000

The name UpSys.exe has appeared in a virus analysis report. You can see it on this link

The installer is of about 32 KB. It could be a virus Trojan Infostealer Bancos/ Banker/Banbra.
It has threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
It may stop services ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS)
Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
It may modify the hosts file so as to redirect or block sites. Or it deletes the hosts file.
It may delete safeboot registry keys. This will prevent the computer from starting in safe mode. The remedy to this problem is to reinstall windows.
According to Symantec

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

You can read the the writeup at Symantec on this link

It creates UpSys.exe and other files on the infected computer that you need to search and delete. You should also remove the entries of these files from the windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript. Keep an eye on when it becomes available.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files ocasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager. Select Processes tab. You will see a list. Look for the names UpSys.exe in it. Select if found any and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "UpSys.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

modified services

Locate and Check the box in front of these services if they are unchecked. Press Apply. Press Ok/close. Click on "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for UpSys.exe

Folders

Files in Temp folder
%Temp%\80EB2F5C

Installer File
[file and pathname of the sample #1]

Repair Hosts File

Registry Keys

Some of the registry keys will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

If nothing works

More often a virus makes it difficult to remove its files while you are logged in windows. It may do one of the following

1) You may see the suspicious virus process running in the task manager but can not remove it.

2) Even if you delete a virus file/ or terminate the process, the process may spawn again.

3) The virus may disable system restore, registry tools, task manager, safe boot etc.

If any of these or other things done by the virus make you think/ feel that you are not able to remove the virus files then do as follows

1) Download a Knoppix Boot only CD ISO image from in your language from one of the download links from this website.

2) Burn the ISO image on a blank CD

3) Put the Knoppix Boot disk in your computer's CD drive and boot from the CD

At the beginning of boot process you will see a prompt as boot:

When you are finished. Click on Log off. Now you can Turn Off or restart. Take out the knoppix CD from your drive and you can normally boot in windows.

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

SysUpGrade.exe

Mon, 13 Feb 2012 08:56:29 +0000

The name SysUpGrade.exe has appeared in a virus analysis report. You can see it on this link

The installer is of about 32 KB. It could be a virus Trojan Infostealer Bancos/ Banker/Banbra.
It has threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
It may stop services ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS)
Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
It may modify the hosts file so as to redirect or block sites. Or it deletes the hosts file.
It may delete safeboot registry keys. This will prevent the computer from starting in safe mode. The remedy to this problem is to reinstall windows.
According to Symantec

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

You can read the the writeup at Symantec on this link

It creates SysUpGrade.exe and other files on the infected computer that you need to search and delete. You should also remove the entries of these files from the windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript. Keep an eye on when it becomes available.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files ocasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager. Select Processes tab. You will see a list. Look for the names SysUpGrade.exe in it. Select if found any and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "SysUpGrade.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

modified services

Locate and Check the box in front of these services if they are unchecked. Press Apply. Press Ok/close. Click on "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for SysUpGrade.exe

Folders

Files in Temp folder
%Temp%\80EB2F5C

Installer File
[file and pathname of the sample #1]

Repair Hosts File

Registry Keys

Some of the registry keys will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

If nothing works

More often a virus makes it difficult to remove its files while you are logged in windows. It may do one of the following

1) You may see the suspicious virus process running in the task manager but can not remove it.

2) Even if you delete a virus file/ or terminate the process, the process may spawn again.

3) The virus may disable system restore, registry tools, task manager, safe boot etc.

If any of these or other things done by the virus make you think/ feel that you are not able to remove the virus files then do as follows

1) Download a Knoppix Boot only CD ISO image from in your language from one of the download links from this website.

2) Burn the ISO image on a blank CD

3) Put the Knoppix Boot disk in your computer's CD drive and boot from the CD

At the beginning of boot process you will see a prompt as boot:

When you are finished. Click on Log off. Now you can Turn Off or restart. Take out the knoppix CD from your drive and you can normally boot in windows.

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

SysGrade.exe

Mon, 13 Feb 2012 08:53:47 +0000

The name SysGrade.exe has appeared in a virus analysis report. You can see it on this link

The installer is of about 32 KB. It could be a virus Trojan Infostealer Bancos/ Banker/Banbra.
It has threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
It may stop services ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS)
Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
It may modify the hosts file so as to redirect or block sites. Or it deletes the hosts file.
It may delete safeboot registry keys. This will prevent the computer from starting in safe mode. The remedy to this problem is to reinstall windows.
According to Symantec

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

You can read the the writeup at Symantec on this link

It creates SysGrade.exe and other files on the infected computer that you need to search and delete. You should also remove the entries of these files from the windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript. Keep an eye on when it becomes available.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files ocasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager. Select Processes tab. You will see a list. Look for the names SysGrade.exe in it. Select if found any and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "SysGrade.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

modified services

Locate and Check the box in front of these services if they are unchecked. Press Apply. Press Ok/close. Click on "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for SysGrade.exe

Folders

Files in Temp folder
%Temp%\80EB2F5C

Installer File
[file and pathname of the sample #1]

Repair Hosts File

Registry Keys

Some of the registry keys will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

If nothing works

More often a virus makes it difficult to remove its files while you are logged in windows. It may do one of the following

1) You may see the suspicious virus process running in the task manager but can not remove it.

2) Even if you delete a virus file/ or terminate the process, the process may spawn again.

3) The virus may disable system restore, registry tools, task manager, safe boot etc.

If any of these or other things done by the virus make you think/ feel that you are not able to remove the virus files then do as follows

1) Download a Knoppix Boot only CD ISO image from in your language from one of the download links from this website.

2) Burn the ISO image on a blank CD

3) Put the Knoppix Boot disk in your computer's CD drive and boot from the CD

At the beginning of boot process you will see a prompt as boot:

When you are finished. Click on Log off. Now you can Turn Off or restart. Take out the knoppix CD from your drive and you can normally boot in windows.

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

AvAtualizacao.exe

Mon, 13 Feb 2012 08:21:43 +0000

The name AvAtualizacao.exe has appeared in a virus analysis report. You can see it on this link

The installer is of about 32 KB. It could be a virus Trojan Infostealer Bancos/ Banker/Banbra.
It has threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
It may stop services ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS)
Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
It may modify the hosts file so as to redirect or block sites. Or it deletes the hosts file.
It may delete safeboot registry keys. This will prevent the computer from starting in safe mode. The remedy to this problem is to reinstall windows.
According to Symantec

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

You can read the the writeup at Symantec on this link

It creates AvAtualizacao.exe and other files on the infected computer that you need to search and delete. You should also remove the entries of these files from the windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript. Keep an eye on when it becomes available.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files ocasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager. Select Processes tab. You will see a list. Look for the names AvAtualizacao.exe in it. Select if found any and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "AvAtualizacao.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

modified services

Locate and Check the box in front of these services if they are unchecked. Press Apply. Press Ok/close. Click on "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for AvAtualizacao.exe

Folders

Files in Temp folder
%Temp%\80EB2F5C

Installer File
[file and pathname of the sample #1]

Repair Hosts File

Registry Keys

Some of the registry keys will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

If nothing works

More often a virus makes it difficult to remove its files while you are logged in windows. It may do one of the following

1) You may see the suspicious virus process running in the task manager but can not remove it.

2) Even if you delete a virus file/ or terminate the process, the process may spawn again.

3) The virus may disable system restore, registry tools, task manager, safe boot etc.

If any of these or other things done by the virus make you think/ feel that you are not able to remove the virus files then do as follows

1) Download a Knoppix Boot only CD ISO image from in your language from one of the download links from this website.

2) Burn the ISO image on a blank CD

3) Put the Knoppix Boot disk in your computer's CD drive and boot from the CD

At the beginning of boot process you will see a prompt as boot:

When you are finished. Click on Log off. Now you can Turn Off or restart. Take out the knoppix CD from your drive and you can normally boot in windows.

Reprinted with permission from Threatexpert.com

Sanjay C Rajure

avmaster.exe

Mon, 13 Feb 2012 08:14:28 +0000

The name avmaster.exe has appeared in a virus analysis report. You can see it on this link

The installer is of about 32 KB. It could be a virus Trojan Infostealer Bancos/ Banker/Banbra.
It has threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
It may stop services ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS)
Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
It may modify the hosts file so as to redirect or block sites. Or it deletes the hosts file.
It may delete safeboot registry keys. This will prevent the computer from starting in safe mode. The remedy to this problem is to reinstall windows.
According to Symantec

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

You can read the the writeup at Symantec on this link

It creates avmaster.exe and other files on the infected computer that you need to search and delete. You should also remove the entries of these files from the windows startup.

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript. Keep an eye on when it becomes available.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files ocasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager. Select Processes tab. You will see a list. Look for the names avmaster.exe in it. Select if found any and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "avmaster.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

modified services

Locate and Check the box in front of these services if they are unchecked. Press Apply. Press Ok/close. Click on "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for avmaster.exe

Folders

Files in Temp folder
%Temp%\80EB2F5C

Installer File
[file and pathname of the sample #1]

Repair Hosts File

Registry Keys

Some of the registry keys will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

more about CCleaner on this link

[Video on how to use CCleaner]

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

Tools for Windows Vista
Tools for Windows XP
Tools for Windows7

Use the System File Checker

To repair altered deleted or modified windows system files.

How to run System File Checker utility in windows XP
How to run System File Checker utility in windows Vista
How to run System File Checker utility in windows7

1) To detect and remove malicious Alternate Data Streams - Stream Armour

2) To detect and remove malicious Services - Advanced WinService Manager

3) To detect and remove viruses in Fake recycle Bin - Watch Video

4) keep an eye on suspicious connections using a Firewall - Free Comodo Firewall

5) A free tool to detect and remove unwanted BHOs - SpyBHO Remover

If nothing works

More often a virus makes it difficult to remove its files while you are logged in windows. It may do one of the following

1) You may see the suspicious virus process running in the task manager but can not remove it.

2) Even if you delete a virus file/ or terminate the process, the process may spawn again.

3) The virus may disable system restore, registry tools, task manager, safe boot etc.

If any of these or other things done by the virus make you think/ feel that you are not able to remove the virus files then do as follows

1) Download a Knoppix Boot only CD ISO image from in your language from one of the download links from this website.

2) Burn the ISO image on a blank CD

3) Put the Knoppix Boot disk in your computer's CD drive and boot from the CD

At the beginning of boot process you will see a prompt as boot:

When you are finished. Click on Log off. Now you can Turn Off or restart. Take out the knoppix CD from your drive and you can normally boot in windows.

Reprinted with permission from Threatexpert.com

Sanjay C Rajure