
Infected - Worm32:Ainslot.A


SimonJames


Hi all, have a little problem....

Worm:Win32/Ainslot.A (MSE)

Other aliases...

TROJ_GEN.UAE171Y (Trend Micro)

Trojan.Win32.Swisyn.aedl (Kaspersky)

I'm a bit of an idiot for relying solely on Microsoft Security Essentials to protect my system and this little beast is extremely effective at circumventing MSE.

I've done the best I can to quash this little bastard but I'm not 100% convinced I've been totally successful. I downloaded and ran mbam, which found and removed the virus but something else strange is going on. At start up I notice a command line window pop up for about a quarter of a second and around 3 commands being executed. This small window flashes up and then closes so fast it's not possible to read the commands, I did notice something called PH.EXE in the top left of the window border.

I'm not sure how to proceed now.

I know there's a lot of extremely intelligent people on these forums, programmers and systems guys etcetera, who know way more than I do about this sort of stuff. I myself know very little, I only use a PC for gaming and other forms of entertainment (not porn, I know you were thinking that.)

Any help, tips, advice would be gratefully received guys,

Thanks SJ.


Never rely on anything to be foolproof in terms of anti-virus.

I used MSE just to block off the brunt of viruses/worms (because it doesn't bug me about much of anything; registration etc etc) and have Malwarebytes on a flashdrive to clean my system once it's infected.

What I'd suggest you do is back everything you need/want onto a flashdrive as a preventative 'Oh Shi*' occurrence.

Next I'd suggest booting into Safe-Mode and using Malwarebytes, the free downloady thing.

Safe-Mode in Win7 is the F8 key (I always forget :P)

If you have the latest version of Malwarebytes, don't boot into Safe-Mode with networking. Just boot into Safe-Mode.

If you have an outdated version of Malwarebytes (as I did in one case) you should boot into safe mode with networking. This allows Malwarebytes to download the latest updates/definitions.

Of course, being cut off from the internet is the ideal situation so that you don't spread the virus somehow, and the virus doesn't pull something off the web somehow.

After the full scan and everything checks out, I uninstall Malwarebytes. I leave it off my system so any viruses can't affect it.

I believe Malwarebytes also has a BootScan option. That might be worth trying. Especially if the full scan doesn't work.


I believe Malwarebytes also has a BootScan option. That might be worth trying. Especially if the full scan doesn't work.

That's Avast! I believe....


Thanks Ydoow.

I've already run MalwareBytes in safe mode and it found the initial Ainslot.A worm virus and deleted it. I had no idea that the virus could actually alter MalwareBytes itself though. Another problem lay in the fact that this virus tries to copy itself to attached devices such as a flash drive, so using a flash drive to run Malwarebytes or even as a boot device may still cause problems.

I'm pretty sure that worm32:Ainslot.A has been eliminated but not before it infected my system with other malware.

Ph.exe is a Spyware.Apropos.

Ph.exe is a Browser Helper Object.

Ph.exe monitors user Internet activity and private information.

It sends stolen data to a hacker site.

Related files:

%Windir%\Downloaded Program Files\load.exe

%Windir%\Downloaded Program Files\monpop.exe

%Windir%\Downloaded Program Files\pop225.dll

%Windir%\Downloaded Program Files\pophook4.dll

%Windir%\Downloaded Program Files\PopSrv225.exe

%Temp%\auto_update_loader.exe

%Temp%\install_ct.exe

%Temp%\CXtPls.exe

%Temp%\ProxyStub.dll

%Temp%\WinGenerics.dll

%Temp%\ace.dll

%Temp%\atla.dll

%Temp%\atlw.dll

%Temp%\data.bin

%Temp%\libexpat.dll

%Temp%\ph.exe

%Temp%\pm.exe

%Temp%\setup.inf

%Temp%\uninstaller.exe

%Temp%\atl.dll

%System%\atmon.exe

%System%\intfaxui.exe

Adds the value:

'POP' = 'C:\WINDOWS\Downloaded Program Files\PopSrv225.exe'

'AutoLoaderEnvoloAutoUpdater' = 'auto_update_loader.exe'

'[random name]' = 'intfaxui.exe'

'[random name]' = 'atmon.exe'

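The related-file and Run-value list above can be turned into a host check. The script below is an added example, not code from the original post or from any product mentioned in the thread: the indicator strings are the ones the post lists, while the placeholder expansions (%Windir%, %Temp%, %System%) and the sample snapshot it scans are constructed for illustration. It matches files by full expanded path and Run values by executable name (the post gives some as bare file names and others as full paths), treating '[random name]' as a wildcard on the value name.

```python
"""Check a host snapshot for the Spyware.Apropos / ph.exe artefacts listed
above. Added example; the indicator lists come from the post, while the
placeholder expansions and the sample snapshot are constructed."""
import ntpath
import os
import re

# Related files exactly as the post lists them (placeholders kept verbatim).
RELATED_FILES = [
    r"%Windir%\Downloaded Program Files\load.exe",
    r"%Windir%\Downloaded Program Files\monpop.exe",
    r"%Windir%\Downloaded Program Files\pop225.dll",
    r"%Windir%\Downloaded Program Files\pophook4.dll",
    r"%Windir%\Downloaded Program Files\PopSrv225.exe",
    r"%Temp%\auto_update_loader.exe", r"%Temp%\install_ct.exe",
    r"%Temp%\CXtPls.exe", r"%Temp%\ProxyStub.dll", r"%Temp%\WinGenerics.dll",
    r"%Temp%\ace.dll", r"%Temp%\atla.dll", r"%Temp%\atlw.dll",
    r"%Temp%\data.bin", r"%Temp%\libexpat.dll", r"%Temp%\ph.exe",
    r"%Temp%\pm.exe", r"%Temp%\setup.inf", r"%Temp%\uninstaller.exe",
    r"%Temp%\atl.dll", r"%System%\atmon.exe", r"%System%\intfaxui.exe",
]
# Run-key values as the post lists them; '[random name]' means any value name.
RUN_VALUES = [
    "'POP' = 'C:\\WINDOWS\\Downloaded Program Files\\PopSrv225.exe'",
    "'AutoLoaderEnvoloAutoUpdater' = 'auto_update_loader.exe'",
    "'[random name]' = 'intfaxui.exe'",
    "'[random name]' = 'atmon.exe'",
]
# Assumed expansions for a default install (assumption, not from the post).
DEFAULT_ENV = {"Windir": r"C:\WINDOWS", "System": r"C:\WINDOWS\system32",
               "Temp": r"C:\Users\user\AppData\Local\Temp"}

def expand(path, env=DEFAULT_ENV):
    """Replace %Name% placeholders; unknown names are left untouched."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)

def parse_run_value(line):
    """'NAME' = 'DATA' -> (name, data); name is None for '[random name]'."""
    name, data = re.fullmatch(r"'(.*)' = '(.*)'", line).groups()
    return (None if name == "[random name]" else name, data)

def scan(files_present, run_entries, env=DEFAULT_ENV):
    """files_present: existing full paths; run_entries: {name: data} from the
    Run keys. Returns ('file', ioc) and ('run', name, data) hits."""
    hits = []
    present = {p.lower() for p in files_present}
    for ioc in RELATED_FILES:
        if expand(ioc, env).lower() in present:
            hits.append(("file", ioc))
    for line in RUN_VALUES:
        name, data = parse_run_value(line)
        for rn, rd in run_entries.items():
            name_ok = name is None or rn.lower() == name.lower()
            # Compare on the executable name: the post gives some entries as
            # bare file names and others as full paths.
            data_ok = ntpath.basename(rd).lower() == ntpath.basename(data).lower()
            if name_ok and data_ok:
                hits.append(("run", rn, rd))
    return hits

def live_snapshot():
    """Gather the same inputs from the running host (meant for Windows; the
    Run keys are skipped where winreg is unavailable)."""
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    env = {"Windir": windir, "System": ntpath.join(windir, "system32"),
           "Temp": os.environ.get("TEMP", "")}
    files = [p for p in (expand(i, env) for i in RELATED_FILES) if os.path.exists(p)]
    run = {}
    try:
        import winreg
    except ImportError:
        return files, run, env
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                run[name] = str(data)
    return files, run, env

# Constructed sample snapshot: two of the listed files and two matching Run values.
SAMPLE_FILES = [r"C:\WINDOWS\system32\atmon.exe",
                r"C:\Users\user\AppData\Local\Temp\ph.exe",
                r"C:\WINDOWS\system32\calc.exe"]
SAMPLE_RUN = {"POP": r"C:\WINDOWS\Downloaded Program Files\PopSrv225.exe",
              "xk2f9": "atmon.exe",
              "OneDrive": r"C:\Program Files\OneDrive.exe"}

if __name__ == "__main__":
    print(scan(*live_snapshot()))
```

Against the constructed snapshot, scan(SAMPLE_FILES, SAMPLE_RUN) reports the two files and the two Run values and ignores calc.exe and the OneDrive entry. On an actual Windows host the __main__ block reads the real Run keys and file system; a hit is a reason to look closer, not proof on its own, since a file name alone does not identify the program behind it.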

I had no idea that the virus could actually alter MalwareBytes itself though.

I have no idea either, but since it's my hail mary virus minesweeper, I prefer to keep it off the system just in case it can affect it.


Another thing you could do is install Linux (Ubuntu might be the best) on a Live CD. You can run Linux through a CD without actually installing it over Windows. There are programs around that can sweep out your Windows installation for viruses. Since Windows hasn't loaded, the virus can't protect itself or proliferate onto any external media.

I've never tried this before, and if you're completely new to Linux/Ubuntu I'd suggest watching a youtube video or tutorial of sorts. I'm willing to assist as well, I have Ubuntu on a laptop back home and am at least familiar with how the OS works. It's quite different from Windows, but very similar to Mac (because they're pretty much the same thing).

Also, it might be worth doing a Disc scramble after deleting the virus. CCleaner has this option where it scrambles deleted data on your HD.

I seriously had a virus that managed to survive a complete win7 reinstall and 2 HD Formats.

I believe when you delete items (in windows at least) that the data is truly just flagged as 'you can overwrite me', so it's possible for a virus to uncheck that flag, or recover itself if done quickly enough (before the data is overwritten (random/by chance)).

That's why I settled on scrambling deleted data.

It's truly meant to just protect your privacy, but I like to see it as taking an electric egg scrambler to a bacteria's DNA ^-^

Edit: as a side note, that doesn't explain why the virus survived HardDrive formats >_> That completely erases everything.

I think maybe Windows just kinda re-used the previous win7 installation directories. But idk.


Funny you should mention Linux. I was going to write about a Linux distro in my previous post above. I have a second blank HDD I use for FRAPS recordings, I may turn that into a second boot drive running Linux.

I'm fearful of continuing to use Windows for banking and email after this event. I've been a viewer of the Linux Action Show for almost 2 years now and have been meaning to give Linux a go. Maybe now is as good a time as any to try Linux. I use my PC primarily for gaming so a total crossover is not possible but I could off-load everything other than gaming into a Linux environment.


I'm in the same boat as you.

I'd like to fully switch over to Linux, but I have too many games on windows amongst a few other programs.

You could partition your second HDD, one half for Fraps, the other half Linux if it's large enough (Linux is quite small compared to windows).

I would say go Ubuntu. I actually think they just released their latest version for long term support. Or perhaps it was another Beta of it.

Ubuntu seems to be the most refined/user-friendly Linux OS as it stands.

It's widely customizable, almost to the point that it's detrimental to its user-friendliness. But it's only that way if you try, so you kinda have to be technical to lose the friendliness.

So essentially, it's user-friendly if you want it to be, and technical if you want it to be.

The biggest thing to adjust to/wrap your mind around is that you don't go around the internet downloading programs.

There's a repository full of programs that have been officially tested by the Ubuntu Dev team which you download from.

Macs do the same thing, it's a very large reason why they are so secure; you don't go around the internet downloading random programs off of random websites.

You can do it like that. But it's actually harder/more annoying to do so.


Posting using Firefox on my new Ubuntu install :)

I made an Ubuntu live USB and then booted off that, then installed Ubuntu alongside windows using my spare drive as the partition.

Was a pretty easy process, Ubuntu installed grub automatically and I now have a dual boot system, Vista-Ubuntu.

Just downloading security updates atm, once that's done I'll explore it properly. Pretty happy so far.


I've got Malwarebytes and Avast! running on my machine, and I've been good so far.

If you can, get CCleaner from Piriform. After installing it, disconnect from the 'Net so the virus is cut off. Run the scans, and delete anything that's found.

Now for the best bit: CCleaner has a 'Disk Free Space' wiper that'll overwrite all 'empty' space as completely 1s or completely 0s. You can even choose from how many times you want it to overwrite the free space, up to 32 [?] times. I'd go for the 'FBI' option, which is seven.

Repeat about three times to be ABSOLUTELY sure.

[I should mention that I've never had to do this. This is something that sounded like a good last-ditch attempt.]


Yup, that's exactly what I was describing a tad earlier.

And congrats on the install Simon :D

If you want to explore more desktop enhancement options, check out Compiz.


I've been in comp repair / clean up for 5+ years both corporate and freelance work. I came across this article which pretty much explained my exact process this entire time.

http://community.spiceworks.com/how_to/show/899

I promise you if you follow the steps it will be clean with all free software

enjoy! :D

I was once told of two ways to remove 100% of viruses from a computer

1) Format C:\

2) Magnets. Lots and lots of magnets.


Thanks for all the tips guys.

I've run most of the steps in the link given by hpearson, I ran 'HijackThis' but I've no idea what all the stuff it posts means. Anyway, this virus appears to have been flushed out as far as I can tell.

Been playing around with Ubuntu the past couple of days and I'm quite impressed with it. I've a lot to learn about Linux though, Ubuntu is my first experience of any Linux distro. I've just got to figure out how to set up a firewall. I installed Firestarter and got it running but I'm still not quite sure how to configure it properly. There's a lot of good guides out there for newbies so I'm pretty sure I'll get all the software and plugins I'll need over the next few days.

I gave Linux 110GB of my second 160GB HDD. I should have given it the full 160GB as windows will not recognise that drive at all now. The remaining 50GB I can't access under Linux because I need to log in to root apparently, not sure what that means but I'll figure it out.

My first few days of Linux have been positive so far. It's a difficult move having spent 20(ish) years with DOS/Windows and like I may have mentioned before, I'm a gamer not a programmer or systems guy so I've no real instinct with it. I should have taken a look at Linux years ago but better late than never I guess.

Thanks again guys,

SJ


'Root' is pretty equivalent to Windows' 'Administrative Powers'

You can sign in via Terminal, sorta. It's a bit different than you think. I'd suggest looking up guides, it's really the best thing to do to get an understanding.

As for the HD being unusable, it's probably just the type of format it's in. There should be a type of format used by both windows and linux, I forget which though sorry
