Urgent Need Help, Virus Detected!

Terry McCracken
Senior Member
Posts: 1300
Joined: Tue Jul 31, 2007 5:49 pm

Urgent Need Help, Virus Detected!

Post by Terry McCracken »

Please read this thread from the main lobby... DO NOT CLICK ON LINKS. It appears I've a virus trying to access a chess site!!! Unbelievable...

It's all at the bottom of the thread with the name of the virus and the filepath.

http://hiarcs.net/forums/viewtopic.php?t=259

Help Please, Regards,
Terry
Steve B
Site Admin
Posts: 10140
Joined: Sun Jul 29, 2007 10:02 am
Location: New York City USofA

Re: Urgent Need Help, Virus Detected!

Post by Steve B »

Terry McCracken wrote: Please read this thread from the main lobby... DO NOT CLICK ON LINKS. It appears I've a virus trying to access a chess site!!! Unbelievable...

It's all at the bottom of the thread with the name of the virus and the filepath.

http://hiarcs.net/forums/viewtopic.php?t=259

Help Please, Regards,
Terry
Thanks for the warning, Terry.
I have edited the links in Ted's post to make them unusable for now.

They can be restored once we are certain the links are safe for clicking.

Best Regards
Steve
Eelco de Groot
Member
Posts: 52
Joined: Tue Jul 31, 2007 5:42 pm
Location: Groningen

Re: Urgent Need Help, Virus Detected!

Post by Eelco de Groot »

Terry McCracken wrote: Please read this thread from the main lobby... DO NOT CLICK ON LINKS. It appears I've a virus trying to access a chess site!!! Unbelievable...

It's all at the bottom of the thread with the name of the virus and the filepath.

http://hiarcs.net/forums/viewtopic.php?t=259

Help Please, Regards,
Terry
Hi Terry,

It looks like Obfustat is a general name used by AVG that could be a lot of things; it could point to a polymorphic virus which, as its name implies, changes outward appearances a lot. But it could also mean a false positive. You got it immediately after connecting to the chess site so chances are high it came from there and hopefully it can be contained. A name like U.exe does sound a bit suspicious. A contained vaulted file can do no harm.

What I would do myself in such a case is first in Internet Explorer delete the temporary internet files: go to Extra -> Remove browsing history (or something like that, my version is in Dutch). Just the temporary files and cookies should be enough, then I would close down all copies of Internet Explorer. You will need the browser later again but at least the temporary files should be gone now. Then I would, if you have Java installed, go to the configuration screen in the START menu -> Java(TM) Control Panel -> tab General, Temporary Internet Files -> Settings -> Delete Files -> Ok.

Not sure if that is very effective but it can't hurt.
Then I would do a complete scan of the whole system with AVG. It is probably best to do that in Safe mode, if you know how to do that:

http://www.computerhope.com/issues/chsafe.htm

but you can also first do a scan in your normal set-up. I would do a scan of all files:

• All antivirus programs, including AVG, by default have their settings to only scan executable files in an attempt to speed up looking for infections. While most of the time this is just fine, the newest threats that can infect your computer have started getting sneaky on how they hide their files, making it easier for them to reinfect your system if your antivirus program detected and removed their executable file. To help also detect these "backup" files that the infection leaves on your system, you should, in my opinion, make a couple of changes to what your AVG scans, from just executable files to all files.

• To change AVG's settings, open AVG's Test Center. Click the Tests menu, then in both of the tests labelled Complete Test Settings and Selected Area Test Settings select Scan all Files and click the Ok button.

• Now AVG will scan all of the files when you scan your computer. This will take longer to complete, but I feel it is a small price to pay for the added security it provides.

If a complete scan does turn up problems I would post in the AVG forum, and you probably need to do a scan with HijackThis or AVG AntiSpyware (I am not sure what program they are using) and report the results of the scan.

http://forum.grisoft.cz/freeforum/list.php?4

Read the Sticky post on asking for Help there.

Some useful tips and a possible cleaning recipe here:
http://forum.grisoft.cz/freeforum/read. ... ,backpage=

To get more info on similar cases: there are a lot of conflicting posts about obfustat because it may point to different programs and have many different extensions given by AVG depending on the case, but you can see for yourself if you Google "what is obfustat".

I hope you get rid of any intruders!

Regards, Eelco
Careful! Even moonlit dewdrops,
If you’re lured to watch,
Are a wall before the truth.

- Sogyo (18th century)
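
An added example, not part of any post in this thread: the post above recommends scanning all files because a scan limited to executable extensions can miss leftover copies stored under other names. The sketch below flags files that carry a Windows PE header but no executable extension; the function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

# Extensions an "executables only" scan would typically cover (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False  # unreadable or locked files are skipped, not flagged

def find_disguised_pe(root):
    """Paths under root that are PE files but lack an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXECUTABLE_EXTS and is_pe(path):
                hits.append(path)
    return sorted(hits)

def make_sample_tree(root):
    """Constructed sample data: bare PE headers only, not real programs."""
    pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    samples = {
        "U.exe": pe,                      # PE with a normal extension
        "cache.dat": pe,                  # PE hidden behind a data extension
        "stub.bin": pe[:64],              # MZ header but no PE signature
        "photo.jpg": b"MZ" + b"\xff" * 10,  # too short to be a PE file
        "notes.txt": b"plain text",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample_tree(d)
        for hit in find_disguised_pe(d):
            print("PE content without executable extension:", hit)
```

A hit is a reason to scan or submit that file, not proof of infection; some legitimate files (for example installers' data files) also contain PE images.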
Terry McCracken
Senior Member
Posts: 1300
Joined: Tue Jul 31, 2007 5:49 pm

Re: Urgent Need Help, Virus Detected!

Post by Terry McCracken »

Eelco de Groot wrote:
Terry McCracken wrote: Please read this thread from the main lobby... DO NOT CLICK ON LINKS. It appears I've a virus trying to access a chess site!!! Unbelievable...

It's all at the bottom of the thread with the name of the virus and the filepath.

http://hiarcs.net/forums/viewtopic.php?t=259

Help Please, Regards,
Terry
Hi Terry,

It looks like Obfustat is a general name used by AVG that could be a lot of things; it could point to a polymorphic virus which, as its name implies, changes outward appearances a lot. But it could also mean a false positive. You got it immediately after connecting to the chess site so chances are high it came from there and hopefully it can be contained. A name like U.exe does sound a bit suspicious. A contained vaulted file can do no harm.

What I would do myself in such a case is first in Internet Explorer delete the temporary internet files: go to Extra -> Remove browsing history (or something like that, my version is in Dutch). Just the temporary files and cookies should be enough, then I would close down all copies of Internet Explorer. You will need the browser later again but at least the temporary files should be gone now. Then I would, if you have Java installed, go to the configuration screen in the START menu -> Java(TM) Control Panel -> tab General, Temporary Internet Files -> Settings -> Delete Files -> Ok.

Not sure if that is very effective but it can't hurt.
Then I would do a complete scan of the whole system with AVG. It is probably best to do that in Safe mode, if you know how to do that:

http://www.computerhope.com/issues/chsafe.htm

but you can also first do a scan in your normal set-up. I would do a scan of all files:

• All antivirus programs, including AVG, by default have their settings to only scan executable files in an attempt to speed up looking for infections. While most of the time this is just fine, the newest threats that can infect your computer have started getting sneaky on how they hide their files, making it easier for them to reinfect your system if your antivirus program detected and removed their executable file. To help also detect these "backup" files that the infection leaves on your system, you should, in my opinion, make a couple of changes to what your AVG scans, from just executable files to all files.

• To change AVG's settings, open AVG's Test Center. Click the Tests menu, then in both of the tests labelled Complete Test Settings and Selected Area Test Settings select Scan all Files and click the Ok button.

• Now AVG will scan all of the files when you scan your computer. This will take longer to complete, but I feel it is a small price to pay for the added security it provides.

If a complete scan does turn up problems I would post in the AVG forum, and you probably need to do a scan with HijackThis or AVG AntiSpyware (I am not sure what program they are using) and report the results of the scan.

http://forum.grisoft.cz/freeforum/list.php?4

Read the Sticky post on asking for Help there.

Some useful tips and a possible cleaning recipe here:
http://forum.grisoft.cz/freeforum/read. ... ,backpage=

To get more info on similar cases: there are a lot of conflicting posts about obfustat because it may point to different programs and have many different extensions given by AVG depending on the case, but you can see for yourself if you Google "what is obfustat".

I hope you get rid of any intruders!

Regards, Eelco
Hi Eelco!

Thanks for your advice and links! Greatly Appreciated!

I didn't delete my history as I would lose important data, but would if I had to.

Java shouldn't be a problem unless it was running or the virus spread throughout the system.

After I contained the virus (whatever it is), I did indeed run a full scan with AVG and did an Anti-Spyware/Malware check with Ad-Aware.

My system came up clean, so I'm going to delete that 28kb intruder from the Vault.

Thanks Again!

Best Regards,
Terry

P.S. Be careful with unknown Russian Sites! Grrrr!!!

P.P.S. I just did a Google search, and C:\U.exe is a trojan downloader program.

Here's the link.

http://www.viruslist.com/en/viruses/enc ... sid=152469