
CurePCSolutions, adds .exe to files


JjJames


ok your logs look clean.

 

Can you please upload one of the files renamed on Virustotal? => http://www.virustotal.com/en/indexf.html

post the result in your next reply please :P

 

 

Always says "no virus found"

 

and

 

File size: 0 bytes

MD5: d41d8cd98f00b204e9800998ecf8427e

SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

 

Is it normal that the file size says 0 bytes? Because the file is a few kb large.

And when I open "my documents" AVG antivirus gives me a warning "warning hidden extension .exe"

warningka2.jpg

Thx by the way for the help so far


Hi JjJames,

 

Welcome to Zeb'Sécurité! Thanks for coming to our forum! :P

I understood charles ingals had to leave his computer... that's why I answer!

 

Please, could you check the size on your hard disk?

- in Windows Explorer with "details" in View (to display the size)

- select one of the files / right click / Properties / have a look at the size

- copy to another drive such as a USB key or floppy disk and view on another -clean- computer (some nasties are able to hide or transform what we see)

 

As I understand it, AVG AntiVirus warns us about the dodgy name file.mp3.exe (just double extension ) but this doesn't mean the file itself is infected.

 

Sorry to maybe ask you to repeat: what happens when you rename one of the files (from file.ext.exe to file.ext)?... I read too many pages in the last hour, so I'm mixing everything up. :P

Does the file get a special icon?

Do you get a system message when you double click the file?

 

We would like to first determine if the files are infected. If not and if the size is fine, we could consider renaming the files with a program.


Hi JjJames,

File size: 0 bytes

MD5: d41d8cd98f00b204e9800998ecf8427e

SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

 

Is it normal that the file size says 0 bytes? Because the file is a few kb large.

No, you should have got the right size...

 

Here is an example of scan I just did to be sure:

Complete scanning result of "HideOutlook.exe", received in VirusTotal at 12.16.2006, 19:38:49 (CET).

 

Antivirus Version Update Result

AntiVir 7.3.0.19 12.15.2006 no virus found

...

VBA32 3.11.1 12.16.2006 no virus found

VirusBuster 4.3.19:9 12.16.2006 no virus found

 

Aditional Information

File size: 98304 bytes

MD5: 77485c4c22a33820097ab508ecad8843

SHA1: a6a7cd7a41a072826d43c27b56412ec5180767e3

98304 bytes is the good size!

 

Please, could you try the scan again?

We must ensure the files are clean!


Hi JjJames,

 

....

 

Hi

 

The files are the same size they were before they were renamed. For example an Xvid episode xxxxxxx.avi that was 350mb, is now still 350mb. But when I rename it back to .avi I can no longer play it. Not even in a program like avipreview (which can play incomplete, corrupt, avi files).

So I think that the file had been completely encoded or something.

They all used to have the same icon, and when I opened them, it would open the error message "possible virus warning" and then go to the CurePCsolutions site.

But now that I have deleted the .dll file, they no longer have an icon, and it just says that I have "no acces to the file"

This is a screenshot from the CurePCsolutions site, about the files that were renamed.

(I don't want to post the link, because of the risk of infections)

 

siteqn3.th.jpg

 

 

EDIT: The problem is, that the other files are 350MB, and that is a lot to upload :P

EDIT2: just tried one of those avi files, it also says 0 bytes, but on my pc it is 350mb

EDIT3: I renamed the file that was lijstduits.doc.exe back to .doc, and now it says

 

File size: 43008 bytes

MD5: f04fd1821ae0fd1ae871dbc3a27058c5

SHA1: 754030b18b33ae2482c6eaf399d81cfd94abf90b

 

AND

 

DrWeb 4.33 12.16.2006 Trojan.Encoder.10

Norman 5.80.02 12.15.2006 W32/Cups.A

Panda 9.0.0.4 12.16.2006 Adware/SpySheriff

Edited by JjJames

JjJames,

 

Thanks for your answer!

Hi

 

The files are the same size they were before they were renamed. For example an Xvid episode xxxxxxx.avi that was 350mb, is now still 350mb. But when I rename it back to .avi I can no longer play it. Not even in a program like avipreview (which can play incomplete, corrupt, avi files).

So I think that the file had been completely encoded or something.

They all used to have the same icon, and when I opened them, it would open the error message "possible virus warning" and then go to the CurePCsolutions site.

But now that I have deleted the .dll file, they no longer have an icon, and it just says that I have "no acces to the file"

That means the file was transformed (either corrupted or infectious). You now receive the message "no acces to the file" because the program (yes the .avi now contains some executable lines) searched for the .dll that is no longer on the disk (the one you deleted).

 

This is a screenshot from the CurePCsolutions site, about the files that were renamed.

(I don't want to post the link, because of the risk of infections)

Thanks for not posting the link... you're quite right!

 

EDIT: The problem is, that the other files are 350MB, and that is a lot to upload :P

EDIT2: just tried one of those avi files, it also says 0 bytes, but on my pc it is 350mb

I think there might be a limit of size so that VirusTotal didn't get the full file!

 

EDIT3: I renamed the file that was lijstduits.doc.exe back to .doc, and now it says

 

File size: 43008 bytes

MD5: f04fd1821ae0fd1ae871dbc3a27058c5

SHA1: 754030b18b33ae2482c6eaf399d81cfd94abf90b

 

AND

 

DrWeb 4.33 12.16.2006 Trojan.Encoder.10

Norman 5.80.02 12.15.2006 W32/Cups.A

Panda 9.0.0.4 12.16.2006 Adware/SpySheriff

 

... I go on searching and posting but I'm pessimistic for the moment!

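Added example, not part of the thread: the MD5 and SHA1 values in the 0-byte reports above are the digests of empty input, so those reports describe an empty upload rather than the file on disk. The Python code below hashes a file locally, flags that mismatch, and checks whether the leading bytes of a `name.ext.exe` file look like an executable, like the inner format, or like neither. The `triage` and `demo` names, the signature table and the sample files are constructed for illustration.

```python
import hashlib, os, pathlib, tempfile

# MD5/SHA1 of zero bytes: a report showing these means the scanner hashed
# an empty upload, not the file that is on disk.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
# Well-known leading signatures; the extension list is an illustrative subset.
MAGIC = {
    ".exe": [b"MZ"], ".avi": [b"RIFF"],
    ".doc": [bytes.fromhex("d0cf11e0a1b11ae1")],  # OLE2 compound file
    ".mp3": [b"ID3", b"\xff\xfb"],
}

def triage(path, reported_md5=None):
    """Hash a file locally and compare its content with its name(s)."""
    md5, sha1, size, head = hashlib.md5(), hashlib.sha1(), 0, b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            head = head or chunk[:16]
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    stem, outer = os.path.splitext(os.path.basename(path).lower())
    inner = os.path.splitext(stem)[1]
    def matches(ext): return any(head.startswith(m) for m in MAGIC.get(ext, []))
    findings = []
    if outer == ".exe" and inner:
        verdict = ("content-is-executable" if matches(".exe") else
                   "content-still-matches-" + inner if matches(inner) else
                   "content-matches-neither-name")
        findings += ["double-extension", verdict]
    if size > 0 and reported_md5 == EMPTY_MD5:
        findings.append("scanner-saw-empty-upload")
    return {"size": size, "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "findings": findings}

def demo():
    """Run triage over constructed sample files (not real malware)."""
    samples = {"song.mp3.exe": b"MZ" + b"\x00" * 62,
               "clip.avi.exe": b"RIFF\x10\x00\x00\x00AVI LIST",
               "list.doc.exe": bytes(range(7, 71)),
               "empty.doc": b""}
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = pathlib.Path(tmp, name)
            path.write_bytes(data)
            out[name] = triage(path, reported_md5=EMPTY_MD5)
    return out
```

A `content-matches-neither-name` result only says the leading bytes fit neither extension in the table; it does not identify what was done to the file.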

JjJames,

 

...

 

OK, thanks for looking.

I think that it's a new adware/virus, because everything I can find via Google is posts about the same problem, and all this month. So maybe some antivirus company will come with a fix or something. <crosses fingers>

And if not, then I'll just have to retype/remake the documents. :P

And this is yet another wake up call for me to take backups more often.

Luckily I didn't forget to backup my most important files (Bachelor thesis files), because the adware/virus also changed the original files.

JjJames


JjJames,

 

You're right, this sounds like a new malware!

 

If your infected files are important, don't lose them! If you have the possibility (another comp, a USB removable hard drive, etc.), make a copy of the files.

I remember years ago, malware launched at the beginning of the weekend when AV Editors were unavailable! Symantec created a removal tool on Monday!

 

I'm keeping an eye on several topics on the Internet to see what they may discover...

You spoke about another older system: could you copy a file there, just to see how it is with a clean OS? (As I said, some malware takes control of the system and shows incorrect things.)

 

Regarding CurePCSolutions, have a look at this page by pctools -> http://www.pctools.com/mrc/infections/id/A...urePCSolutions/ ; would you like to scan your system with a free copy of Spyware Doctor 4.0 which is said to detect and remove the culprit -> http://www.pctools.com/spyware-doctor/ ?


Hi JjJames,

 

After some reading, no topic has come to a solution yet!

Some compare this CurePCSolutions with this virus which encrypted files and asked for $500 to give the key and get them back! Did you delete the DLL? Or did you save it somewhere? Maybe it contains the key.

( Virus verschlüsselt Daten und verlangt Lösegeld [Virus encrypts data and demands ransom] )
