Lineage-377

system · 2006-11-03T11:39:28.000Z

hi

I’m new in this forum.

Since 1 week, Avast found a new worm trojan virus named “Win32:lineage-377”

in all my .exe file.

I have stopped this trojan by removing manually this program in the registry.

But i can’t find a cleanner on the web .

Can you help me to clean all my exe file , i will be difficult to reinstall all my exe file .

Thanks for all your response.

FreewheelinFrank · 2006-11-03T14:18:45.000Z

Hi pilletch,

According to information I found on the Web on Lineage, it doesn’t infect all .exe files on a computer in the way you describe.

Have you tried running a boot time scan with avast!?

Right click on the scanner screen and select ‘schedule a boot time scan.’

Reboot as requested.

You will see a blue screen during the scan.

It may be that during this scan, only the malware file itself will be detected, in which case, you can select the option to move the malware to the chest.

If the malware really is infecting .exe files, and you start getting a lot of detections, you can try the repair option.

There’s an example of the scanner screen here:

http://bcheck.scanit.be/bcheck/hj-images/avast-scan.png

essexboy · 2006-11-03T22:33:13.000Z

Hi Pilletch I have a fix for you from good authority. Do the following

REGEDIT4
[HKEY_CLASSES_ROOT.exe]
@=“exefile”

Merge the above with your registry. Copy the above text no space before the regedit4, no line above. Paste into notepad and save as fix.reg. Then right click the file and merge with your registry.

Then download http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe to your desktop then go to Start > Run
and paste the following into the box “%userprofile%\desktop\combofix.exe” /wow include the quote marks

On completion paste the combofix log back here

FreewheelinFrank · 2006-11-03T22:56:52.000Z

If that fails, try this:

Cut the fat off the back of a baboon Boil it down to a pound in a spoon Scoop the eyes from a fly flying backwards Take the jaws and the paws off a 'coon Take your time, ain't life for good cookin' Cause the rest of this mess ain't good lookin' Take the fleas from the knees of a demon Tell your pals and gals and come screamin' To the feast with the beast of the Mau Maus They make wine from the spine of a bulldog It's a test for the best for who stays And the feast with the beast of the Mau Maus Brush your teeth with a piece of a goose toenail After death still a breath from a drunk in jail Pull the skin off your friend with a razor blade And tonight change tomorrow bring back yesterday Shake your hip, bite your lip, shoot your mother-in-law Put on your gorilla suit, drink some elbow soup and have a ball

Sorry, Essexboy, but what is this stuff you’re recommending and why? Maybe if you explain we can all learn something, otherwise it’s just mumbo jumbo.

essexboy · 2006-11-03T23:27:46.000Z

As you may, or may not know I am currently at geeks to go training in malware removal, I have reached the stage where I have access to a lot of information and highly experienced people. Basically the exe association is being reset and the lineage infection is being removed with a tool designed to remove it. In fact if you download the tool and just run it it from the desktop with no run switches this is the report you get obviously mine is clean so there will be no deletions

Martin - 06-11-03 23:20:56.78 Service Pack 2 ComboFix 06.10.19 - Running from: "D:\Downloads"
((((((((((((((((((((((((((((((( Files Created from 2006-10-03 to 2006-11-03 ))))))))))))))))))))))))))))))))))

2006-11-02 09:48 8,704 --a------ C:\WINDOWS\system32\CNMVS7K.DLL
2006-11-02 09:48 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-11-02 09:48 140,288 --a------ C:\WINDOWS\system32\CNMLM7K.DLL
2006-11-02 09:47 69,632 --a------ C:\WINDOWS\system32\CNCI150.DLL
2006-11-02 09:47 49,152 --a------ C:\WINDOWS\system32\cncisco.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-03 23:06 -------- d-------- C:\Program Files\Big Kahuna Reef
2006-11-02 17:45 -------- d-------- C:\Program Files\Charm Solitaire

2006-08-11 20:42 155715 --a------ C:\WINDOWS\system32\nvsvc32.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe”
“ccleaner”=“"C:\Program Files\CCleaner\ccleaner.exe" /AUTO”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“Zone Labs Client”=“"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"”
“SoundMan”=“SOUNDMAN.EXE”
“SpeedTouch USB Diagnostics”=“"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon”
“NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
“Windows Defender”=“"C:\Program Files\Windows Defender\MSASCui.exe" -hide”

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
“DeskHtmlVersion”=dword:00000110
“DeskHtmlMinorVersion”=dword:00000005
“Settings”=dword:00000001
“GeneralFlags”=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
“Source”=“About:Home”
“SubscribedURL”=“About:Home”
“FriendlyName”=“My Current Home Page”
“Flags”=dword:00000002
“Position”=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,00,00,00,
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
“CurrentState”=hex:04,00,00,40
“OriginalStateInfo”=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,
00,00,04,00,00,40
“RestoredStateInfo”=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,
00,00,01,00,00,00

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
“{438755C2-A8BA-11D1-B96B-00A0C90312E1}”=“Browseui preloader”
“{8C7461EF-2B13-11d2-BE35-3078302C2030}”=“Component Categories cache daemon”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{AEB6717E-7E19-11d0-97EE-00C04FD91972}”=“”
“{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}”=“Microsoft AntiMalware ShellExecuteHook”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
“NoLogoff”=hex:01,00,00,00
“NoRecentDocsMenu”=hex:01,00,00,00
“NoRecentDocsHistory”=hex:01,00,00,00
“NoRecentDocsNetHood”=hex:01,00,00,00
“NoComputersNearMe”=hex:01,00,00,00
“NoSMMyDocs”=hex:01,00,00,00
“NoSMMyPictures”=hex:01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“dontdisplaylastusername”=dword:00000000
“legalnoticecaption”=“”
“legalnoticetext”=“”
“shutdownwithoutlogon”=dword:00000001
“undockwithoutlogon”=dword:00000001

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
“PostBootReminder”=“{7849596a-48ea-486e-8937-a2a3009f31a9}”
“CDBurn”=“{fbeb8a05-beee-4442-804e-409d6c4515e9}”
“WebCheck”=“{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”
“SysTray”=“{35CEC8A3-2BE6-11D2-8773-92E220524153}”
“WPDShServiceObj”=“{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”
“nwiz”=“nwiz.exe /install”

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061008-172253-527
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
backup-20061008-172204-605
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061008-172203-925
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061005-163948-607
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
backup-20061005-163948-690
R3 - Default URLSearchHook is missing
backup-20060929-184442-810
O4 - HKCU..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe

Contents of the ‘Scheduled Tasks’ folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-03 23:21:52.20
C:\ComboFix.txt … 06-11-03 23:21

It can cure SSk L2M Purity plus others

polonus · 2006-11-04T00:10:37.000Z

Hi essexboy,

It won’t be long now before you can write your own bfu soeperman files. I guess that the combofix also runs inside a bfu (brute force uninstaller). FwF should know now that there is more between heaven and earth than the old hjt or the basic scan, there are various tools of the trade in the malware fighter’s toolbox.

Preventing these malware vectors from entering using the right protection through patching, blocking the main malware vectors, is to be preferred, but people have to get accustomed to these routines.

Keep these nice cleansing routines firing up.

polonus

FreewheelinFrank · 2006-11-04T10:49:32.000Z

Thanks essexboy,

I knew you’d been to Hogwart’s, picking up the esoteric arts: hopefully we can pick up a few trade secrets to use in the future in similar circumstances!

The first part of your advice seems to be intended to reset exe file association, I think, similar to here?

http://thelazyadmin.com/index.php?/archives/201-Reset-EXE-File-Association.html

What are the symptoms of a broken exe file association? pilletch complained of Lineage detection in all exe files. Is Lineage somehow associating itself with exe files? The references I found to Lineage don’t mention anything like this.

http://www.sophos.com/security/analyses/trojlineageo.html

I’ve come across ComboFix before: it produces a HijackThis! like report with the addition of a list of recently created files, and also removes some types of malware:

ComboFix specifically targets SurfSideKick, QooLogic, Look2Me or any combination of that group.
It also nicely picks out Vundo infections and clears some, but not all.

http://www.windowsbbs.com/showthread.php?t=57442

I can’t find any mention of ComboFix removing Lineage. Is Lineage-377 in fact something different from the spyware Trojan Lineage-O?

Thanks.

FwF

essexboy · 2006-11-04T11:18:44.000Z

I knew you'd been to Hogwart's, picking up the esoteric arts:

I like that. ;D

I can't find any mention of ComboFix removing Lineage. Is Lineage-377 in fact something different from the spyware Trojan Lineage-O?

I am in contact with the Author as he is working hard to kill the newest menace Borlan. And that is a B***h to get rid of, as I am doing a deliberately infected machine at the moment trying to clear it . The programme itself is being continuously updated, but the best thing on the report is the file creation dates for 1 month and 3 months, that way you can find the sneaky ones…

I am still not 100% competent/confident but I am getting there. I will though start taking a few more malware threads as I get the experience. At the moment I am doing logs on G2G but my fixes are being scrutinised before posting

Announcements