Malware fixes and work-arounds!

Hi malware fighters,

If you have just experienced a svchost.exe crash, where an unknown module crashed at 0x0000000000 or an Error-bucket 738702451, then this could be due to malware but also to a module crash (browser). You could try this:
Start/Run the command called regedit.exe (Registry editor). Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters and on the right side, double-click TransportBindName, press delete and give it an empty value. That will close port 445.
Also, go to HKEY_LOCAL_MACHINE\Software\Microsoft\OLE and change the value of EnableDCOM from Y to the value N; that will close port 135.
If you know how, you may also disable NetBIOS. Restart the computer and the bug might be gone.
Or work this with a tool called wwdc: http://www.softpedia.com/get/Security/Firewall/Windows-Worms-Doors-Cleaner.shtml

polonus

@ polonus

My DSL modem closes ports 135 and 445 so that tweak is un-necessary.

GRC Port Authority Report created on UTC: 2009-12-25 at 02:10:28

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
0 Ports Closed

26 Ports Stealth

26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

https://www.grc.com/x/ne.dll?bh0bkyd2

wwdc does not work on Windows 7

Hi YoKenny,

The newer operating systems like Vista and W7 have more protection aboard here.
wwdc is for users of XP SP3, which OS should only be run securely with normal user rights and utmost caution, so that it will not become the malware ghetto system, a situation for the coming years that has been predicted by anti-malware vendors.

polonus

Hi malware fighters,

Regedit won’t work, and this could be because you, an administrator or malware intervened.

Unless you or an administrator has applied this policy in your system for the users,
it is safe to have freefixer or HijackThis fix this entry (one of the so-called O7 restrictions):

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
(there could also be one or more additional O4 entries involved with worms and trojans of this sort)

The malcreants changed a registry key without the victim noticing,
so one can no longer access regedit.

It is a component of malware or spyware;
you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the forum.
Name of trojan activity: DisableRegedit
HijackThis Category: O7
HijackThis Line:

O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Description: A disabled Regedit tool is a signature of trojan activity

How to remove: Use HijackThis, freefixer or Use Malwarebytes Antimalware

A work-around is to download freefixer.
You find it here: (http://www.freefixer.com/static/freefixersetup.exe).
Install, perform a scan and maybe you encounter this item:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

That is the cause of your predicament. Select this item and click “fix checked”
and then restart your computer.

How to use MBAM here:
Download MalwareBytes’ Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe
then download it onto your desktop.
Double click mbam-setup.exe to install the program.

See to it that after install there are tags next to:
Update MalwareBytes’ Anti-Malware
Start MalwareBytes’ Anti-Malware
Then click “Finish”.
Whenever an update is available, that will be downloaded and installed.
As soon as the program is started, go to the tab window “General Settings”.
Here you tag: “Close Internet Explorer during removal of malware”.
Then go to tab window “Scanner”, choose “Quick Scan”.
Then click “Scan” to start the scan.
Scanning may take a while, so be patient.
When the scan has finished, you click OK, then click “View results” to see the results.
See to it that everything is tagged there, and then click: “Remove selected”.
After removal a log will open and you will be asked to restart the computer.
The log will automatically be saved by MalwareBytes’ Anti-Malware
and can be found by clicking the “Logs” tab inside the program.

Now a practical example description of a worm that disables regedit
in this fashion and how to remove it can be found here:
http://www.quickheal.co.in/alerts/archives/alerts-Worm-VB-jp.asp

polonus

Hello, I recently downloaded avast 4.8 home edition but I always get this message: avast: alert in the mail check. avast will not be able to protect incoming mail (IMAP protocol), outgoing mail (POP3) and news (NNTP protocol). Error: 10022. Check that the e-mail scanner is not blocked by the firewall. What can I do? Please help me!!!

The Undeletable SafeBoot Key

Hello friends,

I present you a new program to create the SafeBoot registry key with special permissions protecting it from deletion. After using this new program, you’ll be able to restore the SafeBoot registry keys with my .REG files.

Many malware samples delete the SafeBoot registry key to prevent you from booting into Safe Mode. I provide a registry fix to restore these keys.

here: Didier Stevens’ blog

Hope it helps all malware fighters.

Thanks
nmb
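As an added example, not code from any of the posts above, the registry values discussed in the port-closing tweak (TransportBindName, EnableDCOM), the DisableRegedit O7 entry and the SafeBoot post can be checked read-only with this PowerShell script; it changes nothing. The SafeBoot location under Control\SafeBoot with its Minimal and Network subkeys is my assumption, since the post does not spell out the key.

```powershell
# Added example, not from the thread: a read-only audit of the registry values
# the posts discuss. Nothing is written; each value is only read and reported.
# Assumption (not stated in the thread): SafeBoot lives under Control\SafeBoot
# with the usual Minimal and Network subkeys.
function Get-ThreadRegistryState {
    $checks = @(
        # An empty TransportBindName is the "close port 445" tweak
        @{ Check = 'NetBT TransportBindName'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
           Name  = 'TransportBindName' }
        # EnableDCOM = N is the "close port 135" tweak
        @{ Check = 'OLE EnableDCOM'
           Path  = 'HKLM:\SOFTWARE\Microsoft\OLE'
           Name  = 'EnableDCOM' }
        # DisableRegedit = 1 in either hive is the HijackThis O7 entry
        @{ Check = 'DisableRegedit (HKCU policy)'
           Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Name  = 'DisableRegedit' }
        @{ Check = 'DisableRegedit (HKLM policy)'
           Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Name  = 'DisableRegedit' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $data = if ($null -ne $item) { $item.($c.Name) } else { '<not set>' }
        $note = switch ($c.Name) {
            'DisableRegedit'    { if ("$data" -eq '1') { 'regedit blocked: a policy or the O7 hijack' } else { 'regedit allowed' } }
            'EnableDCOM'        { if ("$data" -eq 'N') { 'DCOM off (port 135 tweak applied)' } else { 'DCOM on' } }
            'TransportBindName' { if ("$data" -eq '')  { 'empty (port 445 tweak applied)' } else { 'default binding' } }
        }
        [pscustomobject]@{ Check = $c.Check; Data = $data; Note = $note }
    }
    # Missing SafeBoot subkeys are the symptom the SafeBoot post addresses
    foreach ($mode in 'Minimal', 'Network') {
        $present = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        [pscustomobject]@{
            Check = "SafeBoot\$mode key"
            Data  = $present
            Note  = if ($present) { 'present' } else { 'missing: Safe Mode will not boot' }
        }
    }
}

Get-ThreadRegistryState | Format-Table -AutoSize -Wrap
```

A DisableRegedit of 1 only tells you regedit is blocked, not by whom; compare with what you or your administrator set before treating it as the O7 hijack.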

Hi nmb,

We can read each other’s minds, look here: http://forum.avast.com/index.php?topic=52960.msg448960#msg448960
With additional comments,

polonus

Hi malware fighters,

Cloaked malware. Eradication: See the procedure described here: http://techver2.blogspot.com/2009_11_22_archive.html

polonus

Hi malware fighters,
Protection against Samy’s NAT traversal exploit with NS inside Fx

If you want to change ABE, you should select, copy and paste this rule with Notepad:

NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)

Site https?://[^/]+:[0-35-7]
Deny

What to do next:

Navigate via NoScript, Options, Advanced to the tab window ABE. There left-click USER and then the button Change; a prompt will pop up saying no file can be coupled to ABE. Choose the last option with the text “select a program within the list of installed programs” and search for Notepad. Paste the rule at the top inside Notepad. On closing Notepad choose save. Click OK. The rule has now been added. Click OK to close the Options and save all.
You are now fully protected against router traversal…
(Courtesy of NS’s Giorgio Maone - with thanks)

polonus
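An added example, not code from the post or from NoScript: the rule’s Site pattern treated as an ordinary .NET regular expression in PowerShell and run over constructed sample URLs, which makes visible which ports the digit class [0-35-7] denies and which it leaves alone.

```powershell
# Added example, not from the thread or NoScript. The ABE "Site" pattern from the
# post is evaluated here as a plain .NET regex, so only the pattern's own behaviour
# is shown, not how ABE itself loads it.
function Test-NatPinRule {
    param([string[]]$Url)
    $pattern = 'https?://[^/]+:[0-35-7]'   # the Site line of the rule, verbatim
    foreach ($u in $Url) {
        [pscustomobject]@{
            Url    = $u
            Action = if ($u -match $pattern) { 'Deny' } else { 'pass' }
        }
    }
}

# Constructed sample URLs (not from the post). The first four carry ports whose
# first digit is 0-3 or 5-7, i.e. the service ports NAT pinning aims at; the next
# three are ordinary web ports beginning with 4 or 8, which the class excludes;
# the last has a colon in the path, which [^/]+ cannot reach across.
$samples = @(
    'http://192.168.1.1:21/'
    'http://192.168.1.1:23/'
    'http://192.168.1.1:139/'
    'https://192.168.1.1:5900/'
    'http://192.168.1.1:80/'
    'https://192.168.1.1:443/'
    'http://192.168.1.1:8080/'
    'http://192.168.1.1/path:21'
)
Test-NatPinRule -Url $samples | Format-Table -AutoSize
```

The class tests only the first digit of the port, so a local service on 3000 is denied just like 21 or 139; that is the trade-off the rule accepts in exchange for a one-line pattern.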

Here is the original : Hackademix

Thanks
nmb

I just ordered Avast Pro and downloaded it, but whatever is on my comp. will not let me open anything, including my malware/spyware scanner. Can someone help me???

Hi malware fighters,

A fix for an IE vulnerability on XP and Win2000 where protected mode has been disabled can be found here:
http://go.microsoft.com/?linkid=9709676
Info on the Information Disclosure hole in IE: http://www.microsoft.com/technet/security/advisory/980088.mspx
Make a bookmark of it, because later MS will come out with an out-of-band patch, and you then have to disable the work-around.
Users with Vista and Windows 7 are safe.

polonus

Hi malware fighters,

A work-around for an intermittent CPU peak due to corrupt virtual memory leaking:
Make sure you have plenty of RAM to do this (minimum 515mb preferred). Get rid of the current page file (virtual memory); it may be corrupted, causing memory leaks.

Right click My Computer on your desktop
Choose Properties
Click the Advanced tab
In the Performance panel,
Click the Settings button
Advanced tab in the Performance options
In the Virtual memory panel,
Click the Change button
Select C drive/partition, if it isn’t already selected
Tick ‘No Paging file’ in the paging file size for selected drive panel.
Press the SET button
Then click OK, OK, OK.
Reboot, the system will re-create it.

This possible solution should end your worries,

polonus

Give me some possible solutions for cleaning the registry.


Go to the link below and download TweakNow Registry Cleaner at the top left under the header Download.

http://www.tweaknow.com/RegCleaner.php


Be careful with this, I have had problems after cleaning… Better leave the registry as it is, or use CCleaner’s registry cleaner, which is very much safer.

Thanks
nmb

Can anybody help me with this nasty “xp antivirus pro” virus?

You should have started a new topic, and not posted inside this one.

How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

What this program does:

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

• Antivirus Vista 2010
• Vista Antispyware 2010
• Vista Guardian
• Vista Antivirus Pro
• Vista Internet Security
• Vista Internet Security 2010
• XP Guardian
• XP Antivirus Pro
• XP AntiSpyware 2010
• XP Internet Security
• XP Internet Security 2010
• Antivirus XP 2010
• Antivirus Win 7 2010
• Win7 Guardian
• Win 7 Antivirus Pro
• Win 7 Antispyware 2010
• Win 7 Internet Security
• Win 7 Internet Security 2010

When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.

Hi guys,

Need some help!

My PC is infected with Win32-Malware-gen.
The virus is present in C:\Windows\Temp\xxx.tmp\svchost.exe.

Avast home edition is detecting it every 5 mins and suggested measure is to move it to Chest.
I have tried bootscan and it deletes it but after reboot it comes up again.

please let me know how to remove the malware from my system.

Thanks in advance!

http://forum.avast.com/index.php?topic=54389.0