'olhrwef' trojan
 
This thread is older than 90 days and has been locked due to inactivity.


 
Author Topic

AnonyTerrorNinja
Minmatar
Atomic Geese
Posted - 2009.03.04 15:03:00 - [1]
 

Edited by: AnonyTerrorNinja on 06/03/2009 21:42:56
Just a little heads up.

I managed to get this charming little worm/trojan from my friend's pc recently... I'd already seen iterations of it (which were thankfully blocked by my antivirus) in october/november, that were managing to find their way to his mom's computer (she's clueless when it comes to protecting her computer and turns her antivirus off just to get rid of the messages warning her about unsafe files; great going, huh?).


I'm not sure of all of what this one is capable of, but I do know that my NOD32 is now unable to find nor remove it, as obvious as it is.


Easiest way to see if you have it on your system is to go find its obnoxious entry in your registry at:

\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

And look for an entry to run the file at "%root%\%windows%\system32\olhrwef.exe"



Even if you find it and delete that entry, it won't clean your system outright as this little bastard is doing a lot to stay alive.

Once I get a concrete method of removing it I'll post it here.


(for those of you that don't want to go into your registry, just open any folder and click 'tools -> folder options -> view -> show hidden files and folders' and click OK. Open the same process again; if it's reverted to 'Do not show hidden files and folders', then that's the worm keeping itself hidden.)


*edit*
name of the virus changed - petitioning the virus creators to have them create more dyslexic friendly virus filenames in future.

And yes, I know there's a difference between viruses/trojans/worms/spyware/malware/adware in general - this one just propagates itself similarly to how a virus does and acts as a trojan AND a worm, so sue me.
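The two checks the poster describes (a Run-key entry launching `system32\olhrwef.exe`, and Explorer's "show hidden files" setting being forced back to hidden) can be done from a script rather than by hand. The following is an added example, not code from the poster or the forum: it only reads the registry and file system and changes nothing. The only thread-specific value it assumes is the file name `olhrwef.exe`; the HKLM Run key is included as an assumption beyond the HKCU key the post names.

```powershell
# Added example, not from the original post. Read-only triage for the two
# indicators the poster describes: a Run-key entry launching
# %SystemRoot%\system32\olhrwef.exe, and Explorer's "show hidden files"
# setting being flipped back to hidden. Nothing here deletes or edits anything.

# File name quoted in the thread; add further names if you have other indicators.
$SuspectNames = @('olhrwef.exe')

# Per-user and machine-wide autostart keys (the post only mentions HKCU;
# checking HKLM as well is an assumption added here).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspectRunEntries {
    param([string[]]$Keys, [string[]]$Names)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            foreach ($n in $Names) {
                if ($cmd -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
                }
            }
        }
    }
}

function Get-ExplorerHiddenSetting {
    # Hidden = 1 means "Show hidden files and folders", 2 means "Do not show".
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden
    switch ($v) {
        1       { 'show hidden files' }
        2       { 'hide hidden files' }
        default { 'not set' }
    }
}

$hits = @(Get-SuspectRunEntries -Keys $RunKeys -Names $SuspectNames)
if ($hits.Count -eq 0) {
    Write-Output 'No Run-key entry references the suspect file name.'
} else {
    Write-Output 'Suspicious autostart entries:'
    $hits | Format-Table -AutoSize
}

# Check the file itself; -Force is needed so a hidden file is still returned.
foreach ($n in $SuspectNames) {
    $path = Join-Path $env:SystemRoot "System32\$n"
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($file) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Output ("Present: {0}  attributes={1}  signature={2}" -f $path, $file.Attributes, $sig.Status)
    } else {
        Write-Output "Not present: $path"
    }
}

Write-Output ("Explorer hidden-files setting: {0}" -f (Get-ExplorerHiddenSetting))
```

Run it from an ordinary PowerShell prompt on the machine in question. Treat a clean result with caution: the post itself notes the malware re-hides files and recreates its entries, so a script run on the infected system is only as trustworthy as that system, and the live-CD approach suggested later in the thread is the more reliable way to confirm.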

Cedric Diggory
Perfunctory Oleaginous Laocoon Mugwumps
Posted - 2009.03.04 15:33:00 - [2]
 

Download Linux Live CD of your choice (with NTFS support)
Boot, mount and delete.

Log back into Windows and clean up the aftermath.

Taedrin
Gallente
Kushan Industrial
Posted - 2009.03.04 16:01:00 - [3]
 

Originally by: Cedric Diggory
Download Linux Live CD of your choice (with NTFS support)
Boot, mount and delete.

Log back into Windows and clean up the aftermath.


Perhaps the trojan has other services that will recreate the file? Removing well crafted viruses and trojans is a lot harder than simply deleting a single file - Especially if it's a *true* virus which infects other files that you use.

On an aside - the reason why your computer got infected was because you were running as an administrator. This is one of the largest complaints with Windows - virtually ALL software requires you to give it administrator privileges to function or install properly. This is very bad behavior, as you are essentially giving that program permission to **** your computer. If you never run ANY program as an administrator, you will be protected from 99% of malware. The only malware that you can be infected by is stuff that uses security vulnerabilities to gain admin privileges without user intervention.

A better behavior is to have Linux style permissions, where if a user accidentally executes a trojan or virus, he can only screw over his own files - system files remain safe and unaffected so long as you don't execute the malware with root privileges.

Cedric Diggory
Perfunctory Oleaginous Laocoon Mugwumps
Posted - 2009.03.04 16:08:00 - [4]
 

Quote:
Perhaps the trojan has other services that will recreate the file? Removing well crafted viruses and trojans is a lot harder than simply deleting a single file - Especially if it's a *true* virus which infects other files that you use.


This is absolutely true. However experience has taught me that in 99% of cases using another operating system to remove one or two offensive files will allow the point and click windows anti virus/malware tools to do their job where otherwise they could not.

Taedrin
Gallente
Kushan Industrial
Posted - 2009.03.04 16:12:00 - [5]
 

I suppose the only danger to that is if system boot files have somehow gotten infected and restore the malware to full functionality before the anti-virus gets a chance to do a scan. Perhaps we should also suggest that he do the virus scan under safe mode? Or better yet, run a virus scan FROM Linux on the Windows partition. That's one of the main reasons why Linux even HAS virus scanners, isn't it?

AnonyTerrorNinja
Minmatar
Atomic Geese
Posted - 2009.03.04 16:14:00 - [6]
 

Edited by: AnonyTerrorNinja on 04/03/2009 16:15:07
Cedric, in this one's case, it does infect other files and creates several services (even embedding itself into some other services' files so that if its own stuff gets removed, it can simply recreate itself using them).


With regards to the administrator user comment, I guess that's where I went wrong.

I'd reinstalled windows again recently, and in my frustration of having to deal with a scratched disc and having to dump the install files to my hard drive to install from there, after formatting the partition to FAT32 and a host of other crap, I no doubt forgot to create my profile as a normal user instead of admin. -_-'



Oh well, guess it's time for another hearty formatting, if I can't get this blasted thing removed! :D


*ATNinja edit*

Oh, and I have myself an Ubuntu live disc and such lying around here somewhere, but you don't want to know what my study-slash-bedroom looks like right now...

Cedric Diggory
Perfunctory Oleaginous Laocoon Mugwumps
Posted - 2009.03.04 16:16:00 - [7]
 

Originally by: Taedrin
I suppose the only danger to that is if system boot files have somehow gotten infected and restore the malware to full functionality before the anti-virus gets a chance to do a scan. Perhaps we should also suggest that he do the virus scan under safe mode? Or better yet, run a virus scan FROM Linux on the Windows partition. That's one of the main reasons why Linux even HAS virus scanners, isn't it?


Yup, throw CLAM at it and it'll no doubt clean it up no bother. However depending on the voracity of the malware, you might find windows totally unbootable afterwards.

Taedrin
Gallente
Kushan Industrial
Posted - 2009.03.04 16:22:00 - [8]
 

Originally by: AnonyTerrorNinja
Edited by: AnonyTerrorNinja on 04/03/2009 16:15:07
Cedric, in this one's case, it does infect other files and creates several services (even embedding itself into some other services' files so that if its own stuff gets removed, it can simply recreate itself using them).


With regards to the administrator user comment, I guess that's where I went wrong.

I'd reinstalled windows again recently, and in my frustration of having to deal with a scratched disc and having to dump the install files to my hard drive to install from there, after formatting the partition to FAT32 and a host of other crap, I no doubt forgot to create my profile as a normal user instead of admin. -_-'



Oh well, guess it's time for another hearty formatting, if I can't get this blasted thing removed! :D


*ATNinja edit*

Oh, and I have myself an Ubuntu live disc and such lying around here somewhere, but you don't want to know what my study-slash-bedroom looks like right now...


You MIGHT be able to do a "repair installation" of windows, which will essentially rollback your system files to the version found on your disk. Do a virus scan/removal from Linux, then do a repair installation. If that doesn't work, then a blanket reformat is probably your only real hope.

Bish Ounen
Gallente
Best Path Inc.
Cult of War
Posted - 2009.03.04 16:31:00 - [9]
 

Originally by: Taedrin

You MIGHT be able to do a "repair installation" of windows, which will essentially rollback your system files to the version found on your disk. Do a virus scan/removal from Linux, then do a repair installation. If that doesn't work, then a blanket reformat is probably your only real hope.


Just don't forget to use the bootable Ubuntu CD to back up your critical files to an external hard drive first.

Personally, I'd just back up the important stuff, and then run the installer on the Ubuntu CD, wiping the entire hard drive in the process. But that's just me.

AnonyTerrorNinja
Minmatar
Atomic Geese
Posted - 2009.03.04 17:06:00 - [10]
 

Well, looks like I got rid of it.

Requesting permission from the mods to post a link to the removal tool I used for it.

I cannot verify myself (obviously, since I managed to get this worm in the first place) that this removal tool itself is entirely clean, and as such cannot guarantee for those that may use it that it will not cause (further) damage to their systems.


Sooooo, if there's someone I can submit the link to that can check it before I post it here, please speak up.

LaVista Vista
Conservative Shenanigans Party
Posted - 2009.03.04 17:38:00 - [11]
 

If your computer has been infected by a virus, it's compromised. Any measure you might take won't change that fact but wiping the machine entirely.

Find your windows CD and get busy. It's the only reasonable thing to do.

FOl2TY8
GoonWaffe
Goonswarm Federation
Posted - 2009.03.04 21:22:00 - [12]
 

People that are recommending re-installing windows are completely ignorant. I have been cleaning viruses for years and have only done a full re-install a couple of times.

1. Delete your existing system restore points.
2. Download and install Malwarebytes
3. Download and install spybot and adaware
4. Download and install smitrem and vundofix
5. Download and install hijackthis and ccleaner
6. Reboot into safe mode and run all the apps you downloaded. If they don't clear the virus then you will need help that I can't give in these forums. Go to MajorGeeks and they can help you.

You can reformat but wouldn't you rather learn how to remove a virus without resorting to a clean install? Also pick up a copy of Ghost and image your clean computer so when there is no other option you can just re-image your pc quickly and efficiently.

Elysarian
Minmatar
Elysarian Corp
Posted - 2009.03.04 21:33:00 - [13]
 

Originally by: Taedrin
Originally by: Cedric Diggory
Download Linux Live CD of your choice (with NTFS support)
Boot, mount and delete.

Log back into Windows and clean up the aftermath.


Perhaps the trojan has other services that will recreate the file? Removing well crafted viruses and trojans is a lot harder than simply deleting a single file - Especially if it's a *true* virus which infects other files that you use.

On an aside - the reason why your computer got infected was because you were running as an administrator. This is one of the largest complaints with Windows - virtually ALL software requires you to give it administrator privileges to function or install properly. This is very bad behavior, as you are essentially giving that program permission to **** your computer. If you never run ANY program as an administrator, you will be protected from 99% of malware. The only malware that you can be infected by is stuff that uses security vulnerabilities to gain admin privileges without user intervention.

A better behavior is to have Linux style permissions, where if a user accidentally executes a trojan or virus, he can only screw over his own files - system files remain safe and unaffected so long as you don't execute the malware with root privileges.


Of course... the only time you'd be logged in with administrator priv's is:

1. You're one of those people who refuses to upgrade to Vista/download and install the Windows 7 beta.
2. You upgraded to Vista but are lazy/stupid and disabled UAC (though even UAC can't protect the truly stupid "click yes to everything" kind of person).

UAC may not be perfect but it is about the closest thing Windows users have to the *Nix way of doing things (Linux does a very similar thing: if you want to do anything that requires administrator-level rights, it prompts you for the root password).
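Posts [3] and [13] both turn on the same question: is the account that runs a careless double-click an administrator, and is UAC actually standing between that account and the system? The script below is an added example (not from either poster) that reports exactly that for the current session. It assumes only standard Windows APIs and the documented UAC policy values; on XP, which has no UAC, `EnableLUA` is simply absent.

```powershell
# Added example, not from the thread. Reports whether the current session is
# elevated, whether the account is in the local Administrators group at all,
# and whether UAC is enabled. Read-only; changes nothing.

function Test-SessionElevated {
    # True only if the current token carries full Administrators rights.
    # Under UAC a "split-token" admin that has not elevated reports False here.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AccountIsLocalAdmin {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    # It stays in the token (as deny-only) even when UAC has filtered it, so this
    # tells you whether a UAC prompt would elevate without asking for another
    # account's credentials.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
}

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # EnableLUA = 1 means UAC is on (Vista and later); absent on XP.
        EnableLUA                  = $p.EnableLUA
        # 0 = elevate silently (UAC effectively off for admins),
        # 2 = prompt for consent on the secure desktop,
        # 5 = prompt only for non-Windows binaries (the default).
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

$uac = Get-UacState
Write-Output ("Session elevated:            {0}" -f (Test-SessionElevated))
Write-Output ("Account in Administrators:   {0}" -f (Test-AccountIsLocalAdmin))
Write-Output ("UAC EnableLUA:               {0}" -f $uac.EnableLUA)
Write-Output ("ConsentPromptBehaviorAdmin:  {0}" -f $uac.ConsentPromptBehaviorAdmin)

if ((Test-AccountIsLocalAdmin) -and ($uac.EnableLUA -ne 1)) {
    Write-Output 'WARNING: admin account with no UAC; any program you launch runs with full rights.'
} elseif ((Test-AccountIsLocalAdmin) -and ($uac.ConsentPromptBehaviorAdmin -eq 0)) {
    Write-Output 'WARNING: UAC is set to elevate silently, which is as good as disabled.'
}
```

The useful distinction is between the first two lines of output: "elevated" is about this one session, "in Administrators" is about the account. The situation both posters warn against is an account that is in Administrators with UAC off or set to elevate silently, because then the two answers are always the same.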

Chainsaw Plankton
IDLE GUNS
IDLE EMPIRE
Posted - 2009.03.04 22:02:00 - [14]
 

Originally by: LaVista Vista
If your computer has been infected by a virus, it's compromised. Any measure you might take won't change that fact but wiping the machine entirely.

Find your windows CD and get busy. It's the only reasonable thing to do.


*sniff* It's for your own good babe *sniff*

AnonyTerrorNinja
Minmatar
Atomic Geese
Posted - 2009.03.04 22:06:00 - [15]
 

Originally by: FOl2TY8
People that are recommending re-installing windows are completely ignorant. I have been cleaning viruses for years and have only done a full re-install a couple of times.

1. Delete your existing system restore points.
2. Download and install Malwarebytes
3. Download and install spybot and adaware
4. Download and install smitrem and vundofix
5. Download and install hijackthis and ccleaner
6. Reboot into safe mode and run all the apps you downloaded. If they don't clear the virus then you will need help that I can't give in these forums. Go to MajorGeeks and they can help you.

You can reformat but wouldn't you rather learn how to remove a virus without resorting to a clean install? Also pick up a copy of Ghost and image your clean computer so when there is no other option you can just re-image your pc quickly and efficiently.



This looks suspiciously like the list of things my friend received in a mail from Blizzard when he first reported that his WoW account had been hacked...

In any event, I know that he downloaded a lot of these tools and that we were sitting here watching them be completely ineffective against this same worm/trojan (he got it from his mom, who being the highly computer literate person she is, turns off her anti-virus to get rid of the annoying 'we found something wrong!' messages whenever plugging in usb thumb drivers, friends' ipods or putting cds/dvds her friends/clients had written into her pc).


In any event, my friend, not having anything on his pc he couldn't get from someone else, just opted to go for a full format rather than bothering to try and get rid of this thing (or risking it still being there after cleaning up).



Lavista, your suggestion sounds like the average lazy techie's response to a virus infection. Just because you have been infected does not mean the only course of action is a full wipe and reinstall. Not all viruses/trojans/worms require what you were suggesting - in fact, many are so benign you can almost leave them on your system as is, since all they want to do is say hello to you every time you log in.

AnonyTerrorNinja
Minmatar
Atomic Geese
Posted - 2009.03.04 22:26:00 - [16]
 

Oh yeah, here's the link for the tool I used to clean up with, since no mods are giving me a go/no-go in the thread.

http://www.windowsvistaplace.com/vista/olhrwefexe

And hyperlinked


Hopefully, if anyone else comes across this thread and has this trojan, they'll be able to get rid of it using the same tool.

KingsGambit
Caldari Provisions
Posted - 2009.03.05 11:52:00 - [17]
 

Originally by: LaVista Vista
If your computer has been infected by a virus, it's compromised. Any measure you might take won't change that fact but wiping the machine entirely.
*picks something up from the floor* I think you dropped your tinfoil hat just here dude.

AnonyTerrorNinja
Minmatar
Atomic Geese
Posted - 2009.03.06 13:35:00 - [18]
 

In other news; NOD32 now picks this delightful little virus up and can remove it.

Hoorah for month-and-a-half-late definition updates!


More amusing is that if you go read about ohlwref on the Symantec site, they tell you it creates the registry group

HKEY_LOCAL_MACHINE\SOFTWARE\ESET\

That this is a part of the virus and that you should remove it. I rather like my NOD32 Anti-Virus, Symantec, and would rather not render the program inoperable. :D

Jana Clant
New Dawn Corp
New Eden Research.
Posted - 2009.03.06 14:42:00 - [19]
 

Sorry to hijack the thread, have a quick question I'd like to ask:

My computer has been infected by a virus recently, and my efforts to get rid of it have failed so far. I am considering formatting C:, the partition containing the OS and most of my stuff, but the virus has also infected files in partitions D: and E:, which are used mostly for file storage.

If I were to format just C:, reinstall the OS and get security programs up and running before I even attempt to open the D: and E: partitions, is there any chance the virus could infect the OS again before the anti-virus is fully installed? (I can't format D: and E: for now as I have important files there, and copying them to another computer would probably just infect that one as well, making things worse)

AnonyTerrorNinja
Minmatar
Atomic Geese
Posted - 2009.03.06 15:34:00 - [20]
 

If the partitions are mounted at startup in the new OS installation, then yes, they could infect your boot partition again before you can clean them up.

I haven't had to do this in years, so I don't remember the results, but you may be able to unmount the partitions before formatting, and then when installing the new OS on the formatted C partition, they may/may not start up mounted.


An alternative is that you run, as suggested earlier in the thread, a linux distro's live cd (ubuntu being an example) and do a virus scan from there.

Gin G
The Helghast Corporation
Posted - 2009.03.06 18:12:00 - [21]
 

There is a far more simple way to remove it: just take your hard drive(s) and blow them to pieces

survive that

FOl2TY8
GoonWaffe
Goonswarm Federation
Posted - 2009.03.06 18:28:00 - [22]
 

Originally by: AnonyTerrorNinja
In other news; NOD32 now picks this delightful little virus up and can remove it.

Hoorah for month-and-a-half-late definition updates!


More amusing is that if you go read about ohlwref on the Symantec site, they tell you it creates the registry group

HKEY_LOCAL_MACHINE\SOFTWARE\ESET\

That this is a part of the virus and that you should remove it. I rather like my NOD32 Anti-Virus, Symantec, and would rather not render the program inoperable. :D


Lol that is awesome....

