
Saturday, January 8, 2011

Fix: DrWatson Postmortem Debugger error

BELOW IS OLD REFERENCE ONLY.... THERE IS A 99% CHANCE YOU ARE NOT INFECTED WITH THE ACEBOT TROJAN VIRUS!
(Due to the overwhelming attention this topic receives, we must keep all data in the original thread intact.)

============================
ORIGINAL THREAD STARTS HERE
============================
This problem is no longer supported
============================
The reason is that something else is causing the DrWatson error now... it is no longer the AceBot Trojan, as every antivirus program removes it now.

If you post a log, do not expect it to be answered unless you are legitimately infected with the AceBot Trojan.

This thread has gotten an insanely large amount of attention, but the name of the thread doesn't seem to fit anymore. This is simply a variable fix; it doesn't mean it will fix it no matter what. You must be infected for this to work...
============================
Discussion and research is welcomed
============================

=============================
UPDATE
=============================
After new logs have been posted, it is apparent that no one is infected with this anymore, so I must post before people get the wrong ideas and end up screwing their computers up.

This virus is obsolete. Most any virus protection software will pick up and repair this virus. Please be careful what you delete if you think you are infected.

If you encounter a DrWatson Postmortem Debugger error, there is another error on your system. It could be your virus protection or firewall software. I have yet to work on a machine that has this new DrWatson error, but again, DrWatson is NOT bad; it reports software bugs to Microsoft in XP.

If you are infected, you will know, but please be careful what you delete from your computer. You CAN and WILL cause serious damage by deleting files with 32 in their names from your system.

Just wanted everyone to know, but if you KNOW you're infected, read on. Also, READ the logs and fixes posted, so you can get the real idea of how this virus works.

Thanks,
Dan
=============================

I have seen oodles of things relating to this. I recently had the privilege of working with this nasty problem.

So far, it looks like the fix is undiscovered, until now. I believe I have found the fix to all your problems with this issue.

Of course a reinstall or repair would fix it, but you will unlink all your users and the files relating to them, so I wrote this tutorial of my findings and discoveries on this issue.

Please read and understand what is happening before you start doing anything to your system.

(This error should ONLY occur on Windows XP SP2 Machines)

First, I would like to congratulate you on getting infected by one of the largest, most dangerous viruses for Windows XP (and other OSes, but it will do devastating things to XP SP2 machines).

First, what is this virus? It is called the AceBot trojan virus.

So, DrWatson Postmortem Debugger is the mask for the virus? NO. NO it is not. DrWatson is a program that originated in Windows 3.x for finding software bugs and minor problems with Windows. In Windows XP it now provides a critical role in finding problems in software to submit to Microsoft.

I have seen this trojan virus 2 times, once on a Windows 98 machine and once on a Windows XP SP2 machine. It takes various forms; the forms I have positively identified are:

mscf.exe
ipdo32.exe
protect32.exe
protect32.dll
ntip32.dll

Now, there may be other forms, but those are the ones I have positively identified with this error.

(EDIT!!!!!!)
Please use common sense. I have gotten bombed with emails, messages, and these posts. I do not mind helping you, but some people need to help me help them.

For example, if a network security service is running, Google the filename: does it come up with a legit process name? Or does it come back with 2 or 3 entries, or no entries? Then use the steps I explained to kill those files.

Look at file names. These things love latching onto either mscf.exe, or they throw 32 somewhere in their name. I really want to help everyone, but this is self-explanatory, and I want to help the people who simply cannot figure it out.

Now, what exactly causes the DrWatson Postmortem Debugger error? It's pretty simple. The makers of the virus have ILLEGALLY violated Microsoft's copyright policies: they use the Microsoft logo and the alerts for Windows XP SP2.

So, what happens is, this virus adds itself as a Network Security Service (usually this is where you will find mscf.exe), which 100% interferes with SP2's Security Service (the thing that comes up and says your virus protection isn't found, or is out of date or off, or your firewall is off). Basically, the virus hijacks the SP2 alerts' job. It shows stuff like "Spyware activity detected" and "Your firewall may be turned off" as a spoof.

(EDIT!!!!)
How does this virus work????

It works off at least 2 executable files and a Browser Helper Object (BHO). The BHO seems to be the main cause of instability in SP2 systems. The executables are what keep the BHO on there, so you need to kill the trifecta in order to collapse the pyramid of doom.

Thus, as soon as this program tries running, it makes your system unstable: when you open any Explorer-type program (i.e. Control Panel, My Computer, Internet Explorer), your system will crash.

Also, it is adware, spyware, and a downloader, all in one. So it's got everything! (That you don't want.)

================
REMOVAL OF THIS VIRUS
================

I would like to congratulate you again, you earned yourself a one way ticket to HELL. This is not an easy process, but again, this is what you get for illegally downloading music and movies, or looking at porn, or getting serial numbers from a website.

First thing you NEED to do is go into Safe Mode and run the following programs:

Spybot Search And Destroy 1.3
(http://www.thenerdnetwork.net/downloads ... otsd13.exe)

AdAware SE Personal
(http://www.thenerdnetwork.net/downloads ... rsonal.exe)

SpySweeper
(http://www.thenerdnetwork.net/downloads ... 201930.exe)

Panda ActiveScan
(http://www.pandasoftware.com)

Now, the above programs do not actually remove this problem, but I imagine you're infected with everything else as well.

For this next step, you will need 2 programs to slay the beast, they are:

KillBox (I love whoever made this, they are GREAT)
(http://www.thenerdnetwork.net/downloads ... illBox.zip)
*This program can be fatal to your system if used wrong

HiJackThis
(http://www.thenerdnetwork.net/downloads ... ckThis.exe)

Do a System Scan with HiJackThis.

It will produce a large list of stuff that will most likely boggle your mind.

Look for the following lines:

BHO : (no name) {MD5 NUMBER} - C:\WINDOWS\system32\ntip32.dll
O23 : Service : Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\mscf.exe
O4 - HKLM\..\Run: [ipdo32.dll] C:\WINDOWS\system32\ipdo32.exe

Now, of course, there are variations, since viruses replicate themselves. Post your HiJackThis logs if you are experiencing this problem and need help.

(EDIT!!!!)
I am seeing hundreds of logs still being posted. Pretty much one person is supporting this issue now, and it is not me any longer (except for those donating 10 dollars to billing@thenerdnetwork.net via PayPal).

There are VARIATIONS. The file names are not exactly as listed above, unless the randomness actually came back to it. So you need to find the problems and learn to tell legit programs from non-legit ones. 32 is a BIG hit with this virus; if you find something named 32 running, GOOGLE it. You will find the answer. I can sift through logs quickly because I'm a computer technician and pretty much know which files with 32 in them are legit.
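As an added example (not part of the original thread), here is a small Python triage script that applies the two checks described above to HijackThis log lines: an exact match against the file names listed in this post, and the "it has 32 in the name, go look it up" heuristic. The allowlist of genuine "32" components, the CLSID placeholder and the svcup32.exe service line are constructed for the example.

```python
import re

# File names the original post ties to the AceBot infection (taken from the post above).
ACEBOT_FILES = {"mscf.exe", "ipdo32.exe", "protect32.exe", "protect32.dll", "ntip32.dll"}

# Assumption: a tiny allowlist of genuine Windows components whose names contain "32",
# so the "anything with 32 in it" heuristic does not flag them. Extend as needed.
KNOWN_GOOD_32 = {"rundll32.exe", "kernel32.dll", "user32.dll", "shell32.dll"}

# Only the three HijackThis entry types the post tells you to look at:
# O2 (BHO), O4 (Run keys) and O23 (services).
ENTRY_RE = re.compile(r"^(O2|O4|O23) - (.*)$")
# First Windows path ending in .exe or .dll on the line (spaces allowed, for Program Files).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)

def triage_line(line):
    """Classify one log line. Returns (section, verdict, path) or None for other entry types."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    p = PATH_RE.search(rest)
    if not p:
        return (section, "no-path", None)
    path = p.group(0)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in ACEBOT_FILES:
        verdict = "acebot-indicator"      # exact match on a name from the post
    elif "32" in name and name not in KNOWN_GOOD_32:
        verdict = "review-32"             # the post's heuristic: look this one up
    else:
        verdict = "ok"
    return (section, verdict, path)

def triage_log(text):
    """Return only the flagged (section, verdict, path) tuples for a whole log."""
    results = (triage_line(l) for l in text.splitlines())
    return [r for r in results if r and r[1] in ("acebot-indicator", "review-32")]

# Constructed sample log: the three entries from the post in real HijackThis layout,
# a genuine ctfmon.exe Run entry, and a made-up svcup32.exe service to exercise the heuristic.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CLSID-PLACEHOLDER} - C:\WINDOWS\system32\ntip32.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ipdo32.dll] C:\WINDOWS\system32\ipdo32.exe
O23 - Service: Updater (constructed) - Unknown owner - C:\WINDOWS\system32\svcup32.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\mscf.exe
"""
```

A "review-32" hit is a prompt to look the file up, not a verdict; only the exact-name matches correspond to what the post describes.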

Now, open up KillBox and change the setting to Kill on Reboot. Type in each file location ONE AT A TIME and click the red 'X'. It will ask if you want to delete it on reboot; click yes. It will then ask you to reboot; click NO!

After all the files are marked for deletion, put checks next to the 3 objects it found in HiJackThis, including the NSS, and remove them with HiJackThis. At the end, it will ask you to reboot. DO IT. On rebooting, the virus has been stir-fried to a golden crisp and eaten up by a hungry foreigner, then shit out.

Now, go install Service Pack 2 (if you uninstalled it).

IF YOU WERE INFECTED! PLEASE REPORT THIS ISSUE TO MICROSOFT! THEY ARE HAVING THEIR COPYRIGHTS INFRINGED UPON AND I ALREADY TALKED TO THEIR LEGAL TEAM ABOUT IT, PLEASE SUPPORT MICROSOFT'S ATTEMPTS IN SUING THE CREATORS!

Hope this helps.

Dan

Another method has been posted by a user. It has NOT been tested by me. But it may be worth a shot for some people.

===================================================
By accident, I solved the Dr. Watson error.

Step one - Create a new user in Windows XP that is different from your logon. You must have administrator rights.

Step two - Copy and paste ALL of your directories, files, documents etc. from your old user account into your new user account.

Step three - Test to make sure that you have transferred everything over.

Step four - delete your old user account.

Step five - right click on a file that previously activated the virus.

Step six - have a nice day because you will find that the virus is gone.
