Avast WEBforum

Other => Viruses and worms => Topic started by: Lang on January 07, 2009, 01:05:49 PM

Title: WMA Wimad[Drp]
Post by: Lang on January 07, 2009, 01:05:49 PM
I have discovered that many of my mp3 and wmv files come up as having been infected with the above trojan.  When I scan the files with Spybot, the trojan is identified in heuristic mode as Fraud.Installer .as.  The curious thing is that everything I have read about this malware says that it creates fake mp3 files which then say they require additional software to play them.  This hasn't been the case with me.  The files that are infected are legitimate mp3 files, and they have all been created on this computer.  They play normally.  While I did download some codecs in the past, none of them showed up as being infected.

The problem I have is that the infection is so widespread (literally hundreds of files) that if I were to delete them all, it would take weeks, if not months, to restore them again.

Presumably because the files play normally, it is only the header that has been infected.  Is there any way the files can be repaired?   
Title: Re: WMA Wimad[Drp]
Post by: kubecj on January 07, 2009, 02:34:47 PM
If we report them as WMA:Wimad, they're not MP3s anymore; they're Windows Media Audio files, and they were auto-converted. They're not in the original state and quality. The only thing to do with them is to delete and recreate them.
Title: Re: WMA Wimad[Drp]
Post by: Lang on January 07, 2009, 03:27:03 PM
Thank you for your response, although it is a very depressing one.   :'(   Many of the files affected are irreplaceable.

The only other thing I can ask you is this:  assuming the trojan concerned is not apparently doing anything to my system (it hasn't asked me to download anything), would there be any harm in allowing the files to remain on my computer, so long as I didn't send them to anybody else?  I ask, because although you said the quality would be affected, there is no obvious difference that I can hear.  Many of the files are classical, and are just as acceptable as the original mp3s.

So in their present state, are the files causing any active harm?  Could they remain on my system?
Title: Re: WMA Wimad[Drp]
Post by: polonus on January 07, 2009, 03:43:23 PM
Hi Lang,

Try this as a last resort solution:
This procedure has deleted the problem:

1) Log on with a user that has not been affected by the problem

2) type "regedit" in the Run window

3) locate [HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer]

4) Export that section as filename.reg

5) edit this file with NOTEPAD and replace any string that contains the
last username with yours (ex: c:\document & settings\anne\document --->>
c:\document & settings\Max\document)
Save the file

6) Log off

7) Log on with the user affected by the problem

8) type "regedit" in the Run window

9) locate [HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer]

10) delete it!

11) close regedit

12) locate the file you've modified, click with the right mouse button and choose

That's all, now you can play all your MP3!

polonus
Title: Re: WMA Wimad[Drp]
Post by: Lang on January 07, 2009, 05:13:48 PM
Polonus,

Many thanks for your help.

Ok, a couple of things.  Firstly, was your solution designed to remove the infection, or just to make the files playable?  I ask, because in fact they *are* already playable.  They play normally, with no noticeable loss of quality.  That is why I asked whether the infection is actually doing any harm in its current form, because if not I could leave the files alone, and just make sure I don't send them to anybody.  If it did remove the infection, then it would certainly be worth pursuing, as I really don't want to lose some of these files.

(Incidentally, I tried to treat these as wma files and used a converter to change them back to mp3.  When I did this the conversion worked, but the resultant files were very choppy and unusable.)

Secondly, I went through your procedure, and extracted the section from the registry.  The only problem was that when I searched for my old user name, it is not there.  I did find the new one, in one entry, but that was all

Once again, many thanks for the help.
Title: Re: WMA Wimad[Drp]
Post by: polonus on January 07, 2009, 05:29:12 PM
Hi Lang,

Yes, it would remove the infection, because that is actually going on online. If you deleted the previous malicious string, you have lost it. Make a note of all I mentioned there and perform everything meticulously, step by step. I gave the solution as I found it, but it is well worth a try; otherwise you will start it over again when opening up your media player. After you have cleared this completely, switch to VLC Media Player, to be downloaded from here: http://www.videolan.org/mirror-geo.php?file=vlc/0.9.8a/win32/vlc-0.9.8a-win32.exe

polonus
Title: Re: WMA Wimad[Drp]
Post by: Lang on January 07, 2009, 06:05:59 PM
Ok, as I said, I couldn't find my original user name in there at all.  The only line which had a user name had the second user name:-

"shortcut2"="C:\\Documents and Settings\\Username2\\Start Menu\\Programs\\Windows Media Player.lnk"

Do you mean that I should change Username2 back to my original user name?
Title: Re: WMA Wimad[Drp]
Post by: polonus on January 07, 2009, 06:13:19 PM
Yes, now edit with Notepad.exe to:

"shortcut1"="C:\\Documents and Settings\\Username1\\Start Menu\\Programs\\Windows Media Player.lnk"

Save this file as all files, then proceed as instructed,

6) Log off

7) Log on with the user affected by the problem

8) type "regedit" in the Run window (see picture)

9) locate [HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer]

10) delete it!

11) close regedit

12) locate the file you've modified, click with the right mouse button and choose


polonus

Title: Re: WMA Wimad[Drp]
Post by: Lang on January 07, 2009, 07:33:30 PM
Ok - I am not sure what that was supposed to do.  The situation is now as follows:-

Before - The files all gave rise to warning messages when they were scanned by Avast.  However, they played ok on Windows Media Player.

After - The files still give rise to warning messages.  When played by Windows Media Player they first of all tell me that they are not mp3 files (which I had been warned about in an earlier posting).  If I tell media player to play them anyway they stop after a few seconds, and Avast comes up with an error message.  It appears that I am being directed to a site which no longer exists:- www.isvbr.net.  They play ok on the VLC player, although the quality seems to have deteriorated.

I am not sure how those instructions were supposed to help the problem I outlined in my previous postings.  But thanks anyway for the help.

My problem is that I have a large number of music and video files which, when scanned with Avast, tell me they contain a trojan.  As many of these files were created by me or bought from sites I cannot now locate, many of them cannot be replaced.  I was hoping there was some way to access these files so as to remove the trojan, but to leave the files intact, but it appears that this is not the case.   :'(
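An added example, not from the forum thread or from any of its participants: kubecj's point above is that a file flagged as WMA:Wimad is no longer an MP3 at all but an ASF/WMA container under an .mp3 name, and Lang's later observation is that playback stops and the player is sent to a license URL (www.isvbr.net in his case). Both facts can be checked from the file bytes without playing the file. The Python script below classifies a file by its leading bytes rather than its extension, walks the ASF Header Object's sub-objects, and reports any license-style URL it finds. It assumes the ASF container layout from Microsoft's ASF specification (16-byte object GUID followed by a 64-bit little-endian size; the Content Encryption Object GUID 2211B3FB-BD23-11D2-B4B7-00A0C955FC6E carries the WM-DRM license URL). The sample ASF header built by `make_sample_asf` is constructed test data with a simplified Content Encryption payload and a made-up URL, not a real infected file.

```python
import os
import re
import struct

# ASF Header Object GUID (75B22630-668E-11CF-A6D9-00AA0062CE6C) as it appears
# on disk. Every WMA/WMV/ASF file starts with these 16 bytes.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
# Content Encryption Object GUID (2211B3FB-BD23-11D2-B4B7-00A0C955FC6E): the
# header sub-object that carries a WM-DRM "License URL" (per the ASF spec).
CONTENT_ENCRYPTION_GUID = bytes.fromhex("fbb3112223bdd211b4b700a0c955fc6e")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def detect_container(data):
    """Classify a blob by its leading bytes, ignoring the file extension."""
    if data[:16] == ASF_HEADER_GUID:
        return "asf"
    if data[:3] == b"ID3":  # MP3 with an ID3v2 tag in front of the audio
        return "mp3"
    # Raw MPEG audio frame: 11-bit sync word (0xFFE) at the very start.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def asf_header_objects(data):
    """Yield (guid, payload) for each sub-object of the ASF Header Object.

    Layout: GUID(16) + size(8, LE, counts the 24-byte object header).
    The top-level Header Object additionally has count(4) + reserved(2),
    so its sub-objects start at offset 30.
    """
    if data[:16] != ASF_HEADER_GUID or len(data) < 30:
        return
    header_size = struct.unpack_from("<Q", data, 16)[0]
    end = min(header_size, len(data))
    pos = 30
    while pos + 24 <= end:
        guid = data[pos:pos + 16]
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # truncated or malformed object: stop instead of looping
        yield guid, data[pos + 24:pos + size]
        pos += size


def triage(data):
    """Describe why a blob is (or is not) a mislabelled, URL-carrying ASF file."""
    kind = detect_container(data)
    urls, drm = [], False
    if kind == "asf":
        for guid, payload in asf_header_objects(data):
            if guid == CONTENT_ENCRYPTION_GUID:
                drm = True
            urls.extend(u.decode("ascii", "replace") for u in URL_RE.findall(payload))
    return {"container": kind, "drm": drm, "urls": urls}


def find_mislabelled(root, exts=(".mp3",)):
    """Walk a tree and return files whose extension says MP3 but whose bytes say ASF."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = triage(fh.read(1 << 20))  # the header object is small; 1 MiB is plenty
            if info["container"] == "asf":
                hits.append((path, info))
    return hits


def _asf_object(guid, payload):
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def make_sample_asf(license_url):
    """Constructed test data: a minimal ASF header with one Content Encryption Object.

    The payload is simplified (empty secret data, protection type and key ID,
    then the license URL); it is not a byte-exact real WM-DRM object.
    """
    payload = struct.pack("<IIII", 0, 0, 0, len(license_url) + 1) + license_url + b"\x00"
    body = _asf_object(CONTENT_ENCRYPTION_GUID, payload)
    return ASF_HEADER_GUID + struct.pack("<QIBB", 30 + len(body), 1, 1, 2) + body


if __name__ == "__main__":
    sample = make_sample_asf(b"http://license.example/get?id=1")  # made-up URL
    print(triage(sample))
    print(triage(b"ID3\x03\x00" + b"\x00" * 64))
    print(find_mislabelled("."))
```

Run `find_mislabelled(r"D:\Music")` (or any folder of interest) to list the files that need recreating; a hit with `drm` true and a URL in `urls` is exactly the "asks for a licence/codec from a web site" behaviour described in this thread. Files that come back as `mp3` are genuine MPEG audio and were not converted, whatever the scanner said about them.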
Title: Re: WMA Wimad[Drp]
Post by: Lang on January 07, 2009, 07:36:48 PM
PS:  Ah, I see the assumption was that the malware was residing in WMP, and infected every file that it played.  Yes, that makes sense, although I am not sure that it remained in the media player, because later files have not been affected, although they have been played.

Anyway, better to be safe than sorry.
Title: Re: WMA Wimad[Drp]
Post by: polonus on January 07, 2009, 09:06:17 PM
Hi Lang,

There is a tool to rename all the questioned files at once, see: http://sourceforge.net/project/showfiles.php?group_id=46941 download link for rename.it: http://sourceforge.net/project/showfiles.php?group_id=46941&package_id=39884&release_id=273583

What does this repair tool do for you: http://www.softpedia.com/get/Multimedia/Audio/Other-AUDIO-Tools/MP3RepairTool.shtml

Also perform a full scan with this DrWebCureIt: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
It may be able to repair it,

polonus
Title: Re: WMA Wimad[Drp]
Post by: Lang on January 08, 2009, 11:37:29 PM
The Dr. Web tool is brilliant!  I have fixed all 1000-odd files that have been affected.  Took all day, but it did a great job.  Many thanks for that link!  :)
Title: Re: WMA Wimad[Drp]
Post by: polonus on January 08, 2009, 11:56:20 PM
OK, Lang,

You are welcome, I am happy when you are happy,
and that is why we have put all the effort together in finding a solution.
That is why we malware fighters all do this.
Great it worked for you, enjoy your valuable files, and be safe and secure,

polonus
Title: Re: WMA Wimad[Drp]
Post by: DavidR on January 09, 2009, 12:46:15 AM
The Dr. Web tool is brilliant!  I have fixed all 1000-odd files that have been affected.  Took all day, but it did a great job.  Many thanks for that link!  :)

Now that you have recovered (excuse the pun) from the shock of your life, it is time to think about a back-up and recovery strategy so you don't lose valuable data, etc.
Title: Re: WMA Wimad[Drp]
Post by: Lang on January 11, 2009, 01:24:19 PM
Believe it or not, I have one.  In this case the trojan wasn't detected until I did a thorough scan, and by then it had infected both my backup disks.  I suppose the only lesson I can draw from this is to do thorough scans more often. 

Interestingly, if I'd been running my previous virus checker, for which I had been paying for the last five years (I changed to Avast because I could no longer afford the other one) I would still be blissfully unaware of the trojan, which would be happily infecting my new drive.
Title: Re: WMA Wimad[Drp]
Post by: DavidR on January 11, 2009, 03:40:00 PM
You have been fortunate and learnt a valuable lesson, without having to pay (literally as well) too high a price.
Title: Re: WMA Wimad[Drp]
Post by: MickyD on January 13, 2009, 08:21:03 AM

Lang, it seems you and I have had the same problem. I contracted the Wimad via eMule, rather oblivious to the threats via P2P. I was using another antivirus which simply did not detect the Wimad, and thus it had moved into my entire collection. Thankfully most of my songs were already WMA and not MP3, because strangely I have never trusted MP3. Nevertheless, I found the virus after Media Player would stop playing the song within 10 seconds and try to upload (thank goodness I was not connected) a new codec. I have all the latest codecs, so I knew something was up.

I tried Avast and unfortunately the true nature of how bad the infestation was, was revealed. I moved from WMP to Winamp and everything WMA still played fine. So I kept the viruses like a pet, not passing anything over to friends. The MP3s, though, sounded like they were being sawn through, so I simply deleted all MP3s (5% of my full collection). The thing is that I did not play all tracks for some to be infected! Avast has stopped the infection from continuing and won't even let me edit the tracks in Winamp without notifying me of the Wimad. On introducing new music I immediately converted MP3 to WMA; no longer would the virus affect my new music.

Otherwise I did run the Dr. Web as well and finally I'm cured! Many thanks to all in this topic. Words cannot express how happy I am to have my music files clean!
Title: Re: WMA Wimad[Drp]
Post by: DarkClown on March 10, 2010, 10:28:57 PM
Upon yesterday's scan of my Windows Home Server, 2 .MP3 files were detected as having this same infection.
What I find really odd is that those 2 files have existed there in that same location for as long as I have had the WHS. They are both very old files that I am certain have never been played with any player for as long as they have existed on this server. I never use WMP to play music files (recently I only play them from iTunes on my Mac), so I don't know how they would have only recently become infected.

I run a full scan of the WHS every week and this is the first time they were detected. I have thousands of MP3s and only these 2 were reported.
Title: Re: WMA Wimad[Drp]
Post by: kubecj on March 10, 2010, 10:33:10 PM
Yep. We changed the scan behaviour a bit with regards to Windows Media files.
Title: Re: WMA Wimad[Drp]
Post by: DarkClown on March 10, 2010, 11:08:21 PM
Do I understand correctly that you changed the behavior in the past week and that is why the files were never detected previously?
Title: Re: WMA Wimad[Drp]
Post by: kubecj on March 10, 2010, 11:12:14 PM
Yes, it's a recent change; it was in one of Monday's updates.
Title: Re: WMA Wimad[Drp]
Post by: twriterext on April 21, 2010, 09:01:02 PM
More questions on "WMA:Wimad [Drp]"

I have a Dell Inspiron 6000 with Win XP/Pro SP3, 1.5 GHz Pentium M processor and 2 GB of RAM.

I just recently updated the Avast Home v.4.8 database (it is currently 100417-0.04/17).  I typically run a scan before I run a backup.

The last scan identified 4 instances of the "WMA:Wimad [Drp]", which I deleted.  The files identified I did not download and have never played in any media player.  I rarely use Windows Media Player (v. 11.0.5721.5268), preferring instead Winamp (v. 5.57).

I purchased the computer used several years ago, and those files must have been on the computer when I bought it.  After reading the posts in this thread, I now understand why the detections suddenly appeared.

However, I still have 2 questions:

1.  After reading the posts in this thread, my conclusion is that Windows Media Player has become infected.  Is that correct?  If so, I find that confusing, since the problem files that were identified are files that I have never, as I said above, played with WMP, although they were probably played using WMP by the previous owner of the computer.  And I have played other files with WMP (although, as I said above, rarely), that have not been identified by Avast as infected.

2.  There are times when I may need to use WMP.  I am part of a computer group that provides free help to members of the local community.  Is it possible that other audio files, currently stored on my computer (i.e, NOT downloaded) may become infected if I use WMP?