Author Topic: what to do..?? found.. DAME (Dark Angel M.E.)  (Read 21044 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #15 on: June 18, 2007, 09:14:17 PM »
Quote
Hey Tech, im wondering now should i do what you were saying first, or should i do as essexboy said and fix the registry value first.. im new to all of this [playing with registry values].. but im willing to learn.. Thanks for all your patience, all of you!!   ;D
Always follow essexboy first than I. He's a cleaning/malware expert. I'm not. I was just trying to give you a follow up of the cleaning procedure. But, care, maybe it's a false positive as Frank said. You can update your virus database (VPS) again and see if the last ones correct this detection or, on contrary, confirms the infection.
The best things in life are free.

KAZMANIA

  • Guest
have same prob....
« Reply #16 on: June 20, 2007, 06:22:44 PM »
hi all

i am new to this site. didn't know it existed. ::)

anyway im experiencing the same problem as christa and was wondering whether i should follow the same procedures.

thank you all.

kaz

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #17 on: June 20, 2007, 08:41:27 PM »
Hi KAZMANIA,

If it's DAME in members.stg, it looks like a false alarm. Follow David's advice here:

http://forum.avast.com/index.php?topic=28883.msg236485#msg236485
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

KAZMANIA

  • Guest
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #18 on: June 21, 2007, 01:01:31 AM »
thank you fwf,

but you won't believe this. i left the pc on, my gf did something and it's gone! i've run the avast virus checker on standard and thorough and still picked up nothing! is this possible with "DAME" or has it hidden somewhere where it cannot be found? she said she deleted it or moved it to the chest but there is nothing in the chest. i don't know. let me know what you think.


kaz

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #19 on: June 21, 2007, 01:48:10 AM »
Where was it located originally, then check if it is still there ?
check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

It is possible that she moved/renamed and not moved to the chest, check the C:\Program Files\Alwil Software\Avast4\DATA\moved folder ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

KAZMANIA

  • Guest
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #20 on: June 21, 2007, 01:03:32 PM »
hi david

i checked the moved folder and there is nothing there.

this is where the file is:

c:\documents and settings\kaz\local settings\application data\microsoft\windows live contacts\[so and so]@hotmail.com\real\members.stg\ -55735052" file

i believe this file is still there. i found it. but under properties of that folder i cant find the numerics '-55735052"file'. i don't know if these numerics need to be found to identify but the rest of file path takes me to  "members.stg"

thank you for your help
kaz

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #21 on: June 21, 2007, 01:17:50 PM »
The false positive may well have been corrected.

members.stg is a database file of contact's personal information. The numerical tag is probably not a file but probably some sort of descriptor.

DAME is a virus dating back to 1993- such detections are often FP's.

If the FP hasn't been corrected by avast!, changes to the database file caused by adding, removing or updating contact details may have changed the character sequence causing the detection.

If avast! has moved the file, you will have lost your contact details in Windows Live Messenger, so you will need to restore the file.

Add it to the exclusions list to prevent detection if the FP has not been corrected.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #22 on: June 21, 2007, 03:32:17 PM »
I would agree with Frank, if the file is still in the original location and undetected then the FP looks like it has been corrected. Do a right click context menu scan (in explorer) on the members.stg file to confirm it is clear.

The numerics file, \ -55735052, I believe is inside the members.stg that is why you can't see it.

KAZMANIA

  • Guest
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #23 on: June 22, 2007, 04:19:21 PM »
hi all

another prob. my pc has slowed down dramatically when using the internet since the virus. it has never run this slow. could there be any relation at all?

i just use my laptop for assignments and some surfing.

thank you

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #24 on: June 22, 2007, 04:30:09 PM »
Quote
could there be any relation at all?
Yes, it could. But you need to scan your computer again (avast, AVGas, a-squared, Spyware Terminator...) and take a new HijackThis log.

vladabgd

  • Guest
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #25 on: September 10, 2007, 12:04:30 AM »
Hi there,

Same problem and since it was more than 2-3 months when this topic was made and there were no adjustments to viral database in Avast,can anyone tell me is this still false positive cuz i got this same virus alert yesterday.  ???

i checked it on virustotal and avast was the only one who detected it.


Any suggestions?Help?Oh yes,maybe i'm trippin but my pc slowed down. :/

EDIT : HJT log is attached
« Last Edit: September 10, 2007, 12:10:52 AM by vladabgd »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #26 on: September 10, 2007, 01:05:13 AM »
Quote
i checked it on virustotal and avast was the only one who detected it.
Most probably...
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits, 10 MB and 15 MB respectively.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful: you should not 'exclude' so many files that your system is left in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file -  there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
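The warning above about wildcard exclusions is easy to get wrong: a pattern meant to cover one members.stg can silently switch off on-access scanning for a whole profile. The script below is an added example (not code from this thread, from Avast or from ALWIL) that evaluates a list of exclusion patterns against a constructed file inventory and reports every path a pattern excludes beyond the one you intended. It models the wildcard rules with Python's fnmatch (case-insensitive, * and ? only); that semantics is an assumption standing in for the scanner's own matcher.

```python
import fnmatch

# Constructed sample inventory for this example; these are not files from any
# real machine, only paths shaped like the ones discussed in the thread.
SAMPLE_FILES = [
    r"C:\Documents and Settings\kaz\Local Settings\Application Data\Microsoft\Windows Live Contacts\user@hotmail.com\real\members.stg",
    r"C:\Documents and Settings\kaz\Local Settings\Application Data\Microsoft\Windows Live Contacts\user@hotmail.com\real\index.stg",
    r"C:\Documents and Settings\kaz\Local Settings\Temp\setup.exe",
    r"C:\Documents and Settings\kaz\My Documents\assignment.doc",
    r"C:\WINDOWS\system32\kernel32.dll",
]


def matches(pattern, path):
    """Case-insensitive wildcard match where only '*' and '?' are special.

    fnmatch semantics are an assumption; the real scanner may differ in
    details such as whether '*' crosses directory separators (here it does).
    """
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def review_exclusions(patterns, files, intended):
    """Report, per pattern, what it excludes and what it excludes beyond `intended`.

    `intended` is the set of paths you actually meant to exclude; anything else
    a pattern matches is 'overreach' and is a blind spot for on-access scanning.
    """
    wanted = {p.lower() for p in intended}
    report = {}
    for pattern in patterns:
        excluded = [f for f in files if matches(pattern, f)]
        report[pattern] = {
            "excluded": excluded,
            "overreach": [f for f in excluded if f.lower() not in wanted],
        }
    return report


if __name__ == "__main__":
    candidates = [
        r"*\real\members.stg",                 # narrow: one file name under one folder
        r"*.stg",                              # wider: every .stg on the machine
        r"C:\Documents and Settings\kaz\*",    # far too wide: the whole profile
    ]
    for pat, result in review_exclusions(candidates, SAMPLE_FILES, [SAMPLE_FILES[0]]).items():
        print(f"{pat}\n  excludes {len(result['excluded'])} file(s), "
              f"{len(result['overreach'])} beyond the intended one")
        for extra in result["overreach"]:
            print(f"    blind spot: {extra}")
```

The first pattern is the shape to prefer: it pins the file name and its parent folder, so the report shows no overreach. The second already hides a second database file, and the third hides a Temp directory and user documents, which is exactly the "system left in danger" case the post warns about.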

vladabgd

  • Guest
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #27 on: September 10, 2007, 01:59:55 AM »
Thanks,I just did that. ;)

Can you please check my HJT log to see if there's something wrong going on there?

big thnks in advance. ;]

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #28 on: September 10, 2007, 03:19:26 AM »
Quote
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.

I have just had a quick look at it and the most obvious sign to me is this.
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)

Even though the file is reported missing that may not be the case it could be being hidden by a rootkit.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.

- BlackLight - It can detect rootkits like Rootkit Revealer but can also remove them. http://www.f-secure.com/blacklight/
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip .
- AVG ANTI-ROOTKIT - AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.

A google search for vturs.dll indicates this may be a Vundo infection.
Here are the cleansing instructions for Vundo/Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

- VirtumundoBegone (if VundoFix does not work) - http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Also
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hawgwnsb.exe (file missing) - This file name returns zero hits in a google search, which is suspicious in its own right.

Did you make these entries in your HOSTS file for the oink.me.uk ?

uluay

  • Guest
Re: what to do..?? found.. DAME (Dark Angel M.E.)
« Reply #29 on: October 10, 2007, 08:58:53 PM »
this is my log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:46, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{7A-A5-56-67-ZN}] C:\Documents and Settings\ALİYE\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - Startup: TA_Start.lnk = ?
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://aliyekilic.spaces.live.com//PhotoUpload/MsnPUpld.cab
O20 - AppInit_DLLs:  sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 5372 bytes

help me sooonnn
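The checks DavidR applies by eye in Reply #28 (a Winlogon Notify DLL reported missing, a service with an unknown owner and no file) and the entries that stand out in the log just above (an AppInit_DLLs value repeating one DLL five times, a Run entry launching from Local Settings\Temp) are the same few heuristics every time. The script below is an added example, not part of this thread and not HijackThis code, that parses HijackThis lines and applies those heuristics. The sample lines are the O2, O4, O20 and O23 entries copied from the two logs in this thread plus two benign avast! entries as controls; the severity labels and reasons are the example's own.

```python
import re

# Constructed sample for this example: the flagged-looking entries are copied
# from the two HijackThis logs posted in this thread; the avast! lines are
# benign controls that the heuristics must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{7A-A5-56-67-ZN}] C:\Documents and Settings\ALİYE\Local Settings\Temp\TIP2D002.exe P2D002
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
O20 - AppInit_DLLs:  sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hawgwnsb.exe (file missing)
"""

HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"
_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")


def triage_line(line):
    """Parse one HijackThis line.

    Returns (section, body, [(severity, reason), ...]) or None when the line
    is not an HJT entry (headers, process list, blank lines).
    """
    m = _LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = "(file missing)" in body or "(no file)" in body
    findings = []

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:  # this value is normally empty on a clean XP box
            reason = "AppInit_DLLs set: every process that loads user32.dll loads these"
            if len(dlls) != len(set(dlls)):
                reason += f" (same DLL listed {len(dlls)} times)"
            findings.append((HIGH, reason))
    elif section == "O20" and body.startswith("Winlogon Notify:"):
        if missing:
            # The registry still references the DLL; a missing file may mean it
            # was deleted, or that it is present but hidden from the file API.
            findings.append((HIGH, "Winlogon Notify DLL reported missing: "
                                   "deleted, or hidden by a rootkit"))
        else:
            findings.append((MEDIUM, "Winlogon Notify DLL loads into winlogon.exe; "
                                     "verify publisher"))
    elif section == "O23" and "Unknown owner" in body:
        reason = "service with no publisher information"
        if missing:
            reason += ", binary missing"
        findings.append((HIGH if missing else MEDIUM, reason))
    elif section == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
        findings.append((HIGH, "autorun entry launches an executable from a Temp directory"))
    elif section == "O2" and missing:
        findings.append((LOW, "dangling BHO registration with no file; harmless but worth removing"))
    return section, body, findings


def triage_log(text):
    """Return every flagged entry as a dict, highest severity first."""
    order = {HIGH: 0, MEDIUM: 1, LOW: 2}
    out = []
    for line in text.splitlines():
        parsed = triage_line(line)
        if not parsed:
            continue
        section, _body, findings = parsed
        for severity, reason in findings:
            out.append({"severity": severity, "section": section,
                        "reason": reason, "line": line.strip()})
    return sorted(out, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}\n         {f['line']}")
```

Run against a full log (`triage_log(open("hijackthis.log").read())`), the benign avast! entries produce nothing, while the four entries discussed in the thread come out as HIGH and the empty BHO as LOW. The heuristics are deliberately conservative string checks; they shortlist lines for a human reviewer, they do not declare an infection, which is also how the advice in Reply #28 is framed.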