Author Topic: Problem Solve.. :) But, how avast! give name to viruses and worms??  (Read 13898 times)


marcjessa

  • Guest
 :-[ :-[

August 08, 2007


I am curious about several .exe files that are automatically running
on my computer.. at idle, draining my computer resources up to 85%!..

These programs are located and usually situated at:

C:\Documents and Settings\User\Local Settings\Temp

Programs are:

Ngsys.exe
system31.exe
runer.exe
rvshost.exe
Vel.exe
winzipt.exe
userint.exe
windxp.exe

And I tried so many times to delete them; still, after bootup
they are registered again..

I tried to scan them with Avast!, but it took no action.


Is it a virus or not??

kindly help me..

Thanks..


Image:

Signs and Symptoms

http://img505.imageshack.us/img505/4706/new1vm5.jpg

A Mad kenshin Himura Background in your WINDOWS folder.  ;D ;D ;D

http://img45.imageshack.us/img45/6563/new2yr5.jpg

Malicious files in Temp  8) 8) 8)

http://img252.imageshack.us/img252/2824/new3pf0.jpg

And A CRAWLING to HELL PC.. 100% DRAIN!!!   :o :o :o

« Last Edit: August 10, 2007, 05:47:11 PM by mattrex0220 »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: HELP!! VIRUS or NOT??
« Reply #1 on: August 08, 2007, 06:11:05 AM »
A Google search of the file names suggests that they are indeed infected files.

If they keep reappearing after deletion, they are probably in System Restore. More help will be coming.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: HELP!! VIRUS or NOT??
« Reply #2 on: August 08, 2007, 06:16:38 AM »
For now schedule a boot time scan. Send anything avast finds to the chest, don't delete! Report back what you have found. File names and paths, and what avast detected them as.

If you have already deleted these files, and they have returned, then turn off system restore before the boot time scan.

marcjessa

  • Guest
Re: HELP!! VIRUS or NOT??
« Reply #3 on: August 08, 2007, 06:18:51 AM »
hmm..


I already have a boot scan..

But, still avast! did not detect anything malicious on the file..

Hmm..  ???   ???   ???


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: HELP!! VIRUS or NOT??
« Reply #4 on: August 08, 2007, 06:38:08 AM »
Maybe a hijackthis log would help.

You can download hijackthis from here  http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Install it in its own folder on c:\. Run the scan and save the report. Don't fix anything. Post the report here. You may have to break it down into a couple of posts due to its size.

mauserme

  • Guest
Re: HELP!! VIRUS or NOT??
« Reply #5 on: August 08, 2007, 06:40:32 AM »
Quote from oldman: "Maybe a hijackthis log would help."
Yes, but first run ComboFix and post that log.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


Then Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

marcjessa

  • Guest
Re: HELP!! VIRUS or NOT??
« Reply #6 on: August 08, 2007, 01:46:30 PM »
Okay, i will do it..


Maybe tomorrow, i would send the data..  :)

marcjessa

  • Guest
Re: HELP!! VIRUS or NOT??
« Reply #7 on: August 08, 2007, 02:28:34 PM »
AVAST! Staff..

I already found out what attacked my system...



C:\Documents and Settings\Admin\Local Settings\Temp\Ngsys.exe is infected with W32.SillyDC 
C:\Documents and Settings\Admin\Local Settings\Temp\rvshost.exe is infected with W32.SillyDC 
C:\Documents and Settings\Admin\Local Settings\Temp\runer.exe is infected with W32.SillyDC 
C:\Documents and Settings\Admin\Local Settings\Temp\userint.exe is infected with W32.SillyDC 
C:\Documents and Settings\Admin\Local Settings\Temp\windxp.exe is infected with W32.SillyDC 
C:\Documents and Settings\Admin\Local Settings\Temp\winzipt.exe is infected with W32.SillyDC 
C:\Documents and Settings\Admin\Local Settings\Temp\system31.exe is infected with W32.SillyDC 
C:\Documents and Settings\Admin\Local Settings\Temp\Vel.exe is infected with W32.SillyDC 
C:\WINDOWS\system32\Restoration.msd is infected with W32.SillyDC

AND ITS INFECTING ALL WINDOW FILES!!!!

Why can't Avast! detect the worm W32.SillyDC???..

Other names of W32.SillyDC:

Virus.Win32.Autorun.cu [Kaspersky], W32/Generic!Floppy [McAfee], Trj/TaskKill.A [Panda Software], Mal/VB-F [Sophos], Worm/VB.BNI [AVG], TR/Agent.VB.AOA [Avira Antivir], Trojan.Agent.VB.AOA [BitDefender], Win32/Autorun.C [NOD32]

Definition:

Once executed, the worm creates a copy of itself in the %Windir% or %System% folder.

The worm then modifies the registry so that it is executed every time Windows starts. In most cases, the worm uses one or more of the common loading points to make sure that it runs when you start Windows. For information about common loading points, read one of these documents:


Is this a bug!???

Please.. make some move.. Need more VPS update..

Can avast! detect worm / spyware ?? or only Trojans and viruses??

Thanks avast!.

Hoping for response..  :-\ :-\ :-\

[I'm not in a hurry,  ;D ;D it is just my expression]  ;D ;D ;D Long live! Avast!

« Last Edit: August 08, 2007, 03:29:22 PM by mattrex0220 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HELP!! VIRUS or NOT??
« Reply #8 on: August 08, 2007, 02:33:50 PM »
Quote from marcjessa:
"Why can't Avast! detect the worm W32.SillyDC???..
Please.. make some move.. Need more VPS update..
Can avast! detect worm / spyware ?? or only Trojans and viruses??"

Can you send the samples to virus@avast.com?
You can zip and password the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks for helping improve detection.

@ Virus analyst team: how about hurrying up? ???

If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

4. If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

5. Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to online analysis would help to identify the problem and the solution.
« Last Edit: August 08, 2007, 02:35:27 PM by Tech »
The best things in life are free.
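
A triage sketch for the HijackThis log requested in this thread, added here as an example and not written by any poster or by the Avast team: it reads the log's O4 (autostart) lines and lists registry Run entries that launch an executable from a Temp directory, the pattern reported in the first post. The log lines are constructed samples, and the value names and the Example path are invented.

```python
import ntpath
import re

# Constructed sample in HijackThis "O4" (autostart) line format.
# Value names in [brackets] and the Example path are invented for illustration.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ngsys] C:\Documents and Settings\Admin\Local Settings\Temp\Ngsys.exe
O4 - HKLM\..\Run: [rvshost] "C:\Documents and Settings\Admin\Local Settings\Temp\rvshost.exe" /s
O4 - HKLM\..\RunOnce: [updater] C:\DOCUME~1\Admin\LOCALS~1\Temp\runer.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')
# Quoted path, or an unquoted path (may contain spaces) up to its extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|pif))\b', re.IGNORECASE)

def exe_path(command):
    """Return the executable path from an autostart command line, or None."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None

def temp_autostarts(log_text):
    """List (registry key, value name, file name) for autostarts run from Temp."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other sections, and O4 Startup-folder lines, are skipped
        hive, key, name, command = m.groups()
        path = exe_path(command)
        if path is None:
            continue
        # Match on a directory component so 8.3 short paths are caught too.
        dirs = ntpath.dirname(path).lower().split("\\")
        if "temp" in dirs:
            findings.append((hive + "\\" + key, name, ntpath.basename(path)))
    return findings

if __name__ == "__main__":
    for key, name, exe in temp_autostarts(SAMPLE_LOG):
        print(f"review: {key} [{name}] -> {exe} (runs from a Temp directory)")
```

A hit is a reason to quarantine and submit the file, as advised above, not proof of infection; installers sometimes register RunOnce entries from Temp legitimately.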

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: HELP!! VIRUS or NOT??
« Reply #9 on: August 08, 2007, 02:37:42 PM »
send the infected files from your temp directory to virus[at]avast[dot]com... i guess it's a new variant of old polymorphic SillyWR... i need your samples to make some reliable detection... it will be added to some of the next virus databases ;)

marcjessa

  • Guest
Re: HELP!! WORM ATTACK MY PC!!!
« Reply #10 on: August 08, 2007, 02:43:22 PM »
Okay, i send it using avast! chest..

marcjessa

  • Guest
Re: HELP!! WORM ATTACK MY PC!!!
« Reply #11 on: August 08, 2007, 02:46:10 PM »
Hmm..

Now i like avast!..

I like it..

I will help...

 ;D ;D ;D

I dump my NORTON.. hahaha..

 ;D ;D ;D

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: HELP!! WORM ATTACK MY PC!!!
« Reply #12 on: August 08, 2007, 03:09:39 PM »
already sent?
« Last Edit: August 08, 2007, 03:11:22 PM by Maxx_original »

marcjessa

  • Guest
Re: HELP!! WORM ATTACK MY PC!!!
« Reply #13 on: August 08, 2007, 03:12:09 PM »
Oops.. Yes, through yahoo mail.. i attach it..

I am at school right now so I can't use my pc..

hmm.. not receive any files??

i send it to virus@avast.com as you instructed..

 ??? ???

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: HELP!! WORM ATTACK MY PC!!!
« Reply #14 on: August 08, 2007, 03:20:03 PM »
great! got the files... there was some delay in requesting the chest files from you.. i'll take a look at them and let you know ;)