Author Topic: 1.reg trojan  (Read 5648 times)


adrian_nye

  • Guest
1.reg trojan
« on: November 12, 2007, 10:46:48 PM »

I stupidly ran a program containing this trojan, and Avast detected it but when
I clicked on "Move to Chest", the file was not found.  I tried rebooting and
Avast still detected the trojan during boot.   The symptom I was having was IE7 crashing.
I see there's a previous thread about this virus a month ago, but Avast still
detects it but does not stop it from infecting the system.

I restored my system to an earlier time (3 hours earlier) and rebooted
and Avast no longer detected the trojan.

My question is, what do I need to do to assure myself that this virus
is truly gone?  I have read that this trojan may have already sent my
personal information out and I don't want that to continue.

I have XP Media Center, with auto updates.  XP firewall on.

Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: 1.reg trojan
« Reply #1 on: November 13, 2007, 12:40:59 AM »
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.

Do you happen to have ccleaner set to clear temp folders on boot ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

adrian_nye

  • Guest
Re: 1.reg trojan
« Reply #2 on: November 13, 2007, 01:35:12 AM »
> What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
> Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.
>
> Do you happen to have ccleaner set to clear temp folders on boot ?

The message was "VBS: Malware-gen found in C:\DOCUME~1\ADRIAN~1\LOCAL~1\Temp\1.reg".
I doubt I have ccleaner set, since I don't know what/where that is.

Thanks for the help...


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: 1.reg trojan
« Reply #3 on: November 13, 2007, 01:54:27 AM »
It may be that the file is no longer in the temp folder so it can't be moved; this is usually a result of temp cleaners (ccleaner being one, but there are others), and there may be other settings that will clear temp folders.

If the file isn't physically in that location I would think you are OK. I would suggest that you clear all temp folders (ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner); don't enable clearing temp folders on boot.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1.  If using WinXP: SUPERAntiSpyware (on-demand only in the free version), or AVG Anti-Spyware (formerly Ewido; resident scanner during the trial, on-demand after the trial ends), or Spyware Terminator (resident scanner).

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes: in the Program Control configuration area, the slider only goes as far as Medium protection, and if you want more you have to buy the Pro version.
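A check a practitioner would want at this point, added here as an example and not part of the original thread or of any avast tooling: before trusting that a detected .reg file is gone, confirm whether it still exists at the path the scanner logged and, if a copy is available, read what it would have written to the registry. The parser below handles the Registration Entries format (REGEDIT4 and "Windows Registry Editor Version 5.00" headers, string/dword/hex values, wrapped hex lines, key and value deletions) and flags writes to the usual autorun and browser-hijack locations. The sample file is constructed for illustration; it is not the contents of the 1.reg discussed in the thread, which the thread never shows.

```python
import os
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Registry locations commonly abused for persistence or browser hijacking.
# Matched as case-insensitive substrings of the key path, so HKLM and HKCU both hit.
PERSISTENCE_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
    r"\Software\Microsoft\Internet Explorer\Main",   # Start Page / Search Page hijacks
)

# "Name"=data or @=data (the key's default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _parse_data(raw, utf16):
    raw = raw.strip()
    if raw == "-":
        return "delete", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r'hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', raw, re.IGNORECASE)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(m.group(1), "REG_BINARY")
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):
            # v5.00 files store these as UTF-16LE; REGEDIT4 files use the ANSI code page
            text = data.decode("utf-16-le" if utf16 else "cp1252", "replace")
            return kind, text.rstrip("\0")
        return kind, data
    return "UNKNOWN", raw


def parse_reg(text):
    """Return the list of operations a .reg file would apply when merged."""
    lines = text.lstrip("\ufeff").splitlines()
    header = lines[0].strip() if lines else ""
    if header not in HEADERS:
        raise ValueError("not a Registration Entries file: %r" % header)
    utf16 = header != "REGEDIT4"

    # Join physical lines ending in a backslash (regedit wraps hex data this way).
    logical, buf = [], ""
    for line in lines[1:]:
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        logical.append(buf + line.strip())
        buf = ""

    ops, key = [], None
    for line in logical:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):            # [-HKEY...] deletes the whole key
                ops.append({"op": "delete_key", "key": name[1:]})
                key = None
            else:
                key = name
                ops.append({"op": "create_key", "key": key})
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        vname = "" if m.group(1) is None else _unescape(m.group(1))
        kind, data = _parse_data(m.group(2), utf16)
        op = "delete_value" if kind == "delete" else "set_value"
        ops.append({"op": op, "key": key, "name": vname, "type": kind, "data": data})
    return ops


def flag_persistence(ops):
    """Return the value writes that land in a known autorun/hijack location."""
    hits = []
    for op in ops:
        if op["op"] != "set_value":
            continue
        k = op["key"].lower()
        if any(p.lower() in k for p in PERSISTENCE_KEYS):
            hits.append((op["key"], op["name"], op["data"]))
    return hits


def still_on_disk(path):
    """True if the file the scanner reported is still present at that path
    (8.3 short names such as C:\\DOCUME~1\\...\\Temp\\1.reg resolve on Windows)."""
    return os.path.isfile(path)


# Constructed sample, not the 1.reg from the thread: one autorun entry, one IE
# start-page hijack, one Winlogon Shell value stored as hex(2), plus a benign
# write and two deletions to show the parser handles them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example/redirect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=hex(2):65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,00,00

[HKEY_CURRENT_USER\Software\Example]
"Harmless"=dword:00000001
"OldValue"=-

[-HKEY_CURRENT_USER\Software\Example\Stale]
"""

if __name__ == "__main__":
    for key, name, data in flag_persistence(parse_reg(SAMPLE_REG)):
        print("PERSISTENCE  %s\\%s = %r" % (key, name, data))
    print("still on disk:", still_on_disk(r"C:\DOCUME~1\ADRIAN~1\LOCAL~1\Temp\1.reg"))
```

If the file is no longer on disk, the parse step is moot and the question becomes whether it was merged before it vanished; the same PERSISTENCE_KEYS list is where to look in the live registry with regedit, because a .reg dropper has no effect until something imports it.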

adrian_nye

  • Guest
Re: 1.reg trojan
« Reply #4 on: November 13, 2007, 06:46:32 AM »

Thanks for the advice.  I will try Comodo.

But I think you may have missed one point.  All the people who get this virus report the same thing, that Avast detects it but it is already moved somewhere else when Avast tries to put it in the chest, so it is still on the system.  It seems pretty clear the virus itself is moving or hiding it, not some system utility.

That seems like something the people at Avast might want to work on fixing.  If more viruses learn that trick it will be big trouble.
Right now, what happens is that Avast is not protecting, it is just notifying you: congratulations, you now have a virus that steals your personal info and is hard to get rid of!

Also I still need some reliable way of knowing if this thing might still be hiding
somewhere.  I have tried numerous spyware programs and none of them are finding
anything, so I guess I'm ok.

tsilo

  • Guest
Re: 1.reg trojan
« Reply #5 on: November 13, 2007, 08:58:54 AM »
Avast! doesn't have an anti-rootkit tool... so it's not good enough at this point  :-\

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: 1.reg trojan
« Reply #6 on: November 13, 2007, 11:49:30 AM »
> Avast! doesn't have an anti-rootkit tool... so it's not good enough at this point  :-\
Sure, but there are others that have, for free, and you could give them a try.
Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: 1.reg trojan
« Reply #7 on: November 13, 2007, 03:04:58 PM »
Also F-Secure Blacklight, may not always be available, http://www.f-secure.com/blacklight.
« Last Edit: November 13, 2007, 03:06:50 PM by DavidR »

adrian_nye

  • Guest
Re: 1.reg trojan
« Reply #8 on: November 13, 2007, 07:43:27 PM »

I tried the anti-rootkit tools and it looks like I'm clean. 

For future reference, for anyone else who gets this problem, Panda said I had the Downloader.MDW trojan.
Once I put in the Comodo firewall, I discovered BitTorrent was connecting to numerous IP addresses with no torrents active.  I don't know enough to determine which of these were valid, so I uninstalled it.

The only thing left on my system according to Panda is adware/cws in one of
my favorites folders (but there's nothing there).  I tried cwshredder and it
did not find anything.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: 1.reg trojan
« Reply #9 on: November 13, 2007, 07:51:39 PM »
Check the IP addresses with a reverse IP check, or use something like win32whois.exe (http://www.gena01.com/win32whois/), a little program that runs the reverse IP check.

I don't use any P2P application, but is there not some form of connection to check updates or communication if you share files, etc. ?

I would tend to believe cwshredder, a specialist tool for the cws adware.
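An added example (Python, not from the thread and not the win32whois tool) of how to do the check DavidR describes: take the `netstat -ano` listing, keep only the remote addresses of the BitTorrent client's PID that are neither local nor listening sockets, and run a reverse DNS lookup on each. The netstat sample is constructed and uses RFC 5737 documentation addresses as stand-ins for real peers; the `resolver` parameter lets you substitute another lookup, or a canned table for offline use.

```python
import ipaddress
import re
import socket

# netstat -ano row: proto, local, foreign, optional state (UDP rows have none), PID
ROW_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$')

# Addresses that are not Internet peers: RFC 1918, loopback, link-local, unspecified.
# Listed explicitly rather than via ipaddress.is_private so that the documentation
# ranges used as stand-ins below are treated as remote, the way a real peer would be.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10",
)]


def _host(addr):
    # "1.2.3.4:80" or "[::1]:80"; netstat prints "*:*" for unbound UDP sockets
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def is_local(ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in LOCAL_NETS)


def remote_peers(netstat_text, pid):
    """Distinct non-local remote IPs that process `pid` has connections to."""
    peers = set()
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m or int(m.group(5)) != pid:
            continue
        _proto, _local, foreign, state, _pid = m.groups()
        if state == "LISTENING":
            continue
        try:
            ip = ipaddress.ip_address(_host(foreign))
        except ValueError:          # "*" or an unresolvable token, not an address
            continue
        if ip.is_unspecified or is_local(str(ip)):
            continue
        peers.add(str(ip))
    return sorted(peers, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))


def reverse_dns(ip):
    """PTR lookup; None when the IP has no reverse record or DNS is unreachable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                 # socket.herror / gaierror are OSError subclasses
        return None


def triage(netstat_text, pid, resolver=reverse_dns):
    """[(ip, hostname_or_None)] for the process; pass a resolver to work offline."""
    return [(ip, resolver(ip)) for ip in remote_peers(netstat_text, pid)]


# Constructed sample of `netstat -ano` output. PID 1822 stands in for the BitTorrent
# client; 198.51.100.x and 203.0.113.x are documentation addresses, not real peers.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING       1822
  TCP    192.168.1.5:1037       198.51.100.23:80       ESTABLISHED     1822
  TCP    192.168.1.5:1041       192.168.1.10:445       ESTABLISHED     4
  TCP    127.0.0.1:1045         127.0.0.1:1046         ESTABLISHED     1822
  TCP    192.168.1.5:1050       203.0.113.17:51413     ESTABLISHED     1822
  TCP    192.168.1.5:1052       203.0.113.17:6881      TIME_WAIT       0
  UDP    0.0.0.0:6881           *:*                                    1822
"""

if __name__ == "__main__":
    for ip, name in triage(SAMPLE_NETSTAT, 1822):
        print("%-16s %s" % (ip, name or "(no PTR record)"))
```

A PTR name is only a hint: whoever controls the address range chooses it, and many residential peers have none, so for anything that looks odd the next step is a whois on the netblock. Note also that a BitTorrent client with DHT enabled keeps exchanging traffic with other nodes even when no torrent is active, so a long list of peers is not by itself evidence that the client was compromised.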

adrian_nye

  • Guest
Re: 1.reg trojan
« Reply #10 on: November 13, 2007, 09:45:03 PM »
> I would tend to believe cwshredder, a specialist tool for the cws adware.

Yes, my point was that cwshredder did NOT remove the cws adware that Panda says is on my system.

mauserme

  • Guest
Re: 1.reg trojan
« Reply #11 on: November 14, 2007, 01:56:12 PM »
There are many cws related sites and it's possible you have one of these saved as a favorite without knowing it.  I'm not sure, but I think cws shredder does not look at your favorites; it only looks for active infection, which might explain why Panda saw something that cws shredder didn't.

This domain list is pretty old but it illustrates the point:

http://www.spywareinfo.com/~merijn/junk/cws_domains.txt


If you want to post a DSS log I'll take a look.

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.
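Following mauserme's point that a hijacker domain may be sitting in a saved favorite that no active-infection scanner looks at, here is an added example (Python, not from the thread, and not Panda's or CWShredder's logic) that reads Internet Shortcut (.url) files under the Favorites folder and reports any whose host is, or is a subdomain of, an entry in a domain blocklist such as the one linked above. The favorites and the blocklist below are constructed for illustration; the real cws_domains.txt is not reproduced here.

```python
import os
from urllib.parse import urlsplit


def load_blocklist(text):
    """One domain per line; blank lines and # comments ignored; normalised to lowercase."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def url_from_shortcut(text):
    """URL= from the [InternetShortcut] section of a .url file, or None if absent."""
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s.lower() == "[internetshortcut]"
        elif in_section and s.lower().startswith("url="):
            return s[4:].strip()
    return None


def matching_domain(url, blocklist):
    """Blocklisted domain equal to, or a parent of, the URL's host; None if no match."""
    host = (urlsplit(url).hostname or "").rstrip(".")   # .hostname is already lowercased
    while host:
        if host in blocklist:
            return host
        host = host.partition(".")[2]                   # strip one label and retry
    return None


def scan_favorites(files, blocklist):
    """files: {path: content}. Returns [(path, url, matched_domain)] sorted by path."""
    hits = []
    for path, content in sorted(files.items()):
        if not path.lower().endswith(".url"):
            continue
        url = url_from_shortcut(content)
        if url is None:
            continue
        domain = matching_domain(url, blocklist)
        if domain:
            hits.append((path, url, domain))
    return hits


def read_favorites(root):
    r"""Read every .url under a folder, e.g. os.path.expandvars(r"%USERPROFILE%\Favorites")."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".url"):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="cp1252", errors="replace") as fh:
                    files[path] = fh.read()
    return files


# Constructed blocklist and favorites (not the real list the thread links to).
SAMPLE_BLOCKLIST = """\
# hijacker search/redirect domains (constructed)
search-hijack.example
cws-redirect.example
"""

SAMPLE_FAVORITES = {
    r"C:\Documents and Settings\user\Favorites\Links\News.url":
        "[InternetShortcut]\r\nURL=http://news.example/\r\n",
    r"C:\Documents and Settings\user\Favorites\Search the Web.url":
        "[InternetShortcut]\r\nURL=http://go.search-hijack.example/cgi-bin/s.cgi?q=\r\nIconIndex=0\r\n",
    r"C:\Documents and Settings\user\Favorites\Links\Free Stuff.url":
        "[DEFAULT]\r\nBASEURL=http://cws-redirect.example/\r\n[InternetShortcut]\r\nURL=HTTP://CWS-REDIRECT.EXAMPLE/offers\r\n",
    r"C:\Documents and Settings\user\Favorites\desktop.ini":
        "[.ShellClassInfo]\r\n",
}

if __name__ == "__main__":
    # On a real machine: scan_favorites(read_favorites(r"C:\Documents and Settings\user\Favorites"), ...)
    for path, url, domain in scan_favorites(SAMPLE_FAVORITES, load_blocklist(SAMPLE_BLOCKLIST)):
        print("%s\n    %s  (matches %s)" % (path, url, domain))
```

Matching on the host's parent labels matters because hijacker favorites usually point at a subdomain (go.search-hijack.example) rather than the bare domain in the list; the scan also walks Favorites' subfolders, which is where a stray entry is easiest to overlook.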