Topic: Win32 malware

crabb
Win32 malware
« on: June 27, 2008, 03:00:56 PM »
avast! detected two types of malware on my system, Win32:Agent-ZIW [Drp] and Win32:Adware-gen [Adw]. I moved these to the chest, but the next time I started my computer, avast! detected them again (typically, 2 or 3 exe files for each). I have a trojan searcher, Spybot, which didn't pick up either one, though it did find a couple of problems that I suspect were related to these bugs because a previous scan was clean and I hadn't even gone online. However, fixing these didn't take care of the problem, as the next time I started the computer, they were back again. Based on some advice I found online, I disabled System Restore (using "Apply"), ran both programs, and restarted the computer. This time, I did not receive any malware messages, and another full avast! scan turned up nothing. I reactivated System Restore, and hope the problem is gone. Is there another free trojan hunter I should install to look for these baddies to make sure they're gone? Obviously Spybot didn't get them. Also, is there anything else I can do to double-check that they are indeed gone? Thanks for any help you can provide.

DavidR
Re: Win32 malware
« Reply #1 on: June 27, 2008, 03:56:27 PM »
Hopefully it is because system restore was enabled or that it somehow protected the files, so they weren't actually moved to the chest.

What is the infected file name/s, where was it found e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
SUPERantispyware On-Demand only in free version.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

crabb
Re: Win32 malware
« Reply #2 on: June 27, 2008, 04:11:43 PM »
Thanks, David, I'm at work now, and the problems are on my home PC; unfortunately I only noted the virus (trojan) names. The actual infected files were different each time. I will make a note of them tonight. I will also install the program you recommend and run that--I have heard good things about it. Thanks for your suggestions in the meantime.

DavidR
Re: Win32 malware
« Reply #3 on: June 27, 2008, 04:25:24 PM »
If they were different each time then it is likely there is an undetected or hidden element involved, hopefully SAS can find that.

What is your firewall, as it could stop malware being downloaded?

Welcome to the forums.

crabb
Re: Win32 malware
« Reply #4 on: June 27, 2008, 04:47:06 PM »
Got me again, David---though I do have a firewall "on." (I can't vouch for its quality.) I will gather the details about that as well tonight and report back, though very likely it's not a particularly good one.

DavidR
Re: Win32 malware
« Reply #5 on: June 27, 2008, 06:35:56 PM »
It should be capable of blocking unauthorised outbound Internet Connections.

Windows XP's firewall is better than no firewall, but it lulls you into a false sense of protection: it doesn't provide outbound protection.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

crabb
Re: Win32 malware
« Reply #6 on: June 27, 2008, 08:16:42 PM »
I will indeed consider it, David, thank you. This whole experience has quite opened my eyes. I'm a casual user and this is, believe it or not, the first time that something has gotten into my system (that I know about) and refused to leave, and now I know firsthand the feeling of violation that underlies forums like this. Thankfully there are good souls out there like yourself willing to help the technically challenged. I will likely not get to the PC tonight, but over the weekend I will follow up on your recommendations, review the various logs, and report what I find.

DavidR
Re: Win32 malware
« Reply #7 on: June 27, 2008, 09:33:12 PM »
You're welcome, till then.

crabb
Re: Win32 malware
« Reply #8 on: June 28, 2008, 06:35:39 PM »
Hi, David! Here's a preliminary report---very interesting. When the computer started up, again no problems; scans by avast! and Spybot turned up nothing. Apparently disabling the System Restore and then doing the AV scans/fixes did something--the 2 threats my system was wrestling with were at least temporarily inert. I did find out how to access the logs for both and can share them if necessary. However, it may not. As you suggested, I downloaded and ran superantispyware, and it detected both threats--and only those two. They were identified slightly differently than they were by avast! ("MyWay Search Assistant Computers" and "Adware tracking cookie" by SAS vs. "Win32:Agent-ZIW" and "Win32:Adware-gen" by avast!) but I believe they are the same. I quarantined the items (14 registry items and 3 files), and when the system rebooted again no bells or whistles went off. At this point, I feel confident that the threats are gone, or at least disabled. Obviously I will keep a close watch on things. As far as the firewall, yes it's the standard Windows XP one, as far as I can tell, but I'm a little concerned about improperly installing a third-party firewall, or having one cause as many problems as it prevents; I've read that that can happen. If it makes any difference, my computer actually connects via a wireless router to another home PC (connected via modem) with its own Norton (paid version--I'm a cheapie; we only use armor on the other one, which has all personal and financial data) security system, and I don't know whether installing another firewall will in any way interfere with the Internet connection. If there's little or no risk of this, please suggest a firewall compatible with my system and its various (all free) security blankets. One thing that concerns me is that avast! detected both of the malware that got into my system, and allowed me to move both into the chest, but did not effectively remove it. Thanks for your patience!

DavidR
Re: Win32 malware
« Reply #9 on: June 28, 2008, 07:08:12 PM »
Sorry when I see big blocks of text without paragraphs (and some white space) it sends my eyes batty and I simply can't concentrate to read it.

CharleyO
Re: Win32 malware
« Reply #10 on: June 30, 2008, 09:05:26 AM »
Hi, David! Here's a preliminary report---very interesting. When the computer started up, again no problems; scans by avast! and Spybot turned up nothing. Apparently disabling the System Restore and then doing the AV scans/fixes did something--the 2 threats my system was wrestling with were at least temporarily inert. I did find out how to access the logs for both and can share them if necessary.

However, it may not. As you suggested, I downloaded and ran superantispyware, and it detected both threats--and only those two. They were identified slightly differently than they were by avast! ("MyWay Search Assistant Computers" and "Adware tracking cookie" by SAS vs. "Win32:Agent-ZIW" and "Win32:Adware-gen" by avast!) but I believe they are the same. I quarantined the items (14 registry items and 3 files), and when the system rebooted again no bells or whistles went off.

At this point, I feel confident that the threats are gone, or at least disabled. Obviously I will keep a close watch on things. As far as the firewall, yes it's the standard Windows XP one, as far as I can tell, but I'm a little concerned about improperly installing a third-party firewall, or having one cause as many problems as it prevents; I've read that that can happen.

If it makes any difference, my computer actually connects via a wireless router to another home PC (connected via modem) with its own Norton (paid version--I'm a cheapie; we only use armor on the other one, which has all personal and financial data) security system, and I don't know whether installing another firewall will in any way interfere with the Internet connection. If there's little or no risk of this, please suggest a firewall compatible with my system and its various (all free) security blankets.

One thing that concerns me is that avast! detected both of the malware that got into my system, and allowed me to move both into the chest, but did not effectively remove it. Thanks for your patience!

Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

DavidR
Re: Win32 malware
« Reply #11 on: June 30, 2008, 01:34:30 PM »
Thanks CharleyO

1. If disabling system restore allows a scan to complete it could indicate that it is a permission problem, but you should have got an error.

2. Tracking cookies are more a privacy issue and not a serious one either, in SAS scan settings I uncheck the tracking cookies option as a waste of resources (IMHO). Since avast doesn't even look at cookies I don't believe these are the same, the only way they could be considered the same is if they were on the same file name and location. The My Way is considered by many as adware as it collects data that is used by marketing companies. So I would suggest getting rid of the MyWaySearchAssistant.

3. It does appear that they have gone and it is good to have the two applications, avast and SAS, as they look for slightly different things so they complement each other. This doesn't mean that all systems on the network are clean.

4. The method of connection shouldn't make a difference as your system is independent of the system providing the internet connection. Adding a firewall will not (should not) interfere as it doesn't reach out beyond your system going to the router, it would have little inbound work as the router should cover that. However, routers with firewalls unless stated don't provide outbound protection, so the condition of malware connecting to the internet is still possible and a connection initiated from your system would be let back in by the router.

5. I don't know how it could move it to the chest but not remove it, that generally indicates that it is being reproduced by a hidden element (note the bit above about malware connecting to the internet) on your system or possibly something on the network, so avast would continually be catching it. Hopefully SAS caught the hidden element, though I don't think so based on what you said it found.

crabb
Re: Win32 malware
« Reply #12 on: June 30, 2008, 03:41:58 PM »
Thanks for your kind reply, David---sorry about the long paragraph; I won't do that again!

I ran avast!, SAS, and Spybot each time I started up the computer over the weekend and still got nothing. I haven't noticed anything unusual, though there's a nagging concern (paranoia?) that some damage was done somewhere--by me. I forgot to mention that the first time avast! picked up one of the trojans, I panicked and clicked "delete." The computer then, on its own, rebooted, and the problems began of avast! and Spybot catching malware each time shortly after I started the computer. I now realize it's always best to quarantine. The next time avast! caught the malware, I quarantined it.

Interestingly, the exact same files that avast! put in the chest also appear in the "System files" folder; the interface indicated "no virus" for these, however, and attempting to "restore" what I thought might be important files resulted in an error message--the files were being used by the system. All very confusing to me. In any case, I've left everything alone.

Is there an easy way to run a check on your system (particularly the registry) to see whether any significant (but currently nonevident) damage was done in my fumbling attempts to deal with this?

DavidR
Re: Win32 malware
« Reply #13 on: June 30, 2008, 05:20:33 PM »
You're welcome.

There is always a nagging doubt after an infection that there might be more, you can only take reasonable precautions and run a few checks which you have. Just monitor your system a little closer for a few days and see if there any unusual occurrences.

When system restore is enabled, files removed or deleted from the system folders 'may' end up being placed in the system volume information folder as a restore point (that is the point of system restore and can be a pain in the rear for removing infected files). avast! is normally good at removing files from the system folders without the restore point being created, but sometimes that will happen and on subsequent scans these will be detected; let avast send those to the chest also.

I dare say there is a tool out there somewhere (google) to check for registry corruption or validity, but I don't know of any or use any. There are any number of registry cleaners, but they are more looking for invalid entries, e.g. applications or files that have been removed but a registry entry still exists. I don't think that these check against registry corruption though.

Playing in the registry is a dangerous hobby, especially if you aren't really sure what entries might do, so using a registry cleaner is probably better advised, but these too can cause issues. I use RegSeeker, it is a very powerful tool but not one that is very user friendly, you still have to know what the impact might be for selecting an entry for deletion.

Prior to doing any work in the registry it is advisable to back it up, use your friend google and search for ERUNT which is a free registry back-up tool.

crabb
Re: Win32 malware
« Reply #14 on: July 01, 2008, 05:23:49 PM »
Thanks, David--I think I'm too much of an amateur to monkey around with the registry. Unless I begin experiencing more problems, I'd do better to leave enough alone. Thanks again for your help. I have much yet to learn, but I've also learned a lot.
