Malware-gen, Trojan-gen and Advare-gen... plase, help!

[nosirrah]

Trojan.Extension.Exploit

There are two ways this hits :

Those fake spam docs named anything like movie.mpg                                                                                             .exe . These are the ones that use loads of spaces to hide the exe .

Doc/media extensions on files with MZ . For example movie.mpg that is actually executable will get flagged .

[Jowita]

do not worry about too many apps
the only one that loads at boot is Avast
the rest are just "ON Demand" and each has their good points- as you have seen

I thought also SuperAntiSpyware, because its window pops up just after the desktop appears.

you made the MBAM news   you gotta find out if this is new stuff or just finding older stuff with latest detections
Trojan.Extension.Exploit. Date spotted: First seen on 2008-09-08. Last seen on 2008-09-10

Do you mean in that .doc file? I deleted this Word file permanently, didn't need it anyway.

we still want to know what this is
C:\Program Files\WinShrink\AutoJob.exe
O4 - HKLM\..\Run: [WinShrink] C:\Program Files\WinShrink\AutoJob.exe

--- The first 2 results from Google:
http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=19761
http://spywarefiles.prevx.com/RRFFEJ2049518/AUTOJOB.EXE.html
But I don't really understand what it is... and don't know where I got it from!

If you could upload that Kaspersky hit it would be great
C:\WINDOWS\Temp\TDSS57e0.tmp  but it may be gone

I couldn't upload it, because I didn't find it in the Avast chest (I looked for it in all categries). So it means it's gone for good?

I'll post back after seeing the SDFIX log

This I will do tomorrow. I'm quite exhausted now... my computer needs to rest too.

Do You already have Spybot installed??   good app
Immunize helps keep the bad guys out
we gotta start thinking about prevention

Not yet. So should I just install and keep this one and uninstall SAS and MBAM?

G'night.

[wyrmrider]

no reason to uninstall anything yet - you could disable the autoupdates and the buttons in the tray table
I do not install them in the first place and run from desktop or Start>progrms

It's just that we have to get some PROTECTION going
and Spybot- in addition to being a fine scanner has some
SAS and MBAM only in their paid versions-- but they work on clean up so well as you know
we'll deal with this later

I'll look at that autojob tomorrow also I was hoping it was your favorite program and you knew all about it

gone is good

[nosirrah]

How did you ever get Newbie status??
thanks

I joined a long time ago . Seems I cant reply to PMs or even send them .

I found this post checking in on some new creative heu defs I made for MBAM .

Please delete this post after reading , thanks .

[DavidR]

The PM function is restricted until the forum member has 20 posts, this is to avoid abuse of the system by drive by spammers, registering and then using the PM function to spam forum members (which has happened in the past). So we all suffer for these cretins.

[wyrmrider]

A no brainer here
or brain fade on my part
go online to virus total  you can google for address
then navigate to
C:\Program Files\WinShrink\AutoJob.exe
and upload
post the results or a link to results

[Jowita]

A no brainer here
or brain fade on my part
go online to virus total  you can google for address
then navigate to
C:\Program Files\WinShrink\AutoJob.exe
and upload
post the results or a link to results

The Virus Total scan of this AutoJob.exe result was 0%. (http://www.virustotal.com/analisis/fe599b261c2d49cc898c23436623e201)

Now I'm gonna run the SDFix.

[wyrmrider]

WinShrink is a tool that will allow you to encrypt a file or folder by manually selecting the encryption method
so if you do not use it and do not have files you need which are shrunk by it...
you could look in add-remover programs
or
in Start> Programs> Winshrink
or
go to C:\program files\ winshrink and see if there is an uninstaller

but this is not on the critical path
Autojob.exe is just a file in the C:\program files\ Winshrink folder

[Jowita]

Yes, I use WinShrink.

I was not able to enter the safe mode on boot by pressing (repeatadly) F8. I tried to times and it doesn't work. I can only press F4 to enter Raid Utility (SataRaid) or press Del to enter setup, which I did (Phoenix - Award BIOS CMOS setup utility), I pressed F1 for help, but it didn't help me find the way to start in the Safe Mode.

Any other way  to do it? On my keyboard F8 is for "save", btw.

Anyway, gotta go now!

Thank you very much for the great help! I'll be away for 3 days, but I'll come back to this thread on Sunday evening or Monday.

Have a nice weekend!

[wyrmrider]

Have a nice weekend
much easier for you to say that you use winshrink than me

for future reference
The KAspersky detection

C:\WINDOWS\Temp\TDSS57e0.tmp  but it may be gone

I couldn't upload it, because I didn't find it in the Avast chest (I looked for it in all categries).

Would NOT be in the avast Chest

 So it means it's gone for good?

It would be (or would have been) in your TEMP file

C:\WINDOWS\Temp\TDSS57e0.tmp

I missed that earlier
while you are looking for things look for those files polonus mentions
you can use windows explorer or search/find

some exploits run out of temp

[Jowita]

Hi again,

Virus Total analysis proved that C:\WINDOWS\Temp\TDSS57e0.tmp... is some trojan:
http://www.virustotal.com/analisis/2607b2151e2c2c3474bc29c02381c1fd

Which weapon should I use to kill it? Or is it enough to just delete it?

Besides, as I wrote in my last post: I wanted to run this SDFIX, but F8 wouldn't work for my PC (I know how to enter Safe Mode, because I did it on another PC). Is there any other way to start the computer in the Safe Mode?

Anyway, I checked with the Windows Explorer and none of these files are there:

C:\WINDOWS\system32\cmds.txt -
C:\WINDOWS\system32\dpl.txt -
C:\WINDOWS\system32\drivers\tdssserv.sys -
C:\WINDOWS\system32\tdssadw.dll -
C:\WINDOWS\system32\tdssinit.dll -
C:\WINDOWS\system32\tdssl.dll -
C:\WINDOWS\system32\tdsslog.dll -
C:\WINDOWS\system32\tdssmain.dll -
C:\WINDOWS\system32\tdssservers.dat -
C:\WINDOWS\system32\drivers\bd6b6435.sys -

So... it's OK or not?

[wyrmrider]

really good news that none of those associated files are in your system

to clean you temp folder you can use ATF cleaner or CCleaner
or just go in and erase the file out of the folder if it is still there
you have to "show all files and folders in C:\Windows

An F-secure on line scan should also get it- not a bad idea anyway
http://support.f-secure.com/enu/home/ols.shtml
you have to use Internet Explorer and allow active X
 

DavidR or Tech or Polonus can tell you how to start in safe mode in XP

I'm going to be gone tues -thurs - we are all volunteers here and you are in good hands

Think about some realtime antispyware app

I can think of three free ones
Windows Defender
Spyware Terminator using custom install do not install CLAM AV or the toolbar
Spyware Doctor from Google Pack  just do not download a bunch of other xxxx

could you run "secunia software inspector" let's see if you are up to date
if java needs updating use JAVARA to remove all old traces as they are vulnerable

I like Spywareblaster by javacool- takes no resources
and a Hosts file

[Jowita]

Hi again,

I installed and ran CCleaner.

Then I ran the Secunia Online scan.
It occured that I had an old version of APPLE QUICK TIME (I updated it to the last one) and SKYPE (I downloaded the 3.8 version, but I could not run it for some reason: it said that it's "not a valid Win32 application"... So I still have the 2.5.0.113 version.

I had also 2 old versions of Macromedia Flash Player and the latest version of Adobe Flash Player. But I don't know how to remove the old Macromedia Flash Player - it's not on the "Add or Remove Programs" list (there's only Macromedia Shockwave Player... is it the same?). I had also some old Java traces, but I removed them from the Control Panel.

What Secunia did not detect: I have Firefox version 2.0.0.16. A newer one is available, but I don't want to update it to the new one.

I installed Windows XP Service Pack 3 and all the updates/patches.

So... should I scan my system once again (Kaspersky online maybe?)?

And if I install Spybot - Search & Destroy, do I still need any other antispyware software/applications (like those you mentioned: Windows Defender, Spyware Terminator or Spyware Doctor)?

Cheers!

Jowita

[DavidR]

I hate seeing this error "not a valid Win32 application" as it has been an indication in the past of an infection. Whilst it is possible that the downloaded installation file might have been corrupt I don't come across this error reported very often and in many of those it was malicious software related. Having said that it isn't normally one single file in isolation there are usually several instances of this error, usually when you are trying to install and run other security software.

Reply #4 of this topic, http://forum.avast.com/index.php?topic=38548.msg323193#msg323193 gives a number of tools, some of which you have already, so I would suggest those again before considering any on-line scan.

[YoKenny]

Jowita, download Adobe Flash Player uninstaller then close all browsers then run the uninstaller:
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157