Author Topic: WORM? WHAT'S HAPPENED & WHAT NEXT?  (Read 5670 times)

SPACEY

  • Guest
WORM? WHAT'S HAPPENED & WHAT NEXT?
« on: April 08, 2009, 12:57:43 AM »
Any advice would be much appreciated...
Downloading some programmes from limewire  p2p & avast picked up the following baddies;

06/04/2009 10:05:23   Owner   1676   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\Desktop\MUSIC\ONLINE\sketchup pro + serial by ROR.zip\keymaker_by_CORE\CORE10k.EXE" file. 

06/04/2009 09:54:02   Owner   1676   Sign of "Win32:VB-FXE [trj]" has been found in "C:\Documents and Settings\Owner\Desktop\MUSIC\ONLINE\Google SketchUp Pro v6.0.1099.zip\Setup.exe" file. 

06/04/2009 09:53:55   Owner   1676   Sign of "Win32:Agent-AAKK [trj]" has been found in "C:\Documents and Settings\Owner\Desktop\MUSIC\ONLINE\Google SketchUp Pro v6.0.1099.zip\Crack.exe" file. 

06/04/2009 09:53:05   Owner   1676   Sign of "Win32:Wegit-C [Adw]" has been found in "C:\Documents and Settings\Owner\Desktop\MUSIC\ONLINE\sketchup



I ran ad-aware & c-cleaner programmes, deleted all cookies etc
Searched all computer activity at the time of infection, deleted all temporary files as I went.

Tried to open a couple of programmes - autocad & google sketchup - and got error messages; 'can't open, files missing, moved....', but autocad did open at the second attempt. Sketchup is now disabled. Downloaded a new copy but still can't open it. Firefox is hijacked intermittently too with MS iexplorer pop-ups to various ad sites. Ad-aware has also been disabled. Downloaded & installed current ad-aware but it won't open, not responding to double click or open.

It's all way more aggressive than any previous trouble.

So, what's happening people? Any ideas?


Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #1 on: April 08, 2009, 01:10:58 AM »
Just a thought, but this is odd:

Downloading some programmes from limewire  p2p & avast picked up the following baddies;

06/04/2009 10:05:23   Owner   1676   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\Desktop\MUSIC\ONLINE\sketchup pro + serial by ROR.zip\keymaker_by_CORE\CORE10k.EXE" file. 
 

sketchup pro + serial by ROR.zip\keymaker_by_CORE\CORE10k.EXE" file

This would be IMHO a crack or serial generator. The thing is that most of these things are sometimes infected. In your case, by the sound of it, the infection has spread far and wide. Did you try to do a boot time scan?
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #2 on: April 08, 2009, 02:29:44 AM »
So you're surprised when downloading a program with a crack, etc. that avast would find an unwelcome trojan.

Cracks and key-gens, etc., apart from any legal or moral issue, are high risk and frequently come with Trojans. I mean, who are you going to complain to?

Based on the other problems you are experiencing you may have other hidden or undetected malware.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

AdAware really is a waste of space and hasn't kept pace with the development of spyware, etc.

I can't recall who said it (I don't use P2P at all), but by all accounts the Limewire network is infected with malware.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #3 on: April 08, 2009, 02:37:42 AM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

SPACEY

  • Guest
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #4 on: April 08, 2009, 10:52:08 AM »
Thanks all Confused/David/Tech,

Have installed Superspyware but it won't open, like the others. Just installed CureIt and the basic scan picked up the following and has deleted it;

ieencode32.dll in c:\windows\system32 Trojan download 33662

Set it off on a complete scan now, waiting...

Is it likely the one found so far is the one responsible?

I knew there were risks with p2p, usually only use it for music, first time seeking a programme so have been burned & lessons learned. What are the golden rules with p2p then, never trust an exe file I guess?

SPACEY

  • Guest
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #5 on: April 08, 2009, 10:58:55 AM »
Ran a thorough avast! overnight as well with no results

SPACEY

  • Guest
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #6 on: April 08, 2009, 12:15:11 PM »
Cureit's found some things;

Can't copy cureit's log so I'll summarise the messages;

ieencode32.dll in c:\windows\system32   Trojan.download.33662 -  this 33662 trojan also detected in A0108873.exe and A0110141.dll in c:\system volume information\restore

A0106411.exe in c:\system volume information\restore  Trojan.download.15184 - this 15184 trojan also detected in another exe file from a plug-in that was downloaded probably two years ago.

That's seven objects the scan picked up.

Does this mean I should be regularly running two different AV softwares?



Mr.Agent

  • Guest
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #7 on: April 08, 2009, 01:00:28 PM »
I didn't like Limewire for a reason, because it's full of viruses!!! If you wanna download a game you should try isohunt for torrents and blubster for music :) It's safer and has fewer viruses! I never got any virus from a torrent on isohunt or blubster; maybe there are none or few :)

SPACEY

  • Guest
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #8 on: April 08, 2009, 01:02:03 PM »
....or three?
superantispyware now installed and has detected 8 items;
1 tracking cookie and
a registry cleaner trial;
HKCR\.03
HKCR\03_auto_file
HKCR\03_auto_file\shell
HKCR\03_auto_file\shell\open
HKCR\03_auto_file\shell\open\command
HKCR\03_auto_file\shell\print
HKCR\03_auto_file\shell\print\command

all quarantined

I'll see what happens...

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #9 on: April 08, 2009, 02:04:27 PM »
Does this mean I should be regularly running two different AV softwares?

Well, we have to be careful with this. It is always contraindicated to run 2 or more AV on the same computer. If you look at my signature at the bottom of each of my posts, I have one AV (avast) and 2 anti-spyware (Super Anti-Spyware and Malware Bytes Anti-Malware).

Now the theory behind not having two AV on one comp is that if they are both scanning the system at the same time it can create conflicts which lead to instability in your system. What happens, and what is recommended by most Avast forum members, is to keep one active AV program (Avast of course) and a couple of secondary anti-spyware programs that you scan your system with once a week or more.

Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #10 on: April 08, 2009, 03:08:14 PM »
You should now run MBAM from safe mode. This program can also be installed from safe mode too, so it can avoid some of the malware that targets security applications.

CharleyO

  • Guest
Re: WORM? WHAT'S HAPPENED & WHAT NEXT?
« Reply #11 on: April 08, 2009, 05:16:43 PM »
***

My golden rule for P2P programs ... never use them!


***