Author Topic: new worm?, avast doesn' know it


Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #15 on: December 26, 2009, 04:24:16 AM »
Currently following the guide posted on MajorGeeks: SUPERAntiSpyware first, then Malwarebytes, and finishing off with MGtools. I couldn't find a separate update for Malwarebytes, since I can't go on the net on my main computer without it doing stuff again, and I do not want to connect it up in case the virus gets worse.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #16 on: December 26, 2009, 04:29:45 AM »
Fair enough.
Here's a way to get MBAM updated.
Install it on a clean computer, then update it on that computer.
Go to the folder (in XP) C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware and locate rules.ref (~3.5 MB) and copy it to a flash drive.
Transfer it from the flash drive to the sick computer, to the same folder.
Windows should ask if you want to replace the same named file with this new one. If it doesn't, you're in the wrong folder. Click Yes.
Good to go.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.
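
An added example, not Tarq57's own steps and not anything shipped by Malwarebytes, that carries out the same sneaker-net update with two checks a practitioner would want. The flash drive gets plugged into an infected machine, so the copy is hashed on the clean machine and verified on the sick one before it replaces anything, and the script refuses to proceed if there is no existing rules.ref to replace (the post's own "wrong folder" check). The sidecar file name rules.ref.sha256, the folder names, and the file contents used in demo() are assumptions for illustration; the real target folder is the one given in the post above.

```python
import hashlib
import os
import shutil
import tempfile

DEFS_NAME = "rules.ref"               # the MBAM database file named in the post
SIDECAR_NAME = DEFS_NAME + ".sha256"  # assumed name for the hash record; not something MBAM writes


def sha256_of(path: str) -> str:
    """Hash a file in 64 KiB chunks so the definitions file never has to be read whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_definitions(clean_mbam_dir: str, flash_dir: str) -> str:
    """Run on the CLEAN machine after MBAM has updated there.

    Copies rules.ref to the flash drive and writes its SHA-256 next to it.
    Returns the digest so the operator can note it down independently of the drive."""
    src = os.path.join(clean_mbam_dir, DEFS_NAME)
    os.makedirs(flash_dir, exist_ok=True)
    shutil.copyfile(src, os.path.join(flash_dir, DEFS_NAME))
    digest = sha256_of(src)
    with open(os.path.join(flash_dir, SIDECAR_NAME), "w", encoding="ascii") as f:
        f.write(digest + "\n")
    return digest


def install_definitions(flash_dir: str, sick_mbam_dir: str) -> dict:
    """Run on the SICK machine.

    Refuses a rules.ref whose hash does not match the sidecar (a bad copy, or a drive altered
    while plugged into the infected box), insists that a rules.ref already exists in the target
    folder (the post's check that you are in the right folder), keeps a backup of the old file,
    and re-hashes what actually landed on disk."""
    staged = os.path.join(flash_dir, DEFS_NAME)
    with open(os.path.join(flash_dir, SIDECAR_NAME), encoding="ascii") as f:
        expected = f.read().strip()
    actual = sha256_of(staged)
    if actual != expected:
        raise ValueError(f"{staged}: SHA-256 {actual[:12]}... does not match recorded {expected[:12]}...")

    target = os.path.join(sick_mbam_dir, DEFS_NAME)
    if not os.path.isfile(target):
        raise FileNotFoundError(f"{target} not found: this is not the MBAM data folder")
    backup = target + ".bak"
    shutil.copyfile(target, backup)
    shutil.copyfile(staged, target)
    installed = sha256_of(target)
    return {"ok": installed == expected, "expected": expected, "installed": installed, "backup": backup}


def demo() -> dict:
    """Round trip in temporary folders standing in for the two machines and the flash drive.

    The file contents are constructed stand-ins, not real MBAM definitions."""
    root = tempfile.mkdtemp(prefix="mbam-offline-")
    clean = os.path.join(root, "clean_pc")
    sick = os.path.join(root, "sick_pc")
    flash = os.path.join(root, "flash_drive")
    os.makedirs(clean)
    os.makedirs(sick)
    with open(os.path.join(clean, DEFS_NAME), "wb") as f:
        f.write(b"NEW-DEFINITIONS\n" * 4096)
    with open(os.path.join(sick, DEFS_NAME), "wb") as f:
        f.write(b"OLD-DEFINITIONS\n")

    staged_digest = stage_definitions(clean, flash)
    report = install_definitions(flash, sick)

    # Simulate the flash drive being altered after staging: the install must now be refused.
    with open(os.path.join(flash, DEFS_NAME), "ab") as f:
        f.write(b"X")
    try:
        install_definitions(flash, sick)
        tamper_refused = False
    except ValueError:
        tamper_refused = True

    shutil.rmtree(root)
    return {"staged_digest": staged_digest, "install_ok": report["ok"],
            "installed_digest": report["installed"], "tamper_refused": tamper_refused}


if __name__ == "__main__":
    print(demo())
```

Reading the digest off the screen of the clean machine and comparing it by eye with what install_definitions() reports is the low-tech equivalent of the sidecar, and works when the sidecar itself cannot be trusted.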

Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #17 on: December 26, 2009, 05:20:11 AM »
My laptop seems to be crashing when I use my flash drive on it; hopefully it's just being temperamental. I did update my machine quickly through the net and it is now running MBAM, though if the flash drive continues to fail to work I dunno how I will be able to transfer the logs over to the laptop to post here. Will keep you updated on what's happening.

Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #18 on: December 26, 2009, 05:25:17 AM »
Looking at what MGtools does, I'm kinda scared to use it and will not be using it after all. Will still try and get the logs to this computer, and will await further ideas if avast says the file is still infected.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #19 on: December 26, 2009, 05:53:03 AM »
Is this the tool you mean?
Quote from: majorgeeks
C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis...
If it is the same as HijackThis, the tool is safe to run.
It is not safe to remove items without guidance, if you don't know what you are doing.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #20 on: December 26, 2009, 06:18:51 AM »
Here are the instructions from the site:

    * Run the MGTools.exe program by double clicking on it.
          o It will create a folder named MGTools in the root folder of the hard disk where Windows is installed (typically C:\MGTools).
          o It will also automatically extract a bunch of files into this folder.
          o It will then automatically start running three batch (.bat files are batch programs) programs in that folder.
          o This will sequentially run all the tools/scans that are part of MGtools. Each of these scans will create logs in the MGtools folder. You will notice a command prompt window open and messages will appear in this window. This window will close when the scans are complete.
          o You may see a popup window with a license agreement for TrendMicro HijackThis. Make sure you click the I Accept button. You need to click it twice to get it to accept.
          o If you see HijackThis open and/or a log from HijackThis open in notepad, just close HijackThis and the notepad window.
          o These log files will be placed in the root folder of your Windows drive. The log file will also automatically be put into a ZIP file named MGlogs.zip, which you will be uploading as an attachment to your message in the forum. Unlike older versions of the programs, no popups of the logs will appear when they finish running during this initial installation. At a later time, running any of the individual batch files will still cause the logs to automatically pop up.
          o Continue on to the General Information section below.

Even if the program is safe, I'm still rather nervous about using it, and hoping my comp will be clean without use of it.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #21 on: December 26, 2009, 06:39:29 AM »
It's quite likely that it contains other applications as well as HijackThis, and the batch files to automatically run them. I couldn't easily find info on what they consist of, and it is probably best not to run them in the absence of a helper that has asked you to, which you would probably only find on the MG forum.
Just stick with MBAM for now, don't forget (as DavidR posted) to have it "remove selected", and hopefully things might improve radically after that.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #22 on: December 26, 2009, 09:57:14 AM »
Great news: MBAM hit that system file and asked me to restart so it could delete it. I am going to run a standard avast scan to see if it's there or not, and if not I will remove my system restores and that will be that ^^. Though if it is still here, then I will post logs here and wait for further advice.

Edit: :'( It's still there, even after MBAM said it was going to delete it after reboot :'( Will post logs as soon as I can get them on here.
« Last Edit: December 26, 2009, 10:04:05 AM by Markwest »

Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #23 on: December 26, 2009, 10:10:29 AM »
OK, here are the logs, since my laptop accepted my flash drive without crashing this time.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/26/2009 at 03:51 AM

Application Version : 4.32.1000

Core Rules Database Version : 4402
Trace Rules Database Version: 1978

Scan type       : Complete Scan
Total Scan Time : 01:24:42

Memory items scanned      : 518
Memory threats detected   : 0
Registry items scanned    : 4602
Registry threats detected : 8
File items scanned        : 33296
File threats detected     : 5

Adware.Vundo/Variant
   HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D5BF4552-94F1-42BD-F434-3604812C807D}
   HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D5BF4552-94F1-42BD-F434-3604812C807D}

Rogue.Component/Trace
   HKLM\Software\Microsoft\70642062
   HKLM\Software\Microsoft\70642062#70648de2
   HKLM\Software\Microsoft\70642062#7064e407
   HKLM\Software\Microsoft\70642062#70642062
   HKLM\Software\Microsoft\70642062#Version

Trojan.Fake-Alert/Trace
   HKU\S-1-5-21-776561741-1563985344-839522115-1003\SOFTWARE\Microsoft\fias4013

Trojan.Agent/Gen
   C:\DOCUMENTS AND SETTINGS\MARK\START MENU\PROGRAMS\STARTUP\SISZYD32.EXE
   C:\WINDOWS\Prefetch\SISZYD32.EXE-02EC40F1.pf

Rootkit.TDSServ-Trace
   C:\WINDOWS\SYSTEM32\TDSSMTYE.DAT

Trojan.Agent/Gen-ImageDocFake
   E:\DOCUMENTS AND SETTINGS\MARK\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8GCHHHH2\MAIN_IMG3[1].PNG
   E:\FOUND.000\DIR0068.CHK\MEDIA\YOHOHO\ICONS\CHANGE_ALERT.PNG

Malwarebytes' Anti-Malware 1.42
Database version: 3431
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

26/12/2009 08:52:05
mbam-log-2009-12-26 (08-52-05).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 561957
Time elapsed: 2 hour(s), 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mark\Local Settings\Temp\sig9E.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\kpgmh.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\sig10.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.

As you can see, it said it would delete it on reboot, but avast found it still on the computer as soon as it reloaded itself :'(
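
The log above marks kpgmh.sys as "Delete on reboot", and the poster reports it was still there afterwards. That result means the scanner could not remove the file while Windows was running and asked for it to be deleted at the next boot; Windows records such requests in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager processes and clears that list early in the boot sequence. The example below is added here (it is not part of the thread and not a Malwarebytes tool): it parses the "Files Infected" section of the MBAM log posted above, decodes a snapshot of that registry value (a constructed sample; on a real XP box you would capture it with reg query or reg export before rebooting, since it is gone afterwards), and reports for each deferred delete whether it was queued at all and whether the file is still on disk. The second pending entry and the DLL it names are constructed to show the rename form of the value; they do not come from this machine. A user-mode existence check on a box with a kernel-mode rootkit can itself be fooled, so "queued and gone" is encouraging rather than conclusive.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# "Files Infected" section of the MBAM 1.42 log posted in this thread, used here as parser input.
MBAM_LOG = r"""Files Infected:
C:\Documents and Settings\Mark\Local Settings\Temp\sig9E.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\kpgmh.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\sig10.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""

# CONSTRUCTED snapshot of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
# as captured BEFORE rebooting (Session Manager consumes and clears it during boot).
# REG_MULTI_SZ read as (source, destination) pairs: an empty destination means "delete source";
# a destination starting with "!" is how MoveFileEx records MOVEFILE_REPLACE_EXISTING.
# Paths are stored in the \??\ NT form.
PENDING_SNAPSHOT: List[str] = [
    r"\??\C:\WINDOWS\system32\drivers\kpgmh.sys", "",                                  # the driver MBAM deferred
    r"\??\C:\WINDOWS\Temp\update_stage.tmp", r"!\??\C:\WINDOWS\system32\example.dll",  # constructed rename entry
]

LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")


@dataclass(frozen=True)
class Detection:
    path: str
    family: str
    action: str


def parse_mbam_files(log: str) -> List[Detection]:
    """Pull (path, family, action) out of every detection line; headings and blanks are skipped."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["family"], m["action"]))
    return found


def pending_reboot(detections: Sequence[Detection]) -> List[str]:
    """Paths MBAM could not remove live and deferred to the next boot."""
    return [d.path for d in detections if d.action.lower() == "delete on reboot"]


def _strip_nt_prefix(p: str) -> str:
    p = p[1:] if p.startswith("!") else p
    return p[4:] if p.startswith("\\??\\") else p


def parse_pending_renames(multi_sz: Sequence[str]) -> List[Tuple[str, Optional[str]]]:
    """Decode the MULTI_SZ pairs; destination None means the source is scheduled for deletion."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must contain (source, destination) pairs")
    return [(_strip_nt_prefix(src), _strip_nt_prefix(dst) if dst else None)
            for src, dst in zip(multi_sz[0::2], multi_sz[1::2])]


def verify_after_reboot(detections: Sequence[Detection], pending_snapshot: Sequence[str],
                        exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """For each 'Delete on reboot' path: was the delete actually queued, and is the file gone now?

    `exists` is injectable so the check can run against a mounted image or be mocked in tests.
    On a live machine with a kernel-mode rootkit, a user-mode exists() can itself be lied to."""
    queued = {src.lower() for src, dst in parse_pending_renames(pending_snapshot) if dst is None}
    report: Dict[str, str] = {}
    for path in pending_reboot(detections):
        if path.lower() not in queued:
            report[path] = "not queued"                 # the scanner never got the delete registered
        elif exists(path):
            report[path] = "queued but still present"   # removed at boot and re-created, or protected
        else:
            report[path] = "queued and gone"
    return report


if __name__ == "__main__":
    dets = parse_mbam_files(MBAM_LOG)
    print(f"{len(dets)} file detections, {len(pending_reboot(dets))} deferred to reboot")
    for path, status in verify_after_reboot(dets, PENDING_SNAPSHOT).items():
        print(f"{status:26} {path}")
```

With the snapshot above and kpgmh.sys still on disk, the report reads "queued but still present", which is the situation described in this thread: the delete was registered, yet the file was back (or never went) when avast next looked. A "not queued" result would instead point at the scanner having failed to register the delete at all.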

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #24 on: December 26, 2009, 11:22:07 AM »
Bu@@er. It's a SISZYD32-related infection.
Looking at other forum posts related to this one, it looks like a pain to try and kill.
Please use your good computer to download OTL.exe and transfer it using a flash drive to the desktop of the sick computer.
Open it by double clicking, and select "run scan".
Two logs will be created, OTL.txt and Extras.txt. Copy and paste both to the forum. (Use more than one post if the maximum size is exceeded.)

I'm going to just ask for a bit of help from the maker of this app, now. We'll see what can be done.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8788
Re: new worm?, avast doesn' know it
« Reply #25 on: December 26, 2009, 11:24:08 AM »
Vundo is polymorphic malware and infects the whole system, and the only way to remove it is a hard disk FORMAT and reinstall of the operating system.

Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

IE8 is more secure than IE7 and has a lot better performance:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #26 on: December 26, 2009, 11:29:27 AM »
One more thing: did you have SAS attempt to remove what it found? There is no indication of it attempting to.
You could try a scan again, but this time make sure you have the app try and quarantine all that it finds.

With MBAM, there is no need for a full scan. Just use the quick scan option, for future reference.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #27 on: December 26, 2009, 11:43:17 AM »
Yes, SAS did remove some stuff; I guess it doesn't show it properly in the log.

Kenny, I've heard nothing but other problems with Service Pack 3, and I don't even use IE. And seeing as it seems now there is only a single file and no noticeable trace of Vundo left on my computer after the removal, I'm not about to reformat my computer, because quite frankly there are programs on there I do not have, and I would have to send my comp away all the way up England to get it properly reformatted.

I did try another SAS scan and it didn't find any new stuff or stuff that it missed the previous time; it's still just that 1 single file.

I'm gonna use that program now to grab some logs for here.

Offline Markwest

  • Jr. Member
  • **
  • Posts: 65
Re: new worm?, avast doesn' know it
« Reply #28 on: December 26, 2009, 12:01:15 PM »
From what I can see this is going to take A LOT of posts with only a 10k character limit. Is there another option to get it up on here or get the txt file visible, or am I gonna just have to work my way through it, posting it over those many posts?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #29 on: December 26, 2009, 12:34:38 PM »
You could break it into a series of attachments, but that would also take a few posts, not save that much time, and make it harder for the helper/s. So, even though it's a PITA, put them in multiple posts, please.
Seen them before, here. IIRC it takes about 6 posts. Depends on how many files there are.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.