Author Topic: new worm?, avast doesn' know it  (Read 57441 times)

Markwest

  • Guest
new worm?, avast doesn' know it
« on: December 25, 2009, 06:11:14 AM »
Hi, at 1am this morning, Christmas Day, I got a worm on my computer after visiting a website (the page was down so I thought nothing of it at first). I first noticed my Avast mail protection was going crazy and saying it was scanning mail for "80% off Viagra"; soon after, my computer gave me a warning saying it was shutting down in 60 seconds.
After it did this twice I pulled my internet cord out and Avast told me a system32 driver file was infected with a worm. I have put the computer into a boot scan (2nd time now) but it doesn't seem to be removing it; I also tried deleting it when the computer was active and it came back straight away.

Once my computer is off this boot scan I will try to find out what the file name was for you and edit it into this topic.

Please, if you have any suggestions I would like to hear them. I pretty much live on my computer, so anything like this really puts my life to a halt; any suggestions would be helpful.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #1 on: December 25, 2009, 07:33:48 AM »
Hi, Markwest, welcome to the forum.
I'd try MBAM; get it (free version) from here. You will probably need to download the installer file using a good computer, then transfer it using a flash drive to the sick computer.
Install it and run a quick scan immediately. Tick everything it finds, then click "Remove Selected". It may prompt to reboot to complete removal; do so immediately.
Please post the scan report.
If something was found and removed, reconnect your machine to the web, update MBAM and run another quick scan.

Later you will have to see what your email program was sending, and to whom, and contact all of them and tell them to delete those mails unopened.
Windows 10,Windows Firewall,Firefox w/Adblock.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #2 on: December 25, 2009, 10:26:27 AM »
I actually happen to have it on my computer already; will run it as soon as Avast gets out of the boot scan. I do have some further info, though: it seems to be copying or protecting itself somehow. I found stuff from both temp and restore in the Avast chest when I woke up and saw the boot scan had finished, including also another virus that Avast did recognize, but once again Avast yelped at me to restart and boot scan it before I could look here on the forum. I will try the program though and see if it can clear it, though I'm not sure how I'd move the scan report over here onto the laptop.

Edit: found the file it's infecting: System32\drivers\kpgmh.sys

Edit 2: MBAM found nothing infected, though it's probably well out of date. Any other suggestions? Avast does seem to find the bug in the boot scan, but it's back as soon as my computer loads up properly.

Thanks for the input and help; hopefully we can get this virus locked down before it hurts more people.
« Last Edit: December 25, 2009, 10:44:08 AM by Markwest »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #3 on: December 25, 2009, 10:46:15 AM »
OK. I'm 13 hours ahead of you if you're in England, so I will be going to sleep in a (very) few hours.

No Google hits for that file. That's suspicious. It's probably a new malware variant, or if you're really unlucky, a trojan variant that keeps changing its name.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #4 on: December 25, 2009, 10:49:15 AM »
Well, some good news: I was able to grab the update really fast online and now MBAM's infected count is going up, finding those files. Will lock them as soon as the scan is finished. I've been suspecting it might be new; probably someone thought it would be fun to create it for Christmas. :'(

Edit: it seems the file that was getting infected is still there after the Malwarebytes removal, same file as last time, though Malwarebytes did pick up a few hits and logged them.
« Last Edit: December 25, 2009, 10:57:55 AM by Markwest »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #5 on: December 25, 2009, 11:00:51 AM »
Sounds promising. Fingers X'd.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #6 on: December 25, 2009, 11:09:15 AM »
Seems MBAM picked up on a trojan called Vundo.H, though I suspect the other infection may have dragged that in, since the main infection I first reported is still at large on my computer. Avast wanted to boot scan again, so I did, now that I've made some removals, in case it helps with the problem.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #7 on: December 26, 2009, 12:25:59 AM »
Well, I've taken my computer off the power and hooked up my old machine, waiting for further suggestions and keeping my machine safe at least. I'm pretty much at the end of my rope.
I hope you guys can help, or keep me informed if Avast gets a virus update that fixes it.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #8 on: December 26, 2009, 12:44:33 AM »
Can you please post the MBAM log.
If there is more than one, post them, in order.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #9 on: December 26, 2009, 01:22:03 AM »
Just updating my old computer with Windows updates (it's been off for the best part of a year); once it has done that I'll grab the log from my main computer. Sorry it's taking so long, I'm just trying to get some access to my normal life again while repairing my main machine.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: new worm?, avast doesn' know it
« Reply #10 on: December 26, 2009, 01:57:17 AM »
Hi Markwest,

There is a cleansing routine for vundo.H described here:
http://forums.majorgeeks.com/showthread.php?t=161380
and here:
http://www.bleepingcomputer.com/forums/topic219912.html

polonus
« Last Edit: December 26, 2009, 02:12:10 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #11 on: December 26, 2009, 02:13:44 AM »
Polo, is it possible that is all I have on my machine? Does what I wrote in my first post seem to be its behaviour? It would be nice if it could just be sorted then and there with that stuff.
My old computer is still installing Windows updates, so I will get to my main computer as soon as it is done and start working on it.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #12 on: December 26, 2009, 02:40:47 AM »
OK, here's the MBAM report at least; I am working through the guide at the moment, seeing if it'll clear the problem.

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

25/12/2009 09:51:55
mbam-log-2009-12-25 (09-51-52).txt

Scan type: Quick Scan
Objects scanned: 125472
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nmntrs2.dll  -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\nmntrs2.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Mark\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (Trojan.Agent) -> No action taken.
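
As an added illustration (not code from this thread or from Malwarebytes): a small Python parser for the MBAM 1.x log format posted above. It groups each detection by the persistence mechanism the registry path represents and lists everything still marked "No action taken", which is what a helper reading the log would check first. The sample log embedded in the script is constructed from the detection lines in the post (banner and summary lines trimmed); the bucket names are my own labels, not MBAM categories.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x scan log (example code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the detection lines from the log posted in this thread,
# with the summary counters and the empty "Memory ..." sections left out.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Scan type: Quick Scan

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nmntrs2.dll  -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\nmntrs2.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Mark\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (Trojan.Agent) -> No action taken.
"""

# "<registry or file path> (<MBAM family name>)" is the first " -> " field.
_DETECTION = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")


@dataclass
class Detection:
    section: str           # e.g. "Registry Values Infected"
    item: str              # registry path or file path
    family: str            # MBAM name, e.g. "Trojan.Vundo.H"
    detail: Optional[str]  # middle field(s), e.g. "Data: nmntrs2.dll"
    action: str            # last field, e.g. "No action taken"


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per ' -> ' line found under an '... Infected:' header."""
    found: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        if section is None or line.startswith("("):
            continue  # banner/summary lines, or "(No malicious items detected)"
        parts = [p.strip() for p in line.split(" -> ")]
        m = _DETECTION.match(parts[0])
        if m is None or len(parts) < 2:
            continue  # not a detection line; skip rather than guess
        detail = " ".join(parts[1:-1]) or None
        found.append(Detection(section, m["item"], m["family"],
                               detail, parts[-1].rstrip(".")))
    return found


def persistence_class(det: Detection) -> str:
    """Label (my own, not MBAM's) for where the item would come back from."""
    p = det.item.lower()
    if "\\security center\\" in p and p.endswith("disablenotify"):
        return "security-center-notification-disabled"
    if p.endswith("\\lsa\\notification packages"):
        return "lsa-notification-package"   # DLL loaded by LSA at boot
    if "\\currentcontrolset\\services\\" in p:
        return "service-or-driver"
    if "\\currentversion\\run\\" in p:
        return "run-key-autostart"
    if "browser helper objects" in p or "\\ext\\stats\\" in p:
        return "browser-helper-object"
    if det.section.startswith("Files"):
        return "file-on-disk"
    return "other-registry-trace"


def triage(text: str) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {}
    for det in parse_mbam_log(text):
        buckets.setdefault(persistence_class(det), []).append(det.item)
    return buckets


def unresolved(text: str) -> List[Detection]:
    return [d for d in parse_mbam_log(text) if d.action == "No action taken"]


def database_version(text: str) -> Optional[int]:
    m = re.search(r"^Database version: (\d+)$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log = fh.read()
    else:
        log = SAMPLE_LOG
    print("database version:", database_version(log))
    for bucket, items in triage(log).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
    print(f"{len(unresolved(log))} item(s) still marked 'No action taken'")
```

Run it against a saved mbam-log-*.txt, or with no argument to use the embedded sample. On the sample it reports one LSA Notification Packages entry (nmntrs2.dll), one entry under CurrentControlSet\Services (TDSSserv.sys), one Run-key autostart (sysgif32), two browser helper object keys, and three Security Center notification flags set to 1 (disabled); all 13 items carry "No action taken", which is exactly the state the log above is in. Note that the posted log names nmntrs2.dll, TDSSserv.sys and sysgif32 but nothing called kpgmh.sys, so a log like this does not by itself account for the driver that keeps returning.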

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: new worm?, avast doesn' know it
« Reply #13 on: December 26, 2009, 03:30:45 AM »
Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: new worm?, avast doesn' know it
« Reply #14 on: December 26, 2009, 04:10:42 AM »
Might be a good idea to update MBAM, too.
Your database is out of date, current version (as of yesterday) 3423. Yours indicates 3289.

If MBAM prompts for a reboot to complete removal (unlikely in this case, I believe, but possible) please reboot promptly.