HELP!!! New Virus urgent need help!!!

First hi all,

New possible virus in rotation, I'll call it "I hate MP3s".
Following diagnostics:
HDD failure with small possible access,
within a short time HDD crash,

Diagnostics: boot record shows gibberish in the form of FFFFFFFF in most fields (PM PTEDIT).

This occurs where the HDD contains many MP3 files of any nature (game files or private home collection).

I came across this problem with my private HDDs and some of my customers' HDDs.

Sorry, I am not so good that I can do more. ???

Can you send any infected file for analysis and help to improve the avast detection?
Does avast detect it? And what about other tools like AVGas or SpywareTerminator or SuperAntispyware?

No luck with detection, and that makes it not possible for me to give a possible file as I cannot find suspect files.

Did you try on-line scanning with Kaspersky?

Full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
AVGas (not necessary if you have AVG antispyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (new online scanner with multiple scanners)

hmmm… heard about it (at wilders or somewhere)… but we can do nothing without valid samples of this virus…

I have a dumb feeling that it hardcodes itself in Windows somewhere, or it may be from MS itself as an anti-signature action to force peeps to either purchase music with those dumb licences… just a thought…

@Maxx_original

Do you have any clues what to look for with this?

I just did a repair install on my wife’s computer last night because of hard drive problems similar to those posted by Jurgster. I haven’t had a chance to run any tools yet but I’m guessing something is still there. I’ve also noticed Windows Security Center and Windows Firewall are disabled, and no internet access via browsers though programs are able to update OK.

If I’m able to find anything I’ll send it along.

mauserme: can you run tools like filemon?

I’ll try when I get home from work. Would you like me to post the log or email it to you?

Any others I should run?

EDIT: BTW, all I find on the internet about this worm says it spreads via removable drive. If there is malware on my wife’s computer it did not arrive this way; rather via the internet.

do you know how to use filemon and its filters?

It looks pretty straight forward but I have no prior experience with it.

I’m good at following directions if you have something specific in mind. ;D

k… you must filter out the rubbish file accesses… I mean I/O accesses made by explorer, svchost, csrss, winlogon, services… it's under the filter icon and you can follow the instructions in the dialog (to separate the excludes with semicolons etc.)

OK - Right Click > Exclude seems to be the key to this (easier than trying to type all the paths).

I’ll post again later.

Hi Keith, could I possibly have a copy? Pretty please :slight_smile:

you can use the icon at the top of the main window… it's the filter where you can set what to include (*) and what to exclude (explorer etc. separated with semicolons)… you should get a pretty clean display after setting the filter, right? no system processes, only the activity of other modules… and that's it - if some malware scans your disk for mp3 files, it must do some I/O activity… if the I/O activity can't be monitored by filemon, then maybe there is some rootkit there… so… do you see something strange in the filemon window?
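The filtering Maxx_original describes above can also be done offline on a saved Filemon export, which helps when the log is too big to read in the window. The script below is an added example and is not from this thread or from Filemon; it assumes a simplified tab-separated layout (sequence, time, process:pid, request, path, result) that approximates Filemon's export, and the log lines in it are constructed, not a real capture. It drops the usual system-process noise, counts each remaining process's reads and writes to .mp3 paths, and separately flags any write addressed to a raw disk device, since that is the kind of activity that could explain a corrupted boot record like the FFFFFFFF fields in the first post.

```python
"""Filter a Filemon-style I/O log for non-system processes touching MP3 files.

Added example for this thread, not code from the original posts or from Filemon.
The column layout is an assumption approximating Filemon's tab-separated export;
the sample log below is constructed.
"""
import re
from collections import Counter, defaultdict

# Process names Maxx_original suggests excluding: background noise in a Filemon capture.
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Constructed sample (tab-separated): seq, time, process:pid, request, path, result.
SAMPLE_LOG = """\
1\t22:10:01\texplorer.exe:1204\tIRP_MJ_READ\tC:\\WINDOWS\\system32\\shell32.dll\tSUCCESS
2\t22:10:01\tsvchost.exe:880\tIRP_MJ_QUERY_INFORMATION\tC:\\WINDOWS\\Prefetch\\SVCHOST.EXE-1.pf\tSUCCESS
3\t22:10:02\tunknown.exe:3312\tIRP_MJ_DIRECTORY_CONTROL\tC:\\Music\\*.mp3\tSUCCESS
4\t22:10:02\tunknown.exe:3312\tIRP_MJ_WRITE\tC:\\Music\\track01.mp3\tSUCCESS
5\t22:10:02\tunknown.exe:3312\tIRP_MJ_WRITE\tC:\\Music\\track02.mp3\tSUCCESS
6\t22:10:03\twmplayer.exe:2100\tIRP_MJ_READ\tC:\\Music\\track01.mp3\tSUCCESS
7\t22:10:03\tcsrss.exe:600\tIRP_MJ_READ\tC:\\WINDOWS\\system32\\winsrv.dll\tSUCCESS
8\t22:10:04\tunknown.exe:3312\tIRP_MJ_WRITE\t\\Device\\Harddisk0\\DR0\tSUCCESS
"""

# Filemon shows the process column as "name:pid"; the pid is kept but filtering is by name.
_PROC_RE = re.compile(r"^(?P<name>[^:]+):(?P<pid>\d+)$")


def parse_log(text):
    """Parse tab-separated lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        seq, time, proc, request, path, result = fields[:6]
        m = _PROC_RE.match(proc)
        if not m:
            continue
        events.append({
            "seq": int(seq), "time": time,
            "process": m.group("name").lower(), "pid": int(m.group("pid")),
            "request": request, "path": path, "result": result,
        })
    return events


def exclude_system(events, excluded=SYSTEM_PROCESSES):
    """Same effect as Filemon's exclude filter: drop events from the listed process names."""
    excluded = {name.lower() for name in excluded}
    return [e for e in events if e["process"] not in excluded]


def _category(request):
    if request == "IRP_MJ_READ":
        return "read"
    if request == "IRP_MJ_WRITE":
        return "write"
    return "other"  # directory listings, attribute queries, etc.


def mp3_activity(events):
    """Per-process counts of read/write/other requests whose path ends in .mp3."""
    activity = defaultdict(Counter)
    for e in events:
        if e["path"].lower().endswith(".mp3"):
            activity[e["process"]][_category(e["request"])] += 1
    return {proc: dict(counts) for proc, counts in activity.items()}


def raw_disk_writes(events):
    """Writes addressed to a physical disk device rather than to a file path."""
    return [e for e in events
            if e["request"] == "IRP_MJ_WRITE"
            and e["path"].lower().startswith("\\device\\harddisk")]


def suspicious_processes(events):
    """Non-system processes that write to MP3 files or write straight to the disk device."""
    filtered = exclude_system(events)
    flagged = {proc for proc, counts in mp3_activity(filtered).items() if counts.get("write", 0)}
    flagged.update(e["process"] for e in raw_disk_writes(filtered))
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in exclude_system(evs):
        print(f"{e['seq']:>3} {e['process']:<14} {e['request']:<26} {e['path']}")
    print("mp3 activity:", mp3_activity(exclude_system(evs)))
    print("suspicious:", suspicious_processes(evs))
```

Run it against a real export by reading the file into `parse_log` instead of `SAMPLE_LOG`; if a process shows up writing to many .mp3 paths or to a `\Device\Harddisk` path and it is not a media player or backup tool you recognise, that is the process to look at (and, as the post above says, if nothing shows up at all for activity you know is happening, that points at a rootkit hiding the I/O).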

Of course you can. But let's not get too excited until we see what's going on. I mean, I think there's malware but I just got Windows loading again so we shall see …

Well, no. I’m still at work just playing with filemon to get a feel for it. I assumed you would not be on the forum when I try to run this on the problem computer (time difference and all) so I wanted to ask any necessary questions now, while you’re available.

If the log is short I’ll post it with a HJT log after I get home. I’ll not use tools that might delete anything until you’ve both had a chance to look at these.

I guess you'll understand all the features of filemon… if you find something strange there, then send it with the HJT log and (if possible) with a log from gmer or rootkit revealer… :wink:

Hi Maxx_original.

Has this anything to do with it? http://forum.avast.com/index.php?topic=29687.0

polonus

I think my problem is unrelated to the initial post since the mp3’s are intact on this computer. And strangely, internet access is back of its own accord.

I’ve attached the GMER, RootKitRevealer, and HJT logs to this post and will try to fit the Filemon log next. I haven’t taken the time to really review these yet but I did notice some Alexa in HJT and a lot of wuauclt.exe in the filemon log (even with automatic updates temporarily turned off). In subsequent runs with filemon wuauclt.exe was not present.

The HJT log shows C:\DOCUME~1\Keith\LOCALS~1\Temp\JQZXK.exe as a running process. This is simply RootKitRevealer which had finished scanning but was still open when I ran HJT.

This filemon log will take at least 10 to 12 posts and it's too large to attach. Maybe it's better if I just investigate this and post again if I find something pertinent. I don’t want to hijack Jurgster’s thread.