New worm? Avast doesn't know it

Hi, at 1am this morning, Christmas Day, I got a worm on my computer after visiting a website (the page was down so I thought nothing of it at first). I first noticed my Avast mail protection was going crazy and saying it was scanning mail for "80% off Viagra"; soon after, my computer gave me a warning saying it was shutting down in 60 seconds.
After it did this twice I pulled my internet cord out and Avast told me a system32 driver file was infected with a worm. I have put the computer into a boot scan (2nd time now) but it doesn't seem to be removing it. I also tried deleting it when the computer was active and it came back straight away.

Once my computer is off this boot scan I will try to find out what the file name was for you and edit it into this topic.

Please, if you have any suggestions I would like to hear them. I pretty much live on my computer, so anything like this really puts my life to a halt, so any suggestions would be helpful.

Hi, Markwest, welcome to the forum.
I'd try MBAM; get it (free version) from here. You will probably need to download the installer file using a good computer, then transfer it using a flash drive to the sick computer.
Install it and run a quick scan immediately. Tick everything it finds, then click "Remove Selected". It may prompt to reboot to complete removal; do so immediately.
Please post the scan report.
If something was found and removed, reconnect your machine to the web, update MBAM and run another quick scan.

Later you will have to see what your email program was sending, and to whom, and contact all of them and tell them to delete those mails unopened.

I actually happen to have it on my computer already; I will run it as soon as Avast gets out of the boot scan. I do have some further info, though: it seems to be copying or protecting itself somehow. I found stuff from both temp and restore in the Avast chest when I woke up and saw the boot scan had finished, including another virus that Avast did recognize, but once again Avast yelped at me to restart and boot scan before I could look here on the forum. I will try the program, though, and see if it can clear it, though I'm not sure how I'd move the scan report over here onto the laptop.

Edit: found the file it's infecting: System32\drivers\kpgmh.sys

Edit 2: MBAM found nothing infected, though it's probably well out of date. Any other suggestions? Avast does seem to find the bug in the boot scan, but it's back as soon as my computer loads up properly.

Thanks for the input and help; hopefully we can get this virus locked down before it hurts more people.

OK. I'm 13 hours ahead of you if you're in England, so I will be going to sleep in a (very) few hours.

No Google hits for that file. That's suspicious. It's probably a new malware variant, or, if you're really unlucky, a trojan variant that keeps changing its name.

Well, some good news: I was able to grab the update really fast online and now MBAM's infected count is going up, finding those files. I will lock them as soon as the scan is finished. I've been suspecting it might be new; probably someone thought it would be fun to create it for Christmas :cry:

Edit: it seems the file that was getting infected is still there after the Malwarebytes removal, same file as last time, though Malwarebytes did pick up a few hits and logged them.

Sounds promising. Fingers crossed.

Seems MBAM picked up on a trojan called Vundo.H, though I suspect the other infection may have dragged that in, since the main infection I first reported is still at large on my computer. Avast wanted to boot scan again, so I did, now that I've made some removals, in case it helps with the problem.

Well, I've taken my computer off the power and hooked up my old machine, waiting for further suggestions and keeping my machine safe at least. I'm pretty much at the end of my rope.
I hope you guys can help, or keep me informed if Avast gets a virus update that fixes it.

Can you please post the MBAM log.
If there is more than one, post them, in order.

Just updating my old computer with Windows updates (it's been off for the best part of a year); once it has done that I'll grab the log from my main computer. Sorry it's taking so long, just trying to get some access to my normal life again while repairing my main machine.

Hi Markwest,

There is a cleansing routine for vundo.H described here:
http://forums.majorgeeks.com/showthread.php?t=161380
and here:
http://www.bleepingcomputer.com/forums/topic219912.html

polonus

Polo, is it possible that is all I have on my machine? Does what I wrote in my first post seem to be its behaviour? It would be nice if that could just be sorted then and there with that stuff.
My old computer is still installing Windows updates, so I will get to my main computer as soon as it is done and start working on it.

OK, here's the MBAM report at least; I am working through the guide at the moment, seeing if it'll clear the problem.

Malwarebytes’ Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

25/12/2009 09:51:55
mbam-log-2009-12-25 (09-51-52).txt

Scan type: Quick Scan
Objects scanned: 125472
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) → No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) → No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) → Data: nmntrs2.dll → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\nmntrs2.dll (Trojan.Vundo.H) → No action taken.
C:\Documents and Settings\Mark\Local Settings\Temp_ir_sf_temp_0\irsetup.exe (Trojan.Agent) → No action taken.
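As an added example (not part of this thread, and not Malwarebytes' own tooling), here is a small Python parser for the MBAM 1.x log format posted above. It groups detections by section, counts the entries still marked "No action taken" (a log consisting only of such lines means nothing has been removed yet, which is the point the next reply makes), flags the Disabled.SecurityCenter entries that show Security Center notifications were switched off, and compares the database version against a newer version number you pass in. The sample log embedded in it is a constructed excerpt in the same format with placeholder names (EXAMPLEsvc.sys, example.dll), not the poster's log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and summarise what it says.

Added example for the forum thread; the log format is the one shown in the
thread, the sample below is constructed with placeholder names.
"""
import re
from collections import Counter

# Constructed sample in MBAM 1.x log format; names are placeholders.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 1000
Time elapsed: 1 minute(s), 0 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLEsvc.sys (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example32 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: example.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\example.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\setup_example.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")    # "Files Infected: 2"
ENTRY_HEAD_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)$")
ARROW_RE = re.compile(r"\s*(?:->|→)\s*")   # forum copies often turn "->" into "→"
DB_RE = re.compile(r"^Database version: (\d+)$", re.MULTILINE)


def parse_entry(section, line):
    """Split one detection line into item, family, extra details and action."""
    parts = ARROW_RE.split(line.strip())
    if len(parts) < 2:
        return None
    head = ENTRY_HEAD_RE.match(parts[0])
    if not head:
        return None
    return {"section": section, "item": head.group("item"),
            "family": head.group("family"), "details": parts[1:-1],
            "action": parts[-1].rstrip(".")}


def parse_mbam_log(text):
    """Return database version, the summary counts and every detection line."""
    db = DB_RE.search(text)
    result = {"database_version": int(db.group(1)) if db else None,
              "summary": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # blank line ends the current section
            section = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result["summary"][m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("("):   # header text / "(No malicious items detected)"
            continue
        entry = parse_entry(section, line)
        if entry:
            result["detections"].append(entry)
    return result


def pending_detections(parsed):
    """Detections the scan found but did not remove."""
    return [d for d in parsed["detections"]
            if d["action"].lower().startswith("no action taken")]


def tampered_security_settings(parsed):
    """Entries showing Security Center notifications were switched off by malware."""
    return [d for d in parsed["detections"]
            if d["family"] == "Disabled.SecurityCenter"
            or any(x.startswith("Bad: (1)") for x in d["details"])]


def database_is_stale(parsed, current_version):
    """True when the log's signature database is older than current_version."""
    v = parsed["database_version"]
    return v is not None and v < current_version


def report(text, current_version):
    """One dict a helper can read at a glance instead of the whole log."""
    parsed = parse_mbam_log(text)
    return {"database_version": parsed["database_version"],
            "database_stale": database_is_stale(parsed, current_version),
            "detections": len(parsed["detections"]),
            "pending": len(pending_detections(parsed)),
            "tampered_settings": [d["item"].rsplit("\\", 1)[-1]
                                  for d in tampered_security_settings(parsed)],
            "families": dict(Counter(d["family"] for d in parsed["detections"]))}


if __name__ == "__main__":
    # 3423 is the database version a later reply in the thread quotes as current.
    for key, value in report(SAMPLE_LOG, 3423).items():
        print(f"{key}: {value}")
```

Run against the poster's log, `pending` would equal `detections` (every line ends in "No action taken"), which is the quickest way to see that a scan was run but "Remove Selected" was never clicked; the `tampered_settings` list is the set of Security Center notification flags to re-check after cleanup.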

Run MBAM again, and this time when the scan is complete all detections should have a check mark in the box to the left of the entry; leave them selected (or select them if not selected). At the bottom of the window there is a button, Remove Selected; click that and the items will be removed.

Might be a good idea to update MBAM, too.
Your database is out of date, current version (as of yesterday) 3423. Yours indicates 3289.

If MBAM prompts for a reboot to complete removal (unlikely in this case, I believe, but possible) please reboot promptly.

Currently following the guide posted on MajorGeeks, using SUPERAntiSpyware first, then Malwarebytes and finishing off with MGtools. I couldn't find a separate update for Malwarebytes since I can't go on the net on my main computer without it doing stuff again, and I do not want to connect it up in case the virus gets worse.

Fair enough.
Here’s a way to get MBAM updated.
Install it on a clean computer, then update it on that computer.
Go to the folder (in XP) C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware and locate rules.ref (~3.5 MB) and copy it to a flash drive.
Transfer it from the flash drive to the sick computer, to the same folder.
Windows should ask if you want to replace the same named file with this new one. If it doesn’t, you’re in the wrong folder. Click Yes.
Good to go.

My laptop seems to be crashing when I use my flash drive on it; hopefully it's just being temperamental. I did update my machine quickly through the net and it is now running MBAM, though if the flash drive continues to fail to work I don't know how I will be able to transfer the logs over to the laptop to post here. Will keep you updated on what's happening.

Looking at what MGtools does, I'm kinda scared to use it and will not be using it after all. I will still try and get the logs to this computer and will await further ideas if Avast says the file is still infected.

Is this the tool you mean?

C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis...
If it is the same as HijackThis, the tool is safe to run. It is not safe to remove items without guidance if you don't know what you are doing.