It all started with this stuff…
Started on Sunday, May 13, 2012 8:31:51 PM
- VPS: 120507-1, 05/07/2012
\tsclient\a\a.dll [L] Win32:Agent-AOKE [Trj] (0)
\tsclient\a\a.dll [L] Win32:Agent-AOKE [Trj] (0)
While moving file to chest, error occurred: The network name cannot be found
I found this Win32:Crypt-MIZ[Trj] in the file z:\imbtools\drivers\PZ2Z25US\HDDDriverInfo.exe
It even migrated into the system restore data.
I tried to scan for this network… I did some research… It was some kind of infection… that I thought I might have gotten on one of the profiles of XP Pro SP2.
Then this happened.
C:\3210208955144ed7387c7d\5A5CE835-DCD2-430A-BA82-D40734EF0F24mpasdlta.vdm.new.temp [L] INF:AutoRun-AA [Wrm] (0)
When I researched this… I tried to find traces and evidence of the payload of this other worm too… I didn’t really notice anything odd with the registry at first… I’ve still been trying to crack this…
I just know that my registry was altered by a worm somehow…
But… this worm is starting to create startups in the root directory of my main drives… It didn’t create any autorun.inf files… So… I’m a little lost as to how and when I first got infected… and the client server… unauthorized connections is confusing me… I can’t seem to find out where this all happened… But I’m listing this stuff from start to finish.
Even after avast disinfects the files and chests them… they still reappear…
C:\ibmtools\drivers\PZ2Z25US\HDDDriveInfo.exe [L] Win32:Crypt-MIZ [Trj] (0)
C:\System Volume Information_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP444\A0152943.exe [L] Win32:Crypt-MIZ [Trj] (0)
C:\System Volume Information_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP444\A0152943.exe [L] Win32:Crypt-MIZ [Trj] (0)
Started on Thursday, May 24, 2012 9:45:00 PM
- VPS: 120521-0, 05/21/2012
H:\87e9d5575327307baa0050680c3e6216\427C33D4-7CD2-424F-A5F8-743B789D63E3mpasdlta.vdm.old.temp [L] INF:AutoRun-AA [Wrm] (0)
It seems to only migrate to drives with a paging file on the drives I have set up.
It hasn’t done anything to my Main Storage Drive.
The paging File is on Z: (aka C because I used a backup drive with my OS on it and put it into the system and I am booting up with that drive so it doesn’t boot the Paging files in the other drives or the infected OS).
So Z: will be the infected C: drive that I am scanning with my backup OS.
There is also another paging file on Drive H: (which is the performance drive for the main focus of paging.)
The worm seems to only try to infect other drives that have a paging system…
I didn’t notice it trying to infect removable media yet.
The backup OS has AutoRun/Autoplay disabled (aka Shell disabled via Msconfig) as a safety protocol.
I did a full scan with an updated AV database on Z: and H:
The only thing infected on H: was the pagefile.sys. It’s been deleted.
Can’t detect the trojan in my Z: drive though; I don’t know why, but just in case I’m deleting it too to refresh the pagefile.sys on Z:
Malwarebytes only detects the following
Z:\Program Files\Avanquest\SystemSuite\helpfiles.exe
Z:\Program Files\Avanquest\SystemSuite\fcs.exe
Those were never infected before… Avanquest has never given me trouble till now… So that confused me there…
All I know is around May 8th is when I noticed my backup account profile in WXP SP2 on infected Z:
was acting up… Programs would execute when the Windows Logon screen for fast user switching was on… aka PC Locked or something when I’m logged onto my Admin account Brickstin…
Somehow Backup was being logged into remotely… so I killed Remote Desktop etc. and the likes. There was no password on Backup at first so I tried putting a pass called Backup.
It was still being logged into…
So I killed the account and removed the files associated with that profile.
And also disabled the guest account…
Can anyone shed some light?
I’m still scanning as I type this.
Thanks in advance,
Sincerely,
Erick
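Added example, not part of the post: a small Python triage script that parses avast! detection lines of the shape quoted above and buckets each hit by where the file lives (restore-point snapshot, RDP-redirected \tsclient drive, antimalware definition-delta temp file, ordinary local file), since that location decides the cleanup step. The sample lines are constructed from the post's format and the bucket names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: detection lines in the shape of the avast! output quoted
# in the post above, plus one non-detection status line the parser must skip.
SAMPLE_LOG = [
    r"\tsclient\a\a.dll [L] Win32:Agent-AOKE [Trj] (0)",
    r"C:\ibmtools\drivers\PZ2Z25US\HDDDriveInfo.exe [L] Win32:Crypt-MIZ [Trj] (0)",
    r"C:\System Volume Information_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP444\A0152943.exe [L] Win32:Crypt-MIZ [Trj] (0)",
    r"H:\87e9d5575327307baa0050680c3e6216\427C33D4-7CD2-424F-A5F8-743B789D63E3mpasdlta.vdm.old.temp [L] INF:AutoRun-AA [Wrm] (0)",
    "While moving file to chest, error occurred: The network name cannot be found",
]

# <path> [L] <detection name> [<Trj|Wrm|...>] (<result code>)
LINE_RE = re.compile(r"^(?P<path>.+?) \[L\] (?P<name>\S+) \[(?P<kind>\w+)\] \((?P<code>\d+)\)$")

def classify(path):
    """Bucket a detection path by where it lives; the bucket decides the cleanup step."""
    p = path.lower()
    if p.lstrip("\\").startswith("tsclient"):
        return "rdp-redirected-drive"   # \tsclient\<letter> is a client drive shared into an RDP session
    if "system volume information" in p:
        return "restore-point"          # System Restore snapshot copy; AV cannot clean it in place
    if "mpasdlta.vdm" in p:
        return "definition-delta-temp"  # antimalware delta-signature temp file; confirm before trusting the hit
    return "local-file"

def parse_log(lines):
    """Return one dict per detection line; status and error lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["code"] = int(rec["code"])
        rec["where"] = classify(rec["path"])
        hits.append(rec)
    return hits

def summarize(hits):
    """Count detections by (name, kind) so repeat offenders stand out."""
    return Counter((h["name"], h["kind"]) for h in hits)

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["where"]:24} {h["name"]:20} {h["path"]}')
    print(summarize(hits))
```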