Win32:Small-EMG [Trj]

Hi,

Yesterday I downloaded a file, but once I tried to run it avast notified me it was infected, so I moved it to the vault and deleted the exe setup. A few minutes later Windows Firewall was disabled and didn't allow me to enable it. I did a scan with Spybot Search & Destroy and it detected my firewall was disabled, so it enabled it and I rebooted. When I logged on avast! had a notification message about a virus, and I then saw my whole Windows Security Center was disabled. I ran a scan with avast and it detected 2 infected files and moved them to the chest:

Virus has been detected!
File Name: adv691[1].exe
FileID: 9
Virus Description: Win32:Small-EMG [Trj]

I ran Ad-Aware as well and Spybot again, and Spybot detected and fixed the Security Center and firewall; a minute later the Security Center was disabled again. I thought I might try to make a System Restore then, but when I opened the System Restore panel an error popped up saying:

"There was an unexpected error:

The filename, directory name, or volume label syntax is incorrect.
(0x8007007B)

System Restore will now close."

I wanted to try maybe Spyware Doctor and find a temporary firewall, since I'm quite vulnerable at the moment, but I have a 64-bit version of Windows Vista so it's not really easy to find compatible software. Any suggestions?

Thanks

Comodo doesn't claim 64-bit compatibility, but I have it installed on five 64-bit boxes without any problems.

http://www.filehippo.com/download_comodo/

I suggest you get it downloaded along with AVG Anti-Spyware and a-squared (both free versions):

http://free.grisoft.com/doc/20/lng/us/tpl/v5

http://www.emsisoft.com/en/software/free/

Take your computer offline. Do an avast! boot scan and place in quarantine anything found. After that, install the firewall and the two anti-trojan programs and connect to the internet long enough to update both. Then scan with those and post the results in your response.

Thanks for the reply,

I tried Comodo a few weeks ago but it didn't want to install; today I found http://sphinx-soft.com/Vista/index.html which is really simple but works with 64-bit Vista.

I was reading the avast FAQs and saw you can't use the boot-time scan in 64-bit OSes:
http://www.avast.com/eng/faq-cant-use-boot-time-scan.html

AVG Anti-Spyware also won't install on my 64-bit PC. I'll try a-squared in safe mode and see how I go.

I ran the a-squared scan, but apart from a few low-risk cookies and my mIRC it didn't detect anything. However, while it was scanning my 3 hard drives avast popped up two times warning me about the following malware:

Win32:Trojan-gen. {VC}

Win32:Trojano-1210 [Trj]

which were located in this user's temp files but now should be in the chest. I then remembered the services.msc command and ran it from Windows Run; the Security Center service was set to Disabled, so I set it to Automatic, which seemed to allow me to enable my Security Center for some 10 minutes before it disabled itself again.
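An added example, not part of the thread, of doing the services.msc check described above from PowerShell instead of by hand. It prints the start mode and state of the Security Center, Windows Firewall and Windows Defender services (wscsvc, MpsSvc and WinDefend on Vista) and then flags every service whose binary lives outside the normal system and program directories, which is how an entry such as the "Microsoft Validation Service" running C:\Windows\mdms32.exe later in this thread would show up. It assumes an elevated PowerShell 2.0 or later prompt; the directory list and the output format are my choices for the example.

```powershell
# Added example (not from the thread): audit services the way services.msc
# shows them. Run from an elevated PowerShell 2.0+ prompt on Vista/7.

# Services the trojan in this thread kept switching off.
$watch = 'wscsvc', 'MpsSvc', 'WinDefend'    # Security Center, Windows Firewall, Windows Defender
foreach ($s in Get-WmiObject Win32_Service | Where-Object { $watch -contains $_.Name }) {
    "{0,-9} start={1,-8} state={2}" -f $s.Name, $s.StartMode, $s.State
}

# Pull the executable out of a service command line such as
#   "C:\Program Files\Foo\foo.exe" -arg   or   C:\Windows\system32\svchost.exe -k netsvcs
function Get-ServiceExe([string]$pathName) {
    if ($pathName -match '^\s*"?(.+?\.exe)') { return $matches[1] }
    return $pathName
}

# Legitimate service binaries almost always live under one of these (assumed list).
$trusted = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\", "$env:ProgramFiles\")
if (${env:ProgramFiles(x86)}) { $trusted += "${env:ProgramFiles(x86)}\" }

foreach ($s in Get-WmiObject Win32_Service) {
    $exe = Get-ServiceExe $s.PathName
    $inTrusted = $false
    foreach ($dir in $trusted) { if ($exe -like "$dir*") { $inTrusted = $true } }
    if ($inTrusted) { continue }

    # Signature status is informational only: on Vista many Microsoft binaries are
    # catalog-signed and report NotSigned here, so do not treat that alone as proof.
    $sig = 'MISSING'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
    }
    "SUSPECT {0} ('{1}') start={2} exe={3} signature={4}" -f $s.Name, $s.DisplayName, $s.StartMode, $exe, $sig
}
```

A service whose binary sits directly in C:\Windows (rather than System32) or in a user profile, with an official-sounding display name, is the pattern to look at first; a start mode of Disabled on wscsvc or MpsSvc that comes back after you set it to Auto means something still running is changing it, which is why the thread goes on to look for that process.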

Sorry - if you're able to boot into safe mode, do a thorough safe-mode scan instead.

Then let's get a look at what's running on your system:

Download Deckard's System Scanner (DSS) to your Desktop.
  1. Close all applications and windows.
  2. Double-click on DSS.exe to run it, and follow the prompts.
  3. The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.

Is the firewall you downloaded working?

The firewall I downloaded seems to be doing the job quite well :)

Here are the results of the main.txt: http://www.geocities.com/sex.technician/main.txt

Here are the results of the extra.txt: http://www.geocities.com/sex.technician/extra.txt

When you ran DSS was it in safe mode?

Upload this file to Virus Total

C:\Windows\mdms32.exe

and post the results

Also, did you install FlashGet?

Oh, nope, I ran it normally; it didn't say anything about safe mode.

I looked in my Windows folder but mdms32.exe doesn't appear.

Yep, I installed FlashGet.

Thanks for the help,

Do this, then look again:

  1. Close all programs so that you are at your desktop.
  2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
  3. Click on the Control Panel menu option.

When the Control Panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
  4. Double-click on the Folder Options icon.
  5. Click on the View tab.
  Go to step 6.

If you are in the Control Panel Home view do the following:
  4. Click on the Appearance and Personalization link.
  5. Click on Show Hidden Files or Folders.
  Go to step 6.

  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button.

You should be able to find mdms32.exe now to upload to VirusTotal.

DSS installed HijackThis for you. Please rename hijackthis.exe to hijackthat.exe, open the program, and generate and save a log. Then post the results of the VirusTotal scan and the new HJT log. (I had asked whether you scanned in safe mode because there were very few running processes shown in the log. Hopefully this will fix that.)

Here are the VirusTotal results:

Antivirus          Version         Update      Result
AhnLab-V3          2007.3.31.0     04.02.2007  no virus found
AntiVir            7.3.1.47        04.01.2007  TR/Agent.1251840
Authentium         4.93.8          03.31.2007  no virus found
Avast              4.7.936.0       04.02.2007  no virus found
AVG                7.5.0.447       04.01.2007  no virus found
BitDefender        7.2             04.02.2007  DeepScan:Generic.Malware.SI!FWX!Bprng.2B7FBDD6
CAT-QuickHeal      9.00            03.31.2007  no virus found
ClamAV             devel-20070312  04.02.2007  no virus found
DrWeb              4.33            04.01.2007  no virus found
eSafe              7.0.15.0        04.01.2007  no virus found
eTrust-Vet         30.6.3527       03.31.2007  no virus found
Ewido              4.0             04.01.2007  Trojan.Agent
FileAdvisor        1               04.02.2007  no virus found
Fortinet           2.85.0.0        04.01.2007  suspicious
F-Prot             4.3.1.45        03.30.2007  no virus found
F-Secure           6.70.13030.0    04.02.2007  no virus found
Ikarus             T3.1.1.3        04.01.2007  Backdoor.VB.EV
Kaspersky          4.0.2.24        04.02.2007  no virus found
McAfee             4997            03.31.2007  no virus found
Microsoft          1.2306          04.02.2007  no virus found
NOD32v2            2161            04.01.2007  no virus found
Norman             5.80.02         03.31.2007  no virus found
Panda              9.0.0.4         04.01.2007  W32/Sdbot.KCC.worm
Prevx1             V2              04.02.2007  Trojan.Ronet
Sophos             4.16.0          03.30.2007  no virus found
Sunbelt            2.2.907.0       03.31.2007  Trojan.SI!FWX!Bprng.2B7FBDD6
Symantec           10              04.02.2007  no virus found
TheHacker          6.1.6.083       03.30.2007  no virus found
UNA                1.83            03.16.2007  no virus found
VBA32              3.11.3          04.01.2007  no virus found
VirusBuster        4.3.7:9         04.01.2007  no virus found
Webwasher-Gateway  6.0.1           04.01.2007  Trojan.Agent.1251840

Additional information
File size: 1251840 bytes
MD5: e54377e5c4c87b076c5036812df47b9c
SHA1: b13b0311034e6f0b7829bcf8481f4e80c5e7140f
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=a83383592844
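An added example, not part of the thread, of checking the file on disk against the MD5 and SHA1 that VirusTotal reported above, from PowerShell. It uses Get-Item -Force so the file is found even while it is still hidden or marked as a protected operating-system file (the folder-option changes above only affect Explorer), and the .NET hash classes rather than Get-FileHash so it also runs on the PowerShell 2.0 available for Vista. The path and the expected hashes are the values quoted in this thread.

```powershell
# Added example (not from the thread). Hash a possibly hidden file and
# compare it with the MD5 / SHA1 that VirusTotal showed for the sample.

function Get-FileDigest([string]$path, [string]$algorithm) {
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($algorithm)
    $stream = [System.IO.File]::OpenRead($path)   # reads hidden/system files as well
    try {
        $bytes = $algo.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

$path = 'C:\Windows\mdms32.exe'
$expected = @{
    MD5  = 'e54377e5c4c87b076c5036812df47b9c'       # from the VirusTotal report above
    SHA1 = 'b13b0311034e6f0b7829bcf8481f4e80c5e7140f'
}

# Without -Force, Get-Item treats hidden files as if they did not exist.
$file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
if (-not $file) {
    "$path not found - either it is gone or this account cannot see it"
    return
}

"Attributes: {0}; size: {1} bytes (VirusTotal: 1251840)" -f $file.Attributes, $file.Length
foreach ($algorithm in 'MD5', 'SHA1') {
    $actual  = Get-FileDigest $file.FullName $algorithm
    $verdict = 'DIFFERENT file - treat it as a new sample and upload it too'
    if ($actual -eq $expected[$algorithm]) { $verdict = 'matches the VirusTotal sample' }
    "{0,-4} {1}  {2}" -f $algorithm, $actual, $verdict
}
```

A mismatch does not mean the file is clean: the thread shows the dropper (adv691[1].exe) being re-downloaded, so a changed hash usually means a new variant, and the right move is to quarantine it and submit the new hash rather than to ignore it.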

I renamed HijackThis and did the scan. While doing the scan it had a couple of errors; the first one said something about going to Start > Run and calling Notepad to edit the hosts file since HJT couldn't access some files, and the second one was this:

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:

  • What you were trying to fix when the error occurred, if applicable
  • How you can reproduce the error
  • A complete HijackThis scan log, if possible

Windows version: Windows NT 6.00.1904
MSIE version: 7.0.6000.16386
HijackThis version: 1.99.1

The HJT log can be found here:
http://www.geocities.com/sex.technician/hijackthis.log

Bear with me. I would like to try SDFix but I'm not sure it's compatible with Vista.

SDFix will not work in Vista.

I would like to try an automated fix but first zip and password protect a copy of mdms32.exe and email it to virus(at)avast.com. Include the password in the body of your email and a brief description.

SUPERAntiSpyware says it has preliminary Vista support without specifying 32- or 64-bit, so download and install (hopefully) the free version:

http://www.superantispyware.com/superantispyware.html

After rebooting and updating, run a complete scan. Quarantine anything found, then click the Preferences button, then the Statistics/Log tab. Highlight the log and click the View Log button which will open notepad. Copy the contents of the log and post it here.

OK, the installation of SUPERAntiSpyware went pretty well; I'll do the scan once it finishes downloading the updates. The symptoms of the virus seem to have gotten worse: since yesterday it has slowed down my internet incredibly, from like 1.5 MB to 65 KB. After 10/15 minutes the connection just dies and I have to reboot to get it back for another 15 minutes; I never had this kind of problem with my ISP. Also, every time I turn the computer on avast now notifies me of:

File name: C:\msrwl32.exe[FSG]

Malware name: Win32:Small-EMG [Trj]

Malware type: Trojan Horse

And the firewall blocks half a dozen or so connections from system files that are trying to access the internet, like svchost.exe and mdms32.exe.

Just emailed avast and finished the scan; here are the results:

SUPERAntiSpyware Scan Log
Generated 04/03/2007 at 08:02 AM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1220

Scan type : Complete Scan
Total Scan Time : 00:33:14

Memory items scanned : 100
Memory threats detected : 0
Registry items scanned : 5680
Registry threats detected : 0
File items scanned : 50236
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Matty\AppData\Roaming\Microsoft\Windows\Cookies\matty@adserving.cpxinteractive[2].txt
C:\Users\Papa\AppData\Roaming\Microsoft\Windows\Cookies\Low\papa@imrworldwide[2].txt
C:\Users\Papa\AppData\Roaming\Microsoft\Windows\Cookies\Low\papa@msnportal.112.2o7[1].txt
C:\Users\Papa\AppData\Roaming\Microsoft\Windows\Cookies\Low\papa@www.vibrantmedia[2].txt
C:\Users\Papa\AppData\Roaming\Microsoft\Windows\Cookies\papa@2o7[2].txt
C:\Users\Papa\AppData\Roaming\Microsoft\Windows\Cookies\papa@amlocalhost.trymedia[1].txt

Your computer is slow right now because the trojan is using so many resources.

Open HJT and click Do a System Scan Only. When it finishes, place a check next to this line:

O23 - Service: Microsoft Validation Service - Unknown owner - C:\Windows\mdms32.exe

and click the Fix Checked button.

Reboot into safe mode and delete this file:

C:\Windows\mdms32.exe

We will still need to go after C:\msrwl32.exe, so boot into normal mode and post another hjt log. Also post the path of the svchost.exe that tries to access the internet.
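An added example, not part of the thread, that carries out the removal described above (unregister the O23 service, delete the file, falling back to safe mode if it is locked) from an elevated PowerShell 2.0 or later prompt, and also answers the last request by listing every running svchost.exe with its path. It keeps a renamed copy of each file first, because the helper earlier asked for a sample to be sent to avast. The service display name and file paths are the ones named in this thread; the quarantine folder C:\quarantine is an assumption for the example.

```powershell
# Added example (not from the thread). Elevated PowerShell 2.0+ on Vista.
$displayName = 'Microsoft Validation Service'        # the O23 entry in the HJT log
$files       = 'C:\Windows\mdms32.exe', 'C:\msrwl32.exe'
$quarantine  = 'C:\quarantine'                       # assumed location for kept samples

# 1. Unregister the service. This is what the HijackThis "Fix checked" on an
#    O23 line does; sc.exe is present on every Vista install. The HJT line only
#    shows the display name, so look the service up by that.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='$displayName'"
if ($svc) {
    "Service {0} -> {1}" -f $svc.Name, $svc.PathName
    if ($svc.State -eq 'Running') { $null = $svc.StopService() }
    sc.exe delete $svc.Name
} else {
    "No service with display name '$displayName' is registered"
}

# 2. Keep a copy that cannot run by double-click, then delete the original.
#    A file still locked by a running process has to be removed from safe mode.
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
$needSafeMode = $false
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "$f not present"; continue }
    $copy = Join-Path $quarantine ((Split-Path $f -Leaf) + '.bin')
    Copy-Item -LiteralPath $f -Destination $copy -Force
    try {
        Remove-Item -LiteralPath $f -Force -ErrorAction Stop
        "deleted $f (copy kept at $copy)"
    } catch {
        "$f is locked: $($_.Exception.Message)"
        $needSafeMode = $true
    }
}
if ($needSafeMode) {
    "Reboot into safe mode and run this again; from an elevated prompt:"
    "  bcdedit /set '{current}' safeboot minimal      (undo afterwards with: bcdedit /deletevalue '{current}' safeboot)"
}

# 3. The real svchost.exe only ever runs from System32; a copy anywhere else is
#    the impostor the firewall was complaining about. WMI is used instead of
#    Get-Process because it returns the path of SYSTEM-owned processes without
#    throwing access-denied errors.
$real = Join-Path $env:SystemRoot 'System32\svchost.exe'
foreach ($p in Get-WmiObject Win32_Process -Filter "Name='svchost.exe'") {
    $flag = ''
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $real) { $flag = '  <-- NOT the system svchost' }
    "{0,6}  {1}{2}" -f $p.ProcessId, $p.ExecutablePath, $flag
}
```

The copies in C:\quarantine still need to be zipped with a password before they are mailed, as the helper asked; renaming to .bin only stops an accidental double-click. Any svchost.exe reported from a path other than System32 should go through the same copy-then-delete steps.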

Yeah, it takes a lot to reboot or shut down. I did another avast scan just to see how it went and it detected the same Trojan located at: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\22SQK8O8\adv691[1].exe[FSG

I did the HJT scan and fixed the mdms32 entry, then entered safe mode and deleted it. I don't see the firewall-blocked notifications any more because it loads so many that it crashes the firewall on startup and Windows has to shut it down.

Here are the results for the new HJT log: http://www.geocities.com/sex.technician/hijackthis.log

And here are a couple of screenshots of the errors I get while it does the scan, just in case:

http://www.geocities.com/sex.technician/hjt1.JPG
http://www.geocities.com/sex.technician/hjt2.JPG

Is the firewall working at all?

Early in this thread I asked you to scan with avast! in safe mode, but I don't see that you've done that yet. Please boot into safe mode and do a thorough scan with archives and put anything found in the chest.

Also, try scanning with the beta version of Windows Live OneCare

http://onecare.live.com/site/en-us/center/whatsnew.htm

It is Vista compatible.

Then download the beta version of HijackThis v2.0 and post a log generated with this instead of the HJT you've been using:

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

I also have to suggest you start backing up any data you need to protect. I don't feel like we're getting this under control quickly enough, and many of the tools I would like to use either don't function at all or don't function fully under Vista. I'm not ready to give up, but we need to face the possibility that you will need to wipe your drive and reinstall the OS.

If you've done any internet banking, accessed your PayPal account, etc. on this computer, you should also advise your financial institutions of the current situation. I don't know how high the risk is at the moment, but I do believe there is more going on than we can currently see.

When you first started this thread you said the problems began when you downloaded a file. Do you know what the file was?

Do you really think this virus can be fully removed? Because I installed Vista just a month ago, and I think I would be willing to format everything to get rid of this pesky virus, since I won't lose too much info and I will regain my System Restore features etc.

At least you could learn how to manage when a virus is there...
But if you don't want to, you can start again from the beginning, of course...