Yesterday I downloaded a file, but once I tried to run it avast! notified me it was infected, so I moved it to the vault and deleted the exe setup. A few minutes later Windows Firewall was disabled and didn't allow me to enable it. I did a scan with Spybot Search & Destroy and it detected my firewall was disabled, so it enabled it and I rebooted. When I logged on, avast! had a notification message about a virus, and I then saw my whole Windows Security Center was disabled. I ran a scan with avast! and it detected 2 infected files and moved them to the chest:
Virus has been detected!
File Name: adv691[1].exe
FileID: 9
Virus Description: Win32:Small-EMG [Trj]
I ran Ad-Aware as well and Spybot again, and Spybot detected and fixed the Security Center and firewall; a minute later the Security Center was disabled again. I thought I might try to make a System Restore then, but when I opened the System Restore panel an error popped up saying:
"There was an unexpected error:
The filename, directory name, or volume label syntax is incorrect.
(0x8007007B)
System Restore will now close."
I wanted to try maybe Spyware Doctor and find a temp firewall since I'm quite vulnerable at the moment, but I have a 64-bit version of Windows Vista so it's not really easy to find compatible software. Any suggestions?
Take your computer offline. Do an avast! boot scan and place in quarantine anything found. After, install the firewall and the two anti-trojan programs and connect to the internet long enough to update both. Then scan with those and post the results in your response.
I tried Comodo a few weeks ago but it didn't want to install; today I found http://sphinx-soft.com/Vista/index.html which is really simple but works with 64-bit Vista.
I ran the a-squared scan but, apart from a few low-risk cookies and my mIRC, it didn't detect anything. However, while it was scanning my 3 hard drives avast! popped up two times warning me about the following malware:
Win32:Trojan-gen. {VC}
Win32:Trojano-1210 [Trj]
which were located in this user's temp files but now should be in the chest. I then remembered the services.msc command and ran it from Windows Run; the Security Center was set to Disabled, so I set it to Automatic, which seemed to allow me to enable my Security Center for some 10 minutes before it disabled itself again.
Sorry - if you're able to boot into safe mode, do a thorough safe mode scan instead.
Then let's get a look at what's running on your system:
Download Deckard’s System Scanner (DSS) to your Desktop.
1) Close all applications and windows.
2) Double-click on DSS.exe to run it, and follow the prompts.
3) The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)
Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.
1) Close all programs so that you are at your desktop.
2) Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
3) Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:
If you are in the Classic View do the following:
4) Double-click on the Folder Options icon.
5) Click on the View tab.
Go to step 6.
If you are in the Control Panel Home view do the following:
4) Click on the Appearance and Personalization link.
5) Click on Show Hidden Files or Folders.
Go to step 6.
6) Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7) Remove the checkmark from the checkbox labeled Hide extensions for known file types.
8) Remove the checkmark from the checkbox labeled Hide protected operating system files.
9) Press the Apply button and then the OK button.
You should be able to find mdms32.exe now to upload to VirusTotal.
DSS installed HijackThis for you. Please rename hijackthis.exe to hijackthat.exe, open the program, and generate and save a log. Then post the results of the VirusTotal scan and the new HJT log. (I had asked whether you scanned in safe mode because there were very few running processes shown in the log. Hopefully this will fix that.)
Antivirus          Version         Update      Result
AhnLab-V3          2007.3.31.0     04.02.2007  no virus found
AntiVir            7.3.1.47        04.01.2007  TR/Agent.1251840
Authentium         4.93.8          03.31.2007  no virus found
Avast              4.7.936.0       04.02.2007  no virus found
AVG                7.5.0.447       04.01.2007  no virus found
BitDefender        7.2             04.02.2007  DeepScan:Generic.Malware.SI!FWX!Bprng.2B7FBDD6
CAT-QuickHeal      9.00            03.31.2007  no virus found
ClamAV             devel-20070312  04.02.2007  no virus found
DrWeb              4.33            04.01.2007  no virus found
eSafe              7.0.15.0        04.01.2007  no virus found
eTrust-Vet         30.6.3527       03.31.2007  no virus found
Ewido              4.0             04.01.2007  Trojan.Agent
FileAdvisor        1               04.02.2007  no virus found
Fortinet           2.85.0.0        04.01.2007  suspicious
F-Prot             4.3.1.45        03.30.2007  no virus found
F-Secure           6.70.13030.0    04.02.2007  no virus found
Ikarus             T3.1.1.3        04.01.2007  Backdoor.VB.EV
Kaspersky          4.0.2.24        04.02.2007  no virus found
McAfee             4997            03.31.2007  no virus found
Microsoft          1.2306          04.02.2007  no virus found
NOD32v2            2161            04.01.2007  no virus found
Norman             5.80.02         03.31.2007  no virus found
Panda              9.0.0.4         04.01.2007  W32/Sdbot.KCC.worm
Prevx1             V2              04.02.2007  Trojan.Ronet
Sophos             4.16.0          03.30.2007  no virus found
Sunbelt            2.2.907.0       03.31.2007  Trojan.SI!FWX!Bprng.2B7FBDD6
Symantec           10              04.02.2007  no virus found
TheHacker          6.1.6.083       03.30.2007  no virus found
UNA                1.83            03.16.2007  no virus found
VBA32              3.11.3          04.01.2007  no virus found
VirusBuster        4.3.7:9         04.01.2007  no virus found
Webwasher-Gateway  6.0.1           04.01.2007  Trojan.Agent.1251840
I renamed HijackThis and did the scan. While doing the scan it had a couple of errors: the first one said something about going to Start > Run and calling Notepad to edit the hosts file since HJT couldn't access some files; the second one was this:
An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error
I would like to try an automated fix but first zip and password protect a copy of mdms32.exe and email it to virus(at)avast.com. Include the password in the body of your email and a brief description.
SuperAntispyware says it has preliminary Vista support without specifying 32 or 64 bit, so download and install (hopefully) the free version.
After rebooting and updating, run a complete scan. Quarantine anything found, then click the Preferences button, then the Statistics/Log tab. Highlight the log and click the View Log button which will open notepad. Copy the contents of the log and post it here.
OK, the installation of SuperAntispyware went pretty well; I'll do the scan once it finishes downloading the updates. The symptoms of the virus seem to have gotten worse: since yesterday it has slowed down my internet incredibly, from like 1.5 mb's to 65 kb. After 10/15 minutes the connection just dies and I have to reboot to get it back for another 15 minutes; I never had this kind of problem with my ISP. Also, every time I turn the computer on, avast! now notifies me of:
File name: C:\msrwl32.exe[FSG]
Malware name: Win32:Small-EMG [Trj]
Malware type: Trojan Horse
And the firewall blocks half a dozen or so connections from system files that are trying to access the internet, like svchost.exe and mdms32.exe.
Your computer is slow right now because the trojan is using so many resources.
Open hjt and click Do a System Scan Only. When it finishes place a check next to this line
O23 - Service: Microsoft Validation Service - Unknown owner - C:\Windows\mdms32.exe
and click the Fix Checked button.
Reboot into safe mode and delete this file
C:\Windows\mdms32.exe
We will still need to go after C:\msrwl32.exe, so boot into normal mode and post another hjt log. Also post the path of the svchost.exe that tries to access the internet.
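An added defender-side check, not part of this thread, that does in PowerShell what the helper is doing by hand above: it reports the start mode of the Security Center and Windows Firewall services (assumed service names wscsvc and MpsSvc, the Vista-era names) and lists services whose binary lives directly in the Windows root rather than System32/SysWOW64, or whose signature does not verify, which is the pattern of the mdms32.exe O23 entry. On Vista/7, Get-AuthenticodeSignature does not consult catalog signatures, so a NotSigned result on a Microsoft binary is a lead to confirm (for example on VirusTotal), not a verdict.

```powershell
# Added example (not from the thread): triage checks mirroring the manual
# services.msc / HijackThis O23 review described in the thread.

# 1) Security Center and Windows Firewall should be Automatic and Running.
#    Assumption: Vista-era service names wscsvc and MpsSvc.
$protective = 'wscsvc', 'MpsSvc'
Get-CimInstance Win32_Service |
    Where-Object { $protective -contains $_.Name } |
    Select-Object Name, StartMode, State |
    Format-Table -AutoSize

# 2) Flag services whose binary sits directly in the Windows directory
#    (legitimate service hosts live under System32/SysWOW64) or whose
#    Authenticode signature does not verify.
$winRoot = $env:SystemRoot.TrimEnd('\')   # C:\Windows on the poster's machine

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments; keep only the executable.
    if (-not $PathName) { return $null }
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe) { return }
    $dir    = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
    $inRoot = ($dir -ne $null) -and ($dir.TrimEnd('\') -ieq $winRoot)
    $sig    = if (Test-Path -LiteralPath $exe) {
                  (Get-AuthenticodeSignature -FilePath $exe).Status
              } else { 'FileMissing' }
    if ($inRoot -or $sig -ne 'Valid') {
        [pscustomobject]@{
            Service   = $_.Name
            Display   = $_.DisplayName
            StartMode = $_.StartMode
            Path      = $exe
            Signature = $sig
            Reason    = if ($inRoot) { 'binary in Windows root' }
                        else         { 'signature not Valid' }
        }
    }
} | Format-Table -AutoSize
```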
Yeah, it takes a lot to reboot or shut down. I did another avast! scan just to see how it went and it detected the same trj located at: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\22SQK8O8\adv691[1].exe[FSG
I did the HJT scan and fixed the mdms32, then entered safe mode and deleted it. I don't see the firewall blocked notifications anymore because it loads so many that it crashes the firewall on startup and Windows has to shut it down.
Early in this thread I asked you to scan with avast! in safe mode but I don't see that you've done that yet. Please boot into safe mode and do a thorough scan with archives and put anything found in the chest.
Also, try scanning with the beta version of Windows Live OneCare.
I also have to suggest you start backing up any data you need to protect. I don’t feel like we’re getting this under control quickly enough and many of the tools I would like to use either don’t function at all or not fully under Vista. I’m not ready to give up, but we need to face the possibility that you will need to wipe your drive and reinstall the OS.
If you’ve done any internet banking, access to your PayPal account etc on this computer you should also advise your financial institutions of the current situation. I don’t know how high the risk is at the moment but I do believe there is more going on than we can currently see.
When you first started this thread you said the problems began when you downloaded a file. Do you know what the file was?
Do you really think this virus can be fully removed? 'Cause I installed Vista just a month ago and I think I would be willing to format everything to get rid of this pesky virus, since I won't lose too much info and I will regain my System Restore features etc.