Worm/Small.2.f

What is that virus which AVAST and AVG are unable to remove… even Norton Antivirus isn't able to remove it…? This virus first spread from a handphone MMC card, then to a pendrive, and now it's inside the PC… it generates files like reproduce.txt, script.txt, tcpcheck result.txt and a lot more…
Does anybody know what this virus is…? What is its real name…? And how to remove it…?

Hah…! It creates a Microsoft PowerPoint file for itself with a folder icon… but the icon looks blurry and clear intermittently… and when you double-click the file… it opens Notepad…
And now it starts to autorun… I don't know what it autoruns…???
Does anybody know how to shoot to kill this virus…? The MMC card and pendrive can't be reformatted… if I reformat, after it completes… it's still there…! The virus is still there…
Hey…! My handphone keeps sending SMS to unknown people for unknown reasons… and keeps sending email… to unknown people… in Africa…? Hey…! I don't have friends there… Please help me shoot to kill this virus…

Hi and welcome, I presume you have avast as your antivirus.

If this is the case, try running a boot-time scan. Take note of what files are detected for quarantine and post back with the details.

Hi welcome to the forum.

To get you started

Open the Folder Options in the Control Panel. On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked. Click OK.

Download and run

CleanUp

Download SUPERAntiSpyware

Start SUPERAntiSpyware and update

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked:

  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantine.

leave the others unchecked.

Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.

Post that log. Start SUPERAntiSpyware; the log will be under Preferences, Statistics/Logs tab in the scanner logs.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

That will get you started.

Hi Jay_ang,

You could also download a special removal tool from here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

polonus

Hi, oldman. Here are the scan log results, following your instructions…
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/29/2007 at 09:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3332
Trace Rules Database Version: 1333

Scan type : Complete Scan
Total Scan Time : 01:19:50

Memory items scanned : 379
Memory threats detected : 0
Registry items scanned : 5885
Registry threats detected : 0
File items scanned : 63662
File threats detected : 25

Adware.Tracking Cookie
H:\Documents and Settings\user\Cookies\user@statcounter[1].txt
H:\Documents and Settings\user\Cookies\user@cgi-bin[3].txt
H:\Documents and Settings\user\Cookies\user@ehg-paloaltosoftwareinc.hitbox[2].txt
H:\Documents and Settings\user\Cookies\user@richmedia.yahoo[1].txt
H:\Documents and Settings\user\Cookies\user@cgi-bin[1].txt
H:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt
H:\Documents and Settings\user\Cookies\user@revsci[2].txt
H:\Documents and Settings\user\Cookies\user@media.adrevolver[1].txt
H:\Documents and Settings\user\Cookies\user@zedo[2].txt
H:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
H:\Documents and Settings\user\Cookies\user@1068632757[1].txt
H:\Documents and Settings\user\Cookies\user@toplist[1].txt
H:\Documents and Settings\user\Cookies\user@hitbox[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@3.adbrite[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@adbrite[2].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@bs.serving-sys[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@casalemedia[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@doubleclick[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@fastclick[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@mediaplex[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@msnportal.112.2o7[1].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@questionmarket[2].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@rotator.adjuggler[2].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@serving-sys[2].txt
H:\Documents and Settings\user\Local Settings\Temp\Cookies\user@tribalfusion[1].txt

AND…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:28 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
H:\Program Files\Alwil Software\Avast4\ashServ.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Analog Devices\Core\smax4pnp.exe
H:\Program Files\Analog Devices\SoundMAX\smax4.exe
H:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
H:\Program Files\Guardware\GWPUM\updsvc.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\Spyware Terminator\sp_rsser.exe
H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
H:\Program Files\FlashGet\FlashGet.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - H:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - H:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - H:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [SoundMAXPnP] H:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [SoundMAX] “H:\Program Files\Analog Devices\SoundMAX\smax4.exe” /tray
O4 - HKLM..\Run: [SpywareTerminator] “H:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe”
O4 - HKLM..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [msnmsgr] “H:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKLM..\Policies\Explorer\Run: [status] present
O4 - HKLM..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘Default user’)
O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - H:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - H:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - H:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ʹÓÃiTudouÏÂÔؽÚÄ¿ - H:\Program Files\Tudou\iTudou\iTudou_Link.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - H:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - H:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\Program Files\ICQ6\ICQ.exe (file missing)
O9 - Extra ‘Tools’ menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\Program Files\ICQ6\ICQ.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip..{1AA80899-43F9-433F-9DC5-FBE6F29389EC}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - H:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - H:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Guardware Product Update Service - Guardware UK. - H:\Program Files\Guardware\GWPUM\updsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - H:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - H:\Program Files\Spyware Terminator\sp_rsser.exe


End of file - 9112 bytes

Hi

Bad timing, I'm just leaving for work.

You have two anti viruses running, you should only have one.

Did you try the tool in Polonus’s reply?

I’ll look further this afternoon.

Besides the two resident antivirus applications mentioned by oldman, having two resident scanners installed is not recommended, as rather than providing twice the protection it can cause conflicts that could leave you more vulnerable.

You don't appear to have an active firewall; what is your firewall?
It should be capable of blocking unauthorised outbound Internet connections.

Highly suspect - See http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142280

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "winlogon"= "C:\heap41a\svchost.exe C:\heap41a\std.txt"

Disables the show hidden file options in folder options using the following registry:

O4 - HKLM..\Policies\Explorer\Run: [status] present
O4 - HKLM..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt

You should upload C:\heap41a\svchost.exe (and C:\heap41a\std.txt) to VirusTotal - Multi engine on-line virus scanner and report the results here.
If it is detected by multiple scanners, then send the sample to virus@avast.com zipped and password protected, with the password in the email body and "false positive/undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Fix:
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\Program Files\ICQ6\ICQ.exe (file missing) - Confirm this file isn't present; if missing, fix.
O9 - Extra ‘Tools’ menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\Program Files\ICQ6\ICQ.exe (file missing)

Your choice.
H:\PROGRA~1\Crawler\Toolbar\CToolbar.exe - Crawler is considered adware/spyware by many.
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - H:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - H:\PROGRA~1\Crawler\Toolbar\ctbr.dll

Do you know what this is? Is it Guardware Parental Control?
H:\Program Files\Guardware\GWPUM\updsvc.exe
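The two "highly suspect" O4 entries above can be recognised by the same rules a person applies when reading an HJT log: an autorun under Policies\Explorer\Run (a key ordinary software rarely uses), a file named like a system binary (svchost.exe) sitting outside the Windows system directory, a value name (winlogon) that mimics a system process, and an executable that is handed a .txt file as its argument. The script below is an added example, not part of this thread and not HijackThis or avast code; it applies those rules to O4 lines. The sample lines are constructed, modelled on the log posted above, and the list of system binary names and the heuristics are my own choices.

```python
"""Triage HijackThis O4 (autostart) entries for the red flags discussed in the thread."""
import re
from pathlib import PureWindowsPath

# Constructed sample lines, modelled on the HJT log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [SoundMAXPnP] H:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Policies\Explorer\Run: [status] present
O4 - HKLM..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKCU..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# Names that legitimately live only under %SystemRoot%\system32 (or %SystemRoot% for explorer.exe).
# This list is an assumption for the example, not an exhaustive inventory.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                   "smss.exe", "services.exe", "explorer.exe"}
POLICY_RUN_KEY = "policies\\explorer\\run"

# O4 - <hive>..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')


def parse_o4(line):
    """Split one O4 line into hive, key, value name and command; None for other lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def split_command(cmd):
    """Return (exe, args) for a Run value; exe is None when nothing looks like a program."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        if end == -1:
            return None, cmd
        exe, args = cmd[1:end], cmd[end + 1:].strip()
    else:
        parts = cmd.split(None, 1)
        exe = parts[0] if parts else ""
        args = parts[1] if len(parts) > 1 else ""
    if "\\" not in exe and not exe.lower().endswith(".exe"):
        return None, cmd                        # e.g. the bare word "present"
    return exe, args


def in_system_dir(exe):
    """True when the file's directory is <drive>:\\WINDOWS or <drive>:\\WINDOWS\\system32."""
    parent = str(PureWindowsPath(exe).parent).lower()
    return re.fullmatch(r'[a-z]:\\windows(\\system32)?', parent) is not None


def triage_o4(log_text):
    """Return a finding (name, cmd, reasons) for every O4 entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if entry["key"].lower() == POLICY_RUN_KEY:
            reasons.append("autorun via Policies\\Explorer\\Run, a key ordinary software rarely uses")
        exe, args = split_command(entry["cmd"])
        if exe is None:
            reasons.append("value is not an executable path")
        else:
            base = PureWindowsPath(exe).name.lower()
            if base in SYSTEM_BINARIES and not in_system_dir(exe):
                reasons.append(f"{base} located outside the Windows system directory")
            if args.lower().endswith(".txt"):
                reasons.append("executable launched with a .txt argument (script fed to an interpreter?)")
        if entry["name"].lower() + ".exe" in SYSTEM_BINARIES:
            reasons.append(f"value name '{entry['name']}' mimics a system process")
        if reasons:
            findings.append({"name": entry["name"], "cmd": entry["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"[{f['name']}] {f['cmd']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, only the two Policies\Explorer\Run entries are reported; the [winlogon] line trips all four rules, which is what makes it worth uploading to VirusTotal rather than just fixing in HJT. The heuristics are deliberately conservative: a legitimate vendor entry under HKLM\Run with a sensible Program Files path produces no finding.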

Dear david/oldman,

I have tried using the removal tool recommended by polonus, but it can't detect the virus anymore. I have read at McAfee, as advised by david, and found the virus info… it is called W32/AHKHeap, where Trend Micro calls it worm_ahkheap.a.
Well… I have used avast for a long time… just recently, when my computer was infected by this virus, I tried using other virus scanners to clean the virus… well… I just ask for help to remove the virus the easy way…
Is there any easy way for me to remove the virus…?
What should I do now…
As mentioned by david, I need to modify the registry first… which part do I need to change…? After changing… do I need to restart the computer…? After that, what is the next step…?

Okay, let's start with a new HijackThis log. Can't say if there is an easy way or not.

Did you uninstall AVG AV?

Jay_ang, Oldman is right. Disabling is not enough.

The link to McAfee was more information to confirm that these highly suspect O4 entries that I listed should be fixed in HJT, not that you need to run another antivirus scan. You don't have to go into the registry to change anything; run HJT again, tick the box to the left of those two entries I listed and click the Fix button in HJT.

There were also other entries that I listed that you should fix; did you do that?

The reason I separated the two highly suspect from the other fixes was because I wanted you to do something other than fix in HJT, like upload to VirusTotal and send the sample to avast to add it to the VPS detections.