Worm That Keeps Regenerating

Hi,

Avast! recently picked up an infected file.bat in my WINDOWS folder.

After either deleting the file plus 3 other infected Windows files or moving it to the chest, when I restart the same problem occurs and it is picked up once more.

I have had this since Saturday when I was browsing through bloody google images.

Interestingly, the virus seems to be hogging a lot of system resources: whenever I watch a video on my computer now, the video slows down and desyncs with the audio, before rushing to catch up. Also, in the corner of my icons, a new strange one appears, apparently from avast telling me something about hotmail. I think perhaps the worm is trying to mail itself.

Attached is a screenshot of what I get

Thanks.

Well this .bat file on its own is inert (just a text file), it needs something to run it, that could be either another file or registry entry. These other elements could also be regenerating the file.bat file.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware (on-demand only in the free version).
  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

What is your firewall ?

Well I’ve tried the first one you sent me, SUPER, are you sure it doesn’t have any viruses? Avast is going apeshit, picked this up 5 times.

I’ll try the 2nd one after this has finished its scan.

I don’t have a firewall, stupid me but I have about 3 different antimalwares running so I never thought I’d need it…

Ah, this is what Super found, and what Avast was screaming about. Results

Avast may be picking up unpacking of a virus by SAS

The results link does not work for me
could you edit the log to remove references to cookies and post it directly in the thread

with MBAM be sure to put a check mark next to any hits then click REMOVE CHECKED
a backup will be made
post the log

thanks

"but I have about 3 different antimalwares running "
uh
which three
paid or free?
what do they show?

Hi,

Sorry my posts have been a bit hectic and unorthodox, I’m currently multitasking a few other things offline.

Right, usually I have avast! running in the background, as well as semi-regular checks with spybot and ad-aware. When avast! was picking up the file.bat, I deleted it numerous times and gave a scan with spybot, which didn’t pick anything up.

Now after following DavidR’s advice, SUPER picked up the offending virus: win32:trojan-gen, which I see is very popular on this forum. After scanning and rebooting, I am pleased to say that the all clear has been given :)

Must get round to looking for a firewall…

You left avast running (pause the standard shield) when you ran SAS, and it looks like avast has jumped all over files that were being opened to be scanned by SAS, and that is why it was detecting like crazy. I always pause the standard shield when running another security scan for those very reasons, and it also means no duplication of scanning, so a quicker overall scan speed.

avast sees services.exe as trojan-gen and SAS sees it as Trojan.Dropper-Services/Fake.Process.

@ wyrmrider
The link didn’t work for me, but if you look at the URL you will see it had a double http tag; when you remove one of those the link will work.
http://www.superantispyware.com/applicationdisplay.html?id=13246&trial=no&activated=no&appid={3C5FB294-DB39-4B0D-A7B9-D7867D47F269}

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware. This can pick up suspect files that aren’t on the normal signatures, which is why you will see it feature quite heavily on the forums.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Thanks DavidR

SAS is one of the few that use that name so we really do not know what this was.
should he upload to virus total?

-gen is a generic detection not a specific threat name

when you get a chance do that MBAM scan - it may uncover some friends

(all of these scanners have different emphases; glad you do not put all your eggs in the ad-aware basket)

None of the antimalware you have running gives you any real-time protection unless you have Spybot TeaTimer turned on
TeaTimer yes or no?

actually they are on demand scanners so "running " sorta gives the wrong impression

if you are using Vista, I just installed COMODO on my brother’s machine - seems to work well
XP also - or PC-TOOLS

I don’t believe there is any need to upload it to VT as services.exe is being detected by both scanners.

Also, given the file name and its location, it is trying to make itself look like a legit Windows file, which I doubt it is. In XP it should be in the system32 folder; I don’t know what OS TheLostProphet is using.
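A defender-side check for the two points DavidR makes above (the .bat needs a launcher such as a registry Run entry, and a services.exe outside system32 is dressing itself up as a Windows file), added here as an example that is not from this thread: it parses `reg query` output of the HKLM Run key and flags Run values that launch a batch script or a system-binary name from the wrong directory. The sample output, the list of system32-only names and the XP-style `C:\WINDOWS` layout are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Binaries whose only legitimate home (XP layout assumed) is %SystemRoot%\system32.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
# Constructed sample of `reg query HKLM\...\Run` output; not taken from the thread.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    avast!        REG_SZ    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    ctfmon.exe    REG_SZ    %SystemRoot%\system32\ctfmon.exe
    Services      REG_SZ    C:\WINDOWS\services.exe
    file          REG_SZ    "C:\WINDOWS\file.bat" /q
"""
ENTRY_RE = re.compile(r"^\s*(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Yield (value_name, command_line) pairs from `reg query` output."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(3)

def extract_image_path(command, system_root):
    """Return the program a Run value launches, with %SystemRoot%/%windir% expanded."""
    cmd = re.sub(r"%(systemroot|windir)%", lambda _: system_root, command.strip(), flags=re.I)
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted: take everything up to the first runnable extension (paths may contain spaces).
    ext = re.match(r"(.+?\.(?:exe|bat|cmd|com))(?:\s|$)", cmd, flags=re.I)
    return ext.group(1) if ext else cmd.split()[0]

def classify_image(image, system_root):
    """Return why an autorun target looks suspicious, or None if it looks ordinary."""
    p = PureWindowsPath(image)
    expected_dir = str(PureWindowsPath(system_root) / "system32").lower()
    if p.name.lower() in SYSTEM32_ONLY and str(p.parent).lower() != expected_dir:
        return "system binary name outside system32"
    if p.suffix.lower() in {".bat", ".cmd"}:
        return "batch script launched at logon"
    return None

def suspicious_autoruns(text, system_root=r"C:\WINDOWS"):
    """Scan `reg query` output; return (value_name, image_path, reason) for each hit."""
    findings = []
    for name, command in parse_reg_query(text):
        image = extract_image_path(command, system_root)
        reason = classify_image(image, system_root)
        if reason:
            findings.append((name, image, reason))
    return findings
```

On a real machine, feed it the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU equivalent) rather than the constructed sample.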

Thanks for all your advice guys, I feel like a noob for being so easily infected after all this time haha. Well that’s what happens when you become complacent…d’oh.

I’m running XP SP2.

And googling for a firewall as we speak!

Hi TheLostProphet,

Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, the Advanced Options Menu should appear;
· Select the first option, to run Windows in Safe Mode, then press Enter.
· Choose your usual account.
· Open the extracted SDFix folder and double click RunThis.bat to start the script.
· Type Y to begin the cleanup process.
· It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
· Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
· Finally attach the contents of the Report.txt back on the forum

==========

Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others as they were.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
Please paste that information here for me regardless of what it finds, with a new HijackThis log; you can also attach it to your next posting.
Get HJT from here: http://www.majorgeeks.com/downloadget.php?id=5554&file=15&evp=4122712c2af084c815e5fd4f2b249d83

polonus

Comodo, PcTools, OnlineArmor, Webroot will be choices…

Alright, I’ll run SDfix =)

Running Comodo right now, thanks again everyone for your time, expertise and help.

No problem, glad I could help.

Welcome to the forums.

Pol
Poster has already run SAS but has not run MBAM as David R suggested
if you do run SAS again please update as it updates regularly

  1. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Dear Lost
you’re not

COMODO good choice (do not install their AV or there will be conflicts with AVAST)
Defense + is ok

When you do run MBAM
update
scan
put a check next to any hits
then
click
REMOVE SELECTED; a backup will be made
post the log
do this BEFORE the HJT
(or If you have already run HJT let polonus know what has been run and what has not)
you can run MBAM before or after SDFIX