Trojans, malware or not

14 replies to this topic

#1 mrgigabyte (Regular Member, Honorary Members, 78 posts, Gender: Male, Location: Upstate NY)

Posted 20 February 2008 - 05:45 PM

Hi all, I was at my brother-in-law's house and I was scanning his computer with the free version of Anti-Malware, and we picked up a few different things and we don't know if they are all safe or not to remove, or if they are all false things just popping up.

Someone help me out please, thank you very much for your time once again all :)




Here's the results of the scan


Malwarebytes' Anti-Malware 1.04
Database version: 385

Scan type: Quick Scan
Objects scanned: 26321
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.
C:\WINDOWS\system32\esunid32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DEBUG.DLL (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\drivers\Ygt33.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\admparsev.exe (Trojan.Zapchast) -> No action taken.
C:\WINDOWS\system32\drivers\ctl_w32.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\tdlsoui.dll (Rootkit.MalwareDestructor) -> No action taken.
C:\WINDOWS\system32\drivers\chm49.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\khtml.sys (Rootkit.Rustock) -> No action taken.




Hope to hear back from you soon,
Windows 7 Home Premium 64-bit

Real-Time: Avast Pro | Outpost Pro Firewall | Winpatrol Plus | Admuncher | SS Premium

On-Demand: MBAM | Hitman Pro | SAS Pro

#2 RubbeR DuckY (Marcin, Root Admin, 4,149 posts, Gender: Male)

Posted 20 February 2008 - 05:51 PM

Does not look good. You might want to submit the files to VirusTotal and see if they are confirmed malware.
Marcin Kleczynski
Chief Executive Officer



Follow us: Twitter, Become a fan: Facebook

#3 mrgigabyte (Regular Member, Honorary Members, 78 posts, Gender: Male, Location: Upstate NY)

Posted 20 February 2008 - 06:59 PM

Hi Rubby Ducky, I'm a little bit confused. We did one file upload only to VirusTotal, it was the first one, the lass.exe one, and these are the results I got from it. What does it mean? How do I know if it's an infected file, or how do I know that it's an OK file to keep? I'm pleasantly confused ...... Here's the results from VirusTotal





File lsass.exe received on 02.21.2008 00:52:48 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.20.0 2008.02.20 -
AntiVir 7.6.0.67 2008.02.20 -
Authentium 4.93.8 2008.02.20 -
Avast 4.7.1098.0 2008.02.20 -
AVG 7.5.0.516 2008.02.21 -
BitDefender 7.2 2008.02.20 -
CAT-QuickHeal 9.50 2008.02.20 -
ClamAV 0.92.1 2008.02.21 -
DrWeb 4.44.0.09170 2008.02.20 -
eSafe 7.0.15.0 2008.02.20 -
eTrust-Vet 31.3.5550 2008.02.20 -
Ewido 4.0 2008.02.20 -
FileAdvisor 1 2008.02.21 -
Fortinet 3.14.0.0 2008.02.19 -
F-Prot 4.4.2.54 2008.02.20 -
F-Secure 6.70.13260.0 2008.02.20 -
Ikarus T3.1.1.20 2008.02.20 -
Kaspersky 7.0.0.125 2008.02.21 -
McAfee 5234 2008.02.20 -
Microsoft 1.3204 2008.02.20 -
NOD32v2 2890 2008.02.20 -
Norman 5.80.02 2008.02.20 -
Panda 9.0.0.4 2008.02.20 -
Prevx1 V2 2008.02.21 -
Rising 20.32.22.00 2008.02.20 -
Sophos 4.26.0 2008.02.20 -
Sunbelt 3.0.884.0 2008.02.19 -
Symantec 10 2008.02.20 -
TheHacker 6.2.9.225 2008.02.21 -
VBA32 3.12.6.1 2008.02.17 -
VirusBuster 4.3.26:9 2008.02.20 -
Webwasher-Gateway 6.6.2 2008.02.20 -
Additional information
File size: 7680 bytes
MD5: 6a0e382e74280e4cc0df17fe2661d003
SHA1: 1ec718bdc35d708d028233114a3fd0d41c7b9064
PEiD: -

#4 RubbeR DuckY (Marcin, Root Admin, 4,149 posts, Gender: Male)

Posted 20 February 2008 - 07:07 PM

You tried to scan the wrong file.

File lsass.exe received on 02.21.2008 00:52:48 (CET)

Notice the malicious file is missing an s.

C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.
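The point of the reply above is that the detected file was named after a legitimate Windows binary with one letter dropped (lass.exe versus lsass.exe), and that uploading the look-alike rather than the real system file is what matters. The following is an added example, not code from the thread or from Malwarebytes: it parses the Malwarebytes log lines quoted in the first post (embedded here as constructed sample input), takes each file's base name and compares it against a short hand-picked allowlist of well-known Windows process names using edit distance. A detection whose name is within a character or two of a legitimate name is reported as a look-alike, and a detection whose name exactly matches one is reported so the reader knows to verify its location and hash rather than trust the name. The allowlist and the distance threshold of 2 are assumptions for the demonstration, not values from the thread.

```python
import ntpath
import re

# Constructed sample input: the Malwarebytes log lines quoted earlier in this thread.
MBAM_LOG = r"""
C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.
C:\WINDOWS\system32\esunid32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DEBUG.DLL (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\drivers\Ygt33.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\admparsev.exe (Trojan.Zapchast) -> No action taken.
C:\WINDOWS\system32\drivers\ctl_w32.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\tdlsoui.dll (Rootkit.MalwareDestructor) -> No action taken.
C:\WINDOWS\system32\drivers\chm49.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\khtml.sys (Rootkit.Rustock) -> No action taken.
"""

# Assumption: a short hand-picked list of well-known Windows process names. A real
# check would use a fuller inventory of the legitimate binaries on the machine.
KNOWN_SYSTEM_BINARIES = [
    "lsass.exe", "smss.exe", "csrss.exe", "svchost.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe",
]

# One MBAM log line: "<path> (<detection name>) -> <action>"
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")


def parse_mbam(log_text):
    """Return (path, detection, action) for every log line that matches LINE_RE."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["path"], m["name"], m["action"]))
    return out


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(log_text, known=KNOWN_SYSTEM_BINARIES, max_distance=2):
    """Flag detected files whose base name is, or nearly is, a legitimate system binary name.

    Returns (basename, closest known name, distance, verdict) tuples, where verdict is
    "exact-name" (same name as a real binary: check its path and hash before acting)
    or "lookalike" (differs by at most max_distance characters, as lass.exe vs lsass.exe).
    """
    findings = []
    for path, _detection, _action in parse_mbam(log_text):
        base = ntpath.basename(path).lower()   # ntpath handles the backslashes on any OS
        closest = min(known, key=lambda k: levenshtein(base, k))
        dist = levenshtein(base, closest)
        if dist == 0:
            findings.append((base, closest, dist, "exact-name"))
        elif dist <= max_distance:
            findings.append((base, closest, dist, "lookalike"))
    return findings


if __name__ == "__main__":
    for base, closest, dist, verdict in find_lookalikes(MBAM_LOG):
        print(f"{base}: {verdict} of {closest} (edit distance {dist})")
```

Run against the quoted log, the only finding is lass.exe as a look-alike of lsass.exe at distance 1; the other eight names are nowhere near the allowlist, so the check says nothing about them either way, and they still need to be judged by content (hash lookup or upload) rather than by name.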

#5 mrgigabyte (Regular Member, Honorary Members, 78 posts, Gender: Male, Location: Upstate NY)

Posted 20 February 2008 - 08:09 PM

Hi Rubby Ducky once again, lol

Sorry for the confusion, I did do a scan on the wrong file, but when I went back and tried to do the scan on all the correct files with VirusTotal and I attached the file to their site and hit send, I kept coming up with zero bytes received, like it wasn't working right, but it did it with all 9 files, so I don't know what's going on ....

Also wanna say I manually looked up every bad file and did the right-click option and did a scan with Anti-Malware, and they all claimed to be clean, so I don't know the deal.

Also with the full scan with Anti-Malware, when it gets to the heuristics part, that's where it's picking up the 9 bad files.

I just did a scan again.


Quarantined them, leave them for a week, if the computer works well, ship them on the next boat to the bottom of the ocean, what you think, lol


Thank you again, Ace / mrgigabyte's brother-in-law

#6 blazinj (New Member, Members, 5 posts, Gender: Male, Location: Webster NY, Interests: computers, cars, woodworking, spongebob)

Posted 20 February 2008 - 08:27 PM

Just thought I should say hi to everyone, especially Rubby Ducky, lol. It's me, Ace, mrgigabyte's brother-in-law.

He is always telling me how much of a good help you are and he recommended you a lot to people,

me of course.

Thank you for all the help so far, sure we will be talking soon.

And once again hi to EVERYONE ELSE ALSO

#7 RubbeR DuckY (Marcin, Root Admin, 4,149 posts, Gender: Male)

Posted 20 February 2008 - 08:44 PM

Could this be the case of the 0 byte files again (a bug in MBAM when joined with other utilities)? If it is, this will be fixed in the next version. Sounds like a plan with the files in quarantine though.

Welcome Ace :).

#8 blazinj (New Member, Members, 5 posts, Gender: Male, Location: Webster NY, Interests: computers, cars, woodworking, spongebob)

Posted 23 February 2008 - 11:42 AM

OK, now I'm really confused with all these files I have on my computer, the so-called infected ones that is, anyways. I tried using VirusTotal like Rubber Ducky told me to do, but they keep coming up 0 bytes received, so I tried unquarantining them and emailed them one by one to them, and it came back to me the same way saying nothing to scan, so I downloaded their VirusTotal uploader and did it that way, and same thing again, file invalid, nothing to scan. So I looked at every one of them just to find out that every file that is supposed to be infected is a 0 byte file, nothing there.

Rubber Ducky said wait until the next update to see if there was a problem with the scan picking up 0 bytes. I just updated this morning, unquarantined them again and did a scan, and when it reached the heuristics part of the scan it picked them up again, but they still are 0 byte files.


I see cretemonster posted saying that he doesn't have to scan to know that they are malware, but if they are, wouldn't there be a size to the so-called file and not be a 0 byte file?

How would these files infect something if there isn't anything in their own file to infect with?


I'm confused, what do I do with all these files? Here they are again just for everyone's reference, thank you and hope to hear something soon, thanks blazin'J





C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.
C:\WINDOWS\system32\esunid32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DEBUG.DLL (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\drivers\Ygt33.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\admparsev.exe (Trojan.Zapchast) -> No action taken.
C:\WINDOWS\system32\drivers\ctl_w32.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\tdlsoui.dll (Rootkit.MalwareDestructor) -> No action taken.
C:\WINDOWS\system32\drivers\chm49.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\khtml.sys (Rootkit.Rustock) -> No action taken.

#9 RubbeR DuckY (Marcin, Root Admin, 4,149 posts, Gender: Male)

Posted 23 February 2008 - 11:43 AM

Do you use Comodo firewall by any chance?

This is MBAM's fault; we were going to release the fix in 1.05, but we snagged a major bug that is still being worked out.

#10 blazinj (New Member, Members, 5 posts, Gender: Male, Location: Webster NY, Interests: computers, cars, woodworking, spongebob)

Posted 23 February 2008 - 11:59 AM

Yes Rubby Ducky, I do use Comodo firewall. What do you recommend I do to fix these issues I'm having? Thank you

#11 RubbeR DuckY (Marcin, Root Admin, 4,149 posts, Gender: Male)

Posted 23 February 2008 - 12:01 PM

To solve this 0-byte issue, switch Comodo's Defense+ (HIPS) settings from Clean PC Mode to Train with Safe Mode.

#12 blazinj (New Member, Members, 5 posts, Gender: Male, Location: Webster NY, Interests: computers, cars, woodworking, spongebob)

Posted 23 February 2008 - 12:04 PM

That's how I already have it, it is with Train with Safe Mode, it always has been ???

#13 RubbeR DuckY (Marcin, Root Admin, 4,149 posts, Gender: Male)

Posted 23 February 2008 - 12:37 PM

Do you have an option to flush pending file names or something of that type?

#14 blazinj (New Member, Members, 5 posts, Gender: Male, Location: Webster NY, Interests: computers, cars, woodworking, spongebob)

Posted 23 February 2008 - 12:58 PM

I have no pending files or anything at all, no such thing to do ???

#15 joe53 (Advanced Member, Honorary Members, 151 posts, Gender: Male)

Posted 23 February 2008 - 06:31 PM

Hi blazinj:

I had this 0 byte detection conflict too, using Comodo 3.x firewall and MBAM. You are going to have to remove them manually.

First of all, which version of Comodo are you using? The latest is 3.0.18.309, and I strongly suggest you update to this version, if you haven't already.

Secondly, switch Defense+ Security Level to "CleanPC mode" temporarily (right-click the Comodo icon in your tray to do this).

Next, open Comodo to the Defense+ tab, and click on "My Pending Files".
Click on the [Purge] button, then on [Yes]. This should remove many 0 byte files.

Unfortunately, not all will be removed. Fortunately, the filepaths to the remaining ones are listed. You can navigate to the ones that remain with Explorer, and delete them manually (once you confirm they are 0 byte files) by right-clicking on them. After deleting them all, run a purge in Comodo's "Pending Files" again. You should be able to delete them all as invalid files now.

Once you have removed all these 0 byte files, switch Comodo's D+ Security level back to "Train with Safe Mode", and leave it there.

Further scans with MBAM should not detect them, and your "Pending Files" in Comodo should remain empty.

HTH
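The procedure above hinges on one check the thread keeps coming back to: before deleting anything, confirm that each detected path really is a 0-byte file (an empty file carries no code, which is why VirusTotal had "nothing to scan"), and treat anything that does have content differently. The following is an added example, not code from the thread, from Malwarebytes or from Comodo: it takes a list of detected paths and sorts each into missing, zero-byte, or has-content, computing a SHA1 for the non-empty ones so they can be looked up by hash (the thread's VirusTotal report lists MD5 and SHA1) instead of re-uploaded. The file names are the nine from the Malwarebytes log in this thread; the directory layout, the one non-empty file and its content are constructed in a temporary directory so the example runs offline on any system.

```python
import hashlib
import os
import tempfile

# File names from the Malwarebytes log in this thread. The directory, the file
# contents and which one is missing are constructed for the demonstration.
DETECTED_NAMES = [
    "lass.exe", "esunid32.dll", "DEBUG.DLL", "Ygt33.sys", "admparsev.exe",
    "ctl_w32.sys", "tdlsoui.dll", "chm49.sys", "khtml.sys",
]

# Constructed placeholder content for the one non-empty sample file (not a real binary).
SAMPLE_CONTENT = b"MZ constructed placeholder, not a real executable"


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def classify(path):
    """Return ("missing" | "zero-byte" | "has-content", sha1 hex or None) for one path."""
    if not os.path.exists(path):
        return ("missing", None)          # already purged, or a stale log entry
    if os.path.getsize(path) == 0:
        return ("zero-byte", None)        # nothing to scan; candidate for manual removal
    h = hashlib.sha1()
    with open(path, "rb") as fh:          # hash in chunks so large files are not read whole
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return ("has-content", h.hexdigest())  # real payload: look the hash up before acting


def triage(paths):
    return {p: classify(p) for p in paths}


def summarize(result):
    counts = {"missing": 0, "zero-byte": 0, "has-content": 0}
    for kind, _digest in result.values():
        counts[kind] += 1
    return counts


def build_sample_tree(root):
    """Constructed sample: every detection is a 0-byte file, except lass.exe
    (given placeholder content) and khtml.sys (deliberately not created)."""
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir, exist_ok=True)
    paths = []
    for name in DETECTED_NAMES:
        p = os.path.join(sysdir, name)
        paths.append(p)
        if name == "khtml.sys":
            continue
        with open(p, "wb") as fh:
            if name == "lass.exe":
                fh.write(SAMPLE_CONTENT)
    return paths


def demo():
    """Build the sample tree, triage it, and return results keyed by base name."""
    with tempfile.TemporaryDirectory() as root:
        result = triage(build_sample_tree(root))
    return {os.path.basename(p): v for p, v in result.items()}


if __name__ == "__main__":
    out = demo()
    for name, (kind, digest) in out.items():
        print(f"{name:14} {kind:12} {digest or ''}")
    print(summarize(out))
```

On the constructed tree this reports seven zero-byte files, one missing file and one file with content together with its SHA1. To use it on a real machine, pass the paths from the Malwarebytes log to triage() instead of building the sample tree; only the has-content entries need a hash lookup or an upload, and the zero-byte ones are the leftovers that the Comodo "Pending Files" purge above is meant to clear.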



