mrgigabyte

Trojans, malware or not

15 posts in this topic

Hi all, I was at my brother-in-law's house and I was scanning his computer with the free version of Anti-Malware, and we picked up a few different things. We don't know if they are all safe to remove or not, or if they are all false things just popping up.

Someone help me out please. Thank you very much for your time once again, all :)

Here are the results of the scan:

Malwarebytes' Anti-Malware 1.04

Database version: 385

Scan type: Quick Scan

Objects scanned: 26321

Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.

C:\WINDOWS\system32\esunid32.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\DEBUG.DLL (Rootkit.Haxdor) -> No action taken.

C:\WINDOWS\system32\drivers\Ygt33.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\admparsev.exe (Trojan.Zapchast) -> No action taken.

C:\WINDOWS\system32\drivers\ctl_w32.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\tdlsoui.dll (Rootkit.MalwareDestructor) -> No action taken.

C:\WINDOWS\system32\drivers\chm49.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\khtml.sys (Rootkit.Rustock) -> No action taken.

Hope to hear back from you soon,


Does not look good. You might want to submit the files to VirusTotal and see if they are confirmed malware.


Hi rubby ducky, I'm a little bit confused. We did one file upload only to VirusTotal; it was the first one, the lass.exe one, and these are the results I got from it. What does it mean? How do I know if it's an infected file, or how do I know that it's an OK file to keep? I'm pleasantly confused... Here are the results from VirusTotal:

File lsass.exe received on 02.21.2008 00:52:48 (CET)


Result: 0/32 (0%)


Antivirus          Version         Last Update  Result
AhnLab-V3          2008.2.20.0     2008.02.20   -
AntiVir            7.6.0.67        2008.02.20   -
Authentium         4.93.8          2008.02.20   -
Avast              4.7.1098.0      2008.02.20   -
AVG                7.5.0.516       2008.02.21   -
BitDefender        7.2             2008.02.20   -
CAT-QuickHeal      9.50            2008.02.20   -
ClamAV             0.92.1          2008.02.21   -
DrWeb              4.44.0.09170    2008.02.20   -
eSafe              7.0.15.0        2008.02.20   -
eTrust-Vet         31.3.5550       2008.02.20   -
Ewido              4.0             2008.02.20   -
FileAdvisor        1               2008.02.21   -
Fortinet           3.14.0.0        2008.02.19   -
F-Prot             4.4.2.54        2008.02.20   -
F-Secure           6.70.13260.0    2008.02.20   -
Ikarus             T3.1.1.20       2008.02.20   -
Kaspersky          7.0.0.125       2008.02.21   -
McAfee             5234            2008.02.20   -
Microsoft          1.3204          2008.02.20   -
NOD32v2            2890            2008.02.20   -
Norman             5.80.02         2008.02.20   -
Panda              9.0.0.4         2008.02.20   -
Prevx1             V2              2008.02.21   -
Rising             20.32.22.00     2008.02.20   -
Sophos             4.26.0          2008.02.20   -
Sunbelt            3.0.884.0       2008.02.19   -
Symantec           10              2008.02.20   -
TheHacker          6.2.9.225       2008.02.21   -
VBA32              3.12.6.1        2008.02.17   -
VirusBuster        4.3.26:9        2008.02.20   -
Webwasher-Gateway  6.6.2           2008.02.20   -

Additional information
File size: 7680 bytes
MD5: 6a0e382e74280e4cc0df17fe2661d003
SHA1: 1ec718bdc35d708d028233114a3fd0d41c7b9064
PEiD: -


You tried to scan the wrong file.

File lsass.exe received on 02.21.2008 00:52:48 (CET)

Notice the malicious file is missing an s.

C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.

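The mix-up above (the real lsass.exe was uploaded instead of the detected lass.exe) is exactly the trick this kind of malware relies on: a name one or two characters away from a system binary, sitting in the system folder. The check below is an added example, not code from the thread or from Malwarebytes. It compares each path in a scan report against a small, assumed allowlist of well-known Windows binaries and the directory they normally live in (a hand-picked subset for a Windows XP-era install; a real check would use an inventory from a known-good machine), and flags names within two edits of a legitimate one, or legitimate names found outside their usual directory.

```python
"""Flag file names in a scan report that impersonate Windows system binaries.

Added example; not from the forum thread or from Malwarebytes. EXPECTED_DIR is
an assumed, deliberately small allowlist (Windows XP-era default locations).
"""

# Assumption: well-known binaries and the directory they normally live in,
# lower-cased, drive letter included. Extend from a known-good install.
EXPECTED_DIR = {
    "lsass.exe":    r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "smss.exe":     r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), plain DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name, max_distance=2):
    """Return the legitimate name that `name` most closely imitates, or None.

    An exact match is not a lookalike: a file really called lsass.exe must be
    judged by where it lives and by its hash, not by its name. Two edits is
    enough to catch a dropped letter (lass.exe), a digit swap (svch0st.exe)
    and a transposition (scvhost.exe) without flagging unrelated names.
    """
    n = name.lower()
    if n in EXPECTED_DIR:
        return None
    best = None
    for legit in EXPECTED_DIR:
        d = edit_distance(n, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best[0] if best else None


def check_path(path, max_distance=2):
    """Judge one full Windows path from a scan report.

    Returns a short verdict string, or None when the name alone raises no flag.
    """
    parts = path.replace("/", "\\").split("\\")
    name = parts[-1].lower()
    directory = "\\".join(parts[:-1]).lower()
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            return (f"{name}: legitimate name but expected in "
                    f"{EXPECTED_DIR[name]}, found in {directory}")
        return None
    target = lookalike_of(name, max_distance)
    if target:
        return f"{name}: lookalike of {target}"
    return None


def flag_report(paths):
    """Run check_path over a list of report paths; keep only the flagged ones."""
    out = []
    for p in paths:
        verdict = check_path(p)
        if verdict:
            out.append((p, verdict))
    return out


if __name__ == "__main__":
    # The file paths reported in the thread above.
    REPORTED = [
        r"C:\WINDOWS\system32\lass.exe",
        r"C:\WINDOWS\system32\esunid32.dll",
        r"C:\WINDOWS\system32\DEBUG.DLL",
        r"C:\WINDOWS\system32\drivers\Ygt33.sys",
        r"C:\WINDOWS\system32\admparsev.exe",
        r"C:\WINDOWS\system32\drivers\ctl_w32.sys",
        r"C:\WINDOWS\system32\tdlsoui.dll",
        r"C:\WINDOWS\system32\drivers\chm49.sys",
        r"C:\WINDOWS\system32\drivers\khtml.sys",
    ]
    for path, verdict in flag_report(REPORTED):
        print(path, "->", verdict)
```

Only lass.exe is caught by name here; the other eight entries have names that resemble nothing legitimate, which is the normal case, so the name check is a first filter, not a verdict. Whatever it flags or misses, the file you actually submit for analysis should be identified by its hash, so you can see at a glance that the MD5 VirusTotal reports matches the file you meant to send.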

Hi rubby ducky, once again, lol.

Sorry for the confusion. I did do a scan on the wrong file, but when I went back and tried to do the scan on all the correct files with VirusTotal, I attached the file to their site and hit send, and I kept coming up with "zero bytes received" like it wasn't working right. But it did it with all 9 files, so I don't know what's going on...

Also, I want to say I manually looked up every bad file, did the right-click option and did a scan with Anti-Malware, and they all claimed to be clean, so I don't know the deal.

Also, with the full scan with Anti-Malware, when it gets to the heuristics part, that's where it's picking up the 9 bad files.

I just did a scan again.

Quarantined them; leave them for a week, and if the computer works well, ship them on the next boat to the bottom of the ocean. What do you think? lol

Thank you again, Ace / mrgigabyte's brother-in-law


Just thought I should say hi to everyone, especially rubby ducky, lol. It's me, Ace, mrgigabyte's brother-in-law.

He is always telling me how much of a good help you are, and he recommends you a lot to people,

me of course.

Thank you for all the help so far. I'm sure we will be talking soon.

And once again, hi to EVERYONE ELSE ALSO.


Could this be the case of the 0-byte files again (a bug in MBAM when joined with other utilities)? If it is, this will be fixed in the next version. Sounds like a plan with the files in quarantine, though.

Welcome Ace :).


OK, now I'm really confused with all these files I have on my computer, the so-called infected ones, that is. Anyway, I tried using VirusTotal like rubber ducky told me to, but they keep coming up "0 bytes received". So I tried unquarantining them and emailed them one by one, and it came back to me the same way, saying nothing to scan. So I downloaded their VirusTotal uploader and did it that way, and the same thing again: file invalid, nothing to scan. So I looked at every one of them, just to find out that every file that is supposed to be infected is a 0-byte file, nothing there.

rubber ducky said to wait until the next update to see if there was a problem with the scan picking up 0 bytes. I just updated this morning, unquarantined them again and did a scan, and when it reached the heuristics part of the scan it picked them up again, but they are still 0-byte files.

I see cretemonster posted saying that he doesn't have to scan to know that they are malware, but if they are, wouldn't there be a size to the so-called file and not be a 0-byte file?

How would these files infect something if there isn't anything in their own file to infect with?

I'm confused. What do I do with all these files? Here they are again just for everyone's reference. Thank you, and hope to hear something soon. Thanks, blazin'J

C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.

C:\WINDOWS\system32\esunid32.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\DEBUG.DLL (Rootkit.Haxdor) -> No action taken.

C:\WINDOWS\system32\drivers\Ygt33.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\admparsev.exe (Trojan.Zapchast) -> No action taken.

C:\WINDOWS\system32\drivers\ctl_w32.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\tdlsoui.dll (Rootkit.MalwareDestructor) -> No action taken.

C:\WINDOWS\system32\drivers\chm49.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\khtml.sys (Rootkit.Rustock) -> No action taken.


Do you use Comodo Firewall by any chance?

This is MBAM's fault. We were going to release the fix in 1.05, but we snagged a major bug that is still being worked out.


Yes, rubby ducky, I do use Comodo Firewall. What do you recommend I do to fix these issues I'm having? Thank you


To solve this 0-byte issue, switch Comodo's Defense+ (HIPS) setting from Clean PC Mode to Train with Safe Mode.


That's how I already have it; it is on Train with Safe Mode, it always has been???


I have no pending files or anything at all, no such thing to do.???


Hi blazinj:

I had this 0-byte detection conflict too, using Comodo 3.x firewall and MBAM. You are going to have to remove them manually.

First of all, which version of Comodo are you using? The latest is 3.0.18.309, and I strongly suggest you update to this version, if you haven't already.

Secondly, switch the Defense+ Security Level to "Clean PC Mode" temporarily (right-click the Comodo icon in your tray to do this).

Next, open Comodo to the Defense+ tab, and click on "My Pending Files".

Click on the [Purge] button, then on [Yes]. This should remove many of the 0-byte files.

Unfortunately, not all will be removed. Fortunately, the file paths to the remaining ones are listed. You can navigate to the ones that remain with Explorer and delete them manually (once you confirm they are 0-byte files) by right-clicking on them. After deleting them all, run a purge in Comodo's "Pending Files" again. You should be able to delete them all as invalid files now.

Once you have removed all these 0 byte files, switch Comodo's D+ Security level back to "Train with Safe Mode", and leave it there.

Further scans with MBAM should not detect them, and your "Pending Files" in Comodo should remain empty.

HTH

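Two points in this thread deserve a mechanical check before anything is deleted or uploaded: blazin'J's question of whether a 0-byte file can be malware at all (it cannot run or be analysed; VirusTotal rejecting it is expected), and the last post's advice to remove such files manually only once you have confirmed they really are empty. The script below is an added example for both, not code from the thread, from Malwarebytes or from Comodo. It parses the "Files Infected" lines of an MBAM log (the report text is the thread's own), sizes and hashes each file, sorts them into missing / zero-byte / real sample, and deletes only the entries that are still empty at deletion time. The files behind the report are constructed in a temporary directory so it runs offline: all empty, plus one made-up "sample.exe" with a few bytes so the non-empty branch is exercised as well.

```python
"""Triage the 'Files Infected' entries of an MBAM log before submitting anything
to VirusTotal, and clean up confirmed 0-byte placeholders.

Added example; not code from the thread, from Malwarebytes or from Comodo.
The report text is from the thread; the files are constructed in a temp dir.
"""
import hashlib
import os
import re
import tempfile

# One MBAM result line: <drive path> (<detection name>) -> <action>
FINDING_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes of input

# Four paths from the thread plus one constructed entry ("sample.exe").
SAMPLE_REPORT = r"""
Files Infected:

C:\WINDOWS\system32\lass.exe (Worm.Rbot) -> No action taken.

C:\WINDOWS\system32\esunid32.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\Ygt33.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\khtml.sys (Rootkit.Rustock) -> No action taken.

C:\WINDOWS\system32\sample.exe (Constructed.Example) -> No action taken.
"""


def parse_findings(report_text):
    """Return (path, detection) pairs from the 'Files Infected:' section."""
    out, in_files = [], False
    for line in report_text.splitlines():
        line = line.strip()
        if line == "Files Infected:":
            in_files = True
            continue
        if not in_files or not line:
            continue
        m = FINDING_RE.match(line)
        if m:
            out.append((m.group("path"), m.group("det")))
    return out


def fingerprint(local_path):
    """Size plus MD5/SHA-1/SHA-256. The hashes are what to look up on VirusTotal
    instead of uploading; an empty file hashes to the well-known empty digests."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(local_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {"size": os.path.getsize(local_path),
            **{n: d.hexdigest() for n, d in digests.items()}}


def triage(findings, resolve):
    """Classify each finding. `resolve` maps a report path to a local path.

    Verdicts: missing   - path does not exist (already cleaned, or stale report)
              zero-byte - empty placeholder; nothing to execute or analyse
              sample    - real content; identify it by hash before anything else
    """
    results = []
    for path, det in findings:
        local = resolve(path)
        if not os.path.exists(local):
            results.append((path, det, "missing", None))
            continue
        fp = fingerprint(local)
        results.append((path, det, "zero-byte" if fp["size"] == 0 else "sample", fp))
    return results


def remove_zero_byte(results, resolve):
    """Delete only entries triaged as zero-byte, re-checking the size right
    before unlinking so a file written to in the meantime is left alone."""
    removed = []
    for path, _det, verdict, _fp in results:
        if verdict != "zero-byte":
            continue
        local = resolve(path)
        if os.path.exists(local) and os.path.getsize(local) == 0:
            os.remove(local)
            removed.append(path)
    return removed


def demo():
    """Build the constructed filesystem under a temp dir, triage, then clean up."""
    findings = parse_findings(SAMPLE_REPORT)
    root = tempfile.mkdtemp()

    def resolve(win_path):  # drop "C:\" and rebase under the temp directory
        return os.path.join(root, *win_path[3:].split("\\"))

    for path, _ in findings:
        if path.endswith("khtml.sys"):
            continue  # left absent on purpose to show the 'missing' verdict
        local = resolve(path)
        os.makedirs(os.path.dirname(local), exist_ok=True)
        with open(local, "wb") as f:
            if path.endswith("sample.exe"):
                f.write(b"MZ" + b"\x00" * 62)  # constructed non-empty stand-in
    results = triage(findings, resolve)
    removed = remove_zero_byte(results, resolve)
    return results, removed


if __name__ == "__main__":
    for path, det, verdict, fp in demo()[0]:
        print(f"{verdict:9} {path} ({det})" + (f" md5={fp['md5']}" if fp else ""))
```

The "sample" entries are the only ones worth VirusTotal's time, and their hashes can be looked up there without uploading anything; the "zero-byte" entries are the ones the Comodo "My Pending Files" purge and the manual deletion in the last post are meant to clear.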
