Unknown Virus/Worm/Trojan/Exploit

Enverex

There is something odd going on on my brothers PC. Virii files keep appearing on my servers root shared folders from somewhere, so I decided to scan and update the machine...

Virus scan finds nothing but Windows update wont work. Going to the site just gives a box normally where the Pirated CD key box appears, but it says 'An unknown error has occured blah blah blah' and wont run. Fine, I'll use auto update... all options blocked out in the options, so I check the service, not turned on... I set it to auto, click start 'Started then stopped again immediatley' comes up and the option is still blanked out in My Computers properties.

So whatever is doing this is doing 3 things:
1 isn't picked up by Avast!
Makes lots of curiously named files on network drives
Is blocking Windows update.

Ill just scan one of the files that are being created to see what those show up as, but does anyone have any idea about the rest of the stuff? Er, XP Pro SP1 btw.

Enverex

Right, Trend-Online says these files are the AGOBOT worm, and Avast says they are something else (can't remember off the top of my head). Now I know what it is I can start figuring about how to remove it...... and then lock down his computer

The McAffee worm/trojan remover didn't work even though it says it removes Agobot. Any other ideas?

ryko

I had a similar problem on my secondary rig. I did a high priority scan all (archives included) and Avast! found a single trojan/virus (unknown), but when i went to delete the file, it said it couldn't be deleted. I tried all of the other options like move, etc...but nothing. Eventually, the pc locked up totally, and i had to do a hard-reboot. Well, it went back into winXP, and everything seemed ok. I manually deleted (outside of Avast!) the .rar archive that was infected. Another full Avat! scan, and nothing. Two days ago everything seemed fine when i went to bed, but when i woke up my pc was frozen after POST but before loading winXP. I yanked the hdd, and threw it in another machine as slave. Win XP did a scan disk and fixed a whole bunch of things (can't remeber what), but hten i could see my files. Unfortuantely many filenames/folders had been renamed into chicken-scratch. I got all of the useful data i could, then I had to re-format. Things are ok now.

Unfortunately, Avast! took a big dump on this one. And to think that i switched from AVG on your recommendation Enverex!

Straight_Man

Two general avoidance process things you can do-- I'm going to expand on both of these:

A lot of the viruses that hit the US and England are coming from East of both countries. One way to get defs before you get hit is to actually pay for AV and also to get AV tech from those areas. Then you do not end up waiting in an open time frame when you more local AV vendor has not analyzed viruses that get to them after the ones East of you have them. You also want somethign that gets you definitions more often than weekly or four-five days after the virus hits which can be the lead time for a fully tuned killing approach-- this is hard to do with free software.

Some suggestions, for Windows:

F-Prot, which works with Kaspersky Labs. Kaspersky Labs is in Russia, it gets viruses that are East-West migrators sampled to its suspicious thing acceptance servers 2-4 days before the virusesw are major hits in Europe if they come from the far east. Same heurisitics are used by both Kaspersky Labs and F-Prot, essentially, as Kaspersky licenses F-Prot's heurisitics tech.

Kaspersky Labs AV, since the interchange of info is TWO way.

Both make server grade and desktop\workstation grade AV.

The other major way is to tighten down your box's security. A software firewall, from Sygate or the Tiny personal firewall, both free, inquire of you if you want to let an app run. In essence you can tell them "yes this time," "always yes," or "no for this time" or "always no" for each application. These firewalls then take a signature snapshot of apps you OK by building a signature for it as it stands on this computer that is being protected now, and do so at the time the application is OK'd. so, let's say the app gets altered.

One guess how the firewall reacts to the change-- it thinks it has a new app trying to get a web connection, so it asks you AGAIN for the same app. IF you have just upgraded the app, then you might know to say yes to the dialog that says "should I let this connect?" If you have not upgraded this app, then you might start doing things like updating AV and say no the app once while you check your box.

How does this help with trojans??? Specifically, trojans have to connect to the web or network to work, they open a listening pipe so someone who wrote the trojan can use that port connect for something. so, the firewall can act as a malware detector if you know what ports your box uses for things, and THIS is logged by what you allow to connect being logged and blocked things being logged, with time stamps and date stamps. So firewalls can prevent unknown things from connecting, if you use the firewall wisely. Plus it can work as a trojan thing early warning by asking about the app at first connect time or at every connect time.

Now, lets partly close the entry vector or pipe that lets 90% of viruses into boxes. Anti-spam helps a lot here. Thunderbird and Mozilla have trainable anti-spam filters, buit they are NOT on by default. Investign in training them is worthwhile, as they can block by sender and\or content words or strings. They build a base of things you do not want by remembering details in things you say you do not want, and leave out common words that are in all emails. Then they autojunk them.

If you are thinking now, HEY, what if I make a mistake, simply let the ruies default for a while, they will be moved to junk without activating attachments and with moving the attachments with the emails that the anit-spam thinks are junk. So, you go to your junk directory, and grab only what you know you really do want, move it back to your inbox and then your AV serves a further line of defense if you open something that really is not what you wanted.

This trio of system security things has saved my XP install from a reload for the last 8 months-- adn last time I have installed either of my XPs was at major hardware change time, like a new motherboard. I do run HJT and SpyBot S&D and Adaware once a week or so, and they usually find nothing at all, 9 out of 10 times they find nothing at all, on an otherwise ordinary XP Pro install thatb is used for all sorts of critical things. Yes, I have two licenses for XP, and two boxes. My mom's 98 SE box has run since build time on one install. It has an always-on internet connect, though it is not always powered up. She gets her own email. Same thing with the HJT\Sybot\adaware AV scans, NADA, nothing, no trojans or junNot knocking anyone, simply an FYI for a set of things that leave me not reloading unless I fubar things myself in the middle of a virus war.

Do what you want, when I can help you fix I will, as my clients often have the same issues if they have not allowed me to set up thier boxes the same way-- thus I still need to know the fixes myself for others who pay me to tell them both how to remove their problems and how to prevent them. But, you can save a lot of major system problems that have been caused by malware things with these three kinds of things running on each of your boxes. About 114,800 such things out there, that my F-Prot AV knows now.

Enverex

Neither of those are really going to help as a firewall will keep asking them if they want to allow things which will either end up with them blocking things they needs or allowing things they don't, as I refuse to be called down every time it asks something else as that would be very often.

AV I doubt is going to help as I have been through Avast and AVG now, neither of which helped and my parents wont want to pay for AV software. Spybot and Adaware are clean too.

I can't control most of what goes through the machine anyway as my brother ends up installing his own crap and using accounts he is given off other people for pool sites etc, so that also doesn't help.

But anyway, those weren't a problem in the first place. The only issue is how do I remove this Virus/Worm/Trojan? I tried the Norton Mydoom/Ago remover and it didn't find anything. This machine doesn't get infected with anything and everything, this is just a one-off worm thing that just wont go away.