wighty44
Members, Rank: Newbie
Content Count: 8
  1. Just ran SAS Pro Core 4374, Trace 2214, and it corrected this FP. However, there is another issue that appears to need investigation. When SAS first flagged the "problem" as Rogue.Agent/Gen-Nullo[EXE], it also identified the source file (PCPBIOS.EXE) and its path: C:\windows\system32. But SAS Pro Core 4373 did not identify the file or its location. In addition, it also flagged the problem as Rogue.Agent/Gen-Nullo[EXE-Spec], which is slightly different. Since the Core 4374 version did not flag the file, it is unknown if the lack of file name & location issue was carried over from Core 4373 to Core 4374...
  2. On 12/12/09 SAS Pro reported NTIEMBED.DLL as being Rogue.Agent/Gen-Nullo[DLL] as well as an EXE file being discussed in another FP topic - Dell, Win XP SP1. I updated SuperAntispyware to Core 4373, Trace 2214, restored the file, and then re-ran SAS. It corrected the FP for NTIEMBED.DLL so it may also correct other FPs being discussed here...
  3. I also updated SuperAntispyware to Core 4373, Trace 2214, restored the file, and then re-ran SuperAntispyware. Unfortunately, it was again flagged as a problem: PCPBIOS.EXE: Rogue.Agent/Gen-Nullo[EXE]. I sent a FP report to SAS. The one thing this SW version did do was to correct a FP for NTIEMBED.DLL: Rogue.Agent/Gen-Nullo[DLL]. Initially both the DLL & EXE file were flagged as problems for me on 12/12/09. Today I was able to restore the DLL file. Hopefully SAS programmers will correct the EXE file FP soon...
  4. Is there a way a SAS Pro user can tell if a suspected FP item has been submitted to the false positive reporting system?
  5. I also had SAS quarantine NTIEMBED.DLL as a virus. Not knowing what the file was used for, I searched for NTI*.*. What I found were several files in Windows folders [c]and one GIF file [ntimage.gif]. Viewing that file showed a faint WINDOWS XP logo. I also found NTIAspi.dll in a Realplayer\CDBurning folder. I hope SAS tech support resolves this issue before my system needs to use NTIEMBED.DLL ...
  6. Later, I found 2 tasks added to the Task Manager, set to run hourly, that called rundll32 to load Vundo files (jemitawa & dadeyisi) added to the WINDOWS/SYSTEM32 folder by the malicious software. In addition, I was able to identify the source of this infection using the Windows Event Viewer. If I've interpreted the information correctly, it was embedded in a Flash file from ectiver.net. I've added that site to my blocked sites list.
  7. Further investigation revealed that my SVCHOST file was not the culprit. HijackThis found several registry entries that SASPro missed even though they referenced file names already identified by SASPro in the complete system scan as Vundo files. The registry keys involved were: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] [HKEY_CLASSES_ROOT\CLSID\{8364c871-288e-4437-8d9d-d3781cd05a73}] [HKEY_CLASSES_ROOT\CLSID\{f3a8b122-4fe2-4c5e-80ec-484b49bcad79}] [HKEY_CLASSES_ROOT\CLSID\{675f77a2-36a0-4903-8947-8d1cd4dacd9d}] The last 3 keys used InprocServer32 as the means to load the Vundo files that were observed in the Rundll32 command line listed in the Process Explorer scan under the svchost -k netsvcs listing. It seems SASPro needs some tweaking to identify these keys. Perhaps these keys existed from the time of the first infection and when some condition was satisfied the infection was re-established...
  8. Until this past September my WIN XP system has been virtually free of virus/adware problems, but over the past two months I've had 6 instances of Vundo variants infect my system and I'm trying to understand two things - what is the most likely infection source, and how do I remove a latent infection trigger... Although I'm not a "malware hunter" I do have a reasonably sound understanding of computer HW & SW. So these infections were handled by a combination of Avast Pro, Outpost Pro FW, and SAS Pro (lifetime registration). However, I'm frustrated not knowing how these Vundo variants (Fixed, EC, TDay, WinMM, Qheader, Broad, Gen, and SR) are getting into my system. I don't visit porn sites, I'm not using online file (or Media) sharing, and I'm not an online gamer. Any thoughts? My last infection (twice today) was cleaned out by SASPro, but it left something behind and did not clean out a registry key in HKLM/SW/MS/Win/CurrVer/Run. While I was able to identify and remove the registry key, I have not been successful in finding the root cause of an OS process that I can see trying to load a DLL via SVCHOST & RUNDLL32 via Process Explorer. Just now I checked and two RUNDLL processes are trying to load jemitawa.dll & ginuzefa.dll (two of the 6 files identified as VUNDO variants by SASPro earlier today). It seems to me that possibly my SVCHOST file may be a trojan, as these file names have to be coded into some file on my system for them to be written into a rundll command line that seems to pop up at will. So I'd like to know how to test this notion and if my SVCHOST is a trojan, then perhaps the folks at SASPro might need to know that the program hasn't flagged the file as a problem.
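Post 7 above describes the persistence mechanism that the scanner missed: a CLSID registered under Explorer's SharedTaskScheduler key, whose InprocServer32 value points at the DLL that Explorer then loads. The PowerShell below is an added defender-side check, not code from wighty44's posts nor from SuperAntiSpyware or HijackThis. It enumerates every SharedTaskScheduler entry, resolves each CLSID to its InprocServer32 DLL, and reports whether that DLL exists, whether it carries a valid Authenticode signature, and whether the CLSID is one of the three the post listed. It assumes a Windows host with PowerShell 3.0 or later and an elevated session for full registry visibility; the watchlist CLSIDs are taken from the post, and no other values are assumed.

```powershell
# Added example (not from the forum post): audit Explorer's SharedTaskScheduler
# entries and resolve each CLSID to the DLL its InprocServer32 key loads.
# Assumes Windows with PowerShell 3.0+; run elevated for full registry access.

$stsPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

# CLSIDs reported in the post above; any hit here is worth a closer look.
$watchlist = @(
    '{8364c871-288e-4437-8d9d-d3781cd05a73}',
    '{f3a8b122-4fe2-4c5e-80ec-484b49bcad79}',
    '{675f77a2-36a0-4903-8947-8d1cd4dacd9d}'
)

function Get-SharedTaskSchedulerEntries {
    # Each value under the key is named by a CLSID; its data is a description.
    if (-not (Test-Path $stsPath)) { return @() }
    $key = Get-Item $stsPath
    foreach ($name in $key.GetValueNames()) {
        [PSCustomObject]@{ Clsid = $name; Description = $key.GetValue($name) }
    }
}

function Resolve-ClsidInprocServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes; check all
    # three so a per-user override does not hide the machine-wide entry.
    $candidates = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) {
            $dll = (Get-ItemProperty -Path $path).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Test-InprocServerDll {
    param([string]$Path)
    # A CLSID in SharedTaskScheduler with no loadable server is itself suspect,
    # as is one whose DLL is unsigned or has a broken signature.
    if (-not $Path) { return 'NO_INPROCSERVER32' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'FILE_MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "SIGNED:$($sig.SignerCertificate.Subject)" }
    return "UNSIGNED_OR_INVALID:$($sig.Status)"
}

function Get-SharedTaskSchedulerReport {
    foreach ($entry in Get-SharedTaskSchedulerEntries) {
        $dll = Resolve-ClsidInprocServer -Clsid $entry.Clsid
        [PSCustomObject]@{
            Clsid       = $entry.Clsid
            Description = $entry.Description
            Dll         = $dll
            Verdict     = Test-InprocServerDll -Path $dll
            OnWatchlist = $watchlist -contains $entry.Clsid.ToLower()
        }
    }
}

Get-SharedTaskSchedulerReport | Format-Table -AutoSize
```

On a clean system the key is usually empty or holds only Microsoft-signed shell components, so anything that resolves to an unsigned DLL in System32 with a random-looking name, or to a file that no longer exists, matches the pattern described in the post. Removing the SharedTaskScheduler value alone is not enough; the CLSID key under HKCR\CLSID has to go as well, otherwise the loader path survives for the next re-registration.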