
W32 Mypis Infection? Its Weird...


14 replies to this topic

#1 Illusion13


Posted 14 December 2007 - 02:42 AM

Started this morning I think. Every time I run a program (doesn't seem to happen with Internet Explorer, thankfully), such as a game, NOD32 catches a W32/mypis infection and says send to quarantine or something. The program works fine after. Except for StarCraft, which then says my version is wrong and to uninstall and reinstall the application, and if the problem persists I have a virus infection (yes, I know that)...

Don't think a HijackThis log will help as I do not notice anything abnormal from reading it. I am currently doing a full scan using NOD32.

The weird thing is how if I unplug my internet this problem does not happen.



#2 rookie147


Posted 14 December 2007 - 04:11 AM

What is the name and location of the infected file(s)?



#3 Illusion13


Posted 14 December 2007 - 04:52 AM

C:\Documents and Settings\Lee\Local Settings\Temporary Internet Files\Content.IE5\1X83W8UY\main[1].exe
C:\Program Files\Common Files\WIN.exe
hxxp://bb.avpkav.com/main.exe

Seems like those three are the constant ones... Well, the random string of things after IE5 is variable... but the rest are constant. Especially the website. I replaced http with hxxp so you wouldn't accidentally click it.

NOD32 says it's a variant of the Win32 mypis virus....

The strangest thing is that when I disconnect the internet the virus doesn't activate at all... But I think all my .exes are done...

Edited by Illusion13, 14 December 2007 - 04:53 AM.


#4 Illusion13


Posted 14 December 2007 - 05:20 AM

In the middle of housecall scan it shows I have 150 infections of PE_MUMAWOW.AR

Is that related?

#5 quietman7


Posted 14 December 2007 - 07:36 AM

Have you tried doing your scans in "Safe Mode"? If rescanning in Safe Mode does not help, then do this:

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file (sysclean.log) generated in the same folder where the scan is completed - C:\Sysclean.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have access rights to scan some locations. You can also use the "Run As" command to start a program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

Then download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#6 Illusion13


Posted 14 December 2007 - 05:21 PM

In the process of sysclean scan... It finds the PE_MUWAWOW thingie but doesn't seem to be able to clean the .exe files infected with it..

Oh by the way housecall found like 1000 infections of that thing by the end of the scan.

NOD32 for some reason finds nothing. I think it itself might've been infected...

My question is, why doesn't it trigger a response from NOD32 when my internet is unplugged?

#7 quietman7


Posted 14 December 2007 - 06:27 PM

Did the sysclean scan provide a specific file name associated with PE_MUWAWOW, and where is it located (file path) on your system?

My question is, why doesnt it trigger a response from NOD32 when my internet is unplugged?

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

#8 Illusion13


Posted 14 December 2007 - 07:59 PM

What I meant was... It's as if the virus is inactive without internet...

Sysclean seems to be cleaning stuff... 3 hours after I started the scan it is still scanning.....

#9 Illusion13


Posted 14 December 2007 - 08:42 PM

Sysclean managed to clean a lot of the damage; however, it seems like a lot of programs no longer work... While one I tried is still infected. Should I run sysclean again later?

I haven't done SuperAntiSpyware yet, will that help at all?

The programs that no longer work can be reinstalled I guess...

#10 quietman7


Posted 15 December 2007 - 07:04 AM

The speed of an anti-virus or anti-malware scan depends on a variety of factors.
  • The anti-virus program itself and how its scanning engine is designed to scan.
  • Deep scanning or quick scanning.
  • What action has to be performed when malware is detected.
  • Competition between the scanner and other applications for system resources.
  • Your computer's hard drive size.
  • Disk used capacity (number of files) that have to be scanned.
  • Running processes in the background.
  • Interference from malware.
  • Interference from the user.
What programs are no longer working? You don't want to reinstall something if it is infected or you will just reinfect your system.

Yes, scan with SAS in safe mode as I instructed and post the log. Then perform this online Virus scan: BitDefender Online Scanner. <- Add a check by "Autoclean".
(Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

Again, these scans can take some time. It is important that you let me know the specific file name of any threat found but not removed and where it is located (file path) on your system.

#11 Illusion13


Posted 15 December 2007 - 10:44 PM

I have already deleted the .exes that were supposedly infected and reinstalled them, and they don't seem to trigger a virus response from NOD32 anymore. I will do a housecall scan right now and see if the virus is still present.

Tonight before I go to bed I will scan using sysclean again and see what happens. Then I will do SAS.

Tomorrow if I have time I will do Bitdefender. These scans do take time and I need to use the computer...

#12 quietman7


Posted 15 December 2007 - 11:45 PM

These scans do take time and I need to use the computer

I understand. At least we seem to be making progress.

Sometimes it takes several efforts with different tools to do the job. Even then, with newer types of malware infections, the task can be arduous.

#13 Illusion13


Posted 16 December 2007 - 05:02 AM

May I ask what exactly is this virus that I got so I can maybe look up information on it or something...

And I read somewhere how to disinfect .exes... The task seems absolutely tedious and difficult. Is sysclean the solution or something? 'Cause I am not sure whether it's sysclean that killed a lot of my .exes in the cleaning process or not...

#14 quietman7


Posted 16 December 2007 - 07:27 AM

W32/Mypis

W32/Mypis-Fam is a family of infected executable files that have been patched to download and execute malware from a remote location.

There is no guarantee with some infections because they can cause so much damage that you cannot always clean your system. As I already said, sometimes it takes several efforts with different tools and the task can be arduous. With some malware infections the only option is to reformat/reinstall the OS.
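A defender-side triage check for the situation described in this thread (patched executables that carry a download location), written as an added example; it is not code from the thread or from any of the tools named in it. It walks a directory tree, keeps only files with a valid MZ/PE header, and reports those containing the download host Illusion13 posted above, matched case-insensitively in both ASCII and UTF-16LE; the sample bytes it builds are constructed, and the C:\Program Files root is only an example.

```python
import struct
from pathlib import Path

# Indicator from the thread: the host the patched programs fetched main.exe from.
INDICATORS = ("bb.avpkav.com",)

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_indicators(data: bytes, indicators=INDICATORS) -> list:
    """Return the indicators present in data, in either ASCII or UTF-16LE form."""
    lowered = data.lower()  # bytes.lower() only folds ASCII letters, which is all we need
    hits = []
    for ind in indicators:
        narrow = ind.encode("ascii").lower()
        wide = ind.encode("utf-16-le").lower()
        if narrow in lowered or wide in lowered:
            hits.append(ind)
    return hits

def scan_tree(root, suffixes=(".exe", ".dll", ".scr")):
    """Walk root; return [(path, [indicators])] for every PE file carrying an indicator."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            data = path.read_bytes()
        except OSError:  # locked or access-denied files are skipped, not fatal
            continue
        if is_pe(data) and (hits := find_indicators(data)):
            findings.append((path, hits))
    return findings

def build_sample_pe(tail: bytes) -> bytes:
    """Constructed test input: an MZ/PE-shaped byte string, not a real executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    return bytes(header) + b"PE\0\0" + tail

if __name__ == "__main__":
    # Example root only; point it at whichever tree you want to triage.
    for p, hits in scan_tree(r"C:\Program Files"):
        print(p, hits)
```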

#15 Illusion13


Posted 17 December 2007 - 02:46 AM

Ran sysclean and SAS today, both get nothing (I ran Bitdefender last night, it deleted a few .exes still infected). So I guess I am clean now... hopefully... Thanks so much for your help!



