Vbs_agent.amaf


24 replies to this topic

#1 phallical

phallical

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 29 September 2008 - 09:42 PM

Hi,
I have detected VBS_AGENT.AMAF on my system. I have tried every piece of advice given on the internet on this worm and haven't touched it.
It has been found and cleaned numerous times with Trend's Sysclean and comes back. I was successful in removing many other viruses I found with it, but this thing is persistent!
Looking for advice...
thanks phal


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:53 PM

Posted 29 September 2008 - 11:32 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry798468

That's an autorun.inf infection that spreads to and from USB flash drives and other drives.

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

After immunization the folder will have a file in it named "lpt3.This folder was created by Flash_Disinfector".

Edited by DaChew, 29 September 2008 - 11:35 PM.

Chewy

No. Try not. Do... or do not. There is no try.
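The Folder Options steps above write three REG_DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. The following is an added example, not code from this thread or from any of the tools it mentions: it audits those values from a `reg export` of that key, so the check can be run on the analyst's machine against a file collected from the infected one, and re-run after cleaning to see whether something has flipped the settings back. The .reg text is a constructed sample, and the function names are mine.

```python
"""Check the Explorer view settings that hide autorun.inf and its payload,
from a .reg export rather than the live registry, so it can run anywhere.
Added example; not from the thread."""
import re

# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced values that the
# Folder Options > View dialog writes, at the setting each step in the thread selects.
HARDENED = {
    "Hidden": 1,           # 1 = Show hidden files and folders (2 = Do not show)
    "HideFileExt": 0,      # 0 = extensions of known file types are shown
    "ShowSuperHidden": 1,  # 1 = protected operating system files are shown
}

# Constructed sample of `reg export "HKCU\...\Explorer\Advanced" advanced.reg`
# on a machine still at the defaults (reg.exe writes UTF-16; open real exports
# with encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"SuperHidden"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(reg_text):
    """Return {key_path: {value_name: int}} for the REG_DWORD entries of a .reg file.
    Other value types (strings, hex(2) binaries) are ignored; the three settings
    of interest are all DWORDs."""
    result, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def audit_explorer_view(reg_text):
    """Return [(value_name, found, expected)] for settings not at the hardened
    value. found is None when the value is absent; absence is reported because
    the dialog always writes all three, so a missing one has not been set."""
    advanced = {}
    for path, values in parse_reg_dwords(reg_text).items():
        if path.lower().endswith(r"\explorer\advanced"):
            advanced.update(values)
    return [(name, advanced.get(name), want)
            for name, want in HARDENED.items() if advanced.get(name) != want]


if __name__ == "__main__":
    for name, found, want in audit_explorer_view(SAMPLE_REG):
        print(f"{name}: found {found}, want {want}")
```

Collect the export with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" advanced.reg` on the affected machine and feed its text to `audit_explorer_view`; an empty list means the three view settings match what the steps above produce.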

#3 phallical (Topic Starter)

Posted 30 September 2008 - 05:42 AM

Hi Chewy,
The originating problem came from an external hard drive. I ran the immunization, but when I went to the problem drive, there was an autorun.inf file there, but the notation that it was made by Flash_Disinfector was missing and the folder described was not present.
Did I do something wrong here?
thanks..phal

Edited by phallical, 30 September 2008 - 05:44 AM.


#4 DaChew

Posted 30 September 2008 - 05:55 AM

you could compare that file/folder with one created on another drive

you could do the clamwin scan as mentioned by QM7 in the link

You have to kill the infection on all drives or it will just keep reinfecting

#5 phallical (Topic Starter)

Posted 01 October 2008 - 05:29 AM

One more question,
I need to plug my iPod in also, huh?
Will the .inf file cause any malfunctions on this drive? Or should I clean the system and restore the iPod instead of placing the .inf file on the player?
Sorry for all the questions, but I do not know what placing the .inf file on the iPod is going to do.
thanks for all the help....phal

#6 DaChew

Posted 01 October 2008 - 05:58 AM

I would wipe and reload the iPod, but I don't have one myself, so make sure you can reload it first.

An empty autorun.inf shouldn't bother it, but like I said, I don't have one.

#7 phallical (Topic Starter)

Posted 01 October 2008 - 06:56 AM

Wow, quick reply; you are either in another country or up early like myself.
I am currently running Trend's Sysclean to check for the worm. It always detects it.
While watching it run on my G drive, it scanned the file you were talking about:
"lpt3.This folder was created by Flash_Disinfector"
But when I go to the drive, I cannot see the folder. I have always shown hidden files.
Do you have any idea why this file is not present when looking for it, but my AV scanner can see it? Maybe this is why I cannot see it on my external drive.
thanks...phal

#8 DaChew

Posted 01 October 2008 - 07:12 AM

Open your C drive in My Computer.

I have 3 hidden folders that show as fainter icons; check those settings again, try "apply to all folders".

When I first started to get into Windows I followed an old guru named Fred Langa; he wasn't afraid to criticize MS or AOL, and he considered these hidden default settings a security vulnerability and an insult to a user's intelligence.

:thumbsup:

#9 phallical (Topic Starter)

Posted 01 October 2008 - 10:17 PM

I am having no luck with the fix.
The worm is still showing up on all scans.
I also have a file detected as WORM_FACE.AB.
Any other ideas? Think I might be doing something wrong?
thanks...phal

#10 DaChew

Posted 01 October 2008 - 10:22 PM

Disconnect all extra drives and leave them disconnected

Run a scan with MBAM and post the log

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

#11 phallical (Topic Starter)

Posted 02 October 2008 - 05:23 PM

Sorry Chewy, I mistakenly thought you wanted me to repost in another thread. My mistake.

Here is the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 3

10/2/2008 5:36:25 AM
mbam-log-2008-10-02 (05-36-07).txt

Scan type: Quick Scan
Objects scanned: 55659
Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" /s) Good: ("%1" /S) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
G:\WINDOWS\system32\1.ico (Malware.Trace) -> No action taken.
G:\WINDOWS\system32\2.ico (Malware.Trace) -> No action taken.

Thanks...phal

#12 DaChew

Posted 02 October 2008 - 05:48 PM

reboot and run another scan

"let's run this fox to ground"

chewism

#13 phallical (Topic Starter)

Posted 03 October 2008 - 05:53 AM

Here ya go........thanks...phal

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 3

10/3/2008 5:51:31 AM
mbam-log-2008-10-03 (05-51-31).txt

Scan type: Quick Scan
Objects scanned: 56049
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 DaChew

Posted 03 October 2008 - 06:52 AM

VBS_AGENT.AMAF

read this from trend

http://www.trendmicro.com/vinfo/virusencyc...AF&VSect=Sn

under solution

Try to grasp how this infection works; it could be on every drive you have.

but first would you run another program?



atf and SAS


http://www.bleepingcomputer.com/forums/ind...mp;#entry913381

#15 phallical (Topic Starter)

Posted 04 October 2008 - 05:46 AM

Hi Chewy,
I ran ATF Cleaner and SAS.
SAS found 22 unknown threats and eliminated them.
I will run Sysclean after posting and check for the worm.

Concerning the Trend article.

I am somewhat experienced at removing the bad stuff on my machine. Before coming here, I read the same Trend article you referred me to. I looked up the keys, and the keys they pointed out were not exactly as they stated they would be. Before I made changes I backed up the registry to my desktop.
Here is something I am unsure of:
If the keys they refer to are not under the path that I am pointed to, do I make the key and put it there?

For instance:
If I look in my registry for:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>Advanced
There is nothing in the right panel that states:
ShowSuperHidden = "0"
But I do have a path with:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>ShowSuperHidden>
Note that in my registry "ShowSuperHidden" is not under "Advanced" It is in the same column with "Advanced" so that makes the path shown in the Trend article different than what is in my machine.
In the right side of the HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>ShowSuperHidden>
there was a "ShowSuperHidden = "0"", I made the Key into a 1 instead of 0 anyway and it had no effect on the worm.

The registry scares the crap out of me because I have seen stuff done there crash the computer into a non bootable brick. So I am hesitant to change anything without specific instruction on how to do so.

I also did the search for the AUTORUN.INF as instructed in the article. I opened each in notepad and there were no references to:

open=wscript.exe .\.vbs
shell\open\command=wscript.exe .\.vbs
shell\open\default=wscript.exe .\.vbs

anywhere in these files.
I tried other fixes in articles across the internet and found no solutions. That's when I came here.

I will run Sysclean and check for the worm again and repost.
Thanks...phal
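The three directive lines quoted in the post above (open=, shell\open\command=, shell\open\default= pointing at wscript.exe and a .vbs) are the whole trick: whoever opens the drive in Explorer runs the script. The following is an added example, not code from this thread, from Trend, or from Flash_Disinfector: it parses the [autorun] section of an autorun.inf, flags launch directives that hand control to a script host or executable, and distinguishes the Flash_Disinfector-style immunization (autorun.inf present as a folder holding a reserved-device-name entry, which the worm cannot replace with its own file) from an infected file. The autorun.inf contents and the temp-directory "drives" are constructed samples; payload.vbs is a placeholder name, not an indicator from the thread.

```python
"""Triage autorun.inf on drive roots: parse the [autorun] section, flag launch
directives that hand control to a script host, and recognise the
Flash_Disinfector-style immunization folder.  Added example; not from the thread."""
import os
import re
import tempfile

# Directives that make Explorer/AutoPlay run something when the drive is opened.
LAUNCH_KEYS = {
    "open", "shellexecute",
    "shell\\open\\command", "shell\\open\\default",
    "shell\\explore\\command", "shell\\autoplay\\command",
}
# Script hosts and executable extensions a worm's launch line usually names.
# A CD installer's open=setup.exe trips this too; on a data drive that is
# still worth a look, so no allow-list is applied here.
SUSPECT = re.compile(
    r"\b(wscript|cscript|cmd|rundll32)(\.exe)?\b|\.(vbs|vbe|js|jse|bat|cmd|exe|scr|pif)\b",
    re.I,
)


def parse_autorun(text):
    """Return {directive: value} from the [autorun] section, keys lower-cased.
    Worms pad the file with junk sections and binary noise, so only [autorun]
    is read and lines without '=' are skipped."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def assess_autorun(text):
    """Return the launch directives that point at a script host or executable."""
    return [
        f"{key}={value}"
        for key, value in parse_autorun(text).items()
        if key in LAUNCH_KEYS and SUSPECT.search(value)
    ]


def triage_drive_root(root):
    """Classify <root>/autorun.inf.  Returns (state, findings); state is
    'immunized' (autorun.inf is a folder, as Flash_Disinfector leaves it, so the
    worm cannot drop its own file there), 'suspicious', 'benign-file' or 'absent'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "immunized", []
    if not os.path.isfile(path):
        return "absent", []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        findings = assess_autorun(fh.read())
    return ("suspicious" if findings else "benign-file"), findings


# Constructed samples.  WORM_SAMPLE follows the directive shape quoted in the
# thread; 'payload.vbs' is a placeholder, not a real indicator.
WORM_SAMPLE = (
    "[autorun]\r\n"
    "open=wscript.exe .\\payload.vbs\r\n"
    "shell\\open\\command=wscript.exe .\\payload.vbs\r\n"
    "shell\\open\\default=wscript.exe .\\payload.vbs\r\n"
)
VENDOR_SAMPLE = "[autorun]\r\nicon=drive.ico\r\nlabel=Photos\r\n"


def make_demo_tree():
    """Build a temp directory standing in for three drive roots and return it:
    E = infected file, F = immunized folder, G = nothing at the root."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    for name in ("E", "F", "G"):
        os.mkdir(os.path.join(base, name))
    with open(os.path.join(base, "E", "autorun.inf"), "w") as fh:
        fh.write(WORM_SAMPLE)
    # The lpt3.* entry is a reserved device name on Windows: the normal Win32
    # path APIs refuse it, which is what makes the real folder hard to delete.
    # Creating it there needs the \\?\ prefix; elsewhere it is just a name.
    inner = os.path.join(base, "F", "autorun.inf",
                         "lpt3.This folder was created by Flash_Disinfector")
    if os.name == "nt":
        inner = "\\\\?\\" + os.path.abspath(inner)
    os.makedirs(inner)
    return base


def triage_all(base):
    """Run triage_drive_root over every 'drive' under base; returns {name: state}."""
    return {d: triage_drive_root(os.path.join(base, d))[0]
            for d in sorted(os.listdir(base))}


if __name__ == "__main__":
    base = make_demo_tree()
    for drive, state in triage_all(base).items():
        print(drive, state)
```

On a real machine, point `triage_drive_root` at each drive root (`E:\`, `F:\`, and so on, with every removable disk and the iPod attached) after cleaning; a root that comes back 'suspicious' is still carrying a loader, which matches the advice earlier in the thread that the infection has to be killed on all drives at once or it reseeds itself.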



