Have tried the evaluation version, works really well. I purchased TDS last night. Last night it turned up "regval:worm.sobig" and each time I "right click and delete", it returns. I tried many times - can't get rid of it. The help menu explains reg val trace, but does not describe how to remove. Can anyone help?
Hi Mot, welcome! Can you locate the file, or not at all? If so, please submit it to submit@diamondcs.com.au. Waiting for Gavin's comments.
Could be a false positive, I guess. Certainly I'm getting a Doomjuice.B regVal trace false positive all the time, thanks to the fact I've Nero Burning ROM installed, and it too creates a NeroCheck registry run entry...
The Nero trace should have been fixed long ago; update your database. A regval for Worm.Sobig is interesting. Please look at the FILENAME it refers to and zip and send that EXE to submit@diamondcs.com.au. It may be a new one or some other worm which uses the same registry value (lots do this, they don't care).
Mot, thank you in the name of the whole internet community. You might be able to delete them in safe mode, and make sure to cleanse: disable system restore - reboot - enable system restore and manually make a new restore point if you are on XP, so the files don't come back after reboot! Now looking forward to Gavin's further comments and hopefully your "all clean!" message.
No changes so far. Booted to safe mode, ran TDS-3, right-clicked the files, delete, then ran reg trace again - same file still there.
Jooske, thanks for the help. I should have explained, this is a Win98 SE system. Also, the files I sent today were registry exports as well as a scanlog dump. Was this correct? Or should I have tried to find the files themselves?
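The FILENAME a regval trace refers to (Gavin's request above) can be read straight out of a registry export like the ones Mot sent. Added example, not code from the thread or from DiamondCS: a small Python parser for .reg exports that lists every entry under the Run-type autostart keys and the executable each one launches, so the file can be located on disk and submitted. The RUN_KEYS list and the sample export are constructed for illustration; the program names in it are placeholders.

```python
import re
from collections import namedtuple

# Autostart keys where "regval" traces usually point; matched case-insensitively
# against the end of the key path so HKLM and HKCU exports both qualify.
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce", r"\currentversion\runservices")
RunEntry = namedtuple("RunEntry", "key name command exe")

def reg_unescape(s):
    """Undo .reg escaping: a backslash escapes the character that follows it."""
    return re.sub(r"\\(.)", r"\1", s)

def command_to_exe(cmd):
    """Program path from a Run command line, quoted ("C:\\dir\\x.exe" /q) or bare with args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def parse_run_entries(reg_text):
    """One RunEntry per string value under a Run-type key in a .reg export;
    dword/hex values and values under other keys are skipped."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not any(key.lower().endswith(k) for k in RUN_KEYS):
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m:
            name, cmd = reg_unescape(m.group(1)), reg_unescape(m.group(2))
            entries.append(RunEntry(key, name, cmd, command_to_exe(cmd)))
    return entries

# Constructed sample export (not from the thread); program names are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TrayX"="\"C:\\Program Files\\Example App\\trayx.exe\" /background"
"Flags"=dword:00000001
'''

if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_REG):
        print(f"{e.name:10} -> {e.exe}")
```

Run it against a real export (regedit's "Export" of the Run key) and compare each listed path with what the regval trace names; a path that exists on disk is the file to zip and submit.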
The story continues... Tried the Kaspersky file remover, ran the remover file - did not work, or affect it. The program did not find anything. Also, yesterday I copied the regfiles to a floppy and emailed/submitted them from a second machine. The next time I checked my web-based email account on machine 2 I had what appeared to be a virus- or trojan-infected message. It was from "Goldstein@netscape.com" and the subject line read "open and read right away"; it had an attachment also. Of course I did not open it or download it - but it appears it was too late. This morning the second machine is infected with Rat.mIRCbased - C:\winnt\system32\dllcache\lxmstart.exe, and the second entry ends with \msngr.exe, and now a third machine is infected on my networked cable internet service. Please tell me this "lxmstart" and "msngr" is part of the Radius server in TDS-3.
OK, did my homework and found that lxmstart and msngr are part of the backdoor irc floodh. TDS-3 will not remove them; delete has no effect. Anyway, guess this is another one of those learning opportunities. But sometimes dumb and happy is less stressful.
Good news: removed the original Sobig with a removal tool from Sophos. It included types A, B, C, D, F. Before that I tried a Sobig.F removal tool; it failed. Now on to my backdoor bug - it's hiding in a folder called dllcache, and I can't touch it. Tried rename, delete, cut and paste (in safe mode), and tried changing the read-only attributes - no joy. Time to continue on with the removal tool search.
Post a HijackThis log in the hijack forum and we'll soon fix those suckers. You need to kill their start-up entries before you can reboot into safe mode and delete the actual files; otherwise they are still running.
I think this may be a case of you running in a limited USER account? In this case it may be a false alarm. If the file(s) noted exist, please send a copy to submit@diamondcs.com.au. I already emailed you about this too.
Follow-up: worm.sobig cleaned out OK with the Sophos removal tool. The other item, Rat.mIRCbased - C:\winnt\system32\dllcache\lxmstart.exe, turned out to be a false alarm; it shows up on Win2000 systems when you run TDS-3 under user or power user accounts. I haven't tried it on my XP system yet. I didn't know I should be using it under "administrator", and I am still annoyed I spent so much time trying to figure it out after searching the help menus in TDS-3 and the boards here. I tried searching for these systems using numerous keyword searches. If this was a "glitch" in the program, why couldn't I find a reference to it? It seems many, many people are running under administrator all the time? This isn't the first time a software program gave me an error because I was running under a more secure user or power user account, because the developers wrote the program to default to run under administrator. I wish a program that was written to run under administrator would clearly state that when you start it up under anything else. Rant, rant, rant, etc. Anyway, thanks for all the help.