RegVal:worm.sobig

Discussion in 'Trojan Defence Suite' started by mot, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. mot

    mot Guest

    Have tried the evaluation version, works really well.

    I purchased TDS last night.

    Last night it turned up "regval:worm.sobig" and each time I "right click and delete", it returns.

    I tried many times; I can't get rid of it. The help menu explains reg val trace, but does not describe how to remove it.

    Can anyone help?
     
  2. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002
    Posts: 9,713
    Location: Netherlands, EU near the sea
    Hi Mot, Welcome!
    Can you locate the file or not at all? If so, please submit it to submit@diamondcs.com.au. Waiting for Gavin's comments.
     
  3. OSS

    OSS Guest

    Could be a false positive, I guess. Certainly I'm getting a Doomjuice.B regVal trace false positive all the time, thanks to the fact I've Nero Burning ROM installed, and it too creates a NeroCheck registry run entry...
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002
    Posts: 2,080
    Location: Perth, Western Australia
    The Nero trace should have been fixed long ago; update your database.

    A regval for Worm.Sobig is interesting. Please look at the FILENAME it refers to, and zip and send that EXE to submit@diamondcs.com.au. It may be a new one or some other worm which uses the same registry value (lots do this, they don't care :rolleyes:)
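    Gavin's advice is to look at the file the flagged registry value points to. As an added example (not code from this thread or from DiamondCS), the Python below parses a Win98-style REGEDIT4 export of the Run key, lists every Run value with the executable it launches, and reports whether that file exists on disk; the sample export, value names and paths are constructed placeholders.

```python
import os
import re

# Constructed sample (not from the thread): a REGEDIT4 export of the Run key,
# the format Win98 regedit writes. Value names and paths are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\SYSTEM\\NeroCheck.exe"
"SuspectValue"="C:\\WINDOWS\\SYSTEM\\placeholder_worm.exe /sinc"
"QuotedApp"="\"C:\\Program Files\\Some App\\app.exe\" -tray"
'''

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"="data", where both sides may contain backslash-escaped characters
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo .reg escaping (a backslash before a backslash or a quote)."""
    return re.sub(r'\\(.)', r'\1', s)

def exe_from_command(cmd):
    """Return the executable path from a Run-value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''   # unquoted: path ends at first space

def run_entries(reg_text):
    """Yield (key, value_name, exe_path) for every value under a Run key."""
    key = None
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith('\\run'):
            yield key, unescape(m.group(1)), exe_from_command(unescape(m.group(2)))

def triage(reg_text, exists=os.path.exists):
    """Map each Run value name to 'present' or 'missing' for the file it launches.
    A value whose file is missing is the case where a trace fires but there is
    nothing to submit; 'exists' can be swapped for a fake filesystem in tests."""
    return {name: ('present' if exists(path) else 'missing')
            for _, name, path in run_entries(reg_text)}
```

    Run it against a real export by reading the .reg file into a string and passing it to triage(); values reported as present are the files worth zipping up for the vendor.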
     
  5. mot

    mot Guest

    Thanks for the help, files are on the way.
     
  6. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002
    Posts: 9,713
    Location: Netherlands, EU near the sea
    Mot, thank you in the name of the whole internet community.
    You might be able to delete them in safe mode, and make sure to cleanse: disable system restore, reboot, enable system restore and manually make a new restore point if you are on XP, so the files don't come back after reboot!
    Now looking forward to Gavin's further comments and hopefully your "all clean!" message.
     
  7. mot

    mot Guest

    No changes so far.

    Booted to safe mode,

    ran TDS-3, right-clicked files, delete,

    then ran reg trace again; same file still there.

    o_O
     
  8. mot

    mot Guest

    Jooske

    Thanks for the help.

    I should have explained, this is a Win98 SE system. Also, the files I sent today were registry exports as well as a scanlog dump.

    Was this correct, or should I have tried to find the files themselves?
     
  9. MOT

    MOT Guest

    The story continues...

    Tried the Kaspersky file remover,

    ran the remover file; it did not work or affect it. The program did not find anything.

    Also, yesterday I copied the reg files to a floppy and submitted them by email from a second machine.
    The next time I checked my web-based email account on machine 2 I had what appeared to be a virus- or trojan-infected message.
    It was from "Goldstein@netscape.com" and the subject line read "open and read right away"; it had an attachment also.
    Of course I did not open it or download it, but it appears it was too late. This morning the second machine is infected with Rat.mIRCbased - C:\winnt\system32\dllcache\lxmstart.exe and the second entry ends with \msngr.exe

    And now a third machine is infected on my networked cable internet service.

    Please tell me this "lxmstart" and "msngr" is part of the Radius server in TDS-3 o_O
     
  10. MOT

    MOT Guest

    OK, did my homework and found that lxmstart and msngr are part of the backdoor irc floodh.

    TDS-3 will not remove it; delete has no effect.

    Anyway, guess this is another one of those learning opportunities.

    But sometimes dumb and happy is less stressful :)
     
  11. mot

    mot Guest

    Good news,

    removed the original Sobig with a removal tool from Sophos. It included types A, B, C, D, F.

    Before that I tried a Sobig.F removal tool; it failed.

    Now on to my backdoor bug: it's hiding in a folder called dllcache, and I can't touch it.

    Tried rename, delete, cut and paste (in safe mode)
    and tried changing the read-only attributes. No joy.

    Time to continue with the removal tool search.
     
  12. dvk01

    dvk01 Global Moderator

    Joined: Oct 9, 2003
    Posts: 3,131
    Location: Loughton, Essex. UK
    Post a HijackThis log in the hijack forum and we'll soon fix those suckers.

    You need to kill their startup entries before you can reboot into safe mode and delete the actual files; otherwise they are still running.
     
  13. mot

    mot Guest

    Thanks,

    will have it there in a few minutes.
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002
    Posts: 2,080
    Location: Perth, Western Australia
    I think this may be a case of you running in a limited USER account? In this case it may be a false alarm. If the file(s) noted exist, please send a copy to submit@diamondcs.com.au

    I already emailed you about this too :)
     
  15. mot

    mot Guest

    Follow-up,

    Worm.Sobig cleaned out OK with the Sophos removal tool.

    The other item,

    Rat.mIRCbased - C:\winnt\system32\dllcache\lxmstart.exe

    turned out to be a false alarm; it shows up on Win2000 systems when you run TDS-3 under user or power user accounts. I haven't tried it on my XP system yet.

    I didn't know I should be using it under "administrator", and I am still annoyed I spent so much time trying to figure it out after searching the help menus in TDS-3 and the boards here.

    I tried searching for these systems using numerous keyword searches.

    If this was a "glitch" in the program, why couldn't I find a reference to it?

    Seems many, many people are running under administrator all the time?

    This isn't the first time a software program gave me an error because I was running under a more secure user or power user account, because the developers wrote the program to default to run under administrator. I wish a program that was written to run under administrator would clearly state that when you start it up under anything else.

    Rant, rant, rant, etc.

    Anyway, thanks for all the help.
     