Worms keeps hiding in HIJACKTHIS!!!

Discussion in 'malware problems & news' started by John, Uk, May 28, 2005.

Thread Status:
Not open for further replies.
  1. John, Uk

    John, Uk Guest

    Hi,

    I do a lot of file sharing using Ares, Azureus 2.2 and I get infected at least once a month with the W32/P2P variant worm. But the weird thing is that it always hides in the Hijackthis.exe file and doesn't do any damage.

    I use McAfee Internet Security 2005, Spywareblaster 3.4, spybot with tea timer, ad-aware 1.06, spyware blaster, microsoft anti-spyware, process guard, Hardware Router, what-process and tcp-viewer and trojan hunter. My computer is an AMD 64, 3500 - xp pro sp2.

    My question is whether anyone has had this strange thing happen to them, whereby they get infected with a worm but it does no harm, but just hides in an exe file like Hijackthis.

    John
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    By its nature, a worm is a self replicating and fast spreading piece of malware. I don't see how it would be just targeting one executable and then sit there doing nothing; unless it was being blocked by your AV Guard. But if your AV Guard is finding it, how come it allows it into your machine in the first place!

    Someone else will have to explain that 'cos I don't know!

    Are you finding this 'Worm' via demand scans from McAfee, or is it the on-access Guard that alerts you?

    Also are you sure it has not been making any Registry changes?

    http://labs.paretologic.com/spyware.aspx?remove=W32/P2P-Spybot

    http://vil.mcafeesecurity.com/vil/content/v_99998.htm

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=24282
     
    Last edited: May 28, 2005
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi John, and welcome to Wilders.
    You've mentioned that you're using McAfee Internet Security 2005, and it's detecting the worm, W32/P2P variant, inside Hijackthis.exe.

    Back in February 2005, McAfee did have a false-positive with this detection, but had supposedly fixed this with an updated definition.

    See "News and Updates" - February 16, 2005: http://www.richardthelionhearted.com/~merijn/
    It could be they are again falsely detecting an infection in HijackThis.exe. You could submit a copy of the file to them for analysis.

    But to always be on the safe side, since you are using file-sharing apps, you should do an on-line virus scan as a second verification your computer is clean.

    Regards,

    snap
     
  4. John, uk

    John, uk Guest

    hi,

    I do a lot of file sharing and I assume the worms get in that way.

    Normally I get an unstable system (screen flashing, unable to open any folders), so I do a virus scan and it always detects the W32/P2P variant worm hidden in the HiJackThis.exe file. Once I have finished scanning I clean the file. As far as I can see there have been no registry changes, but I have a lot of software in place to warn me of any important changes. Also I downloaded a couple of programs from F-sure that look for any registry changes made by W32/P2P spybot, w32/P2P worms, and McAfee stinger.

    Could I have a compromised computer that allows the worm to enter in the first place? Luckily I haven't been infected in a couple of months.

    just confused - very strange

    thanks again for helping out,

    John
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    I'm a li'l confused myself, John. :doubt:

    You said in your first post that you usually get infected at least once a month, but yet you said you haven't been infected for several months now.

    Also, if I am understanding this correctly, it's always just this one file, HijackThis.exe, that is being flagged as infected. And it's just McAfee detecting this file infected with the same virus - W32/P2P variant worm?

    Can you tell me where the Hijackthis.exe file is located? Also, when was the last time you updated McAfee?

    Regards,

    snap
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    As Snapdragin and Topper have told you, we have seen this problem before with people complaining..


    I'm trying to fix a problem with my comp, but when I download Hijackthis, after 3 minutes McAfee cleans it and says it's a virus. Why is it doing that? Isn't Hijackthis a virus-free program?





    It seems McAfee is detecting the new HijackThis version 1.99.1 as W32/Generic.worm!p2p. It is not the first time this happened and probably not the last time either. There is no virus in HijackThis. McAfee incorrectly detects the PE compression method I use on all of Merijn programs as a generic Kazaa worm. He contacted McAfee about this and to see if the incorrect detection can be removed in their next update.

    [Update 2] Success! McAfee has put out new definitions that no longer detect HijackThis 1.99.1 as a virus. ^_^

    FYI, at one time McAfee 8.0i also removed Spybot S&D, detecting it as a trojan, but they fixed that also.


    Also if you have ever used your hijackthis in the past to clean off any malware..by default it keeps copies of that in a file just in case you made a mistake and want to reverse the process..if an Antivirus detects that file..then simply go into your hijackthis and clean out that area.

    Now independent of that..you state " Normally I get an unstable system(screen flashing-unable to open any folders) "

    All of that is independent of this false positive your McAfee is finding and I suggest you have other problems on your PC..and if you would like someone to look at your hijackthis log and help you on that..


    First do these steps you have not done in the past already

    Guidelines for Posting in This Forum, READ THIS FIRST PLEASE


    http://forum.gladiator-antivirus.com/index.php?showtopic=10517

    Then post your hijackthis log in a new topic at this forum


    HELP! Think you are Infected?


    http://forum.gladiator-antivirus.com/index.php?showforum=170


    To use that forum you must first register at that Board.
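
An added example, not part of the thread and not code from HijackThis or McAfee: compressed executables have sections that look like random data whatever the program does, which is one reason generic detections can misfire on them. The sketch below reads a PE file's section table and reports per-section entropy, a common triage check before submitting a suspected false positive; the 7.0 threshold, the section names and the sample buffer are assumptions constructed for illustration.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section listed in a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                           # start of section table
    for i in range(n_sections):
        entry = table + 40 * i                               # 40-byte section header
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def section_report(image: bytes, threshold: float = 7.0):
    """Return {section: (entropy, looks_packed)}; the threshold is an assumption."""
    ents = {name: round(shannon_entropy(raw), 2) for name, raw in pe_sections(image)}
    return {name: (h, h >= threshold) for name, h in ents.items()}

def build_sample() -> bytes:
    """Constructed PE-like buffer; only the fields the parser reads are filled in."""
    plain = b"\x90\xC3" * 2048                               # two byte values only
    dense = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    start = 0x40 + len(coff) + 2 * 40                        # first byte of section data
    sec = [struct.pack("<8sIIII16x", b".text", len(plain), 0x1000, len(plain), start),
           struct.pack("<8sIIII16x", b".packed", len(dense), 0x2000, len(dense), start + len(plain))]
    return bytes(dos) + coff + b"".join(sec) + plain + dense

if __name__ == "__main__":
    print(section_report(build_sample()))
```

High entropy only shows that a section is compressed or encrypted; it says nothing about whether the file is malicious, so the result supports a false-positive submission rather than replacing a second scan.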
     
  7. John, uk

    John, uk Guest

    Hey,

    Visited www.hijackthis.de and got the log file checked over; everything seems OK. I've been having problems with McAfee showing everything expired, which in turn has left me with no protection, but I have now fixed this problem. Used countless programs to check my system - I think McAfee has been giving false positives as well as at some point being infected with malware, i.e. worms.

    Sorry to be a pain, thanks for all your help,

    John
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Glad to hear your problem has been resolved. If you have any more problems just drop on by and we will see if we can be of help.

    bigc
     