AVG AntiMalware: More FAILure Abounds

This forum is for testing I do with various security settings and tools. Infection infiltration, security lock down among other things. Currently XP Home-w\SP 2 installed


Postby TICTestBox » Tue Sep 23, 2008 12:03 am

Well, it was natural I'd finally get to this app, as it used to be the darling of all HJT analysts. We'd have users install it, usually as part of Smitfraud removal.

Then at about the same time that ewido sold it to AVG, MBAM came along. Oddly enough, ewido began to fall out of use as MBAM was so much better at catching these things.

I have to say I'm very disappointed with the outcome in this instance. While it did actually run, once again beating out AA SE and SS&D, it didn't find much of anything or remove much of anything.

Went to my old fav codec, which I've been using now for nearly two weeks, and got me some rogues and some Vundo.

Files added:

Code:

C:\Program Files\MicroAV\MicroAV.exe   419KB      9/19/2008 3:06:27 AM
C:\Program Files\MicroAV\MicroAV.ooo   1KB   A   9/19/2008 3:06:27 AM
C:\Program Files\MicroAV\MicroAV.cpl   167KB   A   9/19/2008 3:06:27 AM
C:\WINDOWS\system32\MicroAV.cpl   167KB   A   9/19/2008 3:06:27 AM
C:\Program Files\MicroAV\MicroAV1.dat   34KB   A   9/19/2008 3:06:27 AM
C:\Program Files\MicroAV\MicroAV0.dat   411KB   A   9/19/2008 3:06:27 AM
C:\Program Files\PCHealthCenter\5.exe   973KB   A   9/19/2008 3:06:28 AM
C:\Program Files\PCHealthCenter\0.exe   24KB      9/19/2008 3:06:28 AM
C:\Program Files\PCHealthCenter\2.exe   26KB   A   9/19/2008 3:06:29 AM
C:\Program Files\PCHealthCenter\1.exe   26KB   A   9/19/2008 3:06:29 AM
C:\WINDOWS\system32\YUR5.exe   26KB   A   9/19/2008 3:06:29 AM
C:\WINDOWS\system32\YUR6.exe   26KB   A   9/19/2008 3:06:29 AM
C:\WINDOWS\system32\YUR1.exe   26KB   A   9/19/2008 3:06:29 AM
C:\WINDOWS\system32\YUR2.exe   26KB   A   9/19/2008 3:06:29 AM
C:\WINDOWS\system32\YUR4.exe   25KB   A   9/19/2008 3:06:30 AM
C:\WINDOWS\system32\YUR8.exe   25KB   A   9/19/2008 3:06:30 AM
C:\WINDOWS\system32\YUR7.exe   25KB   A   9/19/2008 3:06:30 AM
C:\Program Files\PCHealthCenter\3.exe   25KB   A   9/19/2008 3:06:30 AM
C:\Program Files\PCHealthCenter\4.exe   25KB   A   9/19/2008 3:06:30 AM
C:\WINDOWS\system32\YUR3.exe   25KB   A   9/19/2008 3:06:30 AM
C:\WINDOWS\system32\YUR9.exe   75KB   A   9/19/2008 3:06:31 AM
C:\Program Files\PCHealthCenter\sc.html   3KB   A   9/19/2008 3:06:31 AM
C:\Program Files\PCHealthCenter\7.exe   75KB   A   9/19/2008 3:06:31 AM
C:\x   75KB   A   9/19/2008 3:06:31 AM
C:\Documents and Settings\Tom\Local Settings\temp\s1408.php.bat   1KB   A   9/21/2008 12:56:23 PM
C:\Documents and Settings\Tom\Local Settings\temp\smchk.exe.bat   1KB   A   9/21/2008 12:57:05 PM
C:\Documents and Settings\Tom\Local Settings\temp\windfr.exe.bat   1KB   A   9/21/2008 12:57:06 PM
C:\WINDOWS\system32\nnnoNhfD.dll   39KB   A   9/21/2008 12:57:08 PM
C:\Documents and Settings\Tom\Local Settings\temp\removalfile.bat   1KB   A   9/21/2008 12:57:08 PM
C:\WINDOWS\system32\nnnoNeFY.dll   39KB   A   9/21/2008 12:57:08 PM
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0T6BGTIR\file[1].exe   120KB   A   9/21/2008 12:57:09 PM
C:\Documents and Settings\Tom\Local Settings\temp\lwpwer.exe.bat   1KB   A   9/21/2008 11:50:06 PM
C:\Documents and Settings\Tom\Local Settings\temp\lwpwer.exe   1,202KB   A   9/21/2008 11:52:38 PM
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0T6BGTIR\Uninstaller[1].exe   1,202KB   A   9/21/2008 11:52:38 PM
C:\Documents and Settings\Tom\Local Settings\temp\s1408.php   1KB   A   9/21/2008 11:52:39 PM
C:\WINDOWS\system32\hgGvwxxv.dll   328KB   A   9/21/2008 11:59:59 PM
C:\WINDOWS\system32\ujafhfoc.dll   104KB      9/22/2008 12:00:43 AM
C:\WINDOWS\system32\ddrppqew.dll   137KB   A   9/22/2008 12:03:03 AM
C:\WINDOWS\system32\ibjanp.dll   137KB   A   9/22/2008 12:03:03 AM
C:\WINDOWS\system32\cofhfaju.ini   991KB   HS   9/22/2008 12:12:47 AM
C:\Documents and Settings\Tom\Desktop\BEST ZOO PORN.url   1KB   A   9/22/2008 12:15:03 AM
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\4DQJODAN\Uninstaller[1].exe   1,202KB   A   9/22/2008 12:17:09 AM
C:\Documents and Settings\Tom\Desktop\Micro Antivirus 2009.lnk   1KB   A   9/22/2008 12:17:30 AM
C:\Documents and Settings\Tom\Desktop\QUALITY PORN.url   1KB   A   9/22/2008 12:18:03 AM
C:\WINDOWS\system32\vxxwvGgh.ini2   796KB   HSA   9/22/2008 12:19:58 AM
C:\WINDOWS\system32\vxxwvGgh.ini   796KB   HSA   9/22/2008 12:20:03 AM
C:\Program Files\PCHealthCenter   1KB   D
C:\Program Files\MicroAV   1KB   D
C:\Documents and Settings\Tom\Local Settings\temp\avgdiag   1KB

Files removed by AVG:

Code:

"","","Adware.Generic Family","System registry HKU\S-1-5-21-1960408961-1677128483-854245398-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\","9/21/2008 2:08:18 AM","{c95fe080-8f5d-11d2-a20b-00aa003c157a}","N/A"
"","","Adware.Generic Family","System registry HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\","9/21/2008 2:08:18 AM","{c95fe080-8f5d-11d2-a20b-00aa003c157a}","N/A"
"","","Trojan horse BackDoor.Generic10.IPT","C:\WINDOWS\system32\YUR4.exe","9/22/2008 11:16:51 AM","YUR4.exe","23.5 KB"
"","","Trojan horse BackDoor.Generic10.IPT","C:\WINDOWS\system32\YUR1.exe","9/22/2008 11:16:50 AM","YUR1.exe","23.5 KB"
"","","Trojan horse FakeAlert.BD","C:\WINDOWS\system32\MicroAV.cpl","9/22/2008 11:16:50 AM","MicroAV.cpl","162.5 KB"
"","","Trojan horse FakeAlert.BD","C:\Program Files\PCHealthCenter\5.exe","9/22/2008 11:16:50 AM","5.exe","949.58 KB"
"","","Trojan horse BackDoor.Generic10.IPX","C:\Program Files\PCHealthCenter\0.exe","9/22/2008 11:16:50 AM","0.exe","22.5 KB"
"","","Adware Generic3.PVE","C:\Program Files\MicroAV\MicroAV.exe","9/22/2008 10:52:52 AM","MicroAV.exe","409 KB"
"","","Trojan horse FakeAlert.BD","C:\Program Files\MicroAV\MicroAV.cpl","9/22/2008 11:16:49 AM","MicroAV.cpl","162.5 KB"
"","","Trojan horse BackDoor.Generic10.IPX","C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\4DQJODAN\Uninstaller[1].exe","9/22/2008 11:16:47 AM","Uninstaller[1].exe","1.15 MB"
"","","Trojan horse BackDoor.Generic10.IPX","C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0T6BGTIR\Uninstaller[1].exe","9/22/2008 11:16:45 AM","Uninstaller[1].exe","1.15 MB"
"","","Not-A-Virus.Adware.Virtumonde","C:\Documents and Settings\Tom\Local Settings\temp\removalfile.bat","9/22/2008 11:16:45 AM","removalfile.bat","43 bytes"
"","","Trojan horse BackDoor.Generic10.IPX","C:\Documents and Settings\Tom\Local Settings\temp\lwpwer.exe","9/22/2008 11:16:44 AM","lwpwer.exe","1.15 MB"

After AVG did its removal thing, I ran MBAM, and here is what it found:

Code:

Malwarebytes' Anti-Malware 1.28
Database version: 1194
Windows 5.1.2600

9/22/2008 11:41:37 AM
mbam-log-2008-09-22 (11-41-37).txt

Scan type: Quick Scan
Objects scanned: 35164
Time elapsed: 3 minute(s), 6 second(s)

Memory Modules Infected:
C:\WINDOWS\system32\hgGvwxxv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nnnoNhfD.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ibjanp.dll (Trojan.Vundo) -> Delete on reboot.

Folders Infected:
C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hgGvwxxv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vxxwvGgh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxxwvGgh.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ibjanp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nnnoNeFY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnoNhfD.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddrppqew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\s1408.php (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\0T6BGTIR\CA32IT7Z (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Desktop\Micro Antivirus 2009.lnk (Rogue.XPertAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Tom\Desktop\QUALITY PORN.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Desktop\BEST ZOO PORN.url (Rogue.Link) -> Quarantined and deleted successfully.

Yet again, MBAM proves superior in these rogue/Vundo cases, many of which are littering the Net.
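The comparison the post draws by eye can be made mechanically: the following is an added example (not from the post, AVG or Malwarebytes) that parses the three formats quoted above, the "Files added" listing, AVG's CSV export and the MBAM log, and reports which dropped files each scanner acted on and which neither touched. The sample lines are constructed from a subset of the post's entries; paths are compared case-insensitively, and AVG's registry hits are skipped because the drop list contains only files.

```python
import csv
import re
# Constructed samples in the three formats quoted in the post (a subset of its entries).
FILES_ADDED = r"""
C:\WINDOWS\system32\YUR4.exe   25KB   A   9/19/2008 3:06:30 AM
C:\WINDOWS\system32\hgGvwxxv.dll   328KB   A   9/21/2008 11:59:59 PM
C:\WINDOWS\system32\ujafhfoc.dll   104KB      9/22/2008 12:00:43 AM
"""
AVG_CSV = r"""
"","","Adware.Generic Family","System registry HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\","9/21/2008 2:08:18 AM","{c95fe080-8f5d-11d2-a20b-00aa003c157a}","N/A"
"","","Trojan horse BackDoor.Generic10.IPT","C:\WINDOWS\system32\YUR4.exe","9/22/2008 11:16:51 AM","YUR4.exe","23.5 KB"
"""
MBAM_LOG = r"""
C:\WINDOWS\system32\hgGvwxxv.dll (Trojan.Vundo.H) -> Delete on reboot.
"""
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")  # file objects only; AVG's export also lists registry keys
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")

def parse_added(text):
    # "Files added" listing: path, size, optional attrs, timestamp, separated by 2+ spaces.
    # Windows paths are case-insensitive (the post mixes "temp" and "Temp"), so keys are lower-cased.
    added = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if parts and DRIVE_PATH.match(parts[0]):
            added[parts[0].lower()] = parts[1]
    return added

def parse_avg(text):
    # AVG removal export: 7-column CSV, detection name in column 3, object path in column 4.
    hits = {}
    for row in csv.reader(text.strip().splitlines()):
        if len(row) >= 4 and DRIVE_PATH.match(row[3]):
            hits[row[3].lower()] = row[2]
    return hits

def parse_mbam(text):
    # MBAM log lines: "<path> (<detection>) -> <action>."
    hits = {}
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            hits[m["path"].lower()] = (m["name"], m["action"])
    return hits

def coverage(added, *scanners):
    # Map each dropped file to the set of scanner names, given as (name, hits) pairs, that reported it.
    return {p: {name for name, hits in scanners if p in hits} for p in added}

def missed_by_all(added, *scanners):
    return sorted(p for p, tools in coverage(added, *scanners).items() if not tools)
```

Feeding the full lists from the post through `missed_by_all` gives the files that still need manual attention after both scanners have run; a "Delete on reboot" action in the MBAM output means the file was still present when the log was written.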
