BleepingComputer.com: Attack from Tracur.Y and two other viruses


Attack from Tracur.Y and two other viruses tracur.Y

#16 agentrx

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 25-July 11

Posted 26 July 2011 - 01:53 PM

The Stinger scanner worked fine. I installed avast! and updated it. I am currently running a full system scan with Avast! and will let you know if anything shows up.


Ran Stinger as a .bat and enabled full scan and fix to scan. This is all that came up after the scan.

Scan initiated on Tue Jul 26 12:17:00 2011
Number of clean files: 29


------
I also ran Stinger full scan now without fix to scan enabled.

Scan initiated on Tue Jul 26 12:20:40 2011
Number of clean files: 231808

This post has been edited by agentrx: 26 July 2011 - 01:56 PM


#17 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,517
  • Joined: 09-July 05
  • Gender:Male
  • Location:Virginia, USA

Posted 26 July 2011 - 01:56 PM

Quote

I installed avast! and updated it, should I run a scan?
Yes.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#18 agentrx

Posted 26 July 2011 - 05:20 PM

I ran avast! full scan, here are the scan results:


Posted Image


My options were: Repair, Move to chest, Delete, Do Nothing.

I chose Move to chest and it prompted me to do a reboot scan. After the reboot scan, I did a quick scan and found nothing on my computer. Am I still infected?

This post has been edited by agentrx: 27 July 2011 - 02:11 AM


#19 quietman7

Posted 27 July 2011 - 06:36 AM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after 'RP' represents a sequential number automatically assigned by the operating system. The ***** after 'A00' also represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:
System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. If your anti-virus or anti-malware tool is able to move (quarantine) the file(s), let it do so. When an anti-virus or security program quarantines a file and moves it into a virus vault (chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through security routines which may copy, rename, encrypt and password protect the file before moving. Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer. When the quarantined file is known to be malicious, you can delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete.

In order to ensure all such files are removed, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links:

The files with an error in regard to the path appear to be related to avast definition files and not a cause of concern.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
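
A small triage helper for the distinction drawn in the post above, added here as an example (it is not from the thread or from any scanner vendor): it separates detections that sit in System Restore backups from detections elsewhere on disk. The paths, GUID and threat labels are constructed sample data, and the regular expression is an assumption based on the _restore{GUID}\RP***\A00***** naming described above.

```python
import re

# Assumed layout, taken from the naming described in the post:
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
SVI_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\"
    r"_restore\{[0-9A-Fa-f-]{36}\}\\"
    r"RP(?P<rp>\d+)\\A(?P<seq>\d+)\.(?P<ext>[^\\.]+)$",
    re.IGNORECASE,
)

def classify(path):
    """Return (restore_point_number, extension) for a System Restore
    backup copy, or None for any other path."""
    m = SVI_RE.match(path.strip())
    if not m:
        return None
    return int(m.group("rp")), m.group("ext").lower()

def triage(detections):
    """Group scanner detections (path, label) into restore-point copies,
    keyed by RP number, and detections anywhere else on disk."""
    report = {"restore_points": {}, "live": []}
    for path, label in detections:
        hit = classify(path)
        if hit is None:
            report["live"].append((path, label))
        else:
            rp, ext = hit
            report["restore_points"].setdefault(rp, []).append((path, label, ext))
    # True only when every detection is a backup copy inside a restore point,
    # i.e. the original was elsewhere at some point and has probably been removed.
    report["only_restore_copies"] = (
        bool(report["restore_points"]) and not report["live"]
    )
    return report

# Constructed sample detections (not taken from the poster's scan).
GUID = "{1A2B3C4D-0000-4000-8000-123456789ABC}"
SAMPLE = [
    (rf"C:\System Volume Information\_restore{GUID}\RP12\A0004321.exe", "sample-threat-A"),
    (rf"C:\System Volume Information\_restore{GUID}\RP15\A0005177.dll", "sample-threat-B"),
    (r"C:\WINDOWS\system32\example.dll", "sample-threat-B"),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("restore points holding detections:", sorted(result["restore_points"]))
    print("detections outside System Restore:", len(result["live"]))
    print("only restore-point copies:", result["only_restore_copies"])
```

Restore points listed in the output are the ones that Disk Cleanup would need to remove after a new clean restore point is created; any detection outside System Restore means the machine still needs disinfection first.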

#20 agentrx

Posted 27 July 2011 - 12:55 PM

For good measure, I started up Avast! one more time and during the scan, it found 5 viruses. It did not complete all the way because my computer blue screened. Windows starts up now with a pop up for sending the error to Microsoft about the problem. The error signature:

BCCode: 1000008e BCP1: C0000005 BCP2: B66FA949 BCP3: B3E12600 BCP4: 00000000 OSVer: 5_1_2600 SP: 3_0 Product: 768_1

Each time I attempt to Send Error Report or if I click Don't Send, the computer goes into blue screen and I have to manually restart the computer.

This post has been edited by agentrx: 27 July 2011 - 12:56 PM


#21 quietman7

Posted 27 July 2011 - 01:57 PM

Crashes (BSOD), unexpected shutdowns, sudden freezing, random restarting, and booting problems could be symptomatic of a variety of things to include hardware/software issues, overheating caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, etc.

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.

-- Using two security scanning engines at the same time can cause each to interfere with the other, cause system hangs, false detections, unreliable results and other unpredictable behavior.

-- If the screensaver, hibernation or Sleep Mode are not turned off before scanning, those features can sometimes have odd effects when attempting to resume normal mode.


Further, it is not unusual for an anti-virus or anti-malware scanner to be suspicious of compressed, archived, .cab, .rar, .jar, .iso, and packed files because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files or just ignore (skip) them. Certain files in the System Volume Information Folder like the Tracking.log (created by the Distributed Link Tracking Service to store maintenance information) have also been reported as a source causing some scanners to hang.

To speed up your scans, uninstall unnecessary programs, clean out the temporary files, temporarily disable any other real-time protection tools, close all open programs and do not use the computer during the scan. If the scan still seems slow or hangs, then try performing the scan in "safe mode".
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#22 agentrx

Posted 27 July 2011 - 06:37 PM

A few malware items were found when I did a safe mode scan with Avast!. It seemed to work. I did a full scan when I booted up normally and Avast! picked up nothing. Everything seems to be working alright at the moment. I'll await your conclusions and wait to create a system restore point.

#23 quietman7

Posted 27 July 2011 - 07:36 PM

If everything seems ok, then go ahead and create a new Restore Point so it will be there if needed.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#24 agentrx

Posted 27 July 2011 - 10:16 PM

I am a bit hesitant to do a system restore. I've noticed that my browsers (both Firefox and Chrome) have been redirecting me to different links.

This post has been edited by agentrx: 27 July 2011 - 10:19 PM


#25 quietman7

Posted 28 July 2011 - 06:43 AM

I did not ask you to do a System Restore. I said to create a new Restore Point which can be used to restore your system to that point. However, I only advised you to do that if there are no further signs/symptoms of infection to which you said:

Quote

Everything seems to be working alright at the moment.

If you are still experiencing redirects, then everything is not alright and your machine is most likely still infected.

Since none of the tools you have used thus far have been successful, further investigation is required as disinfection will probably require the use of more powerful tools than we recommend in this forum. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#26 agentrx

Posted 28 July 2011 - 07:02 PM

Sorry, I meant to type Restore Point for a future System Restore. I have made a new thread here: My link

Thank you for helping and being patient with me quietman7.

#27 quietman7

Posted 28 July 2011 - 08:49 PM

You're welcome.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
