
Infected By Jpg.scr


9 replies to this topic

#1 radioactivelaxative

radioactivelaxative

  • Members
  • 10 posts

Posted 16 October 2007 - 11:34 PM

Hello,

It all happened last night. My brother was MSNing; a friend of his says "hey check out this site (somerandomchinesesite)". He opens the link, he is prompted to download a screensaver called "jpg.scr" (I mean, isn't that suspicious already?), and downloads it.
Double-clicks it (without scanning it online first) and an error message pops up...
Then it hits him... he just got infected.
So he hurries up and deletes the file he clicked, thinking it's all good.

So I take a look, and yep, something's immediately different about the comp. I can't download any files through "Free Download Manager" and it lags like hell, ESPECIALLY when I open Notepad. I dutifully check the Task Manager at the Processes tab... and I see some random process called 62D4F8F5DDAC.EXE running, sometimes disappearing, sometimes 'teleporting' to the top of the process list. So on my other comp, I copied the few tasks that kept on appearing and disappearing:

62D4F8F5DDAC.EXE
WUAUCLT.EXE
VERCLSID.EXE

The bottom two are meant to be harmless, methinks....
so I end process them;
one minute later I check, and 62d4 is back up there again.

So I do a computer search, searching for 62D4F8F5D... and jpg.scr.
They both pop up in the C:\WINDOWS\Prefetch folder...
then I deleted them...
but the 62d4 process kept popping up, so I realised I was just deleting a prefetch file (doh) and not the actual problem itself.

So like any concerned person I googled
62D4F8F5DDAC.EXE
Only 3 sites popped up, all 3 in Chinese. I used the Google translator and got nothing out of it, except that another guy had the problem and some dude replied he should try some program (which is, appropriately, Chinese and shareware).

So next I found two files in the C:\WINDOWS\Debug folder (but I can't remember how):

62D4F8F5DDAC.EXE
62D4F8F5DDAC.dll

So happily I opened the Debug folder, BUT I couldn't see them. (Yes, I turned "show hidden files" on in the folder options.)
To double check, I right-clicked the Debug folder and checked its properties... yep, there were an extra 2 files there I couldn't see...

So I tried to delete it through Start > Run > cmd > cd %windir% > del debug/62d4....etc
It said no such files detected.

So then I go to the pandasoftware.com site to scan my comp,
so it downloads ActiveX and some stuff into an 'ActiveScan' folder
and my AMON goes "C:\WINDOWS\system32\ActiveScan\port32.dll - probably unknown WIN32 virus",
so I was like wtf... so I stopped the scan.

Used a NOD32 scan... (deep heuristic)... nothing popped up except that "C:\WINDOWS\system32\ActiveScan\port32.dll - probably unknown WIN32 virus", and when it got to the Debug folder it goes:
"C:\WINDOWS\Debug\62D4F8F5DDAC.dll - is OK
C:\WINDOWS\Debug\62D4F8F5DDAC.exe - is OK"

I'm not sure, but I think it's this site: "Photos of my cute doggy hxxp://www.blogo.tw tell me if they look good" (original message was in Chinese). I found it digging through my bro's old convo history. (shhhh.....) So yeah.. if you're brave... check it out for me ;).


I would love any help and suggestions on how to get rid of this.
Thanks.


BTW I'm running Windows XP SP2 with AMON (not updated) and on dial-up,
(so if you suggest any programs to download, preferably not bigger than 10 megs, mainly because I have to use the browser to download it since FreeDownloadManager is stuffing up and not allowing me to download anything (hence I can't pause and resume a download)).
Also Google Updater is stuffing up, not allowing me to download Spyware Doctor (inside the Google Pack).

Mod Edit: Link disabled to preclude possible infection. ~TMacK

Edited by TMacK, 16 October 2007 - 11:47 PM.



#2 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 17 October 2007 - 07:32 AM

Hi radioactivelaxative

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.


Please download, install and update AVG Anti-Spyware 7.5. DO NOT perform a scan yet.

Print out the AVG Install and Scan Instructions.

Please download ATF Cleaner by Atribune. DO NOT use it yet.

Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now scan with AVG per the "Safe Mode" instructions you printed out.
IMPORTANT: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.

Reboot back to normal mode.

If you are still having problems.. Come back and we'll advise you further.



Stelios :thumbsup:

#3 radioactivelaxative

radioactivelaxative
  • Topic Starter

  • Members
  • 10 posts

Posted 18 October 2007 - 03:44 AM

I followed the instructions and :thumbsup: it found some trojans!

However, 62D4F8F5DDAC.EXE is still in my system.... so what do I do from here?

[]-----------------------------------------------------------------------------------------------------------------------------------------[]
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:25:31 PM 18/10/2007

+ Scan result:



HKLM\SYSTEM\CurrentControlSet\Services\VGADown -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\VGADown\Enum -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\VGADown\Security -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\MIS\Desktop\Downloads\games\DOS\street.zip/street.exe -> Backdoor.JustFun : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-507921405-1708537768-1202660629-500\Dc1\Cookies\iam@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\WINDOWS\system32\od3mdi.dll -> Trojan.Maran.kt : Cleaned with backup (quarantined).
[488] C:\WINDOWS\system32\od3mdi.dll -> Trojan.Maran.kt : Cleaned with backup (quarantined).


::Report end
[]-----------------------------------------------------------------------------------------------------------------------------------------[]
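As an added example (not code from the thread, from AVG or from BleepingComputer): a small Python parser for the scan report format posted above. It separates registry entries from files, notes detections inside an archive, flags the bracketed-number lines (assumed here to be the process ID in which the DLL was loaded) and pulls out the findings that drive the "clean or reinstall" decision. The report text is a constructed sample in the same shape as the one posted.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the AVG Anti-Spyware report posted above.
SAMPLE_REPORT = """\
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:25:31 PM 18/10/2007

+ Scan result:

HKLM\\SYSTEM\\CurrentControlSet\\Services\\VGADown -> Adware.Generic : Cleaned with backup (quarantined).
C:\\Documents and Settings\\MIS\\Desktop\\Downloads\\games\\DOS\\street.zip/street.exe -> Backdoor.JustFun : Cleaned with backup (quarantined).
C:\\RECYCLER\\S-1-5-21-507921405-1708537768-1202660629-500\\Dc1\\Cookies\\iam@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\\WINDOWS\\system32\\od3mdi.dll -> Trojan.Maran.kt : Cleaned with backup (quarantined).
[488] C:\\WINDOWS\\system32\\od3mdi.dll -> Trojan.Maran.kt : Cleaned with backup (quarantined).

::Report end
"""

# One finding per line: optional "[pid] " prefix, the object, " -> ", detection name, " : ", action.
FINDING_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<obj>.+?)\s+->\s+(?P<name>\S+)\s+:\s+(?P<action>.+?)\.?$"
)

def parse_report(text: str) -> List[Dict[str, object]]:
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue  # header, timestamp, separators and blank lines carry no finding
        obj = m.group("obj")
        findings.append({
            # Assumption: the bracketed number is the PID the module was found loaded in.
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "object": obj,
            "kind": "registry" if obj.upper().startswith(("HKLM\\", "HKCU\\", "HKCR\\")) else "file",
            "in_archive": "/" in obj,                  # e.g. street.zip/street.exe
            "family": m.group("name").split(".")[0],   # Backdoor, Trojan, Adware, TrackingCookie
            "name": m.group("name"),
            "quarantined": "quarantined" in m.group("action"),
        })
    return findings

def triage(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Findings that matter for the reinstall decision: any backdoor, and trojans seen in a live process."""
    return [f for f in findings
            if f["family"] == "Backdoor" or (f["family"] == "Trojan" and f["pid"] is not None)]
```

A tracking cookie that was merely "Cleaned" is noise; a backdoor, even one found in an old archive, is what makes the helper below advise a rebuild.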

#4 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 18 October 2007 - 04:57 AM

Hi radioactivelaxative

I am sorry to be the bearer of bad news, but unfortunately you are infected with a dangerous malware, Backdoor.JustFun, with backdoor capabilities giving intruders complete control of your computer. I would counsel you to disconnect this PC from the Internet and the network (if you're networked) immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to alert them to your situation.

Though the Trojans have been identified and can be killed, because of their backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

What is a backdoor or remote access trojan? Read this article. Danger: Remote Access Trojans

http://www.microsoft.com/technet/security/...o/virusrat.mspx

When should I re-format? How should I reinstall?

http://www.dslreports.com/faq/10063

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451



Should you have any questions, please feel free to ask.


Stelios

#5 radioactivelaxative

radioactivelaxative
  • Topic Starter

  • Members
  • 10 posts

Posted 18 October 2007 - 11:58 PM

:S ... this sucks. Oh well, I guess it'll give me an opportunity to burn all my important files and stuff for safe storage.

Oh, I managed to delete 62D4F8F5DDAC.dll in the C:\WINDOWS\Debug folder through safe mode, but

i) I still can't see 62D4F8F5DDAC.exe even though I know it's there. But it no longer pops up when I open any application :thumbsup:.

ii) I've got a text file in the same Debug folder which is named "PASSWD.log". It's 0 KB, but when I try to delete it in safe mode, it says:
"Error Deleting File or Folder"
"Cannot delete PASSWRD: It is being used by another person or program. Close any programs that might be using the file and try again." :S


Thanks for all your help, but is there any chance I can save my comp?

Edited by radioactivelaxative, 19 October 2007 - 06:52 AM.


#6 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 21 October 2007 - 03:35 AM

Hi radioactivelaxative

If the comp was mine I wouldn't trust it!! If you trust it, I can try to clean it.


Stelios :thumbsup:

#7 radioactivelaxative

radioactivelaxative
  • Topic Starter

  • Members
  • 10 posts

Posted 22 October 2007 - 12:11 AM

That would be great DASOS...
I understand that my OS's security is compromised, but it seems the file that has the backdoor was a file I had for over 4 months (!) and fortunately nothing had happened to the financial account that was used in that time.
Since then I've changed all the passwords, details, etc., stopped paying for anything online, and monitor and scan my computer frequently, so I understand the risk involved in continuing to use this computer, but I do not have the time or resources to reinstall the OS for at least 2 months; so I'd be very thankful to you if my computer can just be as safe as it possibly can be for the next couple of inconvenient weeks.
Thanks, your help is appreciated. :thumbsup:

#8 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 22 October 2007 - 10:27 AM

Hi

I suggest you post a HijackThis log for examination.


Please read, and follow, all directions carefully!!!

Read Preparation Guide for use before posting a HijackThis Log.

Then run a log and post it in the HijackThis forum, at this link. Do not fix anything yet.
A member of the HJT Team will help you out. It may take a while to get a response, because the HJT Team are very busy. Please be patient, as these people are volunteers. They will help you out as soon as possible.

NOTE:
Once you have made the post, please DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team.
The first thing they look for, when looking for logs to reply to, is 0 replies.
If you make another post, there will be 1 reply.

The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So just make your post and let it sit there until a team member responds. This way you will be taken care of in the most timely manner.



Stelios

#9 radioactivelaxative

radioactivelaxative
  • Topic Starter

  • Members
  • 10 posts

Posted 23 October 2007 - 12:12 AM

Okay, thanks DASOS, I'll get it done next week; that's quite a lot of downloading and scanning for a dial-up connection.

Right now I've just recently installed KeyScrambler Personal, at (https://addons.mozilla.org/en-US/firefox/addon/3383)
which is a Firefox (and it gives an option for IE) addon that encrypts my keystrokes at the kernel driver level to protect my login information from keyloggers, just in case there are any hiding, so I'm relatively safe for now.

Thanks for all your help dasos,


I'll update this thread once the HJT Team deals with my issue :thumbsup:

#10 tanyanz

tanyanz

  • Members
  • 1 posts

Posted 20 May 2014 - 07:02 PM

Hi everyone,

I have opened the same file on my iPhone just then :( Does it infect Mac OS too? And if yes, what do I do? :(

Thanks,

Tanya