
Cryptexe, Win32.wor.autorun, Win32/bifrose.au


5 replies to this topic

#1 thegoldenvision
  • Members
  • 3 posts

Posted 01 May 2008 - 08:58 AM

Hi, I'll try to be clear and concise, but I'm not an expert with computers and I may over-explain things, or not mention other obvious things.

A few days ago I plugged my pendrive into the computer at work and was told by AVG (which they have running there) that the pen contained a 'general trojan', which AVG gave me the option to eliminate, and I did.

This obviously made me wonder if I had a problem with my own computer. I did a bit of googling about pendrives and trojans and discovered one tell-tale sign is being unable to remove the pen safely through Windows, as a program is still writing to it. Anyway, I messed around plugging and unplugging my pen and found that yes, I did have problems safely disconnecting. Also, when I tried to open it (double click) through My Computer, rather than opening the removable disk drive I got a 'choose what program you want to use to open this file' box. Right click and 'open' would open the pen no problem. Took the pen back to work and got the same message from AVG, eliminated the trojan again!

Now, I have Norton Internet Security (CONFESSION: subscription expired approx. 4 months ago, haven't renewed). I ran a full scan - came back with nothing. I also have Spybot and Ad-Aware installed and I updated them and ran full scans.

Ad-Aware detected Win32.worm.autorun in C:\System Volume Information with a very long filename which began _restore and finished A0049223.exe - Ad-Aware removed this for me.

Spybot detected win32.bifrose.au, which it also fixed for me.

NB Spybot each time I run a scan gives two errors during the scan: "there were problems in the include file C:\Program Files\Spybot-search destroy\includes\trojans.sbi, see error log for details" and also later in its scan pops up the same message but in relation to Includes\TrojansC.sbi.

Also I did notice that this bifrose thing actually reappeared two days later when I scanned again, again with Spybot, but I 'fixed' it again, and it has been quite a few days since now and I've done several scans and it hasn't reappeared again.

And IN THE MEANTIME I have also downloaded AVG myself (as this was the program that detected the problem with the pen at work) and have been scanning with that.

AVG turned up various things (40 files!!), all of which it sent to the Vault:

fsgmt.dll (Win32/CryptExe.a)
fsgmt.dll.tmp (win\system32\secpol.exe.tmp)
NewServer[1].dll
NewServer[2].dll
c6jmqkdv.exe in Docs and Settings\Local Settings\Temp
and a really long list of other files, all with long similar names and all in C:\System Volume Information\_restore etc etc

I've since realised that the Vault, I think, is to keep files for a few days to see if your system runs OK without them before you eliminate them, but I didn't know this and immediately deleted them all. Oops. It has now been 24 hours and my computer is working OK so far though.

I scanned immediately again with AVG; it turned up nothing.

This morning I scanned again with AVG and it turned up 1 threat in C:\System Volume Information\_restore etc etc, also described as CryptExe.
This one file is currently sitting in the Vault.

So my question basically is: what should I do?

By the way, my computer is running normally, not noticeably slower, no pop-ups or anything. The only thing I would mention (no idea if it is connected) is on start-up sometimes it takes a few seconds for the icons to appear on the desktop (but my desktop is currently very full of icons, maybe this is the reason).

Oh, and one final thing: on shutdown (after shutdown, JUST before the computer turns itself off) recently I've sometimes had messages which are too long and disappear too quickly to note down, but are about "memory could not be 'read'". But this goes back to before I was aware of the problem with my pen, and to be honest the last few days I haven't had one of those messages.

Oh, and since the second removal of the trojan from my pen drive I've had the pen in and out of my computer several times and there's now no longer a problem with safely disconnecting it or opening it by double clicking in My Computer.

Phew, I didn't manage to keep it short, I hope someone can make sense of this.

Thanks so much for your time if you do.
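The pen-drive symptoms described in the post above (double-clicking the drive in My Computer brings up a 'choose a program' prompt while right-click Open still works, and the drive cannot be ejected safely) are the classic signs of an autorun.inf dropped by a USB worm; the 'open with' prompt in particular is what you get once an AV has removed the worm's executable but left the autorun.inf pointing at it. The script below is an added example, not part of the thread or of any tool named in it. It parses an autorun.inf the way Windows XP honoured it for removable media and reports the entries that turn opening the drive into a program launch. The two inf texts it carries are constructed samples; the SID and file names in them are invented.

```python
import os
import re
from dataclasses import dataclass, field

# [autorun] keys that name a program for Explorer/AutoPlay to run.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... backs a context-menu verb; shell=<verb> makes
# that verb the drive's double-click action.
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


@dataclass
class AutorunFindings:
    launch: dict = field(default_factory=dict)   # key -> command line
    default_verb: str = ""                        # value of shell=
    reasons: list = field(default_factory=list)  # red flags, human-readable

    @property
    def suspicious(self):
        return bool(self.reasons)


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lower-cased.
    Hand-rolled: worm-written infs carry repeated keys, stray bytes and
    comments that configparser rejects. First occurrence of a key wins."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def command_target(command):
    """Program part of a command line: first token, quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def analyse_autorun(text, drive_root=None):
    """Flag entries that turn opening the drive into a program launch.
    drive_root, when given, is used to check the launched file exists."""
    entries = parse_autorun(text)
    f = AutorunFindings()
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            f.launch[key] = value
        elif key == "shell":
            f.default_verb = value.lower()
    if f.launch:
        f.reasons.append("launches a program: " + ", ".join(sorted(f.launch)))
    if f.default_verb and f"shell\\{f.default_verb}\\command" in f.launch:
        f.reasons.append(f"double-click redirected to verb '{f.default_verb}'")
    if f.launch and "action" in entries:
        # action= only labels the AutoPlay entry, so paired with open= it
        # lets the launch pose as "Open folder to view files".
        f.reasons.append(f"AutoPlay entry disguised as '{entries['action']}'")
    for key, cmd in f.launch.items():
        target = command_target(cmd)
        if target.lower().startswith(("recycler\\", "recycled\\")):
            f.reasons.append(f"{key} runs from the Recycle Bin folder: {target}")
        if drive_root and not os.path.exists(os.path.join(drive_root, target)):
            # Post-cleanup symptom: AV removed the payload but left the inf.
            f.reasons.append(f"{key} points at a missing file: {target}")
    return f


def scan_drive(drive_root):
    """Analyse <drive_root>\\autorun.inf; None when the drive has none."""
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    with open(inf, encoding="latin-1", errors="replace") as fh:
        return analyse_autorun(fh.read(), drive_root)


# Constructed sample in the shape of a USB worm's autorun.inf (SID and
# file name invented).
WORM_INF = """[autorun]
open=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\sample.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\Command=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\sample.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\sample.exe
shell=open
"""

# Constructed sample of a harmless vendor inf (icon and label only).
BENIGN_INF = """[autorun]
icon=vendor.ico
label=Backup Stick
"""
```

Calling `scan_drive("E:\\")` on a real stick reads its autorun.inf and, because the drive root is supplied, also reports launch targets that no longer exist; `analyse_autorun(WORM_INF)` on the constructed sample is flagged for the launch keys, the redirected double-click verb, the disguised AutoPlay label and the RECYCLER location, while the vendor sample comes back clean. An inf that only sets `icon` and `label` is exactly what a legitimate stick ships with, so the check keys on launch entries rather than on the mere presence of the file.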

#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,430 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 May 2008 - 02:05 PM

Hello, although I prefer to do this last, I think the infection is living in System Restore. So let's clean them and then scan again with AVG and then Malwarebytes.
Also, you are correct about the Vault.
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
NEXT Scan:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
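The point of the restore-point step above is that System Restore keeps its own copies of changed or deleted files under System Volume Information (the _restore\...\A0049223.exe path Ad-Aware reported in the first post is one such copy), and that purging the older restore points is what actually gets rid of them. The script below is an added example, not from the thread or from any of the tools it names. It walks the Windows XP layout of that folder, lists the archived executables in each restore point, and works out which points the Disk Cleanup step would remove (everything but the newest). The directory tree it builds for the demo is constructed and the GUID in it is invented; running it against a real C:\System Volume Information needs SYSTEM or administrator rights, since that folder is ACL'd to SYSTEM.

```python
import os
import re
from collections import defaultdict

# Windows XP layout, assumed here:
#   <svi>\_restore{GUID}\RP<n>\A<7 digits>.<original extension>
RESTORE_DIR_RE = re.compile(r"^_restore\{[0-9a-f-]{36}\}$", re.IGNORECASE)
RP_RE = re.compile(r"^RP(\d+)$", re.IGNORECASE)
# Archived copies with an executable extension: what the scanners flag.
ARCHIVED_RE = re.compile(r"^A\d{7}\.(exe|dll|scr|com|pif|bat|cmd|vbs)$",
                         re.IGNORECASE)


def restore_points(svi_root):
    """{rp_number: path} for every RP<n> folder under svi_root."""
    points = {}
    if not os.path.isdir(svi_root):
        return points
    for d in os.listdir(svi_root):
        base = os.path.join(svi_root, d)
        if not (RESTORE_DIR_RE.match(d) and os.path.isdir(base)):
            continue
        for rp in os.listdir(base):
            m = RP_RE.match(rp)
            if m and os.path.isdir(os.path.join(base, rp)):
                points[int(m.group(1))] = os.path.join(base, rp)
    return points


def archived_executables(svi_root):
    """{rp_number: [file names]} of executable-type archives per point."""
    found = defaultdict(list)
    for n, path in restore_points(svi_root).items():
        for name in sorted(os.listdir(path)):
            if ARCHIVED_RE.match(name):
                found[n].append(name)
    return dict(found)


def purge_plan(svi_root):
    """(keep, remove): newest RP number and the older ones, i.e. what
    Disk Cleanup > More Options > System Restore > Clean up deletes."""
    nums = sorted(restore_points(svi_root))
    if not nums:
        return None, []
    return nums[-1], nums[:-1]


def build_sample_tree(root):
    """Constructed demo layout (GUID invented); returns the SVI path."""
    svi = os.path.join(root, "System Volume Information")
    base = os.path.join(svi, "_restore{12345678-1234-1234-1234-123456789abc}")
    layout = {
        "RP10": ["A0049223.exe", "A0049224.dll", "change.log", "rp.log"],
        "RP11": ["A0049301.ini", "rp.log"],
        "RP12": ["A0049355.exe", "rp.log"],
    }
    for rp, files in layout.items():
        os.makedirs(os.path.join(base, rp), exist_ok=True)
        for name in files:
            open(os.path.join(base, rp, name), "wb").close()
    return svi


if __name__ == "__main__":
    import sys
    import tempfile
    # Real use: python restore_points.py "C:\System Volume Information"
    # (needs SYSTEM/administrator rights; the folder is ACL'd to SYSTEM).
    svi = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for n, names in sorted(archived_executables(svi).items()):
        print(f"RP{n}: {', '.join(names)}")
    keep, remove = purge_plan(svi)
    print(f"keep RP{keep}; Disk Cleanup would remove: {remove}")
```

On the constructed tree the two older points (RP10 and RP12 hold the archived .exe/.dll copies) are what Disk Cleanup would purge once a fresh RP exists; that is why the post says to create the new point first and only then clean up, otherwise the newest point kept is still one that contains the worm. Vista and later keep restore points as VSS shadow copies rather than in this folder layout, so the walk above is specific to XP.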

#3 thegoldenvision
  • Topic Starter
  • Members
  • 3 posts

Posted 02 May 2008 - 04:32 PM

Thank you so much for your prompt response to my question.

I followed your instructions (before doing so I had AVG delete from the Vault that one final file that had shown as infected on the last scan, with the path C:\System Volume Information\_restore etc etc, although if I understood your explanation of Restore being 'protected', I guess the file wasn't really deleted).

  • I set a new system restore point.

  • I used Disk Cleanup to remove old restore points.

    I have one question about this. Maybe (almost certainly) I haven't understood correctly, but this System Restore Point thing sounds to me like it serves a similar function to another program I have which came with the laptop from Acer which creates 'backups'. Is this the same idea? (System restore point and backup point sound very similar concepts to me.) If so, be advised that I have a backup saved in this program (Acer eRecovery Management); do I need to delete this backup like I did with the restore points?

  • I downloaded MBAM (I've now got so many different scanning programs installed, I'm sure you are going to tell me I should only have one installed?).

  • Scanned with MBAM; here is the log/report:

Malwarebytes' Anti-Malware 1.11
Database version: 709

Scan type: Quick Scan
Objects scanned: 43491
Time elapsed: 27 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



  • I'm also going to scan again with AVG as you suggested at the start of your reply, will post the log when it's complete.

EDIT: AVG scan complete, it didn't show anything:

</rec>
- <rec time="2008/05/02 23:21:21" user="Matt" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
- <rec time="2008/05/03 00:45:09" user="Matt" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
</history>

Is this likely to mean whatever problem I had is gone, or is it too early to say? I'll keep scanning anyway and if anything reappears I'll post it here.

Please let me know what you think. Thank you so much for your time once again.

Edited by thegoldenvision, 02 May 2008 - 05:57 PM.


#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,430 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 May 2008 - 06:38 PM

You are looking good. Here is one more good scanning tool. After you install and update, reboot into Safe Mode, then scan.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 thegoldenvision
  • Topic Starter
  • Members
  • 3 posts

Posted 04 May 2008 - 01:09 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/03/2008 at 07:16 PM

Application Version : 4.0.1154

Core Rules Database Version : 3452
Trace Rules Database Version: 1444

Scan type : Quick Scan
Total Scan Time : 00:58:25

Memory items scanned : 175
Memory threats detected : 0
Registry items scanned : 489
Registry threats detected : 0
File items scanned : 23581
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Matt\Cookies\matt@doubleclick[1].txt

#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,430 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 May 2008 - 03:54 PM

Hello, things look clean now. As for the Acer app, I think it's similar to System Restore, not certain as I do not have it. But I would say if you have the ability to dump it and make a new backup there, I would, as it may have backed up the malware.



