No Disk?


10 replies to this topic

#1 ill_Nino


Posted 27 May 2008 - 03:26 AM

Today, after coming home from college, I had brought back a friend's USB that I borrowed to install ArchiCAD software that was downloaded from the college computers.

When I got home, I opened the USB without scanning it using my Norton Internet Security. However, when I was installing ArchiCAD onto my computer, I noticed a bit of lag, and even My Documents folder was lagging to open. I then quickly scanned his USB to find that he had:

Files & Directories
f:\esb journal\phim nguoi lon.exe
F:\Secret.exe



My Internet Security took care of it, and it was "Fully Removed", then giving my computer a Full System scan, it came up clean.

But ever since I got back today, I have been getting this message and it won't go away even after a couple of clicks of Cancel, only after about 5-10.

I have included a copy of the message

Posted Image


Any help would be greatly appreciated.

Thanks

~ Nino


 


#2 usasma


Posted 27 May 2008 - 06:42 AM

From this thread ( http://forums.mcafeehelp.com/showthread.php?t=219224 ) it appears that one thing this virus can do is delete all the files on your hard drive. I'd suspect that the error message is related to that.

From my travels around Google it seems that the most common reasons for this are:
1) Drive letter assignment
2) QuickTime
3) iTunes

This link has some good suggestions to try: http://forums.techguy.org/business-applica...processing.html
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 ill_Nino


Posted 28 May 2008 - 05:13 AM

Well, I removed all my admin powers, and now I got two events, both of them I suspect of being related to the virus. Is it possible to remove these .dll files? Because I can't manually do it.

Posted Image

Posted Image

I have noticed, now that only my account is affected, the others, not as bad, they only get the pop up. I am now getting website pop ups, I have included the link as reference, but use with extreme caution.

USE WITH EXTREME CAUTION

DELETED LINK....

Edited by usasma, 28 May 2008 - 07:10 PM.
Deleted link


#4 usasma


Posted 28 May 2008 - 07:19 PM

Yep, it looks to me as if they are viruses attempting to launch (and since you removed the Administrator permissions they aren't able to launch because of the Access denied message). That does not mean that all the viruses are stopped - only those 2.

I removed the link because it's "panicware" - it attempts to get you to purchase their product by preying on your fear of an infection (my wife got hit by XPAntiSpyware yesterday - a similar ploy)

I'm going to move this topic over to the Am I Infected forum where the malware experts hang out.

#5 ill_Nino


Posted 28 May 2008 - 07:22 PM

Well, I have completely reformatted my PC, including deleting and creating new partitions on my PC, and reinstalling my XP OS.

So far, so good. But what should I look out for?

#6 syunichi


Posted 28 May 2008 - 07:28 PM

Wow... this is very new to me. But in my case earlier I would try to unregister the .dll to prevent it from loading or even registered to my system simply by using regsvr32 /u "dll path". But if everything is OK now, you should be more careful on whatever access of external devices such as pendrives can do to your PC. Get a very good AV and run it in real time. It will intercept any weird interruption before you can get your mouse to accidentally click on it :thumbsup: Good luck. Just a thought.
Posted Image

Tech Support: "Do you have any windows open right now?"
Customer: "Are you crazy woman, it's twenty below outside..."

#7 ill_Nino


Posted 28 May 2008 - 10:37 PM

I tried regsvr32 /u, but that thing wouldn't budge. Can a .dll file recover itself after what I did?

Note, I have Norton Internet Security 2008.

#8 syunichi


Posted 28 May 2008 - 10:39 PM

Hmm..so there was something in the registry alright. Might need to use HJT to locate the source. Just a thought :thumbsup:

#9 ill_Nino


Posted 28 May 2008 - 10:51 PM

Yeah? This will say if there is anything bad on the computer right?
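
Added example, not part of any post in this thread: `regsvr32 /u` only asks a DLL to remove its own COM registration, so it has no effect on a registry startup entry that launches the DLL at logon. This read-only PowerShell script lists registry autostart values that reference a DLL; the key list is an assumed common subset, and nothing in it comes from the poster's machine.

```powershell
# Added example: read-only listing of registry autostart values that load a DLL.
# The key list is a common subset chosen for this example (an assumption); the
# thread does not say which key the popups came from.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)
# Winlogon and Windows hold many unrelated values; only these start programs or DLLs.
$loaderValues = 'Shell', 'Userinit', 'AppInit_DLLs'

$findings = foreach ($key in $autostartKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        if ($key -match 'Windows NT' -and $loaderValues -notcontains $name) { continue }
        $data = [string]$item.GetValue($name)
        if (-not $data) { continue }
        # Extract a drive-rooted .dll path; the lookahead stops the match from
        # starting at rundll32.exe's own path and running on into the DLL's path.
        $dll = $null
        if ($data -match '(?i)([a-z]:\\(?:(?![a-z]:\\)[^",])+?\.dll)') { $dll = $Matches[1] }
        [pscustomobject]@{
            Key       = $key
            Value     = $name
            Command   = $data
            Dll       = $dll
            DllExists = if ($dll) { Test-Path -LiteralPath $dll } else { $null }
            ViaRundll = $data -match '(?i)\brundll32(\.exe)?\b'
        }
    }
}

# Entries that load a DLL are the ones to compare with the file named in the popup.
$findings | Where-Object { $_.Dll -or $_.ViaRundll } |
    Format-List Key, Value, Command, Dll, DllExists, ViaRundll
```

An entry whose `DllExists` is `False` points at a file that is already gone, which is the usual reason a startup error dialog keeps appearing after the antivirus has removed the file itself.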

#10 ruby1


Posted 29 May 2008 - 01:14 PM

may I suggest you run these two scans to see if there is anything nasty on the computer?


Superantispyware; guide on how to install and run


If you have not already got a Downloads folder , I suggest you create a new folder in My Documents, and name it Downloads ;

Installing superantispyware

Superantispyware is found here


http://www.superantispyware.com/index.html

Download to the Downloads folder the free exe to superantispyware from here


http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

you install superantispyware by clicking on the icon in the downloads folder ;
it will launch the installation process;
follow the instructions and I suggest you ask for a default installation ;
ensure it creates a desktop icon for you ;
once the program has been installed it should ask you if you wish to update the program ; say YES

if it does not ask you , you need TO fully update the definitions by opening the program and find the ‘check for updates ‘tab in the bottom left of the menus you see; click on it and it will do the update for you ;
I suggest you ask it to check for updates again once the first update is complete just to be sure


please then reboot your computer ; it is preferable to run the scan in your computer's safe mode;

please open this program from the desktop icon
please run the scan while you are OFF line and do not have the computer doing any other work while the scan runs

go to the preferences tab on the right
on the General tab I suggest you disable the scan on start up

on the Hijack protection tab I suggest you tick BOTH items; this enables the program to give you a Hijack home page alert if your home page gets changed ; if you DO get a home page hijack, when you boot up the computer superantispyware will open and tell you the home page has changed and will ask you if this is a legitimate change;

in statistics/logs- go to the bottom and you will see two boxes asking about keeping a log of scanning results and saving empty logs?

Tick both of them

Then go back to the main screen and see the tab that says scan your computer? Do you see that ?

Click on it

A screen will open ;on the left hand side ensure your FIXED drive ( most probably the C drive) is ticked;
Also tick in there any other section that is used and attached .
On the right hand side you see three scanning options?; please click the Complete scan option

OK; you are now set to scan

Please then click on the ‘next’ tab and let the scan run; please run the scan while you are OFF line and do not have the computer doing any other work while the scan runs

From my experience running this program the complete full scan CAN take many hours to run depending on how much is on your computer so be patient and let it run; maybe go for a cuppa or watch a favourite program while this one runs

Once the scan IS complete you will be presented with a box telling you what the scan has found ( if anything); if harmful objects have been found click on the OK button ; on the next screen all the harmful objects should have a check mark beside them, ; click ‘next’


A notification should appear that

‘quarantine and removal is complete’

click ‘ok’
and then the Finish button to get returned to the main menu


If you have run the scan in the computer's safe mode you will need to reboot to the computer's normal mode

If you have run in computer’s normal mode I suggest you reboot to enable the ‘fix’ the program has performed to consolidate

You then need to retrieve the scan result

Open the program and return to the statistics /logs section ; locate the most recent log ; left mouse click on it to highlight it and click the ‘view log’ tab

The log should appear in maybe note pad ; you need to copy and paste that log for examination
Once you have posted the log please close the superantispyware program

.........................................................

then Malwarebytes;
you need to be ON line to start this process and please run the scan in computer’s NORMAL mode

http://www.besttechie.net/tools/mbam-setup.exe


alternate download link 1

http://malwarebytes.gt500.org/mbam-setup.exe


alternate download link 2

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html




suggest; download the exe to your downloads folder so you know where to find it;

create from that folder a shortcut to your desktop

.
Double-click on the to install the application.
The installation is relatively straight forward; just follow the prompts and do not make any changes to default settings.

When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
The Program will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, you may manually download them from
here
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

On the main interface you will see different tabs at the top of the program?

Select each to see what they ask of you and what they each represent;
When you are ready to scan you will be asked to select the drives you wish to scan? The program should recognise ALL your drives ; if it does not I suggest you select all drives

You will be asked to select either a quick scan or a full computer scan my recommendation is to do a full scan so your search does not miss anything

Click the start button and let the scan run; it will show you how it is progressing, what section it is on and the elapsed time. I ran a full trial scan on my relatively empty XP for a ‘sampling’; your scan may take about an hour or so to run;


When the scan is complete a message box will say "The scan completed successfully. Click on 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
On the Main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Ensure everything is checked,

click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log should be saved automatically and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.


Note: please be aware ;

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


let us know how those two scans go and post the two reports for examination

#11 Michael York


Posted 29 May 2008 - 05:32 PM

Well, I have completely reformatted my PC, including deleting and creating new partitions on my PC, and reinstalling my XP OS.

So far, so good. But what should I look out for?



Hi ill_Nino,

This is Mike from the Norton Authorized Support Team, and I can assist you with setting up Norton Internet Security properly so that your computer is protected against future threats.

The fact that you were infected from a USB Flash drive leads to the possibility that a setting to scan that drive upon insertion may not have been checked.

Making sure that LiveUpdate has been running consistently is another important factor in Norton Internet Security's ability to keep you protected. As you may already know, the LiveUpdate feature in Norton Internet Security 2008 is set to "Automatic" by default. As long as your computer is turned On and is connected to the internet, LiveUpdate will check for and install both program and definition updates in the background, multiple times per day, to keep you protected. You will also want to make sure that the Auto-Protect feature is enabled so that you are fully protected.

Please follow the steps below to check your settings in Norton Internet Security 2008.

1. Open Norton Internet Security from the Start menu.

2. Select the "Norton Internet Security" tab at the top of the window.

3. Click on the arrow next to "Settings" to expand its options.

4. Under "Basic Security" click on "Auto-Protect" and then click on "Configure." Make sure there is a check next to "Turn On Auto-Protect," "Load Auto-Protect during system startup," "Turn on Bloodhound heuristics." Click the "Apply" button at the bottom of the window.

5. Next, under the "Real-Time Protection" category on the left side of the window, select "General Settings." Make sure there is a check next to "Turn on Suspicious Activity Monitoring," and also "Scan removable media for boot viruses when inserted." Click the "Apply" button at the bottom of the window.

You may also want to enable the settings under the "Manual Scanning" category for further protection.

Under the "Settings" menu, please also make sure that "LiveUpdate" is set to "Automatic" mode.

I hope that these steps clarify the settings in Norton Internet Security for you. If you have any further questions, please reply back to this thread.

Thank you,
Mike
Michael York
Norton Authorized Support Team
Symantec Corporation
http://service.symantec.com/priority



