
Infected By Mal/encpk-da


22 replies to this topic

#1 BostonBen


Posted 31 May 2008 - 09:12 AM

I hit a site that tried to make a download. I blocked it, but on a scan Webroot found Mal/EncPk-DA. I removed it with Webroot but feel it may still be on my computer? Thanks for any help in advance - Ben

#2 ruby1


Posted 31 May 2008 - 09:30 AM

Can you kindly tell us your Windows version, what protection programs are on board, and when they were all last fully updated and run to try to remove this item?

#3 BostonBen


Posted 31 May 2008 - 09:34 AM

Of course, sorry: XP Media Center SP2, SAS, McAfee, RogueRemover, Webroot, all updated within the last 5 days at worst, most updated daily. SAS and RogueRemover had no hits. Webroot found the file and I quarantined and removed it.

#4 boopme


Posted 31 May 2008 - 09:45 AM

You possibly dodged it. Run this scan please.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#5 DaChew


Posted 31 May 2008 - 09:49 AM

Was there a video codec involved?
Chewy

No. Try not. Do... or do not. There is no try.

#6 BostonBen


Posted 31 May 2008 - 10:05 AM

Malwarebytes' Anti-Malware 1.14
Database version: 807

11:02:29 AM 5/31/2008
mbam-log-5-31-2008 (11-02-29).txt

Scan type: Quick Scan
Objects scanned: 35761
Time elapsed: 15 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{95e554e1-04f3-4d9b-a4e9-881dc420882b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{85116c11-b265-4635-8fd8-a500007a6915} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5269d0c0-572b-445a-88ac-8c8843b6d42b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69c1ef64-a396-4490-8849-52af7f7ec6e5} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f5f40e25-cf4d-434e-a6ae-ed625ae87cab} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pvnsmfor.btqr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
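As an added example (not part of the thread, not Malwarebytes' own code), a small parser for the MBAM log format posted above: it reads the summary block and the per-section findings, checks that each header count agrees with the items actually listed (a truncated or hand-edited paste shows up as a mismatch), and groups hits by detection name. The embedded sample is a constructed excerpt of that log.

```python
import re
from collections import Counter

# Constructed excerpt of the MBAM log posted above: summary block plus the sections with hits.
SAMPLE_LOG = r"""
Registry Keys Infected: 8
Folders Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{95e554e1-04f3-4d9b-a4e9-881dc420882b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{85116c11-b265-4635-8fd8-a500007a6915} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5269d0c0-572b-445a-88ac-8c8843b6d42b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69c1ef64-a396-4490-8849-52af7f7ec6e5} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f5f40e25-cf4d-434e-a6ae-ed625ae87cab} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pvnsmfor.btqr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")       # "Registry Keys Infected: 8"
SECTION_RE = re.compile(r"^(.+ Infected):$")             # "Registry Keys Infected:"
FINDING_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")  # "<item> (<detection>) -> <action>."

def parse_mbam_log(text):
    """Return (summary counts, findings); a finding is (section, item, detection, action)."""
    summary, findings, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := FINDING_RE.match(line)):  # blanks and "(No malicious items detected)" fall through
            findings.append((section, m.group(1), m.group(2), m.group(3)))
    return summary, findings

def count_mismatches(summary, findings):
    """Sections whose header count disagrees with the items listed: (claimed, listed) per section."""
    listed = Counter(f[0] for f in findings)
    return {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]}

def detection_families(findings):
    """Hits per detection name, case-folded: the log above spells both Trojan.Fakealert and Trojan.FakeAlert."""
    return Counter(f[2].lower() for f in findings)
```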

#7 BostonBen


Posted 31 May 2008 - 10:07 AM

Yes Chewy, but I didn't download it. I recognized it, blocked it and shut down the browser.

#8 DaChew


Posted 31 May 2008 - 10:09 AM

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

The newer malware has been associated with the Storm variant; it's a hard-to-detect nasty.

Run SDFix.
Chewy

No. Try not. Do... or do not. There is no try.

#9 DaChew


Posted 31 May 2008 - 10:13 AM

Shutting down the browser doesn't bother malware in the least; it's capable of downloading and updating as long as the computer is on and the internet is connected.

It only takes a 20 KB downloader and a very small rootkit hiding it, and in seconds you've been had.
Chewy

No. Try not. Do... or do not. There is no try.

#10 BostonBen


Posted 31 May 2008 - 10:23 AM

So blocking the download with Webroot is useless? Is it an autorun? I'm gonna run SDFix now, wish me luck. Thanks for the help.

Edited by BostonBen, 31 May 2008 - 10:23 AM.


#11 BostonBen


Posted 31 May 2008 - 10:29 AM

While installing I got a McAfee popup saying to block; I allowed it. Is this OK? Will the download still be complete? Tried to run the file in safe mode; I guess I'll try to install again. This is odd.

Edited by BostonBen, 31 May 2008 - 10:38 AM.


#12 DaChew


Posted 31 May 2008 - 10:42 AM

It's best to disable real-time protection before attempting a lot of fixes. That's why SDFix runs from safe mode and then reboots and tries to keep everything from loading in normal mode to finish the fix.

I have worse problems removing malware from protected computers than unprotected ones.


You possibly dodged it.


I am just being cautious; those references to Storm concerned me, as it's a very prevalent bot that goes undetected on most computers.

I would rather err on the side of caution than have you come back in a few days, after leaving your computer on overnight, to find it totally trashed.

Webroot should have never let affri through without your help.

Edited by DaChew, 31 May 2008 - 10:42 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#13 BostonBen


Posted 31 May 2008 - 10:48 AM

When I boot in safe mode under Admin instead of my settings, it can't find SDFix. How do I fix this problem? And if I need to disable shields in Webroot, how do I do so? Also, could the affri be a leftover that the Dell guys missed, and the rest be from the incident today? Or are they both from the same package? I'm really frustrated at myself for not getting SDFix to run. Where am I going wrong? I assume it has to do with the filename path being linked to my user desktop settings?

Edited by BostonBen, 31 May 2008 - 11:18 AM.


#14 BostonBen


Posted 31 May 2008 - 11:39 AM

SDFix: Version 1.187
Run by Administrator on Sat 05/31/2008 at 12:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 12:31:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 29 Feb 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Tue 10 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Fri 23 May 2008 8 ..SHR --- "C:\WINDOWS\system32\464E49BC0F.sys"
Fri 23 May 2008 5,642 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 21 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 21 Apr 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 7 Oct 2005 1,847,296 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE"
Fri 7 Oct 2005 62,464 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\MNYINSTA.DLL"
Fri 7 Oct 2005 95,232 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\RMVSUITE.EXE"
Fri 7 Oct 2005 36,864 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\SETUPLNG.DLL"
Fri 7 Oct 2005 20,480 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\UNREGWTR.EXE"
Thu 12 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 21 Mar 2007 9,506 A.SH. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv2key.bak"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Ben\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Ben\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Ben\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 20 Apr 2007 8 A..H. --- "C:\Documents and Settings\Ben\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!
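As an added example, not code from the thread or from SDFix, a parser for the "Files with Hidden Attributes" lines in the log above, with a triage step that pulls out the files marked both system and hidden under the Windows directory, the same pairing DaChew singles out later in the thread. The sample lines are a constructed excerpt of that listing, the C:\WINDOWS prefix is an assumption, and the result is a review list for the helper to ask about, not a verdict.

```python
import re

# Constructed excerpt of the "Files with Hidden Attributes" section of the SDFix log above.
SAMPLE_HIDDEN = r'''
Fri 29 Feb 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Fri 23 May 2008 8 ..SHR --- "C:\WINDOWS\system32\464E49BC0F.sys"
Fri 23 May 2008 5,642 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 21 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 7 Oct 2005 1,847,296 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Ben\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
'''

# <weekday> <day> <month> <year> <size> <attrs: A?SHR positions, "." when unset> --- "<path>"
LINE_RE = re.compile(r'^(\w{3} \d{1,2} \w{3} \d{4}) ([\d,]+) ([A-Z.]{5}) --- "(.+)"$')

def parse_hidden_files(text):
    """Parse SDFix hidden-attribute lines into dicts with date, size (bytes), attrs and path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"date": m.group(1), "size": int(m.group(2).replace(",", "")),
                            "attrs": m.group(3), "path": m.group(4)})
    return entries

def triage(entries, system_dir=r"C:\WINDOWS"):
    """Paths that are both system (S) and hidden (H) under system_dir (assumed C:\WINDOWS).
    Legitimate files land there too, so treat the result as a review list, not a detection."""
    flagged = []
    for e in entries:
        in_system = e["path"].lower().startswith(system_dir.lower() + "\\")
        if in_system and "S" in e["attrs"] and "H" in e["attrs"]:
            flagged.append(e["path"])
    return flagged
```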

#15 DaChew


Posted 31 May 2008 - 12:06 PM

Fri 23 May 2008 8 ..SHR --- "C:\WINDOWS\system32\464E49BC0F.sys"
Fri 23 May 2008 5,642 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"


I moderate in a digital video forum and have a little knowledge of video codecs; what's the Dr. DivX from?
Chewy

No. Try not. Do... or do not. There is no try.
