
Bugnraw Infection


12 replies to this topic

#1 alpenview

alpenview

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 04 August 2008 - 11:10 AM

I had a brief window pop up while using Thunderbird which indicated that there was an infected file containing something called bugnraw. This window was too brief to capture the location, but it seemed to have this partial location (I didn't see the initial part of the directory listing): ....thunderbird\profile\blyugfxk.default\mail\local\folders-1\trash <unknown>

When I try to search for this location, odd things happen. First, the search won't find this directory. Second, after searching, my desktop is mostly blank (my computer and documents icons show up as well as a couple of others), but when I try to look into either my documents or my computer, I get a message that they are empty.

When I reboot the computer, the desktop and documents are accessible. Sometimes when I do a Control-Alt-Delete, Task Manager will not launch. It seems that whatever level of searching I do results in the desktop blanking out and me not being able to locate any files or programs.

I've run the Kaspersky, Spybot, and Adaware programs, but these don't seem to have found the correct infection. I've seen this bug listed on CA's site, and I've scanned with their online system, which found other questionable items but not one with this name.

Any suggestions of potentially more fruitful actions, would be appreciated.


 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:29 AM

Posted 04 August 2008 - 03:31 PM

Is this also an XP machine?

Start with this scan, please.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 alpenview


Posted 04 August 2008 - 08:20 PM

This is the log file after scanning. The problem persists after rebooting.

The OS is XP Professional

Malwarebytes' Anti-Malware 1.24
Database version: 1024
Windows 5.1.2600 Service Pack 2

12:07:02 PM 8/4/2008
mbam-log-8-4-2008 (12-07-02).txt

Scan type: Quick Scan
Objects scanned: 58178
Time elapsed: 1 hour(s), 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\install (Rogue.Multiple) -> Delete on reboot.

Edited by alpenview, 04 August 2008 - 08:23 PM.


#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:29 PM

Posted 04 August 2008 - 08:22 PM

Try running the scan again.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 boopme


Posted 04 August 2008 - 08:30 PM

Also check for an update, as you are one behind. Thanks.

Edited by boopme, 04 August 2008 - 08:30 PM.


#6 alpenview


Posted 05 August 2008 - 10:10 AM

The new scan follows. I first attempted a long scan. Upon completion it detected 1 infection but wouldn't display the result and did not create a log. There was also a run time "52" error (bad file name/number) being reported.

This is from a short scan:

Malwarebytes' Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 2

8:00:51 AM 8/5/2008
mbam-log-8-5-2008 (08-00-51).txt

Scan type: Quick Scan
Objects scanned: 58056
Time elapsed: 52 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\install (Rogue.Multiple) -> Delete on reboot.

#7 boopme


Posted 05 August 2008 - 03:34 PM

Hello, try updating and rescanning, and post a new log. Also reboot, if you have not already, to complete the malware removal.

52 = Bad file name or number. Program error; verify the program has all the latest updates. If updated, try reinstalling the program.

#8 alpenview


Posted 05 August 2008 - 09:02 PM

Latest scan after reinstalling the program.

Malwarebytes' Anti-Malware 1.24
Database version: 1028
Windows 5.1.2600 Service Pack 2

6:59:57 PM 8/5/2008
mbam-log-8-5-2008 (18-59-57).txt

Scan type: Quick Scan
Objects scanned: 52898
Time elapsed: 39 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)
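
Added example, not part of any post in this thread: a small Python parser for the Malwarebytes log format posted above that compares two scans and lists items (here `C:\install`) that recur with removal still only scheduled. The sample logs are trimmed copies of the ones in posts #3 and #6; the function names are illustrative.

```python
import re

# Constructed samples: trimmed copies of the two MBAM 1.24 logs posted above.
LOG_0804 = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1024
Files Infected: 1

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\install (Rogue.Multiple) -> Delete on reboot.
"""
LOG_0805 = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1026
Files Infected: 1

Files Infected:
C:\install (Rogue.Multiple) -> Delete on reboot.
"""

# "<object> (<Detection.Name>) -> [details ->] <action>."
DETECTION = re.compile(r"^(?P<obj>.+?) \((?P<name>[\w.]+)\) -> (?P<rest>.+?)\.?$")

def parse_log(text):
    """Return the database version and {object: (detection name, final action)}."""
    db = re.search(r"^Database version: (\d+)", text, re.M)
    found = {}
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:  # summary counts and "(No malicious items detected)" do not match
            found[m["obj"]] = (m["name"], m["rest"].split(" -> ")[-1])
    return {"db": int(db.group(1)) if db else None, "detections": found}

def still_pending(older, newer):
    """Objects detected in both scans whose removal is still only scheduled."""
    return sorted(obj for obj, (_, action) in newer["detections"].items()
                  if obj in older["detections"] and action == "Delete on reboot")

if __name__ == "__main__":
    a, b = parse_log(LOG_0804), parse_log(LOG_0805)
    print("database:", a["db"], "->", b["db"])
    for obj in still_pending(a, b):
        print("recurring, removal not completed:", obj)
```

An item that shows up in consecutive logs as "Delete on reboot" means the scheduled delete never took effect or the file was recreated, which is why the helpers in the thread ask for a normal reboot before rescanning.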

#9 boopme


Posted 05 August 2008 - 09:16 PM

Looks good. Any more issues or malware symptoms?

#10 alpenview


Posted 05 August 2008 - 10:07 PM

The computer still doesn't operate properly even after rebooting. Subsequent to performing a search the desktop is blank except for the icons for documents, my computer, my network places, recycle bin and internet explorer. If I click on My Doc, I get a security alert that says my current security settings do not allow this action. If I click on my computer, I get a screen showing the various drives, but opening a drive gives an error saying that that particular drive is not accessible; logon failure: account is currently disabled. This occurs for all drives.

I can open the recycle bin for whatever reason.

At the end of these trials I got a message window entitled Update Manager with the runtime 52 error.

At that point I need to reboot to recover the system.

I should also mention that I got another realtime virus alert that a file was corrupted by PHishbank CCG. There were apparently two infections but I couldn't cycle to the other one in time to see what it was.

Any further recommendations?

A few additional items to add. My AV is CA which has enabled a quarantine function. I see that I as the admin am being quarantined for attempting to load an infected file onto the system. Maybe that is part of the reason why I can't look at the various directories for a while after searching. As a precaution, I've greatly extended the quarantine time to hopefully limit any further infected files from entering the system.

Alpenview

Edited by alpenview, 05 August 2008 - 10:55 PM.


#11 boopme


Posted 06 August 2008 - 12:12 PM

Let's do a different scan and see. Run it from Safe Mode after install and update.

How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#12 alpenview


Posted 12 August 2008 - 01:08 PM

I couldn't exactly follow the given directions. Firstly, I can no longer boot in safe mode. I get an error saying that either my user name or password is invalid and therefore I can't boot in that mode. No problem with a normal boot using the same name/pw. This was not a problem last week, as I booted in safe mode multiple times. I checked the normal potential problems such as Caps Lock and Num Lock. I also seem to still have administrator privileges.

Booting in normal mode, I first ran a quick scan that found some tracking software which was eliminated. I then rescanned in complete mode with the preferences set as indicated. It didn't find anything.

Neither mode produced a log file, so I can't attach it.

Both scans produced a 52 error relative to update manager. The scans also caused CA antivirus to quarantine me. I have attempted to uninstall the CA antivirus program, but my system hangs up without uninstalling the program.

I have performed the above actions numerous times with the same results.

What should I do next?

Thanks,

Alpenview

Edited by alpenview, 12 August 2008 - 01:09 PM.


#13 boopme


Posted 12 August 2008 - 03:44 PM

Seems you will need to have our HJT experts look deeper for the cause.
Please follow the instructions here...
Preparation Guide For Use Before Posting A Hijackthis Log

Then post the complete log here, HijackThis Logs and Malware Removal, and not in this thread. Thanks.



