Am I Infected?


35 replies to this topic

#1 mike=)).
Members

Posted 06 September 2008 - 11:23 AM

Hi, I have just signed up here, and after writing a note in the introduction form, would like to expand on my current PC problems.

Briefly:

I have a PC with a suspected trojan. Generic9.BECA. The trojan was discovered in an ftp software file, and googling it took me to an entry in this forum. After noticing that other programs are not doing what they should do (AdAware crashes, printer failure etc.) it seemed to be the right time to attempt to clean the whole system. I'm expecting the worst.

I use my PC to maintain a website, which needs fairly constant updating. I can run my laptop in parallel, but with limited capability. The laptop may well have the same problems as the PC. Also I am using 5 !!! external hard-drives, 3 compact-flash (camera) cards and a usb-stick. All of these will need to be investigated. The website is hosted externally on a Linux-based dedicated server, so for now I'm not expecting problems there. Some help to fix (update) site software would be appreciated later.

Both PC and laptop are installed with quite a lot of software, but I am not too sure which versions of the software are running (and that includes windows).

If anyone can help me clean the system, I will be very grateful indeed. I have the patience and precision to follow all instructions and give feedback. I'll post a HJT log in the appropriate forum as soon as necessary.

Thanks in advance!!!! Mike


#2 boopme
Global Moderator

Posted 06 September 2008 - 03:41 PM

Hello, wait to post the HJT log until we see what happens here.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 mike=)).
Topic Starter

Posted 06 September 2008 - 07:23 PM

boopme, thank you for helping !!!!

Installed and updated MBAM.
Ran quick scan, taking care to leave all external hard-drives running.
I was not asked to select drives, and I was not asked to reboot.
The result appears clean (see below).

additional information which may be of use:
- AdAware scans fail (crashes) when it reaches a certain file
- I have disabled the Windows firewall, and use Comodo instead
- my anti-virus is AVG (free version) and it is fully up to date
- I am running Windows XP Pro (I think)
- the trojan AVG detected was Generic9.BECA, and it was found in an .exe file for my ftp software G6FTP

Here's the log:

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

07/09/2008 02:14:08
mbam-log-2008-09-07 (02-14-08).txt

Scan type: Quick Scan
Objects scanned: 53771
Time elapsed: 35 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by mike=))., 06 September 2008 - 07:29 PM.


#4 boopme
Global Moderator

Posted 06 September 2008 - 08:01 PM

Hello again. Uninstall adaware from the Control Panel.

Check for updates and rescan with MBAM. This time do a full scan and select the other drives there.

I'm looking for more info on the Trojan.

EDIT: Did AVG quarantine that Trojan file?

Edited by boopme, 06 September 2008 - 08:18 PM.


#5 mike=)).
Topic Starter

Posted 06 September 2008 - 09:20 PM

Yes it did quarantine the file (I'll try and get the AVG log next time)

I'm checking my laptop in parallel with the main PC. They are not physically connected, and until all is safe, I'm not using the external HD's on the laptop. The main scan is running, and I imagine it will take at least 6 hours.

This message is from my laptop. Here's the laptop MBAM log:

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

07/09/2008 08:05:28
mbam-log-2008-09-07 (08-05-19).txt

Scan type: Quick Scan
Objects scanned: 45123
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme
Global Moderator

Posted 06 September 2008 - 09:27 PM

OK, the "No Action Taken" remark generally means the Remove Selected button was not clicked.

Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.


Please rescan.
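The MBAM logs quoted in this thread all share one text layout, and the point above is that a finding ending in "No action taken" was detected but never removed. As an added example (not code from this thread or from Malwarebytes), the Python below parses a log in that layout, flags unremediated findings, and checks that the summary counts agree with the items listed; SAMPLE_LOG is a constructed sample in the same format, not a real scan result.

```python
"""Parse a Malwarebytes' Anti-Malware 1.26 text log and flag findings that
were detected but not remediated.

Added example, not code from this thread or from Malwarebytes. The layout
follows the logs quoted in the thread; SAMPLE_LOG is a constructed sample.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the MBAM 1.26 layout (trimmed, not a real scan).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 45123
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\Sound Forge\Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str                # e.g. "Files Infected"
    target: str                 # file path or registry value path
    detection: str              # MBAM detection name, e.g. "Hijack.StartMenu"
    action: str                 # "No action taken", "Quarantined and deleted successfully", ...
    bad: Optional[str] = None   # registry data items only: value MBAM found
    good: Optional[str] = None  # registry data items only: value MBAM expects


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)    # "Database version" -> "1120", ...
    summary: dict = field(default_factory=dict)   # section name -> count from the summary block
    findings: list = field(default_factory=list)  # one Finding per listed item


_SUMMARY_RE = re.compile(r"^(?P<name>.+ Infected): (?P<count>\d+)$")
_SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")
# "<target> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>."
_ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
_NO_HIT = "(No malicious items detected)"


def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log line by line: header fields, summary counts, then per-section items."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SUMMARY_RE.match(line)
        if m:
            report.summary[m["name"]] = int(m["count"])
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section is None:
            # Still in the header: keep "key: value" lines, skip the rest.
            if ": " in line:
                key, _, value = line.partition(": ")
                report.header[key] = value
            continue
        if line == _NO_HIT:
            continue
        m = _ITEM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line in section {section!r}: {line}")
        report.findings.append(
            Finding(section, m["target"], m["detection"], m["action"], m["bad"], m["good"])
        )
    return report


def unremediated(report: MbamReport) -> list:
    """Findings MBAM detected but did not remove (Remove Selected was not clicked)."""
    return [f for f in report.findings if f.action.lower().startswith("no action taken")]


def summary_consistent(report: MbamReport) -> bool:
    """True when the non-zero summary counts match the items actually listed per section."""
    listed = Counter(f.section for f in report.findings)
    declared = {name: n for name, n in report.summary.items() if n}
    return listed == declared


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"database {rep.header.get('Database version')}, {len(rep.findings)} finding(s), "
          f"summary consistent: {summary_consistent(rep)}")
    for f in unremediated(rep):
        print(f"NOT REMOVED: {f.detection} at {f.target} (bad={f.bad}, good={f.good})")
```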

#7 mike=)).
Topic Starter

Posted 07 September 2008 - 04:05 AM

hi !!

The main PC is still running a complete scan. After 7.5 hours the internal drives have been checked and are clean. I'm thinking of aborting the scan of the external drives, as it will take ages to complete the scan (5 drives, more than 2 TB). I'll uncouple them from the system and scan 1 by 1 at a later point in time, if that's ok? Edit: afterthought. Main PC has 55 processes running, which imo is too many, and probably affecting the speed of the scan. Maybe close down some of them?

Laptop:
Re-ran the laptop scan, this time running a complete scan. Killed the 4 infections, see log below.

Extra information on laptop:
- windows firewall
- ESET NOD32 anti-virus
- Windows XP Pro
- no P2P software
- Flash FXP software in use for website connection

ESET NOD32 was getting in the way of the scan... detecting viruses... I'm adding this log too.

laptop MBAM log:

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

07/09/2008 14:43:58
mbam-log-2008-09-07 (14-43-58).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 97162
Time elapsed: 25 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\Adobe Acrobat 8\keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\Sound Forge\Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\Sound Forge\SoundForge8_Retail_KG.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\Sound Forge\SoundForge8_Trial.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

laptop ESET NOD32 log:

07/09/2008 14:43:24 Real-time file system protection file D:\System Volume Information\_restore{C3D6F4DE-A519-48FF-B641-C64AF815390B}\RP98\A0049548.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:23 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\us\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:22 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\pt\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:22 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\pt\kb888111w2ksp4.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:21 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\pl\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:20 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\pl\kb888111w2ksp4.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:19 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\kor\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:18 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\hu\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:17 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\heb\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:17 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\heb\kb888111w2ksp4.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:16 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\ger\kb888111xpsp2.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:15 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\fr\kb888111w2ksp4.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:14 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\es\kb888111w2ksp4.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:14 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\cs\kb888111w2ksp4.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:13 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\chs\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:12 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\br\kb888111xpsp2.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:11 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\br\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:43:09 Real-time file system protection file D:\F3Sc\UAA_XP32_070906\ara\kb888111xpsp1.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:42:55 Real-time file system protection file D:\F3Sc\Fingerprints_XP_071214\Fingerprints_XP_071214\Program Files\Bin\ASTray.exe Win32/Patched.A virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:42:49 Real-time file system protection file D:\F3Sc\Fingerprints_XP_071214\Fingerprints_XP_071214\Program Files\Bin\asghost.exe Win32/Patched.A virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:42:45 Real-time file system protection file D:\Adobe Photoshop 7.0 Nl\Adobe Photoshop 7 Nl\_ISDel.exe Win32/Patched.A virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:34:15 Real-time file system protection file C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP31\A0009229.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
07/09/2008 14:23:19 Real-time file system protection file C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\Winzip 11\keygen.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
13/08/2008 07:54:49 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:49 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:49 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:49 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:46 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:45 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:39 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:38 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:36 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:34 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:33 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
13/08/2008 07:54:32 Real-time file system protection file F:\Promt Expert 7 Giant with Dictionary Set\MInstall.exe Win32/Patched.A virus NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.EXE.
12/08/2008 16:25:31 Real-time file system protection file F:\AutoRun.inf Win32/Fujacks.L virus deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
12/08/2008 16:25:30 Real-time file system protection file F:\AutoRun.inf Win32/Fujacks.L virus deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
12/08/2008 16:25:29 Real-time file system protection file F:\Autorun.inf Win32/Fujacks.L virus deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
12/08/2008 16:25:28 Real-time file system protection file F:\Autorun.inf Win32/Fujacks.L virus deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
12/08/2008 16:25:27 Real-time file system protection file F:\Autorun.inf Win32/Fujacks.L virus deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
12/08/2008 16:25:25 Real-time file system protection file F:\Autorun.inf Win32/Fujacks.L virus deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
12/08/2008 16:25:24 Real-time file system protection file F:\Autorun.inf Win32/Fujacks.L virus deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
12/08/2008 16:25:21 Real-time file system protection file F:\Autorun.inf Win32/Fujacks.L virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.

Edited by mike=))., 07 September 2008 - 04:21 AM.


#8 DaChew
BC Advisor

Posted 07 September 2008 - 11:48 AM

those autorun.inf infections would indicate that you need to run subs flash disinfector and do some specialized scans

Your infection will continue to spread back and forth until you clean them all

It's important that you don't access any file on the infected drives

http://www.bleepingcomputer.com/forums/ind...526&hl=subs
Chewy

No. Try not. Do... or do not. There is no try.

#9 DaChew
BC Advisor

Posted 07 September 2008 - 11:58 AM

http://www.kaspersky.com/scanforvirus

for individual files or

http://www.kaspersky.com/virusscanner

for those drives

It will take many, many hours for terabytes. Illegal cracks like keygens are prime suspects, as is any cracked illegal software; the newest one I have seen infects all the mp3s, basically wiping out all music.

Easy come easy go

Edited by DaChew, 07 September 2008 - 11:59 AM.


#10 mike=)).
Topic Starter

Posted 07 September 2008 - 01:35 PM

Thanks for the ongoing insight DaChew !!! (EDITED...)

The current situation is that I did not stop the MBAM scan on the main PC. It's been running for 17.5 hours (more than 24 hours in real time) and hasn't even finished scanning the first external hard-drive. The internal drives were scanned, and to date no problems have been found there, or on the first external hard-drive. I shall have to abort, as the scan is slowing to almost a standstill and I'm right out of CPU. I haven't run a HJT yet.

As I mentioned before, I run a website, and my workfiles are stored (with back-ups) on two external hard-drives. I will need to access files on those drives to keep the site running (updates and moderating).

However, if I can clean either the main PC or the laptop, then I can probably use that machine to clean the external hard drives, one by one. So there will be some strategy needed.

As yet, my scans have not found any more than I have posted.

ESET NOD32 finds malware on the laptop.
AVG (free version) does not find malware on the main PC.

My main PC is slowing down... probably lack of CPU to get the scan task done.

I have no idea what subs flash disinfector is, or how to use it. Any help on this would be appreciated.
I shall download Kaspersky, but as mentioned above, would prefer to decide strategy first... main PC or laptop.

Waiting for reply to continue .... thanks!!!

aborted MBAM log for main PC:

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

07/09/2008 22:33:29
mbam-log-2008-09-07 (22-33-29).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|)
Objects scanned: 1162604
Time elapsed: 17 hour(s), 41 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by mike=))., 07 September 2008 - 03:38 PM.


#11 mike=)).
Topic Starter

Posted 08 September 2008 - 05:04 AM

Update:

Since running MBAM on my laptop, I am unable to connect to the ESET NOD32 server for updating my anti-virus...

Waiting for reply to continue... Thanks !!!

#12 DaChew
BC Advisor

Posted 08 September 2008 - 06:30 AM

Time elapsed: 17 hour(s), 41 minute(s), 17 second(s)


and it didn't finish

well a million mp3's?

if they were on e-sata drives I might consider a scan or just individually scan groups of data selectively

#13 mike=)).
Topic Starter

Posted 08 September 2008 - 06:52 AM

Hi Chewy !!!

The one that was partially scanned is a Seagate Barracuda SATA 400 GB internal drive, rigged up with an external power source and USB2 PC connection. The other 4 are 3 Western Digital 500 GB drives, and one 500 GB that I can't remember (I'm at work right now). I was going to set up a RAID configuration, but that will have to wait. The contents are mainly film and photos, with some software back-ups.

Certainly scanning one by one would be the best option, but I think I'll have to do that from a clean machine. So the main PC and/or the laptop are priorities.

Also, judging by the results of the 17.5 hour scan (zero infections), I doubt that MBAM will find anything of interest. If there is anything there, it will be well hidden.

So maybe move on to:
- subs flash disinfector EDIT...just noticed your link to the Flash_Disinfector thread. Note, my drives already have a hidden autorun.inf file. Will this be deleted or overwritten?
- specialized scans
- ESET NOD32 update problem
- kaspersky
- HJT-log ???

One other point of interest is a start-up problem. If I boot with the external drives attached, then the PC / laptop will ask to perform a scan of the drives. I can't remember the exact error message. Something about integrity ???

Please let me know how best to proceed. I will continue the MBAM scans if necessary. Or download Kaspersky.

Thanks in advance...

Edited by mike=))., 08 September 2008 - 06:57 AM.


#14 DaChew
BC Advisor

Posted 08 September 2008 - 07:03 AM

With all externals disconnected, run subs flash disinfector on both computers; this will immunize (hopefully) individual internal drives with a good autorun.inf file

http://www.bleepingcomputer.com/forums/ind...mp;#entry934959

I would run cureit from safe mode on both computers, no externals, no internet

http://www.bleepingcomputer.com/forums/ind...mp;#entry935171

also atf cleaner and SAS

these will take long enough

#15 mike=)).
Topic Starter

Posted 08 September 2008 - 06:55 PM

With all externals disconnected, run subs flash disinfector on both computers; this will immunize (hopefully) individual internal drives with a good autorun.inf file

http://www.bleepingcomputer.com/forums/ind...mp;#entry934959

I would run cureit from safe mode on both computers, no externals, no internet

http://www.bleepingcomputer.com/forums/ind...mp;#entry935171

also atf cleaner and SAS

these will take long enough


laptop first.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/09/2008 at 05:06 AM

Application Version : 4.21.1004

Core Rules Database Version : 3559
Trace Rules Database Version: 1547

Scan type : Complete Scan
Total Scan Time : 01:08:23

Memory items scanned : 166
Memory threats detected : 0
Registry items scanned : 5050
Registry threats detected : 0
File items scanned : 53702
File threats detected : 1

Unclassified.Unknown Origin/System
C:\D\G\AS\2\CHPSTART.EXE

DrWeb - scanned approx 23:00 CET 08-09-2008

Angry IP Scanner 2.21.exe;C:\Program Files\Angry IP Scanner;Tool.AngryIpscan;Incurable.Moved.;
A0006226.EXE\#setuppath#\raddrv.dll;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26\A0006226.EXE;Program.RemoteAdmin;;
A0006226.EXE\#setuppath#\radmin.exe;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26\A0006226.EXE;Program.RemoteAdmin;;
A0006226.EXE\#setuppath#\r_server.exe;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26\A0006226.EXE;Program.RemoteAdmin;;
A0006226.EXE;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26;Archive contains infected objects;Moved.;
A0006229.dll;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26;Program.RemoteAdmin;Incurable.Moved.;
A0006230.exe;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26;Program.RemoteAdmin;Incurable.Moved.;
A0006231.exe;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26;Program.RemoteAdmin;Incurable.Moved.;
A0006232.exe;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26;Program.RemoteAdmin;Incurable.Moved.;
A0006233.dll;C:\System Volume Information\_restore{DBBAF630-87C9-4921-903B-62A3254B0584}\RP26;Program.RemoteAdmin;Incurable.Moved.;

The ATF-Cleaner gave no notices.

EDIT: this laptop was maintained by a friend in Russia during my recent visit there. Some of the entries may indicate this.

Edited by mike=))., 08 September 2008 - 07:02 PM.
