
Was Hit By Worm But Am I Safe Now?


10 replies to this topic

#1 xEnvious

xEnvious

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:40 AM

Posted 16 September 2008 - 03:44 PM

So today I was going to move some stuff over from my computer to my laptop, and I put my USB pen drive into my computer. I moved one file to the drive and then moved it to the laptop (because NOD32 never informed me of this). McAfee on my laptop detects something, so I quickly check my NOD32 on my desktop and see that it found 16 infected files and cleaned 1. I checked to see what was going on and this is what I found:

Time: 9/16/2008 15:16:19 PM
Module: AMON
Object: file
Name: F:\Autorun.inf
Threat: Win32/AutoRun.PI worm
Action: error while cleaning - operation unavailable for this type of object
User: NT AUTHORITY\SYSTEM
Information: Event occurred at an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.

The "error while cleaning" part is getting me paranoid. I restarted my computer and everything seems to be fine with startup and all. I did another full NOD32 scan and it says I was clean. I also looked up when NOD32 updated for this specific detection and it was quite a while ago. Same goes for the McAfee scan on my laptop (it said I was clean). The laptop is the one I don't care about, so I put my USB drive in it again and scanned it, and McAfee found one infection but I couldn't find the file. So I went ahead and formatted the USB pen drive and scanned it again - no detections.

Am I safe, or do I have to take further steps to see if I'm safe or not?
And on a side note, can someone tell me exactly how worms are spread so I don't give it to my other comps? Also, can worms transfer via network connections via "My Network Places" even if I don't access it? Thanks!

Edited by xEnvious, 16 September 2008 - 06:39 PM.




#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:40 AM

Posted 17 September 2008 - 07:23 PM

You have asked some hard questions. Here's a little insight; I wish I had taken the time to read it better and make the proper preparations before I infected my computer.

pen drive infections

http://www.bleepingcomputer.com/forums/ind...mp;#entry798468

Infections that spread through network shares usually have to exploit a vulnerability in the operating system; that's why we try to keep up to date. Windows is like a block of Swiss cheese.

Even though you have an open HJT log posted, I see nothing wrong with your questions or my attempting to answer them.


http://www.bleepingcomputer.com/forums/t/168923/double-checking/

Edited by DaChew, 17 September 2008 - 07:26 PM.

Chewy

No. Try not. Do... or do not. There is no try.
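DaChew's "pen drive infections" pointer and the NOD32 log line in the first post describe the same mechanism: the worm drops a hidden executable on the pen drive together with an autorun.inf whose open=, shellexecute= and shell\<verb>\command= directives make Windows XP launch that executable when the drive is inserted or double-clicked. autorun.inf itself is a plain text INI file, which is why a scanner reports that cleaning is "unavailable for this type of object": there is nothing in it to disinfect, only a pointer to delete. The script below is an added example written for this thread, not code from the thread or from any product named in it. It parses an autorun.inf and lists every directive that would run code. The sample files, the RECYCLER\svchost.exe target and the scan_drive helper are all constructed for illustration.

```python
"""Triage the autorun.inf on a removable drive (added example, not from the thread).

autorun.inf is a plain INI file. It cannot be 'cleaned'; what matters is which
executable its directives would launch when Windows XP AutoPlays the drive.
"""
import os
import re
import sys

# Directives that launch code on insert or double-click. icon=, label= and
# action= are cosmetic and harmless on their own.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command= attaches a program to a context-menu verb (open,
# explore, autoplay, ...); worms usually set several so every click works.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}} with lowercased names.

    Hand-rolled instead of configparser: worm-written files carry junk lines,
    NUL padding, mixed case and duplicate keys that the strict stdlib parser
    rejects, and we want to see exactly what Explorer would act on.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue   # junk, or a line outside any section
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return [(directive, target), ...] for every directive that runs code."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def scan_drive(root):
    """Read <root>\\autorun.inf if present; None when the drive has none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return assess_autorun(fh.read())


# Constructed samples: a worm-style file launching a hidden copy of itself
# under RECYCLER via every AutoPlay path, and a benign one that only sets
# an icon and a label.
WORM_SAMPLE = (
    "[AutoRun]\n"
    ";fj3k@#junk worms insert to trip up simple parsers\n"
    "open=RECYCLER\\svchost.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "shellexecute=RECYCLER\\svchost.exe\n"
    "shell\\open\\command=RECYCLER\\svchost.exe\n"
    "shell\\explore\\command=RECYCLER\\svchost.exe\n"
    "label=USB DRIVE\n"
)
BENIGN_SAMPLE = "[autorun]\nicon=drive.ico\nlabel=Backup\n"

if __name__ == "__main__":
    # python autorun_triage.py F:\   (falls back to the constructed sample)
    found = scan_drive(sys.argv[1]) if len(sys.argv) > 1 else assess_autorun(WORM_SAMPLE)
    for directive, target in found or []:
        print(f"{directive} -> {target}")
```

Run it against the drive root before opening the drive in Explorer, since opening it is exactly what fires the open= directive. Disabling AutoPlay for removable drives removes the launch vector, but the dropped executable stays on the stick until it is deleted or the drive is formatted, which is what xEnvious ended up doing.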

#3 xEnvious (Topic Starter)

Posted 18 September 2008 - 10:13 AM

Thanks for your reply and that link! Hmm... I don't know if this worm sneaked into my computer and my other computers, but I started a new topic concerning Ad-Aware detecting some infected hosts files.

http://www.bleepingcomputer.com/forums/t/170017/hosts-files-infection/

Could you please take a look?

Edited by xEnvious, 18 September 2008 - 10:22 AM.


#4 DaChew

Posted 18 September 2008 - 10:43 AM

Is it the same computer that has a HJT log posted? You are not supposed to make any changes on that one or take any advice from anyone else.

#5 xEnvious (Topic Starter)

Posted 18 September 2008 - 10:49 AM

Yes. This is the same computer with the HJT log posted. But the same symptoms occur in my other computers. I have a feeling it's an update from Ad-Aware that's showing files that Spybot quarantined to be bad.

#6 DaChew

Posted 18 September 2008 - 11:20 AM

You can ignore scans that show infections in quarantine, as a general rule.

If you want to work with one of your other computers in this forum, that's fine

#7 xEnvious (Topic Starter)

Posted 18 September 2008 - 11:26 AM

Yes, I understand that you can ignore infections in quarantine. But on Ad-Aware, there is nothing in the quarantine.

So, with HJT, I checked for hosts files and saw that the hosts file entries that Ad-Aware detected were underneath "# Start of entries inserted by Spybot - Search & Destroy".

Am I allowed to just ignore this?

#8 DaChew

Posted 18 September 2008 - 11:50 AM

Spybot writes a special hosts file to immunize you from malicious web pages with IE.

SmitFraudFix, SDFix and others flag this, some returning the hosts file to the MS default.

Reapplying the immunization puts it back.

C:\WINDOWS\system32\drivers\etc is the standard path with XP.

mine starts like this

# Copyright 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
and 9000 more entries

#9 xEnvious (Topic Starter)

Posted 18 September 2008 - 12:02 PM

Yeah! Mine looks like that too. So if the hosts file entries (i.e. 127.0.0.1 THEREALSEARCH.COM) that Ad-Aware detected are located in the Spybot entries, it's safe to ignore Ad-Aware's detections, right?

#10 DaChew

Posted 18 September 2008 - 12:08 PM

127.0.0.1 therealsearch.com

is what my entry reads

http://www.lavasoftsupport.com/index.php?s...amp;#entry85817

I decided Spybot was a lot better than Ad-Aware a long time ago.

Even Spybot doesn't scan very well against the newest infections, though.
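Posts #8 and #10 draw the line that matters when a scanner complains about the hosts file: Spybot's immunization entries sinkhole known-bad sites to 127.0.0.1 under its own marker comment, whereas a genuinely hijacked hosts file does one of two other things, redirects a name to a foreign address, or sinkholes the security vendors' sites so the machine can no longer update or scan. The script below is an added example written for this thread, not code from the thread, from Spybot or from Lavasoft. It parses a hosts file and sorts every mapping into those buckets, so an entry like the therealsearch.com line can be confirmed as Spybot's rather than eyeballed. The "# End of entries inserted by Spybot - Search & Destroy" closing marker, the vendor keyword watchlist and the sample hosts text are assumptions constructed for the example.

```python
"""Triage a Windows hosts file (added example, not from the thread).

Separates Spybot-style immunization (names sinkholed to loopback under
Spybot's own marker comment) from the two things a real hosts hijack does:
redirect a name to a foreign address, or sinkhole the security vendors'
sites so the machine can no longer update or scan.
"""
import ipaddress
import sys

SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
# Assumption: Spybot closes its block with a matching end comment.
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"
# Constructed watchlist: substrings of security/update domains that malware
# commonly sinkholes. Extend it for the products you actually run.
SECURITY_KEYWORDS = ("eset", "nod32", "mcafee", "symantec", "kaspersky",
                     "windowsupdate", "microsoft", "spybot", "lavasoft")


def parse_hosts(text):
    """Return [(ip, hostname, inside_spybot_block), ...] for each mapping."""
    entries = []
    in_spybot = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == SPYBOT_START:
            in_spybot = True
            continue
        if line == SPYBOT_END:
            in_spybot = False
            continue
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:                      # one IP may map several names
            entries.append((ip, name.lower(), in_spybot))
    return entries


def triage_hosts(text, watchlist=SECURITY_KEYWORDS):
    """Bucket every mapping; each bucket is a list of (ip, hostname)."""
    buckets = {"immunization": [], "redirects": [], "security_sinkholes": [],
               "other_sinkholes": [], "invalid": []}
    for ip, name, in_spybot in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            buckets["invalid"].append((ip, name))   # not a usable mapping
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed and name in ("localhost", "localhost.localdomain"):
            continue                                # stock entry
        if not sinkholed:
            buckets["redirects"].append((ip, name))        # traffic goes elsewhere
        elif in_spybot:
            buckets["immunization"].append((ip, name))     # what Ad-Aware flagged
        elif any(k in name for k in watchlist):
            buckets["security_sinkholes"].append((ip, name))
        else:
            buckets["other_sinkholes"].append((ip, name))
    return buckets


# Constructed sample: stock header, Spybot block, then three lines Spybot
# did not write. Only the Spybot block is safe to ignore.
SAMPLE_HOSTS = """\
# Copyright 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 therealsearch.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.mcafee.com        # outside the block: AV vendor sinkholed
203.0.113.7 www.mybank.example  # non-loopback: name hijacked
127.0.0.1 ads.example.net       # user or unknown blocklist entry
"""

if __name__ == "__main__":
    # python hosts_triage.py C:\WINDOWS\system32\drivers\etc\hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for bucket, rows in triage_hosts(text).items():
        for ip, name in rows:
            print(f"{bucket:19} {ip:15} {name}")
```

Anything in the immunization bucket is the Spybot data the thread is talking about; the redirects and security_sinkholes buckets are the entries a hijack produces and are worth investigating even when every scanner reports clean, because they are what stops scanners from updating in the first place.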

#11 xEnvious (Topic Starter)

Posted 18 September 2008 - 03:02 PM

Ah thank you so much! This is the thread I was trying to find. Thanks!
