Kaspersky Log


6 replies to this topic

#1 savasg
Posted 02 October 2008 - 08:18 PM

I have run Kaspersky Online Scan;
it found some trojans.

Can you help to clean them?

Here is the log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, October 02, 2008 18:32:06
Records in database: 1283871
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 147110
Threat name: 12
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 05:12:16


File name / Threat name / Threats count
C:\Documents and Settings\Gokhan Savas\Desktop\flash 10 may\1\AUTORUN.INF Infected: Virus.Win32.Small.f 1
C:\Documents and Settings\Gokhan Savas\Desktop\GOKHAN\SDL\flash disk\AUTORUN.INF Infected: Virus.Win32.Small.f 1
C:\Documents and Settings\Gokhan Savas\My Documents\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2
C:\Documents and Settings\Gokhan Savas\My Documents\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ai 2
C:\Documents and Settings\Gokhan Savas\My Documents\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.v 2
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\138C5335.zip Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\138C5335.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\34AA2366 Infected: Worm.Win32.Agent.p 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EBD7106.exe Infected: Worm.Win32.VB.an 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\48D53A5D.zip Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\48D53A5D.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\66E93557 Infected: Trojan-Downloader.Win32.Adload.jm 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\789D4E35 Infected: Hoax.Win32.Renos.cc 1
C:\WINDOWS\system32\CD_Gif.dll Infected: not-a-virus:AdWare.Win32.Cydoor 1
C:\WINDOWS\system32\KMON.OCX Infected: not-a-virus:Monitor.Win32.KeyLogger.o 1
C:\WINDOWS\system32\KTKBDHK3.DLL Infected: not-a-virus:Monitor.Win32.KeyLogger.o 1

The selected area was scanned.

#2 DaChew
Posted 02 October 2008 - 09:17 PM

The worm then spreads through removable storage devices by creating the following file and setting the attributes to hidden:
[DRIVE LETTER]\activexdebugger32.exe

The worm also creates the following file so that it executes whenever the removable device is used on another computer:
[DRIVE LETTER]\Autorun.inf

The worm then opens a back door and allows a remote attacker to gain access to the compromised computer.

It may attempt to steal sensitive information from the compromised computer and send it to a remote attacker via email.


http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

What does MBAM find?
Chewy

No. Try not. Do... or do not. There is no try.
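The worm behaviour quoted above (an `Autorun.inf` on the removable drive that launches a hidden `activexdebugger32.exe`) is the kind of thing a responder can triage without executing anything: read the `autorun.inf` text and work out what it would launch and whether it is dressed up to look like a normal drive. The parser below is an added example, not code from the thread or from any of the tools mentioned in it; the `activexdebugger32.exe` name comes from the Symantec description quoted in the post, and the sample `autorun.inf` contents are constructed for illustration (the `icon=shell32.dll,4` and `action=Open folder to view files` lines imitate the AutoPlay disguise used by USB worms of that era, which is an assumption about this particular sample, not something the log on this page shows).

```python
"""Static triage of an autorun.inf: what would it launch, and is it disguised?

Added example (not from the forum post). Reads the INI-style text only;
it never executes anything it finds.
"""
import re

# Constructed sample autorun.inf, modelled on USB-worm behaviour. The file
# name activexdebugger32.exe is the one quoted in the post; the rest is assumed.
SAMPLE_AUTORUN = """[autorun]
; dropped by the worm; the executable is set to hidden on the drive
open=activexdebugger32.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=activexdebugger32.exe
shell\\open\\command=activexdebugger32.exe
shell\\explore\\command=activexdebugger32.exe
action=Open folder to view files
label=Removable Disk
"""

# Keys that make Windows launch something from the medium.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command= keys register context-menu verbs that also launch.
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\=]+\\command$")
# Extensions that mean "code runs", not a document or an icon.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")


def parse_autorun(text: str) -> dict:
    """Return key -> value for entries under an [autorun*] section.

    Keys are lower-cased (Windows treats them case-insensitively). Comment
    lines (';'), blank lines, a UTF-8 BOM and junk lines without '=' are
    ignored, which is also how the Windows parser tolerates padding.
    """
    entries = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # [autorun] and architecture variants such as [autorun.alpha]
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """Every command line the autorun.inf would hand to Windows, deduplicated."""
    targets = set()
    for key, value in entries.items():
        if key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key):
            targets.add(value)
    return sorted(targets)


def triage(text: str):
    """Return (verdict, launch targets, findings).

    verdict is 'clean' (nothing launched), 'review' (launches a program, as
    a legitimate installer CD might) or 'suspicious' (launches a program
    AND carries disguise indicators typical of removable-media worms).
    """
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = []

    for target in targets:
        parts = target.split()
        exe = parts[0].strip('"').lower() if parts else ""
        if exe.endswith(EXEC_EXT):
            findings.append(f"launches executable {exe}")

    disguise = []
    action = entries.get("action", "").lower()
    if "open folder" in action or "view files" in action:
        disguise.append("action= mimics Explorer's 'Open folder to view files' prompt")
    if "shell32.dll" in entries.get("icon", "").lower():
        disguise.append("icon= borrows a system icon from shell32.dll to look like a plain drive")
    findings.extend(disguise)

    if targets and disguise:
        verdict = "suspicious"
    elif targets:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, targets, findings


if __name__ == "__main__":
    verdict, targets, findings = triage(SAMPLE_AUTORUN)
    print(verdict, targets)
    for f in findings:
        print(" -", f)
```

Run it against a real `autorun.inf` by reading the file and passing the text to `triage()`; any name it reports under `launch targets` is the file to look for on the drive (with `attrib` or `dir /a:h`, since these droppers are usually hidden) and to submit for analysis before anything is double-clicked.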

#3 savasg
Posted 03 October 2008 - 11:46 AM

It did not find anything; log as below.
I think I can basically delete these two related to activexdebugger32, I believe:

"C:\Documents and Settings\Gokhan Savas\Desktop\flash 10 may\1\AUTORUN.INF Infected: Virus.Win32.Small.f 1
C:\Documents and Settings\Gokhan Savas\Desktop\GOKHAN\SDL\flash disk\AUTORUN.INF Infected: Virus.Win32.Small.f 1"
The following 3 are located in my e-mail backup; I think I can delete these as well:
"C:\Documents and Settings\Gokhan Savas\My Documents\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2
C:\Documents and Settings\Gokhan Savas\My Documents\archive.pst Infected: Trojan-Spy.HTML.Citifraud.ai 2
C:\Documents and Settings\Gokhan Savas\My Documents\archive.pst Infected: Trojan-Spy.HTML.Bankfraud.v 2"

The following are located in Norton's quarantine files; Norton is not installed on my computer anymore. Should I delete these?
"C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\138C5335.zip Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\138C5335.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\34AA2366 Infected: Worm.Win32.Agent.p 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3EBD7106.exe Infected: Worm.Win32.VB.an 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\48D53A5D.zip Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\48D53A5D.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\66E93557 Infected: Trojan-Downloader.Win32.Adload.jm 1
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\789D4E35 Infected: Hoax.Win32.Renos.cc 1"

What should I do with these?
"C:\WINDOWS\system32\CD_Gif.dll Infected: not-a-virus:AdWare.Win32.Cydoor 1
C:\WINDOWS\system32\KMON.OCX Infected: not-a-virus:Monitor.Win32.KeyLogger.o 1
C:\WINDOWS\system32\KTKBDHK3.DLL Infected: not-a-virus:Monitor.Win32.KeyLogger.o 1"

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 3

03.10.2008 19:34:21
mbam-log-2008-10-03 (19-34-21).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|)
Objects scanned: 255316
Time elapsed: 6 hour(s), 20 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 DaChew
Posted 03 October 2008 - 11:57 AM

The manual deletions should work; for Norton's I would run the uninstaller also:

http://service1.symantec.com/Support/tsgen...005033108162039

KMON.OCX may be an older leftover malware.

The key logger may be legitimate or not; I hate the idea myself.

Download this file to your Desktop: http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
Start the setup_.exe file and click "Next".
The tool will now be unzipped to its own folder on the Desktop; confirm this by pressing "Next" again.
Now click "Scan" to start the quick scan.
When it's finished, the malware found will be shown to you; press "Delete".
Now click the "Reports" button in the main screen and save the logfile to your Desktop.
Post this logfile in your next reply.
After that you'll get this message: "Do you want to uninstall?"; choose "Yes".
The tool will then be deleted.

This might work better on an older infection; MBAM is too new.
Chewy

No. Try not. Do... or do not. There is no try.

#5 savasg
Posted 04 October 2008 - 09:44 AM

I have run the old-version Kaspersky;
it did not find anything; log as below.
I have manually deleted the Norton, archive, and autorun.inf files.
When I rebooted, Windows did not start properly; the suggestion to start normally was not accepted; I had to run the last successful boot configuration; it opened and I restarted the computer without any problem.


Scan
----
Scanned: 824
Detected: 0
Untreated: 0
Start time: 03.10.2008 21:59:51
Duration: 00:02:55
Finish time: 03.10.2008 22:02:46


Detected
--------
Status Object
------ ------


Events
------
Time Name Status Reason
---- ---- ------ ------


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

#6 DaChew
Posted 04 October 2008 - 10:01 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

Let's check with ATF and SAS from Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#7 savasg
Posted 04 October 2008 - 06:01 PM

Hi Again DaChew

SAS did not find anything; here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/05/2008 at 00:40 AM

Application Version : 4.21.1004

Core Rules Database Version : 3588
Trace Rules Database Version: 1575

Scan type : Complete Scan
Total Scan Time : 05:21:41

Memory items scanned : 174
Memory threats detected : 0
Registry items scanned : 7988
Registry threats detected : 0
File items scanned : 128092
File threats detected : 0
