3 suspicious files in a folder where 5 trojans already detected

3 replies to this topic

#1 petit mel

petit mel

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:24 PM

Posted 20 March 2009 - 10:58 PM

Hi,

I have HP laptop with Vista Home Premium 64bit. I use nod32 antivirus 3.0.684.0 and Comodo Firewall and today I installed SpyBot.

There is a strange folder C:\Users\Maki\AppData\Roaming\_af653503338a0dc8b5043dd28f0675fb with save.ini, control.ini and a folder 'down' with curl.exe, mini000.exe and xxx000.exe files inside of it. In March my nod32 antivirus 3.0.684.0 detected and quarantined 5 infected files in that folder (C:\Users\Maki\AppData\Roaming\_af653503338a0dc8b5043dd28f0675fb\down): im001.exe (Win32/TrojanDownloader.Agent.OTF trojan), ic007.exe (Win32/TrojanDownloader.Small.OLF trojan), tp000.exe (Win32/Agent.OVG trojan), rp000.exe (Win32/Injector.HP trojan), _uptd8083.exe (or __uptd8083.exe) (Win32/VB.NWF trojan). I googled 3 files that are still there and found out that some antivirus programs consider for example mini000.exe as infected but nod32 doesn't recognize them as a threat.

I don't know if I'm infected or not and I even considered deleting the entire folder manually. Can you please help.

Thank you,
Marija
“All that is necessary for the triumph of evil is that good men do nothing”


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:24 PM

Posted 20 March 2009 - 11:33 PM

Hello Marija. Please run this MBAM scan and post the log, I'll look back in the morning.

Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 petit mel

petit mel
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:24 PM

Posted 21 March 2009 - 10:30 PM

Hi boopme,

Thanks for helping me. :thumbsup:

I did what you said although I did read that MBAM doesn't work with 64-bit Vista? Also the folder and files I was asking about, were they scanned and should I do anything regarding that? What is this infection MBAM found?

Here's the log:


Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 6.0.6001 Service Pack 1

22.3.2009 4:10:49
mbam-log-2009-03-22 (04-10-49).txt

Scan type: Quick Scan
Objects scanned: 57498
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:24 PM

Posted 22 March 2009 - 11:54 AM

Hello, here's an online scanner that will work in 64-bit. I just want to get the log so we can be sure of what is infected.

ESET Online Scan; No installation required.
Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

That finding is actually sort of a false positive, more like a registry modification due to something that was done by malware.

The reason these "FP's" as you call them are detected and modified is meant to be as a service to a user whose settings have (at least potentially) been modified by malware, although I do agree that the implementation at least could be better. Perhaps instead of a detection in a normal scan, these could be part of a special section of "fixes" within MBAM that say things like "restore Help item to Start Menu" or something similar, or at least identify the detections in the scans a bit more descriptively so they aren't perceived by users as actual threats, simply as modified settings that are often changed by malware, and perhaps with a message along the lines of "if you made these changes yourself please ignore this detection." And maybe even going as far as not having these items marked for removal by default, instead maybe show that they were detected, but force the user to check a box next to them to remove them so hopefully they'll read what they are.

from MBAM.
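As an added example, not code from this thread or from Malwarebytes, here is a small parser for the MBAM 1.x log format posted in reply #3 that separates file-level detections from "Registry Data Items" entries (the restored policy value boopme describes above as a near false positive). The sample log is constructed from the one in the thread, abridged to the relevant sections.

```python
import re
# Constructed sample: the MBAM 1.34 log posted in this thread, abridged to the relevant sections.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Scan type: Quick Scan

Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# A "Registry Data Items" entry: value path, detection name, bad/good data, action taken.
REG_DATA_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\\S+) \((?P<name>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

def parse_mbam_log(text):
    """Split an MBAM 1.x log into summary counts and the lines listed under each section."""
    counts, sections, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(.+ Infected): (\d+)$", line)
        if not line:
            current = None                      # a blank line ends a detail section
        elif m:                                 # summary line, e.g. "Files Infected: 0"
            counts[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):       # detail section header
            current = line[:-1]
            sections[current] = []
        elif current and line != "(No malicious items detected)":
            sections[current].append(line)
    return {"counts": counts, "sections": sections}

def registry_data_items(report):
    """Decode each registry-data detection into value path, detection name, bad/good data, action."""
    lines = report["sections"].get("Registry Data Items Infected", [])
    return [m.groupdict() for m in map(REG_DATA_RE.match, lines) if m]

def triage(report):
    """'settings-only' when the only hits are restored policy values, not files or processes."""
    counts = report["counts"]
    others = sum(v for k, v in counts.items() if k != "Registry Data Items Infected")
    if others:
        return "malware-found"
    return "settings-only" if counts.get("Registry Data Items Infected", 0) else "clean"
```

For the log in this thread the triage result is "settings-only": nothing was found in memory, on disk or among registry keys, only the NoActiveDesktopChanges policy value that MBAM reset from 1 to 0.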
