UNSTOPPABLE Trojans & Virus, Franklin U680


12 replies to this topic

#1 angelsfire15 (Members, 9 posts)

Posted 20 June 2009 - 10:24 PM

This is for a Windows XP system. I use a Franklin U680 Wireless USB Modem, and the problem seems to be tied to it. Here's the process I go through.

I update all 3 of the following: Malwarebytes, SuperAntiSpyware, and AVG.

1) I reboot in Safe Mode, then I run ATF-Cleaner, wipe everything, and hit Firefox with it too.
2) I run Flash_Disinfector, and hold down on the shift key while I insert the U680 in order to prevent any auto execute malware from running before windows detects the modem.
3) I run SuperAntiSpyware for C:\ D:\(cd drive) and E:\ (the Franklin U680 Modem), with the following items UN-checked:

Ignore files larger than 4MB (recommended)
Ignore non-executable files (recommended)
Ignore System Restore/Volume Information on ME/XP
Scan only known file types (.exe, .com, .dll, etc.)

And the following items CHECKED:
Close browsers before scanning
Scan for tracking cookies
Resolve Links/Shortcuts during scan (.lnk)
Terminate memory threats before quarantining
Scan Alternate Data Streams
Use Kernel Direct File Access (recommended)
Use Direct disk Access (recommended)
Display scan option in Explorer context (right-click) menu

SAS will get rid of HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (abbreviated HKLM\SOFTWARE\AGprotect in SAS) which is always on the U680. Then I unplug the U680 USB modem and restart my computer in Safe Mode

4) Next I go through Flash_Disinfector again, hold shift, plug in the U680. Then I run Malwarebytes on everything (C:\, D:\(cd drive), and E:\ (U680 USB Modem) because HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\avast!AntiVirus is always on the U680 and SAS doesn't get it, however Malwarebytes will. Then I unplug the U680 Modem and restart my computer in Normal Mode.

5) Then, while in normal mode, I run AVG, sometimes it catches stuff that both SAS and Malwarebytes missed.

6) Now I plug in the Franklin U680 Wireless Modem, (without connecting to the internet) and scan it with Malwarebytes and AVG. Both scans show that it's clean.

Then I connect to the internet (with the U680,) I don't open a browser or anything, all I do is connect. At this point, if I run Malwarebytes, even though literally seconds earlier I had just finished scanning with Malwarebytes and AVG, and they both showed E:\ as clean, both of these next 2 malware programs will be on E:\ (every time, guaranteed)

Trojan.Agent Registry Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\avast!AntiVirus

Malware.Trace Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect

And one of these next 2 will usually be on C:\

Trojan.Agent File C:\WINDOWS\Temp\BN5.tmp or Trojan.Agent File C:\WINDOWS\Temp\BN7.tmp


Then this one is less frequent, and I can't find a regular pattern for it, but it's in my quarantine history dozens of times:

Trojan.Agent File C:\WINDOWS\system32\avast!AntiVirus.exe

Anyway, I keep running all the programs I see commonly recommended on this forum, but I must be missing something because I just can't kill this crap.


I have tried using SDfix, but when I try to extract it, I get this:
C:\SDFIX\apps\installed.txt Access is denied.

Also, I can't post any of my mbam logs, because when I try to look at them I get this message:
C:\Documents and Setting\KCMS-08\Application Data\Malwarebytes’ Anti-Malware\Logs\Mbam-log-2009-05-26 (1059-50).txt Access Denied


I don't know if this is related, but I suspect it may be. About 5 weeks ago my computer got infected with a whole bunch of things all at once. That's what prompted me to start poking around on these forums, and I read somewhere that some malware will actually disable your access to your control panel etc. in order to make it harder to remove. That may have happened to me, because when I open up my control panel, nothing in it is accessible. When I try to access "User Accounts," "Add/Remove Programs," "Security Center," or anything else under Control Panel, this is the message I get:

Windows cannot find C:\\WINDOWS\system32\rundll32.exe. Make sure you typed the name correctly, and then try again. To search for a file click the Start button, and then click search.

Although if I open my Task Manager, it will show C:\\WINDOWS\system32\rundll32.exe is running.

But seriously- W...T...F... is wrong with the people who come up with this crap? I'm sure it's frustrating to be an outcast and virgin, and even worse to know that you're going to die as an older, outcast, virgin. And it has to be difficult to talk about it when people will take sand paper to their own raw, exposed brain, rather than have a conversation with you. But that's what internet porn is for, come on.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by angelsfire15, 21 June 2009 - 12:50 AM.



#2 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,981 posts, Romania)

Posted 21 June 2009 - 03:27 AM

Hello angelsfire15, and welcome to BleepingComputer!

It sure can be frustrating, all that malware, but that's what keeps us busy! Let's see if we can get things sorted out for your computer. Please follow the steps below and make sure you run ATF-Cleaner before doing so, since this scan may take some time.

Make sure to print these instructions or save them in a Notepad file, since the steps involve a reboot in Safe Mode.

DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome
Malware analyst @ Emsisoft

#3 angelsfire15 (Topic Starter)

Posted 23 June 2009 - 06:45 PM

Hi Elise, and thank you! Here's that report from Dr. Web's CureIt. I had a question, it looks like I either downloaded malware disguised as SDFix, or maybe some malware tried to hide itself in my SDFix file/folder or something, am I understanding that correctly?

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\KCMS-08\Desktop\Security\SDFix.exe;Tool.Prockill;;

SDFix.exe;C:\Documents and Settings\KCMS-08\Desktop\Security;Archive contains infected objects;Moved.;

RtlUpd64.exe;C:\drivers\audio\R179413;Win32.Virut.56;Cured.;

Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;

A0015056.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP67;Tool.Prockill;Incurable.Moved.;

A0015145.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP67;Tool.Prockill;Incurable.Moved.;

A0015776.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71;Trojan.DownLoad.37569;Deleted.;

A0015791.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71\A0015791.exe;Tool.Prockill;;

A0015791.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71;Archive contains infected objects;Moved.;

A0015792.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71;Win32.Virut.56;Cured.;




After I ran Dr. Web and got this report (following all the steps you laid out) I went ahead and ran Malwarebytes on E:\ and found those same infections:

Malware.Trace Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect

Trojan.Agent Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus




Also, I don't know how it factors in, but I had a question about the behavior of AVG. I have Resident Shield Running all the time, and periodically a message will pop up letting me know it's blocked the action of

Infection Type - - -Virus Name - - - - - - - - - - - - - - Path to File
Infection - - - - Virus identified Win32/Cryptor - - C:\WINDOWS\system32\avast!Antivirus.exe

I can't identify any pattern as far as what is happening or what I'm doing when this message pops up. Do I understand correctly, this infection is sort of "Dormant" and when it tries to do something, AVG "blocks" it?




And I don't know if this is helpful, but when I run PC Tools Spyware Doctor trial version, it finds

Trojan-Proxy.Small.DU
Adware.Component.Unrelated

but the trial version doesn't remove them, it just lets me know they're there lol.

#4 Elise

Posted 24 June 2009 - 12:22 AM

Hi angelsfire15, Dr. Web identified SDFix as a process killer, not as malware. This means your SDFix was most likely not infected, but Dr. Web, since it cannot tell the difference between good and bad programs, recognized it as something that has the potential to be harmful. This is a normal detection, nothing to worry about.

However, Dr. Web also found 2 Virut infections. Virut is an extremely dangerous infection that can infect a large part of your files and make them virtually useless. Since there were only 2 detections and they are not critical files, we may be able to contain this.

But first you have to make sure your other computers are completely isolated from each other. After you do that, please run Dr. Web on the other computers, so we can see if there is Virut there as well.
Please post the logs from both in your next reply. Note: it would be best to burn Dr. Web to a CD and run it from there on the computers, to avoid further infection.

regards, Elise


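The Dr.Web report in #3 and Elise's reading of it above (a Tool.* hit is a dual-use utility, not malware; a Win32.Virut hit is a file infector that changes the whole picture; entries under System Volume Information are restore-point copies) can be turned into a small triage script. This is an added example, not code from the thread, from BleepingComputer or from Dr.Web: the sample lines are copied from the posted report, but the category rules are this example's own assumptions about how to read CureIt's verdict strings, not Dr.Web's classification.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) into categories that need
different handling.

Added example; not code from the thread or from Dr.Web. The sample lines are
copied from the report posted in #3; the category rules below are this
example's assumptions, not Dr.Web's own classification.
"""
import re
from dataclasses import dataclass

# Copied from the CureIt report in post #3: name;path;verdict;action;
SAMPLE_REPORT = r"""
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\KCMS-08\Desktop\Security\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\KCMS-08\Desktop\Security;Archive contains infected objects;Moved.;
RtlUpd64.exe;C:\drivers\audio\R179413;Win32.Virut.56;Cured.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0015776.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71;Trojan.DownLoad.37569;Deleted.;
A0015792.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71;Win32.Virut.56;Cured.;
"""

RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    name: str     # object name; "outer.exe\inner.exe" for a member of an archive
    path: str     # folder the object lives in (for archive members: the archive's full path)
    verdict: str  # Dr.Web signature name, or a container note
    action: str   # what CureIt did: "Cured.", "Moved.", "Deleted.", "" = nothing yet


def parse_report(text):
    """Split CureIt's semicolon-separated report into Detection records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {line!r}")
        records.append(Detection(*fields[:4]))
    return records


def classify(det):
    """Map one detection to the handling it needs (assumed rules)."""
    if RESTORE_POINT.search(det.path):
        # stale copy inside a System Restore point: inert unless restored,
        # cleared by flushing restore points once the live system is clean
        return "restore-point"
    if det.verdict.startswith("Tool."):
        # dual-use utility (here SDFix's process killer), flagged for what it
        # could do rather than for being malware
        return "riskware"
    if det.verdict == "Archive contains infected objects":
        # container flagged only because one of its members was
        return "archive"
    if det.verdict.startswith("Win32.Virut"):
        # polymorphic file infector: every executable on the box is suspect,
        # and "Cured." on two files says nothing about the rest
        return "file-infector"
    return "malware"


def summarize(detections):
    """Count detections per category."""
    counts = {}
    for det in detections:
        cat = classify(det)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def live_infector_hits(detections):
    """Full paths of file-infector hits outside restore points; any of these
    means the machine cannot be trusted until every executable is re-scanned."""
    return [f"{d.path}\\{d.name}" for d in detections if classify(d) == "file-infector"]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for d in dets:
        print(f"{classify(d):14} {d.verdict:36} {d.path}\\{d.name}")
    print(summarize(dets))
    print("escalate:", live_infector_hits(dets))
```

Run against the posted report it yields two riskware hits, one archive note, two restore-point copies and one live Virut hit on RtlUpd64.exe, which is exactly the item that changes the cleanup plan.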


#5 angelsfire15 (Topic Starter)

Posted 24 June 2009 - 02:10 PM

Yeah, I've kept the infected computer isolated; I manually turned off its ability to connect to my wireless router, and I only connect to the internet via the U680 USB modem. I've run a bunch of diagnostics on my other PC just in case, and it's clean. Which is comical, actually. I had a Toshiba laptop for almost 5 years, and never once had any kind of protection, literally. And never got any kind of infection. This other computer I had for a week with all kinds of protection, and it nearly gets crippled...

#6 Elise

Posted 24 June 2009 - 02:24 PM

Hi angelsfire15,

Can you please list for me which tools you ran before posting your problem? I see in your Dr. Web log that you already cleaned some items at an earlier time.

Let's see if another scan reveals more about that AVG popup. The Spyware Doctor detections are no problem. Actually, there are better spyware scanners that are completely free. So if these items are still there, we will get them.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

regards, Elise




#7 angelsfire15 (Topic Starter)

Posted 24 June 2009 - 02:47 PM

Yep, I've been using:

Malwarebytes
Super Anti-Spyware
Flash_Disinfector
AVG
CCleaner
ATF-Cleaner
PC Tools Registry Mechanic 7.0 (Full Version)
PC Tools Spyware Doctor (Free Version) although I now have a key for a full version, I just need to decide if I want to use it on this computer.

At first I was just trying to get the best spyware program, but I've found that no single program will get everything, and they each will get stuff that the other programs won't.

#8 Elise

Posted 24 June 2009 - 02:52 PM

Hi again,

I see you have a registry cleaner on your computer. BC does not recommend the use of these kinds of programs. They do NOT improve the performance of your computer and may cause huge problems. It's really not worth it.

Can you post the results of the MBAM scan? If it will not run correctly, try renaming it as explained in my previous post.

As for your conclusion that no tool provides 100% protection, that's right. A combination of different tools, with as a golden rule one active firewall and one active antivirus program, is most effective.

regards, Elise




#9 angelsfire15 (Topic Starter)

Posted 24 June 2009 - 03:16 PM

There's a problem with posting my mbam log: when I try to open the .txt logs, I get

C:\Documents and Settings\KCMS-08\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2009-05-26 (10-59-50).txt

Access is denied.



I'm logged in as an administrator, so I'm not sure what the problem is.

#10 angelsfire15 (Topic Starter)

Posted 24 June 2009 - 05:36 PM

I've also added StopZilla; some of the features you have to pay for, but some are free, like the Real-Time Protection. When I view the event log:

"Suspicious network activity terminated. Activity type: Too many SMTP connections."

I've been on google for an hour now trying to figure out what the implications are, and I really haven't made any progress...

#11 Elise

Posted 25 June 2009 - 01:40 AM

Hi angelsfire15, you are definitely infected with some bad stuff, that is why you have all these problems. Let's see if we can run SUPERAntiSpyware. I see you have installed it already, so you can skip the install steps below. I post them in case you have uninstalled the program.

Please run ATF cleaner before running SuperAntispyware, since the scan might take some time.

SUPERANTISPYWARE
----------------------------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise




#12 angelsfire15 (Topic Starter)

Posted 26 June 2009 - 02:32 AM

Ran ATF-Cleaner and then SAS like you said, (in safe mode) here’s the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/25/2009 at 03:40 PM
Application Version : 4.26.1004
Core Rules Database Version : 3949
Trace Rules Database Version: 1891
Scan type : Complete Scan
Total Scan Time : 00:34:00
Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 5307
Registry threats detected : 2
File items scanned : 58177
File threats detected : 0

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg

Then after I ran SAS I rebooted, went back into Safe Mode, and ran Malwarebytes on C:\, D:\ (CD drive) and E:\ (U680 USB modem), and this is what Malwarebytes came up with; I have to type it because whenever I try to access the logs it tells me access denied:

Malwarebytes: (This is one of the 2 infections I always find, this time I think SAS got the other one first.)
Trojan.Agent Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus


Then I rebooted, back into Safe Mode, and ran AVG, but it came up with nothing.

After AVG I rebooted again, started back up in Safe Mode and ran Dr. Web CureIt; here's that info:
Dr. Web CureIt
A0015793.exe;C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71;Tool.Prockill;Incurable.Moved.;

Then I rebooted into normal mode, as PC Tools Spyware Doctor recommends that you run it in normal mode if you can. You can't launch into a full scan; you can only start a quick scan before you have the option of the full scan. Here's what the Spy Doctor quick scan yielded:
Spy Doctor
6/25/2009 9:38:42 PM:937
Scan Started
Scan Type - Intelli-Scan

6/25/2009 9:39:10 PM:406
Infection was detected on this computer
Threat Name - Adware.Component.Unrelated
Type - Registry Value
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Desktop, id

6/25/2009 9:39:39 PM:828
Infection was detected on this computer
Threat Name - Trojan-Proxy.Small.DU
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Desktop, id

6/25/2009 9:40:36 PM:93
Scan Finished
Scan Type - Intelli-Scan
Items Processed - 266948
Threats Detected - 2
Infections Detected - 2
Infections Ignored - 0

6/25/2009 9:47:51 PM:890
Immunizer Results
ActiveX section has been immunized. No items were processed.

6/25/2009 9:49:12 PM:859
Infection quarantined
Threat Name - Adware.Component.Unrelated
Type - Registry Value
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Desktop, id

6/25/2009 9:49:12 PM:875
Infection cleaned
Threat Name - Adware.Component.Unrelated
Type - Registry Value
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Desktop, id

6/25/2009 9:49:13 PM:31
Infection quarantined
Threat Name - Trojan-Proxy.Small.DU
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Desktop, id

6/25/2009 9:49:13 PM:109
Infection cleaned
Threat Name - Trojan-Proxy.Small.DU
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Desktop, id

6/25/2009 9:49:15 PM:203
Infections Quarantined/Removed Summary
Quarantined - 2
Quarantine Failed - 0
Removed - 2
Remove Failed - 0



And then I had the option of running a full scan, which I did, and it found 14 instances of the same kind of infection. Below is a sample of how the Spy Doctor reports are set up.

The first page and a half are all "Infection was detected on this computer"; there was a paragraph like this one for each instance detected:

Scan Type - Full Scan
6/25/2009 10:59:12 PM:484
Infection was detected on this computer
Threat Name - Trojan-PWS.Bancos.PWN
Type - File
Risk Level - Medium
Infection - C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP61\A0010417.sys

Then the next page and a half or so was all like this, "Infection quarantined": 14 entries just like this one, one for each instance:

Infection quarantined
Threat Name - Trojan-PWS.Bancos.PWN
Type - File
Risk Level - Medium
Infection - C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP74\A0016989.sys
6/26/2009 1:33:24 AM:718


Then the last page and a half are the same 14 infections being reported individually as "Infection cleaned", like this one:

Infection cleaned
Threat Name - Trojan-PWS.Bancos.PWN
Type - File
Risk Level - Medium
Infection - C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP74\A0016989.sys
6/26/2009 1:33:26 AM:781

I have access to the full individual report on each of the 14 infections if that’s helpful, but I figured this would give you the idea. According to Spy Doctor this was a fairly serious infection, designed to steal passwords, although they only gave it a medium security rating. I don’t know how much more serious it gets than stealing bank passwords, so I found that kind of confusing. Then as I was typing all this, AVG (I have it running in the background) popped up with this:

"Virus identified Win32/Cryptor";"C:\WINDOWS\system32\avast!Antivirus.exe";"Deleted";"6/26/2009, 1:52:28 AM";"file";"C:\WINDOWS\system32\services.exe"


And that reminded me, I don't understand what WHITE-LISTED means, but I gather that AVG won't terminate something that has been dubbed as such:

"Trojan horse Rootkit-Agent.DI";"C:\WINDOWS\system32\drivers\ndis.sys";"Object is white-listed (critical/system file that should not be removed)";"6/25/2009, 11:14:23 PM";"file";"C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe"

#13 Elise

Posted 26 June 2009 - 03:07 AM

Hi angelsfire15,

First of all, whitelisted means that a certain file is added to a whitelist, a list of trusted files that will be excluded from scanning (in this case).
The problem here is that a whitelisted file is recognized as a trojan. Normally this file is a Windows core file, so we will have to figure out whether this is a false positive or a real infected file. Since Virut was detected in two instances, we will have to look further into this. Therefore we will upload this file and see what the online scanners come up with.

UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button, navigate to the following file and click Send file.

C:\Windows\system32\drivers\ndis.sys

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.


Oh, and not to forget about Spy Doctor. The items there are found in System Restore; that means they are remains of infections you have already removed. Once your machine is clean you can create a new one and remove the older ones. You will be instructed then how to do this. Leave them for now.

regards, Elise


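The situation Elise describes above, a file AVG matched to a rootkit signature but would not remove because it sits on AVG's critical-file whitelist, is worth handling in code rather than by eye: pull the whitelisted objects out of the Resident Shield history posted in #12, then check the file independently by hash instead of trusting either verdict. This is an added example, not code from the thread, from AVG or from VirusTotal. The two history records are copied from #12; the column meaning assumed here (detection; object; result; time; object type; process that was accessing the object) is this example's reading of AVG 8's export and not a documented format, and the "known-good" hash table and the files hashed in demo() are constructed, since the real ndis.sys is not shipped with this page.

```python
"""Triage AVG Resident Shield history records and hash-check a file that AVG
flagged but left alone because it is on its critical-file whitelist.

Added example; not code from the thread, from AVG or from VirusTotal. The two
records are copied from post #12; the column meanings are an assumption about
AVG 8's history export; the known-good table and the files in demo() are
constructed for the demo.
"""
import csv
import hashlib
import io
import os
import tempfile
from dataclasses import dataclass

AVG_HISTORY = r'''
"Virus identified Win32/Cryptor";"C:\WINDOWS\system32\avast!Antivirus.exe";"Deleted";"6/26/2009, 1:52:28 AM";"file";"C:\WINDOWS\system32\services.exe"
"Trojan horse Rootkit-Agent.DI";"C:\WINDOWS\system32\drivers\ndis.sys";"Object is white-listed (critical/system file that should not be removed)";"6/25/2009, 11:14:23 PM";"file";"C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe"
'''


@dataclass(frozen=True)
class AvgEvent:
    detection: str  # signature AVG matched
    obj: str        # file the signature matched on
    result: str     # what Resident Shield did about it
    when: str       # local timestamp as AVG wrote it
    kind: str       # object type ("file")
    process: str    # process touching the object when it was scanned (assumption)


def parse_avg_history(text):
    """Parse AVG's semicolon-separated, double-quoted history export."""
    events = []
    for rec in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(rec) != 6:  # blank lines, truncated records
            continue
        events.append(AvgEvent(*rec))
    return events


def is_whitelisted(ev):
    """AVG logged a signature match but refused to act on the file."""
    return ev.result.lower().startswith("object is white-listed")


def whitelisted_hits(events):
    """Files that matched a signature yet were not removed. The whitelist
    protects the file from AVG, not from a file infector, so these need an
    independent check (hash lookup, VirusTotal) rather than trust."""
    return [ev.obj for ev in events if is_whitelisted(ev)]


def sha256_of(path):
    """Hash a file in chunks; the digest can be searched on VirusTotal
    without uploading the file itself."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_known_good(path, known_good):
    """True if the file's SHA-256 is in a table of hashes taken from a clean
    install of the same Windows build and service pack (constructed here)."""
    return sha256_of(path) in known_good


def demo():
    """Constructed demo: a stand-in driver image and the same image with bytes
    appended, the shape a file infector leaves behind. Only the unmodified
    file matches the known-good table."""
    clean = b"MZ" + b"\x00" * 62 + b"stand-in ndis.sys body (constructed)"
    known_good = {hashlib.sha256(clean).hexdigest()}
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, body in (("clean", clean), ("patched", clean + b"\x90" * 16)):
            path = os.path.join(tmp, f"{label}.sys")
            with open(path, "wb") as f:
                f.write(body)
            verdicts[label] = matches_known_good(path, known_good)
    return verdicts


if __name__ == "__main__":
    events = parse_avg_history(AVG_HISTORY)
    for ev in events:
        flag = "WHITELISTED" if is_whitelisted(ev) else "handled"
        print(f"{flag:11} {ev.detection:32} {ev.obj}  (via {ev.process})")
    print("needs independent check:", whitelisted_hits(events))
    print("demo hash check:", demo())
```

The point of the hash step is that it answers the false-positive-or-infected question without either scanner's opinion: a Windows driver from a clean install of the same build hashes identically on every machine, and a Virut-style infector that appends to the file changes the digest. Searching the digest on VirusTotal also avoids uploading a possibly infected system file at all.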




