Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SAS found trojan.agent/gen-pec


  • Please log in to reply
15 replies to this topic

#1 nizzy

nizzy

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 28 July 2009 - 06:26 PM

I do not know where this came from but I allowed SAS to remove it and I am rescanning right now
Posted Image

EDIT

I re scanned with SAS and it did not find the trojan so is it gone? or was that a nasty one?
I will scan with Ad-aware, spybot, MBAM and AVG 8.5 tomorrow but please leave some feed back for me as this is the first trojan I have found.

Edited by nizzy, 28 July 2009 - 07:47 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:51 AM

Posted 29 July 2009 - 01:14 AM

Hello although there can be many variants of Pev.exe, I feel this one will not be an issue. As I haves een it metioned as a false positive at SAS forums.
Please disable spybot's te timer if active before running the Malwarebytes scan. Please post that log too. With MBAM and SAS. i would acyually remove both adaware and spybot. I feel they may be slowing your PC down. You have too many programs.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 29 July 2009 - 06:40 AM

I only scan with those maybe once a month so not too often,
MBAM found this

Malwarebytes' Anti-Malware 1.39
Database version: 2525
Windows 6.0.6002 Service Pack 2

29/07/2009 12:36:44
mbam-log-2009-07-29 (12-36-44).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 227335
Time elapsed: 1 hour(s), 13 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\DivX\divx converter\pS2Xx.ddc (Backdoor.Bot) -> Quarantined and deleted successfully.

I have not used DivX at all since getting the computer 20+ months ago :thumbsup:

(I shall post this in MBAMs forum incase its a false positive or something)

Edit

Rescanned with SAS and all it found was the tracking cookie no trojan this time.

Edited by nizzy, 29 July 2009 - 08:07 AM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:51 AM

Posted 29 July 2009 - 09:00 AM

Hello any more signs of the infections?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 29 July 2009 - 10:22 AM

Just scanned with SpyBot and that found nothing.
Will re scan with MBAM later to make sure it removed it.
Any opinions on what I have found?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:51 AM

Posted 29 July 2009 - 10:35 AM

Hi,Yes I do,i was waiting to see if there were more.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 29 July 2009 - 10:47 AM

Well I do not do banking online and have only purchased things online a few times so the sites do not remember those details, everything else is just plain browsing, I do not even go off the beaten track on the internet so I have no clue as to how they would have gotten on there, plus I do not really have access to a clean PC,
I checked MBAM site and the backdoor might be a false positive http://www.malwarebytes.org/forums/index.p...hl=backdoor.bot what do you think?

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:51 AM

Posted 29 July 2009 - 11:16 AM

Yes it probably is a false Positive..
Report it to MBAM so you are sure..

http://www.malwarebytes.org/forums/index.php?showtopic=3228
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 29 July 2009 - 12:52 PM

Thanks for that I would hate to have to reformat as I am a newbie at all this!
I have mentioned it to them and am awaiting reply.

The "trojan" PEV.EXE you said was a false positive also seems to possibly come from me not unistalling combofix that last time does that sound likely?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:51 AM

Posted 29 July 2009 - 01:16 PM

Very possible.. Also note the blue text at the top of this forum.

Remove Combofix now that we're done with it.
Click on your Start Menu, then Run....
Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".


When shown the disclaimer, Select "2"
This will remove files/folders assoicated with combofix and uninstall it.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 29 July 2009 - 01:26 PM

I had to run it last time thats the only reason I had it, It uninstalled but it did not give me a option to select "2" it just said that it detected my AVG and that carrying on was at my own risk then a small blue screen popped up and another little box saying it had unistalled, I moved the desk top icon to the recycle bin so that should be that totally gone fingers crossed.

Edited by nizzy, 29 July 2009 - 01:26 PM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:51 AM

Posted 29 July 2009 - 01:30 PM

Ok good.. If it ever shows again choose to quarantine it and leave it there.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 29 July 2009 - 01:32 PM

Why quarantine it?

Thanks for your help I will get back to you about the backdoor.bot when MBAM get back to me.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:51 AM

Posted 29 July 2009 - 01:40 PM

Welll I guees it's that or ignore.. If it is referencing the now defunct combofix,then it will do no harm sitting there. If it was actually a malware then it cannot harm your PC. Also if somehow it was actually a needed file for the stability of the PC we did not delete it. My logic to this somewhat iffy file.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 05 August 2009 - 01:15 PM

Looks like it was confirmed a false positive so I thought I would give you the link for it!
http://www.malwarebytes.org/forums/index.php?showtopic=19656
This is the link that I made for both "infections" http://www.malwarebytes.org/forums/index.php?showtopic=20351
Thank you for your help :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users