
Please, what is this?


3 replies to this topic

#1 CaptainSensible
  • Members
  • 3 posts

Posted 07 October 2009 - 02:50 AM

Dear All,
Firstly, please forgive my lack of computer-esque knowledge. I am rather dull in this department.

I come seeking help with a strange .exe file named "restorer32a". This file has popped up in my user directory. There is a small graphic beside the file name depicting two eyes and a raised eyebrow. The file is presently 26.3KB. I cannot delete this file. When I try, I am told I need permission to continue. There is another file above it which I can delete, this file inevitably returns though. It is called "oashdihasidihasu......(etc)". This file is presently 1 byte.

I am having problems running Defender Firewall, I get told that 'Security Centre can't turn on Windows Firewall', although when I scan the above-mentioned files with AVG 8.5 and Malwarebytes I get no errors. Is this a nasty file of sorts? How can I get rid of it?

I am using Windows Vista.
Thanks Kindly,
CS

Ps. If anyone could let me know how to take a screenshot, that would be lovely (I know to press prtsc, but then what?) :thumbsup:

Edited by CaptainSensible, 07 October 2009 - 02:56 AM.



#2 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,766 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 October 2009 - 07:56 AM

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

Tools to investigate running processes and gather additional information to identify them and resolve problems: These tools will provide information about each process, CPU usage, file description and its path location. If you right-click on a file and select properties, you will see more details.

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Then post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 CaptainSensible (Topic Starter)
  • Members
  • 3 posts

Posted 08 October 2009 - 05:51 AM

Here is the Malwarebytes log of a scan I ran last night. I hope it's meaningful to someone. I seem to have gotten rid of the two files mentioned in my previous post (and identified by Malwarebytes, below). However, my Windows firewall is still not turning on.

Any suggestions are welcome,
Thanks!

Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 6.0.6001 Service Pack 1

8/10/2009 7:34:22 AM
mbam-log-2009-10-08 (07-34-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 227788
Time elapsed: 1 hour(s), 20 minute(s), 36 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Users\Scott\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\restorer32_a (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Scott\Downloads\registryfix.exe (Rogue.Installer) -> No action taken.
C:\Users\Scott\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Scott\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.
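Two things in this thread lend themselves to a worked example: quietman7's heuristics in post #2 (a system-file name running from a directory it does not belong in, and a Run-key autostart entry) and the format of the MBAM log in post #3. The Python below is an added example, not code from either poster or from Malwarebytes: it parses a constructed, trimmed copy of the log above, cross-checks the headline counts against the items actually listed (which catches a truncated paste), and tags each finding with the reasons a responder would look at it. The regular expressions, the `SYSTEM_BINARY_HOME` allow-list and the reason strings are assumptions made for this example; the paths and detection names are the ones in the posted log.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: a trimmed copy of the MBAM 1.x report posted in this thread,
# in the same line format, so the parser can be exercised offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 6.0.6001 Service Pack 1

Memory Processes Infected: 1
Registry Values Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Users\Scott\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\restorer32_a (Trojan.FakeAlert) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Scott\Downloads\registryfix.exe (Rogue.Installer) -> No action taken.
C:\Users\Scott\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Scott\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.
"""

# "<Section> Infected: N" is a summary line; "<Section> Infected:" opens that section's item list.
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# Item lines: "<file or registry path> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Exactly one path component below C:\Users\<name>\ : installers do not put binaries there.
PROFILE_ROOT_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+$", re.IGNORECASE)
# Constructed allow-list (not from the thread): names that belong only under these directories.
SYSTEM_BINARY_HOME = {"svchost.exe": "c:\\windows\\system32\\", "explorer.exe": "c:\\windows\\"}

Finding = namedtuple("Finding", "section target category action")

def parse_mbam_log(text):
    """Return (database_version, summary_counts, findings) from an MBAM 1.x text report."""
    version, summary, findings, section = None, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            version = int(line.split(":", 1)[1])
            continue
        m = HEADER_RE.match(line)
        if m:
            if m.group("count") is None:
                section = m.group("section")          # item list for this section follows
            else:
                summary[m.group("section")] = int(m.group("count"))
            continue
        m = ITEM_RE.match(line)                       # "(No malicious items detected)" never matches
        if section and m:
            findings.append(Finding(section, m["target"], m["category"], m["action"]))
    return version, summary, findings

def summary_mismatches(summary, findings):
    """Sections whose headline count disagrees with the items listed (e.g. a truncated paste)."""
    listed = Counter(f.section for f in findings)
    return {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]}

def masquerades_as_system_file(path):
    """Post #2's first heuristic: a well-known system-file name outside its normal directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    home = SYSTEM_BINARY_HOME.get(name)
    return home is not None and not path.lower().startswith(home)

def triage(findings):
    """Map each target to the reasons it deserves attention, following the advice in post #2."""
    reasons = {}
    for f in findings:
        why = reasons.setdefault(f.target, set())
        if RUN_KEY_RE.search(f.target):
            why.add("autostart entry under a Run key")
        if PROFILE_ROOT_RE.match(f.target):
            why.add("file sits directly in the user profile root")
        if masquerades_as_system_file(f.target):
            why.add("system file name outside its normal directory")
        if f.action.lower().startswith("no action"):
            why.add("logged as 'No action taken', so it was not removed")
    return {t: sorted(w) for t, w in reasons.items() if w}

if __name__ == "__main__":
    version, summary, findings = parse_mbam_log(SAMPLE_LOG)
    print(f"database version {version}; mismatches: {summary_mismatches(summary, findings)}")
    for target, why in triage(findings).items():
        print(target, "->", "; ".join(why))
```

Run as a script it prints one line per finding. The "No action taken" tag is exactly the situation post #4 addresses: the scan listed the items but nothing was ticked for removal, so a rescan with removal selected and a reboot is the next step. The `summary_mismatches` check is worth keeping in any log triage script, because pasted logs are often cut off and the headline counts are the only way to notice.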

#4 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,766 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 October 2009 - 06:56 AM

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 2917. Last I checked it was 2924.

If you cannot update through the program's interface and have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, be aware that mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

