First time of an alert of virus on PC

7 replies to this topic

#1 retiredbri (Members, 7 posts)

Posted 14 January 2010 - 06:56 AM

I have had times when a virus was intercepted trying to get into my PC but, up to now, I've not had one inside my PC that could have run so this is a first for me.

On 8 Jan, Trojan-Downloader.Win32.Agent.cyzf was located on my PC by Kaspersky Internet Security 7 (KIS 7) as file cltest.exe (used by Power DVD to check the external DVD). This file has been on my PC for many years. At this time VirusList.com did not report this trojan.

I accepted the KIS instruction to delete it to the KIS backup together with two files in the Restore folder and then started a full scan of my PC.
The event log strangely reports KIS turned off for about 6 minutes. I do not think I turned it off.
I panicked because a similar trojan Agent.alby turns off KIS, captures screens and is a key-logger.

Early on 9 Jan, I reported everything to Kaspersky and sent the files and the GetSystemInfo (GSI) file.
I conducted a full computer scan followed by a rootkit scan and KIS reported no problems found.
However, it seemed that everything had slowed down so I was concerned that during the time KIS7 was off, the virus had established itself as a legitimate programme.

I could not get a quick answer to my GSI report, but I was "informed" that Combofix would tell me more. I followed the instructions on this site and ran Combofix and the report was produced. Apart from Combofix deleting three files, it all went as per your instructions. I did not make any changes to my PC and Combofix didn't tell me to do anything.

Only now, reading this forum, I realise I shouldn't have run Combofix. Can I now send the report so that someone can have a look please and tell me what it means?

I have run a CD with a .wmf file and it appears to work so not sure if the missing cltest.exe (that was deleted) file was doing anything.

Being wise after the event, it could be something as simple as cltest.exe giving a false positive. Because no one wants to give me the answer, I fear it is something worse?

Regards

retiredbri
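The question in the post above is whether a file that has sat on the disk for years can be a false positive. The evidence a practitioner collects before deciding is the file's hash (to submit to the vendor), its Authenticode signature, its embedded version information, and its timestamps; a long-unchanged, validly signed vendor binary that only starts being detected after a signature update leans strongly towards a false positive. The script below is an added example, not something posted in the thread or shipped by Kaspersky or CyberLink; it assumes Windows PowerShell 4 or later (for Get-FileHash) and the path to cltest.exe is a placeholder to be replaced with the one the AV alert reported.

```powershell
# Added example (not from the thread): gather the evidence needed to judge
# whether an AV detection on a long-present file is a false positive.
# Assumes Windows PowerShell 4+; the path passed at the bottom is a placeholder.
function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # The AV may already have moved the file to its quarantine/backup store;
        # restore a copy from there before re-running this report.
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path           = $item.FullName
        Exists         = $true
        SizeBytes      = $item.Length
        Created        = $item.CreationTime
        LastWritten    = $item.LastWriteTime        # years old and unchanged is a good sign
        SHA256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Company        = $item.VersionInfo.CompanyName
        Product        = $item.VersionInfo.ProductName
        FileVersion    = $item.VersionInfo.FileVersion
        SignatureState = $sig.Status                # Valid / NotSigned / HashMismatch / ...
        Signer         = $sig.SignerCertificate.Subject
    }
}

# Placeholder path; substitute the location your AV reported.
Get-SuspectFileReport -Path 'C:\Path\To\cltest.exe' | Format-List
```

Read the output as a whole: a SignatureState of Valid with the expected vendor as Signer and a LastWritten date predating the detection is the false-positive pattern; HashMismatch or NotSigned on a file that claims to be a vendor component is the opposite and warrants submitting the SHA256 to the vendor rather than simply restoring it.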

#2 quietman7, Bleepin' Janitor (Global Moderator, 50,945 posts, Virginia, USA)


Posted 14 January 2010 - 10:55 AM

Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

ComboFix logs, where should I post them?


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 retiredbri, Topic Starter (Members, 7 posts)


Posted 19 January 2010 - 04:32 PM

All appears OK, just need some help to finish.

I tried to run Combofix /U to remove it from my pc but it didn't want to run.

Can I just delete (shift-delete so they do not go to the recycler) the three folders with Combofix in and PEV.exe in the Windows folder, then purge the System Restore to clean out all old files?

Regards

retiredbri

#4 quietman7, Bleepin' Janitor (Global Moderator, 50,945 posts, Virginia, USA)


Posted 20 January 2010 - 01:07 PM

To uninstall ComboFix, press the Windows Key + R keys on your keyboard or go to Start > Run... and in the Open dialog box, type: ComboFix /Uninstall
  • Press OK.
  • This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.
-- Vista users can refer to these instructions: How to Enable Run Command in Vista
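The uninstall step described in the post above is one command, but it promises several side effects: the tool's folders and files removed, Explorer's hide-extensions and hide-system-files defaults restored, the old restore points purged, and a fresh restore point created. The script below is an added example (not from the thread and not part of ComboFix) that checks those outcomes afterwards. It assumes an elevated Windows PowerShell on a client edition of Windows, since Get-ComputerRestorePoint is not available on Server; the leftover path list is an assumption seeded with the one file the poster named (PEV.exe in the Windows folder), and you should add the ComboFix folders you actually observed.

```powershell
# Added example (not from the thread): verify the state that "ComboFix /Uninstall"
# is described as leaving behind. Run elevated on a Windows client OS.
function Test-ComboFixCleanup {
    param(
        # Assumption: only PEV.exe is named in the thread; add the ComboFix
        # folders you saw on your own system to this list.
        [string[]] $LeftoverPaths = @("$env:SystemRoot\PEV.exe")
    )

    # Explorer view settings live here; absent values mean Explorer defaults.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

    $remaining = @($LeftoverPaths | Where-Object { Test-Path -LiteralPath $_ })

    $latest = $null
    try {
        $rp = Get-ComputerRestorePoint -ErrorAction Stop |
              Sort-Object SequenceNumber | Select-Object -Last 1
        if ($rp) { $latest = $rp.ConvertToDateTime($rp.CreationTime) }
    } catch {
        Write-Warning "Could not enumerate restore points: $($_.Exception.Message)"
    }

    $extHidden    = ($adv.HideFileExt -ne 0)      # 1 (or unset) = extensions hidden
    $hiddenHidden = ($adv.Hidden -ne 1)           # 1 = show hidden files; 2/unset = hide
    $sysHidden    = ($adv.ShowSuperHidden -ne 1)  # 1 = show protected OS files

    [pscustomobject]@{
        LeftoversRemaining = $remaining
        ExtensionsHidden   = $extHidden
        HiddenFilesHidden  = $hiddenHidden
        SystemFilesHidden  = $sysHidden
        LatestRestorePoint = $latest
        LooksClean         = ($remaining.Count -eq 0 -and $extHidden -and $hiddenHidden -and $sysHidden)
    }
}

Test-ComboFixCleanup | Format-List
```

If LeftoversRemaining is non-empty the uninstall did not complete; that is the case to re-run the command (with the AV temporarily disabled, as the later replies advise) rather than to shift-delete the folders by hand. A LatestRestorePoint timestamp from just after the uninstall, with nothing older listed, confirms the restore cache was purged and recreated as described.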

#5 retiredbri, Topic Starter (Members, 7 posts)


Posted 21 January 2010 - 05:07 AM

To uninstall ComboFix, press the Windows Key + R keys on your keyboard or go to Start > Run... and in the Open dialog box, type: ComboFix /Uninstall


Thanks for the info.
I tried the /U command but my KIS7 (Kaspersky Internet Security ver 7) kept alerting me to unusual processes so I stopped.
Do I therefore need to turn KIS off before running Combofix /Uninstall and, if I do, should I disconnect from the Internet because with KIS off the Firewall will not be working?

Finally, I haven't found instructions for Combofix /Uninstall. Does the Uninstall ever throw up any problems and does it take a long time to run? The instructions to run Combofix were very descriptive and explained what was happening and reinforced the need to "wait" at certain times.

Thanks for all your time and expertise

Regards

retiredbri

#6 quietman7, Bleepin' Janitor (Global Moderator, 50,945 posts, Virginia, USA)


Posted 21 January 2010 - 08:40 AM

If KIS is interfering, then disconnect from the Internet and temporarily disable it until you are finished.

Any program can "hiccup" from time to time. Just run the command as instructed and let CF do its thing...it shouldn't take long.

#7 retiredbri, Topic Starter (Members, 7 posts)


Posted 22 January 2010 - 12:14 PM

If KIS is interfering, then disconnect from the Internet and temporarily disable it until you are finished.

Any program can "hiccup" from time to time. Just run the command as instructed and let CF do its thing...it shouldn't take long.



Thanks - all now gone and PC clean.

It was a false positive but Kaspersky Support didn't respond, so I "tried" Combofix.
Never again - I'll come here first in the future.

Great Forum - real big thanks for providing all your time helping us.

This thread can be closed

Regards

Retiredbri

#8 quietman7, Bleepin' Janitor (Global Moderator, 50,945 posts, Virginia, USA)


Posted 22 January 2010 - 01:09 PM

You're welcome and thank you for the kind words.
