
External Drive Infections, Damaged files, infected objects, Help Neeeded


11 replies to this topic

#1 rogue212

  • Members
  • 31 posts

Posted 16 March 2010 - 06:46 PM

Please don't close this post, I just need some advice on what to do.

After scanning two of my external hard drives with F-Prot it reported: damaged files, contain infected objects or are infected. Infections reported include. W32/Trojan3.BAT, W32/Backdoor2.DXMC (exact), W32/BackdoorX.BUJG, W32/Backdoor2.DAVN (exact), W32/Backdoor2.BBNJ (exact), W32/Backdoor2.AXXB, W32/Skintrim.1!Generic, but the main one is W32/Backdoor2.DXMC.

This also keeps appearing on all partitions and drives, .Trash-999 folder.

Seven infected files sent to Virustotal, scan results:

AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
Authentium 5.2.0.5 2010.03.15 W32/Heuristic-210!Eldorado, W32/Backdoor2.DXMC
AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
CAT-QuickHeal 10.00 2010.03.15 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.15 Trojan.Backdoor-11
Comodo 4272 2010.03.15 UnclassifiedMalware, Heur.Packed.Unknown
eSafe 7.0.17.0 2010.03.14 Win32.Banker
F-Prot 4.5.1.85 2010.03.15 W32/Heuristic-210!Eldorado, W32/Backdoor2.DXMC
Ikarus T3.1.1.80.0 2010.03.15 Backdoor.Rbot
Jiangmin 13.0.900 2010.03.15 Backdoor/Huigezi.2008.tfj
K7AntiVirus 7.10.997 2010.03.13 Trojan.Win32.Malware.1
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
PCTools 7.0.3.5 2010.03.15 Packed/PeSpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
TheHacker 6.5.2.0.233 2010.03.15 W32/Behav-Heuristic-070
VirusBuster 5.0.27.0 2010.03.14 Packed/PeSpin
Sophos 4.51.0 2010.03.15 MadCodeHook
Norman 6.04.08 2010.03.14 W32/Hupigon.JDZS
TrendMicro 9.120.0.1004 2010.03.15 PAK_Generic.001
VirusBuster 5.0.27.0 2010.03.14 Backdoor.Agent.ISZS
CAT-QuickHeal 10.00 2010.03.15 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.15 Trojan.Backdoor-11
Comodo 4272 2010.03.15 UnclassifiedMalware
eSafe 7.0.17.0 2010.03.14 Win32.Banker
F-Prot 4.5.1.85 2010.03.15 W32/Heuristic-210!Eldorado
Ikarus T3.1.1.80.0 2010.03.15 Backdoor.Rbot
Jiangmin 13.0.900 2010.03.15 Backdoor/Huigezi.2008.tfj
K7AntiVirus 7.10.997 2010.03.13 Trojan.Win32.Malware.1
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
PCTools 7.0.3.5 2010.03.15 Packed/PeSpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
TheHacker 6.5.2.0.233 2010.03.15 W32/Behav-Heuristic-070
VirusBuster 5.0.27.0 2010.03.14 Packed/PeSpin

Have I lost all the data on my external drives? Is there an infection spreading and infecting more and more of my files? What can I do? Please, any advice. In all, about seven files contained these infections; the others I can't scan due to their size, or they won't upload, or they are damaged. Thanks.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Location:NJ USA

Posted 16 March 2010 - 09:30 PM

Hello ,well first some advice on Backdoor infections.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


To clean, run DDS.
We need a deeper look, please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 rogue212


Posted 17 March 2010 - 06:19 AM

So if they are on my external hard drives, detected in program exe files that have not been installed, can they still infect my computer or other files on that drive and jump to my current computer? Thanks.

#4 boopme


Posted 17 March 2010 - 12:51 PM

Depending on the type of infection yes it can happen.. best to post the DDS and be safe.

#5 rogue212


Posted 17 March 2010 - 05:54 PM

Most of the infected files are in quarantine or deleted from my external drives. Do you want me to scan all the external drives or just my computer? Don't I need to clean my external drives, won't it just come back? I just scanned all my drives with Bitdefender's online scanner and it picked up a virus in a text file on all drives and partitions:

BitDefender Online Scanner Scan report generated at: Wed, Mar 17, 2010 - 22:25:14

C:\Documents and Settings\Ricky\My Documents\online scanners.txt.......Infected with: Generic.Qhost.DE36A241
D:\Text\online scanners 22.txt.......Infected with: Generic.Qhost.DE36A241
E:\online scanners 22.txt........Infected with: Generic.Qhost.DE36A241

plus all partitions on my external drives that contained that same txt file. If this is true and not a false positive then I just don't know what to do. Thanks.

#6 boopme


Posted 17 March 2010 - 07:28 PM

Ok run a FULL scan with MBAM it should then scan both drives..
Then scan with SAS.. You will need to select which drives to scan. Post back the logs with an update on how it's running.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform FULL Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Next SAS:
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#7 rogue212


Posted 18 March 2010 - 06:59 AM

Here's Malwarebytes' Anti-Malware scan results, sorry got to redo SAS scan.

Malwarebytes' Anti-Malware 1.44
Database version: 3879
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/03/2010 10:51:41
mbam-log-2010-03-18 (10-51-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 177387
Time elapsed: 42 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 rogue212


Posted 18 March 2010 - 11:45 AM

Sorry for delay, tried some other scans in safe mode, here's the SAS scan result which was clean, Norton security scan deleted 7 cookies after SAS didn't detect any.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/18/2010 at 01:26 PM

Application Version : 4.34.1000

Core Rules Database Version : 4694
Trace Rules Database Version: 2506

Scan type : Complete Scan
Total Scan Time : 01:15:51

Memory items scanned : 257
Memory threats detected : 0
Registry items scanned : 3982
Registry threats detected : 0
File items scanned : 30273
File threats detected : 0

Edited by rogue212, 18 March 2010 - 02:01 PM.


#9 boopme


Posted 18 March 2010 - 11:49 AM

Hello, looks good to me.. If there is still an issue then we will need a deeper look and you need to use the Prep guide I posted in post 2....

#10 rogue212


Posted 18 March 2010 - 01:49 PM

Ok, will do that. I think whatever it is or was is coming from my external drives. Finding more junk on them, by the way; trouble is I had a backup program that duplicated everything to each drive just in case one failed, and other people's backups on them too. Will clean them up. There's a couple of program exe's and ISOs I can't re-download as I don't have the same e-mail address as my original account. Can they be tested to see if they've been infected? Thanks.

Sorry for all this fuss and my other posts, a lot of it was due to what I've learnt in the past year about viruses, worms, trojans and the real truth behind some of the nastier infections that require overwriting every sector of the hard drive at least eight times to be sure they will not re-infect.

#11 rogue212


Posted 18 March 2010 - 01:58 PM

Just one more thing: if I did or had in the past one of those infections that can add malicious code to other data, can that data be tested to see if it is clean, say an exe file for example? If it was infected and I uploaded it to VirusTotal could it be detected, or would I need to have it checked by the original maker of the program to check the code etc.? Would a checksum be good enough? Thanks.

Edited by rogue212, 18 March 2010 - 02:00 PM.


#12 boopme


Posted 19 March 2010 - 03:43 PM

hello, yes they can be uploaded or your AV should be able to scan an individual file(s).
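The checksum question in post #11 deserves a concrete illustration. The Python below is an added example, not code from this thread or from any of the tools discussed; it shows why a hash comparison does answer "was this exe altered?", but only when you hold a trusted reference hash (the one the vendor publishes on its download page). The "clean" and "infected" byte strings are constructed stand-ins: the clean one is only a filler blob starting with the MZ header signature, and the "infected" one is the same blob with bytes appended, imitating a file infector that appends a payload. No real malware is involved.

```python
import hashlib
import os
import tempfile

# Constructed sample: a stand-in for a program .exe. Only the 'MZ' and 'PE'
# markers are realistic; the rest is filler, not a parseable PE file.
CLEAN_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 1024

# Constructed stand-in for what an appending file infector leaves behind:
# the original bytes plus a hypothetical payload glued to the end.
INFECTED_EXE = CLEAN_EXE + b"\xcc" * 256


def file_digests(path, chunk_size=1 << 20):
    """Return md5, sha1 and sha256 hex digests of a file.

    The file is read in 1 MiB chunks so a multi-gigabyte ISO can be hashed
    without loading it into memory. Any of these three digests can also be
    pasted into VirusTotal's search box to look up a file by hash.
    """
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def matches_reference(path, reference_sha256):
    """True only if the file's SHA-256 equals the vendor-published value.

    The comparison is case-insensitive and tolerates whitespace copied from
    a web page. A False result means the bytes differ from what the vendor
    shipped; it does not say what changed, only that something did.
    """
    actual = file_digests(path)["sha256"]
    return actual == reference_sha256.strip().lower()


def write_temp(data):
    """Write bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Hash a clean copy and a tampered copy against one reference hash."""
    clean = write_temp(CLEAN_EXE)
    infected = write_temp(INFECTED_EXE)
    # Stand-in for the hash a vendor lists beside its download link.
    reference = hashlib.sha256(CLEAN_EXE).hexdigest()
    result = {
        "clean_ok": matches_reference(clean, reference),
        # Copy/paste often yields upper-case hex; it must still match.
        "clean_ok_upper": matches_reference(clean, " " + reference.upper() + "\n"),
        "infected_ok": matches_reference(infected, reference),
        "clean_sha256": reference,
        "infected_sha256": file_digests(infected)["sha256"],
    }
    os.remove(clean)
    os.remove(infected)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you run `file_digests()` on the exe or ISO you kept, compare the SHA-256 with the value the vendor publishes, and submit the same hash to VirusTotal rather than uploading the whole file (which is how the large files that "won't upload" can still be checked, provided someone has submitted them before). Without a trusted reference value a checksum proves nothing, since a hash of an already-infected file is just the hash of the infected file; in that situation an AV scan of the individual file, as boopme says, is the remaining option.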
