
Possible infection with "Palevo.DP" worm



#1 Tirfing88
Members, 1 posts

Posted 05 May 2010 - 05:38 AM

Hello,

First of all, I thank everyone in here who volunteers for this awesome service free of charge; in this world where everything has a price tag, finding something like this is really nice.

Ok, to the issue:

Recently, I was chatting with a friend over MSN; suddenly this person sent me a link with a "photo" and asked me to download it. It seems that her computer is infected with something that makes her send automatic messages to her contacts with quotes like "look at this pic" and stuff like that. I know it's the oldest trick in the book in order to infect someone, but for some strange reason I don't comprehend yet (I believe I was sleepy), I fell for it and downloaded this fake "picture".

The link with the download is this one. PLEASE DO NOT CLICK IT, I'M JUST POSTING IT IN CASE SOMEONE RECOGNIZES THE PAGE AND PROBABLY THE WORM:
hxxp: //joblin.co.nz/image.php?=
AGAIN DO NOT CLICK IT!


Following the equal symbol was my email address.

When I was about to open it to check it, I found that it is an .exe disguised with a .GIF image icon. I quickly scanned the archive with Avira AntiVir (free version) and it detected nothing wrong. But of course I did not open it, and instead I threw it in the recycle bin.

Some moments later, Avira informed me that it had discovered a variant of the worm "Palevo.DP". It moved it to quarantine and then deleted it. But it did not end there: some minutes later it detected the same malicious file, this time in another directory, and did the same. Yet moments later it detected it for the third time.

My question is:
Do you think this worm has been completely purged from my PC, or do you think it has propagated all over it? I've run Malwarebytes' Anti-Malware, Lavasoft Ad-Aware and a bunch of other anti-spyware programs, doing full system scans every time. I also ran a full system scan with Avira and nothing popped up. Is it possible to get infected with it by just downloading the .exe file, or do you need to actually execute it?

Do you think this worm may have hidden itself very well so the programs can't find it? I certainly have noticed a little bit of slowdown with my PC and my internet connection (maybe that's just my crappy ISP, but who knows).

I would be very grateful if someone could help me verify that this nasty thing hasn't left a single trace of itself on my PC, because I regularly do online shopping with my debit card and I don't feel kind of safe right now.

Here are the images from the event logs of Avira:
http://img72.imageshack.us/i/worm1z.jpg/ <- First detection; the file was in the recycle bin at this time.
http://img688.imageshack.us/i/worm2.jpg/ <- Second detection; at this moment the .exe had been deleted from the recycle bin.
http://img269.imageshack.us/i/worm3.jpg/ <- Third and last detection. Again, I deleted the file from the recycle bin.

My OS is Windows XP Pro.



Thank you very much!

Edited by quietman7, 05 May 2010 - 01:12 PM.
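A way to check for the disguise described in this post (an executable carrying an image extension or icon), as an added example that is not part of the original thread: it reads a file's magic bytes instead of trusting its name, and also flags the "photo.gif.exe" double-extension pattern that Windows XP hides when known extensions are not shown. The sample bytes are constructed inline so the script runs offline; no real file from the thread is involved.

```python
"""Compare a file's claimed type (its extension) with its real type (magic bytes)."""
import struct

IMAGE_EXTS = {"gif", "jpg", "jpeg", "png", "bmp"}
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def pe_executable(data: bytes) -> bool:
    """True if data is a Windows PE: 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C) holds the file offset of the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Return 'disguised-executable', 'double-extension', 'executable' or 'ok'."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    is_pe = pe_executable(data)
    if is_pe and ext in IMAGE_EXTS:
        return "disguised-executable"   # image extension, executable content
    if is_pe and len(parts) > 2 and parts[-2] in IMAGE_EXTS:
        return "double-extension"       # photo.gif.exe: the real .exe is hidden
    if is_pe:
        return "executable"
    return "ok"


def build_fake_pe() -> bytes:
    """Constructed stub (not real malware): a minimal MZ header pointing at a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew = 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample inputs: a real GIF header and the fake PE stub above.
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SAMPLE_PE = build_fake_pe()


if __name__ == "__main__":
    for name, blob in [("photo.gif", SAMPLE_GIF), ("photo.gif", SAMPLE_PE),
                       ("photo.gif.exe", SAMPLE_PE), ("setup.exe", SAMPLE_PE)]:
        print("%-14s -> %s" % (name, classify(name, blob)))
```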



#2 quietman7
Bleepin' Janitor, Global Moderator, 51,591 posts
Location: Virginia, USA

Posted 05 May 2010 - 01:17 PM

Please do not post active links to malware or possible malware related sites. I have disabled the one(s) you posted so others do not accidentally click on it.

There are no guarantees or shortcuts when it comes to malware removal and the use of specialized fix tools, especially when dealing with backdoor Trojans and rootkits. Infections will vary and some will cause more harm to your system than others as a result of having the ability to download more malicious files. Thus, sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous. Let's try something different.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to read all the information Norman provides on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
Note: For USB flash drives and/or other removable drives to scan, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.


Please download and scan with the McAfee Avert Stinger Tool.
Be sure to print out and follow the instructions provided for running a scan but do the scan in "Safe Mode". After the scan is complete, click the File menu and select Save report to file.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
