Infected with pciide.sys.vir and autorun.inf.vir and just-in-time-debugger and google-re-direct and 1 other


This topic is locked
9 replies to this topic

#1 JSR2010

Posted 02 June 2010 - 03:37 PM

Okay, so I admit that I did not read this forum first, which would have been best, but read another and followed the instructions there, and as such have run ComboFix. I am posting here because it seems as though this is a good step towards securing my PC.

I am running Windows XP Professional, Version 2002, Service Pack 3, on a Dell Latitude D820.

I have had serious problems with a Google redirect virus and a Just-In-Time debugger, and one other which kept popping up giving me fake error messages and pop-ups. I believe that while searching for a way to eliminate that one I got another virus.

I have run the following programs in an effort to fix it:

SmitFraudFix (no log for this one... maybe I didn't save it)
Bitdefender online scan (twice)
Malwarebytes Anti-Malware
SUPERAntiSpyware
and ComboFix (twice)

Logs are attached.

I ran SmitFraudFix, installed AVG Free, ran Bitdefender, then SUPERAntiSpyware, then ComboFix, then Bitdefender again.

Today the AVG scan brought up:
"Object name";"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP583\A0088452.sys"
"Detection name";"Virus identified Win32/Patched.DY"
"Object type";"file"
"SDK Type";"Core"
"Result";"Moved to Virus Vault"
"Action history";"Moved to Virus vault"


I am running AVG Free as my virus protection, though that is new since the attack; previously it had been McAfee, but the subscription lapsed and I failed to notice/take action.

Any recommendations as to "the best" anti-mal/spy/ad/virus programs?

The functionality of my computer is greatly restored, but I am unsure as to whether this is just on the surface.
What I would like to know is:
a) Am I cleared/cleaned up?
b) How bad were these... annoying, or was someone trying to steal passwords? Would it be safe to use my computer for banking?
c) What should I do to protect against similar threats?
d) How do I delete the autorun.inf.vir in the quarantine folder?
e) Is using AVG Free asking for trouble?
f) I have backed up but am concerned that my external HD might have similar malware. What do I do about this?
h) If I installed AVG and my computer was infected, does that mean AVG is not catching it?

Thanks for any help

#2 Farbar

Posted 06 June 2010 - 10:10 AM

Hi JSR2010,

Welcome to BC Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please just let me know if you still need assistance.

#3 JSR2010

Posted 09 June 2010 - 12:54 PM

Farbar, thanks. I think that I do need a bit of help, but really I want to know, based on the logs I posted, is my PC clean? It is running much more smoothly, and I think that my computer is virus free, but I don't understand the logs. My AVG scan today said that nothing was found.
Thanks in advance for any help.



#4 Farbar

Posted 09 June 2010 - 01:03 PM

Everything looks good and the ComboFix logs seem clean.


It is important to uninstall ComboFix.

Go to Start => Run => copy and paste the next command in the field, then hit Enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through System Restore.




#5 JSR2010

Posted 09 June 2010 - 01:07 PM

Awesome, thank you very much.
One last question: I have an external HD that I use as a backup and for music storage, but I haven't re-attached it since I realized I was infected. What is the best way to search/clean this external HD? Is it unfounded to assume it is infected because my PC was, and it was attached at the point of first infection?


#6 Farbar

Posted 09 June 2010 - 01:15 PM

The music, photo, document files and the like will not get infected. Usually executable files might get infected. However, you can attach the external HD, run a full scan of Malwarebytes (with the available drive letters selected). Also run a full scan of AVG while the HD is attached.

#7 JSR2010

Posted 09 June 2010 - 01:47 PM

When I opened and ran Malwarebytes, the AVG Resident Shield popped up with "e:\System Volume Information\_restore{5ACC0FCE-622A-4807-ADB5-82AFE1375520}\RP22\A0018697.exe";"Virus identified Worm/AutoRun.FR";"Infected"
and below it said Process name C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Is this AVG responding to the fact that Malwarebytes is searching my files?

A screen shot is attached.


Malwarebytes log below:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/9/2010 2:45:45 PM
mbam-log-2010-06-09 (14-45-45).txt

Scan type: Full scan (E:\|)
Objects scanned: 201504
Time elapsed: 25 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\Norton\Keygen\keygen_noUPX.exe (Malware.Tool) -> Quarantined and deleted successfully.


#8 JSR2010

Posted 09 June 2010 - 02:33 PM


The AVG scan log is:
"E:\System Volume Information\_restore{DFE8908F-340D-4202-A500-7B1DEAEC694C}\RP38\A0014667.exe";"Virus identified Worm/AutoRun.FR";"Moved to Virus Vault"
"E:\System Volume Information\_restore{6B6D80B3-42EE-48CB-8C94-A88B9D93DB27}\RP18\A0003911.inf";"Virus found Worm/AutoRun";"Moved to Virus Vault"
"E:\System Volume Information\_restore{6B6D80B3-42EE-48CB-8C94-A88B9D93DB27}\RP18\A0003910.exe";"Virus identified Worm/AutoRun.FR";"Moved to Virus Vault"
"E:\System Volume Information\_restore{5ACC0FCE-622A-4807-ADB5-82AFE1375520}\RP22\A0018698.inf";"Virus found Worm/AutoRun";"Moved to Virus Vault"
"E:\System Volume Information\_restore{5ACC0FCE-622A-4807-ADB5-82AFE1375520}\RP22\A0018697.exe";"Virus identified Worm/AutoRun.FR";"Moved to Virus Vault"


which I hope means yes, it was infected, but the worm or whatever got moved to the 'vault' and now is unable to do harm.

#9 Farbar

Posted 09 June 2010 - 03:19 PM

Malwarebytes found a keygenerator. You know what that is, don't you?

The malware files detected by AVG are all in the System Volume Information folder, where the restore points are kept. And they are AutoRun worms.

Please read this carefully: http://www.zyxware.com/articles/2007/08/14...virus-infection

To take care of it, do the following. Have all the storage media (flash drive, external HD, etc.) ready to insert for disinfection when the tool asks you to do it.
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Turn off the auto-protect or resident shield of your antivirus.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning which takes only a few seconds and then exit the program.
    • Reboot your computer when done.

    Note 1: Please temporarily disable your anti-virus program before downloading this tool, as it can be falsely flagged as malware: How to disable anti-virus programs
    Note 2: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you run it. Don't delete this folder. It will help protect your drives from future infection.


  2. While your external HD is inserted:
    • Go to Start => Right-click My Computer and select Properties.
    • Under System Restore tab select E (the external HD).
    • Click on Settings... Check "Turn off system restore on this drive". Click OK and then Yes to Prompt.
    • Again while E is selected click on Settings... uncheck "Turn off system restore on this drive". Click OK twice.
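As an added example that is not part of the thread or of Farbar's own tooling, this small Python parser takes AVG report lines in the "path";"detection";"result" format quoted in post #8 and separates hits inside System Restore storage (the copies that step 2 above purges) from anything found on the live file system. The first five sample lines are the ones posted in the thread; the sixth is constructed to show a live, non-quarantined detection.

```python
import csv
import re
from dataclasses import dataclass
from typing import Optional

# XP System Restore stores old copies as <drive>:\System Volume Information\_restore{GUID}\RP<n>\<file>
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE)

# First five lines are the AVG report quoted in post #8 of this thread; the sixth is
# constructed to exercise a detection outside restore-point storage that was not quarantined.
SAMPLE_LOG = [
    r'"E:\System Volume Information\_restore{DFE8908F-340D-4202-A500-7B1DEAEC694C}\RP38\A0014667.exe";"Virus identified Worm/AutoRun.FR";"Moved to Virus Vault"',
    r'"E:\System Volume Information\_restore{6B6D80B3-42EE-48CB-8C94-A88B9D93DB27}\RP18\A0003911.inf";"Virus found Worm/AutoRun";"Moved to Virus Vault"',
    r'"E:\System Volume Information\_restore{6B6D80B3-42EE-48CB-8C94-A88B9D93DB27}\RP18\A0003910.exe";"Virus identified Worm/AutoRun.FR";"Moved to Virus Vault"',
    r'"E:\System Volume Information\_restore{5ACC0FCE-622A-4807-ADB5-82AFE1375520}\RP22\A0018698.inf";"Virus found Worm/AutoRun";"Moved to Virus Vault"',
    r'"E:\System Volume Information\_restore{5ACC0FCE-622A-4807-ADB5-82AFE1375520}\RP22\A0018697.exe";"Virus identified Worm/AutoRun.FR";"Moved to Virus Vault"',
    r'"E:\Tools\constructed_example.exe";"Virus identified Worm/AutoRun.FR";"Infected"',
]

@dataclass
class Detection:
    path: str
    name: str
    result: str
    restore_point: Optional[int]  # RP<n> number, or None when the file is outside restore-point storage
    quarantined: bool             # AVG reported the file moved to its Virus Vault

def parse_avg_lines(lines):
    """Parse AVG's "path";"detection";"result" lines, skipping blank or short rows."""
    detections = []
    for row in csv.reader(lines, delimiter=";", quotechar='"'):
        if len(row) < 3:
            continue
        path, name, result = (field.strip() for field in row[:3])
        match = RESTORE_POINT_RE.match(path)
        detections.append(Detection(path, name, result,
                                    int(match.group("rp")) if match else None,
                                    "vault" in result.lower()))
    return detections

def report(detections):
    """Separate restore-point copies (purged by toggling System Restore off/on) from live files."""
    live = [d for d in detections if d.restore_point is None]
    return {
        "in_restore_points": len(detections) - len(live),
        "live_paths": [d.path for d in live],
        "not_quarantined": [d.path for d in detections if not d.quarantined],
        "drives": sorted({d.path[0].upper() for d in detections if d.path[1:2] == ":"}),
    }
```

An empty "live_paths" list, as for the five lines actually posted, is what supports Farbar's reading that the worm was only present in old restore points on E:.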



#10 Farbar

Posted 14 June 2010 - 06:27 AM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



