AV and malware scans say PC is clean... I dont think it is!


  • This topic is locked
15 replies to this topic

#1 Davince (Members, 14 posts)

Posted 16 June 2010 - 04:42 AM

3 weeks ago my XP Pro SP3 machine became infected with Trojan Backdoor Generic12.BOWL. Within a few minutes it had turned off my firewall and installed a couple of others as well, including Generic17, Generic18 and Cryptic.ZPF.

I turned off System Restore, entered safe mode and ran the AVG command line scanner, then Malwarebytes, then Superantispyware, then Trojan Remover, rebooting into safe mode after each application was run.

All found something to complain about and removed it successfully, after which I rebooted into safe mode and ran each consecutively - all came up clean. However, a couple of times the computer just suddenly cycled through a complete shutdown - correctly, as though I had gone Start > Shut Down rather than just a sudden turn-off. All applications closed correctly and it powered down. Rerunning all scans turned up no problems; rerunning in safe mode again, all reported clean.

Then yesterday upon start-up it suddenly had the AV Security Suite virus on there, so again... off with restore, into safe mode, run all the above AGAIN, only to find 8 more trojans/viruses etc. Ran them all several times, plus this time ran an AVG Linux recovery CD to give an extra little something. All are now reporting the system is clean... but it's just randomly shut down again, so I just don't trust it!!

What else can I do?

#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 16 June 2010 - 08:23 AM

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Why? MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again.

Crashes (BSOD), unexpected shutdowns, sudden freezing, random restarting, and booting problems could be symptomatic of a variety of things to include hardware/software issues, overheating caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, and sometimes malware. Even legitimate programs like CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) can trigger crashes, various stop error messages and system hangs so you may or may not be dealing with multiple issues which are not all malware related. If the computer is overheating, it usually begins to shutdown/restart on a more regular basis. Troubleshooting for these kinds of issues can be arduous and time consuming. There are no shortcuts.

When Windows XP detects a problem from which it cannot recover, it displays Stop Error Messages which contain specific information that can help diagnose and resolve the problem detected by the Windows kernel. An error message can be related to a broad number of problems such as driver conflicts, hardware issues, read/write errors, and software malfunctions and malware. In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast.

An easier alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD). To change the recovery settings and Disable the Automatic Restart on System Failure in Windows XP, go to Start > Run and type: sysdm.cpl
Click Ok to open System Properties.

Alternatively you can just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is unchecked.
  • Click "OK" and reboot manually for the changes to take effect.
This can also be done in the Windows Advanced Options Menu as shown here by pressing the F8 key repeatedly like you would do for entering safe mode.

-- Vista users can refer to these instructions: How To Disable the Automatic Restart on System Failure in Windows Vista.

Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code (as shown in this example) and other information to include file(s) that may be involved which will allow you to better trace your problem. Write down the full error code and the names of any files/drivers listed, then provide that information in your next reply so we can assist you with investigating the cause. Without that specific information, we would only be guessing rather than troubleshooting.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Davince (Topic Starter, Members, 14 posts)

Posted 16 June 2010 - 09:10 AM

Thank you for your very full response.

Coincidentally, while waiting for a reply I have run them all in normal mode too; all 4 scans have shown clear and okay. The shutdown problem is brand new, and only happened after attempting to clean the system up, and was simultaneous with the appearance of the Trojan.Fakealert infection, so although I do not rule out your comments I would be extremely surprised if it had suddenly developed another problem at the same time?

I already have the BSOD set up to enable me to see errors, only of course I'm not getting any in this instance, just a "normal" shutdown procedure, without it being requested.

If you had AVG, Malwarebytes, Superantispyware and trojan remover all telling you a system is clean, what would you rate the chances of it being infected still?!

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 16 June 2010 - 09:23 AM

    If you had AVG, Malwarebytes, Superantispyware and trojan remover all telling you a system is clean, what would you rate the chances of it being infected still?!

That would be hard to pinpoint without further investigation as the causes can be attributed to any number of reasons as I previously spoke about.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Then try doing an online scan to see if you find anything else that the other scans may have missed.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#5 Davince (Topic Starter, Members, 14 posts)

Posted 17 June 2010 - 05:35 AM

Well, that took a bit of time! Scan result as follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, June 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, June 16, 2010 13:28:45
Records in database: 4285747
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 86289
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 03:37:10


File name / Threat / Threats count
C:\Documents and Settings\Derek\Application Data\Thunderbird\Profiles\21ytfz74.default\Mail\192.168.1-1.250\Inbox Infected: Trojan-Spy.HTML.Bankfraud.nv 1
C:\Documents and Settings\Derek\Application Data\Thunderbird\Profiles\21ytfz74.default\Mail\mail.nykglobal.com\Inbox Infected: Trojan-Spy.Win32.Zbot.ubb 1
C:\Documents and Settings\Derek\Application Data\Thunderbird\Profiles\21ytfz74.default\Mail\mail.nykglobal.com\Trash Infected: Trojan.Win32.VBKrypt.ln 1
C:\Program Files\GlobalSCAPE\CuteFTP\cutftp32.exe Infected: not-a-virus:NetTool.Win32.ZXProxy.lo 1

Selected area has been scanned.

#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 17 June 2010 - 07:41 AM

cutftp32.exe (Winsock FTP Client) is an executable from the software CuteFTP version 1.6.0 by Alex Kunadze

http://processlist.com/info/cutftp32-3.html

Programs classified as NetTool are designed to work with a network (for example, remotely rebooting a computer, scanning open network ports, remotely launching random applications, etc.). These features allow cyber criminals to use them for malicious purposes, although the programs themselves are not malicious.

http://www.securelist.com/en/descriptions/old215608

As the scan indicates, the file is not-a-virus. However, some programs may at times be detected by anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", or "Potentially Unwanted Program" because they can be misused by attackers.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. If you installed or recognize the program, then you can ignore the detection. If not, then it can be removed.

For the remaining detections, delete/empty the files from your Thunderbird mail Inbox and Trash. If you don't have anything important, to be on the safe side I would clean out everything in case the scan missed something.

I know scans are time consuming but I would recommend doing another/different scan.

Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?"
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to begin.
  • If offered the option to get information or buy software, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
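Reading a scan report like the one posted in reply #5 by hand is fine for four lines, but the triage rule quietman7 gives in reply #6 (a "not-a-virus:" prefix marks riskware that is only a problem if you did not install it yourself; detections inside a mail profile are stored messages, not code that is running) is easy to automate. The following Python script is an added example and is not part of this thread or of any scanner's own tooling. It parses the detection lines and statistics block quoted from the Kaspersky report above (embedded as constructed sample input), checks that the per-file counts add up to the "Threats found" total, and sorts each hit into the three buckets the advice distinguishes. The mail-store path markers are a heuristic of my own, not Kaspersky's classification.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the statistics block and the four detection lines
# quoted from the Kaspersky Online Scanner 7.0 report posted in reply #5.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 86289
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 03:37:10

File name / Threat / Threats count
C:\Documents and Settings\Derek\Application Data\Thunderbird\Profiles\21ytfz74.default\Mail\192.168.1-1.250\Inbox Infected: Trojan-Spy.HTML.Bankfraud.nv 1
C:\Documents and Settings\Derek\Application Data\Thunderbird\Profiles\21ytfz74.default\Mail\mail.nykglobal.com\Inbox Infected: Trojan-Spy.Win32.Zbot.ubb 1
C:\Documents and Settings\Derek\Application Data\Thunderbird\Profiles\21ytfz74.default\Mail\mail.nykglobal.com\Trash Infected: Trojan.Win32.VBKrypt.ln 1
C:\Program Files\GlobalSCAPE\CuteFTP\cutftp32.exe Infected: not-a-virus:NetTool.Win32.ZXProxy.lo 1

Selected area has been scanned.
"""

# "<path> Infected: <threat name> <count>" is the per-file line format of the report.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# "Threats found: 4" and the other "Key: value" statistics lines.
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>.+)$")

# Heuristic (my assumption, not a scanner rule): a hit under one of these path
# fragments sits inside a stored mailbox file rather than in an executable on disk.
MAIL_STORE_MARKERS = ("\\thunderbird\\profiles\\", "\\outlook express\\")


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def is_riskware(self) -> bool:
        # Kaspersky prefixes legitimate-but-abusable tools with "not-a-virus:".
        return self.threat.lower().startswith("not-a-virus:")

    @property
    def in_mail_store(self) -> bool:
        p = self.path.lower()
        return any(marker in p for marker in MAIL_STORE_MARKERS)


def parse_report(text: str):
    """Return (detections, stats) parsed from the text of a Kaspersky Online Scanner report."""
    detections, stats = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["threat"], int(m["count"])))
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["key"]] = m["value"]
    return detections, stats


def triage(d: Detection) -> str:
    """The action the thread's advice maps each kind of hit to."""
    if d.is_riskware:
        return "riskware: ignore if you installed it yourself, otherwise remove"
    if d.in_mail_store:
        return "stored email: delete the message(s) and empty the folder; nothing runs from here"
    return "file on disk: quarantine, then rescan with a second engine"


def summarize(text: str) -> dict:
    detections, stats = parse_report(text)
    parsed_total = sum(d.count for d in detections)
    reported_total = int(stats.get("Threats found", "0"))
    malware = [d for d in detections if not d.is_riskware]
    return {
        "reported": reported_total,
        "parsed": parsed_total,
        # A mismatch means detection lines were lost when the report was pasted into a post.
        "consistent": reported_total == parsed_total,
        "riskware": [d.threat for d in detections if d.is_riskware],
        "malware_in_mail_store": [d.path for d in malware if d.in_mail_store],
        "malware_on_disk": [d.path for d in malware if not d.in_mail_store],
    }


if __name__ == "__main__":
    dets, _ = parse_report(SAMPLE_REPORT)
    for d in dets:
        print(f"{d.threat:45} {triage(d)}")
    print(summarize(SAMPLE_REPORT))
```

On the posted report this yields one riskware entry (the CuteFTP binary the poster later confirms installing) and three hits inside Thunderbird mailbox files, with nothing executable on disk, which is why the advice in reply #6 is to purge the mail folders and rescan rather than to treat the machine as actively infected.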

#7 Davince (Topic Starter, Members, 14 posts)

Posted 17 June 2010 - 09:21 AM

yeah Cute FTP was my install, to manage our website :thumbsup:

To be on the safe side, I made a backup of all historic emails (in finance, so unfortunately have to keep EVERYTHING for 6 years!!!) and then deleted the complete profile set and started again. Really not helpful but if it has to be done, it has to be done. Will re-run Kaspersky to see if they have gone from the list okay, then run eset after that :flowers:

Thanks again for the help, it is very much appreciated.

#8 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 17 June 2010 - 09:29 AM

Not a problem.

#9 Davince (Topic Starter, Members, 14 posts)

Posted 18 June 2010 - 04:09 AM

Eset picked up nothing!

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dc0d43670916ac49bc14f97577163f85
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-18 09:06:21
# local_time=2010-06-18 10:06:21 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1029 16777189 100 100 0 11042807 0 0
# compatibility_mode=8192 67108863 100 0 96 96 0 0
# scanned=86675
# found=0
# cleaned=0
# scan_time=2862


Will now re-run Kasp, if that finds nothing I'll run everything else once more and go skipping merrily into the sunset! (after making a disc image LOL)

#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 18 June 2010 - 06:26 AM

Ok. Also let me know how the computer is running afterwards.

#11 Davince (Topic Starter, Members, 14 posts)

Posted 18 June 2010 - 08:42 AM

Well, we have a clean result now from Eset, Kaspersky (well, with the warning of CuteFTP as above, obviously), Malwarebytes, Superantispyware... the computer hasn't shut itself down at all today, and seems to be running okay - was never the fastest machine in the world and it still isn't LOL

Any other tests / scans I should run? I'd like to be 110% certain it's clean, as I have a new hard drive sat beside me to go in it for disk images and backups LOL

#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 18 June 2010 - 01:46 PM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#13 Davince (Topic Starter, Members, 14 posts)

Posted 21 June 2010 - 04:50 AM

well, was just about to do a new restore point, Malwarebytes was running in the background ... System shut itself down again. Nice and controlled as usual, no BSOD or anything, so I think it's back :thumbsup:(

This is a bloomin' nightmare, I've got so much work on and I can't do anything till it's sorted.

#14 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 21 June 2010 - 06:07 AM

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#15 Davince (Topic Starter, Members, 14 posts)

Posted 22 June 2010 - 09:09 AM

Log is up now, thanks Quietman :thumbsup:

http://www.bleepingcomputer.com/forums/t/326246/post-deletion-of-multiple-infection-problem/

Will sit patiently and await response.
