email virus- JS/TROJANDOWNLOADER.PEGEL.BR infection


  • This topic is locked
6 replies to this topic

#1 hydrive

  • Members
  • 7 posts

Posted 16 June 2010 - 06:25 PM

Hi, I am trying to fix a computer on our network (the computer is running Win XP). The employee should have contacted me sooner; he just contacted me a few days ago and said he has had this problem for the past month or so, but now it has gotten worse than ever, so he is seeking help. The problem he is having is that the NOD32 AV software is picking up emails containing viruses. He gets about 10 - 20 per hour. It is classified as a JS/TROJANDOWNLOADER.PEGEL.BR infection according to NOD32. I have run lots of cleaners / scanners, but none can seem to cure it (even after I run the scanners in safe mode).

Below is a list of things that I did to try and fix this. *Before I ran the programs I made sure all program updates were installed.
- Ran windows update and installed all new updates (including security updates).
- Deleted temp files on computer
- Ran Disk cleanup
- C Cleaner
- adaware (lavasoft)
- Malwarebytes
- Spybot search and destroy
- Stinger (by McAfee)
- Hitman Pro
- W32.Netsky@mm Removal Tool
- Trend micro housecall

None of the above fixed the problem.

He has an iPhone too, and he gets the messages both on the computer and on the iPhone. Something I tried was turning the computer off for a few hours, and during that time no viruses were received. I powered the computer back up and within minutes he got another virus email, both on the iPhone and in his inbox in Outlook, so it appears that the virus is generating itself from the computer. Any info on how to fix this would be appreciated!

PS: below is a screen shot I took a few hours ago which shows a few files that were detected by NOD32 in Outlook. There were hundreds listed here, but I deleted them beforehand. I also emptied the deleted items, to remove all virus-infected files.

PPS: I know the three infected files shown in the screen shot appear to be from "facebook", but usually they are all random email addresses.

Attached Files


Edited by Orange Blossom, 16 June 2010 - 07:14 PM.
Move to AII as no logs posted and prep. guide not followed. ~ OB



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 June 2010 - 09:25 PM

Hello and welcome.. JOTTI and VT scan.. This is possibly a false positive. We should double check it before we take action.

Let's upload this file for a second opinion on what it actually is..

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 hydrive
  • Topic Starter

  • Members
  • 7 posts

Posted 16 June 2010 - 11:22 PM

Hi, I am a little confused about what you want me to upload to Jotti. The infections are in the email, so I assume you want me to save one of the files from the email to the computer, then upload that file for scanning?

I am physically at the computer right now; he has 152 items in his infected folder. All of the files attached are only text files. I saved one to the desktop and uploaded it; nothing was found.

I then opened the file and there is no text in the document, so I don't know if maybe NOD32 deleted the file and replaced it with that empty text file?

#4 hydrive
  • Topic Starter

  • Members
  • 7 posts

Posted 17 June 2010 - 03:31 AM

Hi, I did a test: I disabled the antivirus software and waited a little while. Turns out those text files that I mentioned above are from NOD32. It deletes the infected file and replaces it with the text file.

When the A/V was disabled the attachment was titled "photo.html"; I saved it, uploaded it to Jotti, and 4 of the scanners found malware in that file. Below is the info from Jotti.

Dr.Web - 2010-06-17 - JS.Redirector.based.3
NOD32 - 2010-06-16 - JS/TrojanDownloader.Pegel.BR
Sophos - 2010-06-17 - Troj/JSRedir-BO
VirusBuster - 2010-06-16 - JS.Redirector.Gen.8

Just for the record, I re-enabled NOD32 and cleaned the infected file. So that should answer your original question!
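The two posts above show the practical lesson of this thread: once the AV has quarantined an attachment, the empty text file it leaves behind is not the sample, so the file to hash and submit for a second opinion has to be taken from a message the AV has not yet touched, and the arrival rate (10 - 20 per hour) is worth recording for whoever works the log. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It constructs a few sample messages inline (placeholder senders, a placeholder HTML attachment with no real script, and one empty text stub standing in for an AV replacement), extracts the attachments, hashes them with SHA-256, separates stubs from HTML that should be submitted, and counts arrivals per hour. The message builder, the sample data and the classification rules are all assumptions made for the example.

```python
"""
Mailbox triage for a recurring malicious-attachment campaign.

Added example, not code from the thread. Constructs sample messages inline
(no real mail), pulls the actual attachments out, hashes them, tells an empty
AV replacement stub apart from the file that should be submitted for a second
opinion, and counts arrivals per hour.
"""
import hashlib
import re
from collections import Counter
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# An HTML attachment that carries inline script is the one worth submitting.
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)


def build_message(sender, date, filename, content_type, payload):
    """Construct a minimal message with one attachment (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@example.com"  # placeholder mailbox
    msg["Subject"] = "Photo"
    msg["Date"] = date
    msg.set_content("See attachment.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed placeholder attachments: a script tag with only a comment inside.
HTML_A = b"<html><body><script>/* constructed placeholder */</script></body></html>"
HTML_B = b"<html><body><script>/* constructed placeholder, variant */</script></body></html>"

SAMPLE_MESSAGES = [
    build_message("a@example.org", "Thu, 17 Jun 2010 02:10:00 -0400", "photo.html", "text/html", HTML_A),
    build_message("b@example.org", "Thu, 17 Jun 2010 02:45:00 -0400", "photo.html", "text/html", HTML_A),
    build_message("c@example.org", "Thu, 17 Jun 2010 03:05:00 -0400", "photo.html", "text/html", HTML_B),
    # What the mailbox looks like after the AV replaced the attachment: an empty text file.
    build_message("d@example.org", "Thu, 17 Jun 2010 03:20:00 -0400", "photo.txt", "text/plain", b""),
]


def classify(filename, content_type, payload):
    """Decide what an attachment is from the viewpoint of someone triaging the mailbox."""
    if not payload and content_type == "text/plain":
        return "av-stub"  # empty text file left by the AV: nothing left to submit
    if content_type == "text/html" or filename.lower().endswith((".html", ".htm")):
        return "html-with-script" if SCRIPT_TAG.search(payload) else "html"
    return "other"


def extract_attachments(raw):
    """Yield one record per attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    when = parsedate_to_datetime(str(msg["Date"]))
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        yield {
            "sender": str(msg["From"]),
            "hour": when.strftime("%Y-%m-%d %H:00"),
            "filename": filename,
            "content_type": ctype,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "kind": classify(filename, ctype, payload),
        }


def triage_report(messages):
    """Summarise raw messages: unique samples to submit, AV stubs, and arrivals per hour."""
    by_hash = Counter()
    by_hour = Counter()
    submit = {}  # sha256 -> filename of a sample worth a second opinion
    stubs = 0
    for raw in messages:
        for rec in extract_attachments(raw):
            by_hour[rec["hour"]] += 1
            if rec["kind"] == "av-stub":
                stubs += 1
                continue
            by_hash[rec["sha256"]] += 1
            if rec["kind"] == "html-with-script":
                submit.setdefault(rec["sha256"], rec["filename"])
    return {"by_hash": by_hash, "by_hour": by_hour, "submit": submit, "stubs": stubs}


if __name__ == "__main__":
    report = triage_report(SAMPLE_MESSAGES)
    for digest, name in report["submit"].items():
        print(f"submit for second opinion: {name} sha256={digest} seen={report['by_hash'][digest]}x")
    print("AV replacement stubs (nothing to submit):", report["stubs"])
    for hour, count in sorted(report["by_hour"].items()):
        print(f"{hour}: {count} attachment(s)")
```

Run against a real mailbox, the raw messages would come from an mbox or exported .eml files instead of the constructed list; the hashes printed are what to look up or submit, and the per-hour counts give the helper the rate the thread describes without anyone having to open an attachment.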

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 June 2010 - 10:36 AM

Ok, good, I thought there had to be some file... anyway.. the only way we can clean this is in the Malware Removal forum..

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 hydrive
  • Topic Starter

  • Members
  • 7 posts

Posted 17 June 2010 - 07:15 PM

Thanks for your help, I will start this tonight and will post a message in the removal logs section, probably tomorrow. Thanks again for your help!

#7 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 21 June 2010 - 08:31 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/326173/jstrojandownloaderpegelbr-email-virus/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
