Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with generic18.BALF


  • Please log in to reply
4 replies to this topic

#1 kasnarada

kasnarada

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 31 July 2010 - 01:05 PM

Hello everybody,

this is my first topic and I already need help ... hope you can solve my problem.

I recently got infected by a trojan horse named generic18.BALF. I've got a PC running with windows XP. I've got AVG and MBAM.
The horse was detected by AVG and appears to infect severals files ... 26 exactly! Many of the files are programs likes itunes, winamp, soundmax, even AVG and when AVG put the infected files in quarantine some of the shortcuts to these programs disappeared from my tool bar ... so I decided to restore the files eventhough the virus was still active.
The horse also generates pop ups all the time.
Don't know if it helps but here are the files infected as shown in AVG

"F:\WINDOWS\Temp\SAAG.TMP\SETUP.EXE";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\WINDOWS\system32\CmTlo12.com";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\WINDOWS\JM\JMINSIDE.EXE";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\WINDOWS\Fonts\CmTlo12.com";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Winamp\winampa.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\QuickTime\qttask.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\QuickTime\qttask .exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\QuickTime\qttask .exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\iTunes\iTunesHelper.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\HP\hpcoretech\hpcmpmgr.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\HP\hpcoretech\hpcmpmgr .exe";"Cheval de Troie : Generic18.BALF";"Il est nécessaire de redémarrer l'ordinateur pour terminer cette action"
"F:\Program Files\HP\HP Software Update\HPWuSchd2.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\D-LINK\D-LINK WIRELESS G DWA-110\AIRGCFG.EXE";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\BboxUpdate\BTLiveUpdate.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\AVG\AVG9\avgtray.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLISTART.EXE";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Analog Devices\SoundMAX\Smax4.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Analog Devices\SoundMAX\Smax4 .exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Analog Devices\Core\smax4pnp.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"
"F:\Documents and Settings\utilisateur\Local Settings\Application Data\CmTlo12.exe";"Cheval de Troie : Generic18.BALF";"Placé en quarantaine"

MBAM doesn't say that my computer is infected when I run a scan.

Ok, I've read the guidelines before posting, I hope I didn't forget anything,

Thanks you for taking time to answer my problem,

P.S.: hope my english is not too bad and you understood what I meant.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 31 July 2010 - 04:54 PM

Hello I need to ask if you updated MBAM prior to scannong.

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 kasnarada

kasnarada
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 01 August 2010 - 03:20 AM

ok, I updated MBAM the day before the infection appeared.
I did the scan with SAS but didn't check "C:\" but "F:\" because my system is operating on the "F:\" drive, "C:\" is only a slave. I hope I did the right thing ...

Here is the log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/01/2010 at 09:51 AM

Application Version : 4.41.1000

Core Rules Database Version : 5297
Trace Rules Database Version: 3109

Scan type : Complete Scan
Total Scan Time : 00:37:17

Memory items scanned : 485
Memory threats detected : 0
Registry items scanned : 6194
Registry threats detected : 6
File items scanned : 63344
File threats detected : 10

Trojan.Agent/Gen-Proxy[MailBot]
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbssreg
F:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\CBSS.DLL

Trojan.Agent/Gen-Pikr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbssreg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbssreg#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbssreg#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbssreg#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbssreg#Asynchronous

Adware.Tracking Cookie
cdn5.specificclick.net [ F:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\NYGSKJ53 ]
objects.tremormedia.com [ F:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\NYGSKJ53 ]
F:\Documents and Settings\LocalService\Cookies\system@ads.cpxcenter[2].txt
F:\Documents and Settings\LocalService\Cookies\system@bizzclick[1].txt
F:\Documents and Settings\LocalService\Cookies\system@content.yieldmanager[1].txt
F:\Documents and Settings\LocalService\Cookies\system@myroitracking[1].txt

Trojan.Agent/Gen-Virut
F:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR .EXE.OLD

Trojan.Dropper/SVCHost-Fake
F:\WINDOWS\TEMP\CRNC.TMP\SVCHOST.EXE

Trojan.Downloader-Gen/SVCHost-Fake
F:\WINDOWS\TEMP\DIBA.TMP\SVCHOST.EXE

Still, when I rebooted some icons in my tool bar on the right (where you have the time, sound, language settings ...) were still missingd after the quarantine of the virus in AVG eventhough I had the files restored before performing what you asked ... AVG icon and SoundMax disappeared ...

Then, I had an alert saying that the generic host process for Win32 services stopped working. Here is what it said about the error:

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : urlmon.dll
szModVer : 8.0.6001.18904 offset : 0002df76

Files included in the error report

F:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\WER2d40.dir00\svchost.exe.mdmp
F:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\WER2d40.dir00\appcompat.txt

I hope this is useful,

do I have to do something else? Is my computer ok now?

Thanks again for helping.

#4 kasnarada

kasnarada
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 01 August 2010 - 03:46 AM

ok, I tried a scan with AVG after rebooting and it still finds this generic18.BALF

When I opened the internet another alert popped up while AVG was scanning and more files were found.

this is a part of what was found ( AVG is still scanning )

"F:\Documents and Settings\utilisateur\Local Settings\Application Data\CmTlo12.exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\Analog Devices\Core\smax4pnp.exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\Analog Devices\SoundMAX\Smax4 .exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\Analog Devices\SoundMAX\Smax4 .exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\Analog Devices\SoundMAX\Smax4.exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLISTART.EXE";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\AVG\AVG9\avgtray.exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\BboxUpdate\BTLiveUpdate.exe";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\D-LINK\D-LINK WIRELESS G DWA-110\AIRGCFG.EXE";"Cheval de Troie : Generic18.BALF"
"F:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe";"Cheval de Troie : Generic18.BALF"

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 01 August 2010 - 03:33 PM

I see we found this... Trojan.Agent/Gen-Virut This is most unfortunate..

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutVirut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgĺsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users