Trojan got past McAfee, don't know what it is


15 replies to this topic

#1 C.Kyuubi

  • Members
  • 56 posts

Posted 07 January 2011 - 03:22 PM

My computer has been infected with a trojan that came from the Mx One "antivirus" program. I did willingly download the mxone.exe file from the website. (Google searches seemed to come up clean, but...) McAfee picked it up and tried to stop it, but I believe it has already gotten in. I have not logged back into Vista since, but I have used Linux (Ubuntu 10.10). Loading Linux up caused it to search for hard drive errors before loading the OS. Then, I put in the Live CD. The Live CD's system time jumped ahead by five hours whenever I used it. I am not sure if this is normal. So, points of interest:
-I want to completely clean Vista. I have an XP partition and three Ext3 Linux partitions as well, however, and I want to be sure that they don't carry the virus.
-I had my USB drive in when the computer was infected...I guess that means it's at risk.
-I have some CD-Rs with anti-malware programs installed in them, plus RKill (though not updated), so no need to download all of them on the internet as far as I can tell. That includes MBAM, Combofix, and more I can't remember...

Thanks.



#2 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 07 January 2011 - 03:55 PM

Hello, I suppose you downloaded X to clean a flash drive. It would appear the flash drive is infected and probably now the machine.

Let's run Flash_Disinfector. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
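
The Flash_Disinfector note in the post above relies on one simple property: if a directory named autorun.inf already occupies the root of a drive, a dropper cannot create a file of that name there. The script below is an added example of that technique and of the triage a practitioner wants before the file is neutralised; it is not Flash_Disinfector's code and is not part of the post. It parses any existing autorun.inf for the keys that make Windows launch something (open, shellexecute, shell\open\command), moves the file into a quarantine folder instead of deleting it, then plants a non-empty autorun.inf directory and, on Windows, marks it read-only, hidden and system. The function names, the quarantine folder name and the sample autorun.inf content are all constructed for this example; the drive root to pass is the caller's choice (for example "E:\\" on Windows).

```python
"""Neutralise autorun.inf on a volume root and block its re-creation.

Added example illustrating the technique described in the Flash_Disinfector
note (a directory named autorun.inf standing in for the file); this is not
Flash_Disinfector's code. Pass the root of each volume, e.g. "E:\\" on
Windows; SAMPLE_AUTORUN is constructed for the demo.
"""
import os
import shutil
import tempfile

# Keys in the [autorun] section that make Windows launch something.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample in the style of a USB worm's dropper file (not real malware).
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=RECYCLER\\S-1-5-21-1234\\setup.exe\n"
    "shellexecute=RECYCLER\\S-1-5-21-1234\\setup.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "action=Open folder to view files\n"
)


def parse_autorun(text):
    """Return {key: value} for launch-related keys in an autorun.inf body.

    Hand-rolled rather than configparser so malformed lines, common in
    malware-written files, are skipped instead of aborting the parse.
    """
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in LAUNCH_KEYS:
            found[key] = value.strip()
    return found


def protect_root(root):
    """Quarantine any autorun.inf file at `root`, then plant a directory of that name.

    Returns what was found so the launch target can be examined: the parsed
    launch keys (empty if no file existed) and the quarantine path, if any.
    """
    target = os.path.join(root, "autorun.inf")
    report = {"launch": {}, "quarantined": None, "already_protected": False}
    if os.path.isdir(target):
        report["already_protected"] = True
        return report
    if os.path.isfile(target):
        with open(target, "r", encoding="utf-8", errors="replace") as fh:
            report["launch"] = parse_autorun(fh.read())
        # Move rather than delete: the file is evidence of what was being launched.
        qdir = os.path.join(root, "autorun_quarantine")
        os.makedirs(qdir, exist_ok=True)
        qpath = os.path.join(qdir, "autorun.inf.quarantined")
        shutil.move(target, qpath)
        report["quarantined"] = qpath
    os.mkdir(target)
    # A non-empty directory cannot be replaced by the plain create/overwrite of a
    # file called autorun.inf, which is all a typical dropper attempts.
    with open(os.path.join(target, "do-not-remove.txt"), "w") as fh:
        fh.write("Placeholder blocking creation of an autorun.inf file.\n")
    if os.name == "nt":
        # FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM = 0x01 | 0x02 | 0x04
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(target, 0x07)
    return report


def demo_on_temp_root():
    """Run protect_root twice on a throwaway directory seeded with SAMPLE_AUTORUN."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    first = protect_root(root)    # quarantines the file, plants the directory
    second = protect_root(root)   # nothing to do, directory already there
    return root, first, second


if __name__ == "__main__":
    root, first, second = demo_on_temp_root()
    print(root)
    print(first)
    print(second)
```

Run it against a real removable drive only after inserting the drive with Shift held, as the post says, so that any existing autorun.inf has not already fired; the parsed "open" and "shellexecute" targets tell you which file on the stick to hash and submit for a second opinion.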

#3 C.Kyuubi
  • Topic Starter
  • Members
  • 56 posts

Posted 07 January 2011 - 05:17 PM

Thank you for a quick reply! I've been trying to get help with this for a while now. Unfortunately, Flash Disinfector did not install correctly, and would not open when I clicked on it. I would assume this is the trojan's doing. MBAM was already installed on my computer before this happened, but I did not run it yet. Is it okay to run Flash Disinfector in safe mode? (I know this is NOT okay for MBAM.) Also, I am running KlamAV on the Linux Live CD. I won't delete anything with it yet, but it might be able to tell something about what is causing the problem.

#4 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 07 January 2011 - 06:09 PM

You can try it in safe mode; at worst it will not run.

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

If you cannot use or complete a scan in normal mode, then try performing a Quick Scan in "Safe Mode". After reboot, click the Logs tab and copy/paste the contents of the new report in your next reply.

#5 C.Kyuubi
  • Topic Starter
  • Members
  • 56 posts

Posted 07 January 2011 - 09:15 PM

KlamAV scan has completed. Unfortunately, I could not manage to get a log, so I took screenshots of the entire thing instead. My apologies...I know it is quite inconvenient, and the whole file names cannot be seen. :/ I do not see the name of a virus, but there are definitely some disturbing things in the list. Only Vista's drive, C, was scanned. 57 files detected...

http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg1.png?t=1294451626
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg2.png?t=1294451656
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg3.png?t=1294451676
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg4.png?t=1294451692
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg5.png?t=1294451708
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg6.png?t=1294451723
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg7.png?t=1294451744
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg8.png?t=1294451760
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg9.png?t=1294451777
http://i271.photobucket.com/albums/jj159/crystal_kyuubi/KlamScanPg10.png?t=1294451798

I did not quarantine anything yet. It seems it has attacked Microsoft Office (of course), and is hiding something in the WINDOWS/Installers folders. ...And is "factory" on page 1 my factory settings? ~.~; Should I do anything else before going back into Windows? Once I shut the computer off, Klam's scan will be gone... Should I try to install the Flash Disinfector to Windows from here? Delete any of these files? Run another program? Also...I was wondering if system restore would be at all effective. Of course I would still do more to my computer to make sure it's gone. Some viruses take over the restore files as well. However, there's no guarantee that this virus does that (unless the images above say otherwise) and I don't think it'd hurt anything. I know the date the virus got in. Is it worth a shot? (I'm sorry, you asked me to do these two simple things and I'm getting all off track... ^.^; )

#6 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 07 January 2011 - 09:43 PM

OK, it is very difficult to ascertain the infection. But there are a load of broken exe and empty files, and I would fix (quarantine before delete if possible) all of them first. If the malware keeps breaking files we cannot advance.

Run MBAM. Run Flash Disinfector if it will.

#7 C.Kyuubi
  • Topic Starter
  • Members
  • 56 posts

Posted 08 January 2011 - 05:02 PM

Here's the MBAM log. Sorry for a late response. It didn't pick anything up on the quick scan. Could it be...a rootkit?


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5485

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/8/2011 4:59:20 PM
mbam-log-2011-01-08 (16-59-20).txt

Scan type: Quick scan
Objects scanned: 166298
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Edit: Nor did a full scan detect anything... :/ Vista, XP and Dell RECOVERY all came up with nothing.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5485

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/8/2011 5:59:32 PM
mbam-log-2011-01-08 (17-59-32).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 325055
Time elapsed: 56 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Edit 2: Flash Disinfector still says it didn't install correctly. I'm wondering if it could possibly be the link. I'm also wondering if this is one big false alarm. However, I finally got the idea to look in McAfee and actually read what items it quarantined at the exact time it detected the trojan. Could this really be the Artemis! virus?

Quarantined Items

Item:UNCONFIRMED 82276.CRDOWNLOAD
Threat:Artemis!F645F0FDF891
Detected:1/5/2011 10:34PM
Status:Detected
File Path: C:\USERS\*username*\DOWNLOADS
Threats Detected: Artemis!F645F0FDF891 (Trojan)

Item:F_0007C5
Threat: Artemis!F645F0FDF891
Detected: 1/5/2011 10:34PM
Status:Detected
File Path: C:\USERS\*username*\APPDATA\LOCAL\GOOGLE\CHROME\USERDATA\DEFAULT\CACHE
Threats Detected: Artemis!F645F0FDF891 (Trojan)

Item:UNCONFIRMED 82276.CRDOWNLOAD
Threat: Artemis!F645F0FDF891
Detected: 1/5/2011 10:34PM
Status:Detected
File Path: C:\USERS\*username*\DOWNLOADS
Threats Detected: Artemis!F645F0FDF891 (Trojan)

Edited by C.Kyuubi, 08 January 2011 - 06:23 PM.


#8 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 08 January 2011 - 09:14 PM

Hello, there is a McAfee procedure here to determine what that is.

"Artemis" & Other Possibly False Detections


Let us know.
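
Before following a vendor's false-positive procedure, a practitioner checks two things about the quarantine listing two posts up: that the three items are really the same file, and that the detection name actually belongs to that content. McAfee's Artemis names carry the first 12 hex digits of the file's MD5 after "Artemis!", so the name can be checked against the quarantined file's hash, and the SHA-256 can be looked up on VirusTotal or Jotti without uploading the file at all. The script below is an added example of that check; it is not McAfee's, Jotti's or VirusTotal's code and is not part of any post. The function names, the sample bytes, the file names and the temporary directory are constructed for the demo.

```python
"""Verify a McAfee "Artemis!" detection against the quarantined file's
hash and prepare hashes for a VirusTotal / Jotti lookup by hash.

Added example, not McAfee's, Jotti's or VirusTotal's code. McAfee names
Artemis (reputation) detections "Artemis!" followed by the first 12 hex
digits of the file's MD5; the sample bytes, file names and directory used
below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

ARTEMIS_RE = re.compile(r"^Artemis!([0-9A-Fa-f]{12})$")


def file_hashes(path, chunk_size=1 << 20):
    """MD5/SHA-1/SHA-256 of a file, streamed so a large download is not read into memory at once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def artemis_prefix(detection_name):
    """Return the 12-hex-digit MD5 prefix embedded in an Artemis name, else None."""
    m = ARTEMIS_RE.match(detection_name.strip())
    return m.group(1).upper() if m else None


def artemis_matches(path, detection_name):
    """True/False if the file's MD5 starts with the Artemis prefix; None if not an Artemis name."""
    prefix = artemis_prefix(detection_name)
    if prefix is None:
        return None
    return file_hashes(path)["md5"].upper().startswith(prefix)


def triage(records):
    """Group quarantine records (path, detection_name) by content hash.

    Identical hashes mean one and the same download, however many paths
    (Downloads folder, browser cache, ...) the AV listed it under. Files no
    longer on disk are returned separately so they can be restored from
    quarantine before hashing.
    """
    by_hash, missing = {}, []
    for path, name in records:
        if not os.path.isfile(path):
            missing.append(path)
            continue
        h = file_hashes(path)
        entry = by_hash.setdefault(
            h["sha256"], {"md5": h["md5"], "paths": [], "artemis_ok": []})
        entry["paths"].append(path)
        entry["artemis_ok"].append(artemis_matches(path, name))
    return by_hash, missing


def demo():
    """Constructed scenario: one download seen under two paths, one entry already gone."""
    root = tempfile.mkdtemp(prefix="quarantine_")
    payload = b"MZ" + b"\x90" * 64 + b"constructed sample for hashing, not malware\n"
    downloads = os.path.join(root, "Unconfirmed 82276.crdownload")
    cache = os.path.join(root, "f_0007c5")
    for p in (downloads, cache):
        with open(p, "wb") as fh:
            fh.write(payload)
    # Build the name the way McAfee would for this content (assumed convention).
    name = "Artemis!" + hashlib.md5(payload).hexdigest()[:12].upper()
    gone = os.path.join(root, "already_deleted.bin")
    return triage([(downloads, name), (cache, name), (gone, name)])


if __name__ == "__main__":
    groups, missing = demo()
    for sha256, info in groups.items():
        print(sha256, info["md5"], info["paths"], info["artemis_ok"])
    print("missing:", missing)
```

A mismatch between the Artemis prefix and the file's MD5 means you are hashing a different file from the one McAfee flagged (restored to the wrong place, or modified since); a match plus a SHA-256 that is unknown to the multi-engine sites is exactly the low-prevalence situation a reputation detection is designed to catch, and uploading is then the next step.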

#9 C.Kyuubi
  • Topic Starter
  • Members
  • 56 posts

Posted 08 January 2011 - 09:25 PM

Will do. But first, I should mention that I have encountered a similar issue before. Less than a month ago, I got a trojan notification from McAfee in the bottom-right corner of the screen, when I was downloading GimPhoto from its original website, which is...a completely legitimate program. After researching it, I found no symptoms and figured that it was just a false positive. I had GimPhoto before when I was running AVG, and nothing was picked up. I believe it was the same crdownload type of file, and possibly the exact same threat name. Which leads me to believe one of two things. Either it was not an error and my files have been being eaten away at for about a month, or both of these are false and this is just a McAfee thing.

But that brings up one more thing I'm wondering about. Why does KlamAV detect so many broken files? Are ALL of those something I can disregard?

#10 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 08 January 2011 - 09:38 PM

We may still have an infection; I am trying to determine that one.

Let's upload these files for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

#11 C.Kyuubi
  • Topic Starter
  • Members
  • 56 posts

Posted 09 January 2011 - 07:20 PM

Here are the results for one of the crdownload files. Four of them came up positive, but all of them have differing opinions on the name. I...kind of chickened out of restoring the other two files after this. ^_^; Forgive me. Should I try them too?

Scanner      Date        Result
ArcaVir      2010-06-11  Found nothing
Avast!       2010-06-11  Found nothing
AVG          2010-06-11  Found nothing
Antivir      2010-06-11  Found nothing
Bitdefender  2010-06-12  Found nothing
ClamAV       2010-06-11  Found nothing
CPSecure     2010-06-12  Troj.Downloader.W32.Adload.fu
Dr.WEB       2010-06-12  Found nothing
F PROT       2010-06-11  Found nothing
F-Secure     2010-06-11  Found nothing
Ikarus       2010-06-11  Found nothing
Kaspersky    2010-06-11  Found nothing
NOD32        2010-06-11  Found nothing
Panda        2010-06-11  Found nothing
Quick Heal   2010-06-11  Found nothing
SOPHOS       2010-06-11  Sus/VB-H
VBA32        2010-06-11  Trojan.Win32.Zmunik.st
VirusBuster  2010-06-11  Trojan.PEPM.XQ

#12 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 09 January 2011 - 09:20 PM

Hi, I have to go with it is malware. Just these 2 researches indicate it would have Backdoor and Injector capability.
http://www.threatexpert.com/report.aspx?md5=2145683c5b5531b1c3b0c0d950dcc939
http://www.securelist.com/en/descriptions/4064336/Trojan.Win32.Zmunik.nw

These are not good to have as this allows hackers to remotely control your computer, steal critical system information and download and execute files.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Since these malwares appear to be well hidden and dangerous to leave (or guess at, for that matter), we will need stronger specialized tools and one-on-one removal.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#13 C.Kyuubi
  • Topic Starter
  • Members
  • 56 posts

Posted 10 January 2011 - 03:51 PM

Ouch... That's not the kind of thing a computer owner wants to hear. :( Fortunately, I do not do any banking and the like on my computer, but I do have a Facebook account and some other things that might be a bit sensitive. My bleepingcomputer.com password is unique. I will change my other passwords promptly. I think a Nintendo Wii would be pretty virus-safe for that. ;) I will probably simply wipe my flash drive, as it does not contain any info I really need right now. Thanks for your help up until this point. I owe you an arm and a leg for all the help.

However, I do have one more question before I seek other advice. There are about three or four other computers sharing the same network running Vista and XP that DO get used for transactions. Is this particular rootkit/trojan/whatever able to infect them as well? How can I confirm that they are safe? (Speaking of which, I better scan my XP partition with KlamAV... Who knows what malware like this is programmed to do. :/)

#14 boopme
    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 10 January 2011 - 04:12 PM

I know it's getting like stupid with malware. I would scan each PC with MBAM just to see. As you will be posting in the Removal forum, I would bring this up with them as they will want to have a look at it all.

#15 C.Kyuubi
  • Topic Starter
  • Members
  • 56 posts

Posted 10 January 2011 - 04:59 PM

Sure thing. I'll post back here once this has been all figured out. :) Thanks again. My next step: Convincing the others on the network that downloading MBAM is definitely not going to ruin their computer... ^_^;



