Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SUcv.exe


  • This topic is locked This topic is locked
14 replies to this topic

#1 hatemalware

hatemalware

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 10 March 2011 - 09:13 PM

Recently, I ran BitDefender on my Windows 7. It said that I was infected with Gen:Variant.FakeAlert.18. The file was SUcv.exe, and it was located in a temp folder. I know it may be a false positive, but I couldn't find that particular file online. Is it possible that I have a virus?

BC AdBot (Login to Remove)

 


#2 coles1mom

coles1mom

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:31 AM

Posted 10 March 2011 - 09:39 PM

Scan with MBAM just to be sure.

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:31 AM

Posted 11 March 2011 - 11:41 PM

It does appear to be a malware related file. What did Bitdefender do with it?

TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 hatemalware

hatemalware
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 13 March 2011 - 09:52 PM

Bitdefender deleted the file. So what exactly does that file do? I'm just worried that I may have other problems that bitdefender did not detect.

Edited by hatemalware, 13 March 2011 - 09:53 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:31 AM

Posted 13 March 2011 - 10:01 PM

Heres a little explanation TFC - Temp File Cleaner by OldTimer

Let's run these and see ifthere is anything else

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



ESET Online Scan
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 hatemalware

hatemalware
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 13 March 2011 - 11:42 PM

I ran both MBAM and ESET. Here are the logs

MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6046

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/13/2011 8:12:50 PM
mbam-log-2011-03-13 (20-12-50).txt

Scan type: Quick scan
Objects scanned: 168333
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET log

C:\Program Files\Cain\Abel.exe a variant of Win32/CainAbel.AA application cleaned by deleting - quarantined
C:\Program Files\Cain\Cain.exe a variant of Win32/CainAbel application cleaned by deleting - quarantined



Does the malware I am infected with have the ability to steal personal information? Will I have to change all my passwords?

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:31 AM

Posted 14 March 2011 - 07:20 PM

Hello these yes... (Backdoor.Bot) and Win32/CainAbel.AA

For example if I was such a a person and your router was open, I would connect to it. Then I would run somethin called CainAbel to sniff your packets serving a a middle man. Using this information it would be possible me to enter your bank account.

backdoor Trojans[/url], Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 hatemalware

hatemalware
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 14 March 2011 - 08:48 PM

Does this virus spread through the network? I scanned my other computer with MBAM, but nothing came up. Does that mean it is clean? Also, I always check my bank/credit card records to make sure that nothing is stolen. If I continue to monitor my records, is it still necessary to notify the banking or credit card institutions? I'm not sure, but I don't believe I have entered any credit card or banking information in this computer. I have only used accounts such as paypal, amazon, and email. So as long as I change my passwords, it's ok right?

Also, I would like to proceed with disinfection. Should I post a Hijack this log here? Thank You for the help.

Edited by hatemalware, 14 March 2011 - 08:48 PM.


#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:31 AM

Posted 14 March 2011 - 09:01 PM

Ok ,yes change your passwords then.
Let's do a rootkit check.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension
    .
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local
    Disk C:).
  • Copy and paste the contents of that file in your next reply.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 hatemalware

hatemalware
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 15 March 2011 - 12:45 AM

I ran both TDSS and MBAM. What is normal mode for MBAM? I just ran it normally. Neither tests came up with anything. Also, my brother told me he downloaded Cain and Abel to test if people could use that program to hack our computer through the network. He said he was pretty sure it's not a virus.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:31 AM

Posted 15 March 2011 - 02:57 PM

Normal as opposed to Safe mode. If you installed that then fine. It is picked up as an intusion which it is. So I say you are OK now as the bot and Cain were working together. Had you not installed it you had a problem.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 hatemalware

hatemalware
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 15 March 2011 - 04:05 PM

So the bot was part of the Cain program? My brother said he didn't know what the bot was.

#13 hatemalware

hatemalware
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 15 March 2011 - 06:32 PM

Also, what was the original file that bitdefender found? (SUcv.exe)

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:31 AM

Posted 15 March 2011 - 07:08 PM

Hello again we do have an info stealer here.. I was still researching this Bot. At first I thought they were the same item but I have found they are not,, 19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot)

ThreatExpert
http://www.threatexpert.com/report.aspx?md5=eef4cf9b4fc936adeb5dea03562faddd

The (SUcv.exe) was a malware file that BitDefender removed.

To clean this now.. We need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:31 AM

Posted 20 March 2011 - 04:39 PM

Malware topic here: http://www.bleepingcomputer.com/forums/topic385963.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users