Worm infection


7 replies to this topic

#1 xenox

Posted 17 June 2011 - 12:11 PM

Hi all, I'm having the following infection on my Windows Server 2008 and several network PCs:

Worm:VBS/Cantix.A
Worm:VBS/Cantix!inf
Worm:VBS/Cantix.A!Ink

It basically duplicates folder shortcuts of all folders. I've done scans with Kaspersky, Malwarebytes, etc., but to no avail. I would appreciate it if someone can help me. Thanks

xx/06/2011 04:54 PM Task started File Anti-Virus Kaspersky Small Office Security
xx/06/2011 05:15 PM Detected: Worm.VBS.Cantix.a D:\xxxx\dekstop.ini System
xx/06/2011 05:15 PM Detected: Worm.VBS.Cantix.a D:\xxxx\2010 Folder\dekstop.ini System

and the list goes on.


#2 xenox

Posted 17 June 2011 - 07:40 PM

Any info on the removal?

#3 Orange Blossom

Posted 17 June 2011 - 11:16 PM

Hello,

I'm moving this topic to the Am I infected forum.

If you haven't already, you need to isolate all the computers from each other; otherwise the infections will spread and multiply across all the computers.

How many computers are you talking about?

Orange Blossom :cherry:

#4 xenox

Posted 18 June 2011 - 10:08 AM

Hi Orange Blossom, we have 1 server and 20 desktop computers.

#5 PhilT

Posted 18 June 2011 - 10:52 AM

There's a description at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AVBS%2FCantix.A

It suggests removing with Microsoft Safety Scanner http://www.microsoft.com/security/scanner/en-us/default.aspx

#6 xenox

Posted 18 June 2011 - 11:48 AM

Hi PhilT, I've already run the Microsoft Safety Scanner; it did not detect anything.

#7 xenox

Posted 18 June 2011 - 12:37 PM

It also creates these 3 files

autorun.inf
folder (C:\Windows\system32\wscript.exe //e:VBScript dekstop.ini "Folder")
thumbs.db

[autorun]
open=WScript.exe //e:VBScript dekstop.ini auto
shell\open=Open
shell\open\Command=WScript.exe //e:VBScript dekstop.ini auto
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=WScript.exe //e:VBScript dekstop.ini auto
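
The autorun.inf quoted in the post above forces the VBScript engine onto a file with an .ini extension. As an added example (not part of the original thread), this Python check flags [autorun] commands of that shape and reports whether the referenced file sits next to the autorun.inf; the function names and the script-extension list are assumptions of this example.

```python
import os
import re

# [autorun] keys whose value is a command line executed by the shell
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# wscript/cscript with an //e:<engine> override, followed by the file it runs
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b.*?//e:(\w+)\s+\"?([^\s\"]+)", re.I)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}  # assumed list

def suspicious_commands(autorun_text):
    """List (key, engine, target) where a script engine is forced on a non-script file."""
    hits, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = SCRIPT_HOST.search(value)
        if COMMAND_KEY.match(key) and match:
            engine, target = match.groups()
            if os.path.splitext(target)[1].lower() not in SCRIPT_EXTS:
                hits.append((key.lower(), engine, target))
    return hits

def scan_tree(root):
    """Walk root and return (autorun_path, target, target_present) tuples."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        names = {name.lower(): name for name in files}
        if "autorun.inf" not in names:
            continue
        path = os.path.join(folder, names["autorun.inf"])
        with open(path, encoding="latin-1") as handle:
            hits = suspicious_commands(handle.read())
        for target in sorted({hit[2] for hit in hits}):
            findings.append((path, target, target.lower() in names))
    return findings

# Sample input: the autorun.inf contents quoted in the post above
SAMPLE = r"""[autorun]
open=WScript.exe //e:VBScript dekstop.ini auto
shell\open=Open
shell\open\Command=WScript.exe //e:VBScript dekstop.ini auto
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=WScript.exe //e:VBScript dekstop.ini auto"""
```

Run `scan_tree` against each shared drive or USB volume while the machines are isolated; it only reads files and changes nothing.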

#8 Elise

Posted 18 June 2011 - 02:58 PM

Hi xenox,

Since a server and several terminals are involved, it is very hard to clean this using forum instructions.
The problem is that this kind of malware can jump from terminal to terminal and uses USB removable storage devices as well.
The only way to clean this, short of a reformat, is to isolate every computer on the network, clean all of them, make sure any shared drives/all USB storage drives used are cleaned as well, and only then reconnect the server and terminals.

The fastest solution is most likely to disconnect, reformat and reinstall the OS on all terminals, then clean the Server and reconnect everything.

Either way, this is not something that we can help you with on a forum. As this sounds like an office situation, I recommend consulting a network administrator/IT support about this.

regards, Elise