Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rozena Detected on 4GB removable Disc


  • Please log in to reply
14 replies to this topic

#1 Jove

Jove

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 20 April 2012 - 06:56 PM

I placed a 4 GB removable disc into my USB port, and avg detected an infection, . .

This turned out to be "E:\BioPrint.exe";"Virus found Rozena";"Infected"

I opted tp rmove to vault and a message stated that it could not be healed etc.

however when I go to the detailed Object Information it reads;

"Object name";"E:\BioPrint.exe"
"Detection name";"Virus found Rozena"
"Object type";"file"
"SDK Type";"Core"
"Result";"Object is inaccessible."
"Action history";""

However in the scan overview it reads
Infections found 1
Removed and Healed 1
Not removed ot healed 0

So I guess I should take that as its ok to proceed, . .as I want to reformat this for use
it was given to me by a friend.


but also it is presently formatted as an FAT

and I am thinking that is not for my PC I need an NTFS format, . .

I'd appreciate it if you can advise me as to how I can change the formatting so that it is NTSF

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,330 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:07 PM

Posted 20 April 2012 - 07:56 PM

Hello Jove, this is a trojan dropper,not a rootkit or worse. So if you are going to reformat then all these malwares will get wiped off the drive also.
I would use NTFS

Did you run MBAM also,I thibk you have that too,no?

If you want a secons opinion,I know this will find and remove that,if it exists.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.



Here's quietman7's format info

he safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 20 April 2012 - 08:27 PM

Hi boopme, .

It looks like your saying this isn't so bad, . . because its a dropper, . . but then

what Quietman is saying looks like I am about to have a catastrophy, . . how in the world will I find all the file extensions wow what did I do this time? I mean I would not have asked here if it were not for the fact that AVG scan first read not cured etc. and then in the other result said zero infection.

my PC is loaded with many files , . . can I put the extensions in a search ?

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,330 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:07 PM

Posted 20 April 2012 - 08:44 PM

Hi Jove, dont make a big deal of iy. I just posted it as a guide line for safety.
He's making an assumption that one may have a very serious malware. A dropper is no joy just its not self replicating as others are,
He's also considering you may not kknow if there are any infections on here and by not backing up those files ypu will not back up an infection and re install it..

Roxene

Edited by boopme, 20 April 2012 - 08:45 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 21 April 2012 - 12:10 AM

Ok I see, . .

After I scan with ESETS and I place the R-Disc back into the USB, if I get another warning of a virus etc. can I proceed to format with out risking an infection that potentially can enter into by any of various ways to my PC ?

So your saying that after I scan with MBAM and Esets I can back up my files as I would normally do ?

Thanks boopme

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#6 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 21 April 2012 - 08:07 AM

C:\Documents and Settings\Jp\My Documents\InternationalPrimoPDF.exe Win32/OpenCandy application deleted - quarantined


The above is what I have found in the Eset scan however I do not think the scan was complete

BTW I have a Primo program on my desk top
pls, . tell me is there some kind of relationship between these?

////////////////////////////////////////////////

From the very little I have read about this infection, . .
it seems to describe a virus that would be of use to someone who wanted to
find a way to get into your computer, byt adding a user, . . where the next thing I can imagine would be to do this remotely after you are infected would that make sense ?

Edited by Jove, 21 April 2012 - 08:10 AM.

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,330 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:07 PM

Posted 21 April 2012 - 09:35 AM

Most likely the Primo Software installs the Open Candy.

OpenCandy is not a virus or malware. However, since it is responsible for displaying advertisements, it may be detected (and sometimes removed) by various anti-virus and other security scanning tools as Adware, a classification that broadly defines the term as any software package which automatically displays advertisements in any form in order to generate revenue. For example, the Microsoft Malware Protection Center (MMPC) detects the program as Adware:Win32/OpenCandy, a low level threat and so does McAfee.

In response to this detection, OpenCandy has provided the following information:Of course OpenCandy is in business to make money so they are going to defend their product and portray it in a positive light. For another opinion, you may want to read: OpenCandy: A New Kind of Adware/Spyware.

IMO, removal of OpenCandy detections is an optional choice. I have provided the information so you can make an informed decision as whether to remove it or not.



OpenCandy is an advertising application distributed by the OpenCandy Software Network which displays ads in other programs. The use of advertisement is a way to promote software packages and recover development costs. OpenCandy is not installed on a computer, does not collect personally identifiable information and in most cases allows the user to choose whether or not to install advertised software recommended by the vendor. Although no personal information is collected, the software does collect anonymous statistics about events and other data during installation. See What information does OpenCandy collect?

This is what OpenCandy has to say about their product.

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development. The installer uses the OpenCandy plug-in to present a software recommendation...during installation. You have complete control to accept the software recommendation by selecting either the “Install” or “Do not install” options on the software recommendation screen.

What is OpenCandy?

The OpenCanday network has partnered with various popular and trusted software developers who bundle their product as part of the program's software installation package. A list of such developers can be found here. Some vendors will clearly advise the use of OpenCandy before downloading their software, while others may provide confusing or no information at all. An example would be SIW (System Information for Windows) which clearly indicates on their website the use of OpenCandy.

What is OpenCandy?
OpenCandy is similar to Google AdSense, except it displays advertisements in installation program instead of websites. These advertisements promote another software packages. The advertisements are selected by providers of software being installed. When user installing a software (SIW) chooses to install promoted package, revenue is generated and shared between OpenCandy and software providers (SIW developers).

SIW Home Edition is bundled with OpenCandy

Thanks to quietman7 for the write up.

Edited by boopme, 21 April 2012 - 10:02 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 21 April 2012 - 05:48 PM

I found the following and view it with some amateurish interest;


Trojan:Win32/Swrort.A
(?)

Encyclopedia entry
Updated: Apr 17, 2011 | Published: Jun 28, 2010

Aliases

W32/Rozena.A.gen!Eldorado (Command)
W32/Swrort.A (Norman)
Win32/Swrort.A!generic (CA)
Win32/Rozena.AA (ESET)
Trojan.Win32.Rozena (Ikarus)
Swrort.a (McAfee)
Mal/Swrort-A (Sophos)
Trojan.Win32.Swrort.A (Sunbelt Software)


Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.125.235.0
Released: Apr 21, 2012 Detection initially created:
Definition: 1.71.2046.0
Released: Jan 11, 2010


So let me ask you ; concerning the last update (Detection last updated:
Definition: 1.125.235.0 Released: Apr 21, 2012 )

If you can, please, tell me what is that saying about Microsoft, and concerning that particular rather late date ?

Edited by Jove, 21 April 2012 - 05:51 PM.

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#9 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 21 April 2012 - 06:15 PM

What I referred to in Post #6 ;
From the very little I have read about this infection, . .
it seems to describe a virus that would be of use to someone who wanted to
find a way to get into your computer, byt adding a user, . . where the next thing I can imagine would be to do this remotely after you are infected would that make sense ?


If this coincides with this report;

Technical Information (Analysis)
Trojan:Win32/Swrort.A is a detection for files that try to connect to a remote server. Once connected, an attacker can perform malicious routines such as downloading other files.

Trojan:Win32/Swrort.A may arrive in the system as a downloaded file from a malicious site or may be used as payloads of exploit files.

Once executed, Trojan:Win32/Swrort.A may connect to a remote server using different port numbers. Once connected, an attacker can perform malicious routines such as downloading other malware and executing them.

In the wild, Trojan:Win32/Swrort.A is known to connect to the following servers:


202.54.98.156 via TCP port 4444
10.10.10.31 via TCP port 443
188.50.82.246 via TCP port 1234


Analysis by Elda Dimakiling


Then what is being said is that the intruder perpetrator is spying or has the capabilities to spy on the contents of your computer on a remote basis.

Would that be correct ?

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,330 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:07 PM

Posted 22 April 2012 - 02:02 PM

That is true about the malware. It wants to phone home as we say.. This type of malware I would recommend a reformat to remove and guarantee the PC's trustworthiness, As you indicated you were planning to reformat I just gave you how so it would be clean.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 22 April 2012 - 08:35 PM

Sorry Boopme, . . I am not sure I understand.

I meant that I wanted to reformat the 4G Flash Drive, are we meaning the same thing.

MBAM Detected from quick scan zero

I will do another scan with ESET


This was found on the two hard drives oppose to the flash drive, . .
My C drive and and external HD
As you can see I have had an interest in a foreign language



"Scan ""Scan whole computer"" completed."
"Warnings";"4";"4";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Sunday, April 22, 2012, 6:28:55 PM"
"Scan finished:";"Sunday, April 22, 2012, 9:11:11 PM (2 hour(s) 42 minute(s) 16 second(s))"
"Total object scanned:";"347249"
"User who launched the scan:";"Jp"

"Warnings"
"File";"Infection";"Result"
"E:\My Documents-041611\E-File\My Doc-100209\Downloads\Babylon7_chinese_setup.exe";"Corrupted executable file";"Moved to Virus Vault"
"E:\My Documents-041611\E-File\My Doc-100209\Downloads\Babylon7_chinese_setup(2).exe";"Corrupted executable file";"Moved to Virus Vault"
"C:\Documents and Settings\Jp\My Documents\E-File\My Doc-100209\Downloads\Babylon7_chinese_setup.exe";"Corrupted executable file";"Moved to Virus Vault"
"C:\Documents and Settings\Jp\My Documents\E-File\My Doc-100209\Downloads\Babylon7_chinese_setup(2).exe";"Corrupted executable file";"Moved to Virus Vault"


BTW,
When or if I reformat the FD, the virus protection will go off as before will that mean I am reinfected prior to doing a reformat ?

Edited by Jove, 22 April 2012 - 08:36 PM.

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,330 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:07 PM

Posted 22 April 2012 - 08:53 PM

I misunderstood. I thought you were formatting the PC.

What is your OS again?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 22 April 2012 - 09:01 PM

The OS WXP, . . ?

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,330 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:07 PM

Posted 22 April 2012 - 09:43 PM

Flash_Disinfector is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. Flash_Disinfector will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. This folder helps to keep the malicious autorun.ini file from being installed on the root drive and running other malicious files which will infect the computer.


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:07 PM

Posted 22 April 2012 - 09:58 PM

Thanks Boopme,

I'm not sure when I'll do that flash drive, since I am trying to find out why this happen to me, and did someone try to give me a drive that will compromise the security of my PC,
for some kind of spying, etc.

You couldn't tell me where I might be able to read about such covert activities that concern the criminals value and use of such an item, . . could you ?

I mean something in the a plain non-technical language that would describe the affair of
spying and stealing information from someone computer.

I don't need to know how its done, but I,d like to know what transpires.

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users