Need help removing threats detected


  • This topic is locked
2 replies to this topic

#1 nv87654


  • Members
  • 7 posts

Posted 11 July 2012 - 03:18 PM

We have recently had a home PC infected (with SMART H.D.D and maybe more). After many, many anti-malware scans with various anti-malware products, registry fixes, etc., we have finally gotten the PC "cleaned" enough to boot into normal mode, and it appears to be stable so far.

Finally, last night, we uninstalled McAfee and installed our newly purchased Kaspersky Pure 2.0 and ran a Full Scan. The Full Scan found the following threats:

Trojan-Spy.Win32.Carberp.e (from Outlook email ... UPS_Print_label.exe) ... Reason is: Disinfection impossible

Worm.Win32.Mabezat.h (from Outlook email multiple attachments - ...e_231.zip // Gift_Certificate_231.exe // UPX) Reason is: Disinfection impossible

Trojan-Dropper.Win32.Agent.bzst (from Outlook email attachments ... iTunes_certificate_297.zip // iTunes_certificate_297.exe // UPX) Reason is: Disinfection impossible


My questions are:

1. What does the Fix button actually try to do?

2. Can we even "Fix" them since Kaspersky gave reason of: Disinfection impossible (is this because they are "packed" or "zipped"?)

3. What are these Trojans and the Worm we found and what is the behavior and threat description for these?

4. What is a UPX?

Thanks for your help.

#2 Conspire


  • Malware Response Team
  • 1,155 posts

Posted 16 July 2012 - 12:00 PM

In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance, and we will be more than happy to wait. If you fail to do so, your thread will be closed in THREE (3) days. :)


Hello there, nv87654

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

IMPORTANT NOTE: Please do not delete anything unless instructed to. Remember to back up all your important data (if possible) before moving on.

---------------------------------------------------------------------------------------------------

1. Not sure what Fix button you are referring to.

2. Based on my first observation, I can tell that these detected items are mainly from your email attachments. You will need to delete them manually but careful not to open attachments inside.

3. These trojans and worms generally spread themselves once executed. They drop some files and patch system drivers to allow hackers to access the computer through a backdoor. It is kind of like someone jumping into your house and opening your backyard door to let other burglars in.

4. UPX is a packer for executables. It's more of a file compression program to reduce the size.

---------------------------------------------------------------------------------------------------

Hello there,

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Minimal Output at the top
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
  • Click the OK button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic
===================================================

  • Please download GMER from one of the following locations, and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zip Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Extract the contents of the zipped file to desktop (applicable only to Zip mirror) .
  • Double click the GMER program on your desktop.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


===================================================

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===================================================

On your next reply please post :
OTL log
GMER log
Checkup log

Please STOP and let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.
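Conspire's answers to questions 2 and 4 come down to this: the detections are zip email attachments holding UPX-packed executables, which cannot be "disinfected" and simply need to be deleted. As an added example (not from this thread, and not from Kaspersky, UPX or any tool named above), the Python below does that triage offline on a constructed sample: it opens a zip attachment in memory, flags executable members, and reads the PE section table for the UPX0/UPX1 section names that stock UPX leaves behind. The attachment names are taken from the report above; the PE bytes are a constructed header skeleton, not a real sample.

```python
import io
import struct
import zipfile
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20; section headers are 40 bytes, name first
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    return [data[o:o + 8].rstrip(b"\0")
            for o in range(table, table + 40 * num_sections, 40) if o + 40 <= len(data)]

def is_upx_packed(data: bytes) -> bool:
    """Stock UPX leaves UPX0/UPX1 section names behind (a modified packer can rename them)."""
    return any(n in UPX_SECTIONS for n in pe_section_names(data))

def triage_attachment(name: str, data: bytes) -> list:
    """Flag executable attachments and whether they are UPX-packed; zip attachments are opened and their members checked."""
    findings = []
    if name.lower().endswith(EXEC_EXTS):
        findings.append(f"{name}: executable attachment")
        if is_upx_packed(data):
            findings.append(f"{name}: UPX-packed")
    elif name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += [f"{name} // {f}" for f in triage_attachment(member, zf.read(member))]
    return findings

def build_fake_pe(section_names) -> bytes:
    """Constructed PE header skeleton (headers only, nothing executable) with the given section names."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections

def demo() -> list:
    """Constructed sample mirroring the report above: a zip attachment holding a UPX-packed exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Gift_Certificate_231.exe", build_fake_pe([b"UPX0", b"UPX1", b".rsrc"]))
    return triage_attachment("Gift_Certificate_231.zip", buf.getvalue())
```

Run `demo()` to see both findings for the constructed zip; on a real mailbox export you would call `triage_attachment` on each attachment's name and bytes, and delete the flagged ones without opening them, as advised above.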

#3 Conspire


  • Malware Response Team
  • 1,155 posts

Posted 19 July 2012 - 10:23 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.