
Backup.exe virus?


37 replies to this topic

#1 Smash591

  • Members
  • 25 posts
  • Gender: Male
  • Location: Warner Robins, Ga

Posted 06 August 2012 - 10:56 AM

I believe this to be the start of a potentially long process. My wife just called me at work and announced she has just screwed up her computer. The story goes she clicked on a link in Facebook (1st problem), and immediately she received a pop-up warning window asking if she wanted to run Backup.exe from an unknown publisher. She clicked "No" and immediately the window popped back up asking the same question. She repeatedly answered "No" about 20 times before giving up and manually powering off the PC via the power button 7 sec hold. On restarting and logging back in to her account she says all hell broke loose with a massive quantity of error messages capped by one that said "I/O error" and something about not being able to access partitions on the hard drive. Crap... right?
The machine in question is a Dell touchscreen PC running Win7 Ultimate and using Microsoft Security Essentials with auto-update turned on. The PC is currently unplugged and off.

My question is this: is there some new virus out there that looks like this (see above), and how should I proceed? I'm at work now and will return home this afternoon to combat this problem. Any advice going into this battle would be greatly appreciated. Once I'm home and able to assess the problem in person, I'll post updated details.

Thanks.

S.O.


#2 SRP1

  • Members
  • 6 posts

Posted 06 August 2012 - 07:50 PM

I have been hit with this also this evening. I will be waiting for some type of update.

#3 Smash591

  • Topic Starter
  • Members
  • 25 posts
  • Gender: Male
  • Location: Warner Robins, Ga

Posted 06 August 2012 - 09:29 PM

Alright, here is what I know so far. I was able to start up the machine normally and log into my account normally. I ran a targeted scan on my wife's user directory and MS Security Essentials found "TrojanDownloader: Java/OpenConnection.ZJ" and claimed to have cleaned it. I then ran a full scan on the computer and it returned OK and fully protected. I then went to the User Account Control and downgraded all user accounts to standard users, and created a separate Admin account and password protected it with a different password. I then rebooted and logged into my wife's account, and immediately the errors started popping up. At one point an error said that Windows had lost access to the System partition and needed to scan and repair the HD. I waited, and then errors started flooding in saying Attrib.com couldn't execute. At that point I power cycled the machine and logged back into my account, and I'm typing to you now on it.

How do I identify and clean my wife's account?

S.O.

The PC is a Dell Inspiron One and is running MS Windows 7 Home Premium service pack 1 64-bit OS. It has MS Security Essentials installed and updated with yesterday's signatures.

#4 Smash591

  • Topic Starter
  • Members
  • 25 posts
  • Gender: Male
  • Location: Warner Robins, Ga

Posted 06 August 2012 - 10:02 PM

I re-ran the MSSE on my wife's user directory and this time it came up clean.

I have downloaded/installed Malwarebytes and am currently running a full scan... will post the results as soon as I have them.

#5 SRP1

  • Members
  • 6 posts

Posted 07 August 2012 - 05:28 AM

I had to hard kill my machine, then I came up in safe mode. Unfortunately I was in the admin account when this occurred yesterday evening, so I will take your lead on creating a new admin account with a different password when I get through this. So I installed Malwarebytes from an old version I had in a folder from a Win7 attack last year. It ran late into the evening so I just saw the results this morning. It found two registry data issues called PUM.Hijack.StartMenu. I sure hope this is it. McAfee showed all clear. I had also noticed the path to the Backup.exe that was trying to be opened yesterday: C:\user\<account name>\AppData\Local\temp\Backup.exe (hidden directory). This file is apparently shown, when I mouse over it, as File Description: VLC Media Player, Company: The VideoLAN Team, Created: 8/6/2010. I'm not sure if this is an issue, but I guess I will use Eraser to delete this thing since I don't use VLC Media Player and it is probably residual from having three teenagers in the home back then. I am flying by the seat of my pants here so we shall see.

#6 SRP1

  • Members
  • 6 posts

Posted 07 August 2012 - 05:58 AM

Before I deleted backup.exe I had McAfee scan it again. Nothing found. Rebooted in normal mode, network still disconnected for security, not that I know if it will help, but hey, this is on a Vista box by the way. I had noticed when this happened that McAfee had been stopped and would not run when I first got hit. On reboot I am getting the following error message about 20 times (which also occurred last night, but I had shut down so fast [apparently not fast enough though] that this is the first time I could read it):
System Message - Write Fault Error
A Writecommand during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception error when using a reference to an invalid system memory address.

I then get a System Error. Hard disk failure detected and am presented with two options. Scan and Repair or Scan Later.

Now allowing !S to scan the drive. WTF, now I am being told I have seven critical HDD errors and I only have the trial version of this File Recovery software. I think I just stepped in a big pile of manure again like that Win7 issue last year.

Time to google this stuff now. If anyone has any ideas, now would be a good time to chime in here... LOL.

#7 SRP1

  • Members
  • 6 posts

Posted 07 August 2012 - 06:08 AM

"System Check is a fake computer analysis and optimization program from the FakeHDD family of rogues. This rogue displays false alerts that are designed to make you think that your computer has hard disk problems that have led to corrupt and missing data. It displays these alerts in order to scare you into purchasing the program so that you can fix these issues. In reality, though, there is nothing wrong with your hardware or data, so please ignore any error messages that this program displays. System Check is installed through hacked sites that exploit vulnerabilities in software that may be installed on your computer or through fake online scanner pages. Once installed, System Check will display false error messages and security warnings on the infected computer. These messages will state that there is something wrong with your computer's hard drive and then suggest that you download and install a program that can fix the problem. When you click on one of these alerts, System Check will automatically be started."

This is from an article here at Bleepingcomputer.com. Unfortunately for me, it says not to delete any files from your user temp directory, which I did. This just gets better every minute.

#8 Smash591

  • Topic Starter
  • Members
  • 25 posts
  • Gender: Male
  • Location: Warner Robins, Ga

Posted 07 August 2012 - 06:19 AM

Mine took a different path; Malwarebytes shows "Backdoor.Agent.RC2Gen" was found twice but not deleted. ??? I am attaching the log in hopes of an assist.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.06.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Admin :: CAROLS-NEW-PC [administrator]

8/6/2012 10:55:38 PM
mbam-log-2012-08-07 (07-12-48).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 533963
Time elapsed: 1 hour(s), 6 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\NxuXDmPMgbl.exe (Backdoor.Agent.RC2Gen) -> No action taken.
C:\Users\Carol\AppData\Local\Temp\LmR0IQgy7voDZx.exe.tmp (Backdoor.Agent.RC2Gen) -> No action taken.

(end)

S.O.
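The log above reports two files flagged as Backdoor.Agent.RC2Gen with the action "No action taken", which is why the next reply asks for the infections to be removed and the scan re-run. As an added illustration (not code from this thread, from Malwarebytes, or from BleepingComputer), here is a small Python parser that reads a Malwarebytes log in the layout shown above and lists every detection that the scan left in place. The sample input is a trimmed copy of the log from this post; `parse_mbam_log`, `summarize` and `Finding` are names chosen here, and the assumption that other Malwarebytes logs follow the same "<object> (<threat>) -> <action>." item layout is mine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: a trimmed copy of the Malwarebytes log posted in this thread.
MBAM_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.06.13

Windows 7 Service Pack 1 x64 NTFS
Admin :: CAROLS-NEW-PC [administrator]

Scan type: Full scan (C:\|D:\|)
Objects scanned: 533963

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\NxuXDmPMgbl.exe (Backdoor.Agent.RC2Gen) -> No action taken.
C:\Users\Carol\AppData\Local\Temp\LmR0IQgy7voDZx.exe.tmp (Backdoor.Agent.RC2Gen) -> No action taken.

(end)
"""

# "<Section> Detected: <n>" opens a results section; its item lines follow it.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<object> (<threat name>) -> <action>." is the shape of every item line
# (assumed layout, taken from the log in this thread).
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Finding:
    section: str   # e.g. "Files", "Registry Keys"
    obj: str       # path, registry key or process that was flagged
    threat: str    # Malwarebytes detection name
    action: str    # what the scan did with the object

    @property
    def unresolved(self) -> bool:
        # "No action taken" means the object is still present and has to be
        # removed or quarantined in a follow-up run.
        return self.action.lower().startswith("no action taken")


def parse_mbam_log(text):
    """Return (header dict, declared item counts per section, list of Finding)."""
    header, declared, findings = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            declared[section] = int(m.group("count"))
            continue
        if section is None:
            # Still in the header block: keep "key: value" lines.
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("obj"), m.group("threat"), m.group("action")))
    return header, declared, findings


def summarize(text):
    """Condense a log into the facts a helper would ask about first."""
    header, declared, findings = parse_mbam_log(text)
    parsed_counts = Counter(f.section for f in findings)
    return {
        "database": header.get("Database version"),
        "detected": len(findings),
        "unresolved": [f.obj for f in findings if f.unresolved],
        "threats": sorted({f.threat for f in findings}),
        # Sections whose declared count disagrees with the item lines found:
        # a sign the pasted log was truncated or edited.
        "count_mismatch": sorted(s for s, n in declared.items() if n != parsed_counts[s]),
    }


if __name__ == "__main__":
    report = summarize(MBAM_LOG)
    print(f"Database {report['database']}: {report['detected']} detection(s), "
          f"{len(report['unresolved'])} still unresolved")
    for path in report["unresolved"]:
        print("  needs removal:", path)
```

Run against the log above it reports both files as unresolved and no count mismatch; the `count_mismatch` check is there because pasted logs are often trimmed by hand, and a section that declares more items than it lists is worth asking the poster about.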

#9 SRP1

  • Members
  • 6 posts

Posted 07 August 2012 - 06:28 AM

Here is the article link: http://www.bleepingcomputer.com/virus-removal/remove-system-check
Apparently I deleted the file where the rogue put my Start menu or something like that.
I sure hope I can do restore later after this Malwarebytes scan finishes with the current updates.

#10 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 07 August 2012 - 06:33 AM

SRP1

Please create a new topic to avoid confusion.

Smash591

Do you still need help?

#11 SRP1

  • Members
  • 6 posts

Posted 07 August 2012 - 06:45 AM

My apologies. I was unaware that I needed a separate thread for what seems to be the same issue, but I will comply.

#12 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 07 August 2012 - 06:47 AM

:)

#13 Smash591

  • Topic Starter
  • Members
  • 25 posts
  • Gender: Male
  • Location: Warner Robins, Ga

Posted 07 August 2012 - 06:54 AM

Narenxp,
yes... I still need help. I just uploaded the Malwarebytes log (see above) this a.m. and I'm not sure what it means.

Smash

#14 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 07 August 2012 - 06:55 AM

Please remove the infections, update MBAM and run the scan again, and make sure it comes out clean.

Download

TDSSKiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the log report (the log file should be in your C drive).

Do not change the default options on scan results.

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

Download

ESET online scanner

Install it.

Click on START, it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop, copy the contents of the text file in your reply.

Edited by narenxp, 07 August 2012 - 06:56 AM.


#15 Smash591

  • Topic Starter
  • Members
  • 25 posts
  • Gender: Male
  • Location: Warner Robins, Ga

Posted 07 August 2012 - 07:12 AM

I will, however, it will be this afternoon before I can access the computer. Thank you for your time and assistance.

Smash
