
File server infected with Win32/Fakerecy and Win32/Autorun!inf

4 replies to this topic

#1 fakerecy
Posted 14 January 2015 - 05:45 PM

Hello,

We have a small office with a Dell Poweredge 2950 file server running Ubuntu 10.04.4. It is on 24/7 and wired to several workstations running Windows 7 Pro, Windows 8 Pro, and Windows 8.1 Pro. The only antivirus in use on these workstations is Microsoft Security Essentials or Windows Defender.

Several days ago, a Full Scan in Defender detected these 2 items:

Worm:Win32/Autorun!inf (file:Z:\FolderA\autorun!inf)

Worm:Win32/Fakerecy.A (file:Z:\FolderA\Recycled\ctfmon.exe)

FolderA is a shared network folder/drive residing on the file server, which is also shared in its entirety as drive Z.

Defender's suggestion is to remove them, so they were removed.

However, scanning again immediately afterward, using MSE or Defender, shows the same two worms. Webroot, Avast, Kaspersky, Panda, and Malwarebytes were also tried, but either did not detect the worms (though some of those programs may not have the ability to scan a network drive) or removed them only for the worms to reappear, as with MSE and Defender.

Local scans of several Windows 7 and Windows 8 workstations were done, but the worms are not detected locally in drive C, only in the shared FolderA on the file server.

How should I go about removing these worms?

Thank you


Edited by fakerecy, 14 January 2015 - 05:47 PM.
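Both paths the poster reports live on the Ubuntu server's exported directory, so a check run on the server itself, rather than through the Z: mapping, is the natural next step. The script below is an added example, not code from this thread or from any of the products mentioned: a read-only inventory that lists every autorun.inf and every .exe beneath a Recycled directory under a given root, with SHA-256, Unix owner and modification time, so a file that keeps reappearing after removal can be tied to whoever writes it (the owner is the connecting Samba account if the share maps Windows users to Unix accounts; the mtime is the moment it came back). The export root is an assumption to be supplied on the command line; with no argument it builds and scans a small constructed sample tree. Nothing is deleted.

```shell
#!/bin/sh
# Added example for this thread, not the poster's or any vendor's code.
# Read-only inventory of a file-server export for the two artefacts reported:
# autorun.inf files and executables under any "Recycled" directory.
# Usage: sh inventory.sh /path/to/export   (the path is an assumption)

# Print one line per hit: sha256, owner, mtime, path. Requires GNU find,
# sha256sum and stat (all present on Ubuntu).
find_autorun_artifacts() {
    root="$1"
    find "$root" -type f \
        \( -iname 'autorun.inf' -o \( -ipath '*/Recycled/*' -iname '*.exe' \) \) \
        2>/dev/null |
    sort |
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%U %y' "$f")      # owner and modification time
        printf '%s  %s  %s\n' "$sum" "$meta" "$f"
    done
}

# Number of hits under the root, for a quick before/after comparison.
count_autorun_artifacts() {
    find_autorun_artifacts "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (harmless placeholder files, not malware)
# mirroring the layout the poster describes, and print its path.
make_constructed_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/FolderA/Recycled" "$d/FolderA/docs"
    printf '[autorun]\n; constructed sample, not a real autorun file\n' \
        > "$d/FolderA/autorun.inf"
    printf 'placeholder text, not an executable\n' \
        > "$d/FolderA/Recycled/ctfmon.exe"
    printf 'ordinary document\n' > "$d/FolderA/docs/report.txt"
    printf '%s\n' "$d"
}

if [ -n "${1:-}" ]; then
    find_autorun_artifacts "$1"
else
    sample=$(make_constructed_sample)
    find_autorun_artifacts "$sample"
    rm -rf "$sample"
fi
```

The owner and modification time are the useful columns when a removal does not stick: a file re-created minutes after deletion, owned by a workstation user's account, points at a client still carrying the infection rather than at the server. On a large export run it off-hours, since find walks the whole tree.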



#2 dev00790

Posted 16 January 2015 - 02:39 PM

Hi. Firstly please read and respond to the below:

Company Computers

Since this is a company computer, you may need to obtain permission to carry out the steps I give to you. We will be making system-wide changes to this computer which may be against your company's IT policy. Such action may result in disciplinary action being taken against you. I must stress that I, in no way, accept liability for this or for any unforeseen eventuality as a result of the instructions I give you (including, but not limited to, data loss).

In addition, if your company has an IT support infrastructure I urge you to contact them to resolve your issue - it's what they're paid to do; whereas I volunteer.

In order to continue to receive my help I would like you to confirm that you have the authority to work on the PC and that you accept my conditions.


Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 fakerecy

Posted 16 January 2015 - 03:08 PM

> Hi. Firstly please read and respond to the below:
>
> Company Computers
>
> Since this is a company computer, you may need to obtain permission to carry out the steps I give to you. We will be making system-wide changes to this computer which may be against your company's IT policy. Such action may result in disciplinary action being taken against you. I must stress that I, in no way, accept liability for this or for any unforeseen eventuality as a result of the instructions I give you (including, but not limited to, data loss).
>
> In addition, if your company has an IT support infrastructure I urge you to contact them to resolve your issue - it's what they're paid to do; whereas I volunteer.
>
> In order to continue to receive my help I would like you to confirm that you have the authority to work on the PC and that you accept my conditions.

Hello, thank you for the reply.

I confirm that I have permission from the company to carry out any steps you may give me. I also agree to not hold you responsible in any way for any actions that may result from any changes I may carry out.

We are a small company and don't have a dedicated IT professional on staff. I am responsible for IT, but don't have formal training, though much experience in Windows gained from troubleshooting and installing things at work and home. Linux experience has been limited to running commands given to me by the consultant who set up our Linux file server, who is now unavailable to troubleshoot this worm.



#4 dev00790

Posted 16 January 2015 - 08:45 PM

Hi

> However, scanning again immediately afterward, using MSE or Defender, shows the same two worms.

Please provide the log files for MSE and Defender showing these.

Regards, dev00790



#5 dev00790

Posted 26 January 2015 - 03:02 PM

Hi do you still need help?

Regards, dev00790
