
Problem with pendrive, Gamarue infection?


9 replies to this topic

#1 MajkelTMB

  • Members
  • 5 posts

Posted 11 June 2015 - 10:29 AM

Hi!

First of all, my English is not perfect and I'm new here. The problem is with my friend's notebook. Her laptop probably got infected from a pendrive. She only has MBAM and sent me 2 screenshots of what it could be. When she plugs in another pendrive, the only thing she can see is a shortcut, and sometimes when she plugs in a pendrive (not always) MBAM shows info about a virus/infection.

[Screenshot 1: PJXvtCv.jpg]

[Screenshot 2: 73QMCUz.jpg]




#2 Sintharius (Bleepin' Sniper)

  • Members
  • 5,639 posts
  • Gender: Female
  • Location: The Netherlands

Posted 11 June 2015 - 10:57 AM

Hello and welcome to Bleeping Computer :)

Win32/Gamarue is a worm that spreads via emails and flash drives. You will need an antivirus to detect it - Malwarebytes Anti-Malware is not meant to be used against worms.

Due to the nature of this infection, I must warn you of the following...

Looking through your logs I noticed that your machine is infected with a backdoor Trojan.

They allow hackers to remotely control your computer, steal critical system information, and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please change all your passwords on a known clean and secure machine, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be removed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Regards,
Alex

#3 MajkelTMB (Topic Starter)

Posted 11 June 2015 - 11:30 AM

"Looking through your logs" - what logs, heh? You noticed that only by looking at the screenshots? I have just sent a message to my friend and informed her about the situation; I will edit my post after she decides whether to format or not. Thanks for the quick reply :).



#4 Sintharius (Bleepin' Sniper)

Posted 11 June 2015 - 11:33 AM

Please post a new post instead of editing, as I do not get a notification if you edit a post :)

#5 MajkelTMB (Topic Starter)

Posted 12 June 2015 - 09:06 AM

OK, please write instructions on what to do, as I can't format this notebook now :).

#6 Sintharius (Bleepin' Sniper)

Posted 12 June 2015 - 10:08 AM

Hello there,

Please run these.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Full Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
===

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
As for the flash drive... it is better to format it, as any data that may be present on the drive is probably corrupted by the worm and lost.

Regards,
Alex
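Added example, not code from this thread or from any of the scanners mentioned above. Before a flash drive that shows only shortcuts is reformatted, a practitioner would want two checks: what those shortcuts actually launch, and whether the original folders are still on the drive as hidden/system items, which is how USB worms of this kind commonly hide them behind the lure shortcuts. The script below reads .lnk files straight from their Shell Link header and StringData (the MS-SHLLINK layout) instead of resolving them through the Windows shell, so nothing on the stick is executed. It flags shortcuts whose target is a command interpreter or whose arguments run an executable, and lists hidden/system entries (the attribute check only has an effect on Windows; elsewhere it reports none). The two shortcuts built in demo_scan() are constructed for the demonstration and are not from the poster's drive; LAUNCHERS and EXEC_EXT are my own heuristic lists, not a vendor signature.

```python
"""Triage a removable drive for the "all my files turned into shortcuts" pattern.

Added example. Parses .lnk files from raw bytes (MS-SHLLINK header + StringData)
so no shortcut on the drive is ever resolved or executed.
"""
import os
import struct
import tempfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x02, 0x04
# Heuristic (assumption, not a signature): interpreters a lure shortcut points at
# so that a hidden payload runs before the real folder is opened.
LAUNCHERS = {"cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd", ".pif", ".com")
# StringData blocks appear in exactly this order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (relative_path, arguments, ...)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a Shell Link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList blob (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its first dword is its size)
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:             # each: 2-byte char count, then the chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode(
                "utf-16-le" if unicode else "cp1252", errors="replace")
            pos += nbytes
    return fields


def is_suspicious(fields: dict) -> bool:
    """A lure is named like a folder but launches an interpreter or an executable."""
    rel = fields.get("relative_path", "").lower().replace("\\", "/")
    args = fields.get("arguments", "").lower()
    launches_interpreter = os.path.basename(rel) in LAUNCHERS and bool(args)
    args_run_something = any(ext in args for ext in EXEC_EXT)
    return launches_interpreter or args_run_something


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode .lnk; only used to construct the demo sample."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    # attrs, 3 FILETIMEs, FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey, 3 reserved
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + (string_data(arguments) if arguments else b"")


def scan_directory(root: str) -> dict:
    """Walk a drive: report hidden/system items and shortcuts that launch code."""
    report = {"hidden_items": [], "suspicious_shortcuts": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            attrs = getattr(os.stat(full), "st_file_attributes", 0)  # Windows only; 0 elsewhere
            if attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
                report["hidden_items"].append(full)
            if name.lower().endswith(".lnk"):
                with open(full, "rb") as fh:
                    try:
                        fields = parse_lnk(fh.read())
                    except (ValueError, struct.error):
                        continue                 # malformed shortcut: not a Shell Link
                if is_suspicious(fields):
                    report["suspicious_shortcuts"].append(
                        (full, fields.get("relative_path", ""), fields.get("arguments", "")))
    return report


def demo_scan() -> dict:
    """Constructed sample: one lure shortcut and one benign shortcut in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        lure = build_lnk("..\\..\\Windows\\system32\\cmd.exe",
                         '/c start "" %cd%\\x.exe & start "" explorer %cd%\\Documents & exit')
        benign = build_lnk("..\\Documents\\report.docx")
        with open(os.path.join(root, "Documents.lnk"), "wb") as fh:
            fh.write(lure)
        with open(os.path.join(root, "report.lnk"), "wb") as fh:
            fh.write(benign)
        return scan_directory(root)


if __name__ == "__main__":
    for path, target, args in demo_scan()["suspicious_shortcuts"]:
        print(f"{path}: launches {target} {args}")
```

Run it as-is for the constructed sample, or call scan_directory("E:\\") (drive letter assumed) on the mounted stick; it only reads bytes, so nothing on the drive runs. If the hidden items it lists are the user's own folders, they are not lost: after the stick has been cleaned, `attrib -h -s -r /s /d` on Windows clears the attributes and makes them visible again.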

#7 MajkelTMB (Topic Starter)

Posted 13 June 2015 - 04:36 AM

Here are the results.
Eset

C:\Users\Patrycja\AppData\Roaming\obffuukfuk.exe a variant of Win32/Kryptik.DLZA trojan cleaned by deleting - quarantined

C:\Users\Patrycja\AppData\Roaming\obpufffpup.exe a variant of Win32/Bundpil.CV.gen worm cleaned by deleting - quarantined
Operating memory a variant of Win32/Bundpil.CS worm

Emsisoft:

Emsisoft Emergency Kit - Version 9.0
Last update: 2015-06-12 19:29:28
User name: Patrycjusz\Patrycja
 
Scanner settings:
 
Scan type: Full scan
Objects: Rootkits, Memory, Traces, C:\
 
PUP detection: Enabled
Scan compressed files: Enabled
Scan ADS: Enabled
File extension filter: Disabled
Advanced caching: Enabled
Direct disk access: Disabled
 
Scan started: 2015-06-12 19:30:15
 
Scanned: 293053
Detected: 0
 
Scan finished: 2015-06-12 20:46:36
Scan duration: 1:16:21


#8 Sintharius (Bleepin' Sniper)

Posted 13 June 2015 - 05:00 AM

Hello there,

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.
  • Right click on KVRT.exe and select Run as Administrator.
  • Read the EULA, then select Accept.
  • Wait for Kaspersky Virus Removal Tool to initialize.
  • In the main screen, select Change parameters, place a checkmark in System drive, then click OK.
  • Click Start scan.
  • Wait for Kaspersky Virus Removal Tool to complete scanning.
  • When the scan is finished, select Neutralize all for all detected objects.
  • Close Kaspersky Virus Removal Tool when done.
Let me know if it found anything.

Regards,
Alex

#9 MajkelTMB (Topic Starter)

Posted 14 June 2015 - 07:16 AM

Kaspersky hasn't found anything. What now?



#10 Sintharius (Bleepin' Sniper)

Posted 14 June 2015 - 07:18 AM

Did you reformat the flash drive? If you did, please check if the problem mentioned at the start still exists.

Alex



