Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

gen:Variant.Graftor.323.916 is infecting my own programs


  • This topic is locked This topic is locked
3 replies to this topic

#1 mihnea

mihnea

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 01 February 2017 - 04:29 PM

Hi,

 

I have the following problem: a virus is infesting my programs, it's attacking small programs that I write myself(because I am reviewing c/c++ and all the .exe files that i generated. If I press ctrl+f5 in visual C community  I get a linker error because the exe file is being blocked by the antivirus. I also get a warning for variant.razy and now some other trojans( Trojan.generic.4102792.I will be forced to disactivate the anti-virus cause I need to keep reviewing C.

 

Attached File  screen.jpg   91.25KB   1 downloads
Attached File  FRST.txt   33.79KB   5 downloads

 

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:33 AM

Posted 02 February 2017 - 08:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\SiteAdvisor\saffplg.xpi => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
U3 a3ltiucd; C:\Windows\system32\Drivers\a3ltiucd.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
S3 mfesapsn; \??\C:\Program Files\McAfee\SiteAdvisor\mfesapsn.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [140]
AlternateDataStreams: C:\Users\Mihnea\Downloads\adobe_flash_setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\adwcleaner_6.043.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\reason-core-security-setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\vs_community_ENU__1521066390.1484839319.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\WUD250B1002Setup.exe:BDU [0]
C:\Windows\system32\Drivers\a3ltiucd.sys

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

For your added security I suggest that you update the following programs.

JAVA

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===

ADOBE READER
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
<<<>>>

Remove the old versions via the Control Panel > Programs > Programs and Features if still present.

Adobe Reader 9.3.2 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A93000000001}) (Version: 9.3.2 - Adobe Systems Incorporated)
Java™ 6 Update 20 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216020FF}) (Version: 6.0.200 - Sun Microsystems, Inc.)

Please post the logs and let me know what problem persists with this computer.

#3 mihnea

mihnea
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 02 February 2017 - 06:49 PM

Gen:Variant.Graftor.323916

La multi ani!
Va doresc sanatate, implinirea celor mai tainice dorinte. Sa adaugati multi ani vietii, dar si viata anilor ce

vor urma, in asa fel incat sa va fie fiecare zi prilej de bucurie.

Ok, I have done what you asked, Java did not appear as installed, that was just an old leftover. And I don't use

adobe, I use foxit.

Here is the FRST fixlog:

ix result of Farbar Recovery Scan Tool (x86) Version: 29-01-2017
Ran by Mihnea (02-02-2017 22:14:48) Run:2
Running from C:\Users\Mihnea\Downloads
Loaded Profiles: Mihnea (Available Profiles: Mihnea)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\SiteAdvisor

\saffplg.xpi => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] -

hxxps://clients2.google.com/service/update2/crx
U3 a3ltiucd; C:\Windows\system32\Drivers\a3ltiucd.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte

File/Folder)
S3 mfesapsn; \??\C:\Program Files\McAfee\SiteAdvisor\mfesapsn.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [140]
AlternateDataStreams: C:\Users\Mihnea\Downloads\adobe_flash_setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\adwcleaner_6.043.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\reason-core-security-setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\vs_community_ENU__1521066390.1484839319.exe:BDU [0]
AlternateDataStreams: C:\Users\Mihnea\Downloads\WUD250B1002Setup.exe:BDU [0]
C:\Windows\system32\Drivers\a3ltiucd.sys

Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} => value removed successfully.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully.
a3ltiucd => service not found.
HKLM\System\CurrentControlSet\Services\mfesapsn => key removed successfully.
mfesapsn => service removed successfully.
C:\ProgramData\TEMP => ":CB0AACC9" ADS removed successfully..
"C:\Users\Mihnea\Downloads\adobe_flash_setup.exe" => ":BDU" ADS not found.
C:\Users\Mihnea\Downloads\adwcleaner_6.043.exe => ":BDU" ADS removed successfully..
"C:\Users\Mihnea\Downloads\reason-core-security-setup.exe" => ":BDU" ADS not found.
C:\Users\Mihnea\Downloads\vs_community_ENU__1521066390.1484839319.exe => ":BDU" ADS removed successfully..
C:\Users\Mihnea\Downloads\WUD250B1002Setup.exe => ":BDU" ADS removed successfully..
"C:\Windows\system32\Drivers\a3ltiucd.sys" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 50973372 B
Java, Flash, Steam htmlcache => 9858 B
Windows/system/drivers => 5006202094 B
Edge => 0 B
Chrome => 0 B
Firefox => 378693714 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
LocalService => 0 B
NetworkService => 0 B
Mihnea => 21436017 B

RecycleBin => 42429106 B
EmptyTemp: => 5.1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 22:21:08 ====

The C: partition indeed went from 7,5 to 13,7 free GB, did notice the viruses are filling my drive, don't know

how Temp can grow in 5 GB.
Here is the MalwareBytes Ani Malware log, I reentered the program and exported after the fix.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/2/17
Scan Time: 10:48 PM
Logfile: export_log_malwarebytes.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1162
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Mihnea-PC\Mihnea

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 295816
Time Elapsed: 22 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.Plumbytes, HKLM\SOFTWARE\Plumbytes Software, Quarantined, [10860], [262040],1.0.1162

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)


AdwCleaner did not find any threats.

# AdwCleaner v6.043 - Logfile created 02/02/2017 at 23:52:11
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-02.2 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X86)
# Username : Mihnea - MIHNEA-PC
# Running from : C:\Users\Mihnea\Desktop\adwcleaner_6.043.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [11297 Bytes] - [01/02/2017 12:23:02]
C:\AdwCleaner\AdwCleaner[C2].txt - [844 Bytes] - [02/02/2017 23:52:11]
C:\AdwCleaner\AdwCleaner[S0].txt - [10544 Bytes] - [01/02/2017 12:21:13]
C:\AdwCleaner\AdwCleaner[S1].txt - [1311 Bytes] - [01/02/2017 20:58:36]
C:\AdwCleaner\AdwCleaner[S2].txt - [1383 Bytes] - [02/02/2017 23:51:48]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1136 Bytes] ##########

Should I have added them as files instead of posting?

And graftor is still here when I try to run a Visual C program. I deleted the .exe file from the solution because acces was denied, rebuild the solution and acces is being blocked by bitdefener and I get a linker error. :(
I must shutdown anti-virus protection or try to mark it as a false positive, I need to continue my work.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:33 AM

Posted 03 February 2017 - 08:36 AM

This looks like a false positive. A process/files is being blocked in your D:\Program c\ ....

I suggest you take this matter with Bitdefender.

What to do when Bitdefender detects legitimate applications
https://www.bitdefender.com/support/what-to-do-when-bitdefender-detects-legitimate-applications-491.html




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users