Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Behavior:Win32/Gamarue.gen!A


  • Please log in to reply
1 reply to this topic

#1 Martybartfast

Martybartfast

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 17 June 2017 - 08:35 AM

OS: Windows 8.1 Home 64bit

 

A week ago I got a virus from a USB stick I had used to print some documents at a print shop. The virus was disguised as a volume folder but was actually the following shortcut:

C:\Windows\system32\cmd.exe /c start rundll32  \bbfbffdbdfdfdbbfbdbbdffbdfbffbdffbbfbdfdbfff.bbfbffdbdfdfdbbfbdbbdffbdfbffbdffbbfbdfdbfff,NdJVdRNtddZxldtd

 

Windows Defender caught the virus straight away, reporting it as:

Worm:Win32/Gamarue.AU

Category: Worm
Description: This program is dangerous and self-propagates over a network connection.
Recommended action: Remove this software immediately.
Items:
startup:C:\Users\MyUsername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O.lnk
file:C:\Users\MyUsername\AppData\Roaming\eeNtb4m0BP.exe
file:C:\Users\MyUsername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O.lnk
 

I rebooted, ran a full scan, ran Microsoft's MSRT, ran a Malwarebytes scan (registered version), and all came up clean.

 

But then 40 minutes later I got a message from Windows Defender saying it has detected:

Behaviour:Win32/Gamarue.gen!A

Category: Suspicious Behaviour
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
internalbehavior:8C5D57978E84D404E7C24D6719A0DB56

 

The event log shows the process name as C:\WINDOWS\SysWOW64\msiexec.exe and the user as NT AUTHORITY\SYSTEM

 

It says I need to reboot to complete the removal. But after rebooting the same detection comes up every time the system is idle and runs a scan. I'm still getting these reports a week later.

 

I haven't seen any suspicious network connections or busy background processes, but these reports are still a worry.

 

What do these internalbehaviour detections even mean?

 

Could someone please help me clean my computer? Thank you to anyone who can help.

 

Martin



BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:45 PM

Posted 17 June 2017 - 12:16 PM

Welcome to BC...

 

Give Eset Online scanner a shot at finding and removing the malware. If that doesn't do it then start a new topic in the malware removal forum per instructions below.

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Again..if Eset doesn't solve the problem then follow these instructions:

 

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users