
W32 Malware Repeat


6 replies to this topic

#1 Jimjet

Jimjet

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 04 February 2007 - 06:22 AM

Hi all! this is first post so it may be a bit long winded!
At the start of the year I received a new hub system from BT (British Telecom) and loaded it following the disc instuctions,soon as I loaded it I started to get problems,files not opening, down loads being corrupted that sort of thing,after talking to a mate who knows a bit about computers he thought it may be a virus,I thought that was a bit strange since my McAfree didn't see it and the scan did not spot it.After getting parinode I talked to my bank who made me do a online scan F-secure.com,this found a W32 Malware, the bank shut my internet access so fast and my cards u would not believe(better safe than sorry) I then spent money getting my system cleaned out and reinstalled but as soon as I loaded the Hub I got reinfected,I managed to get rid of it quick and nothing seems to be playing up but I am scanning my system on a regular basses and found it again! and cleaned it out again, also the scan skips some window files i.e-C:\WINDOWS\SYSTEM32\CONFIG\SAM so I don't know if my system clean or not or if the virus is in one of the files I can't scan.
I did send a complaint ticked to BT and they gave me instuctions to down load there firewall and virus scanner but to do what they say means I would have to remove McAfree for Norton and I'm not sure about that.also I don't get the rest of the instuction's they gave me about changing from ethernet to USB
and down loading new drivers for the USB, I still don't know how much damage has been done to the Window files? can anyone give me any idear's on what to do?


#2 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:03:43 PM

Posted 04 February 2007 - 09:48 AM

IMPORTANT NOTE: Backdoor Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums. You should consider all your passwords to be compromised. They should be changed by using a different computer and not the infected one. Do not change passwords or do any transactions while using the infected computer because an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Start up in safe mode and do the same scans. After that:
Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

After that, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method.

Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot. Please post back the results.

Edited by fozzie, 04 February 2007 - 09:49 AM.


#3 Jimjet

Jimjet
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 04 February 2007 - 01:59 PM

Hi, thanks for the info. I did what you said to the letter.
The only things that were red-flagged were stuff for McAfee. When I put these in quarantine the McAfee did not work, and the amount of trouble I went through to get it to work again was unbelievable!
But there was nothing on any of the scans, and the F-scan skipped only 2 files, but as I say nothing else showed. The only thing that is concerning me is that the last attack I had was when I ran the BT help desk, and it makes me wonder about the hub system. I believe it has its own fire and maybe memory. Also one of my internet games (Auto Assault) hasn't worked right since I put on the Hub; I think I had better ask that on the gaming forum!
I also found updates on Windows and this site works a lot quicker,
so do you think there is anything else I should try, or just run the scans when I start?

#4 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:03:43 PM

Posted 04 February 2007 - 06:19 PM

Try the scans in safe mode.

#5 Jimjet

Jimjet
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 05 February 2007 - 12:38 PM

Did that, thanks, and it didn't show anything.
Thank you for the help. :thumbsup:

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,960 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:43 AM

Posted 05 February 2007 - 11:41 PM

A few things here. I have found reading through other threads that Dr. Web Cure-It does falsely identify some of the McAfee files, and it can create other problems. Frankly, Dr. Web Cure-It is a software that I would avoid unless I am specifically advised to use it by someone in the malware team.

What are your computer specs? Brand, model etc.
What brand and model is this hub other than the fact that it is British Telecom? There may be issues of hardware incompatibility or perhaps software incompatibility between the hub and the OS, drives etc. software.
What operating system are you using?

Did you retain the F-Secure log? It is possible that what it flagged were false positives. If you have that log, can you post the results of that log?

Did SUPERAntiSpyware find anything, or was it just the Dr. Web Cure-it?

Orange Blossom :thumbsup:

#7 Jimjet

Jimjet
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 07 February 2007 - 12:31 PM

Hi, the F-Secure scan report was something I did print out when it stated I had a problem, and here are the highlights:
W32/Malware (virus)

C:\PROGRAM FILES\BT HOME HUB\HELP\VENDORS\BTBB\CONTENT\TEMPLATE\DRIVEN_DEV\BROADBANDASST\CPE.EXE
(Deleted & Submitted)

In safe mode it scanned all but 2 files; the other scans were clear.

As for the model of the hub, BT just seem to call it the BT Home Hub, which isn't very helpful I know!
It's also wireless capable but I do not use that.
My system is the Dell XPS 600 (which when it goes wrong is a nightmare to sort out, and they charge you an arm and a leg for help!).
Also, a note of interest: the McAfee stuff had to be completely removed and replaced with Norton because I could not get the thing to download in the right place or work, and the Norton is free at the moment with the BT site (don't know for how long!), but Internet Explorer and the BT site seem to work a lot better through it, and the scans I have been doing seem to be virus free.
The last time I was infected with the virus, the only thing I did differently was to use the BT Help shortcut, which sends you to their Help site that auto-checks the connection and asks you if you want to run a health check on your line etc.
I am talking to BT about that and when I understand the reply I'll post it???!
Otherwise I think my system is clear, thanks!



