Please help me!!

Hello everybody, anybody please help me with my problem: I have problems with a virus that creates exe files named noda32.exe, drweb32.exe, usecure32.exe, and also creates an autorun.inf file that executes and generates these exe files. My Avast 5.0 doesn't detect anything, but I know about those files because I see them in the Linux OS and erase these files from the Linux system. Thank you for your help…

Hi, try this first, and if you continue to have problems, let me know.

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Ok, thank you so much for your help, I will try your advice. Do you know what kind of virus it is? It also generates a webguard32.exe file. The virus name is supposedly S3[1].EXE Cloaked Malware, according to the following page:

http://www.prevx.com/filenames/190285492820155185-X1/S3[1].EXE.html

Is that correct? Is it fake information?

Thanks…

Hi Edy,

Based on : http://www.prevx.com/filenames/776547172199560090-X1/OTTO4[1].EXE.html

The unsafe files using this name are associated with the malware group:

* Cloaked Malware

I think it’s true that it is Cloaked Malware.

Just follow what essexboy has guided you to do.

Could you post the MBAM log, please?

Thanks for your help, MBAM is a very good tool for my problem. Now, this is the content of the autorun.inf file that executes in the Windows OS…

ë?e??ØC!?év@h?L???õ?Xv??Cs??<?ùÊI?àÒ??msO??tæLO???ç<wÝ?à??àÆx?<h{l?BØ???LÒÍbOxÝ?$?v

[autorun

;NY???àtÇ???xy%?`íÇ?Árñ#ö?ÍeMía<???AB?Ce?Í?ò??.wìë???:.

open=antivira/antivira32.exe

;NY???àtÇ???xy%?`íÇ?Árñ#ö?ÍeMía<???AB?Ce?Í?ò??.wìë???:.

icon=SHELL32.dll,4

;NY???àtÇ???xy%?`íÇ?Árñ#ö?ÍeMía<???AB?Ce?Í?ò??.wìë???:.

usEautoplay=1

;NY???àtÇ???xy%?`íÇ?Árñ#ö?ÍeMía<???AB?Ce?Í?ò??.wìë???:.

action=Open folder to view files using Windows Explorer

;NY???àtÇ???xy%?`íÇ?Árñ#ö?ÍeMía<???AB?Ce?Í?ò??.wìë???:.

shell\\\open\\\command=.\antivira/antivira32.exe

;NY???àtÇ???xy%?`íÇ?Árñ#ö?ÍeMía<???AB?Ce?Í?ò??.wìë???:.

shell\\explore\\command=antivira/antivira32.exe

;NY???àtÇ???xy%?`íÇ?Árñ#ö?ÍeMía<???AB?Ce?Í?ò??.wìë???:.

This file's content changes, and it generates files with the names of the exe files of some antivirus software. Sometimes it generates drweb32, noda32, usecure32, etc.

Here is the log file of one of the infected computers. I have to remove them manually; MBAM doesn't execute anything to remove or eliminate these files.

Malwarebytes’ Anti-Malware 1.44
Versión de la Base de Datos: 3838
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/03/2010 01:25:18 p.m.
AVc

Tipo de examen : Examen Completo (C:|)
Objetos examinados: 184619
Tiempo transcurrido: 1 hour(s), 26 minute(s), 10 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 1
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 13

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) → No action taken.

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\Documents and Settings\Carmen Alvarado\Configuración local\Temp\053.exe (Backdoor.Tofsee) → No action taken.
C:\Documents and Settings\Carmen Alvarado\Configuración local\Temp\106.exe (Trojan.Inject) → No action taken.
C:\Documents and Settings\Carmen Alvarado\Configuración local\Temp\168.exe (Trojan.Inject) → No action taken.
C:\Documents and Settings\Carmen Alvarado\Configuración local\Temp\768.exe (Trojan.Inject) → No action taken.
C:\Documents and Settings\Carmen Alvarado\Configuración local\Temp\792.exe (Backdoor.Tofsee) → No action taken.
C:\Documents and Settings\Carmen Alvarado\Configuración local\Temp\961.exe (Backdoor.Tofsee) → No action taken.
C:\Documents and Settings\Carmen Alvarado\Configuración local\Temp\968.exe (Trojan.Inject) → No action taken.
C:\RECYCLER\S-1-5-21-6291803670-5875355504-665003095-8540\MsMxEng.exe (Trojan.Inject) → No action taken.
C:\System Volume Information_restore{E13A5326-BB59-4A38-8118-7A6A9DD01300}\RP59\A0004897.exe (Malware.packer) → No action taken.
C:\System Volume Information_restore{E13A5326-BB59-4A38-8118-7A6A9DD01300}\RP77\A0008633.exe (Backdoor.Tofsee) → No action taken.
C:\System Volume Information_restore{E13A5326-BB59-4A38-8118-7A6A9DD01300}\RP82\A0012333.exe (Trojan.Inject) → No action taken.
C:\System Volume Information_restore{E13A5326-BB59-4A38-8118-7A6A9DD01300}\RP84\A0012516.exe (Trojan.Inject) → No action taken.
C:\System Volume Information_restore{E13A5326-BB59-4A38-8118-7A6A9DD01300}\RP87\A0012819.exe (Trojan.Inject) → No action taken.
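
Added example, not part of the original thread: the autorun.inf posted above hides its real directives between lines of junk bytes, so this Python sketch recovers the effective directives and lists the programs the file would launch. The function names are hypothetical, and the sample is constructed from the directives in the post with constructed padding bytes in place of the original junk.

```python
import re

# Keys that make Windows launch a program from the drive root.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
RUNNABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.I)

def parse_autorun(raw: bytes):
    """Return (key, value) pairs, skipping junk padding and comments."""
    pairs = []
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Lower-case the key and collapse the repeated backslashes.
        key = re.sub(r"\\+", r"\\", key.strip().lower())
        if re.fullmatch(r"[a-z\\]+", key):  # junk bytes rarely form a clean key
            pairs.append((key, value.strip()))
    return pairs

def launch_targets(raw: bytes):
    """Programs the file would start, normalised to forward slashes."""
    targets = set()
    for key, value in parse_autorun(raw):
        if LAUNCH_KEY.match(key) and RUNNABLE.search(value):
            path = value.replace("\\", "/")
            targets.add(re.sub(r"^\./", "", path).lower())
    return sorted(targets)

# Constructed sample: directives from the post, padding bytes invented here.
JUNK = b";" + bytes(range(0xC0, 0xF0))
SAMPLE = b"\r\n".join([
    b"\xeb?e=\xd8C!?",          # junk line that happens to contain '='
    b"[autorun", JUNK,
    b"open=antivira/antivira32.exe", JUNK,
    b"icon=SHELL32.dll,4", JUNK,
    b"usEautoplay=1", JUNK,
    b"action=Open folder to view files using Windows Explorer", JUNK,
    rb"shell\\\open\\\command=.\antivira/antivira32.exe", JUNK,
    rb"shell\\explore\\command=antivira/antivira32.exe", JUNK,
])

if __name__ == "__main__":
    for key, value in parse_autorun(SAMPLE):
        print(f"{key} = {value}")
    print("launches:", launch_targets(SAMPLE))
```

Every launch key in the sample resolves to the same executable, which is the file to look for on the drive from a non-Windows system before the drive is opened in Explorer.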

If you haven’t already done so - Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.