Replicating worm/malware? Help!

system · January 23, 2011, 12:24am

Hi guys.

I’ve got this strange bug coming up in my avast scans. It says it reached the end of the file.

I located the files and deleted them and the entire folder they were in *my pc didnt need it anyway It also said something about the file type was a File Creator? or something like that.

I re-boot, scan again, and it’s back, with a new name, in ALL CAPS, even the .exe.

It has |>[emul]>|sfx_manifest_ at the end of .exe

It’s located in my C: folder, and this time I cant find the folder the scan says it’s in.

Is there a way to force the file into the vault? Do any of you know about this?

OH, I also discovered my email sent a link to all of my contacts, including my alt email.

I checked it, and it was some suspicious URL like internet38.co.cc

Pondus · January 23, 2011, 12:29am

Try this and see if it find and remove anything

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
always update the program so you have lates database before you scan
click the remove selected button to quarantine any infections found
you may post the scan log here

system · January 23, 2011, 12:30am

I have malwarebytes, and it didnt detect anything.

Should I run a startup scan?

Pondus · January 23, 2011, 12:40am

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here and not in the guide)

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt.)

system · January 23, 2011, 1:12am

Here you go.

Pondus · January 23, 2011, 1:22am

Essexboy is notified, he is in bed now so check back later

system · January 23, 2011, 3:38am

Thanks.

Do any of you have an idea of what caused my email to send links to my contacts? What type of infection is that?

Pondus · January 23, 2011, 10:01am

do you use webmail or a mail client ?

if you use webmail i guess the only thing you can do is change your password and contact
your mail supplier

If you use a mail client do download the mail to your comp it can be malware, if so Essexboy will find it

How do Spammers get my Email Address?
http://www.newcreations.net/webmaster/spam.html

Why am I getting spam from myself?
http://ask-leo.com/why_am_i_getting_spam_from_myself.html

essexboy · January 23, 2011, 12:20pm

It is an emulator of some sort - but OTL does not show it so we will look a bit deeper

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

system · January 23, 2011, 6:02pm

here ya go.

essexboy · January 23, 2011, 8:48pm

Could you post the full path and name of the file as Combofix cannot see it either

system · January 23, 2011, 9:53pm

Okey doke.

C:\System Volume Information_restore[20523164-F7F0-4C1C-9FDA-94189E543E47}\RP334|A0150691.EXE|>[emul]>|sfx_manifest_

and

C:\System Volume Information_restore[20523164-F7F0-4C1C-9FDA-94189E543E47}\RP334|A0150692.EXE|>[emul]>|sfx_manifest_

Trouble is, I can’t find these files in my C: folder. There is no folder named “System Volume Information”.

Is there any way this is related to my email sending spam to my contacts?

essexboy · January 23, 2011, 11:04pm

AH OK they are in system restore so lets clear them

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

system · January 24, 2011, 12:12am

Alright. I did it.

I’m gonna scan again to check. Do you want the log? I attached it.

Hmm… before, there were two files like the ones I posted, but they ha different names and were in my WORKS files in C:. MSWORKS that is.

I deleted them with the System Mechanic Incinerator but they came back on restart, as the ones we just took care of. They should be gone now because of the OTL, right?

system · January 24, 2011, 3:37am

It worked! It’s gone! Thank you so much!

essexboy · January 24, 2011, 6:30pm

What problems now ?

Replicating worm/malware? Help!

Announcements