[Resolved] darica.exe

Help, I think my system is infected by a virus. Whenever I insert my USB disk, an autorun.inf and a BUBAMARA folder with a darica.exe file in it are created. I get the error “Cannot delete: it is being used by another person or program” when I try deleting those files from the USB.

Is this a virus? I was using SOPHOS and now I installed Avast free. I already tried a full console scan using SOPHOS but it was unable to detect a virus. Now with Avast, I haven’t tried using the boot-time scan yet, but I tried scanning the USB disk and it didn’t detect a virus.

I’ve googled about this and this is the closest info I could find, and it is in Spanish… I think…
http://www.forospyware.com/t338042.html

Welcome to the forum, and I’m sorry to hear about your trouble. First I need some additional information about your system.

  • What is your OS, (32 or 64-bit)?
  • What security software do you currently have and previously had on your machine, including AV and FW?
  • Are you current with your MS (if you have Windows) and software updates?
  • What version of Avast did you install? 5.0.594 is the latest version.
  • Are your Avast definitions up to date?
  • Did you uninstall Sophos per the vendor’s uninstaller or some other way PRIOR to installing Avast?
  1. Was this a new USB stick or one you had used before?
  2. Was it used on another machine or only this one?

Information about my system:

  • Windows XP Professional SP3 32-bit
  • Previous Security Software: SOPHOS
    Current Security Software: Avast! Free Antivirus 5.0, Windows Defender and Windows Firewall
  • I am not that current with Windows Update;
    I can’t download or install this update:
    Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86
  • I have the latest version of Avast installed
  • Avast Definition is up to date
  • Uninstalled Sophos through these removal instructions: http://www.sophos.com/support/knowledgebase/article/11019.html
  1. Was this a new USB stick or one you had used before?
    One that I used before.
  2. Was it used on another machine or only this one?
    It was used on another machine. And I think I got this problem through the usb stick.

More info: The BUBAMARA folder and Darica.exe file are hidden with SHR attributes.
Thanks… :slight_smile:

Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts – Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.

Thanks Safesurf, I’ll try Malwarebytes and I’ll inform you about the result.

After running MBAM and posting the results, then update your Avast definitions and do an Avast Boot-time scan and report the results as well. Thank you.

Here is the entire report of the MBAM Full Scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4451

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/20/2010 4:26:26 PM
mbam-log-2010-08-20 (16-26-26).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 281253
Time elapsed: 1 hour(s), 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\kmalate\Application Data\mmmpc.exe (Heuristics.Shuriken) -> No action taken.
C:\Documents and Settings\kmalate.MEDICARDPHILS\Application Data\mmmpc.exe (Heuristics.Shuriken) -> No action taken.

The infected files are now Quarantined. I’ll do the Avast Boot-time scan next, but I might not be able to finish that today. The infected machine is an office machine and we don’t have work this weekend.
I might just post the report after a couple of days.

Thank you very much for your help SafeSurf… :slight_smile:

kmalate wrote:
Files Infected:
C:\Documents and Settings\kmalate\Application Data\mmmpc.exe (Heuristics.Shuriken) -> No action taken.
C:\Documents and Settings\kmalate.MEDICARDPHILS\Application Data\mmmpc.exe (Heuristics.Shuriken) -> No action taken.

kmalate, it appears from the MBAM log that the infected files were not moved to quarantine; it states “no action taken.” Can you open MBAM > look at the Quarantine tab and see if anything is in there, to verify whether the infected items are there or not? You should also have a copy of this log sitting in the MBAM Log (5th tab from left). Also make sure, under Scanner Settings, that all boxes are checked off. If the infected items are not in quarantine, please update MBAM again, check your settings, and run the full scan to put them in quarantine. Reboot.

After this, you can update your Avast definitions (if it wasn’t done already) and run a Boot-time scan. Let me know how this goes for you. Enjoy your weekend. Thank you.

Hi forum friends,

A proposed cleansing routine can be found here: http://www.forospyware.com/t338042.html (at least the first and second step proposed there; then an avast full scan or log-on scan could follow)

polonus

Thank you Polonus for posting the cleansing link. :wink:

I still need to verify information from the OP in my previous post regarding his/her MBAM scan.

Here is the information on CCleaner: http://www.piriform.com/ccleaner is a freeware system optimization, privacy and cleaning tool. There is a Slim version available as well at http://www.piriform.com/ccleaner/builds. It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner. Remember when installing to uncheck the Yahoo toolbar.

Download Flash Disinfector by sUBs from http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/ and save it to your desktop.
· Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
· The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
· Wait until it has finished scanning and then exit the program.
· Reboot your computer when done.
Note: Flash Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you run it. Don’t delete this folder; it will help protect your drives from future infection.

There is also another USB Flash Disinfection tool available that vaccinates the USB, and can also vaccinate the computer (if you choose): Panda USB Vaccine - Antimalware and Vaccine for USB devices, which is available free here…
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
for on-demand or resident.

Again, after using any of these tools, you should follow up by updating your Avast definitions, and run a FULL Avast scan as posted above. Thank you.

@ kmalate, Please let me know about your MBAM scan (the first step). Thank you.
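The vaccination trick described above works because Windows cannot create an autorun.inf file where a folder of that name already exists, and the OP's symptom (a hidden SHR folder plus an executable named in autorun.inf) is what a drive-root check should look for. The following audit script is an added example, not one of the tools linked in this thread; the drive contents it builds under `demo()` are constructed sample data, and the hidden/system attribute check only has an effect on Windows.

```python
import os
import stat
import tempfile
from pathlib import Path

# [autorun] keys that can launch a program on insertion or double-click (Windows XP-era behaviour).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM; the constants exist only on Windows builds of Python.
HIDDEN_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 4)

def parse_autorun(text):
    """Return the launch-relevant key/value pairs of the [autorun] section, ignoring junk lines."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in LAUNCH_KEYS or key.startswith("shell\\"):
                found[key] = value.strip()
    return found

def is_hidden_system(path):
    """True when the file carries the Hidden or System attribute (Windows only; False elsewhere)."""
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & HIDDEN_SYSTEM)

def audit_drive_root(root):
    """Classify a drive root as 'vaccinated', 'suspicious' or 'clean' and record the evidence."""
    root = Path(root)
    report = {"autorun": None, "launch": {}, "hidden_executables": [], "verdict": "clean"}
    autorun = root / "autorun.inf"
    if autorun.is_dir():  # a folder of that name blocks malware from dropping an autorun.inf file
        report["autorun"], report["verdict"] = "directory", "vaccinated"
    elif autorun.is_file():
        report["autorun"] = "file"
        report["launch"] = parse_autorun(autorun.read_text(errors="replace"))
        if report["launch"]:
            report["verdict"] = "suspicious"
    for exe in root.rglob("*.exe"):  # hidden+system executables are the other half of the pattern
        if is_hidden_system(exe):
            report["hidden_executables"].append(str(exe.relative_to(root)))
            report["verdict"] = "suspicious"
    return report

def demo():
    """Build two constructed drive roots (infected-looking and vaccinated) and audit both."""
    base = Path(tempfile.mkdtemp())
    infected, vaccinated = base / "infected", base / "vaccinated"
    (infected / "BUBAMARA").mkdir(parents=True)
    (infected / "BUBAMARA" / "darica.exe").write_bytes(b"MZ constructed placeholder, not real malware")
    (infected / "autorun.inf").write_text("[AutoRun]\nopen=BUBAMARA\\darica.exe\n;junk\nshellexecute=BUBAMARA\\darica.exe\n")
    (vaccinated / "autorun.inf").mkdir(parents=True)
    return audit_drive_root(infected), audit_drive_root(vaccinated)
```

Run `audit_drive_root("E:\\")` against a real removable drive to get the same report; a `vaccinated` verdict means the protective folder is in place and should be left alone.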

Hi everyone…
SafeSurf, I looked at the Quarantine tab and there are two items in it, Vendor = Heuristics.Shuriken. I remember that I quarantined the infected files after the MBAM scan. There are no items in the Log Tab; maybe I missed some settings during the scan, but I have a copy of the log on my desktop.

Here is the result of the Avast Boot-Time Scan:

http://img823.imageshack.us/img823/8706/scanresult.jpg

I can’t repair two infected files.

The virus has been deleted and is gone forever, so there is no need to panic; maybe the virus was deleted by another program or by you.

You can recheck with MBAM if you want. Just make sure you update first, then run a Quick scan. Check your Quarantine tab to see if anything is there, and leave anything that is there sitting there.

The next step is running CCleaner. Have you downloaded and run this yet? See my previous post. Keep this tool as this is a very helpful tool that many of us use regularly.

After this, you need to download and run one of the Flash Disinfectors/USB Vaccine (see my previous post).

Let me know how you do.

No Bubamara folder with darica.exe is created anymore on my usb stick. :smiley:

Thank you for the new free security tools. I now have MBAM, Panda USB Vaccine, CCleaner and Avast antivirus installed. I already finished running all these tools; I am even using Avast! Antivirus as a screen saver. :slight_smile:

So everything is fixed and working properly? I’m so glad. :slight_smile:

If you feel that your issue is now resolved/fixed, please go back to the open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.

Thank you for allowing me to assist you. Please feel free to come back any time you need help, or to browse and learn. We are here 24/7. Thank you again. :slight_smile:

Yes, everything is now fixed and working properly… Thank you very much. ;D
I will now modify this post’s title/subject.

new variants of such crap (formerly MalOb-AI and something caught proactively as SuspBehav) are detected as MalOb-BZ now… you can update your VPS and check the roots of your drives for some remnants of this nasty…

By what? Behavior Shield?

no, SuspBehav is a “regular” heur detection