8 Replies. Latest reply on Sep 16, 2009 6:07 AM by paullotion

    My PC got infected by an unknown virus

      Hi,

      I found my PC had been infected with a virus/trojan that spreads via autorun.inf.

      When my PC is infected, whenever a USB memory stick or an external hard drive is plugged into this PC, I'd later see two hidden files "autorun.inf" & "ntlog.dll" stored in it when I use it again on another computer with updated McAfee antivirus software.

      McAfee antivirus reports the detected "ntlog.dll" file is a trojan named "Generic.dx!eh".

      Upon each detection of this virus, McAfee doesn't remove the "autorun.inf" file from the external device, but it deletes the "ntlog.dll" file, and the icon of this external device which carried this virus cannot be double-clicked to open in the "My Computer" window.

      Another thing which looks suspicious is that the Windows registry has been changed after scanning my PC with anti-spyware software. But it didn't specifically list out any spyware detected.

      Antivirus software on the PCs:

      The PC infected by the virus - McAfee version 8.0 [DAT created on 2nd June 2009]

      The PC that reported the virus - McAfee version 8.5i [DAT created on 25th August 2009]

      I have submitted samples of these infected files to Avert Labs for analysis, but their reply is just that the ntlog.dll is an infected file and the autorun.inf is sent for further investigation.

      And that doesn't actually tell me more than their antivirus product.

      Can anyone please tell me if you also have experienced the same problem with this so-called "Generic.dx!eh" and suggest something I can do to remove it from the currently infected PC?

      More importantly, I also wish to know if there is a way to find out how and when my PC got infected, and what this virus can actually do to my PC, e.g. can it download further new viruses/malware onto my PC?

      Anyone's reply would be appreciated! Thanks.
      Regards,
        • 1. RE: My PC got infected by an unknown virus
          Peacekeeper
          Firstly, the info on the found virus is shown here:
          http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=150814

          Check and see if the changes mentioned were made.

          You should hear from Avert soon re whether the other one is infected.

          See if someone more experienced in virus removal can help further.

          BTW, your choice of a name might be vetoed; it could be confusing to other users. Will pass this up the line, sorry.
          • 2. RE: My PC got infected by an unknown virus
            Vinod R
            Download
            http://ad13.geekstogo.com/RootRepeal.zip

            Extract the file and then run the .exe file.

            Click on the Reports tab, ensure that all options are checked, and then allow it to do a full scan.

            Once done, copy the contents of the log that gets created and paste it to

            www.pastebay.com and post the link here.


            Note: if the scan does not complete in normal mode, try it in Safe Mode.
            • 3. RE: My PC got infected by an unknown virus
              Peter M
              That one machine on VSE 8.0 should be upgraded to at least 8.5i, but any questions regarding VSE should go in Corporate/Desktop & Server, as we have no knowledge here.
              • 4. RE: My PC got infected by an unknown virus


                Thanks for your help vinod_r2! I have downloaded it and run the scans today. The first download using Internet Explorer was not successful; it showed that the page corresponding to this link cannot be directed. Firefox allowed me to download it.

                Please note that, in the "Settings" menu, I ticked the check boxes of some options which are not selected by default. The details of these settings are pasted below, and the options which I checked before running the scans are labelled with the word "checked" here.

                Settings

                General:
                Disk Access Level-High

                Only show suspicious objects in report-checked
                Enable advanced options-checked

                Drivers:
                Handle built-in Windows objects-checked
                Verify digital signatures (experimental)-checked

                Files:
                Exclude pagefile-checked
                Check for file size differences-checked
                Exclude common file types-checked
                Use lowest level for MBR check.-checked

                Processes:
                Check for locked processes-checked

                Ssdt & Shadow Ssdt:
                Check for hooked SYSENTER/INT 2E (SSDT page)-checked
                Only display hooked functions.-unchecked

                Stealth Objects:
                Exclude .NET modules-checked
                Exclude Microsoft signed modules-checked

                Before the first scan, I clicked the "Report" tab as you said in your message above, but the dialogue with options of what to scan for didn't pop up. It only popped up a dialogue of which drives of my PC to scan, which in my case are only the C and D drives.

                I therefore ran the scans separately by clicking the different tabs one by one, and when I came to "Report" again, the dialogue with options of what to scan popped up this time. Then I checked all boxes in that dialogue and ran a full scan there.

                Here are links to the scan logs:

                RootRepeal_report_09-13-09_(13-00-22).txt
                http://pastebay.com/53850

                RootRepeal-v1.3.5.0-Scan_Drivers.txt
                http://pastebay.com/53851

                RootRepeal-v1.3.5.0-Scan_Files.txt
                http://pastebay.com/53853

                RootRepeal-v1.3.5.0-Scan_Processes.txt
                http://pastebay.com/53854

                RootRepeal-v1.3.5.0-Scan_Stealth_Objects.txt
                http://pastebay.com/53856

                RootRepeal-v1.3.5.0-Scan_SSDT.txt
                http://pastebay.com/53857

                RootRepeal-v1.3.5.0-Scan_Shadow_SSDT.txt
                http://pastebay.com/53858

                Please let me know if you think I should uncheck/check some of the options in the current "Settings"; I'll change it and run the scan again.
                • 5. RE: My PC got infected by an unknown virus
                  Peter M
                  Hi, sorry to butt in. I have altered your User Name to Averter as the one you had before is the trade name of our Threat Center.
                  I believe the Forum Administrator emailed you about it. If the one I chose isn't suitable say so and I'll alter it again.
                  • 6. RE: My PC got infected by an unknown virus


                    The username is ok, but do you have any ideas what's going on inside my PC from the scan logs I posted out earlier?
                    • 7. RE: My PC got infected by an unknown virus
                      Peacekeeper
                      As vinod_r2 asked, better get him to return. Will chase him up.
                      • 8. RE: My PC got infected by an unknown virus
                        Hello

                        Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

                        Please insert your flash drive before we begin!

                        Download Flash_Disinfector by sUBs and save it to your desktop.

                        * Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
                        * The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
                        * Wait until it has finished scanning and then exit the program.
                        * Reboot your computer when done.

                        Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that is plugged in when you run it. Don't delete this folder... it will help protect your drives from future infection.
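The two points in the reply above (how an autorun.inf on a removable drive causes a file next to it to run on insertion, and why occupying the name autorun.inf with a folder blocks that) can be checked on a drive root with a small script. The following is an added example written for this thread; it is not part of the original posts and is not code from sUBs or Flash_Disinfector. It assumes you pass the drive root as a path (e.g. `E:\`), the sample autorun.inf text is constructed for illustration, and `payload.exe` is a placeholder name for whatever file the directives point at. It audits the root for execution directives and their targets, and applies the protective-folder mitigation the reply describes.

```python
import os
import re
import stat
import subprocess
import tempfile
from pathlib import Path

# autorun.inf directives that make Windows launch something on insertion,
# the mechanism the reply above describes.
EXEC_DIRECTIVE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)

# Constructed sample (not a real capture); payload.exe is a placeholder name.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "; padding lines like this are common in infected files; ignore them\n"
    "label=Removable Disk\n"
    "OPEN=payload.exe\n"
    "shellexecute=payload.exe\n"
    "shell\\open\\command=payload.exe\n"
)


def parse_autorun(text: str) -> dict:
    """Return {directive: target} for each execution directive in an
    autorun.inf body. Line-by-line on purpose: strict INI parsing would
    choke on the junk that infected autorun.inf files often carry."""
    found = {}
    for line in text.splitlines():
        m = EXEC_DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; os.stat only exposes it on Windows."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & HIDDEN)


def audit_drive_root(root) -> dict:
    """Look for the thread's pattern: an autorun.inf whose execution
    directives point at a file sitting beside it on the drive."""
    root = Path(root)
    inf = root / "autorun.inf"
    report = {"autorun_present": inf.is_file(), "autorun_hidden": False,
              "executes_on_insert": False, "targets": {}}
    if not inf.is_file():
        return report
    report["autorun_hidden"] = is_hidden(inf)
    for key, target in parse_autorun(inf.read_text(errors="replace")).items():
        tokens = target.split()
        exe = tokens[0].strip('"') if tokens else ""  # first token is the program
        candidate = root / exe
        report["targets"][key] = {"target": target,
                                  "exists": candidate.is_file(),
                                  "hidden": candidate.is_file() and is_hidden(candidate)}
        report["executes_on_insert"] = True
    return report


def protect_drive_root(root) -> bool:
    """Mitigation the reply attributes to Flash_Disinfector: occupy the name
    autorun.inf with a folder so a file of that name cannot be dropped.
    Returns True when the folder is in place; False if a file already holds
    the name (examine that file rather than overwriting it)."""
    target = Path(root) / "autorun.inf"
    if target.exists():
        return target.is_dir()
    target.mkdir()
    if os.name == "nt":
        # Hidden/read-only/system, as the reply describes; attrib is a standard Windows tool.
        subprocess.run(["attrib", "+h", "+r", "+s", str(target)], check=False)
    return True


def autorun_file_blocked(root) -> bool:
    """True if a file named autorun.inf can no longer be created at root."""
    p = Path(root) / "autorun.inf"
    if p.is_file():
        return False
    try:
        with open(p, "x"):
            pass
    except OSError:
        return True
    p.unlink()
    return False


def demo() -> dict:
    """Exercise both halves on constructed drive roots in temporary folders."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "autorun.inf").write_text(SAMPLE_AUTORUN)
        Path(d, "payload.exe").write_bytes(b"MZ")  # constructed stand-in, not malware
        out["audit"] = audit_drive_root(d)
    with tempfile.TemporaryDirectory() as d:
        out["protected"] = protect_drive_root(d)
        out["blocked"] = autorun_file_blocked(d)
    return out


if __name__ == "__main__":
    print(demo())
```

On a real drive, run `audit_drive_root("E:\\")` first and only call `protect_drive_root` once any existing autorun.inf file has been examined; the protective folder is a bypassable speed bump, and disabling AutoRun/AutoPlay through policy remains the stronger control.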