[nv87654]

We have recently had a home PC infected (with SMART H.D.D and maybe more). After many, many anti-malware scans with various anti-malware products, registery fixes, etc., we have finally gotten the PC "cleaned" enough to boot into normal mode and appears to be stable so far.

Finally, last night, we uninstalled McAfee and installed our newly purchased Kaspersky Pure 2.0 and ran a Full Scan. The Full Scan found the following threats:

Trojan-Spy.Win32.Carberp.e (from Outlook email ... UPS_Print_label.exe) ... Reason is: Disinfection impossible

Worm.Win32.Mabezat.h (from Outlook email multiple attachments - ...e_231.zip // Gift_Certificate_231.exe // UPX) Reason is: Disinfection impossible

Trojan-Dropper.Win32.Agent.bzst (from Outlook email attachments ... iTunes_certificate_297.zip // iTunes_certificate_297.exe //UPX Reason is: Disinfection impossible


My questions are:

1. What does the Fix button actually try to do?

2. Can we even "Fix" them since Kaspersky gave reason of: Disinfection impossible (is this because they are "packed" or "zipped"?

3. What are these Trojans and the Worm we found and what is the behavior and threat description for these?

4. What is a UPX?

Thanks for your help.

[Advertisements]

Sometimes files get infected but can be cleaned and the original file recovered. That's what Kaspersky means by disinfection. In the case of the files you list they probably can't be disinfected because they are 100% viruses. I doubt that being in a zip is a problem. These appear to be attachments to emails so I expect if you delete the emails that would solve your problem. Probably sent to you by an infected machine so no great loss. I'm no expert on Kaspersky but it should be able to delete them for you.

UPX is a kind of compression (like zip) which is often used by viruses.

If you want to post an OTL log I can check it over for you.
Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
services.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

[RKinner]

Sometimes files get infected but can be cleaned and the original file recovered. That's what Kaspersky means by disinfection. In the case of the files you list they probably can't be disinfected because they are 100% viruses. I doubt that being in a zip is a problem. These appear to be attachments to emails so I expect if you delete the emails that would solve your problem. Probably sent to you by an infected machine so no great loss. I'm no expert on Kaspersky but it should be able to delete them for you.

UPX is a kind of compression (like zip) which is often used by viruses.

If you want to post an OTL log I can check it over for you.
Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
services.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

[nv87654]

Thanks for your response, RKinner. It was good information you gave. I appreciate it very much.

We are still a bit unclear about whether or not we should configure Kaspersky to unpack Packed files during the scan and if that is generally safe for the tool to unpack Packed files. Does that mean that the tool will unzip the bundle, scan the files, and then zip it back to its original form? Is it quarantined during the cleaning process?

Also, a couple of Kaspersky forum responses instructed us to delete these emails manually (via Outlook) and NOT use the Kaspersky tool to delete them. They seemed to be saying that sometimes the tool could possibly delete more than you would want to be deleted (???).

I will get back with you about the OTL logs. Thanks.

[RKinner]

I have very little experience with Kaspersky so the forum people may know more. Deleting the files manually should be safe enough and shouldn't be too hard if Kaspersky gives you enough info to identify them. Remember that Outlook will not really delete them. It will just move them to the trash folder. You will need to empty the Outlook trash folder to get rid of them completely.

I don't expect it will hurt to allow Kaspersky to check packed files. I suspect the main objection would be that it might take a lot longer to do. Couldn't tell you exactly how it goes about looking at packed files.

[nv87654]

Thanks for the advice Rkinner. I appreciate it.