Do I have Malware?

I was recently using a tool called swissknife to format an external hard drive to FAT32 and accidentally quick-formatted another external hard drive with all my photos and other stuff on it.

In a panic to recover the files, I could find no easily explained way of undoing the quick format (I had exited the swissknife program, so undoing was not an option). I got hold of a program called EaseUS Partition Recovery or something through a friend of a friend.

I would normally stay away from files that I am unaware of, but I was worried about losing my folder of photos of my children, and so morality came second to sensibility.

I installed the program and ran it. It took a long time to scan for the deleted files, but about 10 minutes into the scan a black window (DOS style) popped up with a white underscore (cursor) flickering randomly around the window. I assumed this was just a window to show that it was running.

The window had at the top C:\documents\..blahdyblah\Temp\setup1j.exe < the blahdy blah is just because I can't remember the file path exactly, but I am definitely sure of it being in Temp and called setup1j.exe.

I blocked the program from accessing the internet and left it to run.

It found all my files and I did recover them with minor faults in just the odd file and foldernames.

Because the photographs were now safe, I was still wondering about the black window, which still hadn't done anything except the randomization of the white underscore.

I took a chance and closed it. It crashed and closed, but the EaseUS program still ran normally (recovering less important files).

 

I decided to look further. A Google search of "setup1j.exe" showed only a couple of results: one is foreign and the other is a site promoting malware removal; it showed a list of malware names and 'setup1j.exe' was in the list.

 

A Norton quick scan showed nothing, a scan of the program installer showed nothing, a scan of my entire Documents and Settings showed nothing, and a scan of the EaseUS folder showed up clean too.

 

Yes, I am an idiot for risking installing a program given to me by someone I hardly know, and yes, I'm an idiot for letting it run for around 30 hours or so to scan and restore.

I was in a panic, and if I lost the pictures of the kids I would never be able to forgive myself, so running a program that might be dodgy and may even land me in trouble was an easy choice, and I got my photos back.

However, was the window something to worry about, or did I just have something running that NIS2009 didn't detect?

 

PS: I have wisely now ordered the program legitimately, and rightly so; apart from the apparent malware in the file I was given, it did do its job.

 

PPS: Yes, again, I was an idiot, lesson learnt.

Hi, imprimis,

 

Is the pop-up still there?  If so, could you Post us a Screen Shot please.

 

Did you Run Norton LiveUpdate and then do a Full System Scan with Norton 2009 in Safe Mode, Dis-Connected from the Internet, which should be followed up by a second Full System Scan in Safe Mode?  If not, please do this.  Also, is there anything in your Norton Product's History?

 

How is your computer Running now?  And how was it Running before Running that Program?  What is your O.S. and S.P., e.g. Windows X.P., Service Pack 03?

 

Please let us know how you get on.

 

 

How to Post a Screen Shot to the Forums: http://community.norton.com/norton/board/message?board.id=forum_feedback&thread.id=1366.

 

How to Start Your Computer in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam.

 

 

 

[Edit: Added More Information]

 

Message Edited by Floating_Red on 04-25-2009 09:47 AM

Having never used this program before, it is hard to tell you if that was a legitimate function or not.  Copies of copies of copied programs have these kinds of things, if you know what I mean.  To ease your mind, do the following:

 

Download MalwareBytes AntiMalware from this link.  Get the free version, as this will not interfere with Norton. 

Install MBAM and update the definitions (click on the update tab). 

Update Norton by running live update until it says there are no more updates.

Boot into safe mode (tap F8 key during power up of system until Advance Options menu comes up and select Safe Mode).

Run MBAM and have it fix / delete what it finds if anything.  Follow the directions to clean any malware it might detect.

 

Reboot normally and run a full scan with Norton.

 

If both come up clean, you are good to go.

imprimis:-,

I don't know if you have any Malware or not, but it's best to be sure...

If you don't already have it, download Malwarebytes


http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

and also SuperAntiSpyware

http://www.superantispyware.com/download.html

Download the FREE versions.

I would run live update and fully update your NIS program,  reboot in safe mode and run a full scan.

Then  reboot  to normal mode and  get the latest update for Malwarebytes, followed by a reboot to safe mode and full scan using Malwarebytes.

Then finally a reboot to normal mode and getting the latest updates for SuperAntiSpyware followed by another reboot to safe mode with a full scan by SuperAntiSpyware.

 

 

 

 

Hang on a moment, people.  We don't even know what O.S. this User has and the User has not Confirmed yet if they have Completed a Full System Scan.  My Instructions may work just with Scanning with Norton.  And we don't even know how the User's computer is Running or if the pop-up is still there.

 

Thanks for the tips guys I just want to clear a few things up before anything first.

 

My PC was running fine before I installed EaseUS, and it is seemingly running fine, albeit with a slight lag due to the program running.

I still have files I want to restore, but I guess I can let these go into the abyss if I really have to; it's more the convenience of not having to reinstall around 300 GB of games.

 

Before, during and after this black screen (which I closed, and it just crashed on itself when doing so), it hasn't appeared to have done anything. It hasn't added anything to my startup programs, I don't have any pop-ups, redirects or anything I can see, and the Task Manager looks normal. The only addition is Navw32.exe running, but that ties in with EaseUS Data Recovery Wizard being open; it isn't currently transferring, it is just open showing the files that were lost in the quick format/partition. I just have a scan running with Norton on the external drive I am copying my recovered files to, but 141,000+ files in it hasn't found anything.

 

I am running WindowsXP SP3 and NIS2009

 

I already downloaded a free trial version of malwarebytes from the official site but have yet to install it.

I was worried it would clash or ask me to restart my pc, and I was kind of hoping to recover a few more files before taking action but again this isnt a worry as they are only installed games.

 

I would run one of those HijackThis logs I often see, but I am a little worried it would have personal information within it, especially things like my Windows key or Norton key or something.

 

My steps to take were to recover more files, which are games that take hours to install with all the updates, patches and add-ons.

Once happy that I had what I wanted and could lose the rest, to close EaseUS.

However I am skipping this step and will lose the lot, so I will just have to reinstall all my games over time (no biggie, just time consuming).

 

Run a full system scan (which may take a while, seeing as I have around 1 and a half TB of files; yes, I need a clean out).

Then install malwarebytes and run that.

THEN restart into safe mode providing the previous scans came up clean.

Then rescan my C:/windows folder.

All the while looking for oddities like lag or anything else that doesn't sit right.

 

The reason for waiting to restart is that I am a little worried in case something is waiting for a restart before activating, hence scanning first.

 

This is why I came here first. I am one to panic and try to counter things before they happen (except when it came to my photos).

 

Problems first arose because Windows wouldn't let me format into FAT32; I need it as FAT32 so I can plug it into other media-reading hardware.

 

Please note that it has been a couple of days (don't ask how long exactly, I am on some pretty strong meds) and I haven't noticed anything odd: nothing has tried to access the net, no pop-ups, redirects, etc., just the slowdown whilst the program was running.

 

Now I have closed EaseUS, and the only thing running is Firefox (obviously), and I am still scanning the drive that I copied to (now 180,000+ files and still clean).

 

Is it normal for explorer to be running at around 40-50 at this point whilst a scan is running?

 

If the above image doesn't show: http://img13.imageshack.us/img13/7044/taskmg.jpg

 

Message Edited by imprimis on 04-25-2009 02:25 AM

Who is User Imp?

 

Just be sure that, whenever Running Anti-Virus Scans, make sure you Update the Product(s) and are Dis-Connected from the Internet.  Please feel free to do a Full System Scan in in Normal and then in Safe Mode, just as long as you do one in Normal and Safe Mode. 

 

The explorer could be caused by Programs using this or something on the Web Page or Malware using Explorer.

 

Also, if anything suspicious pops up, you can Close it by alt and F4, because just Clicking the "X" or "Cancel" in the window, you may still become Infected.  Is the little black box still appearing?

 

 

[Edit: Added More Information]

 

Message Edited by Floating_Red on 04-25-2009 10:49 AM

Please be advised that you do not need to Buy Malwarebytes' Anti-Malware; the paid Version adds Real-Time Protection which you don't need because you have Norton.  The Install of Malwarebytes' should only take around thirty seconds.  You can also keep Malwarebytes' on your computer and can be used as an On-Demand Scanner alongside Norton.

 

 

Malwarebytes' Anti-Malware for Windows: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=contentBody;mostPopTwoColWrap.

 

 

 

[Edit: Added More Information]

 

Message Edited by Floating_Red on 04-25-2009 10:54 AM

The user IMP is me (imprimis) as admin; no other accounts have been made and the guest account is turned off.

 

There is a scan still running on the drive I moved my files to, I have disconnected the drive safely that I restored from ready for a full format.

 

The possibility of the explorer being infected is what I fear, unless the scan makes the explorer run at 40ish.

I only have the scan running, and firefox open with just this forum on.

 

 The scan is currently at 287,000+ files and remember this is only the external drive for now, once that shows clean I will then go through the steps I said I would take.

Although scanning the external drive again until in safe mode I will skip when I do my pre-reboot scan, as that is already in progress.

 

So once this scan on my external drive is finished I will scan the whole of C:\ drive then that is both drives scanned.

Once this is done I will install malwarebytes and scan the whole system (currently just the c:\ drive and external drive).

Then providing nothing comes up with either NIS2009 and Malwarebytes I will restart into safe mode after unplugging from the net.

I will then run both programs again, NIS2009 first then malware bytes, and then providing all is well restart into safe mode and report back.

 

If I cant restart for some reason what should I do?

I need to know this because this is the only PC and I cant get to another PC or laptop to get further advice.

 

PS: does this super anti spyware program need to come into play at all?

 

PPS: NIS2009 scan of external completed and was clean.

 

Explorer still using up to 50 CPU

Message Edited by imprimis on 04-25-2009 02:57 AM

Hi,  imprimis,

 

What Scan are you currently doing?

 

Please could you just Open your Norton Product and Click on "Scan Now" then "Full System Scan".  And please Perform a Scan of all Drives with Malwarebytes' so we can be sure that there is nothing on your External Hard Drive.

 

I would suggest Printing off the Safe Mode instructions.  If when in Safe Mode you cannot Re-Start, please go in to the Administrator Account in Safe Mode and Scan with both Products.  Then go back in to your Account in Safe and do another Full Scan with both Products.

 

If Malwarebytes' and Norton do not Find anything and your computer is Running Fine, then SUPERAntiSpyware may Not be Required.

 

When Reporting Back, please list everything you did exactly please.

 

Please let me know if you have any other Questions or Concerns.

 

_________________________

 

How many Tabs you got Open and how many Windows you got Open with your Browser?  What Web Sites are you on?

 

 

[Edit: Added More Information]

 

Message Edited by Floating_Red on 04-25-2009 11:09 AM

I just finished the scan of the external drive, earlier I did a quick scan, followed by a scan on the documents folder.

Uninstalled EaseUS and a program I don't remember installing called R-Recover (might be just part of R-Recover). It asked me to restart to complete removal, but I chose no because I want to scan first.

I ran Window Washer and CCleaner a few times after closing down Firefox to clear out any remnants of the recovery.

I installed Malwarebytes and updated it; that is now running a full system scan (both drives).

Then I will run a full system scan using NIS2009 (I didnt think it would be a good idea to run both programs at once).

Then, providing it all comes up clean, I am still unsure why explorer.exe is running at 40-50.

 

I will now wait for these scans. I am worried about restarting without solving the issue first. Should I then download and install the super virus thingy from the link mentioned in an earlier post and scan with that, and will it clash with NIS2009?

 

Regardless of the outcome of the scans I will post here before I attempt a restart into safe mode.

 

PS: my account (imp) is the admin account.

 

Message Edited by imprimis on 04-25-2009 03:17 AM

You should be Dis-Connected from the Internet on the computer/laptop with Suspected Infection.  You should be Scanning all Drives Available when Clicking on "Full Scan".  If possible, please could you Stop the Current Malwarebytes' Scan Running, Dis-Connect from the Internet and then re-start the Scan please if using the computer with Suspected Infection. 

 

When you Re-Start in Safe Mode, you will see what I mean about the Administrator Account.

 

OK I will do that now but before I go in your sig you have " Install all Relevant Patches as soon as Possible." 

Do I need to do this manually if I have auto-update on in NIS2009? (PS: auto-update seems to be fine too.)

 

I've never understood what the patches meant, or if I needed to get them or indeed worry about them at all, as not everyone who uses NIS2009 will know to check the forums for updates.

That refers to the Patches Released by Microsoft this Month (April 2009).  Please make sure you have at least all the Critical Updates installed.

 

EaseUS is a legitimate piece of software and won't install malware. 

 

http://www.easeus.com/


Floating_Red wrote:

That refers to the Patches Released by Microsoft this Month (April 2009).  Please make sure you have at least all the Critical Updates installed.

 


 

Imprimis, do you have your computer set to automatically seek and download Microsoft updates? Mine is set like that, and every month on the second Tuesday it will automatically download all the critical and important Microsoft updates for my machine and Microsoft products (e.g. Office).

 

I have Vista Home premium

 OK I am back and here is what I have done so far.

 

I disconnected from the net and ran a full system scan with NIS2009 and then with Malwarebytes.

Norton showed nothing, but Malwarebytes found 1 item in my system folder; I can't remember where, and I cannot find the log even though I saved one.

 

When I went to quarantine it Norton then decided to see it as a threat and removed it, a little late there norton but at least it finally recognized it when pointed out by malwarebytes.

 

Please note that F:\ is my external drive I moved my files to.

I had moved my files from E:\ (external drive) to F:\ (another external drive but formatted with swissknife to FAT32)

 

Risk name: Trojan Horse

Risk Type: Virus

Risk Level: High

Dependencies: No known dependencies

 

 Affected areas:

1 File

1 Browser Cache

 

 f\system volume information\_restore{45fe83f3-355e-412e-a5d2-039e279ed9e1}\rp239\a0062934.exe

 

Removed Resolved No Action

 I also submitted it to symantec.

 

After the scan I had a bit of a clear out. I uninstalled Java(TM)6_Update from Add and Remove Programs, and when I did, it closed and reopened explorer (just where the screen does a hard refresh), and in the Task Manager explorer went from using 40-50 down to 0-1, so that seemed to fix that issue, which hasn't returned, touch wood.

 

I then restarted the pc into safe mode and scanned again with both NIS2009 and Malwarebytes, both came up clean.

I havent noticed any odd behaviour.

I have now used windows to full format the drive that I took the items to, updated NIS2009 and windows (I have auto updates turned on anyway for both).

And come here to post the updated info.

 

Would it be a good idea to turn off system restore and back on again to clear out any nasties that may be saved?

I feel once the format of my E:\ drive (the external I moved the items from) has fully completed, I will move the recovered items there manually so no system files are carried over too, then do a full format using Windows of the F:\ external drive. However, I want it to be in FAT32, and Windows doesn't ever seem to allow this?

 

Any further action needed about the malware that was removed?

 

If I update windows and it says

High-priority updates
No high-priority updates for your computer are available

do I still need to download some patches? If so, which ones, and what happens to people who don't come to the forums to know about these patches? Surely they should be automatic updates?

 

Any help on formatting my F:\ external to FAT32 would be appreciated.

Message Edited by imprimis on 04-25-2009 09:55 PM

In answer to the question on the System Restore: yes, turn it off and then turn it back on.  That should clear the restore cache.  As to formatting the external HD as FAT32, let me check and I'll be right back.
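As an added example for this thread (not code from any poster, nor from Norton or Malwarebytes), the script below does two things a practitioner would want after a report like the one above. First, it recognises when a detection path sits inside a Windows XP System Restore point: System Restore copies changed files into <drive>\System Volume Information\_restore{GUID}\RPnnn\ and renames each copy Annnnnnn.ext, so the file Norton removed was a restore-point copy, which is exactly what toggling System Restore off and on purges. Second, it inventories and SHA-256-hashes executable-looking files under a folder such as the Temp directory where setup1j.exe appeared, so a suspect file can be submitted to a vendor or looked up by hash rather than by name. The folder tree and the zero-byte stand-in for setup1j.exe are constructed inline; nothing here is a claim about the real file.

```python
"""Triage helper (added example, not from the original thread): classify a
System Restore detection path and hash executables under a folder.
All paths and file contents below are constructed for illustration."""
import hashlib
import os
import re
import tempfile

# Windows XP System Restore stores copies of changed files as
# <drive>\System Volume Information\_restore{GUID}\RPnnn\Annnnnnn.ext;
# the original file name is not recoverable from this path alone.
RESTORE_POINT_RE = re.compile(
    r"system volume information[\\/]_restore\{(?P<guid>[0-9a-f-]{36})\}"
    r"[\\/]rp(?P<rp>\d+)[\\/](?P<name>a\d{7}\.\w+)",
    re.IGNORECASE,
)


def parse_restore_point_path(path):
    """Return (restore point number, stored file name) when the path is a
    System Restore copy, otherwise None."""
    m = RESTORE_POINT_RE.search(path)
    if m is None:
        return None
    return int(m.group("rp")), m.group("name").lower()


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in fixed-size chunks so large files never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


# Extensions Windows will execute directly; any of these sitting in a Temp
# folder is worth hashing even when the antivirus scan reports it clean.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}


def inventory_executables(root):
    """Walk root and map each executable-looking file (relative path with
    forward slashes) to its SHA-256 hex digest, sorted by path."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = sha256_file(full)
    return dict(sorted(found.items()))


def demo():
    """Build a constructed Temp tree (a zero-byte stand-in for setup1j.exe plus
    a text file that must be ignored) and return its inventory."""
    root = tempfile.mkdtemp(prefix="triage_")
    temp_dir = os.path.join(root, "Temp")
    os.makedirs(temp_dir)
    with open(os.path.join(temp_dir, "setup1j.exe"), "wb"):
        pass  # constructed placeholder, not the real file
    with open(os.path.join(temp_dir, "notes.txt"), "w") as fh:
        fh.write("not an executable\n")
    return inventory_executables(root)


if __name__ == "__main__":
    # The path Norton reported in the post above.
    reported = (r"f\system volume information\_restore"
                r"{45fe83f3-355e-412e-a5d2-039e279ed9e1}\rp239\a0062934.exe")
    print("restore point copy:", parse_restore_point_path(reported))
    for rel, digest in demo().items():
        print(digest, rel)
```

Pointing inventory_executables at the real Temp folder (or a whole drive) gives a list of hashes that can be submitted alongside the sample, and re-running it after the clean-up shows whether any executable reappeared.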

 I am going to use Tokiwa Fat32formatter (free) http://tokiwa.qee.jp/EN/Fat32Formatter/

This way is supposed not to lose half the capacity like swissknife, and it doesn't need to install anything either.

 

However the other questions still remain.

 

1. Do I need to take any further action regarding the virus?

 

2. If I update windows and it says

High-priority updates
No high-priority updates for your computer are available

do I still need to download some patches? If so, which ones, and what happens to people who don't come to the forums to know about these patches? Surely they should be automatic updates?

Message Edited by imprimis on 04-26-2009 12:57 AM

Sorry, got side tracked.  Your answers:

Fat32formatter would be good (increased capacity is always a good thing).

 

1)  If the scans are clean and you deleted the system restore points (off and then back on), then no more actions; you have cleaned it well (quick action actually caught it before it did much, if any, damage).

 

2)  Windows Update high-priority updates are the recommended fixes for the holes in the released code.  Other patches (lower priorities) can be left out if you want.  You need the critical and high levels at least to be safe.

 

Not sure I understand the reference you mean in updates / patches?  Are you talking about Windows or Norton?  The Norton patches are posted here for the convenience of the people who visit here on the chance that this will fix the error they are experiencing.  The patches are also available from the knowledge base articles on Symantec's / Norton's web page.  Critical fixes and product updates / upgrades are handled through the Live Update process (to date there have been three major upgrades on the engines and features since NIS2009 was first released)