Digit Technology Discussion Forum > Software > Software Q&A
04-04-2007, 11:48 PM   #1
SE><IE (Guest)
Fujack.AB virus

Okay, this damn thing has been pissing me off since yesterday. NOD32 says you've got a "FUJACK.AB" virus in "E:\games.exe".
It says "the infection occurred on a newly created file. The file was moved to quarantine." Last night I found a games.exe file in C:\ and deleted it manually.

Isn't there any way I can find the root cause?
I am NOT going to change my always-on antivirus, but maybe there's an on-demand-only antivirus.

I did a complete scan 3-4 times and it did not find any threats.
Oh yes, I haven't installed anything that may have infected my PC. My HijackThis log file hasn't got anything bad in it either. Help, please.



Quote:
Originally Posted by "HIJACKTHIS"

Logfile of HijackThis v1.99.1
Scan saved at 11:46:33, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
G:\Java\jre1.5.0_11\bin\jusched.exe
G:\Unlocker\UnlockerAssistant.exe
G:\Internet Download Manager\IDMan.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
G:\Google\Google Talk\googletalk.exe
G:\TechSmith\SnagIt 8\SnagIt32.exe
H:\Wiki\Wiki\WikidPad\WikidPad.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
G:\TechSmith\SnagIt 8\TSCHelp.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
g:\VMware\VMware Workstation\vmware-authd.exe
D:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
D:\WINDOWS\system32\vmnat.exe
D:\WINDOWS\system32\vmnetdhcp.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\system32\svchost.exe
G:\uTorrent\utorrent.exe
G:\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\inetsrv\DavCData.exe
G:\Sify Broadband\BBClient.exe
D:\Program Files\Eset\nod32.exe
G:\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\cidaemon.exe
H:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sifymax.com/bbhome/?useri...886b9dd0e48453
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - G:\Internet Download Manager\IDMIECC.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - g:\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - g:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - g:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - g:\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - g:\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - g:\FlashFXP\IEFlash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - g:\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] "g:\\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "g:\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "G:\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [RemoteControl] g:\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [iTunesHelper] "g:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "g:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "G:\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [IDMan] G:\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] G:\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [googletalk] "g:\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WikidPad.lnk = H:\Wiki\Wiki\WikidPad\WikidPad.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = G:\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = G:\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: SnagIt 8.lnk = G:\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Append to existing PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://g:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Links with IDM - G:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - G:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - g:\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - g:\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - g:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B294F51-CE42-4504-9887-2C886F6C94CF}: NameServer = 202.144.13.50,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B294F51-CE42-4504-9887-2C886F6C94CF}: NameServer = 202.144.13.50,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B294F51-CE42-4504-9887-2C886F6C94CF}: NameServer = 202.144.13.50,202.144.66.6
O17 - HKLM\System\CS3\Services\Tcpip\..\{0B294F51-CE42-4504-9887-2C886F6C94CF}: NameServer = 202.144.13.50,202.144.66.6
O20 - Winlogon Notify: MCPClient - D:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - G:\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - g:\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - D:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - D:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - D:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
Google shows no useful links either.

Last edited by SE><IE; 05-04-2007 at 12:12 AM. Reason: Automerged Doublepost
05-04-2007, 10:22 AM   #2
anandk (Distinguished Member, Pune; joined Mar 2005)
Re: Fujack.AB virus

What do the properties of the games.exe show? Is it a crack, btw?
Or maybe your C:\games.exe created this one on E:\. Get it analysed at
http://www.virustotal.com/en/virustotalf.html
http://virusscan.jotti.org/
with multiple anti-malware scanners.
Disable System Restore, run CCleaner and rescan your PC in Safe Mode.
Yeah, your HJT log is clean...
Another thing: NOD32 is known to depend on heuristics, so a case of a false positive cannot be ruled out. These two online scans can throw more light on it.
05-04-2007, 11:39 AM   #3
Kiran.dks (Human Spambot, Pune, India; joined Apr 2006)
Re: Fujack.AB virus

The report has no issues. I think the worm has been detected and removed by NOD32.

It is a worm with backdoor functionality for the Windows platform. W32/Fujacks-N spreads to other network computers. Worm.Win32.Fujack.ab is also called WORM_FUJACKS.ES and W32.Fujacks.A.

More info here.
06-04-2007, 12:26 AM   #4
SE><IE (Guest)
Re: Fujack.AB virus

@anand: Well, the only dialog box I see is the one in the screenshot. lol, it's not a crack or something. The file doesn't even exist whenever I go and browse.
Like I said, I found a games.exe in C:\ and deleted it. So now I don't have any games.exe file to scan, but then who the heck creates this file, when NOD32 says no threats on a full scan?
I even tried a rootkit detector by Sophos, but it couldn't find a threat.

BTW, won't an online scan take just too much time considering I've got around 80 GB of data? Or does it do selective scanning?
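Added example, not code posted by anyone in this thread: a small Python 3 watcher aimed at the question in post #4 ("who creates this file?"). It polls the directories you list (on the poster's machine, the drive roots where games.exe turned up in posts #1 and #4) and, whenever the file appears or its content changes, records its size, MD5 and SHA-256 together with a snapshot of the process list at that moment, which is usually enough to narrow down the writer. The hashes also serve anandk's suggestion in post #2: with a hash you can look the sample up on VirusTotal or Jotti, or upload just that one file, instead of scanning 80 GB. The function names `fingerprint`, `poll_once`, `watch` and the drive list in the `__main__` block are my assumptions; the filename games.exe is the one from the thread.

```python
import hashlib
import os
import subprocess
import time
from datetime import datetime

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large dropped file never sits whole in RAM


def fingerprint(path):
    """Size, MD5 and SHA-256 of one file. Either hash is enough to look the
    sample up on VirusTotal or Jotti without uploading the whole disk."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def running_processes():
    """Process list at the moment the file showed up; the dropper is usually
    still among them. Uses the OS's own tool, no third-party module needed."""
    cmd = ["tasklist", "/V"] if os.name == "nt" else ["ps", "-eo", "pid,ppid,user,comm"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.SubprocessError):
        return "(process snapshot unavailable)"


def poll_once(watch_dirs, filename, seen):
    """Look for `filename` in each watched directory. Returns one event per
    file that is new, or whose content changed, since the last call.
    `seen` maps path -> last SHA-256 and is updated in place."""
    events = []
    for directory in watch_dirs:
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            continue
        try:
            fp = fingerprint(path)
            st = os.stat(path)
        except OSError:
            # The AV may quarantine it between isfile() and open(); retry next poll.
            continue
        if seen.get(path) == fp["sha256"]:
            continue  # same content as last time, nothing new to report
        seen[path] = fp["sha256"]
        events.append({
            "path": path,
            "observed": datetime.now().isoformat(timespec="seconds"),
            # st_ctime is the creation time on Windows, inode change time on Unix
            "created": datetime.fromtimestamp(st.st_ctime).isoformat(timespec="seconds"),
            **fp,
        })
    return events


def watch(watch_dirs, filename="games.exe", interval=1.0, max_polls=None):
    """Poll until interrupted (or `max_polls` times); on each hit print the
    fingerprint and the process snapshot so the creator can be narrowed down."""
    seen, polls = {}, 0
    while max_polls is None or polls < max_polls:
        for ev in poll_once(watch_dirs, filename, seen):
            print(f"[{ev['observed']}] {ev['path']} created={ev['created']} "
                  f"size={ev['size']} md5={ev['md5']} sha256={ev['sha256']}")
            print(running_processes())
        polls += 1
        time.sleep(interval)


if __name__ == "__main__":
    # Drive roots mentioned in the thread (assumed); adjust to the machine being examined.
    watch(["C:\\", "D:\\", "E:\\"])
```

Run it from an administrative prompt and leave it in the foreground until the file is recreated. If NOD32 quarantines the file before a poll fires, shorten `interval`; the quarantine entry's timestamp plus the process snapshot nearest to it are still the two anchors for finding the writer. Hash the quarantined copy, not a cleaned one, when submitting to the online scanners.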
 
06-04-2007, 10:01 AM   #5
s18000rpm (a_g = JPKN; joined Mar 2006)
Re: Fujack.AB virus

No man, anand asked you to get the "games.exe" checked online on those sites.

Quote:
Virustotal does not substitute any antivirus software installed in a PC, as it only scans individual files on demand.

Upload that file there & wait for the results.

__________

lol, Quick Heal & e-Safe detected nfshp2.exe (NFS game) as a possible threat (DNAScan, trojan).
Last edited by s18000rpm; 06-04-2007 at 10:01 AM. Reason: Automerged Doublepost