Photo.SCR infection not successfully removed?

[Luv2Lafmcc 0]

HI

 

I have a NAS that I have scanned and cleaned several times, yet each time, PHOTO.SCR propagates in the folders again. What do I do? eset seems to catch and clean, but is apparently not removing the cause. The infection is only on the network drive, and not on my main computer. Please help.

[Marcos 5,069]

Please post the appropriate record from the Detected threats log. Have you scanned your NAS completely and no threat was found?

[mandiato 19]

HI

 

I have a NAS that I have scanned and cleaned several times, yet each time, PHOTO.SCR propagates in the folders again. What do I do? eset seems to catch and clean, but is apparently not removing the cause. The infection is only on the network drive, and not on my main computer. Please help.

 

Maybe source of infection is another machine whioch has got access to NAS files, if so, as long as you don't clean infected machines those files will appear again. It could be virtually anything - including OS on NAS itself.

[Luv2Lafmcc 0]

 

HI

 

I have a NAS that I have scanned and cleaned several times, yet each time, PHOTO.SCR propagates in the folders again. What do I do? eset seems to catch and clean, but is apparently not removing the cause. The infection is only on the network drive, and not on my main computer. Please help.

 

Maybe source of infection is another machine whioch has got access to NAS files, if so, as long as you don't clean infected machines those files will appear again. It could be virtually anything - including OS on NAS itself.

 

 

 

I have done a scan of both my laptop (where eset resides) and the NAS. there are no other computers that access the NAS. I am currently doing another scan of the NAS drive, and will post the scan log. The NAS is 2tb in size, so it take a bit.

 

On the scan of my laptop, no threats found. I would think the if the threats are found only on NAS (T drive) than eset should clean and threat should not come back.

[Luv2Lafmcc 0]

Wouldnt the OS of the NAS get scanned by eset and cleaned?

 

Here is info on the NAS i have:

 

Buffalo LinkStation2

 

Model : LS-WTGL/R1-V3

Firmware Version: 3.10

[Luv2Lafmcc 0]

this seems to be what the current scan is detecting on the NAS : win32/crytes.AA worm

 

hxxp://www.virusradar.com/en/Win32_Crytes.AA/description

[Luv2Lafmcc 0]

Please post the appropriate record from the Detected threats log. Have you scanned your NAS completely and no threat was found?

[Luv2Lafmcc 0]

Scan Log

Log Version of virus signature database: 14485 (20161122)

Log Date: 11/22/2016  Time: 9:22:08 AM

Log Scanned disks, folders and files: T:\


Log (below has been truncated as its too long to post here on the forum)
T:\Mcc2TB\_Utorrents_\2014 movies\Enemy.2013.HDRip.XviD.MP3-RARBG\Photo.scr - Win32/Crytes.AA worm - cleaned by deleting [1]
T:\Mcc2TB\_Utorrents_\2014 movies\Locke 2013 1080p BRRip x264 DTS-JYK\Photo.scr - Win32/Crytes.AA worm - cleaned by deleting [1]
T:\Mcc2TB\_Utorrents_\2014 movies\Obvious.Child.2014.1080p.WEB-DL.DD5.1.H264-RARBG\Photo.scr - Win32/Crytes.AA worm - cleaned by deleting [1]
T:\Mcc2TB\_Utorrents_\2014 movies\Photo.scr - Win32/Crytes.AA worm - cleaned by deleting [1]
T:\Mcc2TB\_Utorrents_\2014 movies\Prisoners 2013 CAM x264 AC3 UNiQUE\Photo.scr - Win32/Crytes.AA worm - cleaned by deleting [1]
T:\Mcc2TB\_Utorrents_\2014 movies\Starred.Up.2013.1080p.BluRay.H264.AAC-RARBG\Photo.scr - Win32/Crytes.AA worm - cleaned by deleting [1]


Log
Number of scanned objects: 83604
Number of threats found: 982
Number of cleaned objects: 982
Time of completion: 12:34:04 PM  Total scanning time: 11516 sec (03:11:56)

Notes:
[1] Object has been deleted as it only contained the virus body.
 

[Luv2Lafmcc 0]

I would appreciate instruction on how to properly remove this from my NAS.

 

Thank you

[Dangermouse 5]

I would appreciate instruction on how to properly remove this from my NAS.

 

Thank you

 

As a preventative measure, you should stop downloading torrents with unauthorised versions of copyrighted content - this is a well-known way to get your computer infected.

 

It's also important to realise that the NAS isn't just another network drive, it's a computer in its own right, albeit with an OS that is probably a variant of linux.

 

Although you are seeing the Photo.scr infection on the NAS folders, if you refer to the information for the infection, hxxp://www.virusradar.com/en/Win32_Crytes.AA/description

you will see that the infection also includes infecting the registry of your computer.

 

Therefore, you need to clean your computer and NAS at the same time; it's probably better to do the computer first, with the NAS and any other network or USB devices disconnected.

 

Make sure that your copy of ESET is up-to-date with the latest definitions, and that all of the scanning/cleaning options in ESET are configured to scan all types of files, and use Strict Cleaning.

 

Do a full scan of the computer with ESET and allow it to remove any infections it finds - it might need to reboot afterward.

 

Then run a malware scan with another piece of software, just for a second opinion - I'd recommend Malwarebtes anti-malware free edition - as it might find traces that ESET doesn't; no single piece of security software can catch all threats.

 

Once you are sure that your machine is clean, go into System Restore, switch it off and reboot Windows - this will remove all previous restore points and prevent you inadvertently restoring to an infected state. Once the machine has rebooted, switch System Restore back on, create a new restore point and reboot the system again - you now have a clean machine with a clean restore point.

 

Next, ESET scan any other devices that get attached to the computer via LAN or usb, e.g. thumbdrives, external drives, smartphones, etc., to make sure that you have nothing that is acting as an infected carrier for malware.

 

Once you have clean devices, you're then ready to scan and clean the NAS. If you don't use FTP for anything, then disable it in your NAS, your computer, your firewall and your router. 

 

Spreading

Win32/Crytes.AA is a worm that repeatedly tries to connect to various IP addresses.

 

The FTP protocol is used.

Edited December 12, 2016 by Dangermouse

[hedgelayer 0]

Hi Luv2Lafmcc I have exactly the same issue with my Buffalo Linkstation 2. Did you ever get this issue resolved ? If so I would be very grateful if you let me know how you did it.

 

Many thanks

James

 

[Marcos 5,069]

3 hours ago, hedgelayer said:

Hi Luv2Lafmcc I have exactly the same issue with my Buffalo Linkstation 2. Did you ever get this issue resolved ? If so I would be very grateful if you let me know how you did it.

What happens if you run a full disk scan and then re-scan it? Is the malware still detected? Even after running a scan after a computer restart?

[Luv2Lafmcc 0]

7 hours ago, hedgelayer said:

Hi Luv2Lafmcc I have exactly the same issue with my Buffalo Linkstation 2. Did you ever get this issue resolved ? If so I would be very grateful if you let me know how you did it.

 

Many thanks

James

 

Hi James. I unfortunatly have N O T been able to remove this pesky issue. It has not spread to any other drive, but when I do a full scan, and eset removes all infections, withing a week or 2, it starts to pop up again. I have even spent the entire evening going thru my folder trees and removing ANY file that wasnt needed. Really pesky issue.

 

James, do you bit torrent?

[Luv2Lafmcc 0]

3 hours ago, Marcos said:

What happens if you run a full disk scan and then re-scan it? Is the malware still detected? Even after running a scan after a computer restart?

nothing. When i do a full drive scan, it locates the infections, cleans them. I run it again and zero infections are found. Then, a few days later, the SCR files start popping up again in the various subfolders. I keep the file view sorted by "date modified" so I can easily tell when its starting up again. Then I just do a full scan.

I would LOVE to have a resolution to this.

[jdashn 12]

Sounds to me like you are scanning the 'drive' that the nas is presenting to your windows machine, which likely does not include the NAS OS. I understand this might be difficult due to what the OS chooses to allow you to share. 

One way to be sure you know where the infection is coming from would be to check your router at home, you should be able to list all devices connected (check manufacturer instructions) which will help you be sure there isn't a pesky laptop sitting under a bed connected to wifi.. or a neighbor with evil intent.. If nothing is showing up there that you've not scanned all drives for... then (as suggested previously) you should turn off FTP on your NAS device. The infection you have spreads via FTP, if you turn off the FTP service on your NAS device the only way it can infect it's self is via it's self.. if you can narrow it down to definitely being on the device, but cannot allow ESET to scan the OS.. you need to contact the Manufacturer of your NAS device to find out how to allow you to scan it with a virus scanner. 

The scr files you're finding are not the infection it's self, but rather a sign of the infection (like a fever is not an illness just the sign of one), cleaning those will not clean the infection -- you need to find the source. it's accessing your NAS via FTP using default passwords.. either internally (the nas OS) or externally (a different computer with access to the files).

jdashn

 

 

[Luv2Lafmcc 0]

you are correct, I am scanning the Networked drive presented to my laptop.

There are no unknown network connections, nor is my network open. No one is connected other than me.

I have turned off the FTP server. I'll post when i next see the SCR file show up.