Symantec SEP repeatedly finds Trojan.Gen.SMH

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JoeM_MG, May 13, 2014.

  1. JoeM_MG

    JoeM_MG Private E-2

    SEP started detecting this on 4/28 shortly after Paul installed Firefox with "Security Risk Found!Trojan.Gen.SMH in File: C:\Users\Paul\AppData\Local\Temp\is954281375\MySearchDialUpdate.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully." repeats with various files, mostly temp files. I have cleaned with SEP and run checks with Malwarebytes (which found nothing). It keeps coming back. The only pattern I have noticed is that the catches are usually (maybe always) very shortly after SEP updates its virus definitions.

    I ran your suggested suite of checks without taking any corrective actions. The logs are attached.

    Thanks,

    Joe Marshall
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Paul\Documents\Optimizer Pro
    C:\Users\JoeM\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OptimizerPro_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OptimizerPro_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OptProStart_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OptProStart_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
    [-HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0871F3D4-E03D-4710-AE65-11A9D499E761}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. JoeM_MG

    JoeM_MG Private E-2

    I ran the suggested programs under the user JoeM. Requested logs are attached.

    When I ran JRT, it found a bad module and wanted to reboot right then.

    Creating a registry backup
    Checking Startup
    Checking Modules

    A bad module has been detected!
    A reboot is required to remove modules.

    Press 'y' to reboot now
    Press 'n' to reboot later
    Reboot now? [y,n]

    This was not covered in your instructions. I told it to reboot and it picked up after the reboot. It did not say what the module was.

    I finished capturing the logs about 1AM. Paul started to use his computer about 9:30AM this morning. He got another Symantec Endpoint Protection Notification at 10:22AM:

    Scan type: Auto-Protect Scan
    Event Risk Found!
    Security risk detected: Trojan.Gen.SMH
    File: C:\Users\Paul\AppData\Local\Temp\DWHA4BE.tmp
    Location: C:\Users\Paul\AppData\Local\Temp
    Computer: Paul-W7
    User: SYSTEM
    Action taken: Pending Side Effects Analysis : Access denied
    Date found: Wednesday, May 14, 2014 10:22:28AM

    There are 26 more such events in the log all starting right after a definition update in SEP (guessing that triggered a scan).

    What should I do next?
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Per your logs you are not posting any logs from a user account named Paul. You need to run the scans on the account that you are having problems with and attach the logs (all of them from the beginning). Cleaning the JoeM account is not necessarily going to fully clean the Paul account.

    Also, how are JoeM and Paul using/logging into this PC? Is this some kind of server? The account info for JoeM and Paul does not even show up in some of the logs. Only the below show:
    Code:
    Is Admin? | Username
    ------------------
       Yes    | Administrator (Disabled)
              | Guest (Disabled)
       Yes    | LclAdmin
    But in other logs I can see info for JoeM and Paul. However, it is telling me something about the Users folder being on drive Z rather than drive C where Windows is located. Do you have some of the user account folders located on different drives? This could be problematic for many scans. Also, if you did not make this strange setup, perhaps there is a problem in your environment variables. But I think you did set it up this way (not a good idea) because I see the below (just a small sample for joem; the user name does not even match the folder names, one is lower case, the others have upper case).
    Not that case matters for Windows in some cases, but for other cases it does. But having the homedrive say it is Z when it should be C is problematic. Perhaps you are actually sending logs for the wrong PC if this is a server and Paul is actually running from another drive on another PC.
     
    Last edited: May 14, 2014
  5. JoeM_MG

    JoeM_MG Private E-2

    I am sorry. I did not understand or see anything about the importance of different accounts.

    Paul and JoeM are domain accounts. Paul is the user of the machine. I am JoeM and use the machine very infrequently. LclAdmin is a computer account used to install the OS and not afterwards.

    I will rerun the first steps as Paul and forward the logs shortly.

    Joe M
     
  6. JoeM_MG

    JoeM_MG Private E-2

    I thought I edited the previous reply to show:

    G:, I:, K:, and Z: are all mapped to the SBS 2008 server. Z: is added by the SBS wizards when creating the account and putting the user on the computer. All profile information should be on C:, there are no roaming profiles. Z: is seldom used. I: and Z: can be used to manually copy or place documents on the server. I do not know why the wizards set HOMEDRIVE as Z: or what impact that might have.

    I ran the initial set of programs as Paul and have attached the logs. This run made no changes.

    Thanks
     

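The HOMEDRIVE question raised above can be settled from the machine itself rather than from scan logs. The following is an added example, not code from the thread or from any of the tools it uses: it reads where Windows actually keeps the local profile (the ProfileList entry for the logged-in SID), compares that with the HOMEDRIVE/HOMESHARE mapping the SBS wizard sets, and checks whether TEMP, where the SEP detections were landing, is under that local profile. Assumptions: Windows 7 with PowerShell 2.0 or later, run as the affected user (Paul) on the affected PC; nothing here changes the system.

```powershell
# Added example, not part of the thread. The ProfileList entry is what Temp,
# AppData and the SEP detections are keyed to; HOMEDRIVE/HOMESHARE is only the
# account's "Home folder" mapping, which the SBS wizard points at the server.
$sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$imagePath  = [Environment]::ExpandEnvironmentVariables(
                  (Get-ItemProperty -Path $profileKey).ProfileImagePath)

New-Object PSObject -Property @{
    User             = "$env:USERDOMAIN\$env:USERNAME"
    SID              = $sid
    ProfileImagePath = $imagePath          # authoritative local profile folder
    USERPROFILE      = $env:USERPROFILE
    TEMP             = $env:TEMP           # where the detections were landing
    HOMEDRIVE        = $env:HOMEDRIVE      # Z: on this PC per the post above
    HOMEPATH         = $env:HOMEPATH
    HOMESHARE        = $env:HOMESHARE      # UNC the Z: mapping comes from, if any
} | Format-List

# Is HOMEDRIVE really a network mapping? Win32_LogicalDisk DriveType 4 = network drive.
if ($env:HOMEDRIVE -and $env:HOMEDRIVE -ne $env:SystemDrive) {
    $disk = Get-WmiObject Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f $env:HOMEDRIVE)
    if ($disk -and $disk.DriveType -eq 4) {
        Write-Warning ("HOMEDRIVE {0} is a network drive mapped to {1}; any tool that builds paths from HOMEDRIVE will look in the wrong place" -f $env:HOMEDRIVE, $disk.ProviderName)
    }
}

# The check that matters for the cleanup scripts: profile and TEMP on the system drive?
$local = $imagePath.StartsWith($env:SystemDrive, [StringComparison]::OrdinalIgnoreCase) -and
         $env:TEMP.StartsWith($imagePath, [StringComparison]::OrdinalIgnoreCase)
if ($local) { "Profile and TEMP are local under $imagePath; HOMEDRIVE=$env:HOMEDRIVE can be ignored for scanning." }
else        { Write-Warning "Profile or TEMP is not under $env:SystemDrive; scan tools keyed on HOMEDRIVE may miss it." }
```

If the first branch prints "Profile and TEMP are local", the Z: home drive is a red herring for the cleanup: the Temp paths in the OTM scripts (C:\Users\Paul\AppData\Local\Temp) are the right ones, and only tools that derive paths from HOMEDRIVE rather than USERPROFILE would go looking on the server share.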

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. There is a good chance that you are having false detection issues with Symantec. However, there is some junkware on this user account to clean up too, so let's do that and see what happens.

    Do you know what the below recent folder is for?
    C:\Users\Paul\AppData\Roaming\1H1Q


    Run the below while logged into the Paul user account.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
     
    :Files
    C:\Windows\System32\drivers\{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}w.sys
    C:\Windows\Temp\*.*                                                                           
    C:\Users\Paul\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1143\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}]
    [-HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1143\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1143\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1143\Software\IM]
    [-HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1143\Software\ImInstaller]
    [-HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1143\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1143\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. JoeM_MG

    JoeM_MG Private E-2

    The requested logs are attached.

    The last SEP notice was 6:24PM last night, but the only activity since then has been me (as Paul) running the cleaners around midnight and now looking around. I got the expected IE message that the default search provider had been corrupted when I started IE.

    >There is a good chance that you are have false detection issues by Symantec.

    10+ other computers are not getting them. There must be something crucially different about Paul or computer Paul-W7 if this is the case.

    >Do you know what the below recent folder is for?
    > C:\Users\Paul\AppData\Roaming\1H1Q

    No. Best guess is that it is part of Firefox installation or some junk that came with it. The timing associates it with the FF installation and the start of the SEP notifications. Paul downloaded and installed Firefox when the recent zero-day IE vulnerability hit.
    4/28/2014 10:55:07AM C:\Program Files\Mozilla\* (most FILES) were created
    4/28/2014 10:55:19AM C:\Users\Paul\AppData\Roaming\1H1Q was created.
    4/28/2014 10:55:19AM C:\Users\Paul\AppData\Roaming\1H1Q\Firefox Packages\uninstaller.exe was created. This is the only file in the only path under 1H1Q. uninstaller.exe shows a modification date of 4/24/2014 1:33:14PM, a size of 574,504 bytes, and no detail information.
    4/28/2014 10:56:40AM First SEP Event log entry "Security Risk Found!Trojan.Gen.SMH in File: C:\Users\Paul\AppData\Local\Temp\is954281375\MySearchDialUpdate.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully."
    4/28/2014 10:56:57AM Next SEP Event log entry "Security Risk Found!Trojan.Gen.SMH in File: C:\Users\Paul\AppData\Local\Temp\is954281375\uninstall.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully."
    4/28/2014 10:57:07AM C:\Program Files\Mozilla was created. Also most sub-folders.
    4/28/2014 10:57:14AM Next SEP Event log entry "Security Risk Found!Trojan.ADH.2 in File: C:\Program Files\WiseEnhance\WiseEnhanceBHO.dll by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully."
    ...
    4/28/2014 6:23:04PM Next SEP Event log entry I copied (I may have ignored some) "Security Risk Found!Trojan.ADH.2 in File: C:\Program Files\WiseEnhance\bin\WiseEnhance by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully."

    Paul will start using his computer again this afternoon. I will report on his experience at the end of the day (Pacific).

    Thanks,

    Joe M
     

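The hand-built timeline in the post above (file creation times lined up against SEP event-log entries) is the right way to find what dropped the detected files. As an added example, not code from the thread or from Symantec, the script below rebuilds that timeline from the machine: it lists everything created in a time window under the user's profile and both Program Files trees, pulls SEP's "Risk Found" events for the same window, merges them by time, and for each detection shows what was written in the two minutes before it. Assumptions: run elevated on Paul-W7; SEP 12.x writes its risk events to the Application log under the provider name "Symantec AntiVirus" (change $Provider if your build logs under another name); the window and profile path are the ones from the post and are only defaults.

```powershell
# Added example, not part of the thread. Rebuilds the file-creation vs
# SEP-detection timeline for a window; defaults are the 4/28 values above.
$ProfilePath = 'C:\Users\Paul'
$From        = [datetime]'2014-04-28 10:50:00'
$To          = [datetime]'2014-04-28 11:00:00'
$Provider    = 'Symantec AntiVirus'   # assumption: SEP 12.x Application-log provider name

# 1. Everything created in the window under the profile and both Program Files trees
$roots = @($ProfilePath, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$files = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $From -and $_.CreationTime -le $To } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time   = $_.CreationTime
                Source = 'FS'
                Detail = 'created {0}' -f $_.FullName
            }
        }
}

# 2. SEP risk events in the same window, with the detected path pulled out of the message
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $Provider; StartTime = $From; EndTime = $To
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Risk Found' } |
    ForEach-Object {
        $msg  = $_.Message -replace '\s+', ' '
        $file = if ($msg -match 'File:\s*(.+?)\s+by:') { $matches[1] } else { '' }
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Source = 'SEP'
            Detail = $msg
            File   = $file
        }
    }

# 3. Merged timeline, oldest first
@($files) + @($events) | Sort-Object Time | Format-Table Time, Source, Detail -AutoSize -Wrap

# 4. For each detection, what was written in the two minutes before it?
#    That is usually the installer (here the is<digits> temp folder) that dropped the file.
foreach ($e in $events) {
    Write-Host ("`n== {0}  {1}" -f $e.Time, $e.File)
    $files | Where-Object { $_.Time -ge $e.Time.AddSeconds(-120) -and $_.Time -le $e.Time } |
        Sort-Object Time | ForEach-Object { Write-Host ('   {0}  {1}' -f $_.Time, $_.Detail) }
    # Known SEP behaviour: DWH<hex>.tmp files in %TEMP% are DefWatch's working copies
    # of quarantined items being rescanned after a definition update, so Auto-Protect
    # re-detecting them is noise until Quarantine is emptied.
    if ($e.File -match '\\DWH[0-9A-F]+\.tmp$') {
        Write-Host '   (DWH*.tmp: quarantine rescan artifact, not a new infection)'
    }
}
```

Widen $From/$To to cover the later detections (the 5/14 10:22 AM batch) and the DWH check in step 4 separates the original installer drops on 4/28 from the post-definition-update re-detections of material already sitting in Quarantine.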

  9. JoeM_MG

    JoeM_MG Private E-2

    Paul used the computer for a couple of hours this afternoon. There was a report of 7 items found in a SEP scan that looked like they had already been quarantined. I have attached both the scan window and the export of SEP Quarantine (originally .csv). I have not cleared/purged quarantine.

    Paul did not get any other SEP notifications.

    Thanks,

    Joe M
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Empty the SEP quarantine folder and also do the below.

    Delete the below folder if it exists:
    C:\Program Files\WiseEnhance

    Do the below to flush restore points:
    • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore
    • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
    • Then we want you to Enable System Restore to create a new clean Restore Point.
    Now reboot the PC and see if any more detections occur. If they do, I would like you to try and get a copy of one of the files into a ZIP file and attach it here. You will have to disable SEP in order to do this.
     
  11. JoeM_MG

    JoeM_MG Private E-2

    SEP quarantine cleaned.

    C:\Program Files\WiseEnhance has been deleted. It existed, but was empty.
     
  12. JoeM_MG

    JoeM_MG Private E-2

    Ignore previous partial post -- timeout and unexpected tab behavior.
    ------------------------------------------------------------------
    SEP quarantine cleaned.

    C:\Program Files\WiseEnhance has been deleted. It existed, but was empty.

    Restore points cleared.

    Waiting to see if problem recurs.

    Notes, in case the info proves useful:

    File search for "WiseEnhance" also found
    C:\Users\Paul\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\OZH0J5SM\api.wiseenhance[1].xml
    Create: 4/30/14 11:04:04AM
    Modify: 5/05/2014 12:12:16PM
    Size: 175,349 bytes
    C:\Users\Paul\AppData\Local\Microsoft\Internet Explorer\DOMStore\AQUM4GVL\api.wiseenhance[1].xml
    Create: 4/30/14 10:54:41AM
    Modify: 5/02/2014 4:40:13PM
    Size: 174,154 bytes
    This file attached with .txt extension.

    Getting Service Control Manager Error 7026 event on startup: "The following boot-start or system-start driver(s) failed to load: {2c976a7f-dbdc-4756-870f-f6d183fe7a7e}w"

    Registry search for "WiseEnhance" found a number of entries (see: attached search results clip). I was not able to find the file C:\Windows\system32\drivers\{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}w.sys.

    Thanks,

    Joe M
     


  13. JoeM_MG

    JoeM_MG Private E-2

    > ... see if anymore detections occur. If they do, I would like you to try and get a copy of one of the files into a ZIP file and attach it here. You will have to disable SEP in order to do this.

    This may be premature, but if I disable SEP how will I know that there is a file to copy or where it is?

    Thanks,

    Joe M
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You put things in the wrong order. ;) Per my instructions, see if it happens again, and if it does, then you will need to disable SEP to get a copy of one of the files.

    You may even have to get the copy from the quarantine folder since SEP may have already removed it as soon as it is detected.

    Also, please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      {2c976a7f-dbdc-4756-870f-f6d183fe7a7e}
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
