MajorGeeks Support Forums > Malware Removal
  #21  
Old 09-07-12, 08:43
TriBeCa99 TriBeCa99 is offline
Private E-2
 
Join Date: Aug 2012
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by chaslang View Post
Okay but this log does not show it. Are you saying it comes back again after the next reboot?
No reboot necessary, it just comes back. I generally only reboot the system when windows releases patches, and even then sometimes I'm forced to wait another week or two before I get a chance to take it offline.

It's entirely possible, if not likely, that that's what SEP is picking up on--the reinfection.

So for example, my computer has not been rebooted since the last set of logs I uploaded, and yet see the attached RK log.

Is it possible the smb share I have mounted from my linux machine with ~2.4TB of data on it is reinfecting it? Or from somewhere else over my work network?
Attached Files
File Type: txt RKreport[19].txt (2.6 KB, 2 views)
  #22  
Old 09-08-12, 13:20
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 77,550
Thanks: 48
Thanked 6,679 Times in 3,471 Posts
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by TriBeCa99 View Post
Is it possible the smb share I have mounted from my linux machine with ~2.4TB of data on it is reinfecting it? Or from somewhere else over my work network?
Back in message #13 you stated
Quote:
There are two network drives normally mounted, both from the same server which is an Ubuntu box I maintain. However, I've been replacing the RAID array in that box with larger drives, and the server was off the entire weekend so nothing could have spread over those drives.
Can you please disconnect this PC from the network and then have RogueKiller fix those same entries and immediately reboot. After reboot see if they are really fixed. If they are, still remain disconnected from the network and periodically check to see if they come back.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


  #23  
Old 09-11-12, 08:50
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

I kept the rig offline (cable disconnected) for about 18 hours overnight yesterday and it was clean when I came in this morning. The most recent log is attached.

Unfortunately I have to have it online, so it's plugged in again. I'll let you know if/when it gets infected again.
Attached Files
File Type: txt RKreport[23].txt (2.4 KB, 1 views)
  #24  
Old 09-11-12, 09:57
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by TriBeCa99 View Post
I kept the rig offline (cable disconnected) for about 18 hours overnight yesterday and it was clean when I came in this morning.
Well then perhaps we have learned that another piece of equipment on your network is the source of the reinfection. Each time I have said you were clean, you were clean until some length of time later with the PC connected to the network. With it disconnected, it seems to remain clean.

Now it is always possible that something on this PC is dialing out and redownloading the infection, but that seems less likely since nothing shows in the logs and your Symantec Endpoint firewall should be protecting you from this happening.... well hopefully it does unless someone has given the process permissions thru the firewall.
  #25  
Old 09-11-12, 15:18
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

Just ran a scan before leaving work here, and sure enough it was infected again. I've removed the offending files, but of course they'll be back.

How should I proceed? I didn't notice any exceptions I don't recognize in the firewall rules. Is it more likely to be coming from my Ubuntu server that I am mounting two shares from, or is it equally likely to be coming from any random device on my work's local network?
  #26  
Old 09-11-12, 23:46
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by TriBeCa99 View Post
Just ran a scan before leaving work here, and sure enough it was infected again. I've removed the offending files, but of course they'll be back.
Don't remove them next time. First look to see if the file actually exists. If it does, put a copy of it into a ZIP file and attach it here. Then after you have the ZIP file attached fix the problem with RogueKiller. And then immediately do the below:

Navigate to the below folder:
C:\Users\Jared\AppData\Roaming

Create a folder ( not a file ) with the below name:
service1043.exe

Change the permissions of this new folder to be Read-Only, Hidden

While scans may still detect this strangely named folder, let's see if it blocks the ability of the infection from creating the file.

Quote:
Originally Posted by TriBeCa99 View Post
How should I proceed? I didn't notice any exceptions I don't recognize in the firewall rules. Is it more likely to be coming from my Ubuntu server that I am mounting two shares from, or is it equally likely to be coming from any random device on my work's local network?
It could be coming from anywhere. Including removable drives.
  #27  
Old 09-12-12, 08:51
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

Unfortunately the service1043.exe file does not seem to exist... at least not in that location
  #28  
Old 09-15-12, 00:08
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Hmmm! I wonder if it is hidden or it comes and goes? Try creating the below FOLDER name:

C:\Users\Jared\AppData\Roaming\service1043.exe

If you cannot create the folder, it would mean there is a file there already using that name.


The next time you see that the registry entries have appeared, do not fix them. Try running the below online scan and attach the ESET log.

Using ESET's Online Scanner
  #29  
Old 09-25-12, 09:28
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

Okay sooooo.... things did not go exactly as planned.

First off, I was able to create the service1043.exe directory no problem, even when roguekiller reported the threat as present.

Next, I tried running ESET. It was a looooooooong scan and I ended up having to leave before it was done. While it was working, it reported Win32/PrcView as a threat, in addition to Win32/Dorkbot.D worm.

I left work with it still running, and when I came in the next day my computer had BSOD'd. So I was unable to acquire a log.

I reran it yesterday before leaving and it was done when I came in. There were no threats and I couldn't find any way to get a log out of it (given that there were no threats). There was a link file in some backed up data that it had quarantined, so I instructed it to delete that.

Since I didn't have an ESET log for you, I ran RK and attached that log instead. As you can see service1043 was still there. I deleted it, so we'll see if it comes back tomorrow....
Attached Files
File Type: txt RKreport[28].txt (2.7 KB, 1 views)
  #30  
Old 09-26-12, 00:38
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

When this problem appears, is Symantec actually detecting it? If so perhaps it is already removing something we need to see that is not showing up in scans.

However that being said, I still have to go back to the fact that this does not show up when you are not connected to your network, so I have to wonder if the problem is coming from some other PC on your network.

Do you have any files/folders shared on this PC?
  #31  
Old 09-26-12, 16:14
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by chaslang View Post
When this problem appears, is Symantec actually detecting it? If so perhaps it is already removing something we need to see that is not showing up in scans.

However that being said, I still have to go back to the fact that this does not show up when you are not connected to your network, so I have to wonder if the problem is coming from some other PC on your network.

Do you have any files/folders shared on this PC?
Symantec detects it at some point, but based on the results of past RK logs it does not detect it at the moment the computer gets reinfected, but at some time later. Also, Symantec only ever identifies a problematic temp file, and is basically never able to do anything other than log it.

Yes, I too wonder if the problem is from some other PC on the network.... I'm not sharing any folders, but I do have two samba shares mounted from an Ubuntu box.
  #32  
Old 09-29-12, 00:13
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by TriBeCa99 View Post
First off, I was able to create the service1043.exe directory no problem, even when roguekiller reported the threat as present.
Does this folder still exist? If so, there is never any real infection of a file named service1043.exe running since it can't exist with that folder in place.

Quote:
Originally Posted by TriBeCa99 View Post
Next, I tried running ESET. It was a looooooooong scan and I ended up having to leave before it was done. While it was working, it reported Win32/PrcView as a threat
Just a false detection of process.exe used by MGtools and many other programs. It is just a simple command line task manager.

Quote:
Originally Posted by TriBeCa99 View Post
in addition to Win32/Dorkbot.D worm.
Would need a log showing where this is found to determine if it is real or not. Nothing related to this showed in other logs but those logs would not detect all aspects of this infection if it did exist. I would however expect that your Symantec Antivirus program would detect it.



Please download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
  • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
  • Now select the Start Repairs tab.
  • Then click the Start button.
  • Create a System Restore point if prompted.
  • On the next screen, click the Unselect All button to first deselect all repairs.
  • Now select the following repair options:
    • Reset Registry Permissions
    • Reset File Permissions
    • Register System Files
    • Remove Policies Set By Infections
    • Set Windows Services To Default Startup
  • Now on the lower right side check the box to Restart/Shutdown System When Finished
  • Then make sure the Restart System radio button is enabled.
  • Shutdown any other programs that you are running now before continuing.
  • Now click the Start button.
  • Be patient while the tool repairs the selected items.
  • It should reboot automatically when finished.
Now run RogueKiller and attach a new log. If those lines exist, do not fix them. Just run the below:

Download SystemLook_x64 from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    service1043.exe
    :filefind
    service1043.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan thru your whole system looking for matches.
  • Please attach the SystemLook.txt log found on your Desktop to your next reply.
  #33  
Old 10-01-12, 10:25
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by chaslang View Post
Does this folder still exist? If so, there is never any real infection of a file named service1043.exe running since it can't exist with that folder in place.
Yes, the folder still exists.

Quote:
Originally Posted by chaslang View Post

Would need a log showing where this is found to determine if it is real or not. Nothing related to this showed in other logs but those logs would not detect all aspects of this infection if it did exist. I would however expect that your Symantec Antivirus program would detect it.
Sadly the PC BSOD'd before the log was created. I can try a full system scan with SEP.... Like I say it does report "Trojan.Gen.2" on a regular basis, but not Dorkbot.D.



All done, logs attached. Finds the registry entries but no files....
Attached Files
File Type: txt RKreport[30].txt (2.2 KB, 3 views)
File Type: txt SystemLook.txt (1.2 KB, 3 views)
  #34  
Old 10-01-12, 22:36
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by TriBeCa99 View Post
All done, logs attached. Finds the registry entries but no files....
Okay. Hopefully you still have not tried to fix these. I want to run the below ComboFix scan but only while these still exist.


Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
Then right click on it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall.
After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
  #35  
Old 10-02-12, 09:21
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

Okay, here's the log. And no, I didn't fix them prior to running this scan.
Attached Files
File Type: txt ComboFix.txt (17.8 KB, 2 views)
  #36  
Old 10-02-12, 23:17
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Okay the only thing Combofix showed was the below folder I had you create
Code:
2012-09-20 15:41 . 2012-09-20 15:41 -------- d-----w- c:\users\Jared\AppData\Roaming\service1043.exe
Is it possible that you can uninstall ALL of the Adobe software you have on this PC just to make sure it is really not somehow related to Adobe?

Also let's do the below with ComboFix where I'm going to remove those registry keys and replace them with a dummy entry.



Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::

DirLook::
c:\users\Jared\AppData\Roaming\service1043.exe

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"Adobe Reader Speed Launcher"="dummy"
[HKEY_USERS\S-1-5-21-1277685125-4187367947-72843683-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"Adobe Reader Speed Launcher"="dummy"
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Reply With Quote
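The state the posts above describe (registry entries that reference service1043.exe with no matching file on disk, only the placeholder folder) can be checked in one read-only pass. The following PowerShell is an added example, not part of any post in this thread and not code from RogueKiller, SystemLook or ComboFix; the function names Get-RunTargetPath and Get-RunKeyAudit are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of Run-key autostart
# entries. For each value it reports whether the program it names is a file,
# a directory (such as a placeholder folder), or absent at that path.

function Get-RunTargetPath {
    param([string]$Command)
    # Expand %APPDATA%-style variables, then isolate the program path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }   # quoted path, arguments follow
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') {
        return $Matches[1]                                  # unquoted path up to the first program extension
    }
    return ($cmd -split '\s+', 2)[0]                        # fallback: first token
}

function Get-RunKeyAudit {
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $roots  = @("Registry::HKEY_CURRENT_USER\$subKey",
                "Registry::HKEY_LOCAL_MACHINE\$subKey")
    # Per-user hives currently loaded under HKEY_USERS (skip the *_Classes hives).
    # The current user's SID is among them, so HKCU values are listed twice,
    # once under each name.
    $roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$subKey" }

    foreach ($root in $roots) {
        $key = Get-Item -LiteralPath $root -ErrorAction SilentlyContinue
        if (-not $key) { continue }                         # hive has no Run key or is not readable
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data so REG_EXPAND_SZ values are shown as stored.
            $data   = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $target = Get-RunTargetPath $data
            if (-not $target) { $state = 'Empty' }
            elseif (Test-Path -LiteralPath $target -PathType Leaf) { $state = 'File' }
            elseif (Test-Path -LiteralPath $target -PathType Container) { $state = 'Directory' }
            else { $state = 'Missing' }
            [pscustomobject]@{
                Key    = $root
                Name   = $name
                Data   = $data
                Target = $target
                OnDisk = $state
            }
        }
    }
}

# Entries whose target is not a regular file are the ones worth a closer look.
# A bare program name with no directory is resolved by Windows through its
# search path, so it is reported as Missing here unless it sits in the
# current directory.
Get-RunKeyAudit |
    Where-Object { $_.OnDisk -ne 'File' } |
    Format-List Key, Name, Data, Target, OnDisk
```

Run it once while the entries are present and again after a period offline; a value that keeps returning with OnDisk reported as Directory or Missing matches what the logs in this thread showed.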
  #37  
Old 10-12-12, 14:17
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

Unfortunately I've been too busy working on this machine to follow the instructions in your last post.

However, I also happen to have noticed that I have seen no sign of the virus (no alerts from SEP) in over a week of continuous uptime. That hasn't happened since the infection appeared.

In short, it looks to me like something we did in the last little while finally cleaned the infection permanently.

What do you think?
  #38  
Old 10-13-12, 15:39
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by TriBeCa99 View Post
However, I also happen to have noticed that I have seen no sign of the virus (no alerts from SEP) in over a week of continuous uptime. That hasn't happened since the infection appeared.
Were any other PCs on the network removed from the network or shutdown during this time? Or did any other PCs recently go thru a malware cleaning/scanning process .... even if automatic via an antivirus program?

Quote:
Originally Posted by TriBeCa99 View Post
In short, it looks to me like something we did in the last little while finally cleaned the infection permanently.

What do you think?
I would not think so since you still had the problem after previous fixes and you did not run the most recent one.
  #39  
Old 10-15-12, 14:47
TriBeCa99 TriBeCa99 is offline
Default Re: Trojan.Gen.2 will not go away

My work network has probably roughly 1,000 PCs on it, so I can't really answer your first question.

Couldn't Windows Repair or ESET have fixed it? Unfortunately I don't remember exactly but I think the last time I saw SEP report an infection was around the time I ran those.
  #40  
Old 10-16-12, 00:02
chaslang chaslang is offline
Default Re: Trojan.Gen.2 will not go away

Quote:
Originally Posted by TriBeCa99 View Post
Couldn't Windows Repair or ESET have fixed it?
I cannot really say for sure without having seen a log but we were not able to get one. Is it possible.... yes.




If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
    • Copy and paste the below into the Run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  6. Go to add/remove programs and uninstall HijackThis.
  7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
    related to MGtools and some other items from our cleaning procedures.
  8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME
      for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  9. After doing the above, you should work thru the below link:
All times are GMT -5.