Fake Java Update Malware--Ambiguous Path Exploit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mobius21, Aug 7, 2009.

  1. mobius21

    mobius21 Private E-2

    Hi,

    I have a PC issue that I think is related to installing a fake java update. The malware produces two effects:

    1) The following error message appears in my Webroot Spy Sweeper log upon boot up:

    8/7/2009 1:00:09 PM: Warning: Unable to secure run key from ambiguous path exploit for HKLM\Software\Microsoft\Windows\CurrentVersion\Run\23C3F5C0. Parse Failure

    Google sources provided information that it means a rootkit-masked registry is in use, and that it has the potential for introducing additional malware into a computer system. In addition, a Google search links the error message in the Webroot log as being related to a fake Java update and problems with Spy Sweeper.

    2) A small image appears for a couple of seconds, saying “Information” and "Please wait a moment…” (Please see attached).

    I have uninstalled all but the basic Java. What remains are;

    Java 2 Runtime Environment, SE v1.4.2_19 and
    Java™ 6 Update 14.

    Then I downloaded and ran Malwarebytes’ Anti-Malware. It found nothing. I also got an updated version of HijackThis but have not run it yet.

    I’m concerned there might be some kind of keylogger or screen capture setup. How can I get rid of this? Any help would be appreciated. :cool
     

    Attached Files:
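    The Webroot warning quoted in the post above refers to an "ambiguous path" on a Run-key value. As an added example (not code from the thread, from Webroot or from MajorGeeks), the script below models the risk under the assumption that the message means the documented CreateProcess behaviour: when a command line in the Run key is unquoted and the path contains spaces, Windows tries `C:\Program.exe`, then `C:\Program Files\Vendor.exe`, and so on, running the first file that exists, so a file planted at one of the earlier candidates would run at every logon instead of the intended program. The sample Run entries, their value names and the `read_run_key`, `hijack_positions` and `quote_command` helper names are all constructed for this example; only the `winreg` calls are real Windows APIs, and they are only used when the script runs on Windows.

```python
"""Audit Run-key commands for the unquoted-path ambiguity (added example).

Not code from the thread or from Webroot. Assumes the "ambiguous path exploit"
warning refers to the CreateProcess rule for unquoted command lines with spaces.
The sample entries are constructed, not taken from the poster's logs.
"""
import sys

EXE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr")

# Constructed sample of HKLM\...\Run values, in the form the registry stores them.
SAMPLE_RUN_ENTRIES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "SunJavaUpdateSched": r'"C:\Program Files\Java\jre6\bin\jusched.exe"',
    "VendorTray": r"C:\Program Files\Vendor Tools\tray.exe /minimized",
    "ExampleEntry": r"C:\Documents and Settings\All Users\Application Data\svc.exe",
}


def candidate_executables(command: str) -> list[str]:
    """Paths Windows would try, in order, before running COMMAND.

    A quoted command yields exactly one candidate. An unquoted one yields one
    candidate per space-delimited prefix, with ".exe" appended when the prefix
    has no executable extension; generation stops at the first prefix that does
    end in an executable extension, which is taken as the intended program.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return [command[1:] if end == -1 else command[1:end]]
    tokens = command.split(" ")
    if "\\" not in tokens[0]:
        # Bare program name (e.g. rundll32 ...): resolved through PATH, so the
        # first token is the program. Approximation, good enough for an audit.
        first = tokens[0]
        return [first if first.lower().endswith(EXE_EXTENSIONS) else first + ".exe"]
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXE_EXTENSIONS):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_positions(command: str) -> list[str]:
    """Every candidate that would be tried *before* the intended executable."""
    return candidate_executables(command)[:-1]


def quote_command(command: str) -> str:
    """Hardened form: quote the executable path so only one candidate remains."""
    command = command.strip()
    exe = candidate_executables(command)[-1]
    if command.startswith('"') or " " not in exe:
        return command
    return f'"{exe}"' + command[len(exe):]


def audit_run_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map each risky value name to the paths a planted file could occupy."""
    return {name: hijack_positions(cmd) for name, cmd in entries.items()
            if hijack_positions(cmd)}


def read_run_key() -> dict[str, str]:
    """Read the live HKLM Run key (Windows only; returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries[name] = str(data)
            i += 1
    return entries


if __name__ == "__main__":
    entries = read_run_key() or SAMPLE_RUN_ENTRIES
    for name, positions in audit_run_entries(entries).items():
        print(f"{name}: unquoted path, {len(positions)} other file(s) tried first")
        for p in positions:
            print("   ", p)
        print("    fix ->", quote_command(entries[name]))
```

    On the sample data the audit flags `VendorTray` and `ExampleEntry` and prints the quoted form that removes the ambiguity; on a Windows machine it reads the real Run key instead. A value that is flagged is not necessarily malicious, since plenty of legitimate installers write unquoted paths; the point is that the entry is hijackable and should be quoted.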

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.
    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. mobius21

    mobius21 Private E-2

    Hello Again,

    After running all the malware scans the PC now runs faster. However, one of the two issues I reported on earlier remains.

    The error messages in Webroot Spy Sweeper's log files no longer report that they cannot stop an ambiguous path exploit, nor do they show additional error messages about every action I take on the computer.

    The second issue had to do with an image that appeared briefly on the screen stating, "Information, Please Wait." This message is then followed by a popup from Spy Sweeper, asking if I want to report an error to Webroot. This image appeared twice: once when I was editing the scanning schedule for Spy Sweeper and again shortly after I exited Spy Sweeper. In fact, it popped up when I hit Finish and every time I hit the Back button.

    I am attaching two files concerning the results: 1) a screen shot of the image, and 2) Spy Sweeper's new log files (note: no error messages listed).

    I will post log files for the scans as a separate post.


    I am attaching a screen shot o
     

    Attached Files:

  4. mobius21

    mobius21 Private E-2

    NOTES:

    Ran SUPERAntiSpyware. Threats found: Adware.Tracking Cookie, Malware.Installer-Pkg/Gen. All found on the C: drive. Threats removed and SASlog.txt completed successfully.

    Ran MalwareBytes. EE not removed as it is a registered product.

    Ran Combofix. I had to download and install the Microsoft Recovery Console. I deactivated Spy Sweeper and Norton Internet Security, including shields and firewall. Combofix seems to run from the location where it was downloaded so I had to crank up an external HD where I set it to continue the scan phase. While preparing the Log Report there was an error message: Windows-No Disk "Exception Processing Message C0000013 Parameter 756bf7c 4 75b6bf7c 75b6bf7c" I hit Continue 3 times and got past the error message. Note this error message might be related to the fact that I had not completely disabled Norton Internet Security 2009 virus shield and Firewall (the trick is to right-click on the Norton Internet Security icon).

    Ran RootRepeal. No comments.

    (Continued)
     

    Attached Files:

  5. mobius21

    mobius21 Private E-2

    Ran MG Tools. I proceeded to Completely disable Norton Internet Security 2009 by:

    Right-Click on Icon and selecting:
    Disable Smart Firewall, and
    Disable Antivirus Auto-Protect

    MG Tools ran without any error messages.

    ___________________________________________________

    One final thought. I am still getting the following:

    Spy Sweeper's Internet Communication Shield has blocked access to a potentially threatening Web site: 77.41.6.48
    This site is on a list of sites known to be related to spyware.

    TIA
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log from MGtools is too incomplete to be of any use to us. You need to make sure all of the protection software (that includes Norton and Spy Sweeper) is disabled and then do the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). DO NOT close the command prompt window that opens until it tells you that it is finished.

    Then attach the new C:\MGlogs.zip file

    All of your issues may not be due to malware, but I do see some items requiring removal in the RootRepeal log (two questionable drivers: qwbyunh.sys and sprs.sys). I need the complete MGlogs.zip file to continue. Also I noticed AskToolbar which we suggest that you uninstall.

    Your problems with WebRoot's software should be discussed with Webroot. What I would say is to uninstall it. You probably should not be running it with Norton anyway since you have Norton's full security suite. They will conflict with each other and will slow your PC down tremendously.
     
    Last edited: Aug 17, 2009
  7. mobius21

    mobius21 Private E-2

    Great chaslang :),

    I am attaching an update of the MGlogs.zip file. I hadn't read and followed the instructions exactly. I had run MGtools.exe from an external hard drive. So I copied the same file to the root, C:\ drive and ran it again.

    I had sent a ticket to Webroot about these issues but all I got back was a machine-generated email suggesting a couple types of infection to look into further (including Conficker).

    Also, I would never dream of using two different anti-virus programs--especially not with Norton. Norton Internet Security does have an anti-virus component built-in, along with its anti-virus and stuff. So I do have two Spyware trackers, both having shields plus scanning. But my experience has been that no one anti-spyware tool catches them all (from the days when I was using Spybot and Adaware), so I have preferred having two anti-spyware programs. And I think each product has been getting more capable over the years. But if I even suspect a conflict I think your advice to discontinue Webroot's Spy Sweeper makes sense.

    Anyway, my system does not seem to be acting buggy, for what that's worth.

    Please see attached.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not recommended for the same reasons as with antivirus programs.



    Uninstall the software:
    Ask.com Toolbar
    Java(TM) 6 Update 14

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. mobius21

    mobius21 Private E-2

    Hello again chaslang,

    I uninstalled Ask.com & Java 6 Update 14, and then disabled both Norton and Webroot temporarily.

    I ran C:\Mgtools\analyse.exe by: double click, Run. No codes or buttons displayed. I checked Mglogs.zip and found:

    O9 - Extra button (no name)… listed under hijackthis.lo

    I ran HijackThis, checked the above file, selected fix, and then exited.

    I completed ComboFix run with message that it had expired and would scan with reduced functionality.

    Spy Sweeper reactivated so I shut it down again. Msg: Windows-No Disk, Exception Processing Message C00000013, Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c 75b6bf7c

    I Downloaded JRE update 16 from MajorGeeks. Upon install: “Java Setup Error 25099. Unzipping core files failed.” And “Install Failed.” The Java site help page informed: jqs.exe is running and has not terminated…

    I tried both fixes. Neither one worked. First, I checked the listings in the Services tab of the Task Mgr. to see if I could stop a running jqs.exe file, but it was not listed. Then I did Run, cmd, “net stop Java Quick Starter.” Reply: NET STOP service.

    Then I changed part of the install directory from: C:\Program Files\Java\JR6 to \JR6b and tried again. This time it worked. Webroot’s Spy Sweeper informed it was installing BHOs and other related files. I allowed the following:

    jp2ssv.dll
    ssv.dll
    jqs.exe

    The PC runs faster now, particularly Windows XP and I.E. Also, there is no more icon popping up to announce: “Information…please wait.” Also there are no strange messages in SpySweeper logs.

    Please see attached: 1) ComboFix.txt, and 2) Mglogs.zip
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In my fix was the below line:
    You will now need to redo the fix after downloading the current version of ComboFix. Start with the point of running ComboFix and work all the way thru to the end including attaching new logs. If the installation of the new Java still fails, just skip it.
     
  11. mobius21

    mobius21 Private E-2

    OK, I'm back. First my dial tone and DSL landline died and I got the telephone guy to come out and fix it. Within hours a surge protector between the phone jack and modem somehow managed to get fried. So I ran a twisted pair wire going to the DSL modem through the surge protector in my UPS.

    Also, I got another BSOD caused by the file nv4_disp. It has to do with my graphics card, an Nvidia GeForce 9400 GT. This BSOD had been happening before I started malware cleaning my machine. It was a memory timing problem. So I went to the NVIDIA forum and downloaded and installed the patch: nv4loopfix.zip. Works OK now; no more BSODs.

    Then I downloaded and installed the latest version of ComboFix and ran the sequence outlined in my last post with no error messages. I then uninstalled all Java software, including JRE6 update 14, deleted the folder for JRE6 under Program Files, and installed JRE6 update 16 with no error messages. Java works fine now.

    Thanks again for your help on this project.

    I am attaching updated files for: 1) ComboFix.txt, and 2) mglogs.zip
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. mobius21

    mobius21 Private E-2

    Hello again Chaslang,

    Great work you’re doing here.

    I still have an issue with redirects. When I upgraded my video card to the NVIDIA GeForce 9400 GT and installed the drivers from a CD, I still was unable to play DVD movies in the normal format or to use Daemon Tools Lite to mount and play an ISO image. I am still getting BSODs for that particular application. The author of the patch I got from an NVIDIA forum described it as a beta version and suggested alternative system settings instead of the patch.

    None of this has much to do with malware, except that I downloaded and installed an Active X app from the NVIDIA website about the time the browser redirects began. The purpose of the app was to check and see if I had the latest driver for my video card and there could be some connection between these two events.

    I have Google Desktop, but the homepage is not affected. Noting the primary redirect as “ad.doubleclick.net” I downloaded HostsXpert from MajorGeeks. First I backed up the Hosts file and cleared the cache for the DNSClient Service. Then I downloaded and installed the mvps file. I note an entry for 127.0.0.1 ad.doubleclick.net among hundreds of others. That didn’t fix anything. More work is needed.

    Here is the message I consistently get several seconds after viewing the Amazon.com website:

    Sorry, we couldn't find http://..........ad.doubleclick.net...5;s=92;s=32;s=270;s=152;s=150;s=m1;z=1;tile=3. Here are some related websites:

    Any ideas?
     
    Last edited by a moderator: Sep 11, 2009
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not having malware problems. You are just blocking the advertisements and software your PC manufacturer (probably Dell) installed is causing the problem. Uninstall "URL Assistant" and let me know what happens after a reboot.
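    The two posts above (the MVPS hosts-file entry for ad.doubleclick.net in mobius21's post, and chaslang's explanation that the "Sorry, we couldn't find" page comes from the manufacturer's URL Assistant rather than from malware) describe how a blocking hosts file interacts with the browser. As an added example that is not code from the thread, from HostsXpert or from the MVPS project, the script below parses a constructed hosts-file fragment the way the resolver does (comments stripped, first mapping for a name wins, names compared case-insensitively) and classifies a lookup as black-holed, pinned to a real address, or left to DNS. A name mapped to 127.0.0.1 is answered from the file before DNS is asked, so the ad request fails at the connection to the local machine; a search-assist add-on reacting to that failure is what produces the "couldn't find" page. The fragment, the `.example` names and the helper names are constructed for this example.

```python
"""Hosts-file lookup model (added example, not from the thread or from HostsXpert).

The fragment below is constructed in the style of a blocking hosts file; it is
not the real MVPS file.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed fragment in the style of a blocking hosts file
127.0.0.1       localhost
127.0.0.1  ad.doubleclick.net
0.0.0.0    tracker.example   # trailing comments are allowed
127.0.0.1  AD.DOUBLECLICK.NET      # duplicate, differs only in case
192.0.2.10 intranet.example www.intranet.example
not-an-ip  garbage.example
"""

# Addresses a blocking hosts file uses to send a name nowhere.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> dict[str, str]:
    """Return {hostname (lower-case): address}.

    The first mapping for a name wins, so duplicates later in the file (which the
    MVPS file is full of after repeated updates) change nothing."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # skip malformed lines
        for name in fields[1:]:               # one line may list several names
            table.setdefault(name.lower(), address)
    return table


def classify(host: str, table: dict[str, str]) -> str:
    """'blocked' (black-holed locally), 'pinned' (hosts file overrides DNS with a
    real address) or 'dns' (not in the file, so the resolver asks DNS)."""
    address = table.get(host.lower())
    if address is None:
        return "dns"
    return "blocked" if address in BLACKHOLE else "pinned"


def blocked_hosts(table: dict[str, str]) -> list[str]:
    """Names the file black-holes, ignoring localhost, which legitimately maps there."""
    return sorted(name for name, address in table.items()
                  if address in BLACKHOLE and name != "localhost")


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ad.doubleclick.net", "www.amazon.com", "intranet.example"):
        print(f"{host:24} -> {classify(host, table)}")
    print("black-holed names:", blocked_hosts(table))
```

    Running it on the real file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows) instead of `SAMPLE_HOSTS` lists every name the file black-holes, which is a quick way to confirm that a broken page element is a deliberate block rather than a redirect; an entry that points a name at some other real address ('pinned') is the case worth investigating, since that is how a hosts file is abused.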
     
  15. mobius21

    mobius21 Private E-2

    Yep, that worked. So I completed the final tasks and backed up my System Drive twice--once using Norton Ghost 12.0 and again using Acronis True Image Home 11.0.

    My computer works fine now. :) :drink
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent! ;)
     
