Log files

Discussion in 'Malware Help (A Specialist Will Reply)' started by BigBrother70, Oct 14, 2010.

  1. BigBrother70

    BigBrother70 Private E-2

    Hey all. The past few times I've posted on here, the infection has been pretty blatant- the type that really overtakes your machine and leaves nothing to subtlety :).

    Well, this time it was a lot smaller and might have even been eliminated before I even started the usual removal process. Please read these notes below before checking out the logs, they're important!

    Here's what happened- my AntiVir auto monitor popped up that it had found malware:

    "Virus or unwanted program 'TR/Rootkit.Gen3 [trojan]'
    detected in file 'C:\System Volume Information\_restore{2CDD6290-3AC2-4A34-8524-4D9087F2F507}\RP279\A0026304.sys.
    Action performed: Deny access"

    I let it clean it, and then ran MBAM and SAS just to be sure. SAS found nothing and MBAM found one thing:

    "Files Infected:
    C:\Documents and Settings\Tom\Local Settings\temp\806.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully."

    But AntiVir found a few more things while MBAM was running:

    "Virus or unwanted program 'TR/Dldr.Code.LK.18 [trojan]'
    detected in file 'C:\Documents and Settings\Tom\Local Settings\temp\806.tmp.
    Action performed: Deny access"

    "Virus or unwanted program 'EXP/JS.Pdfka.cus.2 [exploit]'
    detected in file 'C:\Documents and Settings\Tom\Local Settings\temp\plugtmp-8\plugin-wzav.pdf.
    Action performed: Deny access"

    "The file 'C:\Documents and Settings\Tom\Local Settings\temp\jar_cache2568285989766487648.tmp'
    contained a virus or unwanted program 'JAVA/OpenStream.B' [virus]"

    and I had it clean those as well.

    Anyway, since then, scans came up clean, but having done this whole rigmarole before for serious infections, I wanted to be extra cautious and run the whole slew of tests.

    So, attached are my resultant logs. There were a few hiccups/oddities along the way:

    1. During ComboFix, I got an Application Error for a program called "PEV.exe"

    2. RootRepeal didn't manage to finish all the way- it hit this: "Error Reading Boot Sector". Note, however, that I had had disk damage recently and I've been having all sorts of minor problems with programs accessing certain parts of disk.

    3. During MGTools, I got the error you'll see in the attached "JIT error.png". Interestingly, this is the exact same error I've been getting for the past few weeks every time I boot up the computer- make of it what you will :)

    Well, that's about it. Logs are attached, and I want to thank you sincerely in advance as you've been enormously helpful before and I'm sure will be again! Oh, and just so you know, there was no illegal downloading or adult content browsing that brought this on. I have no shame here and would have told you if so- it's not stuff that I browse!

    Thanks!
     

    Attached Files:
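The alerts quoted above come in three different wordings (two from Avira AntiVir, one from Malwarebytes), and the same file, 806.tmp, is flagged by both products under different names. The script below is an added example, not part of the thread and not code from either vendor: it parses those alert formats into one structure, then applies two checks that matter for the clean-up steps later in this thread, namely whether a hit sits in a System Restore point (which a scanner cannot clean in place) and whether it sits in the user's temp directory. The sample text is constructed from the alerts quoted in this post; the regular expressions match only the wording shown there and are my own.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Alert:
    engine: str     # which product raised it: "Avira" or "MBAM"
    name: str       # detection name, e.g. TR/Rootkit.Gen3
    category: str   # trojan / exploit / virus, or "" when the product did not say
    path: str       # full path of the flagged file
    action: str     # what the product did, or "" when not stated


# Avira on-access wording: "Virus or unwanted program '<name> [<cat>]'
# detected in file '<path>.  Action performed: <action>" (my regex, not Avira's format spec)
AVIRA_DETECTED = re.compile(
    r"Virus or unwanted program '(?P<name>[^'\[]+?)(?: \[(?P<cat>\w+)\])?'\s*"
    r"detected in file '(?P<path>[^\n]+?)\.?\n"
    r"\s*Action performed: (?P<action>[^\n]+)")

# Avira scan wording: "The file '<path>' contained a virus or unwanted program '<name>' [<cat>]"
AVIRA_CONTAINED = re.compile(
    r"The file '(?P<path>[^'\n]+)'\s*"
    r"contained a virus or unwanted program '(?P<name>[^']+)' \[(?P<cat>\w+)\]")

# Malwarebytes wording: "<path> (<name>) -> <action>."
MBAM_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\n]+?) \((?P<name>[^)]+)\) -> (?P<action>[^\n]+?)\.?$",
    re.MULTILINE)

# Constructed sample input: the alerts quoted in the post above, pasted together.
SAMPLE_TEXT = r"""
Virus or unwanted program 'TR/Rootkit.Gen3 [trojan]'
detected in file 'C:\System Volume Information\_restore{2CDD6290-3AC2-4A34-8524-4D9087F2F507}\RP279\A0026304.sys.
Action performed: Deny access

Files Infected:
C:\Documents and Settings\Tom\Local Settings\temp\806.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

Virus or unwanted program 'TR/Dldr.Code.LK.18 [trojan]'
detected in file 'C:\Documents and Settings\Tom\Local Settings\temp\806.tmp.
Action performed: Deny access

Virus or unwanted program 'EXP/JS.Pdfka.cus.2 [exploit]'
detected in file 'C:\Documents and Settings\Tom\Local Settings\temp\plugtmp-8\plugin-wzav.pdf.
Action performed: Deny access

The file 'C:\Documents and Settings\Tom\Local Settings\temp\jar_cache2568285989766487648.tmp'
contained a virus or unwanted program 'JAVA/OpenStream.B' [virus]
"""


def parse_alerts(text: str) -> List[Alert]:
    """Extract every alert the three patterns recognise, in order of appearance."""
    found = []
    for m in AVIRA_DETECTED.finditer(text):
        found.append((m.start(), Alert("Avira", m["name"], m["cat"] or "", m["path"], m["action"].strip())))
    for m in AVIRA_CONTAINED.finditer(text):
        found.append((m.start(), Alert("Avira", m["name"], m["cat"], m["path"], "")))
    for m in MBAM_LINE.finditer(text):
        found.append((m.start(), Alert("MBAM", m["name"], "", m["path"], m["action"])))
    found.sort(key=lambda pair: pair[0])
    return [alert for _, alert in found]


def in_restore_point(path: str) -> bool:
    """True for files inside a System Restore snapshot (System Volume Information\\_restore...)."""
    return "\\system volume information\\_restore" in path.lower()


def in_user_temp(path: str) -> bool:
    """True for files under the XP-style per-user temp directory."""
    return "\\local settings\\temp\\" in path.lower()


def multi_engine_paths(alerts: List[Alert]) -> List[str]:
    """Lower-cased paths that more than one product flagged (case-insensitive on Windows)."""
    engines_by_path = {}
    for a in alerts:
        engines_by_path.setdefault(a.path.lower(), set()).add(a.engine)
    return [p for p, engines in engines_by_path.items() if len(engines) > 1]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_TEXT)
    for a in alerts:
        tags = []
        if in_restore_point(a.path):
            tags.append("restore point")
        if in_user_temp(a.path):
            tags.append("user temp")
        print(f"{a.engine:5} {a.name:22} {a.category or '-':8} {a.action or '-':40} {', '.join(tags)}")
    print("flagged by more than one engine:", multi_engine_paths(alerts))
```

Run as-is it prints one line per alert plus the single path both products hit. The restore-point check is why the final steps in this thread include flushing restore points: a detection there means the infected driver was captured in a snapshot, and the only clean-up is to discard the snapshots.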

  2. BigBrother70

    BigBrother70 Private E-2

    The other files...
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    WinSCP 4.2.3 beta <--- Uninstall this only if you did not intentionally install it yourself.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Documents and Settings\Tom\Local Settings\Application Data\765611~1 
    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Boot Camp\bootcamp .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    File::
    c:\windows\system32\SET27.tmp
    c:\windows\system32\SET2D.tmp
    c:\windows\system32\SET33.tmp
    c:\windows\system32\SET32.tmp
    c:\windows\system32\SET2C.tmp
    c:\windows\system32\SET28.tmp
    c:\windows\system32\SET34.tmp
    C:\Documents and Settings\Tom\Local Settings\temp\jna58254.tmp
    C:\Documents and Settings\Tom\Local Settings\temp\temp0.jar
    Folder::
    c:\windows\DEA314C409294250BC9298E4C105F28D.TMP
    Driver::
    uyvbu
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Java(TM) 6 Update 21 <--- Uninstall this

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running for you now. :) Don't forget to attach the new SAS log.
     
  4. BigBrother70

    BigBrother70 Private E-2

    Thanks Kestrel. Here goes:

    1. ComboFix oddly gave me a warning the first time I ran that this was not a 2000 or XP machine. Did a screencap and am attaching it here.

    2. ComboFix was stalling a lot on its update download- several times until it worked. Same for the Windows Recovery Console download. So I'm not sure if it carried out what it was supposed to via CFScript.txt, even though I did launch each time by dragging the text file onto it. But I'm sure the logs will tell all :)

    3. I had never before noticed ComboFix needing to upload something when it was done. This time, it told me to connect to the internet (my wireless was off at the time) so it could upload some piece of data for malware inspection. It failed its upload and saved it for me in C:\. Let me know if you need it.

    4. Thanks for the Java updating- your guys' instructions, btw, list Update 21 as the latest- this one is 22. Just thought you should know.

    Attached is everything you requested.

    Thanks so much!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No they don't. The instructions stated the below
    Which was correct at that time (last edited by chaslang; 07-19-10 at 16:13. Reason: Link to test version) and which is why it is worded this way. We don't really want to keep changing the instructions every day. ;)
     
  6. BigBrother70

    BigBrother70 Private E-2

    Hey Kestrel - I know general rules are only to reply once you get a chance to respond to my last post, but something relevant happened I thought you should know about. I visited a very innocuous site yesterday that I normally visit every day, and wouldn't you know it, it just so happens that it's been compromised during the time I'm trying to get everything fixed :). (The site, in case you care, is www.snipershide.com, though I would NOT advise visiting now!!)

    Anyway, the moment I visited it, the machine started working way too hard and popups were getting blocked. Avira reported the following:

    "The file 'C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\gid1qvp5.default\Cache\_CACHE_002_'
    contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '4e511ab5.qua'."

    (I moved to quarantine and deleted.)

    I then ran both SAS and Avira full scan and neither came up with anything.

    Hate to throw this type of thing in the mix midst-cleanup, but, as I said, it was totally unexpected and a site that's never been problematic before!

    Thanks.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No that's fine.

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\SET2E.tmp
    C:\Documents and Settings\Tom\Application Data\mmrpzlic.dat
    C:\Documents and Settings\Tom\Local Settings\temp\jna6579.tmp
    C:\Documents and Settings\Tom\Local Settings\temp\temp0.jar
    C:\Documents and Settings\Tom\Local Settings\temp\~pst5138.tmp
    RenV::
    c:\program files\iTunes\ituneshelper .exe
    Folder::
    c:\documents and settings\Tom\Local Settings\Application Data\765611~1
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know how the machine is running now.
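Both ComboFix scripts in this thread (the one in this reply and the one in the earlier reply) use the same CFScript layout: a directive name followed by `::`, then one entry per line until the next directive. The script below is an added example, not ComboFix's own code and not something posted in the thread: it parses such a script into its directives and runs a few sanity checks a helper might want before dragging the file onto ComboFix. The reading of RenV:: entries such as `reader_sl .exe` as files restored by removing the space before the extension is my assumption, as is the expectation that Driver:: entries are bare service names; the sample script is the first one posted in this thread, embedded as constructed input.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the first CFScript posted in this thread, reproduced as sample data.
SAMPLE_SCRIPT = r"""KILLALL::

DirLook::
C:\Documents and Settings\Tom\Local Settings\Application Data\765611~1 
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Boot Camp\bootcamp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
File::
c:\windows\system32\SET27.tmp
c:\windows\system32\SET2D.tmp
c:\windows\system32\SET33.tmp
c:\windows\system32\SET32.tmp
c:\windows\system32\SET2C.tmp
c:\windows\system32\SET28.tmp
c:\windows\system32\SET34.tmp
C:\Documents and Settings\Tom\Local Settings\temp\jna58254.tmp
C:\Documents and Settings\Tom\Local Settings\temp\temp0.jar
Folder::
c:\windows\DEA314C409294250BC9298E4C105F28D.TMP
Driver::
uyvbu
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")       # "File::", "KILLALL::", ...
ABS_PATH = re.compile(r"^[A-Za-z]:\\")               # drive-letter path
RENV_SPACE = re.compile(r"\s+(\.[A-Za-z0-9]+)$")      # "name .exe" -> the space before the extension


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [entries]}, directives in order of appearance."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()                 # trailing spaces (as in the DirLook line) are noise
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return sections


def renv_targets(entries: List[str]) -> List[Tuple[str, str]]:
    """(as listed, restored name) pairs, assuming RenV removes the space before the extension."""
    return [(e, RENV_SPACE.sub(r"\1", e)) for e in entries]


def sanity_check(sections: Dict[str, List[str]]) -> List[str]:
    """Problems a human should look at before running the script (my own checks, not ComboFix's)."""
    problems = []
    for directive in ("File", "Folder", "DirLook"):
        for e in sections.get(directive, []):
            if not ABS_PATH.match(e):
                problems.append(f"{directive}: not an absolute path: {e}")
    for e in sections.get("RenV", []):
        if not RENV_SPACE.search(e):
            problems.append(f"RenV: no space before the extension, nothing to rename: {e}")
    for e in sections.get("Driver", []):
        if "\\" in e or "." in e:
            problems.append(f"Driver: expected a bare service name, got: {e}")
    return problems


if __name__ == "__main__":
    sections = parse_cfscript(SAMPLE_SCRIPT)
    for directive, entries in sections.items():
        print(f"{directive}:: {len(entries)} entr{'y' if len(entries) == 1 else 'ies'}")
    for listed, restored in renv_targets(sections.get("RenV", [])):
        print(f"  rename {listed!r} -> {restored!r}")
    print("problems:", sanity_check(sections) or "none")
```

On the sample it reports six directives, nine File:: entries, the three RenV:: renames with the space removed, and no problems; feed it a script with a relative path or a RenV:: entry that has no space and `sanity_check` names the offending line.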
     
  8. BigBrother70

    BigBrother70 Private E-2

    Hey Kestrel, thanks.

    Ok, minor issues:

    1. ComboFix, on first run, hung for over 45 mins at the "takes about 10 mins" step. So I rebooted and ran again- no problems.

    2. During writing of the log, I got the error I got a while back for some program called PEV.exe - Application Error and some memory addresses. No idea if it was related or just part of the bootup process. In any case, ComboFix finished and I have the log here. MGTools ran without a problem.

    I did have another question for you though. During these various infections, I've really gotten paranoid about key logging. As I'm not nearly as knowledgeable as you folks, I wanted to get your opinion on the issue- are keyloggers still a major part of the arsenal in these malware attacks? Should I buy a new machine and reset all my vital passwords? (Kinda thinking I should...) Or am I being overly paranoid? I haven't seen any indicators yet of intrusion, but do I really want to wait for that? Anyway, not sure here, and as said, you guys know this field best. Thoughts?

    Thanks so much, and logs attached.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No signs of keyloggers from what I can see, you had a bit of Vundo that's all.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  10. BigBrother70

    BigBrother70 Private E-2

    Thank you Kestrel- amazing as always. I really appreciate the help.

    One minor point - My system restore was already off when I went to check, so I simply turned it back on. Assume that's ok.

    I'm awfully tempted now to go through with every step you recommend in keeping oneself clean, including purchasing the full version of SAS and the other steps:

    * Spybot - installed as recommended using SDhelper and Immunize
    * SpywareBlaster with all protection enabled.

    My question is, in this case, would such tools have protected me? (you can probably still go check out www.snipershide.com to see the culprit if you have a safe enough machine and don't mind risking it)

    Thanks again,
    BB
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. :)

    Yes, no worries.
    Nothing is 100%, but sure... they could have prevented something or alerted you to odd behaviour.

    Think I'll steer clear of it until I have done my latest back up :-D

    No problem ;)
     
  12. BigBrother70

    BigBrother70 Private E-2

    Heh, thanks.

    Three follow up questions:

    1. In going over the suggested steps to protect myself, I was a little unclear, in your suggested step for one active blocker, how Avira and SAS would be considered- Avira is always on by default now, but I would *GLADLY* go buy a full version of SAS for realtime blocking. Are these both considered the same category for the purpose of that step? Should I have both protecting in realtime, or just one?

    2. After installation, is there a way to tell with Spybot if SDhelper is enabled? I couldn't seem to find it if so, and though I set it at installation, it's one of those things I like to check.

    3. Does Major Geeks accept donations? I don't quite have the means yet but would like to donate in the future. And is there a way to call you out specifically for your help? You've assisted me on more than one occasion and I know "thank you"s don't exactly buy bread :).
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, alongside your antivirus you could use a real time blocking antispyware app such as MalwareBytes or SUPERantispyware if you purchase one of them (don't purchase both). I personally only use the free versions of both SAS and MBAM, which do NOT provide real time protection.

    To enable "SDHelper"

    • Go into Spybot > Mode > Advanced Mode > Tools > Resident.
    • check (if checked) the following:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Exit and restart all Windows Explorer and Internet Explorer sessions.

    At the end of all my posts is a blue link entitled "support MajorGeeks" where you can go take a look at various geekwear and purchase if you so desire, which helps the site. :)
    That's flattering that you would like to call me out for help if ever you need it in future, but hopefully you will not be getting infected again! :) If you do, the way it works here is that we answer posts on an oldest to newest basis, and so we get through the work queue in the correct order. For example if you posted tomorrow night for help, and aimed the post at me, I would have to ignore it and answer older threads first. So if ever you need the site in future, it may not be me who assists you, but all of the malware fighters here are amazing people, so either way you are always in good hands whoever takes your thread on. :)
     
  14. BigBrother70

    BigBrother70 Private E-2

    Oh I think you misunderstood- by call you out for your help, I meant (had you said you accept donations) indicate by name that Kestrel was particularly helpful and thus ensure you either get some part of it or get whatever other form of payment or thanks or compensation you guys use (hence "thanks alone" don't buy bread! :) )

    But, it sounds like that wouldn't be feasible. Well... 'least I tried! :)

    Also do you use realtime protection at all then?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh I see what you mean now! Yes, just show your support if you wish by purchasing some geekwear :cool

    I use avast free edition antivirus which offers real time protection. My Antispyware apps are the free versions of both SUPERantispyware and MalwareBytes though, and so do not offer real time protection. Then again, I don't do a whole lot of surfing to different sites, only file research etc; I usually have a tab open on google and one for Majorgeeks. I don't do an awful lot of downloading either. And I do not use software such as Limewire or BitTorrent.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just a note! ;) The free version of Avast Antivirus includes antispyware protection just like AVG and Avira. See: http://www.avast.com/free-antivirus-download
     
