Is this as serious as it sounds?

Discussion in 'Malware Help (A Specialist Will Reply)' started by rwallsten, Mar 29, 2010.

  1. rwallsten

    rwallsten Private E-2

    It all started a couple of weeks ago when AVG Free detected and dealt with a Trojan.

    I didn't think much more about it then, but last week I was encouraged by an open source enthusiast to try ClamWin anti-virus. ClamWin found and dealt with yet another Trojan, and my level of suspicion went up a notch.

    I had also installed ClamAV, was away from the computer for a couple of hours, and that's when the real trouble started.

    Upon my return, the ClamAV log reported that 2 threats had been detected - 2 instances of W32.Dropper had been installed - and that subsequently more than 8000 (!!!) 'known programs' had been installed. Among the 'known programs' were some ClamAV temp files, but also files with names such as tmp.exe, rd.exe, new_chrome.exe, and so on.

    ClamAV was for some reason disabled and didn't work anymore. And when using the Chrome browser I noticed changes of appearance, in both browser and display of webpages, that seemed suspicious, in particular as new_chrome.exe was one of the downloaded files.

    I uninstalled Chrome, tried some free scanners - of which SpyDoctor reports Rootkit.TDSS related to the soundcard equalizer drivers (uacflt.sys and uacb.dll) - before completing the clean-up as instructed on this forum.

    Logs attached and MGlogs in next post.

    So I wonder if this is as serious as it sounds? Is my computer infected beyond recovery, or is there a way to clean this up?

    I would be most grateful for assistance on this.

    Thanks,
    Robert
     


  2. rwallsten

    rwallsten Private E-2

    MG log.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have traces of AVG, Clam-win, and McAfee in your logs, but none of them are in your add/remove program list.

    You are running ComboFix from the wrong place. Please put it directly on your desktop, not here:
    Running from: c:\documents and settings\Robert Wallsten\My Documents\Downloads\ComboFix.exe

    Use windows explorer to find and then right click and choose properties and tell me if this is signed and what it may apply to ( also give me the full name of it):
    Code:
    C:\WINDOWS\system32\a2e87~1       21 Mar 2010          36  "?ƒ
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
    
    Folder::
    c:\documents and settings\Robert Wallsten\.matplotlib
    c:\documents and settings\Robert Wallsten\_ipython
    c:\program files\Common Files\ParetoLogic
    c:\documents and settings\All Users\Application Data\ParetoLogic
    c:\documents and settings\Robert Wallsten\.idlerc
    c:\documents and settings\Robert Wallsten\.octave_hist
    C:\tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69A87B7D-DE56-4136-9655-716BA50C19C7}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
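An added example (not code from the thread or from ComboFix) that parses a CFScript like the one above into its sections and lists what it would delete, flagging per-user dotfolders such as .matplotlib and _ipython that are usually application settings rather than malware. The shortened sample script and the dotfolder heuristic are assumptions constructed for this example.

```python
"""Parse a ComboFix CFScript and report what it would remove (added example)."""
import re

# Constructed excerpt of the script posted above, with the same section headers.
SAMPLE_SCRIPT = r"""
KILLALL::

File::
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe

Folder::
c:\documents and settings\Robert Wallsten\.matplotlib
c:\documents and settings\Robert Wallsten\_ipython
c:\program files\Common Files\ParetoLogic
C:\tmp

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Heuristic (assumption): a folder directly under a real user's profile whose name
# starts with "." or "_" is usually a tool's settings directory, not malware.
PROFILE_DOTDIR_RE = re.compile(
    r"^c:\\documents and settings\\(?!all users)[^\\]+\\[._][^\\]+$", re.I)


def parse_cfscript(text):
    """Return {section: [entries]}; entries keep their order within a section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                       # e.g. "Folder::" opens a new section
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def suspicious_folder_entries(sections):
    """Folder:: entries that look like per-user application settings."""
    return [p for p in sections.get("Folder", []) if PROFILE_DOTDIR_RE.match(p)]


def registry_keys_deleted(sections):
    """Registry:: lines of the form [-KEY] delete KEY; return those keys."""
    return [ln[2:-1] for ln in sections.get("Registry", [])
            if ln.startswith("[-") and ln.endswith("]")]
```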
     
  4. rwallsten

    rwallsten Private E-2

    Tim,

    first of all, thank you very much for the rapid and professional response. The work done by you and the other contributors to MG fills me with the deepest respect and gratitude.

    The file in C:\WINDOWS\system32 that you ask for details about cannot be found.

    Please find the logs you asked for attached, produced exactly as instructed.

    Thank you again,

    Robert
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean, though I am still concerned about that one file.

    You couldn't find any file that could be this:
    C:\WINDOWS\system32\a2e87(~1) disregarding the ~1.

    With the creation date being 21 Mar 2010?
     
  6. rwallsten

    rwallsten Private E-2

    Thanks, that's good to hear. And, no, no trace of such a file. Could it be that the AV software I ran took care of it?

    Also, in view of the actions taken earlier, I'd like to ask if you found Ipython/Octave/Matplotlib to be problematic/infected or if the deletion of user settings was for other reasons?

    Again, many thanks.

    Robert
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Frankly, I missed seeing Python in your add/remove programs list and thought them to be leftovers. We can restore those files if necessary. Just don't do the following if you do. If not, go ahead with this:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  8. rwallsten

    rwallsten Private E-2

    Thanks Tim, no worries about the python files. I'll sort that out by myself.

    I take your message to mean that I have reason to believe that my pc is clean, and that brings great relief.

    My sincere thanks for your help.

    Robert
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome... safe surfing. :)
     
