worm-koobface alerts

Dangerous · Feb 21, 2010

Hi there,

Having a problem with my registered SpySweeper W/Antivirus giving file alerts for worm-koobface whenever I finish a web session and run CCleaner. This does not happen every time, but it happens often. The file it quaranines is always in C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\wgo54x7s.default\cache.

I do not social network at all, don't have a facebook account, and am careful about clicking on any suspicious links. I am also the only user on this computer.

This never shows up in a scan, only when CCleaner is run. (set at 7 passes) I have run several online scans with OneCare, Housecall, and Eset, and nothing shows up. I have also used RootkitRevealer, Gmer, RootRepeal, and Sophos Anti rootkit, and nothing out of the ordinary shows up.

I recently renewed my SS subscription, and just in case, I uninstalled it and redownloaded it again from Webroot's site. I'm wondering if this is just a false positive or if I truly do have a problem..

Just for good measure I have followed the READ & RUN instructions and the logs are attached, except SAS found nothing, therefore no log was generated. In the whole process nothing was unusual except a file deleted by Combofix, comctl.oca. Is this file a problem?

I hope that's enough information, and thanks in advance.

Kestrel13! · Feb 22, 2010

1. Before we continue I would like for you to ensure that MGTools.exe is indeed directly on your C Drive and not in any other location, such as the desktop where you have it.

2. I would like for you to use MSConfig to put this machine back into normal start up mode. Only then continue with the below.

and the logs are attached, except SAS found nothing, therefore no log was generated.
Click to expand...

The log is retrievable from this location and I would like for you to attach it anyway regardless of whether it found anything ot not.

C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 02-21-2010 - 13-27-14.log
Click to expand...

3. Do you have any idea what all the below are? I only pasted a few lines in, there are many of them:

c:\documents and settings\All Users\Application Data\MGS\cache\_\_crt_reddog.17e4bed26b7398ee9c45c72ed478a759.dll
2010-02-15 17:03 . 2010-02-15 17:03 73811 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\_\_crt_mhblackjack.031a97dbfc22ce8c3c008e321e750432.dll
2010-02-13 00:45 . 2010-02-13 00:45 24638 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\_\_crt_scratch.960d1fa68750fa010e573df52f42c947.dll
2010-02-13 00:45 . 2010-02-13 00:45 114822 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\_\_crt_progcyberstud.e038aa28085a77aa97b543eea1b2f3b9.dll
2010-02-13 00:45 . 2010-02-13 00:45 41013 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\_\_crt_cyberstud.1b8f431ce9dfe38861b98045dc7bc82c.dll
2010-02-13 00:41 . 2010-02-13 00:41 393216 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\f\flyingwitchbonus.178abae7811f3ce106a1068e2f8e83aa.dll
2010-02-13 00:41 . 2010-02-13 00:41 352256 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\spinningwandbonus.71b441eaf88d72b917384cc517583ca7.dll
Click to expand...

4. Please go to Add/Remove programs and uninstall the following software:

Spin Palace Casino

Club World Casinos

5. Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

File::
C:\WINDOWS\system32\QKYAVNU
c:\windows\winstart.bat

DirLook::
C:\MGS
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix. and SAS.

7.Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

8. Let me know if the threat is still being detected by SS.

Dangerous · Feb 22, 2010

Hi,

MGT has been moved to C:, sorry about that.
MSConfig set to normal, didn't realize that installing recovery console changed it.

MGS is Microgaming, a Casino I play at, never had a problem with it, but uninstalled it anyway via CP, although it leaves behind a lot of stuff that has to be done manually, which I didn't do, sorry. I have not been there since this started, so doubtful it is the cause.

Clubworld is also safe, but uninstalled per your request anyway.

QKYAVNU I believe is part of my Power shot Camera software, but ran the CF script as requested.

Ran the MGtools\GetLogs.bat file.

All requested logs attached.

Thanks

Dangerous · Feb 22, 2010

Forgot to add, I did get one error with CF for Process.dll not found, as I don't have framework installed.

Thanks

Kestrel13! · Feb 22, 2010

1. Reinstall your casino software then if you wish. WebOfTrust gave a bad report about it and I didn't know if it was the cause of your problems but I think as you say it's okay.

QKYAVNU I believe is part of my Power shot Camera software, but ran the CF script as requested.
Click to expand...

Not sure about that so let's restore the file and then I can take a look at it.

2. Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\QKYAVNU.vir
QUIT::
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

The DeQuarantine.txt will be in on the C: Drive. Please attach it.

3. Could you please get this: QKYAVNU into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following:

%systemdrive%\MGTools\zip "%systemdrive%\collect.zip" c:\windows\system32\QKYAVNU
Click to expand...

log retrievable @ C:\collect.zip. Please also attach this.

4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the other logs I requested.

5. Is spysweeper still detecting the problem?

Dangerous · Feb 22, 2010

The collect.zip file is too big to upload, other logs attached.

Kestrel13! · Feb 22, 2010

Well, all I can say is let's give it some time and see if Spysweeper still locates the threat. Then we can deal with it accordingly. Let me know.

Dangerous · Feb 22, 2010

Just to be on the safe side, I deleted QKYAVNU, if it is a required file I can always re-install the camera suite. Viewing it in notepad had several references to camera related software, but one never knows.

I ran CCleaner after deleting it, and got the alert again for a file in Mozilla cache, strange, as this is the only site visited since the last scans. :confused

If the logs were clean, I hope this is just a false positive, and as stated in the OP, I just renewed my SS subscription and updated to the newest version.

I might try opening a ticket with webroot and see what they have to say.

Kestrel13! · Feb 22, 2010

Viewing it in notepad had several references to camera related software, but one never knows.
Click to expand...

Then it sounds legit, only my reseach on the file turned up nothing, hence my desire to kill it.

I might try opening a ticket with webroot and see what they have to say
Click to expand...

Yes you could do this and in the meantime I will have a whisper in Chaslang's ear and see what he can tell us.

Dangerous · Feb 22, 2010

Then it sounds legit, only my reseach on the file turned up nothing, hence my desire to kill it.
Click to expand...

Understandable, a google search of the file name yielded nothing, and I'm always suspicious of files with random letters in the name also.

I did submit a ticket with webroot, will see what they say.

in the meantime I will have a whisper in Chaslang's ear and see what he can tell us.
Click to expand...

I appreciate the help thus far, I hope he can shed some light on this.

Dangerous · Feb 23, 2010

Hmmm.....

Interesting development, as I was reading through some of the posts here (it's always good to learn), I got an alert from SS file shield in the middle of browsing. Same thing, worm-koobface, quarantined from Firefox cache.

I tried a little experiment after that, browsed a few pages here and elsewhere then closed Firefox. Went to the cache file and performed a security sweep on it, and it came up clean. Then I ran CCleaner and got an alert, the quarantined file was from the Firefox cache. :confused

Kestrel13! · Feb 24, 2010

Try this:

Now let's flush the Java Cache

Click Start > Settings > Control Panel

Double click the Java icon (be patient, it may take a while to open)

Now click the General tab and under the Temporary Internet File area

Click the Settings button and then click the Delete Files... button.

In the next popup click OK.

If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.

Now let's flush the FireFox Cache
To flush your FireFox Cache:

click Tools

select Options

select Privacy

in the section labeled Private Data click Clear Now

Now let's flush the Internet Explorer Cache
To flush your Internet Explorer Cache:

click Tools

Internet Options

Now on the General tab and click Delete Files and select Delete all Offline content too

Click OK.

When it finishes Click OK.

How are things now?

Dangerous · Feb 24, 2010

Cleared Java cache (it was empty)
The button you described in Firefox does not exist, but I did clear the history and cookies.
Cleared IE cache (it was empty)

Interesting, I have seen the private data button there before, but it seems to be missing. There is a clear offline files button under advanced/network, and nothing listed in the exceptions file. I'm running Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6.

I did update Firefox not long ago, I wonder if I got a corrupted version, however I did uninstall CCleaner and Firefox and re-installed them two days ago with no change. I run CCleaner on a regular basis, and it clears all the cache automatically, Firefox, IE, and Java are all selected, in fact that is when this file alert pops up, when it deletes the Firefox cache.

Just a thought, I have CCleaner set to NSA (7 passes), perhaps this is being detected by SS as a behavioral issue, but doesn't explain the alert while browsing here the other day. Perhaps a query to Firefox and Piriform might be in order as well, and with your permission I will link this thread so I don't have to go over all this again.

I got a response from Webroot, they wanted me to do scans with SS, run bootlog, GMER, and WrLog and send them logs, which I did. Pretty much the same as your R&RMF. Still waiting for the reply.

Thanks for the help so far.

Dangerous · Feb 24, 2010

I attached this, but I guess it got lost in editing.

Kestrel13! · Feb 24, 2010

Run This:

Using ESET's Online Scanner

Click the <<Back button then click

Attach the ESETScan.txt to your next reply.

Dangerous · Feb 24, 2010

Haven't had time to run eset yet, it takes hours on my machine. :zzz

I did get a reply from Webroot that finally addresses my question to them.

Hello,
I'm sorry for any confusion with your ticket.
After examining all the information and logs you returned to us, I cannot locate any traces of an infection on your machine. I agree with you that your computer is clean.
It looks like there was a problem with one of the definitions we put out the last couple of days. I had another ticket today where someone said that a couple of .bin files in the temp folder alerted as worm-koobface, I noticed the same files in your temp folder. He said that after updating to the latest definitions that the alerts stopped.
Click to expand...

He then went on to explain how to update the program. I have it set to auto updates and get new definitions every day, so I doubt updating will help but I did run the updates anyways.

Will run Eset later today and post results. As referenced in OP, the last Eset scan was clean.

Thanks

Kestrel13! · Feb 24, 2010

Well, good to know, but I'll still hold off from giving you final steps for a little while. Let me know over the next day or so about how it's going. Thanks, Kes

Dangerous · Feb 24, 2010

Hi Kes,

Don't really need the final steps, already cleaned things up thanks.

I did manage to capture one of the files that SS was triggering on, if scanned with SS there is no threat found, delete no problem either, but when I ran CCleaner to empty the trash it triggered the alert.

Kinda confirms my suspicion that the problem lies with SS?

Attached the file in case you're interested, and will update when finished with Webroot.

Thanks for all the help.

Kestrel13! · Feb 24, 2010

You're welcome. Here are the final steps anyway.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /uninstall

Notes: The space between the combofix" and the /uninstall, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Surf safely! And yes, so let me know what the upshot of the webroot reply was.

Dangerous · Feb 28, 2010

Here is Webroots final reply:

Hi,
Since I only help customers clean infections from their systems and yours is clean, I can only give you a suggestion regarding this issue.
Please try shutting down Spy Sweeper and then running CCleaner to avoid what sounds like a conflict between the two applications over which is going to handle a file. You should do the same while logged into any other user accounts that are on your system.
After running CCleaner, go ahead and run a full sweep in Spy Sweeper.

As for your file, please submit any suspicious files to our partner Sophos using the following link:
http://www.sophos.com/support/knowledgebas...icle/11490.html

If you believe that there is a conflict between CCleaner and Spy Sweeper, please either have someone at CCleaner or yourself use the link on our web site to submit a request to look into it.
http://www.webroot.com/En_US/about-contact...2313b0e85f2d61d
At the very bottom:
Software Vendors
Submit a request to investigate if you believe Spy Sweeper is incorrectly detecting your product.
Click to expand...

And a reply from the CCleaner forum:

Hi,

CCleaner deletes a file by calling a very standard Windows API called "DeleteFile".

If you are using CCleaner's Secure Deletion option, then CCleaner needs to open the file to overwrite and then uses the same Windows API above to delete the file.

Try to turn off Secure Deletion if you are using it and run some testing.

Otherwise, there is really nothing extraordinary that CCleaner does when deleting a file.

Let us know

Thanks
Click to expand...

I tried to report this to Webroot using the supplied link in their reply, but only Piriform can report it and get Webroot to investigate. . There is a reply in the CCleaner forum from another user with the same problem:

Hi,

I'm new to the forum. However, I have been having almost exactly the same issues with Webroot & Ccleaner. I have Ccleaner set to 1 pass, secure deletion, and every once in a while, when running Ccleaner, "Webroot Internet Security Essentials" pops up and warns of a "Koobface" Trojan. I have run several "full" scans of my machine and dozens of "Quick" scans. None have detected a virus. I submitted a ticket to Webroot. So far I have received the usual broad sweeping answers. I will continue to follow up with Webroot.

I have created a folder for copies of my Firefox Cashe files, then copied the Cashe to that folder, the run Webroot on the folder and find no problems, then run Ccleaner and about 1 in 10 times, up pops a koobface warning. I run a folder scan on the files I copied and still no problems are found.

This problem is really a challenge because it can go a couple of days without showing up. I don't know if Ccleaner is writing files (during the overwrite process) that Webroot is picking up, or if Webroot is looking at odd behavior, or if it's in the Webroot definitions. I assume Ccleaner uses totally random data to overwrite the files, which makes the problem even more confusing. I wish that Ccleaner included a setting to make it write all zeros. That would eliminate the random data issue. When Ccleaner is run it overwrites a lot of files; the recycle bin, the explorer files, etc. Each time Webroot warns of a koobface alert, it always comes from the Firefox Cache. However, keep in mind I don't use Internet explorer hardly at all.

Here's some facts:
Machine: HPdv1000
Op Sys: Win XP SP3 (system updates are current within a few days)
Webroot: 6.1.0.145 (engine version: 3.4.1 - Latest data Update 2/27/2010)
Ccleaner: v2.27.1070
First detected: Feb 17, 2010

Today, my other machine, a Sony Desktop, pops up with the same Webroot alert while running Ccleaner. I hardly ever even use that machine to go to the internet. It also contains the same version of Webroot, and It's virus database is up to date. The only difference is the version of Ccleaner is v2.26.1070

Here are my possible conclusions:

1: Webroot is falsely detecting behavior or,
2: Ccleaner has got a problem or,
3: This is one very scary Trojan, because it alludes multiple scans!!!

That's all I know for now, any comments are welcome.
Click to expand...

Sorry for the long post, but I want to get the information out there for the other users with this problem.

Dangerous · Feb 28, 2010

Forgot to add, the results from Eset's Online Scanner were clean, nothing found.

Kestrel13! · Mar 1, 2010

Dangerous, thankyou very much for the information. I was not seeing malware in your logs and I knew your system was clean. Thanks for info you provided, I am sure it will be beneficial to others in the future!

Dangerous · Mar 1, 2010

You're welcome, and thank you for all the help. You guys are the best!

Happy hunting.

worm-koobface alerts

Dangerous Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Attached Files:

Dangerous Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Dangerous Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Dangerous Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2

Dangerous Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Dangerous Private E-2