
Exploit.JS.pdfka.awl, Trojan.Dropper - is the computer now clean or not?



#1 cathyb9


Posted 28 December 2009 - 08:32 AM

Hello,

I am running Windows 7, with the Zone Alarm suite (antivirus and firewall) and Spybot SD resident. This morning, ZA showed up a virus. I've taken the steps shown below and the machine now seems to be clean. Could you please check the logs and let me know whether the machine is definitely clean, or do I need to take further action?

This morning, my regular computer scan showed that it was infected with Exploit.js.pdfka.awl. There were apparently two infections - one which was quarantined and which I subsequently deleted, the other of which Zone Alarm couldn't quarantine or delete. I set it to 'delete on reboot', but there was no indication when I rebooted that it had removed the infection.

I've checked the virus scan logs, but all the logs from before 6.00pm this evening have vanished. (There is an option to clear all logs, but if I did click it, it was accidental.) All I can remember is that the virus was lurking in files which had been transferred from a computer which crashed irreparably in early December. That computer had been running the AVG suite for antivirus, firewall and antispyware and was running Windows XP.

After this, I updated and ran MalwareBytes in safe mode. It found Trojan.Dropper in files which had come from the old computer. The log follows:

Malwarebytes' Anti-Malware 1.42
Database version: 3442
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

28/12/2009 5:14:52 PM
mbam-log-2009-12-28 (17-14-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 256404
Time elapsed: 1 hour(s), 32 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Cathy B\ [path deleted as it includes my full name] \Local Settings\Temporary Internet Files\Content.IE5\27P2TMRL\op[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

I also downloaded, updated and ran Superantispyware, and found 3 tracking cookies:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/28/2009 at 08:10 PM

Application Version : 4.32.1000

Core Rules Database Version : 4415
Trace Rules Database Version: 2243

Scan type : Quick Scan
Total Scan Time : 00:39:15

Memory items scanned : 599
Memory threats detected : 0
Registry items scanned : 531
Registry threats detected : 0
File items scanned : 34030
File threats detected : 3

Adware.Tracking Cookie
C:\Users\Cathy B\AppData\Local\Temp\Low\Cookies\cathy_b@serving-sys[2].txt
C:\Users\Cathy B\AppData\Local\Temp\Low\Cookies\cathy_b@revsci[2].txt
C:\Users\Cathy B\AppData\Local\Temp\Low\Cookies\cathy_b@bs.serving-sys[1].txt

Then I downloaded, updated and ran Avira (having first disconnected from the internet and disabled Zone Alarm). It found no infections at all:



Avira AntiVir Personal
Report file date: Monday, 28 December 2009 22:34

Scanning for 1478296 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista 64 Bit
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CATHYB-PC

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 2/12/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 13/10/2009 00:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 26/02/2009 23:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 00:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 26/02/2009 23:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 20:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 09:52:25
VBASE002.VDF : 7.10.1.1 2048 Bytes 19/11/2009 09:52:26
VBASE003.VDF : 7.10.1.2 2048 Bytes 19/11/2009 09:52:26
VBASE004.VDF : 7.10.1.3 2048 Bytes 19/11/2009 09:52:27
VBASE005.VDF : 7.10.1.4 2048 Bytes 19/11/2009 09:52:27
VBASE006.VDF : 7.10.1.5 2048 Bytes 19/11/2009 09:52:27
VBASE007.VDF : 7.10.1.6 2048 Bytes 19/11/2009 09:52:28
VBASE008.VDF : 7.10.1.7 2048 Bytes 19/11/2009 09:52:28
VBASE009.VDF : 7.10.1.8 2048 Bytes 19/11/2009 09:52:28
VBASE010.VDF : 7.10.1.9 2048 Bytes 19/11/2009 09:52:29
VBASE011.VDF : 7.10.1.10 2048 Bytes 19/11/2009 09:52:29
VBASE012.VDF : 7.10.1.11 2048 Bytes 19/11/2009 09:52:30
VBASE013.VDF : 7.10.1.79 209920 Bytes 25/11/2009 09:52:31
VBASE014.VDF : 7.10.1.128 197632 Bytes 30/11/2009 09:52:35
VBASE015.VDF : 7.10.1.178 195584 Bytes 7/12/2009 09:52:36
VBASE016.VDF : 7.10.1.224 183296 Bytes 14/12/2009 09:52:37
VBASE017.VDF : 7.10.1.247 182272 Bytes 15/12/2009 09:52:41
VBASE018.VDF : 7.10.2.30 198144 Bytes 21/12/2009 09:52:42
VBASE019.VDF : 7.10.2.63 187392 Bytes 24/12/2009 09:52:43
VBASE020.VDF : 7.10.2.64 2048 Bytes 24/12/2009 09:52:44
VBASE021.VDF : 7.10.2.65 2048 Bytes 24/12/2009 09:52:44
VBASE022.VDF : 7.10.2.66 2048 Bytes 24/12/2009 09:52:45
VBASE023.VDF : 7.10.2.67 2048 Bytes 24/12/2009 09:52:45
VBASE024.VDF : 7.10.2.68 2048 Bytes 24/12/2009 09:52:45
VBASE025.VDF : 7.10.2.69 2048 Bytes 24/12/2009 09:52:46
VBASE026.VDF : 7.10.2.70 2048 Bytes 24/12/2009 09:52:46
VBASE027.VDF : 7.10.2.71 2048 Bytes 24/12/2009 09:52:47
VBASE028.VDF : 7.10.2.72 2048 Bytes 24/12/2009 09:52:47
VBASE029.VDF : 7.10.2.73 2048 Bytes 24/12/2009 09:52:47
VBASE030.VDF : 7.10.2.74 2048 Bytes 24/12/2009 09:52:48
VBASE031.VDF : 7.10.2.77 73216 Bytes 28/12/2009 09:52:48
Engineversion : 8.2.1.122
AEVDF.DLL : 8.1.1.2 106867 Bytes 7/11/2009 20:38:52
AESCRIPT.DLL : 8.1.3.4 586105 Bytes 28/12/2009 09:53:01
AESCN.DLL : 8.1.3.0 127348 Bytes 28/12/2009 09:52:59
AESBX.DLL : 8.1.1.1 246132 Bytes 7/11/2009 20:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 28/12/2009 09:52:57
AEPACK.DLL : 8.2.0.3 422261 Bytes 7/11/2009 20:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/11/2009 20:38:38
AEHEUR.DLL : 8.1.0.189 2195833 Bytes 28/12/2009 09:52:55
AEHELP.DLL : 8.1.9.0 237943 Bytes 28/12/2009 09:52:51
AEGEN.DLL : 8.1.1.82 369014 Bytes 28/12/2009 09:52:51
AEEMU.DLL : 8.1.1.0 393587 Bytes 7/11/2009 20:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 28/12/2009 09:52:50
AEBB.DLL : 8.1.0.3 53618 Bytes 7/11/2009 20:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 11/12/2008 21:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 26/08/2009 04:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 03:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 4/12/2008 23:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 04:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 29/01/2009 23:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 04:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 1/02/2009 21:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 4/12/2008 23:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 04:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 13/10/2009 01:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files (x86)\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Monday, 28 December 2009 22:34

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '0' Module(s) have been scanned
Scan process 'taskmgr.exe' - '0' Module(s) have been scanned
Scan process 'TPCHWMsg.exe' - '0' Module(s) have been scanned
Scan process 'TosSENotify.exe' - '0' Module(s) have been scanned
Scan process 'TPCHSrv.exe' - '0' Module(s) have been scanned
Scan process 'TosSmartSrv.exe' - '0' Module(s) have been scanned
Scan process 'TMachInfo.exe' - '0' Module(s) have been scanned
Scan process 'HCMSoundChanger.exe' - '1' Module(s) have been scanned
Scan process 'CFSwMgr.exe' - '1' Module(s) have been scanned
Scan process 'NDSTray.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '0' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SSUPDATE.EXE' - '0' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '0' Module(s) have been scanned
Scan process 'TWebCamera.exe' - '1' Module(s) have been scanned
Scan process 'TRCMan.exe' - '1' Module(s) have been scanned
Scan process 'ToshibaServiceStation.exe' - '0' Module(s) have been scanned
Scan process 'TUSBSleepChargeSrv.exe' - '1' Module(s) have been scanned
Scan process 'ItSecMng.exe' - '1' Module(s) have been scanned
Scan process 'KeNotify.exe' - '1' Module(s) have been scanned
Scan process 'SSScheduler.exe' - '1' Module(s) have been scanned
Scan process 'JungleDiskMonitor.exe' - '0' Module(s) have been scanned
Scan process 'SynTPHelper.exe' - '0' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'TosReelTimeMonitor.exe' - '0' Module(s) have been scanned
Scan process 'TosNcCore.exe' - '0' Module(s) have been scanned
Scan process 'HDMICtrlMan.exe' - '0' Module(s) have been scanned
Scan process 'Teco.exe' - '0' Module(s) have been scanned
Scan process 'ThpSrv.exe' - '0' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '0' Module(s) have been scanned
Scan process 'RAVCpl64.exe' - '0' Module(s) have been scanned
Scan process 'TCrdMain.exe' - '0' Module(s) have been scanned
Scan process 'SmoothView.exe' - '0' Module(s) have been scanned
Scan process 'TPwrMain.exe' - '0' Module(s) have been scanned
Scan process 'explorer.exe' - '0' Module(s) have been scanned
Scan process 'dwm.exe' - '0' Module(s) have been scanned
Scan process 'ForceField.exe' - '0' Module(s) have been scanned
Scan process 'taskhost.exe' - '0' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'CFProcSRVC.exe' - '1' Module(s) have been scanned
Scan process 'CFIWmxSvcs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '1' Module(s) have been scanned
Scan process 'TecoService.exe' - '0' Module(s) have been scanned
Scan process 'TosCoSrv.exe' - '0' Module(s) have been scanned
Scan process 'TODDSrv.exe' - '0' Module(s) have been scanned
Scan process 'ThpSrv.exe' - '0' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '0' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'JungleDiskMonitor.exe' - '0' Module(s) have been scanned
Scan process 'BcmSqlStartupSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '0' Module(s) have been scanned
Scan process 'ISWSVC.exe' - '0' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'lsm.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'wininit.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '27' files ).


Starting the file scan:

Begin scan in 'C:\' <S3A8029D003>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Monday, 28 December 2009 23:31
Used time: 57:05 Minute(s)

The scan has been done completely.

22181 Scanned directories
327970 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
327968 Files not concerned
19553 Archives were scanned
2 Warnings
2 Notes

Then I ran Malwarebytes and ZoneAlarm again, and neither of these programs found any problems. Is the computer now clean, or do I need to take further action (a HijackThis file, for instance?)

Thanks for your help!
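The Malwarebytes log above has a fixed layout: a block of summary counts, then one section per category, each listing items as `path (detection) -> action`. As an added example that is not part of the original thread, this Python script parses that layout and reports whether every item the scanner counted was actually handled and whether the hits sit only in browser cache paths (as the op[1].exe hit did). The sample log is a constructed, trimmed copy of the posted one with the user's path redacted.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the Malwarebytes 1.42 log layout shown in the post;
# the path is redacted, the detection name and action are as posted.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3442
Windows 6.1.7600

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 256404

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Users\USER\[redacted]\Local Settings\Temporary Internet Files\Content.IE5\27P2TMRL\op[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

class Detection(NamedTuple):
    path: str
    name: str
    action: str

# "Files Infected: 1" style summary lines, and "path (name) -> action." item lines.
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
CACHE_MARKERS = ("temporary internet files", "content.ie5", "\\temp\\")

def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return the summary counts and the individual detections listed in the log."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                  # summary block: "<category>: <n>"
            counts[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(" Infected:"):        # start of a per-category section
            section = line[:-1]
            continue
        if section and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:
                detections.append(Detection(m["path"], m["name"], m["action"]))
    return counts, detections

def is_browser_cache(path: str) -> bool:
    """True when the hit lives in a browser/temp cache rather than a system location."""
    p = path.lower()
    return any(marker in p for marker in CACHE_MARKERS)

def triage(counts: Dict[str, int], detections: List[Detection]) -> Dict[str, object]:
    """Cross-check the counts against the listed items and their recorded actions."""
    found = sum(counts.values())
    unresolved = [d for d in detections if "successfully" not in d.action.lower()]
    return {
        "items_found": found,
        "all_handled": found == len(detections) and not unresolved,
        "cache_only": bool(detections) and all(is_browser_cache(d.path) for d in detections),
    }
```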


#2 boopme


Posted 28 December 2009 - 12:09 PM

Hello, here's what we should do. You probably have cleared it. This is an Exploit malware .. This one likes Adobe..
So update any Adobe apps you may have at that link..
Use limited user accounts, as these exploits need Admin rights to function. Don't give them that.

Let's get a second opinion.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#3 cathyb9


Posted 29 December 2009 - 12:51 AM

Hello, thanks for your help!

I had trouble with the limited account. When I created one and tried to work from it, it wouldn't allow me to connect to my broadband modem.

So I had to run ESET from the admin account.

I ran ESET then, and it found no threats. What do you think, is it fine now?

Thanks again! You guys are fantastic.

#4 boopme


Posted 29 December 2009 - 11:04 AM

Ok, this looks good.. Yes, for certain functions you will need to use the Admin account. But that's the idea. Use it when you need to. Don't use it regularly, as it allows the malware world to have those Admin rights when you are in it. So just as you were prevented, so are they.