MBAM shows possible Koobface?

Hello,

A recent quick scan was run on the computer that produced the Worm.Koobface file, which it says was quarantined and deleted. I ran a quick scan today that produced the Heuristics.Shuriken file, which was also quarantined and deleted. When I saw the recent quick scan log with the Koobface file, I ran a full scan (after the quick scan) with no results found.

I poked around a few sites to get familiar with both, and am more concerned with the Koobface result. Is it anything I need to look into further, or has MBAM successfully deleted it?

Log #1:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4339

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/22/2010 7:11:59 PM
mbam-log-2010-07-22 (19-11-59).txt

Scan type: Quick scan
Objects scanned: 140590
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Guest\AppData\Local\Temp\svchost.exe (Worm.KoobFace) -> Quarantined and deleted successfully.


Log #2:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4404

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/7/2010 4:08:23 PM
mbam-log-2010-08-07 (16-08-23).txt

Scan type: Quick scan
Objects scanned: 143340
Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Guest\AppData\Local\Temp\0.3661488185817129.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.



I ran a quick scan today because I was on a few websites and got a pop up "Windows will shut down in 10 minutes", and another that said "Windows will shut down in 2 minutes", at which point it did shut down. I'm not very familiar with Windows 7, so I didn't know if this was legit, but I was on the Guest account and the computer is not set up to automatically install any updates (it is set to download but ask when to install), so I couldn't come up with any reason for it to restart itself. I didn't know if this was a cause for alarm, but I ran a quick scan anyway, and I haven't had any other problems with how the computer has been running. But, after reading about how fun Koobface has been for a lot of people... I wanted to post to be sure.

*edit*
I just now ran a full scan with SAS, it found 106 tracking cookies, but that's it. I can post the log for that if you would like. I had it remove the tracking cookies, at that point it asked to reboot, and I allowed it.

Thanks!

Edited by carissa_lee_, 07 August 2010 - 09:31 PM.

Hi, these scans look pretty good. You may need to ask sbout the shutdowns in the WIN7 forum as I don't belive they are malware. Let's do an onloine scan first .

ESET

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the ESET Online Scanner button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Eset Smart Installer icon on your desktop.
• Check the "YES, I accept the Terms of Use"
• Click the Start button.
• Accept any security warnings from your browser.
• Check Scan archives
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push "List of found threats"
• Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the "<<Back" button.
• Push Finish

In your next reply, please include the following:

• Eset Scan Log

Thanks so much for the quick reply!

I wasn't sure if the pop up was malware-related, since it seems a lot of the recent viruses like to disguise themselves as legit software, I've had some that use the same look and feel of Norton or Windows products, or something similar. I also have never seen it before, since I am unfamiliar with 7 and don't use this computer that often. Unfortunately I didn't think to get a screen shot of the pop up (IF it happens again, I hope that I will think a little quicker next time!), but the pop up itself looked weird to me. I wish I could remember the exact wording, it would probably help. It only gave me one option, "Ok" (I think), which I thought was odd, since pop ups usually have two, i.e. "Continue" or "Cancel". I ended up clicking the X in the corner, in case it was a malware attempt trying to get me to click the only button to begin a download of some kind. I tried to find anything like it using google, but no luck, although since it's possible I have the wording wrong it would obviously hinder any searches I tried.


Anyhow, I was hoping the ESET scan would product 0 results, but it did give 1...

ESET Online Scan results:

C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\309f68bd-40266c27 probably a variant of Win32/Agent trojan deleted - quarantined

Edited by carissa_lee_, 08 August 2010 - 01:41 AM.

Hello, then we will run one more and see.
Also in the future if you see a suspect window,bettter than the X ,as that can now be a malware exe trigger, press Ctrl + Shift + Esc .
This will open open Task manager (also works in XP,Vista),there you can highlight and select End Process and safely close that item.

Clean your Temp files... TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Is it normal for TFC to lag as I am restarting/shutting it down? When I clicked restart computer (as it did not ask me to reboot), I had it stick on the "Logging Out" blue screen for around 8 minutes before I did a manual shut down.

MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4408

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/8/2010 3:44:02 PM
mbam-log-2010-08-08 (15-44-02).txt

Scan type: Quick scan
Objects scanned: 143028
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Other than TFC is all else running well now?

My apologies on the slow reply!

The computer seems fine, I didn't have any real problems in the first place (other than the random Windows pop up), I just got those questionable results after one of the regular MBAM scans. Mostly wanted to make sure there something nasty hiding that I didn't know about.

I appreciate the help with making sure the computer is clean. I spend too much of my time reading about a lot of computer viruses so I can make sure to keep up with the newer and sometimes creative threats out there, and come across articles talking about the ones that lie silent on your computer waiting for you to enter your information... so I always wonder "what if?", lol. I may be overly paranoid, but I just like to make sure, especially since other people use this computer do log into banking sites and such. I tell them it's not a good idea, but they don't listen to me.

Anyhow. Thanks again

Your welcome.. They write new bad stuff everyday so it's always good to stay on top.

Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe.
• How did I get infected?, With steps so it does not happen again!.
• Hardening Windows Security - Part 1 & Part 2.
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
• Your Guide To Staying Safe Online.
• Use Task Manager to close pop-up messages to safely exit malware attacks.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

• Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• USB-Based Malware Attacks.
• When is AUTORUN.INF really an AUTORUN.INF?.
• Please disable Autorun asap!.