Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus Alert- would like assistance reviewing logs


  • Please log in to reply
4 replies to this topic

#1 uwwmatt

uwwmatt

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 20 July 2011 - 07:44 PM

Yesterday my Windows Security Essentials virus scan found a Trojan, and some security exploits.

From the History Log
VirTool:Win32/Obfuscator.QR
TrojanDownloader:Win32/Tracur.Y
Exploit:Java/CVE-2010-0840.DR
Exploit:Java/CVE-2010-0840.DT

I would like to make sure everything was found and removed. I noticed in similar posts people were asked to run a few programs, so I thought I would be proactive and go ahead and run them. I also ran Hijackthis, but it seems that people don't post those logs on this forum.

Below you will find the logs for:
-Security Check
-MiniToolbox
-Malwarebytes' Anti-Malware
-GMER


Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.181.34
Adobe Reader X (10.1.0)
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbam.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
Hijackthis Trend Micro HiJackThis HiJackThis.exe
``````````End of Log````````````

MiniToolBox by Farbar
Ran by Admin (administrator) on 20-07-2011 at 18:56:40
Windows 7 Professional Service Pack 1 (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


127.0.0.1 activate.adobe.com

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Matt-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : E0-CB-4E-5D-12-09
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d897:b398:8ff5:4c55%10(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, July 20, 2011 6:03:49 PM
Lease Expires . . . . . . . . . . : Thursday, July 21, 2011 6:03:48 PM
Default Gateway . . . . . . . . . : 10.0.0.1
DHCP Server . . . . . . . . . . . : 10.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 249613134
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-5B-A1-49-E0-CB-4E-5D-12-09
DNS Servers . . . . . . . . . . . : 10.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{DBE11166-72F8-49D7-B573-F593BB4131F8}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2cdd:337:f5ff:fffc(Preferred)
Link-local IPv6 Address . . . . . : fe80::2cdd:337:f5ff:fffc%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 10.0.0.1

Name: google.com
Addresses: 74.125.225.51
74.125.225.48
74.125.225.49
74.125.225.52
74.125.225.50


Pinging google.com [74.125.225.81] with 32 bytes of data:
Reply from 74.125.225.81: bytes=32 time=55ms TTL=52
Reply from 74.125.225.81: bytes=32 time=55ms TTL=52

Ping statistics for 74.125.225.81:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 55ms, Maximum = 55ms, Average = 55ms
Server: UnKnown
Address: 10.0.0.1

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65


Pinging yahoo.com [69.147.125.65] with 32 bytes of data:
Reply from 69.147.125.65: bytes=32 time=75ms TTL=50
Reply from 69.147.125.65: bytes=32 time=76ms TTL=50

Ping statistics for 69.147.125.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 75ms, Maximum = 76ms, Average = 75ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=3ms TTL=128
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
===========================================================================
Interface List
10...e0 cb 4e 5d 12 09 ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.3 20
10.0.0.0 255.255.255.0 On-link 10.0.0.3 276
10.0.0.3 255.255.255.255 On-link 10.0.0.3 276
10.0.0.255 255.255.255.255 On-link 10.0.0.3 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.3 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.3 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:2cdd:337:f5ff:fffc/128
On-link
10 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::2cdd:337:f5ff:fffc/128
On-link
10 276 fe80::d897:b398:8ff5:4c55/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/19/2011 05:16:48 PM) (Source: Application Hang) (User: )
Description: The program Steam.exe version 1.0.968.628 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1174

Start Time: 01cc466140d3799b

Termination Time: 15

Application Path: D:\Steam\Steam.exe

Report Id: b9629929-b254-11e0-94f6-e0cb4e5d1209

Error: (07/18/2011 07:11:46 PM) (Source: Application Error) (User: )
Description: Faulting application name: plugin-container.exe, version: 5.0.0.4183, time stamp: 0x4df952a0
Faulting module name: NPSWF32.dll, version: 10.3.181.34, time stamp: 0x4e0117de
Exception code: 0xc0000005
Fault offset: 0x00178918
Faulting process id: 0xa80
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (07/18/2011 06:09:17 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/14/2011 05:51:36 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/13/2011 07:21:38 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/11/2011 00:58:36 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/10/2011 04:05:10 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/09/2011 01:54:07 PM) (Source: Application Hang) (User: )
Description: The program Ad-AwareAdmin.exe version 9.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 89c

Start Time: 01cc3e44b84509c8

Termination Time: 10

Application Path: C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe

Report Id: d0c75d29-aa5c-11e0-a7f5-e0cb4e5d1209

Error: (07/09/2011 09:49:35 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/06/2011 06:34:53 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.


System errors:
=============
Error: (07/20/2011 06:04:31 PM) (Source: Service Control Manager) (User: )
Description: The Superfetch service terminated with the following error:
%%2

Error: (07/20/2011 06:02:24 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (07/20/2011 05:53:42 PM) (Source: Service Control Manager) (User: )
Description: The Superfetch service terminated with the following error:
%%2

Error: (07/19/2011 09:14:23 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (07/19/2011 05:51:52 PM) (Source: Service Control Manager) (User: )
Description: The Superfetch service terminated with the following error:
%%2

Error: (07/19/2011 05:49:22 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (07/19/2011 04:27:19 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (07/19/2011 03:24:38 PM) (Source: Service Control Manager) (User: )
Description: The Superfetch service terminated with the following error:
%%2

Error: (07/18/2011 09:58:48 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (07/18/2011 05:03:27 PM) (Source: Service Control Manager) (User: )
Description: The Superfetch service terminated with the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (07/19/2011 05:16:48 PM) (Source: Application Hang)(User: )
Description: Steam.exe1.0.968.628117401cc466140d3799b15D:\Steam\Steam.exeb9629929-b254-11e0-94f6-e0cb4e5d1209

Error: (07/18/2011 07:11:46 PM) (Source: Application Error)(User: )
Description: plugin-container.exe5.0.0.41834df952a0NPSWF32.dll10.3.181.344e0117dec000000500178918a8001cc45a2a394df19C:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dllb0606707-b19b-11e0-babb-e0cb4e5d1209

Error: (07/18/2011 06:09:17 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*d:\program files\spybot - search & destroy\DelZip179.dlld:\program files\spybot - search & destroy\DelZip179.dll8

Error: (07/14/2011 05:51:36 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*d:\program files\spybot - search & destroy\DelZip179.dlld:\program files\spybot - search & destroy\DelZip179.dll8

Error: (07/13/2011 07:21:38 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*d:\program files\spybot - search & destroy\DelZip179.dlld:\program files\spybot - search & destroy\DelZip179.dll8

Error: (07/11/2011 00:58:36 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*d:\program files\spybot - search & destroy\DelZip179.dlld:\program files\spybot - search & destroy\DelZip179.dll8

Error: (07/10/2011 04:05:10 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*d:\program files\spybot - search & destroy\DelZip179.dlld:\program files\spybot - search & destroy\DelZip179.dll8

Error: (07/09/2011 01:54:07 PM) (Source: Application Hang)(User: )
Description: Ad-AwareAdmin.exe9.0.0.089c01cc3e44b84509c810C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exed0c75d29-aa5c-11e0-a7f5-e0cb4e5d1209

Error: (07/09/2011 09:49:35 AM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*d:\program files\spybot - search & destroy\DelZip179.dlld:\program files\spybot - search & destroy\DelZip179.dll8

Error: (07/06/2011 06:34:53 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*d:\program files\spybot - search & destroy\DelZip179.dlld:\program files\spybot - search & destroy\DelZip179.dll8


========================= Memory info: ===================================

Percentage of memory in use: 15%
Total physical RAM: 16375.05 MB
Available physical RAM: 13887.47 MB
Total Pagefile: 32748.3 MB
Available Pagefile: 30065.43 MB
Total Virtual: 4095.88 MB
Available Virtual: 3980.3 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:29.72 GB) (Free:4.49 GB) NTFS
2 Drive d: (Back up) (Fixed) (Total:596.17 GB) (Free:217.89 GB) NTFS
5 Drive h: (Elements) (Fixed) (Total:1863.01 GB) (Free:1768.45 GB) NTFS

========================= Users: ========================================

User accounts for \\MATT-PC

Admin Administrator ASPNET
Guest Matt


== End of log ==

-------------------------------------------------------
Malwarebytes Log
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7215

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/20/2011 6:52:13 PM
mbam-log-2011-07-20 (18-52-13).txt

Scan type: Quick scan
Objects scanned: 139348
Time elapsed: 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER found nothing and the log was empty.

Edited by uwwmatt, 20 July 2011 - 07:45 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:10 PM

Posted 20 July 2011 - 08:48 PM

Looks good. Lets see if ESET sees anything.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 uwwmatt

uwwmatt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 20 July 2011 - 08:56 PM

Funny you should say that. It is currently 99% complete right now, however its been saying that for about 30 minutes. So far ESET says 1 infected file Java/trojandownloader.OpenStream.NCA trojan. I will post the log when it finishes.

#4 uwwmatt

uwwmatt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 20 July 2011 - 10:21 PM

Results from ESET
C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\7788bc6-1504c8bc Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:10 PM

Posted 21 July 2011 - 02:10 PM

I think you are good here now.
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Posted Image > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Posted Image > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users