

Trojan disguised as Adobe Update Install


This topic is locked. 4 replies to this topic.

#1 PowerGirl (Members, 5 posts)

Posted 27 July 2011 - 10:17 AM

Posting my experience in case it will help someone else. If anyone has any additional solutions - or if there is something further you would suggest I do to ensure my solution sticks and the virus is completely eradicated, please share. On Monday 7/25/11, I had what seemed like a standard and legitimate Adobe request (popup) to install updates. I agreed... to my demise. I knew better - I know to go to official sites to check for updates, I know it! But I did not do it. Immediately I did not feel right about it, so I tried to cancel and disable my PC, turn it off, remove the battery, anything to stop it, but it was too late and adobeupdater.exe was installed. I quickly did a Vipre virus scan and it turned up clean. I knew it was wrong. I phoned Vipre/GFI tech support twice that evening with their suggestions for different solutions, one being to run Malwarebytes' Anti-Malware, but it also turned up clean. I continued searching the net for recognized Adobe fake updates, etc., and found quite a few. Seems this "Adobe Updater" virus has been around a while, in one form or another. Microsoft Security Essentials seemed to have excellent details on what sounded like my virus problem, so I uninstalled Vipre and downloaded MSE (free) and ran it - it found and killed the following:
Exploit:Java/ByteVerify.D
Exploit:Java/ByteVerify.RP
Trojan:Java/Agent.B
Exploit:Java/ByteVerify.E

Things seem to be running ok now, but I'm skeptical that the virus is completely gone... perhaps it skulks in the background waiting for the moment to pounce, or I could be paranoid. All of my recent documents were removed from view as were all of my quick link programs from the Start menu. Since removing the malware, a new problem has come up with the Windows Installer popping up every time I try to open a file, so I'm working on that through the XP forum.

Edited by hamluis, 27 July 2011 - 10:27 AM.
No logs, moved to Am I Infected from Malware Removal Logs.



#2 Broni (BC Advisor, 42,756 posts, Daly City, CA)

Posted 27 July 2011 - 10:20 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#3 PowerGirl (Topic Starter, Members, 5 posts)

Posted 01 August 2011 - 03:12 PM

Downloaded and ran securitycheck.exe as instructed, but a Notepad document did not automatically come up. All that it would do is show the black screen first with 'Collecting Information Done' and then "Preparing Done!"

Downloaded MiniToolBox as instructed; results below with name deleted for privacy:
MiniToolBox by Farbar
Ran by (*name deleted for privacy*) (administrator) on 01-08-2011 at 13:56:09
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection"
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
# Interface IP Configuration for "Wireless Network Connection"
set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp

popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : (*private*)
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : tu.ok.cox.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : tu.ok.cox.net
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1D-09-D5-DB-6A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 70.189.82.91
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 70.189.80.1
DHCP Server . . . . . . . . . . . : 172.19.57.19
DNS Servers . . . . . . . . . . . : 68.105.28.11
                                    68.105.29.11
                                    68.105.28.12
Lease Obtained. . . . . . . . . . : Monday, August 01, 2011 1:29:23 PM
Lease Expires . . . . . . . . . . : Tuesday, August 02, 2011 1:29:23 PM

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1505 Draft 802.11n WLAN Mini-Card
Physical Address. . . . . . . . . : 00-1F-3A-98-D3-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 68.105.28.11
                                    68.105.29.11
Lease Obtained. . . . . . . . . . : Monday, August 01, 2011 8:14:10 AM
Lease Expires . . . . . . . . . . : Tuesday, August 02, 2011 8:14:10 AM

Server: cdns1.cox.net
Address: 68.105.28.11

Name: google.com
Addresses: 74.125.91.106, 74.125.91.147, 74.125.91.99, 74.125.91.103
74.125.91.104, 74.125.91.105

Pinging google.com [74.125.93.103] with 32 bytes of data:

Reply from 74.125.93.103: bytes=32 time=47ms TTL=54
Reply from 74.125.93.103: bytes=32 time=48ms TTL=54

Ping statistics for 74.125.93.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 48ms, Average = 47ms

Server: cdns1.cox.net
Address: 68.105.28.11

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=61ms TTL=56
Reply from 98.137.149.56: bytes=32 time=64ms TTL=56

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 61ms, Maximum = 64ms, Average = 62ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 09 d5 db 6a ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 1f 3a 98 d3 61 ...... Dell Wireless 1505 Draft 802.11n WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 70.189.80.1 70.189.82.91 20
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 25
70.189.80.0 255.255.252.0 70.189.82.91 70.189.82.91 20
70.189.82.91 255.255.255.255 127.0.0.1 127.0.0.1 20
70.255.255.255 255.255.255.255 70.189.82.91 70.189.82.91 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.104 192.168.0.104 25
192.168.0.104 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.0.255 255.255.255.255 192.168.0.104 192.168.0.104 25
224.0.0.0 240.0.0.0 70.189.82.91 70.189.82.91 20
224.0.0.0 240.0.0.0 192.168.0.104 192.168.0.104 25
255.255.255.255 255.255.255.255 70.189.82.91 70.189.82.91 1
255.255.255.255 255.255.255.255 192.168.0.104 192.168.0.104 1
Default Gateway: 70.189.80.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/29/2011 05:08:48 PM) (Source: MSSQL$MSSMLBIZ) (User: )
Description: The file "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf" is compressed but does not reside in a read-only database or filegroup. The file must be decompressed.

Error: (07/28/2011 05:07:42 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft SQL Server 2005 Express Edition -- Error 29503. The SQL Server service failed to start. For more information, see the SQL Server Books Online topics, "How to: View SQL Server 2005 Setup Log Files" and "Starting SQL Server Manually."
The error is (3417) .

Error: (07/28/2011 05:07:41 PM) (Source: MSSQL$MSSMLBIZ) (User: )
Description: The file "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf" is compressed but does not reside in a read-only database or filegroup. The file must be decompressed.

Error: (07/28/2011 05:07:41 PM) (Source: MSSQL$MSSMLBIZ) (User: )
Description: The file "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf" is compressed but does not reside in a read-only database or filegroup. The file must be decompressed.

Error: (07/28/2011 00:37:41 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (07/28/2011 08:15:36 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft SQL Server 2005 Express Edition -- Error 29503. The SQL Server service failed to start. For more information, see the SQL Server Books Online topics, "How to: View SQL Server 2005 Setup Log Files" and "Starting SQL Server Manually."
The error is (3417) .

Error: (07/28/2011 08:15:35 AM) (Source: MSSQL$MSSMLBIZ) (User: )
Description: The file "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf" is compressed but does not reside in a read-only database or filegroup. The file must be decompressed.

Error: (07/28/2011 08:15:35 AM) (Source: MSSQL$MSSMLBIZ) (User: )
Description: The file "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf" is compressed but does not reside in a read-only database or filegroup. The file must be decompressed.

Error: (07/26/2011 02:37:45 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8402.0, P4 0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (07/25/2011 06:52:24 PM) (Source: Windows Search Service) (User: )
Description: A document ID cannot be allocated.

Context: Windows Application, SystemIndex Catalog

Details:
The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (0x8004117f)


System errors:
=============
Error: (08/01/2011 01:29:22 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.100.2 for the Network Card with network address 001D09D5DB6A has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Error: (08/01/2011 01:28:50 PM) (Source: Dhcp) (User: )
Description: The IP address lease 70.189.82.91 for the Network Card with network address 001D09D5DB6A has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Error: (08/01/2011 00:23:45 PM) (Source: Print) (User: *private deleted*)
Description: The document Microsoft Word - Envelopes1 owned by *private deleted* failed to print on printer Brother MFC-6890CDW Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 65536. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\(*Private). Win32 error code returned by the print processor: Microsoft Word - Envelopes10. Microsoft Word - Envelopes11

Error: (08/01/2011 09:24:14 AM) (Source: Print) (User: *private deleted*)
Description: The document https://secure.foxrentacar.com/RezDone.aspx?SID=e2ad16ce-4c26-4 owned by *private deleted* failed to print on printer Brother MFC-6890CDW Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 524288. Number of bytes printed: 0. Total number of pages in the document: 6. Number of pages printed: 0. Client machine: \\(*PRIVATE). Win32 error code returned by the print processor: https://secure.foxrentacar.com/RezDone.aspx?SID=e2ad16ce-4c26-40. https://secure.foxrentacar.com/RezDone.aspx?SID=e2ad16ce-4c26-41

Error: (08/01/2011 08:44:42 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.100.2 for the Network Card with network address 001D09D5DB6A has been
denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

Error: (08/01/2011 08:14:56 AM) (Source: Service Control Manager) (User: )
Description: The Pml Driver HPZ12 service terminated with the following error:
%%126

Error: (08/01/2011 08:14:56 AM) (Source: Service Control Manager) (User: )
Description: The Net Driver HPZ12 service terminated with the following error:
%%126

Error: (07/29/2011 05:09:14 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft SQL Server 2005 Express Edition Service Pack 4 (KB2463332).

Error: (07/29/2011 05:08:48 PM) (Source: Service Control Manager) (User: )
Description: The SQL Server (MSSMLBIZ) service terminated with service-specific error 3417 (0xD59).

Error: (07/29/2011 08:02:14 AM) (Source: Service Control Manager) (User: )
Description: The Pml Driver HPZ12 service terminated with the following error:
%%126

Microsoft Office Sessions:
=========================
Error: (04/25/2011 02:03:54 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6555.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 23201 seconds with 8700 seconds of active time. This session ended with a crash.

Error: (03/29/2011 11:16:23 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 13101 seconds with 9720 seconds of active time. This session ended with a crash.
========================= Memory info: ===================================
Percentage of memory in use: 46%
Total physical RAM: 2038.29 MB
Available physical RAM: 1081.1 MB
Total Pagefile: 3931 MB
Available Pagefile: 2954.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.77 MB
========================= Partitions: =====================================
1 Drive c: () (Fixed) (Total:111.73 GB) (Free:74.12 GB) NTFS
========================= Users: ========================================
User accounts for \\(*PRIVATE)

Administrator Guest HelpAssistant
(*name deleted for privacy*) SUPPORT_388945a0

== End of log ==


Downloaded and ran MBAM again as instructed; results below (however, I must say that I did this the day I downloaded the virus, ran it, and it came back clean):
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7347

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/1/2011 2:12:33 PM
mbam-log-2011-08-01 (14-12-33).txt

Scan type: Quick scan
Objects scanned: 183447
Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=============================
Have not had time to do GMER yet.
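Broni's MiniToolBox checklist in post #2 (IE/FF proxy settings, hosts file content) and the report PowerGirl posted in post #3 are the two things a helper reads first, because a redirected hosts file or an unexpected proxy is how fake-updater malware commonly intercepts traffic and blocks security vendors. The script below is an added example, not part of this thread or of MiniToolBox: it splits a report into its `=== Section: ===` blocks and flags proxy settings and any hosts entry beyond the default localhost line. The clean sample is copied from the report above; the "infected" sample, the `Proxy is enabled.` / `ProxyServer:` wording for an enabled proxy, and the TEST-NET address in it are constructed assumptions, since the thread only shows the clean case.

```python
"""Triage a MiniToolBox-style report: flag proxy settings and hosts-file entries.

Added example for this thread; the report format is inferred from the
sections posted above and the enabled-proxy wording is an assumption.
"""
import re
from typing import Dict, List, Tuple

# MiniToolBox section headers look like:
# ========================= Hosts content: =================================
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?):\s*=+\s*$")

# The only mappings expected in a stock Windows hosts file.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Clean sample: the sections copied from the report in this thread.
CLEAN_REPORT = """\
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
# Interface IP Configuration
"""

# Constructed sample (not from the thread): proxy forced on, vendor site
# sinkholed to loopback, localhost redirected, and a TEST-NET address used.
SUSPICIOUS_REPORT = """\
========================= IE Proxy Settings: ==============================
Proxy is enabled.
ProxyServer: http=127.0.0.1:8080
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 www.malwarebytes.org
10.0.0.5 localhost
192.0.2.10 www.microsoft.com   # constructed entry
"""


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group non-empty report lines under the section header preceding them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in report.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group("name").strip()
            sections.setdefault(current, [])
            continue
        if line:
            sections.setdefault(current, []).append(line)
    return sections


def parse_hosts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:                  # one line may map several names
            entries.append((parts[0], name.lower()))
    return entries


def hosts_findings(entries: List[Tuple[str, str]]) -> List[str]:
    """Flag every mapping that is not the stock localhost line."""
    findings = []
    for addr, name in entries:
        if (addr, name) in DEFAULT_HOSTS:
            continue
        if name == "localhost":
            findings.append(f"hosts: localhost redirected to {addr}")
        else:
            findings.append(f"hosts: non-default entry {addr} -> {name}")
    return findings


def proxy_findings(lines: List[str]) -> List[str]:
    """Flag an enabled proxy or a configured proxy server (assumed wording)."""
    findings = []
    for line in lines:
        low = line.lower()
        if "proxy is enabled" in low or low.startswith("proxyserver"):
            findings.append(f"proxy: {line}")
    return findings


def triage(report: str) -> List[str]:
    """Run the proxy and hosts checks over a whole report."""
    sections = split_sections(report)
    findings: List[str] = []
    for section in ("IE Proxy Settings", "FF Proxy Settings"):
        findings += proxy_findings(sections.get(section, []))
    findings += hosts_findings(parse_hosts(sections.get("Hosts content", [])))
    return findings


if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("suspicious", SUSPICIOUS_REPORT)):
        print(f"[{label}] findings:", triage(report) or "none")
```

Run it over a saved MiniToolBox report with `triage(open("Result.txt").read())`; an empty list is what the report in this thread produces. Anything it flags is worth pasting into the reply for the helper, not acting on unassisted, which is the point of the MRT process described later in the thread.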

#4 Broni (BC Advisor, 42,756 posts, Daly City, CA)

Posted 01 August 2011 - 07:52 PM

I'll be around to see your GMER log.

Also....

Re-run MiniToolbox.

Checkmark following boxes:
  • List Installed Programs
Click Go and post the result.

#5 Orange Blossom (Moderator, 37,049 posts, Bloomington, IN)

Posted 05 August 2011 - 01:03 AM

Hello

I see that you have a topic posted in the log forum here: http://www.bleepingcomputer.com/forums/topic411590.html

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by an MRT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take a few more days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
