Possible rootkit infection / maybe network stack / ZeroAccess ?


This topic is locked
35 replies to this topic

#1 snoopy8

Posted 08 December 2011 - 05:17 PM

Hello,

I have recently had a malware / rootkit infection which seems to have been now
partially repaired. This has led to the present situation which is, I am unable
to run ComboFix to either verify whether the rootkit is still there, or get a
clean scan to verify it has been removed.

Here is what happened:

- first noticed browser redirects. Links clicked on sometimes (but not always)
were redirected to odd-looking, fishy, advertising-looking sites; one of these
was "chinaontv.com"

- upon beginning to inspect the system, also found the following:

- odd-looking process was running in task manager (and other task listing tools)
this process had a name which consisted of two long numbers separated by a colon ":",
ending with the .exe extension (later determined to be metadata stream - read on)

This process was unable to be killed (some sort of access denied message) from either
task manager or taskkill.exe

- some Windows Sysinternals tools I use would not launch/run: Process Explorer


- sometimes (but not always) between one and three suspicious-looking processes,
names like "drs.com", "crss.com" would be running. Further inspection revealed "run" entries for
these in the Registry. These could be removed, but would reappear within a few minutes
or less

- found services entry (but not in service applet) for the odd-looking numerical-named
process; this could be removed but always showed up again at reboot (surmised
process would re-write on shutdown), including Last Known Good entries

- Also; my Norton Internet Security installation seems to have been damaged / inactivated
(subs. was expired anyways)



Steps Taken

Ran a few miscellaneous tools; notably:


SpyBot Search & Destroy

- found around half dozen problems

- fixed these

- seems to have removed the secondary bad processes

system got a little better (?)


HijackThis - would not run all parts!

- overall scan not run

- but ADS scan turned up numerical-named process as metadata / ADS on
C:\WINDOWS



Then:

Tried ComboFix


- first time, found "serious infection" of a network stack rootkit

- didn't catch name (ZeroAccess sounds familiar but not sure)

- "yes" prompt disappeared and/or program froze while trying to make note of this

- now won't run (freezes)


Current status:

- system seems much healthier

- suspicious processes gone from task listing tools, and Registry startup entries

- not convinced fully removed

- firefox still funky
- can't get ComboFix scan to complete
- can't run DDS (see DDS log section)

Current issue:

- want to run ComboFix but freezes

- does this mean system is still marred ?

- how to run other tools to verify system now clean or find remaining / additional

infections (recommendations)

- OH and Recovery Console installed by ComboFix is broken

- how to tell whether Firefox is compromised ? (will probably reinstall anyway...)





************ DDS.txt log ****************

NOTE: DDS would not run, froze partway through. no log
(also no DDS Attach.txt file to attach...)

*****************************************

Attached File: ark.txt (12.22KB)

#2 CatByte (Malware Response Team)

Posted 08 December 2011 - 08:12 PM

Hi

Yes it looks like you are still infected

try this:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


NEXT


Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.


NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 snoopy8 (Topic Starter)

Posted 09 December 2011 - 05:17 AM

Hello,

Thanks for the response. Here are the results.

OTL

- scan run apparently to completion (?)

- only OTL.txt was produced. Found no Extras.txt

attachments: OTL.txt


MBRCheck

- apparently ran to completion

- apparently nothing unusual found

- MBRCheck*.txt attached


TDSSKiller

- scan run

- found 1 object

- selected Cure, rebooted to finish cure

- TDSSKiller*.txt attached


NOTES

- I notice sometimes you said "copy and paste", other times said "attach". Not sure if you really
mean to just copy-and-paste in some cases but I have attached everything. Hope this is OK.


- By the way, maybe I should mention the initial infection, as well as most of my previous removal
efforts, occurred in September. I mention this since I notice some settings in the OTL scan
refer to a file age setting of 30 days...

Attached File: OTL.Txt (130.83KB)
Attached File: MBRCheck_12.09.11_02.44.55.txt (8.81KB)
Attached File: TDSSKiller.2.6.22.0_09.12.2011_02.50.18_log.txt (65.36KB)

#4 CatByte (Malware Response Team)

Posted 09 December 2011 - 09:47 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 snoopy8 (Topic Starter)

Posted 10 December 2011 - 02:44 AM

Hello,

I have downloaded and (attempted to) run ComboFix as indicated.

It appeared to freeze early on. It appeared to successfully install
the Recovery Console; then the output in the command window
went as far as saying how long the scan should take
(10 minutes but maybe double for bad infections ?), and no more
output appeared after that.

I let it sit for about 60 minutes, then cold-killed and restarted the
system. It appeared the whole system was frozen (GUI and everything, not
just the ComboFix program or window); so I hard-restarted (power button).

I was very careful not to bump the mouse pointer or anything. So I am
pretty sure it was not from being (accidentally or intentionally) moused.

Here are some miscellaneous notes:


ComboFix:

I had previously (tried to) run ComboFix back in September amongst
the other various repair attempts. I did not attempt to "uninstall"
or otherwise clean the system of traces of previous ComboFix
"installations" or runs. Just downloaded the newest copy from the
link(s) indicated, to the Desktop, and ran it (re-named an older copy
so as not to interfere with presence of the new one).

Did not find any log file C:\ComboFix.txt; also didn't find any
such file on Desktop (didn't look much farther than that though).


Recovery Console:

A previous installation of Recovery Console was on the system, from
previous ComboFix attempts; but was broken. So I removed this first
before running ComboFix this time (manual removal instruction from MS
knowledgebase).

Upon this run of ComboFix, it appeared to successfully install Recovery
Console again; but (after cold-restarting system) attempts to boot into
Recovery Console to see if it is working failed ("corrupted" system file
amongst Recovery Console files).

Restore Point:

- a new restore point does not appear to have been created by ComboFix


Antivirus (re: disabling antivirus software before running ComboFix):

As stated, I had had an installation of Norton Internet Security
prior to the infection in September. However, as part of the infection,
it appears to have been disabled/damaged.

I checked in the Task Manager task listing - it does not seem to be running
(main NIS process "ccsvchost.exe" is not present).

Anyway it does not appear to be running. And for what it's worth,
Windows Security Center does not appear to recognize the presence of any
antivirus software currently installed.

But I have not attempted to uninstall it either so all the installed
application files comprising NIS are still on the system as far as I know,
except for however they may have been damaged/altered/removed by the infection.



So in summary:

- could try to completely uninstall NIS (I know Symantec has programs that
are supposed to remove all traces of any installation) but have not tried this

- could try to remove previous traces of previous ComboFix installations/runs ?

- not sure if broken Recovery Console means anything


But have not tried any of that. Just ran the newest ComboFix as indicated,
then cold-restarted the system. I did not try to re-run ComboFix or do anything
else at this point.

#6 CatByte (Malware Response Team)

Posted 10 December 2011 - 10:12 AM

Hi

Try using the Norton Removal tool first

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


Now delete the copy of ComboFix that you have on your system and download a fresh copy,

then do the following:

Press the WinKey + R to open a run box:

Copy/paste the following text into the open run box > Click OK

ComboFix /nombr



#7 snoopy8 (Topic Starter)

Posted 11 December 2011 - 03:37 AM

Hello,

I did as suggested/instructed and got a different result this time - ComboFix
seems to have run to completion.

Details and Notes:

NIS Removal

- used Norton Removal Tool

- tool appears to have reported successful uninstallation

- a brief check of filesystem seems to show NIS files all removed
(one file left in C:\program files\common files\symantec but assuming this is irrelevant)


ComboFix Run

- deleted previous combofix executables from Desktop, ran fresh newly-downloaded copy

- appears to have run to completion


ComboFix - additional notes

- As mentioned, I had previously not removed traces of previous ComboFix runs.
What I may not have mentioned, is that part of this was an unusual folder/link
of some sort called "My Computer", under C:\. When going into this, it appeared
to contain a representation of what you would expect to find under My Computer
if you double-click on it or otherwise enter it with Windows Explorer: drive listing etc.

I had assumed this was some sort of link or virtual filesystem or something created by
previous ComboFix runs.

With this run of ComboFix, this was gone from under C:\ after the ComboFix run was completed.
I am assuming this is a good thing and means something happened the way it ought to have.

- Removed previous copies of ComboFix exe's from Desktop and ran new fresh copy with /nombr
from Run dialog as indicated


Notes on the ComboFix run:

- it didn't install the recovery console (since was there from previous)

- it did some sort of registry backup (this was something new unless I just missed it before)

- ComboFix restore point seems to have been created this time

- went through approx. 50 stages (or more?) as indicated by output in command window

- runtime was approx. 25 min. ?

- near end, around the time removal of some things was complete and a log was being created,
my Linksys wireless config applet popped up and wanted me to re-connect to a wireless network;
assuming this is normal (seemed to part of re-initialization of the desktop session or something)


Log file is attached.

Attached File: ComboFix.txt (17.34KB)

#8 CatByte (Malware Response Team)

Posted 11 December 2011 - 03:24 PM

what you have described is normal,

Please run the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#9 snoopy8 (Topic Starter)

Posted 12 December 2011 - 08:07 AM

Hello,

I have run as described and results are attached.

OTL run

- appeared to run to completion

- OTL.txt attached

- found no Extras.txt


MalwareBytes AntiMalware

- output attached


ESET scanner

- output attached


Attached File: OTL.Txt (117.21KB)
Attached File: mbam-log-2011-12-11 (14-27-59).txt (1.85KB)
Attached File: ESETSCAN.txt (4.14KB)

#10 CatByte (Malware Response Team)

Posted 12 December 2011 - 09:48 AM

Hi

Please run the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    SRV - File not found [Disabled | Stopped] --  -- (DBSYPIHDJ)
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58869
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58869
    IE - HKU\S-1-5-21-2505351160-2589800181-2619313026-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50162
    FF - prefs.js..extensions.enabledItems: ClickPotatoLite@ClickPotatoLite.com:10.0.621.0
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\ClickPotatoLite@ClickPotatoLite.com: C:\Program Files\ClickPotatoLite\bin\10.0.621.0\firefox\extensions
    [2011/09/18 23:43:11 | 000,004,320 | ---- | C] () -- C:\Documents and Settings\tr\Application Data\DFAE.2D1
    
    :Files
    C:\Documents and Settings\tr\Application Data\Sun\Java\Deployment\cache\6.0\1\27ac3f81-3cc1bf9e	
    C:\Documents and Settings\tr\Application Data\Sun\Java\Deployment\cache\6.0\59\5ee2d53b-522351e2	
    C:\Documents and Settings\tr\Application Data\Sun\Java\Deployment\cache\6.0\63\21d0e0bf-61993d67	
    C:\Documents and Settings\tr\Desktop\2011-07_pdf_and_pdf-word_tools_downloaded\foxtab_pdfconverter\PDFConverterSetup.exe	
    C:\Documents and Settings\tr\Desktop\vdownloader-download_2011-06\SoftonicDownloader_for_vdownloader.exe	
    C:\Documents and Settings\tr\Desktop\vdownloader-download_2011-06\VDownloaderSetup.exe	
    C:\Documents and Settings\tr\Desktop\vdownloader-download_2011-06\VDownloaderSetup[1].exe	
    C:\Documents and Settings\tr\Desktop\veoh-web-player_download_2011-11\VeohWebPlayerSetup_eng.exe	
    C:\Documents and Settings\tr\My Documents\Downloads\BitTorrent-6.2(2).exe	
    C:\Documents and Settings\tr\My Documents\Downloads\BitTorrent-6.2(3).exe	
    C:\Documents and Settings\tr\My Documents\Downloads\BitTorrent-6.2(4).exe	
    C:\Documents and Settings\tr\My Documents\Downloads\BitTorrent-6.2(5).exe	
    C:\Documents and Settings\tr\My Documents\Downloads\BitTorrent-6.2.exe	
    C:\Program Files\Eyetide Media\Eyetide Viewer\VVSNInst.exe	
    C:\Program Files\Mozilla Firefox.prev.2010-03-19\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll	
    C:\Program Files\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll	
    C:\Program Files\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe	
    E:\users\tr\download\BitTorrent-6.2.exe	
    E:\users\tr\other\gimmick_games\Felix2.exe	
    E:\users\tr\other\other\unkosher\play\screensavers\Eyetide Installer.exe	
    E:\users\tr\other\other\unkosher\play\screensavers\Eyetide Installer2.exe	
    E:\users\tr\screensavers\screensaver-downloads\popularscreensavers_2010-10\PopularScreenSavers.exe	
    E:\users\tr\screensavers\screensaver-downloads_2010-01\popularscreensavers_2.3.50\PopularScreensaversSetup2.3.50.62.ZRfox000.exe
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log


NEXT


Please advise how the computer is running now and if there are any outstanding issues

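Two indicators recur in this thread: the OTL fix above removes IE ProxyServer entries pointing at http=127.0.0.1:58869 and 127.0.0.1:50162 under HKU\.DEFAULT, HKU\S-1-5-18 (LocalSystem) and the user's own SID, and the first post describes a process whose image name is two numbers separated by a colon, which the HijackThis ADS scan tied to an alternate data stream on C:\WINDOWS. The Python below is an added example, not code from the thread, from OTL or from HijackThis. It parses OTL-style "IE - HKU\..." lines (a constructed excerpt; the S-1-5-21-...-1010 account and its corporate proxy are invented to show what is not flagged) and a constructed task-list excerpt, and it generalizes both checks: any ProxyServer value, including multi-scheme lists, and any image name whose file-name part contains a colon.

```python
"""Added triage helpers: loopback IE proxy settings per registry hive, and
process image names that are really NTFS alternate data streams (ADS)."""
import re
from typing import Dict, List

# Constructed sample in the shape of OTL's "IE - HKU\..." lines. The first five
# mirror the entries quoted in the fix above; the S-1-5-21-...-1010 account and
# its corporate proxy are invented here to show a non-loopback proxy is left alone.
SAMPLE_OTL_LINES = [
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58869',
    r'IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58869',
    r'IE - HKU\S-1-5-21-2505351160-2589800181-2619313026-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50162',
    r'IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080',
]

# Constructed task-list excerpt: normal system images plus two ADS-style names
# (a bare "NNNN:NNNN.exe" and a stream attached to the C:\WINDOWS directory).
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
    "1234567890:0987654321.exe", r"C:\WINDOWS:0987654321.exe", "svchost.exe",
]

OTL_IE_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion'
    r'\\Internet Settings: "(?P<name>ProxyEnable|ProxyServer)" = (?P<value>.+)$'
)
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# A colon is only legal inside an NTFS file name as the ADS separator.
ADS_NAME_RE = re.compile(r'^(?P<file>[^\\/:]+):(?P<stream>[^\\/:]+)$')


def hive_label(hive: str) -> str:
    """Say which account a HKU subkey belongs to (profile, not the key path)."""
    key = hive.split("\\", 1)[1]
    if key == ".DEFAULT":
        return "default profile (used by LocalSystem services)"
    if key == "S-1-5-18":
        return "LocalSystem"
    if key.startswith("S-1-5-21-"):
        return "interactive user account"
    return "other"


def parse_proxy_server(value: str) -> List[Dict[str, str]]:
    """Split 'http=127.0.0.1:58869;https=host:port' or plain 'host:port'."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append({"scheme": scheme or "all", "host": host.strip("[]"), "port": port})
    return entries


def is_loopback(host: str) -> bool:
    return host.lower() in LOOPBACK_HOSTS or host.startswith("127.")


def find_loopback_proxies(lines: List[str]) -> List[Dict]:
    """One finding per hive whose ProxyServer points back at this machine."""
    per_hive: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = OTL_IE_RE.match(line.strip())
        if m:
            per_hive.setdefault(m["hive"], {})[m["name"]] = m["value"].strip()
    findings = []
    for hive, settings in per_hive.items():
        server = settings.get("ProxyServer")
        if not server:
            continue
        ports = sorted({e["port"] for e in parse_proxy_server(server) if is_loopback(e["host"])})
        if ports:
            findings.append({
                "hive": hive,
                "account": hive_label(hive),
                "ports": ports,
                # A ProxyEnable line absent from the excerpt is unknown, not 0.
                "enabled": settings.get("ProxyEnable", "unknown"),
            })
    return findings


def find_ads_named_processes(image_names: List[str]) -> List[Dict[str, str]]:
    """Flag image names whose file-name part has a colon: 'NNNN:NNNN.exe' means the
    code runs out of a stream attached to file 'NNNN'. Drive letters are stripped."""
    hits = []
    for name in image_names:
        base = re.sub(r'^[A-Za-z]:\\', '', name).rsplit("\\", 1)[-1]
        m = ADS_NAME_RE.match(base)
        if m:
            hits.append({"image": name, "host_file": m["file"], "stream": m["stream"]})
    return hits


if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_OTL_LINES):
        print(f"loopback proxy in {f['hive']} ({f['account']}) ports={f['ports']} ProxyEnable={f['enabled']}")
    for h in find_ads_named_processes(SAMPLE_PROCESSES):
        print(f"ADS-named image {h['image']!r}: stream {h['stream']!r} on {h['host_file']!r}")
```

A loopback proxy on a random high port, with no proxy software installed, is how the browser redirects get inserted: every IE (and WinINET) request is handed to a local listener first. Legitimate local filtering proxies also use 127.0.0.1, so before deleting the entries confirm which process owns the listening port (netstat -ano on XP) and that it is not a product you installed. Entries under .DEFAULT and S-1-5-18 matter even if no user logs in there, because services and the logon screen inherit that profile.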


#11 snoopy8 (Topic Starter)

Posted 12 December 2011 - 06:09 PM

Hello,

I have run the OTL custom fix and I am attaching the results.

If it is OK, I would like to evaluate the system a little bit
and post again regarding the state of things and whether there
are outstanding issues (I would like to reinstall firefox and
see how things are running - assuming doing something like
reinstalling firefox is OK at this point).

Attached is the latest log.

Attached File: 12122011_083337.log (11.42KB)

#12 CatByte (Malware Response Team)

Posted 12 December 2011 - 06:54 PM

yes, looks good

reinstall FireFox

also make sure your Java is up to date

Your Java is out of date.
Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Let me know how the computer is running, if it is OK then we can clean up the tools



#13 snoopy8 (Topic Starter)

Posted 14 December 2011 - 03:31 PM

Hello,

Thanks for a little bit of patience. I have now updated firefox with
a fresh installation and tried things a little bit. (I spent a bit of
time reading up on uninstallation to manually get out old profile data and
program files etc.)

(But, I didn't get as far as manually removing any old registry stuff
- assuming this probably won't matter I hope).

As far as I can tell things seem to work OK. Firefox is back to normal
- a little sluggish occasionally compared to other browsers (chrome &
Safari) but I think it's just a firefox issue at this point. (Extraordinarily
sluggish and erratic performance of Firefox, especially when first launched,
was one of the symptoms following the infection and also a marred firefox
GUI which made me think firefox was specifically damaged. But it seems more
OK now, probably back to how it should be).



I guess one question I have, if I may ask, is: I was a little concerned
about uninstalling Firefox because I know sometimes an uninstall uses a
.exe supplied by the app, and believing firefox to have been compromised
I could not be sure that the uninstall .exe (if there is one) was not also
compromised in some way. But not finding any such thing as a firefox
removal tool or instructions for a full manual uninstall, I went ahead
and used add/remove programs to do it. I would have preferred to avoid that
but I was not sure what else to do.

In the same vein, when the infection first occurred, one of the first things I
did was to try another browser - MS Internet Explorer - which at the time
also displayed the redirect behavior. I rarely use IE and have not tried it
again since then (I've been using chrome and Safari during the interim).


So

1) Is there any reason to be worried about firefox because of having run the
uninstall which may (or may not) have used a .exe supplied by firefox during the
uninstallation (and which may or may not have been infected in the first place)?

2) Is there any reason now, to uninstall and reinstall IE?


Or are the above just being paranoid. After all I am assuming if there were a
problem in either of the above, it would have showed up in the scan(s) and/or
fix(es).



Whew! Sorry if that's a little long but that's the state of things - I see no
overt signs of infection right now and things seem mostly normal but those
are some lingering doubts or questions about it that I have.


Then the other question would be, is there any way to run a scan of some sort
and get a clean result to verify things are removed at this point (or is it
sufficient that the scans/fixes run to this point have been satisfactory?
For example would it be appropriate to try to run ComboFix to see if it gives
a clean result (and what about having had to run with the /nombr flag, does
that mean anything).


I actually launched GMER and ran a scan to see what would happen (I assumed
this is a noninvasive/nondestructive thing to do), and nothing came up at
initial launch (which I assume is good), in contrast to previously when
the tcp, udp etc. device paths would come up at initial launch. The full
scan revealed a much shorter list of things than before which I assume is good
(notably the aforementioned network device paths were absent). I could post
the log if you wish.

I also tried DDS, which froze (still) - not sure if this matters.


OK - sorry again for the length. Any answers or suggestions to any of the
above would be welcome, otherwise I am ready for whatever is appropriate to
do next.


By the way I also tried to update Java as indicated - nothing appeared to
happen (assuming it is in fact up to date?) - the Java tool indicated last
update was 3/6/2011.

#14 CatByte (Malware Response Team)

Posted 14 December 2011 - 05:42 PM

Hi,

there shouldn't be an issue with IE at this point.

Sometimes DDS and ComboFix get hung on mbr.exe on some machines, it doesn't mean the machine is still infected

Did you re-install Norton as your antivirus, is it up to date? If you are without an antivirus, give Microsoft Security Essentials a try, install it and run the program, let me know if it finds anything

http://www.microsoft.com/security_essentials/


try running ComboFix again allow it to update, but it probably won't run without the /nombr switch unless you have completely uninstalled Norton and there are leftovers interfering?



#15 snoopy8 (Topic Starter)

Posted 16 December 2011 - 03:25 PM

Hello,

I hope the delay is OK again. The Microsoft security scan
in particular took a while and I did a few other things too.

I have not reinstalled Norton yet - my subscription had
expired and it was just running on whatever the latest
updates had been. I will probably re-activate it or
try some other paid solution at some point, but maybe I
will wait a little while and try something free to see
how that works.


I have installed Microsoft Security Essentials as suggested,
and ran both a Quick Scan and a Full scan.

The Quick Scan detected an old screensaver I have had on
the system for years but haven't used much lately (it frequently
gets detected by antivirus programs) - I hadn't really inspected
setting before running the Quick Scan so it just took the default
action of completely removing it.

Other than that it didn't seem to find anything.



The Full Scan however found a few more things, but they seemed to be
just in the quarantine area(s) of some of the previously-run tools,
mostly OTL.

Notably something called

Exploit:Java/CVE-2010-0094.BW

as well as several variants of this, all with varying two-character
extensions in place of the .BW, about 7 of them altogether.

Also something called

Win32/Cycbot!cfg


I don't see a way to export a report about it (?) but attached is
a cut-and-paste of the information regarding the first one of the Java
exploits, as well as the Win32/Cycbot item. I could cut and paste more of
these if desired.


I did try ComboFix again with allowing it to update. You are right,
it did not run without /nombr.

I did something like the following:

1) ran ComboFix (with update) with /nombr - ran to completion

2) tried without /nombr - system froze, hard-restarted

3) ran again with /nombr - ran to completion again, log file was
largely similar but slightly different.


I have attached the two ComboFix run logfiles if you wish to look at them.



Also, I did a couple of GMER scans to see what would happen and I have
attached these. (They were at different times, maybe one was before
running MS Security Essentials and the second was after, or something
like that).

Attached File: Explot_Java_CVE-2010-0094.BW__info.txt (1.04KB)
Attached File: Backdoor_Win32_Cycbot!cfg__info.txt (859 bytes)
Attached File: COMBOFIX-nombr.txt (16.13KB)
Attached File: COMBOFIX-nombr-2.txt (14.75KB)
Attached File: GMER.log (5.85KB)
Attached File: GMER-2.log (6.31KB)
