GAC_MSIL


This topic is locked
26 replies to this topic

#1 mlk23

Posted 07 March 2012 - 04:45 PM

Hello,

My computer was infected 10 days ago with the 'FedEx invoice' Trojan. For the last week I have been running scans non-stop using McAfee, McAfee's Stinger and Malwarebytes. In the few days following the FedEx infection, they were finding and deleting various Trojans, but for the last week none of the tools have found anything to worry about. However, I ran the McAfee getsusp tool, and it listed 96 files as suspicious, almost all in the folder Windows/assembly/GAC_MSIL. (The log is attached.)

A BleepingComputer moderator sent me to http://www.bleepingcomputer.com/forums/topic34773.html and told me to do steps 6-9. I have disabled my CD emulator software using Defogger, but I cannot download dds.scr. When I click the link it does not download. If I try to force it to open in a new window, it just brings up a blank tab. (I thought McAfee or Malwarebytes might be preventing the download, so I temporarily disabled them, but the same thing happened.)


I would appreciate any help you can give me.
Yours,
mlk23


#2 mlk23 (Topic Starter)

Posted 08 March 2012 - 07:18 AM

10 days ago, I had the 'FedEx invoice' virus on my computer. I ran Malwarebytes, McAfee and Stinger scans, and in the few days following the infection they found and deleted a few Trojans. For the past week they have found nothing. However, getsusp has found 96 suspicious files on my computer, most of them in the Windows>Assembly>GAC_MSIL folder. The getsusp log is attached.

I have attached the DDS logs as requested.

I have also run GMER but it said that it found no modification, and returned a blank log. That said, the system, section, devices, modules, processes, thread and libraries boxes were all greyed out (and could not be ticked), so they were not scanned.

I appreciate all and any help you can offer,
mlk23

EDIT: Topics merged ~Budapest

Edited by Budapest, 11 March 2012 - 06:36 PM.


#3 Blade81 (Malware Response Team)

Posted 12 March 2012 - 04:45 AM

Hi,

If help is still needed, post fresh DDS logs, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#4 mlk23 (Topic Starter)

Posted 12 March 2012 - 07:04 AM

New DDS reports attached.

Thank you!

Attached Files

  • Attached File  DDS.txt   15.7KB   1 downloads



#5 Blade81 (Malware Response Team)

Posted 12 March 2012 - 11:13 AM

Hi again,


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#6 mlk23 (Topic Starter)

Posted 12 March 2012 - 12:27 PM

I have attached the combo fix log. (As it ran, I kept getting a message to say that it could not find NIRKMD, and to check that I had typed the name correctly. I just OK-ed the message away, since that seemed to be all I could do.)

I cannot run dds.scr again, because when I try to do so, I get a message saying 'Illegal operation attempted on a registry key that has been marked for deletion.' I get the same message when I try to re-enable McAfee or Malwarebytes, and when I go into (as far as I can tell) every application on my computer.

Panicking a bit here!

Attached Files

  • Attached File  log.txt   15.89KB   4 downloads


#7 Blade81 (Malware Response Team)

Posted 12 March 2012 - 12:34 PM

Hi,

Reboot should make it possible to run those again.



#8 mlk23 (Topic Starter)

Posted 12 March 2012 - 01:33 PM

Hi,

Ah, as you say, the reboot put an end to that panic - thank you!

Attached are the new DDS files (and the same Combo log which I attached previously).

Yours,
mlk23



#9 Blade81 (Malware Response Team)

Posted 13 March 2012 - 07:05 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
DirLook::
C:\ProgramData\F4D561F3000ABF93001FFB51B4EB2367


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScript being dragged onto ComboFix.exe]

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Get Adobe Reader update 10.1.2 here or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...


Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 7 Update 3.
  • Click the Download button under JRE.
  • Check the box that says: Accept License Agreement.
  • Click on the jre-7u3-windows-i586.exe link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u3-windows-i586.exe to install the newest version.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.



#10 mlk23 (Topic Starter)

Posted 14 March 2012 - 11:41 AM

Sorry to take so long. I have done all that. Attached are a new combofix log and new DDS logs. ESET did not create a log, but just said at the end that it found no infections.




#11 Blade81 (Malware Response Team)

Posted 15 March 2012 - 01:14 AM

Hi,

No problem with the delay :). Go to c:\programdata folder and delete F4D561F3000ABF93001FFB51B4EB2367 subfolder if it exists there. How's the system running?



#12 mlk23 (Topic Starter)

Posted 15 March 2012 - 07:38 AM

Hello!

That subfolder was there so I've deleted it. The system is running fine as far as I can tell.

Yours,
mlk23

#13 Blade81 (Malware Response Team)

Posted 15 March 2012 - 09:49 AM

Good. Let's see the final steps then :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the same steps you used when disabling System Restore, but at step 7 select the Restore system settings and previous versions of files option.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.


Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alerted to vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)



#14 mlk23 (Topic Starter)

Posted 15 March 2012 - 12:18 PM

Hello! I have done all those things. I still have a couple of queries though, I'm afraid.

1) Windows Defender is no longer working. (It was fine earlier today.) I get a message saying that a problem caused this program's service to stop. I clicked the 'Start now' button to force it to restart but I just got a time out error message (0x800705b4). A reboot does not help.

2) I also ran getsusp again, which was what alerted me in the first place that there was a problem on my computer. It is still highlighting 96 files on my computer as suspicious, most of them still in the windows>assembly>GAC_MSIL folder. I have attached the log. Maybe this is nothing to worry about? :huh:

Yours,
mlk23




#15 Blade81 (Malware Response Team)

Posted 16 March 2012 - 12:50 AM

1) Please post fresh dds logs.

2) I don't think those are anything to worry about.

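A check that follows up on the GAC_MSIL question in posts #14 and #15, added here as an example; it is not part of the thread and not code from getsusp, ComboFix or any other tool mentioned. It assumes an elevated PowerShell 2.0 or later on Windows 7 or newer, and the output path on the desktop is an arbitrary choice.

```powershell
# Added example (not from the thread): triage files a heuristic scanner flagged
# under Windows\assembly\GAC_MSIL by checking their Authenticode signatures.
# Assumption: run as Administrator; PowerShell 2.0+ syntax (no -File switch).
# Caveat: NotSigned is not conclusive on its own. Many Windows files are signed
# through security catalogs rather than embedded signatures, and older
# PowerShell versions do not consult catalogs. Compare those against a
# known-good copy of the same Windows build instead of treating them as bad.

param(
    [string]$Root   = (Join-Path $env:SystemRoot 'assembly\GAC_MSIL'),
    [string]$OutCsv = (Join-Path $env:USERPROFILE 'Desktop\gac_msil_sigcheck.csv')
)

$results = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(dll|exe)$' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = ''
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path      = $_.FullName
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTime
            Status    = $sig.Status
            Signer    = $subject
            Microsoft = ($subject -match 'O=Microsoft Corporation')
        }
    }

# Summary: how many files fall into each signature status.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Worth a closer look: a signature that fails verification (hash mismatch,
# untrusted chain) or a valid signature from a signer other than Microsoft.
$suspect = $results | Where-Object {
    ($_.Status -eq 'Valid' -and -not $_.Microsoft) -or
    ($_.Status -ne 'Valid' -and $_.Status -ne 'NotSigned')
}
$unsigned = $results | Where-Object { $_.Status -eq 'NotSigned' }

"Non-Microsoft or invalid signatures: $(@($suspect).Count)"
$suspect | Select-Object Path, Status, Signer | Format-Table -AutoSize
"No embedded signature (verify against a known-good copy): $(@($unsigned).Count)"

# Keep the full listing so it can be compared with the scanner's log.
$results | Sort-Object Status, Path | Export-Csv -Path $OutCsv -NoTypeInformation
"Full results written to $OutCsv"
```

A recently modified file whose signature fails verification, or a valid signature from an unexpected signer, is a stronger lead than a heuristic hit on an unmodified, Microsoft-signed assembly.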
