
Lingering Problem?


  • This topic is locked
10 replies to this topic

#1 luddy

  • Members
  • 18 posts

Posted 21 April 2012 - 09:07 AM

Win7 SP1 x64
NIS 2011

Ran a setup.exe from unknown source and something tried to export my VPN key (saw my VPN info on screen waiting for password to export) and received a bunch of svchost popups for outbound firewall, all of which I blocked.

Rebooted machine, ran Trojan Remover and Malware Bytes quick scan, which found nothing. Also ran Malware Bytes full scan of C drive with nothing found.

Found 3 folders (from time of incident) under my Roaming folder (C:\Users\John\AppData\Roaming) with various files---deleted all 3 folders.

Utom folder
    wyhou.exe

Ripey folder
    ocubc.woo file

tor folder
    hidden_service folder
        hostname file
        private_key file
    lock file
    state file



Any ideas what this is? I want to make sure it is all gone.

During all the svchost popups from my NIS firewall, they wouldn't stop even though I kept clicking not allowed, so I eventually rebooted while setup.exe was running.

UPDATE: This setup.exe was run around 1:30pm on 4/20/2012.

I did find this: https://www.torproject.org/docs/hidden-services.html.en

Attached Files


Edited by luddy, 21 April 2012 - 10:57 AM.
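A defender's triage script for the folder layout described in the post above, added here as an example and not code from the original post or from any tool named in the thread: it walks a directory standing in for the Roaming folder, lists subfolders last touched within the incident window, and flags any Tor hidden_service directory that holds both a hostname and a private_key file. The sample folder tree and the 1:30 PM timestamp are constructed from the post; the hostname and key contents are placeholders.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

TOR_MARKERS = {"hostname", "private_key"}  # files of a Tor hidden-service dir, as listed in the post

def find_tor_hidden_service_dirs(root):
    """Return each 'hidden_service' directory under root that holds both marker files."""
    return sorted(Path(d) for d, _, files in os.walk(root)
                  if Path(d).name == "hidden_service" and TOR_MARKERS <= set(files))

def find_dirs_modified_between(root, start, end):
    """Top-level subdirectory names of root last modified within [start, end].
    mtime is used so the sample below can set it portably; on a live Windows box
    st_ctime (creation time) is the better 'appeared at incident time' signal."""
    return sorted(e.name for e in os.scandir(root) if e.is_dir(follow_symlinks=False)
                  and start <= datetime.fromtimestamp(e.stat().st_mtime) <= end)

def triage(root, start, end):
    """One report keyed by finding type; paths are relative to root."""
    root = Path(root)
    return {
        "recent_dirs": find_dirs_modified_between(root, start, end),
        "tor_hidden_services": [p.relative_to(root).as_posix()
                                for p in find_tor_hidden_service_dirs(root)],
    }

def build_sample_roaming(base):
    """Constructed sample: the post's three folders plus one older, unrelated folder."""
    base = Path(base)
    for folder, name in (("Utom", "wyhou.exe"), ("Ripey", "ocubc.woo")):
        (base / folder).mkdir()
        (base / folder / name).write_bytes(b"")
    hs = base / "tor" / "hidden_service"
    hs.mkdir(parents=True)
    (hs / "hostname").write_text("placeholder.onion\n")  # constructed placeholder
    (hs / "private_key").write_text("PLACEHOLDER\n")     # constructed placeholder
    incident = datetime(2012, 4, 20, 13, 30).timestamp()  # time given in the post
    for name in ("Utom", "Ripey", "tor"):
        os.utime(base / name, (incident, incident))
    (base / "Adobe").mkdir()                              # older, benign folder
    os.utime(base / "Adobe", (datetime(2012, 1, 1).timestamp(),) * 2)
    return base

def demo():
    """Run the triage over the constructed sample for the hour around the incident."""
    base = build_sample_roaming(tempfile.mkdtemp())
    return triage(base, datetime(2012, 4, 20, 13, 0), datetime(2012, 4, 20, 14, 0))
```

On a real machine, point triage() at the actual Roaming path and the known incident window; the older folder in the sample shows that unrelated profile directories are filtered out.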



#2 nasdaq

  • Malware Response Team
  • 39,551 posts
  • Location:Montreal, QC. Canada

Posted 26 April 2012 - 09:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your DDS log is clean.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

Please let me know what problem persists.

#3 luddy

  • Topic Starter
  • Members
  • 18 posts

Posted 26 April 2012 - 06:28 PM

I downloaded ComboFix and SecurityCheck as requested. I disabled NIS 2011 antivirus for 5 hours and shut down MalwareBytes. I started ComboFix and it gave a warning about Norton still running, so I disabled the firewall for 5 hours as well. It gave one more warning and continued. It has been sitting at Completed Stage_4 for over 2 hours now. Any ideas how to proceed? I see no disk activity or anything. PC is still responsive and not hung. Started Task Manager and see pev.exe increasing handles using 13% CPU and two CF13810.exe running but not using CPU. Waiting to hear from you.

Note that after reboot back on 4/20 I have not seen any issues on this machine. Full MBAM scan of OS drive was clean, Trojan Remover scan also clean. NIS has not alerted on anything strange.

WOW, it finally finished...or at least it said it did. Attached is the log. Also attached is the SecurityCheck log.

Edited by luddy, 27 April 2012 - 10:13 AM.


#4 nasdaq

  • Malware Response Team
  • 39,551 posts
  • Location:Montreal, QC. Canada

Posted 27 April 2012 - 07:17 AM

Your logs are clean.

For your added security.

Learn how to install Windows 7 Service Pack 1 (SP1)
http://windows.microsoft.com/installwindows7sp1
===

Please let me know of any remaining issues with this computer.

#5 luddy

  • Topic Starter
  • Members
  • 18 posts

Posted 27 April 2012 - 07:34 AM

That's good news. I already have SP1 installed.

Is there anything I need to do to clean up the ComboFix software? This morning I noticed IE asked if it should be my default browser so obviously it made some changes. This was before I rebooted.

Thanks!

#6 nasdaq

  • Malware Response Team
  • 39,551 posts
  • Location:Montreal, QC. Canada

Posted 27 April 2012 - 09:29 AM

The security tool is not reporting it correctly. I will investigate.

Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is enabled


===

IE default browser issue.
Go to Tools > Internet Options > Programs (tab) and uncheck "Internet Explorer should check to see whether it is the default browser".

===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#7 luddy

  • Topic Starter
  • Members
  • 18 posts

Posted 27 April 2012 - 09:48 AM

Thanks for your help. Would you remove the logs I posted from this "case" for security purposes? Thanks nasdaq!

#8 nasdaq

  • Malware Response Team
  • 39,551 posts
  • Location:Montreal, QC. Canada

Posted 27 April 2012 - 10:08 AM

Do you mean the logs you attached?

If this is the case I cannot remove them.

#9 luddy

  • Topic Starter
  • Members
  • 18 posts

Posted 27 April 2012 - 10:16 AM

I was able to delete the ComboFix and SecurityCheck logs but not the DDS or attach.txt logs. I don't want the thread removed, just the files I attached, but it looks like it is impossible even for me to edit the original post.

Thanks for all your help!

Edited by luddy, 27 April 2012 - 10:26 AM.


#10 nasdaq

  • Malware Response Team
  • 39,551 posts
  • Location:Montreal, QC. Canada

Posted 28 April 2012 - 07:38 AM

The logs are on the server and I cannot access them either.

#11 nasdaq

  • Malware Response Team
  • 39,551 posts
  • Location:Montreal, QC. Canada

Posted 04 May 2012 - 09:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
