
Suspicious Unclosable iexplorer.exe in Task Manager


  • This topic is locked
8 replies to this topic

#1 Ajantes

Ajantes

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 16 September 2012 - 05:37 AM

This is a slightly strange post for help, and I hope you won't consider it a waste of your time to reply. It involves undirected use of ComboFix, which I only realised afterwards can be hazardous and is not advised. Rather than plough on and compound my mistake, I thought I'd ask for some help/get some reassurance.

I noticed that I had a couple of iexplorer.exe processes running in Windows Task Manager, which I thought was odd as I use Firefox instead of IE. As they reappeared instantly whenever I closed them, I assumed they were a sign of malware. I ran HijackThis to see if there was anything I didn't recognise from previous scans in there, and there were a few things which looked fishy to me. However, it's been ages since I last used it, I've added lots of software to my PC since then, and I'm not really confident enough with tech in general to simply use HijackThis to remove stuff I don't like.

I therefore searched google for the 'unwanted iexplorer.exe' symptom and followed the instructions given to someone else for cleansing his system. I downloaded and ran Malwarebytes' Anti-Malware, which found and removed one virus, but the iexplorer.exes were still running. I then downloaded and ran ComboFix, which deleted several files and seemed to fix the problem (getting rid of the iexplorer.exes). Running HijackThis to recheck for the suspicious-looking entries, I found it clean.

My problem is this: I'm not sure what sort of files ComboFix removed, and therefore how badly compromised my PC was, or even if it still contains traces of malware. In particular, I'm not sure if I need to i) reset passwords and ii) get a new credit card issued, and I certainly don't want to take these steps until I know my PC's clean.

I'm therefore submitting the DDS and GMER logs as requested in the hopes that you can tell me whether my system's clean or not. Please note that these logs were created AFTER I ran ComboFix.

While I understand that it might be of little use to you, I'm also going to attach the ComboFix log (from the ComboFix scan I ran BEFORE doing the DDS/GMER scans), so you can see exactly what sort of files it found and removed from my system. I'm hoping that you can tell me whether any of the items removed were sufficiently nasty that I should consider resetting passwords/getting my credit card reissued. Don't worry, I understand that ultimately it's my decision and responsibility, but I was just hoping for some sort of reassurance about the level of threat my PC was exposed to by the malware it had before I ran ComboFix.

Also, I understand that it's advised to delete ComboFix from your system once you're done with it, but that any back-ups it makes are deleted along with it, so I wanted to make absolutely sure I was safe to get rid of ComboFix.

Apologies for failing to follow the proper procedure in the first place. It wasn't until I was doing some browsing around the subject after using ComboFix that I realised running it unsupervised was a no-no! I hope you'll forgive the breach of procedure and can help me out.

Regards,

Ajantes


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Houghton at 9:02:37 on 2012-09-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3325.1611 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2090106
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\19.8.0.14\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\19.8.0.14\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.8.0.14\coIEPlg.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\ntunecmd.exe" boot "c:\users\houghton\appdata\local\nvidia corporation\ntune\profiles\userdflt.nsu"
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: o2.co.uk\*.broadband
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B5623776-CD9A-4AA5-894D-C63C3DE8A844} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{EF1EA3BD-EB87-4B02-9D75-F0711B46A108} : DhcpNameServer = 10.25.8.1
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\houghton\appdata\roaming\mozilla\firefox\profiles\r97v8zgq.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\users\houghton\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-4 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1308000.00e\symds.sys [2012-8-15 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1308000.00e\symefa.sys [2012-8-15 924320]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.5.0.145\definitions\bashdefs\20120905.001\BHDrvx86.sys [2012-8-31 995488]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1308000.00e\ccsetx86.sys [2012-8-15 132768]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2012-7-10 35560]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.5.0.145\definitions\ipsdefs\20120914.001\IDSvix86.sys [2012-9-14 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1308000.00e\ironx86.sys [2012-8-15 149624]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1308000.00e\symtdiv.sys [2012-8-15 345208]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-4-4 63928]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2012-8-3 476016]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe [2012-8-3 387440]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.8.0.14\ccsvchst.exe [2012-8-15 138272]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-9 106656]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2012-4-26 13224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-9-5 114144]
S3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2012-4-26 155320]
.
=============== Created Last 30 ================
.
2012-09-15 21:58:07 -------- d-----w- C:\Poker
2012-09-15 18:15:15 -------- d-----w- c:\users\houghton\appdata\local\PokerStars
2012-09-15 18:15:01 -------- d-----w- c:\program files\PokerStars
2012-09-15 17:09:40 -------- d-----w- c:\users\houghton\appdata\local\Trusteer
2012-09-15 16:49:25 -------- d-sh--w- C:\$RECYCLE.BIN
2012-09-15 16:33:07 98816 ----a-w- c:\windows\sed.exe
2012-09-15 16:33:07 518144 ----a-w- c:\windows\SWREG.exe
2012-09-15 16:33:07 256000 ----a-w- c:\windows\PEV.exe
2012-09-15 16:33:07 208896 ----a-w- c:\windows\MBR.exe
2012-09-15 16:32:57 -------- d-----w- C:\ComboFix
2012-09-15 15:39:08 -------- d-----w- c:\users\houghton\appdata\roaming\Malwarebytes
2012-09-15 15:38:57 -------- d-----w- c:\programdata\Malwarebytes
2012-09-15 15:38:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-15 15:38:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-06 12:32:34 -------- d-----w- c:\users\houghton\appdata\local\{AC235EFE-F558-11E1-8270-B8AC6F996F26}
2012-09-05 16:29:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-09-05 16:29:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-09-05 16:29:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-09-05 16:29:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-09-05 16:29:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-09-05 16:29:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-09-05 16:29:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-09-05 15:34:29 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-05 07:11:45 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-09-04 05:05:22 2047488 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-09-05 16:41:33 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-09-05 15:33:54 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-05 15:33:54 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-06 18:43:46 4927856 ----a-w- c:\windows\system32\hss-update.upd
2012-07-10 02:48:18 35560 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-07-06 02:17:57 574112 ----a-w- c:\windows\system32\drivers\nis\1308000.00e\srtsp.sys
2012-07-06 02:17:57 32928 ----a-w- c:\windows\system32\drivers\nis\1308000.00e\srtspx.sys
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-22 07:09:01 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2012-06-22 07:09:01 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2012-06-22 07:09:00 98816 ----a-w- c:\windows\system32\mfps.dll
2012-06-22 07:09:00 586240 ----a-w- c:\windows\system32\stobject.dll
2012-06-22 07:09:00 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2012-06-22 07:09:00 2873344 ----a-w- c:\windows\system32\mf.dll
2012-06-22 07:09:00 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2012-06-22 07:09:00 209920 ----a-w- c:\windows\system32\mfplat.dll
2012-06-22 07:08:59 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2012-06-22 07:08:58 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-06-22 07:08:58 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2012-06-22 07:08:58 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-06-22 07:08:58 478720 ----a-w- c:\windows\system32\dxgi.dll
2012-06-22 07:08:58 37376 ----a-w- c:\windows\system32\cdd.dll
2012-06-22 07:08:58 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2012-06-22 07:08:58 258048 ----a-w- c:\windows\system32\winspool.drv
2012-06-22 07:07:19 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2012-06-22 07:07:18 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2012-06-22 07:07:18 519680 ----a-w- c:\windows\system32\d3d11.dll
2012-06-22 07:07:18 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2012-06-22 07:07:18 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2012-06-22 07:07:18 252928 ----a-w- c:\windows\system32\dxdiag.exe
2012-06-22 07:07:18 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2012-06-22 07:07:18 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
.
============= FINISH: 9:03:02.94 ===============

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,749 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 AM

Posted 18 September 2012 - 09:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your logs are clean.

Please run these tools and submit the logs for my review.

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Remove the AdWare, PUP (Potentially Unwanted Program) identified by this tool.

Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

===

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Please let me know if you have any issues with this computer.

#3 Ajantes

Ajantes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 19 September 2012 - 01:30 PM

Hi nasdaq, thanks for taking the time to help me out, I really appreciate it.

Pasted below are the 3 logs you requested.

I'm pretty sure a lot of my 3rd party software is outdated, and may therefore be a potential risk. It was my intention to follow the process outlined elsewhere in this forum (http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/), and recommended by one of your fellow malware advisers in their sig, for ensuring these programs stay up to date. However, I wanted to wait for your all-clear before doing this, in line with the "don't download anything new until we give you the all-clear" instructions.


Results of screen317's Security Check version 0.99.51
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
CCleaner (remove only)
JavaFX 2.1.1
Java 7 Update 7
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader X 10.1.3 Adobe Reader out of Date!
Mozilla Firefox (15.0)
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````


# AdwCleaner v2.002 - Logfile created 09/19/2012 at 17:06:12
# Updated 16/09/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Houghton - HOUGHTON-PC
# Boot Mode : Normal
# Running from : C:\Users\Houghton\Desktop\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Mozilla Firefox\Extensions\afurladvisor@anchorfree.com
Folder Deleted : C:\ProgramData\~0

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Houghton\AppData\Roaming\Mozilla\Firefox\Profiles\r97v8zgq.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v21.0.1180.89

File : C:\Users\Houghton\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1117 octets] - [19/09/2012 17:04:12]
AdwCleaner[S2].txt - [1472 octets] - [19/09/2012 17:06:12]

########## EOF - C:\AdwCleaner[S2].txt - [1532 octets] ##########


C:\Qoobox\Quarantine\C\Users\Houghton\AppData\Roaming\acsqd.dll.vir a variant of Win32/Medfos.DC trojan cleaned by deleting - quarantined
C:\Users\Houghton\AppData\Local\{AC235EFE-F558-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan cleaned by deleting - quarantined
C:\Users\Houghton\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\71cfa04f-32369315 Java/Exploit.CVE-2009-3867.AK trojan deleted - quarantined
C:\Users\Houghton\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\1fe6b2f-6d28b96e a variant of Java/Exploit.CVE-2012-4681.AN trojan deleted - quarantined
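Added example (not part of Ajantes's post or of the ESET tool): a small PowerShell 3.0+ script that parses the one-line-per-hit format the ESET log above uses and sorts each hit by where the file sat, which is what tells a responder whether a hit was an exploit that arrived through the browser's Java plug-in, a file ComboFix had already quarantined, or a payload still sitting live in the user profile. The four sample lines are copied from the log above and used as the test input; the category names and the two decision rules at the end are the editor's own.

```powershell
# Added example, not part of the thread: triage ESET Online Scanner detection lines.
# Requires PowerShell 3.0 or later (for [pscustomobject]).
# The four sample lines are taken from the log posted above and serve as test input.
$SampleLog = @'
C:\Qoobox\Quarantine\C\Users\Houghton\AppData\Roaming\acsqd.dll.vir a variant of Win32/Medfos.DC trojan cleaned by deleting - quarantined
C:\Users\Houghton\AppData\Local\{AC235EFE-F558-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan cleaned by deleting - quarantined
C:\Users\Houghton\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\71cfa04f-32369315 Java/Exploit.CVE-2009-3867.AK trojan deleted - quarantined
C:\Users\Houghton\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\1fe6b2f-6d28b96e a variant of Java/Exploit.CVE-2012-4681.AN trojan deleted - quarantined
'@

function Get-EsetDetectionTriage {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    # Line shape: <path> [a variant of] <Platform/Family.Variant> <type> <action> - <status>
    $pattern = '^(?<path>.+?)\s+(?:a variant of\s+)?(?<name>\S+/\S+)\s+(?<type>\S+)\s+(?<action>.+?)\s+-\s+(?<status>\S+)$'

    foreach ($line in $Lines) {
        $m = [regex]::Match($line.Trim(), $pattern)
        if (-not $m.Success) { continue }      # header, blank or otherwise not a detection line

        $path = $m.Groups['path'].Value
        $name = $m.Groups['name'].Value
        $cve  = [regex]::Match($name, 'CVE-\d{4}-\d+')

        # Where the file sat decides what the hit means (category names are the editor's).
        $category = switch -Regex ($path) {
            '\\Qoobox\\Quarantine\\'      { 'quarantined-by-combofix'; break }  # ComboFix had already moved it; it was live on the host before that
            '\\Java\\Deployment\\cache\\' { 'java-exploit-cache'; break }       # exploit class file fetched by the browser Java plug-in
            default                        { 'dropped-payload' }                 # live file in the profile: assume it executed
        }

        [pscustomobject]@{
            Category  = $category
            Detection = $name
            CVE       = if ($cve.Success) { $cve.Value } else { '' }
            Action    = $m.Groups['action'].Value
            Path      = $path
        }
    }
}

$hits = Get-EsetDetectionTriage -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table Category, Detection, CVE -AutoSize

# Decision rules a responder applies to the summary (editor's rules, not ESET output):
if ($hits | Where-Object { $_.Category -eq 'java-exploit-cache' }) {
    'Java cache held exploit code: confirm the installed Java is newer than the CVEs listed, or remove the plug-in.'
}
if ($hits | Where-Object { @('dropped-payload', 'quarantined-by-combofix') -contains $_.Category }) {
    'A payload was on disk outside quarantine at some point: treat credentials used on this machine as exposed.'
}
```

Run against the four lines above it reports two java-exploit-cache hits (CVE-2009-3867 and CVE-2012-4681), one quarantined-by-combofix hit (the Medfos DLL) and one dropped-payload hit (the browser.xul redirector), and both rules fire. The second rule is the same reasoning nasdaq applies later in the thread when he says he would change the bank password.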

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,749 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 AM

Posted 19 September 2012 - 03:00 PM

Update these and let me know what problem persists.

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
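Added example (not part of nasdaq's instructions or of the Security Check tool): a PowerShell 3.0+ function that reads the installed Adobe and Java components from the Windows Uninstall registry keys and flags any below a minimum version. Only the Flash minimum (11.4.402.278) comes from the thread; the Reader and Java minimums, and the DisplayName patterns, are the editor's assumptions and should be replaced with the vendor's current release numbers.

```powershell
# Added example, not part of the thread: flag outdated Adobe/Java components.
# Minimum versions are assumptions to maintain yourself; only the Flash value is from the thread.
$Minimums = @{
    'Adobe Flash Player*' = '11.4.402.278'   # version named on the Flash download page in the thread
    'Adobe Reader*'       = '10.1.4'         # placeholder: anything newer than the 10.1.3 flagged above
    'Java 7 Update*'      = '7.0.70'         # placeholder: Java 7 Update 7 registers as 7.0.70 (assumption)
}

function Get-OutdatedComponents {
    param([Parameter(Mandatory=$true)][hashtable]$Minimums)

    # Both native and WOW64 uninstall hives; the second does not exist on 32-bit Vista,
    # so errors from it are silenced.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($namePattern in $Minimums.Keys) {
        $minimum = [version]$Minimums[$namePattern]
        foreach ($app in @($installed | Where-Object { $_.DisplayName -like $namePattern })) {
            $have = $null
            try { $have = [version]$app.DisplayVersion } catch { }   # some entries carry non-numeric strings

            if ($null -eq $have)         { $status = 'unparsed' }
            elseif ($have -lt $minimum)  { $status = 'OUTDATED' }
            else                         { $status = 'ok' }

            [pscustomobject]@{
                DisplayName    = $app.DisplayName
                DisplayVersion = $app.DisplayVersion
                Minimum        = $minimum.ToString()
                Status         = $status
            }
        }
    }
}

$report = Get-OutdatedComponents -Minimums $Minimums
$report | Sort-Object Status | Format-Table -AutoSize
```

A component that matches a pattern but whose version string cannot be parsed is reported as unparsed rather than silently skipped, so a renamed or oddly versioned entry does not hide an old plug-in. Flash installs separate ActiveX (Internet Explorer) and Plugin (Firefox) entries; the wildcard pattern covers both, which is why the Firefox user in this thread still needs the Plugin entry current even though IE is not used for browsing.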

#5 Ajantes

Ajantes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 19 September 2012 - 08:31 PM

I can't currently seem to update Flashplayer.

I tried to download the file from your link, and it provided me with a file that I could not run. When I double-clicked on it (or right clicked then chose 'Run as Administrator') it simply did nothing. I thought this seemed a bit suspicious, so I checked out the file's properties and noticed its publisher appears to be 'Solid State Networks', whereas Flashplayer and Reader files are usually published by 'Adobe Systems Inc.' The File Version was also listed as 3.3.3.0, instead of the 11.4.402.278 that was listed at the download page.

I tried to download the Reader update from your link too, and got exactly the same result: a file I couldn't run, published by Solid State Networks and that listed its version as exactly the same as the Flashplayer one: 3.3.3.0.

I tried heading straight to the Adobe page from google instead of going through your link, but the files I ended up with were exactly the same.

I'm not sure what's going on, but it seems as though there is either a problem with the latest versions of Flash and Reader that Adobe have put out, or the files are bogus. I certainly hope I haven't downloaded more malware onto my system!

In order to get around the fact that the Adobe site wasn't playing ball, I downloaded and ran the Secunia PSI tool I linked in the post above. This succeeded in updating Reader, but only updated my 'Version 10.XXX' Flashplayer to the most recent 10.XXX version, instead of the 11.XXX version.

Therefore, my Flashplayer is still not up to date. I'm hoping that the problem is on Adobe's end, and that I'll be able to download a properly runnable file when I try again tomorrow.

As for problems: my system doesn't seem to be suffering from any at all at the moment. As far as I can tell, everything is working perfectly, and there are no visible signs of malware at all.
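Added example (not part of Ajantes's post): a PowerShell function that does what the poster did by hand, but on the evidence that actually counts. The Publisher and File Version shown under Properties come from the file's version resource, which any publisher can fill in; the Authenticode signature is the only origin claim bound to the file's bytes. The function checks the signature chain and the signing certificate's subject and refuses anything that is unsigned, untrusted, or signed by someone other than the expected vendor. The installer file name and the 'Adobe Systems' subject substring are assumptions.

```powershell
# Added example, not part of the thread: verify who signed a downloaded installer before running it.
# Requires PowerShell 3.0 or later (for [pscustomobject]).
function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedSigner   # substring expected in the signing certificate's subject
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Authenticode: cryptographically bound to the file contents and chained to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Version resource: the strings Explorer's Properties > Details tab displays. Informational only.
    $vi  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)

    $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signedOk = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $signer
        CompanyName     = $vi.CompanyName      # informational only, not trusted for the verdict
        FileVersion     = $vi.FileVersion      # informational only, not trusted for the verdict
        Verdict         = if ($signedOk) { 'run' } else { 'do-not-run' }
    }
}

# Usage (file name is an assumption): a download from an Adobe page should carry a valid
# signature whose subject names Adobe. A valid signature from a different company, an
# unsigned file, or a broken chain all produce 'do-not-run'.
$report = Test-InstallerProvenance -Path "$env:USERPROFILE\Desktop\install_flashplayer.exe" -ExpectedSigner 'Adobe Systems'
$report | Format-List
if ($report.Verdict -ne 'run') {
    "Not running it: status=$($report.SignatureStatus), signer='$($report.Signer)'"
}
```

Note the distinction the verdict draws: a file that is validly signed by a third-party download manager is still rejected, because the question is not "is this signed" but "is this signed by the vendor I expect". That turns the poster's observation about a different publisher name into a repeatable check that does not depend on reading the Properties dialog.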

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,749 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 AM

Posted 20 September 2012 - 07:09 AM

This is an interesting page.
http://www.solidstatenetworks.com/solid-state-networks-unveils-digital-delivery-application-platform/

How this came to your system is unknown to me.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#7 Ajantes

Ajantes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 20 September 2012 - 09:29 AM

Combofix and the other various log-creators/scanners have all been removed now.

The system still seems to be clean.

I'm guessing that means we're at the end of the process here. One thing I was concerned about: given the files that were deleted during my ComboFix run (attached to my first post) and given the Trojans that ESET Scan found and removed, does it seem to you that my computer was infected with sufficiently nasty malware for me to need to reset all my passwords and take other measures to ensure my various online accounts aren't hacked? I've got lots of passwords for lots of things, and it'll be a real pain to reset and relearn them all. Obviously it'll be a bigger pain if my online bank account gets hacked and I lose a load of money though.

I understand that it's ultimately my choice and my responsibility if I decide or don't decide to do this, but I guess what I'm asking is this: given the files removed during the cleaning process, would you reset your various passwords if you were me? :)

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,749 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 AM

Posted 20 September 2012 - 10:48 AM

I would certainly change my bank password.

For the others, I'll let you decide their gravity.

#9 Ajantes

Ajantes
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 20 September 2012 - 01:13 PM

OK, I'll sort that out.

It seems as though we're done, so I just want to say thanks for helping me out. You guys offer a fantastic service here, especially considering you're doing it as volunteers.

Thanks again, and keep fighting the good fight! :)



