
Trojans Medfos.B, ZeroAccess, Fareit, Sirefef, and all their relatives - Need assistance!



Hello Woe_is_Me_n_myPC,

Let's look at the Windows Defender issue first.

Please see this Microsoft topic:

http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/391470b9-a577-441e-96ad-12b40ab78c93/

Try the suggestions there and let me know how that goes.


Hey DarkKnight,

Thanks for the link on the Windows Defender issue. No luck in getting it started, but I ended up doing a fair amount of research, and it turns out, this is a widespread issue. After it all, I think I am so-far satisfied with the explanation below (and in the two links), but wanted to see what your thoughts are.

do I need to have both windows defender and security essentials on at the same time

I just want to know if I must have windows defender and security essentials on at the same time, and how do I do this. I have tried to get into defender with no results.

Kosh Vorlon - MS MVP replied on February 15, 2012


MVP Community Moderator Community Star

Not only is it not needed, but it should not be done. When MSE installs, it disables Defender in Vista and W7 and uninstalls it in XP. Having both on at the same time would cause conflicts and problems. Every protection provided by Defender is included in MSE anyway. Please see the following: http://answers.microsoft.com/en-us/protect/forum/protect_start/windows-defender-and-microsoft-security-essentials/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd.

http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/security-essentials-and-windows-defender/4637cd8d-537e-44b4-a3ef-ed9e6a3e3ed2

I also manually downloaded the update file for Defender....turns out it is the exact same file as today's MSE update file. That bolstered my confidence quite a bit, but it seems a little weird to have a disabled-by-design program installed...

IE back button still works intermittently...about 50/50 working/not working, and the same with search from the address bar.

One other curiosity discovered after running Windows Repair-AiO is Windows Update stated I had 'Never' checked for Updates, and that Updates were installed 'Never.' The Update History (previously a two-year record of all updates) had been emptied. Apparently this was reset...is that how it works? Is there a backup of that info anywhere within the file system...just curious?

Thanks!

~Karen

Woe_is_Me_n_myPC


Hello Woe_is_Me_n_myPC,

Because you have MSE installed (silly me!) then yes Windows Defender can be disabled.

You may like to try reinstalling IE and seeing if that helps.

Apparently this was reset...is that how it works? Is there a backup of that info anywhere within the file system...just curious?

I am not familiar with this happening with the tool; I would have to check with the developer.

=====

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Hi DarkKnight,

***Below is the result from the ESET scan... Note, the log text is short with little info within it, thus I created a second file of the findings, which I captured from the user interface:

<file://C:\ProgramFiles(x86)\ESET\ESET Online Scanner\log.txt

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

====

ESETresults.txt>>>

C:\Users\Christian\AppData\Local\Microsoft\Windows Live Mail\Gmail (kare 49c\[Gmail]\Spam\51EC592E-000026B2.eml HTML/Phishing.LinkedIn.A trojan

C:\Users\Christian\Downloads\HomyFadsSetup.exe Win32/InstallMonetizer.AF application

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\updater-startnow-200-2.5-g[1].exe a variant of Win32/Toolbar.Zugo application

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\updater-startnow-200-2.5-g[1].exe a variant of Win32/Toolbar.Zugo application

====

***I have not yet reinstalled IE due to time restraints, but it also occurred to me that one of the threats above could be causing the anomalous behavior of IE9. Should I perhaps consider an IE reinstall after some cleanup is completed?

>>>>Update on IE9 Behavior:

  • Back button - improved functioning today (doesn't make sense, but it is better)
  • Search from address bar - works sometimes, other times NOT.
  • Discovered that my IE settings had been changed.
  • Some Google search results looked 'off' to me. I could be wrong here, but they just seemed off, and I'm a bit apprehensive nowadays about clicking on any 'ol site, so I didn't investigate.

***Found my list of installed updates here: Control Panel\Programs\Programs and Features\Installed Updates, but they are (still) gone from Control Panel\System and Security\Windows Update\View update history. Research indicates this commonly occurs when a file fixer or cleaner has been run.

***Also... 34 of my currently installed programs have the date reset to 2/17/2013 (date Windows Repair-AIO was run). [screenshot attached] Not sure of the rhyme or reason behind which ones were reset and those that were not. This worries me (mildly)...especially since Microsoft Office Professional Plus 2010 is on the list.

***There is a MSE update KB2804527 (actually an 'upgrade') available (listed as 'important' in Windows Update), which does not automatically install. I investigated and it seems many folks are having beaucoup problems installing the update. I thought it best not to pursue that until I get an all-clear from you. (Just want to ensure I'm in a stable position before embarking on that.) Google KB2804527 and you'll find pages of issues, all from the past few days.

Sorry for the long detail here, DarkKnight. Please let me know what I should do next!

~Karen

Woe_is_Me_n_myPC

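Added example, not part of the thread and not Karen's or DarkKnight's code: a small Python parser for the ESET Online Scanner result lines posted above. It splits each line into path, detection name and category, then orders the findings so that a genuine trojan or an executable that the user downloaded comes before a potentially unwanted application sitting in a browser cache (which a temp-file cleanup removes anyway). The location heuristic in classify_location is an assumption of mine, not ESET's classification; the three sample lines are copied from the post.

```python
import re

# Constructed sample input: the three result lines as the ESET Online Scanner
# displays them (path, detection name, category). Values copied from the post
# above; the parser itself is an added illustration, not an ESET tool.
SAMPLE_RESULTS = r"""
C:\Users\Christian\AppData\Local\Microsoft\Windows Live Mail\Gmail (kare 49c\[Gmail]\Spam\51EC592E-000026B2.eml HTML/Phishing.LinkedIn.A trojan
C:\Users\Christian\Downloads\HomyFadsSetup.exe Win32/InstallMonetizer.AF application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\updater-startnow-200-2.5-g[1].exe a variant of Win32/Toolbar.Zugo application
""".strip()

# A result line is "<path> <detection> <category>". Windows paths never contain
# a forward slash, and every ESET detection name does (e.g. Win32/Foo.A), so
# the first slash-bearing token marks where the path ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>\S+)$"
)


def classify_location(path):
    """Rough triage of where a detection sits; an assumed heuristic, not ESET's."""
    p = path.lower()
    if "temporary internet files" in p:
        return "browser-cache"   # cached web content, cleared by a temp-file cleanup
    if p.endswith(".eml") or "\\spam\\" in p:
        return "mail-store"      # a flagged message body, not an executed file
    if "\\downloads\\" in p:
        return "user-download"   # something the user fetched deliberately
    return "other"


def parse_results(text):
    """Turn the scanner's result lines into a list of finding dicts."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        findings.append({
            "path": path,
            "name": m.group("name"),
            "category": m.group("category"),
            "location": classify_location(path),
            "executable": path.lower().endswith((".exe", ".dll", ".scr")),
        })
    return findings


def triage(findings):
    """Order findings so trojans and executables outside a browser cache come
    first; potentially unwanted applications in cache directories come last."""
    def rank(f):
        return (
            0 if f["category"] == "trojan" else 1,
            0 if f["executable"] and f["location"] != "browser-cache" else 1,
        )
    return {
        "total": len(findings),
        "trojans": sum(1 for f in findings if f["category"] == "trojan"),
        "applications": sum(1 for f in findings if f["category"] == "application"),
        "ordered": sorted(findings, key=rank),
    }


if __name__ == "__main__":
    for f in triage(parse_results(SAMPLE_RESULTS))["ordered"]:
        print(f"{f['category']:12} {f['location']:14} {f['name']}  <- {f['path']}")
```

Run as-is, the phishing e-mail is listed first, the downloaded installer second, and the cached toolbar updater last; the last two paths in the original post (System32 and SysWOW64 copies) are separate files and would each appear as their own finding.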

Good evening Woe_is_Me_n_myPC,

To do this, please set Win7 to show hidden/system files and folders so that you can find them:

  • Please click Start and open My Computer.
  • On the Organize tab, click on Folder and search options.
  • On the View tab, uncheck Hide file extensions for known file types.
  • Also uncheck Hide protected operating system files (Recommended) and click Yes on the warning message.
  • Under Hidden files and folders, check Show hidden files, folders, or drives.
  • Click Apply.
  • Click OK and close My Computer.

I will give you instructions for hiding them again after it looks like your computer is clean.

=====

Now, please navigate to these files and delete them:

C:\Users\Christian\AppData\Local\Microsoft\Windows Live Mail\Gmail (kare 49c\[Gmail]\Spam\51EC592E-000026B2.eml

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\updater-startnow-200-2.5-g[1].exe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\updater-startnow-200-2.5-g[1].exe

=====

Should I perhaps consider an IE reinstall after some cleanup is completed?

Yes, I think that is a good idea.

of the rhyme or reason behind which ones were reset and those that were not. This worries me (mildly)...especially since Microsoft Office Professional Plus 2010 is on the list.

While it has reset some things like this, do not be concerned.

***There is a MSE update KB2804527 (actually an 'upgrade') available (listed as 'important' in Windows Update), which does not automatically install. I investigated and it seems many folks are having beaucoup problems installing the update. I thought it best not to pursue that until I get an all-clear from you. (Just want to ensure I'm in a stable position before embarking on that.) Google KB2804527 and you'll find pages of issues, all from the past few days.

Good idea.

=====

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Hi DarkKnight,

Files deleted (one already had been); and the results from Security Check....

====

Results of screen317's Security Check version 0.99.58

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

McAfee SiteAdvisor

Malwarebytes Anti-Malware version 1.70.0.1100

AVG PC Tuneup 2011

JavaFX 2.1.1

Java 6 Update 24

Java 7 Update 9

Java version out of Date!

Adobe Flash Player 11.5.502.149 Flash Player out of Date!

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Thunderbird (17.0.2)

Google Chrome 24.0.1312.56

Google Chrome 24.0.1312.57

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe

Cox Secure Online Backup for Windows Filesystem Watcher DigiData.FilesystemWatcher.Service.Watcher.exe

Cox Secure Online Backup for Windows Scheduler OnlineBackup.SchedulerService.exe

Cox Secure Online Backup for Windows Auto Update OnlineBackup.UpdateSystemTray.exe

Cox Secure Online Backup for Windows vewatch.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

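Added example, not part of the thread and not screen317's code: a Python audit of a Security Check checkup.txt like the one posted above. It skips the backtick section banners, collects every "out of Date!" line with its product and version, counts the Java runtimes that are installed side by side, and turns the result into plain findings. The sample log is an abridged copy of the post (the banners are rebuilt from backtick characters so the format matches); the "remove older Java runtimes" rule reflects the point made later in the thread that old Java versions stay installed, and exploitable, until uninstalled.

```python
import re

# Constructed sample: an abridged copy of the checkup.txt posted above, with
# the section banners rebuilt from backtick characters so the sample matches
# the real log format. The audit is an added illustration, not Security Check.
BT = "`" * 14
SAMPLE_CHECKUP = "\n".join([
    "Results of screen317's Security Check version 0.99.58",
    "Windows 7 Service Pack 1 x64 (UAC is enabled)",
    "Internet Explorer 9",
    BT + "Antivirus/Firewall Check:" + BT,
    "Windows Firewall Enabled!",
    "Microsoft Security Essentials",
    "Antivirus up to date!",
    BT + "Anti-malware/Other Utilities Check:" + BT,
    "McAfee SiteAdvisor",
    "Malwarebytes Anti-Malware version 1.70.0.1100",
    "JavaFX 2.1.1",
    "Java 6 Update 24",
    "Java 7 Update 9",
    "Java version out of Date!",
    "Adobe Flash Player 11.5.502.149 Flash Player out of Date!",
    "Adobe Reader 10.1.4 Adobe Reader out of Date!",
    "Google Chrome 24.0.1312.56",
    "Google Chrome 24.0.1312.57",
    BT + "Process Check: objlist.exe by Laurent" + BT,
    "Microsoft Security Essentials MSMpEng.exe",
    BT + "System Health check" + BT,
    "Total Fragmentation on Drive C: 0%",
    BT + "End of Log" + BT,
])

SECTION_RE = re.compile(r"^`+[^`]+`+$")                   # banner lines
OUTDATED_RE = re.compile(r"^(?P<product>.+?) (?P<version>\d[\w.]*) .*out of Date!$")
JAVA_RE = re.compile(r"^Java \d+ Update \d+$")            # one installed JRE


def audit_checkup(text):
    """Return out-of-date products, installed Java runtimes and a list of
    plain-language findings for a Security Check log."""
    out_of_date = []
    java_runtimes = []
    firewall_on = False
    av_current = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if line == "Windows Firewall Enabled!":
            firewall_on = True
        elif line == "Antivirus up to date!":
            av_current = True
        elif JAVA_RE.match(line):
            java_runtimes.append(line)
        elif line == "Java version out of Date!":
            # Security Check reports Java without a version on this line.
            out_of_date.append({"product": "Java", "version": None})
        elif line.endswith("out of Date!"):
            om = OUTDATED_RE.match(line)
            if om:
                out_of_date.append({"product": om.group("product"),
                                    "version": om.group("version")})

    findings = []
    if not firewall_on:
        findings.append("Windows Firewall is not reported as enabled")
    if not av_current:
        findings.append("antivirus signatures are not reported as current")
    for item in out_of_date:
        findings.append(f"{item['product']} is out of date")
    if len(java_runtimes) > 1:
        # Updating Java does not remove older runtimes; they stay exploitable
        # until uninstalled, which is why the thread has them removed first.
        findings.append(
            f"{len(java_runtimes)} Java runtimes installed; remove the older ones")
    return {"out_of_date": out_of_date,
            "java_runtimes": java_runtimes,
            "findings": findings}


if __name__ == "__main__":
    for finding in audit_checkup(SAMPLE_CHECKUP)["findings"]:
        print("-", finding)
```

On the sample this prints four findings: Java, Flash Player and Adobe Reader out of date, plus two Java runtimes installed side by side; the firewall and antivirus lines raise nothing because the log reports both as current.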

Good afternoon Woe_is_Me_n_myPC,

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

  • Please go to the below link and download the latest Windows 7 version:

http://www.java.com/en/download/manual.jsp

  • Save it to your Desktop.
  • Please go to Start>Control Panel>Programs.
  • Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them: javaicon.gif
  • Select Uninstall.
  • Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

=====

Next, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

Also, your version of Adobe Flash Player is out of date. Please follow these instructions to update to the latest version:

Go to the Adobe Global Notifications Update website here:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html#118377

A small box to the right within the window should load. Please select how often you would like Adobe to check for a new update for its Flash Player.

Note: This has to be done separately for Firefox and IE.

If a new version is found:

  • Please tick the License Agreement.
  • Click Install.
    Note: If you are running Mozilla Firefox all of its windows will need to be closed.
  • Click Done.

Note: In future if an update is available Adobe will notify you on your Desktop via the Adobe Download Manager.

=====

In your reply please let me know how the updates go and how your computer is running.


Hello DarkKnight,

Apologies for the delay, I had to travel unexpectedly but it gave me the opportunity to complete the Java, Reader and Flash Player updates, as well as review some of the other issues. Finally, last night I was in the process of preparing a forum reply to you when….

MSE detected Trojan JS/Seedabutor.B during real-time scanning. (Oy vey iz mir :( )

2013-02-26T05:07:31.697Z DETECTIONEVENT Trojan:JS/Seedabutor.B file:C:\Users\Christian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3T3XY9UN\most2[1].htm;

Security Essentials encountered the following error: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.

I quickly closed IE, which was set to delete temporary internet files upon exit. I believe that is why the MSE dialog indicated the malware wasn't found, plus, the Content.IE5 folder was empty when I checked it. A subsequent MSE full scan was clean, as was an MBAM quick scan, however, I've used Chrome, not IE, since this detection (24 hours ago).

This is the first concrete evidence of infection since 2/19, and, aside from the ongoing unstable behavior of IE9 over the past two weeks, my PC had been running pretty well.

====

Here is a rundown of changes I have made since your last post:

-Via Control Panel\All Control Panel Items\Programs and Features:

· Uninstalled Java 6 Update 24

· Uninstalled Java 6 Update 17 (64-bit)

· Uninstalled Java fx 2.1.1

· Uninstalled Java 7 Update 9 (Java se runtime environment 7)

· NOTE: Msi entry in Event viewer says Java Auto Updater removal failed

-At Java.com: Installed Java 7 Update 15 (Java se runtime environment) for 32-bit IE browser

-Manually downloaded & installed Java 7 Update 15 for my 64-bit IE browser

-Uninstalled Reader X (10.1.4)

-Installed Reader XI (11.0.2)

-Uninstalled Opera 12; Installed Opera 12.14

-Updated Flash Player:

· V 11.6.602.171 (32-bit) – Chrome

· V 11.6.602.168 (64-bit) – IE9

· V 11.6.602.168 (64-bit) – Opera

· Updated/Installed Flash Player 11 ActiveX

· Installed Shockwave 12.0.0.1

-Uninstalled Skype Click-to-Call v5.6.8442

-Disabled Bonjour (Apple) in via Windows Services Panel

-Woe is IE9 Notes:

· Continued unreliability (all intermittent) issues include: blank screen (new tab won’t load a page); tab will freeze, forcing me to close the tab; slow performance; back button and search from address bar malfunction; several app hangs. As mentioned before, I think IE settings have changed without my knowledge.

· Started IE without extensions and thought it ran better, but only used it in this mode for a short time.

· Disabled several extensions in an attempt to improve performance.

· Ran Microsoft FixIt – thought I would try this before resorting to the Uninstall/Reinstall option we discussed earlier.

· Today I opened a saved shortcut associated with IE, and when IE opened, a warning at the bottom of the browser stated that ‘Protected mode is turned off’ and something else (didn’t catch what it was) was turned off. I immediately clicked the option to turn them on, then quickly exited IE to avoid using it until I consult with you. I have never seen this message before, so I am now convinced the settings are somehow changing. Also, FixIt, which was run just 24 hours beforehand, should have returned IE to the default settings, correct?

====

-I think folks can sometimes go a little crazy trying to analyze errors in Event Viewer, so I try not to ever overthink it. BUT!… I have a recurring error (every ten minutes, non-stop) that I should mention, just in case it is connected to Trojan troubles. I discovered this a week or more ago, and investigated: It began within two minutes of the Windows Repair-AIO scan/reboot, and hasn't stopped since. Again, I don’t mean to muddy the water, as I can certainly deal with this later if it is an entirely separate issue. (Details at end of post, as an FYI)

====

Hoping this latest instance is an isolated incident (since it was just a temp Internet file), and not a lingering infection from the original attack, but how does one know?

Thank you for your continuing assistance!

~Karen

Woe_is_Me_n_myPC

Log Name: System

Source: Microsoft-Windows-DistributedCOM

Date: 2/26/2013 10:42:38 PM

Event ID: 10016

Task Category: None

Level: Error

Keywords: Classic

User: SYSTEM

Computer: laptop

Description:

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID

{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}

and APPID

{344ED43D-D086-4961-86A6-1106F4ACAD9B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />

<EventID Qualifiers="49152">10016</EventID>

<Version>0</Version>

<Level>2</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2013-02-27T04:42:38.000000000Z" />

<EventRecordID>596078</EventRecordID>

<Correlation />

<Execution ProcessID="0" ThreadID="0" />

<Channel>System</Channel>

<Computer>laptop</Computer>

<Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="param1">application-specific</Data>

<Data Name="param2">Local</Data>

<Data Name="param3">Launch</Data>

<Data Name="param4">{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}</Data>

<Data Name="param5">{344ED43D-D086-4961-86A6-1106F4ACAD9B}</Data>

<Data Name="param6">NT AUTHORITY</Data>

<Data Name="param7">SYSTEM</Data>

<Data Name="param8">S-1-5-18</Data>

<Data Name="param9">LocalHost (Using LRPC)</Data>

</EventData>

</Event>

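Added example, not part of the thread and not a Windows or Microsoft tool: a Python parser for the Event XML Karen pasted above. It reads the namespaced Event XML with the standard library, pulls the DCOM 10016 fields apart into the permission that was denied, the CLSID and APPID (which is what you need to locate the entry in Component Services, as the event text says), the account and SID, and then measures how regularly events with the same CLSID/APPID pair recur, so a "every ten minutes" pattern like the one described can be confirmed from the log rather than by eye. The XML is copied from the post; make_series is a constructed helper of mine that clones the sample event at a fixed interval because the post contains only one copy.

```python
import statistics
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The Event XML posted above, copied verbatim (CLSID and APPID are the ones
# from the post). The parser is an added illustration, not a Windows tool.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10016</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-27T04:42:38.000000000Z" />
<EventRecordID>596078</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>laptop</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Launch</Data>
<Data Name="param4">{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}</Data>
<Data Name="param5">{344ED43D-D086-4961-86A6-1106F4ACAD9B}</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">SYSTEM</Data>
<Data Name="param8">S-1-5-18</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
</EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one Event XML record into a dict of the fields worth keeping."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    t = sysnode.find("e:TimeCreated", NS).get("SystemTime")
    # Event XML carries nine fractional-second digits; strptime accepts six.
    when = datetime.strptime(t[:26] + "Z", "%Y-%m-%dT%H:%M:%S.%fZ")
    params = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "provider": sysnode.find("e:Provider", NS).get("Name"),
        "event_id": int(sysnode.find("e:EventID", NS).text),
        "level": int(sysnode.find("e:Level", NS).text),
        "time": when,
        "computer": sysnode.find("e:Computer", NS).text,
        "user_sid": sysnode.find("e:Security", NS).get("UserID"),
        "params": params,
    }


def describe_dcom_denial(ev):
    """For a DCOM 10016 event, pull out the fields needed to locate the entry
    in Component Services; returns None for any other event."""
    if ev["provider"] != "Microsoft-Windows-DistributedCOM" or ev["event_id"] != 10016:
        return None
    p = ev["params"]
    return {
        "permission": f"{p['param2']} {p['param3']}",   # e.g. "Local Launch"
        "clsid": p["param4"],
        "appid": p["param5"],
        "account": f"{p['param6']}\\{p['param7']}",
        "sid": p["param8"],
        "origin": p["param9"],
    }


def recurrence_interval(events):
    """Median gap in seconds between successive 10016 events that share the
    same CLSID/APPID pair; None if there are fewer than two such events."""
    by_key = {}
    for ev in events:
        d = describe_dcom_denial(ev)
        if d:
            by_key.setdefault((d["clsid"], d["appid"]), []).append(ev["time"])
    gaps = []
    for times in by_key.values():
        times.sort()
        gaps += [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None


def make_series(base_xml, count, step_seconds):
    """Constructed helper: clone the sample event at a fixed interval so the
    'every ten minutes' pattern described in the post can be measured."""
    base = parse_event(base_xml)
    series = []
    for i in range(count):
        ev = dict(base)
        ev["time"] = base["time"] + timedelta(seconds=i * step_seconds)
        series.append(ev)
    return series


if __name__ == "__main__":
    print(describe_dcom_denial(parse_event(SAMPLE_EVENT)))
    print("interval:", recurrence_interval(make_series(SAMPLE_EVENT, 6, 600)), "s")
```

With real exported events you would feed parse_event one record at a time and pass the list to recurrence_interval; a steady 600-second median is the "every ten minutes" Karen describes, whereas a denial that fires once, as DarkKnight judged this one to be, yields no interval at all.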

Hey there Woe_is_Me_n_myPC,

I think that is just an isolated incident. Please see below for some advice on security, and in particular, using other browsers instead of IE, as it is unsafe in comparison to choices like Chrome and Firefox.

Please download TFC to your Desktop.

  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

=====

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

To remove all of the tools we used and the files and folders they created do the following:

Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.

=====

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Hey DarkKnight,

The housekeeping is done and things are running pretty smoothly.... :)

I think that is just an isolated incident.

I figured as much, but considering the extensive infection I had, I wasn't sure.

This was one tough adventure, as I hadn't encountered a virus of any kind in four years or more. This was a nasty, pernicious troupe of trojans, and though I considered myself cautious and somewhat knowledgeable, this experience has valuable lessons. I've always disabled jusched over the past years because it didn't work right. But then I hadn't manually updated my Java 7 for 3 1/2 months. Worse, I hadn't uninstalled Java 6 before updating to J7. I was an easy target.

I appreciate your advice on browsers...I am using Chrome (even though I was running Chrome when attacked), and have used Opera as well. I ran Firefox last year for a bit, but now intend to install it again, possibly as my default browser. As for my problematic IE--I will forget it for now...I read today that Microsoft will roll out IE10 to Win7 users as an update. Also thank you for the security info and reading material.

I am extremely grateful for your knowledge, assistance and professionalism (and the Malwarebytes Forums are outstanding).

Many, MANY Thanks and Kudos to you, DarkKnight.

~Karen

Woe_is_Me_n_myPC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
