Do I have malware?


Hi.

I am looking for a little help / advice about a possible malware problem. I stress possible because I’m not quite sure whether I’m being a little paranoid or whether there’s something else wrong with my computer (i.e. a hardware / software problem).

I did run windows memory diagnostic which reported a possible hardware / memory problem so it’s possible that my computer is experiencing some sort of memory corruption / failure that is causing these problems. It may or may not be malware related.

Firstly - here are the symptoms….

I have had a couple of BSOD events in the past couple of weeks whilst online as well as occasional browser crashes (firefox), superfetch failures, various messages about svchost.exe, windows search indexer has stopped working etc. and various other glitches / failures on my system in recent weeks (sorry - I can’t remember the name of every event that has happened).

I have Norton360 installed and although superficially it appears to be working I have been having frequent update failures. I often get messages that virus definitions, web protection definitions have failed to install etc. However - these glitches appear to be temporary and the updates always get installed eventually after a number of attempts.

I also have the free version of Super Anti-Spyware installed which also occasionally has trouble installing updates. When this occurs I use the alternate start version and the updates then install.

I have the free version of Malwarebytes and have today activated the 14-day trial of the full version. It seems to be functioning but when I first activated the realtime module something weird happened - the whole system froze up and I had to do a forced shutdown.

After rebooting everything seemed to be normal again.

I also have the Malwarebytes Anti-Rootkit and Norton Power Eraser utilities.

I have run full scans in safe mode numerous times with all of the above programs but nothing has been found, but I can't shake the feeling that something might be lurking and possibly interfering with the security products on my system.

I have taken the first bit of advice here and run DDS. Please find the logs attached below.

I would be really grateful if a resident expert could take a look and give me an opinion.

Thank you in advance.


A small update - two recent app crash events...

Malwarebytes Anti-Malware stopped working

Problem Event Name: APPCRASH

Application Name: mbam.exe

Application Version: 1.75.0.1

Application Timestamp: 511f8eb2

Fault Module Name: ntdll.dll

Fault Module Version: 6.0.6002.18541

Fault Module Timestamp: 4ec3e3d5

Exception Code: c0000005

Exception Offset: 00066626

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 2057

Additional Information 1: 7443

Additional Information 2: 9de561f03c0b3bb361c405ea1f4cf48c

Additional Information 3: 1931

Additional Information 4: 3aa28a177fcd01c635ced2051c0b2c4f

---------------------------------------------------------------------------------------------------------

Symantec Error Reporting stopped working

Problem Event Name: APPCRASH

Application Name: SymErr.exe

Application Version: 4.3.0.7

Application Timestamp: 5102d0a9

Fault Module Name: SYMHTMDX.DLL

Fault Module Version: 7.3.0.30

Fault Module Timestamp: 5111c8e4

Exception Code: c0000005

Exception Offset: 00062177

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 2057

Additional Information 1: fd00

Additional Information 2: ea6f5fe8924aaa756324d57f87834160

Additional Information 3: fd00

Additional Information 4: ea6f5fe8924aaa756324d57f87834160

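The two crash reports above share the exception code c0000005, and the first faults inside ntdll.dll, a system DLL loaded in every process. The added Python below (not from the forum thread or any of the tools mentioned in it) parses Windows Error Reporting "Problem signature" blocks of this shape, decodes the NTSTATUS exception code, and groups crashes by faulting module, so that several unrelated programs faulting in the same system DLL stands out from an ordinary application bug. The first two sample reports are the ones posted in the thread; the third is constructed to show the grouping.

```python
"""Triage Windows Error Reporting (WER) APPCRASH signatures.

Added example; not from the forum thread. Parses the key/value blocks Windows
shows after a crash, decodes the exception code and groups by fault module.
"""
import re
from collections import defaultdict

# Well-known NTSTATUS values that appear as WER "Exception Code".
EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION (read/write of an invalid address)",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN (/GS cookie or fail-fast)",
    0x80000003: "STATUS_BREAKPOINT",
    0xE0434352: "CLR managed exception",
}

# First two blocks are the reports posted in the thread; the third is constructed.
SAMPLE_REPORTS = """\
Malwarebytes Anti-Malware stopped working
Problem Event Name: APPCRASH
Application Name: mbam.exe
Application Version: 1.75.0.1
Fault Module Name: ntdll.dll
Fault Module Version: 6.0.6002.18541
Exception Code: c0000005
Exception Offset: 00066626
---------------------------------------------------------------------------------------------------------
Symantec Error Reporting stopped working
Problem Event Name: APPCRASH
Application Name: SymErr.exe
Application Version: 4.3.0.7
Fault Module Name: SYMHTMDX.DLL
Fault Module Version: 7.3.0.30
Exception Code: c0000005
Exception Offset: 00062177
---------------------------------------------------------------------------------------------------------
Example Viewer stopped working
Problem Event Name: APPCRASH
Application Name: exampleviewer.exe
Application Version: 1.0.0.0
Fault Module Name: ntdll.dll
Fault Module Version: 6.0.6002.18541
Exception Code: c0000409
Exception Offset: 0001a2b3
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(.*?)\s*$")


def parse_reports(text):
    """Split WER text into one dict per 'Problem Event Name:' block."""
    records, current = [], None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:                      # titles, separators, blank lines
            continue
        key, value = m.group(1), m.group(2)
        if key == "Problem Event Name":
            current = {key: value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def decode_exception(code_hex):
    """Name a known exception code, else report the NTSTATUS severity bits."""
    code = int(code_hex, 16)
    name = EXCEPTION_CODES.get(code)
    if name is None:
        # Top two bits of an NTSTATUS: 11 = error, 10 = warning, 01 = info, 00 = success.
        severity = {3: "error", 2: "warning", 1: "informational", 0: "success"}[code >> 30]
        name = f"unlisted NTSTATUS ({severity})"
    return name


def triage(text):
    """Reduce each APPCRASH block to app, fault module, decoded code and offset."""
    out = []
    for rec in parse_reports(text):
        if rec.get("Problem Event Name") != "APPCRASH":
            continue
        code = rec.get("Exception Code", "0")
        out.append({
            "app": rec.get("Application Name", "?"),
            "module": rec.get("Fault Module Name", "?").lower(),
            "code": code.lower(),
            "meaning": decode_exception(code),
            "offset": rec.get("Exception Offset", "?"),
        })
    return out


def modules_hit_by_multiple_apps(crashes, min_apps=2):
    """Fault modules in which at least `min_apps` distinct programs crashed.

    Unrelated programs all faulting in one system DLL points away from an
    application bug and toward a shared cause: a damaged DLL, code injected
    into every process, or, as this thread ends up concluding, faulty RAM.
    """
    by_module = defaultdict(set)
    for c in crashes:
        by_module[c["module"]].add(c["app"])
    return {m: sorted(apps) for m, apps in by_module.items() if len(apps) >= min_apps}


if __name__ == "__main__":
    crashes = triage(SAMPLE_REPORTS)
    for c in crashes:
        print(f"{c['app']:<18} {c['module']:<14} {c['code']} {c['meaning']} @+{c['offset']}")
    print("shared fault modules:", modules_hit_by_multiple_apps(crashes))
```

The grouping is only a hint: an access violation in ntdll.dll usually means the faulting instruction was in ntdll but the corrupted data came from elsewhere, so the module name identifies where the process died, not what caused it.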

  • Root Admin

Most of your issues appear to have started on or about May 27, 2013. Did you install some piece of hardware or some type of software such as maybe a new antivirus or something?

Please print the following so that you can review it offline if needed.

If you have any questions please let me know, otherwise please do the following.

Close any of your open programs while you run these tools.

On most of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work to do.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan and how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power) or a UPS system.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have to reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh.

Reply & Copy & Paste contents of the C:\Combofix.txt log

and tell me, how is the system now?

Re-enable your antivirus program.


Hello Ron,

Thank you for responding.

To answer your question: no I have not made any hardware changes to the computer. But I did buy a new Toshiba 1TB External HDD and for some reason Norton detected and deleted an orphan autorun.inf file from the drive even though it was brand new from Amazon and had never been used. As for software - I used to use Webroot up until a few months ago but I found it was constantly crashing firefox, blocking half the websites I regularly visit and making Norton impossibly slow so I uninstalled. After I uninstalled Webroot these problems went away.

The only software I have installed in recent weeks is the free version of Super Anti-Spyware and MBAR and these were installed after my problems started.

My main concern though is that there are frequent installation errors with updates for N360, MBAM and SAS. The updates always download but then I get installation error messages and I need to keep trying over and over until they finally install. I know malware can try to interfere with this process.

I have now run ComboFix as instructed. Log to follow in next post...


ComboFix 13-06-03.06 - Andrew 04/06/2013 12:09:34.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3068.1858 [GMT 1:00]

Running from: c:\users\Andrew\Desktop\ComboFix.exe

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Roaming

c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini

c:\windows\security\Database\tmp.edb

.

.

((((((((((((((((((((((((( Files Created from 2013-05-04 to 2013-06-04 )))))))))))))))))))))))))))))))

.

.

2013-06-04 11:15 . 2013-06-04 11:15 -------- d-----w- c:\users\Andrew\AppData\Local\temp

2013-06-04 11:15 . 2013-06-04 11:15 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-05-31 19:35 . 2013-05-31 19:35 146648 ----a-w- c:\windows\system32\drivers\48230029.sys

2013-05-25 19:44 . 2013-06-03 20:15 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)

2013-05-24 08:39 . 2013-05-24 08:39 -------- d-----w- c:\users\Andrew\AppData\Roaming\SUPERAntiSpyware.com

2013-05-24 08:38 . 2013-06-03 16:36 -------- d-----w- c:\program files\SUPERAntiSpyware

2013-05-24 08:38 . 2013-05-24 08:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2013-05-24 06:29 . 2013-05-24 06:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-05-24 06:29 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-05-24 05:46 . 2012-11-16 02:45 36512 ----a-r- c:\windows\system32\drivers\SymIMV.sys

2013-05-22 07:32 . 2013-06-03 03:24 -------- d-----w- c:\users\Andrew\AppData\Roaming\vlc

2013-05-15 04:21 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-05-15 04:04 . 2013-04-15 14:20 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-05-15 04:04 . 2013-04-13 10:56 37376 ----a-w- c:\windows\system32\cdd.dll

2013-05-15 04:04 . 2013-04-09 01:36 2049024 ----a-w- c:\windows\system32\win32k.sys

2013-05-09 20:58 . 2013-05-09 20:58 -------- d-----w- c:\users\Andrew\AppData\Local\ElevatedDiagnostics

2013-05-09 06:23 . 2013-06-01 22:28 -------- d-----w- c:\users\Andrew\AppData\Local\NPE

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-04 00:21 . 2013-02-18 20:55 952 --sha-w- c:\programdata\KGyGaAvL.sys

2013-05-15 04:20 . 2013-05-03 05:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-15 04:20 . 2013-05-03 05:41 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-11 13:25 . 2013-04-10 15:23 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-11 13:25 . 2013-04-10 15:23 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-09 03:45 . 2013-04-10 15:23 49152 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-09 01:28 . 2013-04-10 15:23 64000 ----a-w- c:\windows\system32\smss.exe

2013-03-08 03:53 . 2013-04-10 15:23 376320 ----a-w- c:\windows\system32\winsrv.dll

2013-03-08 03:52 . 2013-04-10 15:23 2067968 ----a-w- c:\windows\system32\mstscax.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]

"AML"="c:\program files\Sony\VAIO Launcher\AML.exe" [2008-06-13 1097728]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-05-15 61440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2008-07-16 01:04 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

.

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-03 04:20]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\8aqgjr5u.default\

FF - ExtSQL: 2013-05-24 06:47; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.1.22\IPSFFPlgn

FF - ExtSQL: 2013-05-24 07:01; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.1.22\coFFPlgn

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-WudfPf

SafeBoot-WudfRd

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-06-04 12:15

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b4

.

Completion time: 2013-06-04 12:16:51

ComboFix-quarantined-files.txt 2013-06-04 11:16

.

Pre-Run: 207,398,801,408 bytes free

Post-Run: 207,330,611,200 bytes free

.

- - End Of File - - C98FB6599D7BAC116020205E08C6E933


  • Root Admin

Please run the following scanner.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please attach that file to your next reply.


Hi.

I have run TDSSKiller. Logs to follow.

However I feel I should mention that once installing and rebooting two things happened - a black box appeared with 'cmd.exe' in it. This has also been happening on boot-up on average about once a day for the past couple of weeks - a black box with 'cmd.exe' will flash up on screen for just a second.

Also on this occasion there were two vaio update icons in my task bar, normally there should only be one.

NB - Sorry but the forum won't let me copy & paste the full log in one post. I have attached the file but if you prefer I can copy & paste the log in several parts. Let me know what you prefer.

Thanks.


  • Root Admin

Most of the helpers seem to like the logs posted inline - I appear to be almost the lone wolf where I actually prefer them to be attached as I open them in a text editor to help automate research and replies.

Anyways... the log shows that it's clean. You can delete the program and the log at this time. (don't touch combofix yet, leave it alone)

I'd like to get a new set of DDS logs now and then we'll see if we can cleanup any left over startup items that you may not want.

Thanks

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.


  • Root Admin

Please download MBAR from here and extract the files from the zip to a new location.

http://www.malwarebytes.org/products/mbar/

Follow the directions for usage from that page and check for updates and scan everything.

Then post back the log file for it and let me know if it found anything or if you had trouble using it.

Thanks


Hi.

I have had to run MBAR twice. The first time I ran it although the scanner in the foreground window seemed to run and complete, everything else behind it locked up (the mbar file folder, task bar etc.).

After the scan the whole system was locked (was unable to get task manager up) and I had to do a forced shutdown.

Upon reboot I tried MBAR again and it ran without any problems this time.

Here are the logs...


  • Root Admin

Interesting... The logs show what appears to be ongoing damage unless maybe the time entries were wrong.

Please do the following.

Delete your current DDS logs and MiniToolbox logs. Then reboot the computer 2 times

After rebooting 2 times then go ahead and run DDS again and post back both logs.

How is the computer behaving in general now?

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply


  • Root Admin

I'm sorry my mistake. I've not asked you to run that tool yet but suppose now would be a good time to have you run that and have it verify some items too.

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

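MiniToolBox's "List content of Hosts" only dumps the file; the check a responder applies to that dump is the part worth showing. The Python below is an added example (not from the thread, MiniToolBox or any vendor tool): it parses a Windows hosts file, skips the stock localhost lines, and flags any mapping that pins a security-vendor or update hostname to a loopback or unspecified address (which silently breaks updates, one of the symptoms described in this thread) or to some other address (a redirect). The sample hosts content, the watched-domain list and the stripped-down header are constructed for the example.

```python
"""Audit a Windows hosts file for entries that block or redirect update traffic.

Added example, not from the thread or MiniToolBox. Sample data is constructed.
"""
import ipaddress

# Stock mappings Windows ships (harmless whether active or commented out).
DEFAULT_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Illustrative list of hostnames whose hijack would explain "updates fail" or
# "vendor site unreachable"; extend with whatever vendors are installed.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com",
    "symantec.com", "norton.com", "liveupdate.symantecliveupdate.com",
    "malwarebytes.org", "superantispyware.com",
)

# Constructed sample: two stock entries, one legitimate home entry, and three
# entries of the kind a hosts hijack adds (two sinkholes and one redirect).
SAMPLE_HOSTS = """\
# constructed sample hosts file, stock header trimmed
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1   localhost
::1         localhost
192.168.1.20   nas.home.lan
127.0.0.1   liveupdate.symantecliveupdate.com
0.0.0.0     www.malwarebytes.org
198.51.100.7   download.windowsupdate.com
"""


def parse_hosts(text):
    """Yield one dict per (address, hostname) pair, with 1-based line numbers."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
            malformed = False
        except ValueError:
            addr, malformed = parts[0], True     # not an IP: still worth reporting
        for name in parts[1:]:
            entries.append({"line": lineno, "addr": addr,
                            "name": name.lower(), "malformed": malformed})
    return entries


def is_sinkhole(addr):
    """127.0.0.0/8, ::1, 0.0.0.0 and :: all make the name unreachable."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit(text):
    """Return (line, verdict, address, hostname) for every non-stock mapping."""
    findings = []
    for e in parse_hosts(text):
        addr, name = e["addr"], e["name"]
        if (addr, name) in DEFAULT_OK:
            continue
        if e["malformed"]:
            verdict = "malformed"
        elif watched(name) and is_sinkhole(addr):
            verdict = "BLOCKED"        # vendor/update host made unreachable
        elif watched(name):
            verdict = "REDIRECTED"     # vendor/update host sent elsewhere
        else:
            verdict = "custom"         # not stock; review, but often legitimate
        findings.append((e["line"], verdict, addr, name))
    return findings


if __name__ == "__main__":
    for line, verdict, addr, name in audit(SAMPLE_HOSTS):
        print(f"line {line:>3}  {verdict:<10} {addr:<16} {name}")
```

On a live machine the file is %SystemRoot%\System32\drivers\etc\hosts; a large number of "custom" entries is not by itself a problem (ad-blocking lists look exactly like that), whereas even one BLOCKED or REDIRECTED vendor host on a machine whose updates keep failing is worth removing and then re-checking after a reboot, since some hijacks rewrite the file again.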

  • Root Admin

The computer appears to be clean from malware but appears to have a possible memory issue.

05/06/2013 03:09:52, Error: EventLog [6008] - The previous system shutdown at 03:08:37 on 05/06/2013 was unexpected.

05/06/2013 00:47:45, Error: Application Popup [1801] - The hardware has reported an uncorrectable memory error.

You may have a built-in utility to test memory in the BIOS setup screen somewhere such as one of the Function keys.

You can also use a tool like this to test the memory.

http://www.memtest.org/

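The two event-log lines quoted above are what finally separate a hardware fault from malware in this thread: an uncorrectable memory error reported by firmware, followed a couple of hours later by an unexpected shutdown. The added Python below (not from the thread or MiniToolBox) parses event lines in the "date time, Level: Source [ID] - message" shape shown above, classifies each by source and event ID, pairs unexpected shutdowns and bugchecks with memory errors logged in the preceding 24 hours, and gives an overall verdict. The two quoted lines are taken from the thread; the other sample lines are constructed, using standard Windows event sources. The date order is assumed to be day/month/year, matching the UK locale of the posts.

```python
"""Triage MiniToolBox-style event log lines: hardware fault or malware symptom?

Added example, not from the thread or MiniToolBox. Two sample lines are from
the thread; the rest are constructed. Dates are assumed to be day/month/year.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# (source, event id) -> (class, note). The first two pairs appear in the
# thread; the others are standard Windows sources. None matches any id.
KNOWN = {
    ("Application Popup", 1801): ("hardware", "uncorrectable memory error reported by firmware"),
    ("EventLog", 6008): ("crash", "unexpected shutdown (power loss, hang or bugcheck)"),
    ("BugCheck", 1001): ("crash", "rebooted after a bugcheck (BSOD)"),
    ("Microsoft-Windows-WHEA-Logger", None): ("hardware", "WHEA hardware error record"),
    ("Application Error", 1000): ("appcrash", "user-mode application fault"),
    ("Service Control Manager", 7034): ("service", "service terminated unexpectedly"),
}

# Lines 3 and 4 are from the thread; the others are constructed.
SAMPLE_LOG = """\
04/06/2013 21:58:10, Error: Application Error [1000] - Faulting application firefox.exe, faulting module ntdll.dll, exception code 0xc0000005
04/06/2013 22:03:44, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly.
05/06/2013 00:47:45, Error: Application Popup [1801] - The hardware has reported an uncorrectable memory error.
05/06/2013 03:09:52, Error: EventLog [6008] - The previous system shutdown at 03:08:37 on 05/06/2013 was unexpected.
05/06/2013 03:10:01, Error: BugCheck [1001] - The computer has rebooted from a bugcheck.
05/06/2013 09:30:00, Warning: Microsoft-Windows-WHEA-Logger [19] - A corrected hardware error has occurred.
"""


def parse_line(line):
    """Parse one event line; return None for lines that are not events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
        "level": m["level"],
        "source": m["source"],
        "id": int(m["id"]),
        "msg": m["msg"],
    }


def classify(ev):
    """Look up (source, id), then (source, any id); unknown events are 'other'."""
    hit = KNOWN.get((ev["source"], ev["id"])) or KNOWN.get((ev["source"], None))
    return hit if hit else ("other", "")


def triage(text):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    for ev in events:
        ev["class"], ev["note"] = classify(ev)
    return events


def shutdowns_after_hardware_errors(events, window=timedelta(hours=24)):
    """Pair each unexpected shutdown/bugcheck with the latest hardware error
    logged within `window` before it: (error_time, crash_time, crash_id)."""
    hw_times = [e["time"] for e in events if e["class"] == "hardware"]
    pairs = []
    for e in events:
        if e["class"] != "crash":
            continue
        prior = [t for t in hw_times if timedelta(0) <= e["time"] - t <= window]
        if prior:
            pairs.append((max(prior), e["time"], e["id"]))
    return pairs


def verdict(events):
    classes = {e["class"] for e in events}
    if "hardware" in classes:
        return "hardware: firmware/WHEA logged a memory or machine error; test RAM before hunting malware"
    if "crash" in classes or "appcrash" in classes:
        return "unexplained crashes: no hardware error logged; keep the malware and driver investigation open"
    return "no crash or hardware indicators in this excerpt"


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for e in evs:
        print(f"{e['time']:%Y-%m-%d %H:%M:%S}  {e['class']:<9} {e['source']} [{e['id']}] {e['note']}")
    for err_t, crash_t, cid in shutdowns_after_hardware_errors(evs):
        print(f"event {cid} at {crash_t:%H:%M:%S} follows hardware error at {err_t:%H:%M:%S}")
    print(verdict(evs))
```

The classification table is deliberately small: the point is that a single event 1801 or WHEA record changes the reading of every crash that follows it, and that is the check to run before spending hours on rootkit scanners.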

Hi Ron,

Thanks again for taking the time to run through these tests with me.

I have run the built-in Windows Memory Diagnostic tool again.

It reported...

Your computer may have a hardware problem. Please contact your computer manufacturer.

Description

The results of running the Windows Memory Diagnostics Tool were submitted to Microsoft for analysis and product improvement

Problem signature

Problem Event Name: MemDiagV1

Range of memory size: 3072

Launch type: Manual

Schedule type: Deferred

Completion type: Fail

Test type: Standard

Failed tests: 95

Range of number of bad pages: 5

Test duration in seconds: 990

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 2057

Files that help describe the problem

MemDiag.bin

(I tried to open the MemDiag.bin file to have a more detailed look but for some reason it saves it as a VLC media file ?!)

More than likely I have a malfunctioning RAM card or something of that nature.

I suppose memory failure can often produce symptoms that are similar to a malware problem.

I still have ComboFix, DDS, Autoruns and Mini-Toolbox on my desktop. Is it safe now to remove these ?


  • Root Admin

Yes, please click on START - RUN and type in the following.

Combofix /uninstall

Then click OK and that should remove Combofix.

The other tools and log files you can manually delete.

The good thing is that RAM is actually pretty cheap nowadays for most computers and you can pick it up online or from a local repair shop, and it is also pretty easy to replace for most computers as well.


  • 3 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
