
Possible malware infection



Following on from this thread...

 

http://forums.malwarebytes.org/index.php?showtopic=130668

 

Having run DDS in the previous thread and having been advised by 'Firefox' that I have a probable malware infection, I have opened this new thread here.

 

I would appreciate it if one of the experts here could "pick up the ball" and give me further help / advice.

 

I feel that I should point out that I reformatted my computer (to factory defaults) just a few days ago in a bid to solve my problems.

If it is malware we could be dealing with a nasty that can survive such a reformat.

 

Thank you.


Hi there,
My name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.


Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt . Please attach that to your next reply.


Hi Marius.

 

Thank you for responding.

I already have Mbar installed on my computer. My most recent scan was about 12 hours ago. Please find the logs attached.

 

 

Also here are details of actions I have taken so far...

 

Norton 360 > full scan > clean

Norton Power Eraser > full scan > detected malicious load point
> hkey_local_machine\software\clients\startmenuinternet\firefox.exe\shell\open\command
> quarantined and deleted
> second scan > clean

Malwarebytes PRO (chameleon) > full scan > clean

Malwarebytes Anti-Rootkit > full scan > clean

Super Anti-Spyware (free edition) > full scan > clean

ESET Online Scanner > full scan > clean

Kaspersky Security Scan > full scan > vulnerability detected > C:\Windows\system32\msxml4.dll

Dr. Web Cure It ! > full scan > clean
 


There is no malware on your system. The file detected by Kaspersky is a false positive; otherwise it would have been detected by some other scanners, too.

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[s1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.


Ran AdwCleaner. Upon restart there was a blue screen crash. Had to reboot again.

 

Here is the log...

 

# AdwCleaner v2.306 - Logfile created 08/09/2013 at 08:40:34
# Updated 19/07/2013 by Xplode
# Operating system : Windows Vista Home Premium Service Pack 2 (32 bits)
# User : Andrew - ANDREW-PC
# Boot Mode : Normal
# Running from : C:\Users\Andrew\Downloads\adwcleaner.exe
# Option [Delete]


***** [services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\o70ez87z.default\searchplugins\safesearch.xml

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16496

[OK] Registry is clean.

-\\ Mozilla Firefox v23.0 (en-US)

File : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\o70ez87z.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [910 octets] - [09/08/2013 08:40:34]

########## EOF - C:\AdwCleaner[s1].txt - [969 octets] ##########

 

 

I will now run security check.


Security check...

 

 Results of screen317's Security Check version 0.99.72  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Norton 360    
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Adobe Flash Player     11.8.800.94  
 Adobe Reader 10.1.4 Adobe Reader out of Date!  
 Mozilla Firefox (23.0)
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 Kaspersky Lab Kaspersky Security Scan 2.0 kss.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 60 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 


Your system is clean now! :)

 

 

 

Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.


  • Get the actual software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Run setup and follow the instructions.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.

 

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In case we used Defogger to turn off your CD emulation software: you can start it again and use the Enable button.
  2. In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left, please delete it manually.

 

 

 

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere that is colored or flashing while you are surfing the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.


Hi Marius.

 

Thank you for helping. If you don't mind, could I please ask a few questions?

 

Do you know what kind of malware it was and how it got there ?

I performed a complete system reformat just two days ago so I'm a bit concerned about it.

 

Will I be re-infected if I use my external hard drive? It is the only device I have connected since reformatting. I would hate to have to dump it as it has all my music on it!

 

Also - regarding Adobe Reader. Because I am using Windows Vista, version 10.1.4 is the most up to date version I can get. Adobe have chosen not to provide Vista support for version 11+.

Unfortunately there is nothing I can do about it apart from keeping the Firefox add-on permanently disabled.


As we don't have any sample files, nobody could tell what it was, sorry.

To ensure no malware is stored on your external, attach it to your pc and run a scan with ESET online scanner.

Checkmark your external and run the scan - it will show you if something is hidden on it.


As we don't have any sample files, nobody could tell what it was, sorry.

 

If you don't mind me asking: if you don't know what it was, how do you know it was there in the first place?

 

 

Also, I am not a computer / security expert but is this sufficient to stay safe...

 

Keeping Windows Updated.

Keeping Firefox updated and keeping add-ons to a bare minimum (even then I keep them disabled and only manually enable them as and when required).

Keeping Flash up to date and NOT having Java on my system.

 

Using Norton 360 and Malwarebytes PRO.

And regularly running other utilities such as Mbar, Super Anti-Spyware, ESET and KSSS.

 

Being very careful online. I tend to stick to regular trusted sites and am very careful about what I download and where.


Be careful with low level scanning tools like MBAR - they may find rootkit techniques, but if you don't know exactly what you are doing with them when they find something, you may get your computer unbootable.

 

Seek further advice in this case.

 

You formatted your computer and we have a clean file system and a clean MBR. Nobody can tell you if malware was running or what malware it was - there are no traces or leftovers now.

 


Hello again.

 

I have run fresh scans of my system and nothing has been detected; also Malwarebytes seems to be running fine in normal mode now.

I have attached my external drive and scanned it with ESET as instructed. Nothing was found so hopefully it is clean.

I have also uninstalled the outdated Adobe Reader as Firefox now has an inbuilt pdf reader so there is no need for me to have it installed on my computer really.

 

If I may ask one more question - do you know of any good programs that will automatically sandbox external drives when connected, for increased security?

 

Thank you.


Hello.

Sorry to trouble you again but I was running a Norton Power Eraser scan in safe mode and I had a blue screen crash in the middle of the scan.

The next time I rebooted the computer in normal mode the desktop was black for a couple of minutes and a small box (also black) appeared with the words system32/cmd.exe before the desktop returned to its normal appearance. This has never happened before.

 

I have also run TDSS Killer, which detected two suspicious objects...

 

Unsigned file: FLEXNet Licensing Service

Unsigned file: RtkAudio Service


I usually run additional scans with tools such as MPE and MBAR for additional peace of mind.

If threats were detected with these tools I would not remove them without seeking further advice.

 

I hope you don't mind but I have attached the TDSS Killer log because it is very large and the forum will not allow me to copy and paste it.


The detections are legit files.

I don't know of any programs that sandbox anything that comes from external devices, but you should deactivate the automatic startup of such devices.

If nothing is loaded, nothing can execute malicious code:

 

Instructions
    • Open the CD/DVD drive and remove any discs from the drive. Do the same for memory card drives.

    • Click "Start" and then "Control Panel." Click the "Change default settings for media or devices" under the AutoPlay heading.

    • Click the box next to "Use AutoPlay for all media and devices" at the top of the page if you want to activate AutoPlay for all digital media and devices on your computer. If not, you can select each item individually by clicking the down arrow on the right side. You can choose which program with which to open an item or select "Take no action" to disable AutoPlay for that item.

    • Click "Save" at the bottom of the window when you have finished making your changes.

 
 
 

 

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender



  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


Farbar Service Scanner Version: 04-08-2013
Ran by Andrew (administrator) on 13-08-2013 at 10:13:48
Running from "C:\Users\Andrew\Downloads"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

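The FSS log above reports the disabling firewall and Windows Defender policies and the stopped WinDefend service only as plain text that a helper has to read through by eye. As an added example (not part of the thread and not Farbar's own tooling), this Python script parses a constructed log in the same layout and turns those entries into findings; the sample log and the "example.dll" file-check line are constructed for the demonstration.

```python
import re

# Constructed sample in the layout of a Farbar Service Scanner (FSS.txt) log; the two
# policy entries and the stopped WinDefend service mirror the log posted above.
SAMPLE_LOG = r"""Farbar Service Scanner Version: 04-08-2013
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
File Check:
========
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\example.dll => MD5 mismatch (constructed line)

**** End of log ****
"""

HEADER_RE = re.compile(r"^(?P<name>.+):\s*$")          # e.g. "Windows Defender:"
UNDERLINE_RE = re.compile(r"^=+\s*$")                  # the "=====" under a header
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)\s*$')
NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running")
FILE_CHECK_RE = re.compile(r"^(?P<path>.+?) => (?P<status>.+)$")

def split_sections(text):
    """Map each 'Name:' header that is underlined with '=' to its non-blank body lines."""
    lines = text.splitlines()
    sections, current, i = {}, None, 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and UNDERLINE_RE.match(lines[i + 1]):
            current = m.group("name").strip()
            sections[current] = []
            i += 2
            continue
        if current is not None and lines[i].strip():
            sections[current].append(lines[i].rstrip())
        i += 1
    return sections

def analyse(text):
    """Return (kind, detail) findings: disabling policies, stopped services, bad files."""
    findings = []
    for name, body in split_sections(text).items():
        key = None  # registry key that the following "name"=DWORD:value lines belong to
        for line in body:
            if name.endswith("Disabled Policy"):
                if k := REG_KEY_RE.match(line):
                    key = k.group("key")
                    continue
                if v := REG_VALUE_RE.match(line):  # anything listed here disables protection
                    findings.append(("policy", f"{key}\\{v.group('name')} = {v.group('value')}"))
            if s := NOT_RUNNING_RE.match(line):
                findings.append(("service", f"{s.group('svc')} not running"))
            if name == "File Check" and (f := FILE_CHECK_RE.match(line)) and f.group("status") != "MD5 is legit":
                findings.append(("file", f"{f.group('path')}: {f.group('status')}"))
    return findings
```

An empty "Disabled Policy" section (as for System Restore in the posted log) yields no finding, so only sections that actually list a registry value are reported.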

The Base Filtering Engine stopped again; at this point the malicious website blocking in Malwarebytes has stopped functioning. It will not respond until the system is rebooted, then everything appears normal again.

 

Under problem reports and solutions the app crash is listed as 'svchost.exe_BFE', fault module 'ntdll.dll'.

 

At the same time this strange message has started appearing in my Norton firewall: 'A packet from 0.0.0.0 with an Invalid IP header length of 0 bytes was detected and blocked'.


System File Check

For Windows XP:

  • Press the Windows key and the R key simultaneously.
  • Within the text box that just opened, write cmd and hit Enter.


For Windows Vista/7:

  • Press the Windows key to open the start menu.
  • Don't highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator".




Within the opening window, write the following:

sfc /scannow
(See the blank within).


  • Hit enter. Your system will be checked for damaged system files.
  • Tell me the result of that scan in here (as the tool produces no log).


Hi.

It says the following...

 

Windows Resource Protection found some corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log

The system file repair changes will take effect after the next reboot.

C:\Windows\system32>

 

... should I reboot ?
 
