Hi, yesterday I experienced a weird set of events. Norton said I was alright, but I don’t trust it this time. The machine is a Windows 7 64 bit computer.

  1. The user had been using Internet Explorer.
  2. When the user had been browsing, an unsigned extension asked to be installed.
  3. I exited out of the prompt by right-clicking its taskbar item and hitting “close window.”
  4. “Windows Easy Transfer” asked for UAC permission.
  5. I denied permission.
  6. 5 seconds later, it popped up again. This was a signed file by Microsoft Corporation, but as I had not activated Windows Easy Transfer, I hit “no” again.
  7. 5 seconds later, it popped up again, and continued to do so every 5 seconds. This was weird, so I looked to see where the file was located, and it was located in the user’s AppData\LocalLow directory, under a folder like this {26F-some-more-hex-here}\migwiz.exe
  8. Navigating to the directory, I found the contents were listed as critical system files, and therefore hidden. The folder’s contents were:
     - cryptbase.dll (about 120 kb)
     - A .vcd file (0 kb)
     - Windows Easy Transfer (~160 kb)

     Sorry I can’t give exact details on the files, I’ve been busy so I haven’t had chance to boot up using something else and copy the files.
  9. All files passed all checks on VirusTotal.com and a scan by Norton, and all files shared a unique aspect: Their files were signed using a key that expired in 2011, but their root and secondary root keys were active. Other than that, it seemed safe, so I finally hit “yes” when it popped up for the umpteenth time.
  10. Norton pops up, and says that “cryptbase.dll” is safe, but it’s only been used by 5 people in the Norton community.
  11. That’s a huge red flag for me, so I turn off the computer immediately.
  12. The computer has not been used since.

My question is, is this normal, or should I boot up with some sort of virus scanner and see what’s going on? The files passed all checks on VirusTotal, so I don’t know if using a virus scanner would even find anything. I looked on my Windows 8.1 workstation, and migwiz.exe is installed in System32, not my AppData\LocalLow folder, and I looked at another workstation, and found that migwiz.exe was not in the user’s AppData\LocalLow directory.

If it’s not a virus, why was there a “critical system file” in the AppData folder anyway? Usually, people treat that directory as a temp folder.

 

Thanks, and I'm sorry if I wasted anyone's time.

-kalpow500


Hello and welcome.

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
Post back the report which should also be located here:

 

C:\Programdata\RogueKiller\Logs <-------- W7/8

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

 

Let me see those logs....

 

Kevin...


  • 2 weeks later...

Here's the log files now, sorry for the delay.

 

Addition.txt

FRST.txt

RKreport_SCN_11022014_164257.log

 

I ran Norton Bootable Recovery Tool, and it deleted the DLL file in both the user's folder, and another user's folder (!) (must have been infected twice). It also deleted a copy of the DLL from the desktop and from the recycle bin (made by me, not by the virus). That's all it did, though.

 

FRST detected the quarantined folder when I did it in PE mode, but it doesn't show up in this log set from Safe Mode; do you want me to run it in PE mode again?

 

Thanks for all your help!


Thanks for the logs, continue please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

boot your system to normal mode and continue:

 

Download Malwarebytes Anti-Malware to your desktop.


Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
On the Dashboard, click the 'Update Now >>' link
After the update completes Select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Now select > Scan > Threat scan > Scan now
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 


After the restart (If applicable) once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Next,

 

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review



****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*


  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Post the log in next reply please...

Kevin

Fixlist.txt


Here are the logs!

 

Thanks!

 

Fixlog.txt

ComboFix.txt

 

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 11/4/2014

Scan Time: 3:37:50 PM

Logfile:

Administrator: Yes

 

Version: 2.00.3.1025

Malware Database: v2014.11.04.06

Rootkit Database: v2014.11.01.02

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: Jacob

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 536455

Time Elapsed: 1 hr, 32 min, 41 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 1

PUM.UserWLoad, HKU\S-1-5-21-2599251252-3821983390-1828043331-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load, C:\Users\Kathy\AppData\Local\Temp\{22212~1.EXE, Quarantined, [9b0034020f6dc96dc441da93c53ee51b]

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

(end)
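A defender's check for the two findings in this thread (the Microsoft-signed migwiz.exe sitting in a user profile folder next to a cryptbase.dll, from the first post, and the per-user "Load" registry value that MBAM quarantined as PUM.UserWLoad in the log above), as an added PowerShell example that is not part of the thread or any of the tools it uses. It assumes an elevated PowerShell 4 or later session on the affected machine (Get-FileHash needs 4+) and that user profiles live under C:\Users.

```powershell
# Added example, not from the thread. Run elevated on the affected machine.
# Assumption: profiles are under C:\Users and PowerShell is 4.0 or later.

# 1. migwiz.exe belongs under %SystemRoot%\System32. Any copy inside a user
#    profile (the poster found one in AppData\LocalLow\{GUID}\) is suspect,
#    and a cryptbase.dll beside it is the side-loading pattern to look for.
function Find-ProfileMigwiz {
    $expectedRoot = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path 'C:\Users' -Recurse -Force -File -Filter 'migwiz.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike "$expectedRoot\*" } |
        ForEach-Object {
            $dll = Join-Path $_.DirectoryName 'cryptbase.dll'
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                # The poster saw the folder hidden as "critical system files" (Hidden+System attributes)
                HiddenSystem  = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                                (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
                Signer        = $sig.SignerCertificate.Subject   # a valid Microsoft signature does NOT make the location legitimate
                SigStatus     = $sig.Status
                SideloadedDll = Test-Path $dll
                DllSha256     = if (Test-Path $dll) { (Get-FileHash -Path $dll -Algorithm SHA256).Hash } else { $null }
            }
        }
}

# 2. The "Load" value under HKU\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Windows
#    runs whatever it names at every logon for that user; MBAM's hit pointed it at a
#    Temp\{...}.EXE. Report it for every hive that is currently loaded.
function Get-UserLoadValues {
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $key  = "Registry::$($_.Name)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
        $load = (Get-ItemProperty -Path $key -Name Load -ErrorAction SilentlyContinue).Load
        if ($load) { [pscustomobject]@{ Hive = $_.Name; Load = $load } }
    }
}

Find-ProfileMigwiz   | Format-List
Get-UserLoadValues   | Format-Table -AutoSize
```

Profiles of users who are not logged on are not under HKEY_USERS, so for those the Load value has to be checked by loading the user's NTUSER.DAT offline, which is what the quarantined MBAM entry (with its SID plus GUID suffix) reflects.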


Run the following;

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

[images: CF3.jpg, CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.

 

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET SMART Installer during the process)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the following options are checked:
 
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
 
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Let me see those two logs, also give an update on any remaining issues or concerns...

 

Kevin....

 


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
