
Installshield trojan detection



Hey Guys! I'm pretty sure I've got a virus or something that isn't being detected by Kaspersky or MBAM. I've run both of them and no detections, but through online searches I think I've found a match on the Comodo databases.

 

A bit of history: It started when I could not get SketchBook Pro to install (which I still cannot), and after hours of trying to debug what was wrong I found this error:
 

 

Unable to start a DCOM Server: {8B1670C8-DC4A-4ED4-974B-81737A23826B} as Unavailable/Unavailable. The error:
"740"
Happened while starting this command:
C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe -Embedding

 

 

So after googling I found that it matched some trojan and AdvancedSetup wanted me to start a new topic. Please see my old post if you need to:

 

https://forums.malwarebytes.org/index.php?/topic/164063-help-with-autodesk-install-and-pc-performace-issues/

 

 

 

I've posted the files requested below, please let me know if you need anything else.

 

Thank you guys as always for your generosity in helping me with this issue :)

 

 

Comodo link:

 

http://camas.comodo.com/cgi-bin/submit?file=ea38a94d44d5c95e060f1c36fe1b7e343a76252fabf8a8d7a7b2576b25631e43

 

Addition.txt

FRST.txt


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware



  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

 

fixlist.txt


Hi Marius! First, can't thank you enough. Thank you for helping me get my machine cleaned. I read your instructions so I'm going to post the logs for you one reply at a time, as I do each step. Here is the fixlog file:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by Michael at 2015-02-02 14:08:41 Run:1
Running from C:\Users\Michael\Desktop
Loaded Profiles: Michael (Available profiles: Michael)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Task: {93BE8B93-CAA0-483B-8DE5-E11F91A46E17} - System32\Tasks\{136ECA48-34EC-468C-83C0-ECC0A4080459} => pcalua.exe -a "C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe" -d "C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32"
C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe" -d "C:\Program Files (x86)\Common Files\InstallShield\Driver

AlternateDataStreams: C:\Users\Michael\AppData\Local\Temp:cUnso0kR9qdmoFwq7tcm9LW4gJd
AlternateDataStreams: C:\Users\Michael\AppData\Local\Temp:kqNzdWk8fSkXEqNQeMKGwg
AlternateDataStreams: C:\Users\Michael\AppData\Local\Temp:nkzMtoUbpyS3kiksgaAbvDDuLO

EmptyTemp:

*****************

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{93BE8B93-CAA0-483B-8DE5-E11F91A46E17}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{93BE8B93-CAA0-483B-8DE5-E11F91A46E17}" => Key deleted successfully.
C:\Windows\System32\Tasks\{136ECA48-34EC-468C-83C0-ECC0A4080459} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{136ECA48-34EC-468C-83C0-ECC0A4080459}" => Key deleted successfully.
"C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe -d "C:\Program Files (x86)\Common Files\InstallShield\Driver" => File/Directory not found.
C:\Users\Michael\AppData\Local\Temp => ":cUnso0kR9qdmoFwq7tcm9LW4gJd" ADS removed successfully.
C:\Users\Michael\AppData\Local\Temp => ":kqNzdWk8fSkXEqNQeMKGwg" ADS removed successfully.
C:\Users\Michael\AppData\Local\Temp => ":nkzMtoUbpyS3kiksgaAbvDDuLO" ADS removed successfully.
EmptyTemp: => Removed 14.4 GB temporary data.


The system needed a reboot.

==== End of Fixlog 14:08:51 ====

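The fixlog above removed two kinds of artefact: a scheduled task with a bare-GUID name that started IDriver.exe through pcalua.exe, and three alternate data streams with random names on the user's Temp folder. The following read-only audit is an added example, not code from this thread, from FRST or from Malwarebytes; it lists both artefact types so they can be reviewed, and deletes nothing. It assumes Windows 8 or later (for Get-ScheduledTask and the -Stream parameter of Get-Item) and an elevated PowerShell session so every task folder is readable.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): read-only audit of
#   (1) scheduled tasks that launch a target through pcalua.exe
#   (2) alternate data streams (ADS) on and under the user's Temp folder
# Assumptions: Windows 8+, elevated PowerShell. Nothing is modified or deleted.

# --- (1) Scheduled tasks ----------------------------------------------------
# pcalua.exe (Program Compatibility Assistant) is a legitimate Windows binary,
# but "pcalua.exe -a <target>" just starts <target>, so a task that uses it
# deserves a look. Tasks named as a bare GUID, like the one in the fixlog, are
# flagged as well; GUID names also occur legitimately, so treat this as a hint.
$guidName = '^\{[0-9A-Fa-f-]{36}\}$'
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Non-exec actions (e.g. ShowMessage) have no Execute property; cast to ''
        $exe       = [string]$action.Execute
        $argString = [string]$action.Arguments
        $viaPcalua = ($exe -match 'pcalua\.exe') -or ($argString -match 'pcalua\.exe')
        $guidNamed = $task.TaskName -match $guidName
        if ($viaPcalua -or $guidNamed) {
            $reason = if ($viaPcalua) { 'launches via pcalua.exe' } else { 'GUID task name' }
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $argString
                Reason    = $reason
            }
        }
    }
}

# --- (2) Alternate data streams ------------------------------------------------
# The three streams removed above sat on the Temp directory itself and carried
# random names. Zone.Identifier streams are normal on downloaded files; other
# named streams are worth a closer look. ':$DATA' is the default data stream
# of every file and is skipped.
$tempDir = $env:TEMP
$items = @(Get-Item -LiteralPath $tempDir -Force) +
         @(Get-ChildItem -LiteralPath $tempDir -Force -Recurse -ErrorAction SilentlyContinue)
$streams = foreach ($item in $items) {
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $note = if ($_.Stream -eq 'Zone.Identifier') { 'common on downloads' } else { 'review' }
            [pscustomobject]@{
                Path   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                Note   = $note
            }
        }
}

# --- Report -------------------------------------------------------------------
"Scheduled tasks flagged: $(@($suspectTasks).Count)"
$suspectTasks | Format-Table -AutoSize
"Alternate data streams under ${tempDir} (default data stream excluded): $(@($streams).Count)"
$streams | Format-Table -AutoSize
```

The script only reports; whether a flagged task or stream is malicious still has to be decided from its target and contents, which is why the fixlist in this thread was written for this specific machine.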

Sorry for the delay. Here are the logs from the MBAM scan

 

Malwarebytes Anti-Malware
www.malwarebytes.org


Scan, 2/2/2015 12:58:38 AM, SYSTEM, ULTRAPC, Manual, Start:2/2/2015 12:20:27 AM, Duration:38 min 6 sec, Hyper Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Scan, 2/2/2015 1:16:38 AM, SYSTEM, ULTRAPC, Manual, Start:2/2/2015 1:14:43 AM, Duration:1 min 53 sec, Hyper Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Protection, 2/2/2015 1:58:45 PM, SYSTEM, ULTRAPC, Protection, Malware Protection, Starting,
Protection, 2/2/2015 1:58:45 PM, SYSTEM, ULTRAPC, Protection, Malware Protection, Started,
Protection, 2/2/2015 1:58:45 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Starting,
Protection, 2/2/2015 1:58:46 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Started,
Protection, 2/2/2015 2:09:48 PM, SYSTEM, ULTRAPC, Protection, Malware Protection, Starting,
Protection, 2/2/2015 2:09:48 PM, SYSTEM, ULTRAPC, Protection, Malware Protection, Started,
Protection, 2/2/2015 2:09:48 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Starting,
Protection, 2/2/2015 2:09:49 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Started,
Update, 2/2/2015 2:10:39 PM, SYSTEM, ULTRAPC, Scheduler, Malware Database, 2015.2.1.7, 2015.2.2.5,
Protection, 2/2/2015 2:10:39 PM, SYSTEM, ULTRAPC, Protection, Refresh, Starting,
Protection, 2/2/2015 2:10:39 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Stopping,
Protection, 2/2/2015 2:10:39 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Stopped,
Protection, 2/2/2015 2:10:45 PM, SYSTEM, ULTRAPC, Protection, Refresh, Success,
Protection, 2/2/2015 2:10:45 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Starting,
Protection, 2/2/2015 2:10:45 PM, SYSTEM, ULTRAPC, Protection, Malicious Website Protection, Started,
Scan, 2/2/2015 2:12:44 PM, SYSTEM, ULTRAPC, Manual, Start:2/2/2015 2:10:39 PM, Duration:2 min 2 sec, Hyper Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Scan, 2/2/2015 2:26:17 PM, SYSTEM, ULTRAPC, Manual, Start:2/2/2015 2:15:32 PM, Duration:10 min 44 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Scan, 2/2/2015 3:10:41 PM, SYSTEM, ULTRAPC, Manual, Start:2/2/2015 3:08:24 PM, Duration:2 min 15 sec, Hyper Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Update, 2/2/2015 7:14:56 PM, SYSTEM, ULTRAPC, Scheduler, Failed, Unable to access update server,

(end)


I'm sorry, my mistake.

 

Here is the log file from the scan

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/3/2015
Scan Time: 1:55:38 AM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.03.02
Rootkit Database: v2015.01.14.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Michael

Scan Type: Hyper Scan
Result: Completed
Objects Scanned: 282469
Time Elapsed: 1 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Marius,

 

I just wanted to let you know that I ran the online scan and it did not find anything. That's a good thing, but like I said in my first post, I wasn't getting any detections before either - it was only through the Comodo database that AdvancedSetup showed me that we figured out I had a virus. Is there a way to run a deeper scan/check of my system just to make sure?

 

Thank you

 

BTW, there were no logs for the online scanner, so I think that is all you needed for now right?


I see that I've made a mistake...

Please do the following:

 

 

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

fixlist.txt


Here are the Logs that you requested:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by Michael at 2015-02-04 09:22:55 Run:2
Running from C:\Users\Michael\Desktop
Loaded Profiles: Michael &  (Available profiles: Michael)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Program Files (x86)\Common Files\InstallShield\Driver\8

EmptyTemp:

*****************

C:\Program Files (x86)\Common Files\InstallShield\Driver\8 => Moved successfully.
EmptyTemp: => Removed 181.6 MB temporary data.


The system needed a reboot.

==== End of Fixlog 09:22:59 ====


Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the "Windows Orb" Start button, then click Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.


A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the "Windows Orb" Start button -> type "eventvwr" without the quotes -> press the key.
  • The Event Viewer window will open.
  • In the left pane, expand "Windows Logs" and then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Wininit", with an entry corresponding to the date and time of the disk check.
  • Click on that Wininit entry to select it.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

 

 

 

System File Check

For Windows XP:

  • Press the Windows- and the R-key simultaneously.
  • Within the text box that just opened, write cmd and hit Enter.


For Windows Vista/7:

  • Press the Windows key to open the start menu.
  • Don't highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator"




Within the opening window, write the following:

sfc /scannow
(See the blank within).


  • Hit enter. Your system will be checked for damaged system files.
  • Tell me the result of that scan in here (as the tool produces no log).


Here is the chkdisk results:

 

Chkdsk was executed in scan mode on a volume snapshot.

Checking file system on C:

Stage 1: Examining basic file system structure ...
  861440 file records processed.
File verification completed.
  7962 large file records processed.
  0 bad file records processed.
Stage 2: Examining file name linkage ...
  1083070 index entries processed.
Index verification completed.
Stage 3: Examining security descriptors ...
Security descriptor verification completed.
  110816 data files processed.
CHKDSK is verifying Usn Journal...
  38509872 USN bytes processed.
Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

 958011391 KB total disk space.
 511236724 KB in 679367 files.
    369288 KB in 110817 indexes.
    998607 KB in use by the system.
     65536 KB occupied by the log file.
 445406772 KB available on disk.

      4096 bytes in each allocation unit.
 239502847 total allocation units on disk.
 111351693 allocation units available on disk.

----------------------------------------------------------------------


Stage 1: Examining basic file system structure ...

Stage 2: Examining file name linkage ...

Stage 3: Examining security descriptors ...

Windows has scanned the file system and found no problems.
No further action is required.

 

 

I will post the sfc /scannow in another reply


The SFC said "Windows Resource Protection found corrupt files but was unable to fix some of them" "details are included in the cbs.log windir\logs\cbs\cbs.log" "Logging is not supported in offline servicing". The log file is very big, so I'm not sure if you want me to post it or not.


Filter SFC log file

For Windows XP:

  • Press the Windows- and the R-key simultaneously.
  • Within the text box that just opened, write cmd and hit Enter.


For Windows Vista/7:

  • Press the Windows key to open the start menu.
  • Don't highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator"




Within the opening window, write the following:

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >sfcdetails.txt


  • Hit enter. The tool will create a textfile named sfcdetails.txt within the folder where you ran the command, for example C:\windows\system32\.
    Attach this file to your next reply.

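The two repair utilities used in this thread leave their results in different places: the boot-time Check Disk writes a Wininit entry to the Application event log, and sfc /scannow writes its "[SR]" lines to CBS.log, which the findstr command above filters. The following script is an added example, not code from the thread or from Microsoft's own instructions; it collects both results into text files and reports how many [SR] lines were matched, so an empty result is visible rather than turning up as a silent blank file. It assumes an elevated PowerShell on Windows Vista or later; the provider name Microsoft-Windows-Wininit and event ID 1001 are taken to be what the Wininit disk-check entry carries (an assumption to adjust if your entry differs), and $outDir is the hypothetical output location.

```powershell
# Added example (not from the thread or from Microsoft): collect the results of
# Check Disk and System File Checker. Assumes an elevated PowerShell session.
$outDir = [Environment]::GetFolderPath('Desktop')   # assumption: write to the desktop

# --- (1) Check Disk report from the Application log --------------------------
# Event Viewer shows the source as "Wininit"; the provider name and ID below are
# assumed to be the ones that entry carries. Get-WinEvent errors when nothing
# matches, so that case is handled explicitly instead of being silenced.
$chkdskEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 1001
} -ErrorAction SilentlyContinue

if ($chkdskEvents) {
    $latest = $chkdskEvents | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $latest.Message | Set-Content -LiteralPath (Join-Path $outDir 'chkdsk-result.txt')
    "Check Disk report from $($latest.TimeCreated) written to chkdsk-result.txt"
} else {
    "No Wininit disk-check event found; the scheduled check may not have run at boot."
}

# --- (2) [SR] lines from CBS.log ------------------------------------------------
# Same filter as  findstr /c:"[SR]" %windir%\logs\cbs\cbs.log  above.
# -SimpleMatch keeps the brackets literal instead of a regex character class.
$cbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$srLines = @()
if (Test-Path -LiteralPath $cbsLog) {
    $srLines = @(Select-String -LiteralPath $cbsLog -SimpleMatch -Pattern '[SR]' |
                 ForEach-Object { $_.Line })
    $srLines | Set-Content -LiteralPath (Join-Path $outDir 'sfcdetails.txt')
    "[SR] lines matched in CBS.log: $($srLines.Count) (written to sfcdetails.txt)"
} else {
    "CBS.log not found at $cbsLog"
}

# Entries SFC writes for files it could not restore are the ones to follow up on.
$unrepaired = $srLines | Where-Object { $_ -match 'Cannot repair member file' }
"Unrepaired member files reported: $(@($unrepaired).Count)"
$unrepaired
```

A zero count for the [SR] lines means the filter matched nothing in that file, which is the situation the blank sfcdetails.txt in the replies below describes; the count makes it a visible result rather than an empty document.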

Sorry Marius,

 

I still can't get the txt file to produce anything (it ends up blank). Is there another way or different search string to try in the command line? I did use the admin command prompt.

 

Also, if you see anything that might be the reason for SketchBook Pro not installing, do you think it is related to my computer being infected and is there a way to fix it?

 

Thank you for your help!


Thanks Marius!

 

I was finally able to send a message to the software developers and hopefully they will get back to me. Is there anything else we should do with my computer?

 

Also, were you able to get my CBS logs filtered? I still cannot get anything when I run that command you posted - it's just a blank document. I'm going to image my computer soon, so if there was anything else you felt I should do please let me know.

 

and Thank you!


Nothing more to do! :)

No need to filter this log if you plan to wipe the place.

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website´s content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.


  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:
  • Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.




  • 1 month later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.