TechSpot

Please check my logs - persistent malware re-appearing

By QuasiChameleon
Feb 14, 2010
  1. I've run the 8-steps several times now, and a piece of malware keeps reappearing:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    What more needs to be done to stop this from reoccuring?

    Attached are my logs.

    Kevin
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Kevin, please run the following:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    There are several malware entries in the HijackThis log. Combofix will help with that. Autoruns have also been disabled. Please rescan with HijackThis after Combofix.

    Attach the Combofix report and the new HijackThis log to your next reply.
     
  3. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    Here's my logs for ComboFix and HijackThis again, as requested.

    Kevin
     

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please reopen HijackThis to 'do system scan only.' Check the following if present: Note: Optional removals are in green.
    Read the Option descriptions before checking

    O2 - BHO: (no name) - AutorunsDisabled - (no file)>>See Option 1
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)>> See Option 1
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)>> See Option 1
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\>> See Option 1

    ---------
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll>> See Option 2
    O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
    O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
    O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe


    Option 1: Have you intentionally disabled Autoruns or are you aware that they have been disabled? This can be a potential protocol hijacker. If yes, leave. If not, please check these for removal.

    Option 2: Foistware> Askbar, PDF Toolbar
    Foistware is not a virus or malware. It is installed with another unrelated program without your knowledge or permission. I recommend you remove it.
    The Pdfforge Toolbar installed with PDFCreator - is it considered as PUP/WidgiToolbar (a potentially unwanted program) due to it's questionable privacy policy. But is came with a Trojan so it needs to be removed.

    Close all Windows except HijackThis and click on "Fix Checked."

    If you checked the Askbar and Pdfforge Toolbar for removal:
    Go to Add/Remove programs in the Control Panel and uninstall both.
    Use Windows Explorer> Navigate to C:\Programs and do a right click> Delete on both of the program folders.

    Using Windows Explorer: Windows key + E: Click on to My Computer> double click on the Local Drive (C)> Navigate to> C:\WINDOWS. Right-click on MailSwitch.ocx and select Rename. Please rename it to MailSwitch.vir.

    If you do not see the file: Go to Tools> Folder Options> View tab> Check 'show hidden files & folders'> Uncheck 'hide protected operating system files-Recommended'> Apply> OK

    Exit Windows Explorer and hide the files & Folders.

    Please update and scan again with Malwarebytes.

    Follow with
    Kaspersky Online Scanner in Internet Explorer

    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Please attach logs for both programs to your next reply.
     
  5. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    The Kaspersky options were not as described, and it returned an HTML document for the report.

    I zipped these logs to get the HTML file to upload.

    Thanks!

    Kevin Crosby
     

    Attached Files:

    • log.zip
      File size:
      2.3 KB
      Views:
      3
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177382499-2		
      C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177463384-2		
      C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{B84C0813-2E3D-4E9F-B632-D014A0734A45}\Microsoft\Outlook Express\_Unsure.dbx	
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Kein, please copy the HijackThis log again. The entire middle section is missing. If you compare it to the original log, entries from R1 through 020 are all missing =9.2KB.
     
  7. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    I don't know why my earlier hijackthis.log was so short.

    Here are the new logs from OTM and HijackThis.




    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177382499-2 moved successfully.
    C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177463384-2 moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{B84C0813-2E3D-4E9F-B632-D014A0734A45}\Microsoft\Outlook Express\_Unsure.dbx moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 3369781 bytes

    User: All Users

    User: Clean
    ->Temp folder emptied: 99191094 bytes
    ->Temporary Internet Files folder emptied: 28267603 bytes
    ->Java cache emptied: 1747918 bytes
    ->FireFox cache emptied: 49264417 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->FireFox cache emptied: 59726333 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 49286 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 294871 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 83543470 bytes
    ->Apple Safari cache emptied: 1510178 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2162283 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5473 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 4962 bytes

    Total Files Cleaned = 314.00 mb


    OTM by OldTimer - Version 3.1.9.0 log created on 02202010_221515

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Questions:

    1. You are running Blue Coat® K9 Web Protection which is a content filtering allowing you to allow or block some websites.

    2. You also have O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

    3. Are these related security features for your system and did you set them?

    4. You also have this Service running O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe This is for "Cygwin/Redhat run as service" Are you using this?

    5. How is the system running now? Have the original problems been resolved? Are there any new related problems?
     
  9. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    1. Yes. I'm running K9.

    2. I have just deleted the O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file) with HijackThis.

    3. I did not set the O18, but I did install the K9 Web Protection.

    4. I was unaware that a Cygwin server was running. I have deleted this from HijackThis. Cygwin was developed by Redhat to be a UNIX emulator for the PC.

    5. I'm still investigating whether or not the malware is gone for good. Throughout this process, Malwarebytes has intermittently kept coming back with this:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    I'll have to double check that it is gone for sure, as it keeps coming back.

    Will keep you updated.
     
  10. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    Unfortunately, after doing all of that Malwarebytes still occasionally reports

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Furthermore, entries that I previously deleted in HijackThis has reappeared, specifically the O2 and O18 AutorunsDisabled. I have deleted them again.


    Does it matter which Admin account I run these programs from? I have two admin accounts.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Quasi, are you using a flash drive? Or did you use a flash drive before this began?
     
     
  12. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    Although I do own a flash drive, I have not been using it in this computer while trying to fix these problems.

    Also, my O2, O18, and O20 AutorunsDisabled keeps reappearing in my HijackThis scan, after I keep deleting them.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- didn't get the email that there was a reply.

    About the 2 Administrator accounts. Are you actively using both of these? I would think that could be a problem and also that any changes you want to make are going to have to be done under the account of that particular user.

    Please delete the Combofix log from the desktop, then run Combofixx again.

    Follow with new scan using the Eset online scan, then new HijackThis scan.
    Please include all the reports and logs.
     
  14. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    One admin account is for my regular use, and the second one has a minimal set of programs running upon login. I am in control of both accounts.

    Attached are the Combofix and HijackThis logs. The ESET scanner reported everything was fine, but I did not see where it offered a report. I also ran Kaspersky again, and nothing new, except the quarantined items from Symantec and the trojans that OTM moved from my SPAM filters.

    However, upon running Malwarebytes again, the same thing keeps reappearing about every other login: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter).

    This is the same problem I came to this board for.
     

    Attached Files:

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I advise you to only run one Administrative account. Why do you need a second one set up with fewer programs? Administrative Accounts have higher permissions. Please read the Microsoft Description of User Accounts HERE.

    Administrator does not have all the privileges of root because some (superuser) privileges are assigned to the Local System account in Windows NT. The user may gain access to the Local System account by making Task Scheduler start a command prompt. Since Task Scheduler starts programs as Local System, the user can run any program as Local System.

    Have you checked the security center manually- under both of those accounts?:
    Control Panel> Security Center> check AV, firewall and auto-update settings.

    Local System Account: http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter).

    The LocalSystem account has the following privileges: The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY.

    I believe your problem is using the 2 administrative account.

    Edit: As I mentioned previously, you are running the "Cygwin Run As Service" program. Cygserver is a program which is designed to run as a background service. It provides Cygwin applications with services which require security arbitration or which need to persist while no other cygwin application is running.
    It is still running: To remove it:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\cygwin\bin\cygrunsrv.exe
    Folder::
    
    Registry::
    
    Driver::
    BrlAPI
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.






    http://www.cygwin.com/cygwin-ug-net/using-cygserver.html
     
  16. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    Ok. I've removed Admin privileges to my secondary account, and rescanned with ESET, ComboFix twice (both before and after your script), and HijackThis.

    Logs attached.

    I do think that my secondary admin account wasn't able to access files in my primary admin account.

    After I send this, I'll rescan with Malwarebytes to see if the problem went away for good.

    Kevin
     

    Attached Files:

  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I think the 2 Admins were the problem also. If you do not have Autoruns installed, please download it from here: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    Look at the screen sot and read through the settings> decide on how you want your set. The entry AutorunsDisabled- no CLSID is still on the HJT log.
    e
    Leave the Mbam log when you're finished. And I'd like you to rescan with the Eset online scanner. Please follow the line: Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

    If they're clean and the problems have been resolved, I'll have you remove the cleaning tools and old restore points.
     
  18. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    Here's the logs from eset and malwarebytes, with the options you mentioned.

    I have deleted the O18 from HijackThis several times, and it keeps coming back.

    I've already been using the autoruns to turn off certain services from loading upon startup, but am unsure what you mean by "installing" it, as it seems to be a stand-alone executable with no installer.
     

    Attached Files:

  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    These logs are both clean. It is most likely that a Windows Update has disabled the autoruns.

    Are you having any problems with the system now> Did you check the Security Center and make sure all three sections are running? Please keep in mind that until recently, your system had 2 'bosses'- Administrators.

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    Remove all of the tools we used and the files and folders they created
    • DownloadOTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes. If you are prompted to Reboot during the cleanup, select Yes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Please let me know of you need help in the future. Understand that the user can disable the Security Center and/or the Service that runs the update section.
     
  20. QuasiChameleon

    QuasiChameleon TS Rookie Topic Starter

    The Eset log did not look clean to me:

    C:\System Volume Information\_restore{111027AC-0595-426C-ACE4-306EAD09DEE0}\RP1123\A0394087.exe a variant of Win32/FenomenGame application
    C:\System Volume Information\_restore{111027AC-0595-426C-ACE4-306EAD09DEE0}\RP1123\A0394088.exe a variant of Win32/ReflexiveArcade application​

    The Malwarebytes has come back with "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter)" about every other login.

    How can I be sure it won't come back this time?

    All three sections in the Security Center are running, with the exception that I purposely disabled my firewall and anti-virus temporarily for the purpose of running the various scanning software programs.

    Thanks for your help.

    Kevin
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Kevin, the reason we have you leave the logs from programs is so we can check what is found and what is removed and in part, where those files are. The System Volume shown in the Eset log are system restore points. Malware can get into these restore points. But when malware is removed from the rest of the system, malware in the restore points is only a threat if you do a system restore and chose a point that happens to have malware.

    System Restore is a protected folder in the operating system. So although 'System Volume' can show up in a scan, the files there will not be removed until end of cleaning, when we have you remove the old restore points and create a new clean one. Keep in mind though that the malware is not active on the system when only found here.

    We do not have you disable the security programs for these preliminary scans> Malwarebytes, Superantispyware and HijackThis. If we ask you to run Combofix,then you are instructed to disable the security.

    It is most likely that what you're seeing is the result of your intentional disabling of the processes when it wasn't required. Please follow the instructions I left for you to remove the cleaning tools and old restore points. Then be sure the parts of the Security Center are enabled. I have my Security Center disabled and when I run Spybot Search & Destroy, it brings up a notice that the Security Center is disabled. (I am not recommending this, only using it for example.)

    Reboot the computer and be sure to Empty the Recycle Bin. And unless you have evidence of malware problems, I suggest you stop using Malwarebytes as a 'checking' program. The last scans do not indicate an active malware on your system.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.