Solved

How Can I Determine The Source of an Infection?

Posted on 2009-05-04
26
402 Views
Last Modified: 2013-11-22
One machine on our network became infected with something I'm still not exactly sure has been identified.  The XP desktop that was infected would not boot at all until after I found an E-E Accepted Solution for question ID 24030581 that recommended the use of ComboFix.  Now the machine is booting up but I'm not convinced all of the infections have been remedied.  In fact, when visiting www.avg.com the page says "18 Trojans detected" and then the browser shuts down.  The MS Windows Updates page is no longer showing an alert and Symantec's Norton Anti-Virus is saying all is well.

Per the How-to-use-combofix instructions I've attached the Combofix.txt log report as well as a Hijackthis log.  Please advise how I can be sure everything is cured on this machine, as well as how I can determine exactly how it got infected.  I'm very concerned that other systems and servers could be affected since this infection was a total surprise!  I logged off at the end of the day with nothing unusual happening and came in the next morning to a machine with all kinds of browser windows and windows explorer windows opened and no explanation.

Thank you!
ComboFix-050109.txt
hijackthis-050409.txt
0
26 Comments
 
LVL 16

Expert Comment

by:warturtle
ID: 24296368
Please install MalwareBytes Anti-Malware (www.malwarebytes.org) on the PC and reboot the PC in safe mode and do a full scan with that. It's a specialised tool for treating malware and acts like a supplement to existing antiviruses.

I will analyse the logs now.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24296922
HijackThis log analysis:

c:\docume~1\admini~1\locals~1\temp\ntdll64.dll is a Worm. We need to get rid of it.

ComboFix log analysis:

c:\windows\system32\lozobusa.exe - looks like Trojan.Vundo
c:\windows\system32\tototevu.exe - Unknown application
and some more...

Download MalwareBytes as advised before and reboot your PC in safe mode and then do a full scan with that. Then do a full scan with Norton Antivirus. Send the logs to us for inspection. We can finish off everything possible with MalwareBytes and if anything is still left, then we can use ComboFix scripting to finish them off.
0
 

Author Comment

by:sshermankig
ID: 24297133
Acknowledged, working on it now.  Thank you.
0
 

Author Comment

by:sshermankig
ID: 24298498
Scans are complete (Windows, then Safe Mode for both MBAM and NAV).  Attached are logs from MBAM.
mbam-log-2009-05-04--13-57-46-.txt
mbam-log-2009-05-04--14-39-45-.txt
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24298799
Good, it seems that MalwareBytes has taken down 2 infections. Has Norton antivirus also found infections in your PC?

0
 

Author Comment

by:sshermankig
ID: 24303430
During MalwareBytes' first scan Norton said it detected a Trojan but I did not acknowledge the message because I didn't want to interrupt MalwareBytes.  Before the MBAM completed Norton sent another prompt that it needed a reboot to complete the removal of the risk.  Again I ignored it in favor of MBAM.  However, I did follow your instructions to run a full system scan using NAV after the two MBAM scans were complete and it didn't report any other risks.  I performed two NAV scans (one in Windows and one in Safe Mode), both were clean.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24303442
Can you run ComboFix again and send me the log to examine? We can find out if there is still something left or all threats have been neutralised.
0
 

Author Comment

by:sshermankig
ID: 24303543
Attached is the log from this morning's ComboFix run.
ComboFix-050509.txt
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24303848
Could you please upload these 3 files to www.virustotal.com and let me know if any antiviruses flagged them as infections?

C:\WINDOWS\java\g2mdlhlpx.exe
c:\windows\system32\emptyregdb.dat
c:\windows\temp\Perflib_Perfdata_124.dat

There are some viruses which have the same filename as legitimate files and in that case virustotal.com can help.
0
 

Author Comment

by:sshermankig
ID: 24304078
The first two files uploaded successfully, however the third one indicates there are zero bytes to upload even though the file's properties reflect a size of 16kb.  I've attached the results of the first two uploads and screen shots of the third.
VirusTotal-Java-g2mdlhlpx.pdf
VirusTotal-System32-emptyregdb.pdf
VirusTotal-AttemptToUpload-Perfl.doc
0
 
LVL 16

Accepted Solution

by:
warturtle earned 500 total points
ID: 24304470
Thanks for sending the reports, so those 3 files are ok.

Please open a Notepad and copy and paste the below lines in it.

File::
c:\windows\system32\lozobusa.exe
c:\windows\system32\tototevu.exe

Then save the file as CFScript.txt in the same folder as ComboFix. Then drag and drop this file on top of the ComboFix executable and that will start ComboFix again and create another log, please post that log to us as well.
0
 

Author Comment

by:sshermankig
ID: 24306010
This process ran successfully, attached is the latest log file.  I noticed earlier that the .exe files mentioned above were tagged (for lack of knowledge of the accurate term) with "--sha-w" in the Find3M Report section of the log.  Also having the "--sha-w" designation is the following file:

c:\windows\Fonts\desktop.ini

Should I be concerned that it remains?
ComboFix-050509b.txt
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24306270
Don't worry about those other files, not every file in that log is a problem. And -shaw is permissions on that file in Windows. According to my observations, the log looks clean. It might be best to do a quick scan with MalwareBytes to finish things.

Let me know, how it goes.
0
 

Author Comment

by:sshermankig
ID: 24307352
Good news, the MBAM scan advises "No malicious items were detected."  So that resolves the issue for the affected PC, thank you!  That brings me back to the original question....how do we know exactly where the infection came from so we can avoid other systems becoming infected?
0
 

Author Comment

by:sshermankig
ID: 24307366
Oops...forgot to attach the latest MBAM log, here you go.
mbam-log-2009-05-05--13-51-49-.txt
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24307532
Infections can come from a couple of sources which can include - websites and external media (USB drives from employees or clients). There might be more sources, but those are the ones I could think of immediately :-).

It's always good to have an enterprise security solution which includes a good antivirus, good firewall and good anti-malware solution (such as MalwareBytes Anti-Malware). As long as you have regular Windows Updates, antivirus definition updates and such, you should be generally safe.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24307539
Email is another source of infections, by the way.
0
 

Author Comment

by:sshermankig
ID: 24307740
We have a pretty strong filter monitoring our e-mail server and nothing out of the ordinary was received on the day the infection arrived.  Is there a way to pinpoint which website?  I'm sure there were no external devices connected to the machine, no one had access to it after hours.
0
 
LVL 62

Expert Comment

by:gheist
ID: 24307784
Do all scans in safe mode (with network easier) - namely Spybot S&D - update, immunize, scan and clean, download latest Symantec updater: ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe , and do updates and scan in safe mode.
Also check Windows updates in same network safe mode.

Viruses tend to kill updaters for popular AVs, less popular AVs do better by updating updater often.

Source of infection is driver or service that installs filesystem filter to hide itself from drivers loaded later like Symantec event driver. (Most likely your PC crashed on reboot after malware installed itself)
0
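Added example, not code from this thread or from any of the tools named in it: a small Python triage script that does what the Find3M section and the "--sha-w" discussion above describe by hand, and gives the asker's "where did it come from" question a starting point. It lists files modified inside a time window oldest first (so the earliest hits bracket when the machine was first touched and can be matched against browser history), decodes the Windows attribute bits ComboFix prints as letters, and hashes each file so it can be looked up on VirusTotal by hash rather than uploaded (a locked file like the Perflib .dat that uploaded as zero bytes gets no hash). The attribute bits are only populated on Windows; all file names in the usage below are constructed.

```python
import hashlib
import os
from collections import namedtuple
from datetime import datetime, timedelta

# Win32 FILE_ATTRIBUTE_* bits, rendered as the letters ComboFix uses
# (r, h, s, a). st_file_attributes exists only on Windows; elsewhere "-".
ATTR_BITS = ((0x1, "r"), (0x2, "h"), (0x4, "s"), (0x20, "a"))
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
Hit = namedtuple("Hit", "path modified attrs executable sha256")


def attr_string(st):
    bits = getattr(st, "st_file_attributes", 0)
    return "".join(ch for bit, ch in ATTR_BITS if bits & bit) or "-"


def sha256_of(path):
    """SHA-256 for a hash lookup on VirusTotal; None when the file cannot be
    read or reads back empty (as the locked Perflib_Perfdata file did)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return hashlib.sha256(data).hexdigest() if data else None


def recent_files(root, since, exts=EXEC_EXT):
    """Files under root modified at or after `since`, oldest first."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or inaccessible: skip, do not abort the walk
            modified = datetime.fromtimestamp(st.st_mtime)
            if modified < since:
                continue
            ext = os.path.splitext(name)[1].lower()
            hits.append(Hit(path, modified, attr_string(st), ext in exts, sha256_of(path)))
    hits.sort(key=lambda h: h.modified)
    return hits


def suspicious(hits):
    """Executables that are also hidden+system, the "--sha-w" pattern in the log."""
    return [h for h in hits if h.executable and "h" in h.attrs and "s" in h.attrs]
```

Run `recent_files(r"C:\Windows\system32", datetime.now() - timedelta(days=90))` on the affected box to reproduce the 3-month window ComboFix uses; review the oldest entries first.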
 

Author Closing Comment

by:sshermankig
ID: 31618504
Thanks so much for walking me through the resolution step by step.  I'm very grateful to be able to return this PC to productivity mode!
0
 

Author Comment

by:sshermankig
ID: 24308002
Thanks gheist for the additional input.  SS
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24308069
Thanks for the feedback and the points.

It's hard to pinpoint what source the viruses came from, it's quite possible that the virus had been there for some time. Trojan.FakeAlert was one of the viruses found on this PC and more information on that is here:

http://www.malwarebytes.org/forums/index.php?showtopic=5033

It can register itself as a fake codec or browser exploit on the victim's computer. Generally, it's best to download any codecs from mainstream websites to avoid any such problems and also, have a real-time scanner in the background (you have Symantec in this case) to help with browser exploits. Don't forget to use MalwareBytes on any machines that you think have spyware in them or are behaving strangely.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24308089
You can uninstall ComboFix as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
0
 
LVL 62

Expert Comment

by:gheist
ID: 24308100
Update Symantec LiveUpdate - it is not updating otherwise for quite some time.
0
 

Author Comment

by:sshermankig
ID: 24308107
Excellent, will do!  Thanks again, SS
0
 

Author Comment

by:sshermankig
ID: 24308142
Thanks for the heads up about Symantec gheist.  I'm ashamed to admit that this was a new PC that I neglected to put any anti-virus on...in only three weeks an infection managed to find its way in.  I have thoroughly learned my lesson though!
0
