How Can I Determine The Source of an Infection?

One machine on our network became infected with something I'm still not exactly sure has been identified.  The XP desktop that was infected would not boot at all until after I found an E-E Accepted Solution for question ID 24030581 that recommended the use of ComboFix.  Now the machine is booting up but I'm not convinced all of the infections have been remedied.  In fact, when visiting the page says "18 Trojans detected" and then the browser shuts down.  The MS Windows Updates page is no longer showing an alert and Symantec's Norton Anti-Virus is saying all is well.

Per the How-to-use-combofix instructions I've attached the Combofix.txt log report as well as a Hijackthis log.  Please advise how I can be sure everything is cured on this machine, as well as how I can determine exactly how it got infected.  I'm very concerned that other systems and servers could be affected since this infection was a total surprise!  I logged off at the end of the day with nothing unusual happening and came in the next morning to a machine with all kinds of browser windows and windows explorer windows opened and no explanation.

Thank you!



Please install MalwareBytes Anti-Malware on the PC, reboot the PC in safe mode and do a full scan with that. It's a specialised tool for treating malware and acts as a supplement to existing antiviruses.

I will analyse the logs now.
HijackThis log analysis:

c:\docume~1\admini~1\locals~1\temp\ntdll64.dll is a Worm. We need to get rid of it.

ComboFix log analysis:

c:\windows\system32\lozobusa.exe - looks like Trojan.Vundo
c:\windows\system32\tototevu.exe - Unknown application
and some more...

Download MalwareBytes as advised before and reboot your PC in safe mode and then do a full scan with that. Then do a full scan with Norton Antivirus. Send the logs to us for inspection. We can finish off everything possible with MalwareBytes and if anything is still left, then we can use ComboFix scripting to finish them off.
sshermankigAuthor Commented:
Acknowledged, working on it now.  Thank you.

sshermankigAuthor Commented:
Scans are complete (Windows, then Safe Mode, for both MBAM and NAV).  Attached are logs from MBAM.
Good, it seems that MalwareBytes has taken down 2 infections. Has Norton Antivirus also found infections on your PC?

sshermankigAuthor Commented:
During MalwareBytes' first scan Norton said it detected a Trojan but I did not acknowledge the message because I didn't want to interrupt MalwareBytes.  Before MBAM completed, Norton sent another prompt that it needed a reboot to complete the removal of the risk.  Again I ignored it in favor of MBAM.  However, I did follow your instructions to run a full system scan using NAV after the two MBAM scans were complete and it didn't report any other risks.  I performed two NAV scans (one in Windows and one in Safe Mode); both were clean.
Can you run ComboFix again and send me the log to examine? We can find out if there is still something left or all threats have been neutralised.
sshermankigAuthor Commented:
Attached is the log from this morning's ComboFix run.
Could you please upload these 3 files to and let me know if any antivirus flagged them as infections?


There are some viruses which have the same filename as legitimate files and in that case can help.
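The point just made, that a malicious file can carry the same name as a legitimate one (the thread's own ntdll64.dll sitting in a temp folder is in that spirit), means a filename is never a verdict; the file's hash is. The following is an added example, not code from the thread or from any tool named in it. It hashes each suspect file, compares the digest against a baseline of known-good hashes, and flags files that borrow a system file's name but sit in the wrong directory or hash differently. The baseline entry, its hash and the file contents are constructed placeholders, not real Windows hashes; on a real machine the baseline would come from install media or a clean twin system.

```python
"""Judge suspicious files by hash and location rather than by name."""
import hashlib
import os
import tempfile

# Constructed baseline: known-good filename -> (directory it belongs in,
# sha256 of the clean copy). The digest here is a placeholder computed from
# a dummy byte string, NOT the hash of a real ntdll.dll.
KNOWN_GOOD = {
    "ntdll.dll": (
        "c:\\windows\\system32",
        hashlib.sha256(b"placeholder clean ntdll").hexdigest(),
    ),
}


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(reported_path, digest):
    """Verdict for a file at the Windows path the log reported, given its sha256.

    known-good     : right name, right directory, hash matches the baseline
    lookalike-name : carries the name (or name prefix) of a system file but is in
                     the wrong place or has the wrong hash; treat as hostile
    unknown        : the baseline says nothing about it; hash it at a multi-engine
                     scanner as the thread suggests
    """
    directory, _, name = reported_path.lower().rpartition("\\")
    stem = name.partition(".")[0]
    for good_name, (good_dir, good_hash) in KNOWN_GOOD.items():
        good_stem = good_name.partition(".")[0]
        if name == good_name and directory == good_dir and digest == good_hash:
            return "known-good"
        if stem.startswith(good_stem):  # e.g. ntdll64.dll borrowing "ntdll"
            return "lookalike-name"
    return "unknown"


def demo():
    """Write constructed stand-ins for the thread's files to a temp dir and
    classify them under the Windows paths the log reported. Contents are
    invented bytes, not the real files."""
    samples = {
        "c:\\windows\\system32\\ntdll.dll": b"placeholder clean ntdll",
        "c:\\docume~1\\admini~1\\locals~1\\temp\\ntdll64.dll": b"not ntdll at all",
        "c:\\windows\\system32\\lozobusa.exe": b"MZ constructed dropper",
    }
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        for reported, content in samples.items():
            local = os.path.join(d, reported.rsplit("\\", 1)[1])
            with open(local, "wb") as f:
                f.write(content)
            verdicts[reported] = classify(reported, sha256_of(local))
    return verdicts


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:15} {path}")
```

The hash, not the name, is what to paste into a multi-engine scanner: if the upload fails (as it did for the third file above) the digest alone is usually enough to look the sample up, and a zero-byte read of a 16 KB file is itself worth noting, since something on the box is interfering with reading it.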
sshermankigAuthor Commented:
The first two files uploaded successfully, however the third one indicates there are zero bytes to upload even though the file's properties reflect a size of 16kb.  I've attached the results of the first two uploads and screen shots of the third.
Thanks for sending the reports, so those 3 files are ok.

Please open Notepad and copy and paste the lines below into it.


Then save the file as CFScript.txt in the same folder as ComboFix. Then drag and drop this file on top of the ComboFix executable and that will start ComboFix again and create another log, please post that log to us as well.

sshermankigAuthor Commented:
This process ran successfully; attached is the latest log file.  I noticed earlier that the .exe files mentioned above were tagged (for lack of knowledge of the accurate term) with "--sha-w" in the Find3M Report section of the log.  Also having the "--sha-w" designation is the following file:


Should I be concerned that it remains?
Don't worry about those other files; not every file in that log is a problem. And --sha-w is permissions on that file in Windows. According to my observations, the log looks clean. It might be best to do a quick scan with MalwareBytes to finish things.

Let me know, how it goes.
sshermankigAuthor Commented:
Good news, the MBAM scan advises "No malicious items were detected."  So that resolves the issue for the affected PC, thank you!  That brings me back to the original question: how do we know exactly where the infection came from so we can avoid other systems becoming infected?
sshermankigAuthor Commented:
Oops...forgot to attach the latest MBAM log, here you go.
Infections can come from a couple of sources which can include - websites and external media (USB drives from employees or clients). There might be more sources, but those are the ones I could think of immediately :-).

It's always good to have an enterprise security solution which includes a good antivirus, good firewall and good anti-malware solution (such as MalwareBytes Anti-Malware). As long as you have regular Windows Updates, antivirus definition updates and such, you should be generally safe.
Email is another source of infections, by the way.
sshermankigAuthor Commented:
We have a pretty strong filter monitoring our e-mail server and nothing out of the ordinary was received on the day the infection arrived.  Is there a way to pinpoint which website?  I'm sure there were no external devices connected to the machine, no one had access to it after hours.
Do all scans in safe mode (with networking, which is easier) - namely Spybot S&D: update, immunize, scan and clean; download the latest Symantec updater: , and do updates and scan in safe mode.
Also check Windows updates in the same safe mode with networking.

Viruses tend to kill the updaters for popular AVs; less popular AVs do better by updating their updater often.

The source of infection is a driver or service that installs a filesystem filter to hide itself from drivers loaded later, like the Symantec event driver. (Most likely your PC crashed on reboot after the malware installed itself.)
sshermankigAuthor Commented:
Thanks so much for walking me through the resolution step by step.  I'm very grateful to be able to return this PC to productivity mode!
sshermankigAuthor Commented:
Thanks gheist for the additional input.  SS
Thanks for the feedback and the points.

It's hard to pinpoint what source the viruses came from; it's quite possible that the virus had been there for some time. Trojan.FakeAlert was one of the viruses found on this PC and more information on that is here:

It can register itself as a fake codec or browser exploit on the victim's computer. Generally, it's best to download any codecs from mainstream websites to avoid any such problems and also to have a real-time scanner in the background (you have Symantec in this case) to help with browser exploits. Don't forget to use MalwareBytes on any machines that you think have spyware on them or are behaving strangely.
You can uninstall ComboFix as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
Update Symantec LiveUpdate - it has not been updating for quite some time.
sshermankigAuthor Commented:
Excellent, will do!  Thanks again, SS
sshermankigAuthor Commented:
Thanks for the heads up about Symantec gheist.  I'm ashamed to admit that this was a new PC that I neglected to put any anti-virus on; in only three weeks an infection managed to find its way in.  I have thoroughly learned my lesson though!