Solved

How Can I Determine The Source of an Infection?

Posted on 2009-05-04
Last Modified: 2013-11-22
One machine on our network became infected with something I'm still not exactly sure has been identified.  The XP desktop that was infected would not boot at all until after I found an E-E Accepted Solution for question ID 24030581 that recommended the use of ComboFix.  Now the machine is booting up but I'm not convinced all of the infections have been remedied.  In fact, when visiting www.avg.com the page says "18 Trojans detected" and then the browser shuts down.  The MS Windows Updates page is no longer showing an alert and Symantec's Norton Anti-Virus is saying all is well.

Per the How-to-use-combofix instructions I've attached the Combofix.txt log report as well as a Hijackthis log.  Please advise how I can be sure everything is cured on this machine, as well as how I can determine exactly how it got infected.  I'm very concerned that other systems and servers could be affected since this infection was a total surprise!  I logged off at the end of the day with nothing unusual happening and came in the next morning to a machine with all kinds of browser windows and windows explorer windows opened and no explanation.

Thank you!
ComboFix-050109.txt
hijackthis-050409.txt
Question by:sshermankig
 
LVL 16

Expert Comment

by:warturtle
ID: 24296368
Please install MalwareBytes Anti-Malware (www.malwarebytes.org) on the PC and reboot the PC in safe mode and do a full scan with that. It's a specialised tool for treating malware and acts like a supplement to existing antiviruses.

I will analyse the logs now.
 
LVL 16

Expert Comment

by:warturtle
ID: 24296922
HijackThis log analysis:

c:\docume~1\admini~1\locals~1\temp\ntdll64.dll is a Worm. We need to get rid of it.

ComboFix log analysis:

c:\windows\system32\lozobusa.exe - looks like Trojan.Vundo
c:\windows\system32\tototevu.exe - Unknown application
and some more...

Download MalwareBytes as advised before and reboot your PC in safe mode and then do a full scan with that. Then do a full scan with Norton Antivirus. Send the logs to us for inspection. We can finish off everything possible with MalwareBytes and if anything is still left, then we can use ComboFix scripting to finish them off.
 

Author Comment

by:sshermankig
ID: 24297133
Acknowledged, working on it now.  Thank you.
 

Author Comment

by:sshermankig
ID: 24298498
Scans are complete (Windows, then Safe Mode for both MBAM and NAV).  Attached are logs from MBAM.
mbam-log-2009-05-04--13-57-46-.txt
mbam-log-2009-05-04--14-39-45-.txt
 
LVL 16

Expert Comment

by:warturtle
ID: 24298799
Good, it seems that MalwareBytes has taken down 2 infections. Has Norton antivirus also found infections in your PC??

 

Author Comment

by:sshermankig
ID: 24303430
During MalwareBytes' first scan Norton said it detected a Trojan but I did not acknowledge the message because I didn't want to interrupt MalwareBytes.  Before the MBAM completed Norton sent another prompt that it needed a reboot to complete the removal of the risk.  Again I ignored it in favor of MBAM.  However, I did follow your instructions to run a full system scan using NAV after the two MBAM scans were complete and it didn't report any other risks.  I performed two NAV scans (one in Windows and one in Safe Mode), both were clean.
 
LVL 16

Expert Comment

by:warturtle
ID: 24303442
Can you run ComboFix again and send me the log to examine? We can find out if there is still something left or all threats have been neutralised.
 

Author Comment

by:sshermankig
ID: 24303543
Attached is the log from this morning's ComboFix run.
ComboFix-050509.txt
 
LVL 16

Expert Comment

by:warturtle
ID: 24303848
Could you please upload these 3 files to www.virustotal.com and let me know, if any antiviruses flagged them as infections?

C:\WINDOWS\java\g2mdlhlpx.exe
c:\windows\system32\emptyregdb.dat
c:\windows\temp\Perflib_Perfdata_124.dat

There are some viruses which have the same filename as legitimate files and in that case virustotal.com can help.
 

Author Comment

by:sshermankig
ID: 24304078
The first two files uploaded successfully, however the third one indicates there are zero bytes to upload even though the file's properties reflect a size of 16kb.  I've attached the results of the first two uploads and screen shots of the third.
VirusTotal-Java-g2mdlhlpx.pdf
VirusTotal-System32-emptyregdb.pdf
VirusTotal-AttemptToUpload-Perfl.doc
 
LVL 16

Accepted Solution

by:
warturtle earned 500 total points
ID: 24304470
Thanks for sending the reports, so those 3 files are ok.

Please open a Notepad and copy and paste the below lines in it.

File::
c:\windows\system32\lozobusa.exe
c:\windows\system32\tototevu.exe

Then save the file as CFScript.txt in the same folder as ComboFix. Then drag and drop this file on top of the ComboFix executable and that will start ComboFix again and create another log, please post that log to us as well.
 

Author Comment

by:sshermankig
ID: 24306010
This process ran successfully, attached is the latest log file.  I noticed earlier that the .exe files mentioned above were tagged (for lack of knowledge of the accurate term) with "--sha-w" in the Find3M Report section of the log.  Also having the "--sha-w" designation is the following file:

c:\windows\Fonts\desktop.ini

Should I be concerned that it remains?
ComboFix-050509b.txt
 
LVL 16

Expert Comment

by:warturtle
ID: 24306270
Don't worry about those other files, not every file in that log is a problem. And -shaw is permissions on that file in Windows. According to my observations, the log looks clean. It might be best to do a quick scan with MalwareBytes to finish things.

Let me know, how it goes.
 

Author Comment

by:sshermankig
ID: 24307352
Good news, the MBAM scan advises "No malicious items were detected."  So that resolves the issue for the affected PC, thank you!  That brings me back to the original question... how do we know exactly where the infection came from so we can avoid other systems becoming infected?
 

Author Comment

by:sshermankig
ID: 24307366
Oops... forgot to attach the latest MBAM log, here you go.
mbam-log-2009-05-05--13-51-49-.txt
 
LVL 16

Expert Comment

by:warturtle
ID: 24307532
Infections can come from a couple of sources which can include - websites and external media (USB drives from employees or clients). There might be more sources, but those are the ones I could think of immediately :-).

It's always good to have an enterprise security solution which includes a good antivirus, good firewall and good anti-malware solution (such as MalwareBytes Anti-Malware). As long as you have regular Windows Updates, antivirus definition updates and such, you should be generally safe.
 
LVL 16

Expert Comment

by:warturtle
ID: 24307539
Email is another source of infections, by the way.
 

Author Comment

by:sshermankig
ID: 24307740
We have a pretty strong filter monitoring our e-mail server and nothing out of the ordinary was received on the day the infection arrived.  Is there a way to pinpoint which website?  I'm sure there were no external devices connected to the machine, no one had access to it after hours.
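On the "is there a way to pinpoint" question, the practical first step is the one the ComboFix log's Find3M section hints at: build a timeline of what changed on disk and line the timestamp cluster up against browser history, proxy logs or Windows event logs for that window. The script below is an added example, not from the thread or from any tool named in it; it lists files changed in the last 90 days newest first and flags executables carrying the hidden + system attributes (the "--sha-w" pattern discussed above). The attribute bit values are the Win32 ones, and the sample tree it runs on is constructed in a temporary directory.

```python
"""Find3M-style sweep: recent files newest first, hidden+system executables flagged."""
import os, stat, tempfile, time
from typing import List, NamedTuple, Optional

# Win32 attribute bits; off Windows os.stat() lacks st_file_attributes, so both read as clear
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x02, 0x04
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}

class Finding(NamedTuple):
    path: str
    mtime: float
    hidden: bool
    system: bool
    @property
    def executable(self) -> bool:
        return os.path.splitext(self.path)[1].lower() in EXECUTABLE_EXTENSIONS
    @property
    def suspicious(self) -> bool:
        # hidden + system on an executable: the "--sha-w" pattern from the log
        return self.executable and self.hidden and self.system

def recent_files(root: str, days: int = 90, now: Optional[float] = None) -> List[Finding]:
    """Regular files under root modified within `days`, newest first."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:  # locked or vanished file, like the Perflib .dat above
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_mtime < cutoff:
                continue
            attrs = getattr(st, "st_file_attributes", 0)
            found.append(Finding(path, st.st_mtime, bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                                 bool(attrs & FILE_ATTRIBUTE_SYSTEM)))
    return sorted(found, key=lambda f: f.mtime, reverse=True)

def demo() -> List[Finding]:
    """Constructed sample tree: 1-hour-old .txt, day-old .exe, 200-day-old .dll."""
    root, now = tempfile.mkdtemp(), time.time()
    for fname, age in (("notes.txt", 3600), ("lozobusa.exe", 86400), ("old.dll", 200 * 86400)):
        path = os.path.join(root, fname)
        open(path, "w").close()
        os.utime(path, (now - age, now - age))
    findings = recent_files(root, days=90, now=now)  # old.dll falls outside the window
    for f in findings:
        print("!!" if f.suspicious else "  ", time.strftime("%Y-%m-%d %H:%M", time.localtime(f.mtime)), f.path)
    return findings
```

Point `recent_files` at the Windows and system32 folders on the affected machine and the newest entries with `!!` are the ones to check first; a second cluster of timestamps just before the first flagged file usually marks when the dropper ran.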
 
LVL 61

Expert Comment

by:gheist
ID: 24307784
Do all scans in safe mode (with network easier) - namely Spybot S&D - update, immunize, scan and clean, download latest symantec updater: ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe , and do updates and scan in safe mode.
Also check Windows updates in same network safe mode.

Viruses tend to kill updaters for popular AVs, less popular AVs do better by updating updater often.

Source of infection is driver or service that installs filesystem filter to hide itself from drivers loaded later like symantec event driver. (Most likely your PC crashed on reboot after malware installed itself)
 

Author Closing Comment

by:sshermankig
ID: 31618504
Thanks so much for walking me through the resolution step by step.  I'm very grateful to be able to return this PC to productivity mode!
 

Author Comment

by:sshermankig
ID: 24308002
Thanks gheist for the additional input.  SS
 
LVL 16

Expert Comment

by:warturtle
ID: 24308069
Thanks for the feedback and the points.

It's hard to pinpoint what source the viruses came from, it's quite possible that the virus had been there for some time. Trojan.FakeAlert was one of the viruses found on this PC and more information on that is here:

http://www.malwarebytes.org/forums/index.php?showtopic=5033

It can register itself as a fake codec or browser exploit on the victim's computer. Generally, it's best to download any codecs from mainstream websites to avoid any such problems and also, have a real-time scanner in the background (you have Symantec in this case) to help with browser exploits. Don't forget to use MalwareBytes on any machines that you think have spyware in them or are behaving strangely.
 
LVL 16

Expert Comment

by:warturtle
ID: 24308089
You can uninstall ComboFix as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
 
LVL 61

Expert Comment

by:gheist
ID: 24308100
Update Symantec LiveUpdate - it is not updating otherwise for quite some time.
 

Author Comment

by:sshermankig
ID: 24308107
Excellent, will do!  Thanks again, SS
 

Author Comment

by:sshermankig
ID: 24308142
Thanks for the heads up about Symantec gheist.  I'm ashamed to admit that this was a new PC that I neglected to put any anti-virus on...in only three weeks an infection managed to find its way in.  I have thoroughly learned my lesson though!