Post #1 - 15.04.2012 22:09 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
Hello Experts, really hope you can help with this. On April 10, a family member sent me a PDF email attachment which she was having trouble opening on her computer. I downloaded it and tried to open it, but Acrobat Reader couldn't make sense of it. Immediately afterward, Microsoft Security Essentials (which I had running at the time; no longer) detected a threat it called "Exploit:Win32/Pdfjsc.RM" (see details here: http://www.microsoft.com/security/portal/T...tid=2147646754), first in the PDF file itself, and then in literally **hundreds** of files in Chrome's cache and the Windows Temp directory. MS Security Essentials tried to deal with these detections, but often reported that it had failed, seemingly because often the files no longer existed. Multiple cleanings and reboots (and a call to MS) didn't help.
I installed Kaspersky Antivirus 2012, and it began detecting things in the Chrome cache as well (screenshots attached). It detected hundreds of infections, all the same, among these cache files. It, too, could only quarantine about half, since the other half spontaneously disappeared. Multiple reboots haven't helped. The original problematic PDF is available to me on my email account, but I did not attach it here so that I would not infect anyone -- if you'd like me to send it to you for analysis, and you know how I can do that safely, I will be happy to send it along. Thanks! GSI log is here Screenshot:
Attachment: Quarantine.jpg (290.38K), number of downloads: 11
This post has been edited by emayer: 15.04.2012 22:26
Post #2 - 15.04.2012 23:59 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
Here's the AVZ log:
Attachment: sysinfo.zip (29.33K), number of downloads: 2
edit: del quote. This post has been edited by richbuff: 16.04.2012 05:39
Post #3 - 16.04.2012 05:46 - Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Welcome. Please clear your Chrome cache: http://support.google.com/chrome/bin/answe...mp;answer=95582
Then scan again with Kaspersky. Any current detections?

--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Post #4 - 16.04.2012 07:57 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
> Welcome. Please clear your Chrome cache: http://support.google.com/chrome/bin/answe...mp;answer=95582
> Then scan again with Kaspersky. Any current detections?

Thanks -- tried that many times already. It works temporarily, but then as soon as I go back to surfing the web and then scan the cache again, it finds the usual number of detections in the cache.
Post #5 - 16.04.2012 08:07 - Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't remove anything yet, until the log is reviewed.
Post #6 - 16.04.2012 10:16 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
> Scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't remove anything yet, until the log is reviewed.

Here's the log from Malwarebytes' Quick Scan (let me know if I should do a Complete Scan):

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.16.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
emayer :: T61 [administrator]

16/04/2012 8:56 AM
mbam-log-2012-04-16 (08-56-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228343
Time elapsed: 18 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Post #7 - 16.04.2012 10:26 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
Right after the MBAM scan above, I had KAV scan the Chrome cache, and it found plenty of Trojans :-(
Screenshots below...
Attachment: After_MBAM.jpg (40.03K), number of downloads: 6
Attachment: Quarantine.jpg (198.36K), number of downloads: 5
Post #8 - 16.04.2012 10:43 - Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Go ahead and do the full scan with Malwarebytes.
Any detections if you close Chrome, leave the items in the cache (don't delete them), and do a Full Scan with Kaspersky?
Post #9 - 16.04.2012 13:42 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
> Go ahead and do the full scan with Malwarebytes.
> Any detections if you close Chrome, leave the items in the cache (don't delete them), and do a Full Scan with Kaspersky?

Full scan with Malwarebytes running so far over 2.5 hours, will post log when done and then do Full Scan w/Kaspersky. Thx
Post #10 - 16.04.2012 14:19 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
OK, here's the log from the Full Scan from Malwarebytes:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.16.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
emayer :: T61 [administrator]

16/04/2012 10:06 AM
mbam-log-2012-04-16 (10-06-36).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 412517
Time elapsed: 3 hour(s), 11 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Post #11 - 16.04.2012 14:44 - Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
The items that Kaspersky detects in the Chrome cache: Please send full details to the Lab, instructions are located in the third important topic located near the top of the Virus section of this forum. And here: http://forum.kaspersky.com/index.php?showtopic=13881
Post #12 - 16.04.2012 15:37 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
> The items that Kaspersky detects in the Chrome cache: Please send full details to the Lab, instructions are located in the third important topic located near the top of the Virus section of this forum. And here: http://forum.kaspersky.com/index.php?showtopic=13881

The Kaspersky Full Scan is currently running (and says it will run for more than 24 hours... hope it speeds up soon), once it finishes I can submit detected files to the Lab. Yesterday, I emailed to the Lab the original PDF file which caused this whole problem -- how soon should I hear back from them? I sent it twice through the submission form, but I received an email telling me that the attached virus did not come through (although I had zipped it with a password), so I sent it directly to the newvirus@kaspersky.com address. Thx...
Post #13 - 16.04.2012 16:48 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
Kaspersky Full Scan says it has 2 hrs left -- and has detected 162 threats (none neutralized yet). Did you mean that I should send all 162 files to the Virus Lab or just one?
Post #14 - 16.04.2012 17:24 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
Kaspersky Full Scan is done -- screenshot of Quarantine below.
It found 162 threats and neutralized 81 (as usual, the other half spontaneously disappeared). Did you mean that I should send all 162 files to the Virus Lab or just one?
Attachment: Quarantine.jpg (236.31K), number of downloads: 6
Post #15 - 17.04.2012 04:28 - Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Just a few should suffice sufficiently.
Post #16 - 17.04.2012 12:14 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
> Just a few should suffice sufficiently.

Thanks. When I try to send files from the Quarantine by right-clicking them, Kaspersky locks up and stops responding entirely. So I figured I would manually email some of the files to the Lab. But since the files are in the Quarantine, meaning I can't access them directly, how do I get to them so I can zip them up and email them? Thx...
Post #17 - 17.04.2012 12:31 - Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
It may be easier to send samples directly from the Chrome cache.
Post #18 - 17.04.2012 12:44 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
> It may be easier to send samples directly from the Chrome cache.

Please forgive me, I didn't get that -- since the detections in the Chrome cache have already been quarantined, doesn't that mean they're not accessible in the cache anymore, meaning I can't send them from there? Thx
Post #19 - 17.04.2012 12:51 - Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
You can Restore from Kaspersky quarantine (via right click some of the entries in Quarantined) and send those files, and/or run Chrome again and send some of the files to the Lab before Kaspersky scan is done.
If still no go, please contact Virus Tech Support via my kaspersky: https://my.kaspersky.com/en/support/viruslab and inform them of this issue.
This post has been edited by richbuff: 17.04.2012 12:52
Post #20 - 17.04.2012 13:12 - Member (Group: Members, Posts: 13, Joined: 15.04.2012)
> You can Restore from Kaspersky quarantine (via right click some of the entries in Quarantined) and send those files, and/or run Chrome again and send some of the files to the Lab before Kaspersky scan is done.
> If still no go, please contact Virus Tech Support via my kaspersky: https://my.kaspersky.com/en/support/viruslab and inform them of this issue.

OK, thanks. Yesterday or the day before, I sent the Virus Lab the original PDF which caused the whole problem, and now I've sent them another file with the same detection. Any sense of how long it usually takes for them to get back to me? Thx
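The detections in this thread are Pdfjsc-family hits, i.e. cached PDFs carrying JavaScript, and the recurring obstacle was that half of the cache entries vanished before they could be quarantined or sent to the Lab. The Python triage script below is an added example, not code from the forum, Kaspersky or Malwarebytes: it copies every cached PDF to a holding directory before inspecting it, hashes it for submission, undoes PDF name hex escapes and flags the name objects (/JavaScript, /JS, /OpenAction, /AA, /Launch) that let a document run script or act on open. It assumes the cache is a flat directory of files and that an entry may carry HTTP headers in front of the PDF body, which is why the body is located by its %PDF- marker rather than at offset 0.

```python
import hashlib, re, shutil, tempfile
from pathlib import Path

# Name objects that let a PDF run script or act on open; the Pdfjsc family depends on
# them, so they are the triage signal (not proof of malice). Lookahead: /AA, not /AAPL.
SUSPICIOUS_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?![A-Za-z0-9])")

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes):
    """Return a triage record (sha256, has_js, keywords) if data holds a PDF body, else None."""
    start = data.find(b"%PDF-")  # by marker: assumed that headers may precede the body
    if start < 0:
        return None
    hits = sorted({m.group(0).decode() for m in SUSPICIOUS_RE.finditer(normalize_names(data[start:]))})
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "has_js": "/JavaScript" in hits or "/JS" in hits, "keywords": hits}

def triage_cache_dir(cache_dir: Path, hold_dir: Path) -> list:
    """Scan cache_dir, copying each PDF to hold_dir before anything can evict it."""
    hold_dir.mkdir(parents=True, exist_ok=True)
    findings = []
    for path in sorted(p for p in cache_dir.iterdir() if p.is_file()):
        record = triage_pdf(path.read_bytes())
        if record is None:
            continue
        kept = hold_dir / f"{record['sha256']}.pdf"  # hash-named copy for lab submission
        shutil.copy2(path, kept)
        findings.append({**record, "source": path.name, "copy": str(kept)})
    return findings

# Constructed samples: a benign stub, and one whose /OpenAction runs an
# obfuscated /JavaScript action behind HTTP headers, as a cache entry might.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
JS_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
          b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")

def demo() -> list:
    """Write the samples plus a non-PDF block file into a temporary cache and triage it."""
    root = Path(tempfile.mkdtemp())
    cache = root / "Cache"
    cache.mkdir()
    (cache / "f_000001").write_bytes(BENIGN_PDF)
    (cache / "f_000002").write_bytes(JS_PDF)
    (cache / "data_0").write_bytes(b"\x00" * 64)  # index/block file, not a PDF
    return triage_cache_dir(cache, root / "hold")
```

On a real machine, point triage_cache_dir at the browser's cache directory while the browser is closed and submit the hash-named copies from the holding directory, which survive regardless of what the browser or the scanner later does to the originals.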