Persistent Trojan "HEUR:Exploit.Script.Generic", Can't seem to get rid of this...
emayer
post 15.04.2012 22:09
Post #1


Member
**

Group: Members
Posts: 13
Joined: 15.04.2012




Hello Experts, really hope you can help with this. On April 10, a family member sent me a PDF email attachment which she was having trouble opening on her computer. I downloaded it and tried to open it, but Acrobat Reader couldn't make sense of it. Immediately afterward, Microsoft Security Essentials (which I had running at the time; no longer) detected a threat it called "Exploit:Win32/Pdfjsc.RM" (see details here: http://www.microsoft.com/security/portal/T...tid=2147646754), first in the PDF file itself, and then in literally **hundreds** of files in Chrome's cache and the Windows Temp directory. MS Security Essentials tried to deal with these detections, but often reported that it had failed, seemingly because often the files no longer existed. Multiple cleanings and reboots (and a call to MS) didn't help.

I installed Kaspersky Antivirus 2012, and it began detecting things in the Chrome cache as well (screenshots attached). It detected hundreds of infections, all the same, among these cache files. It, too, could only quarantine about half, since the other half spontaneously disappeared. Multiple reboots haven't helped.

The original problematic PDF is available to me on my email account, but I did not attach it here so that I would not infect anyone -- if you'd like me to send it to you for analysis, and you know how I can do that safely, I will be happy to send it along.

Thanks!

GSI log is here

Screenshot:
Attached File  Quarantine.jpg ( 290.38K ) Number of downloads: 13


This post has been edited by emayer: 15.04.2012 22:26

emayer
post 15.04.2012 23:59
Post #2

Here's the AVZ log: Attached File  sysinfo.zip ( 29.33K ) Number of downloads: 2


edit: del quote.

This post has been edited by richbuff: 16.04.2012 05:39
richbuff
post 16.04.2012 05:46
Post #3


Oldtimer
****************

Group: Moderators
Posts: 47451
Joined: 14.06.2007




Welcome. Please clear your Chrome cache: http://support.google.com/chrome/bin/answe...mp;answer=95582

Then scan again with Kaspersky. Any current detections?


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

emayer
post 16.04.2012 07:57
Post #4

QUOTE(richbuff @ 16.04.2012 03:46)
Welcome. Please clear your Chrome cache: http://support.google.com/chrome/bin/answe...mp;answer=95582

Then scan again with Kaspersky. Any current detections?


Thanks -- tried that many times already. It works temporarily, but then as soon as I go back to surfing the web and then scan the cache again, it finds the usual number of detections in the cache.

richbuff
post 16.04.2012 08:07
Post #5

Scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't remove anything yet, until the log is reviewed.



emayer
post 16.04.2012 10:16
Post #6

QUOTE(richbuff @ 16.04.2012 06:07)
Scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't remove anything yet, until the log is reviewed.


Here's the log from Malwarebytes' Quick Scan (let me know if I should do a Complete Scan):

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.16.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
emayer :: T61 [administrator]

16/04/2012 8:56 AM
mbam-log-2012-04-16 (08-56-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228343
Time elapsed: 18 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

emayer
post 16.04.2012 10:26
Post #7

Right after the MBAM scan above, I had KAV scan the Chrome cache, and it found plenty of Trojans :-(
Screenshots below...

Attached File  After_MBAM.jpg ( 40.03K ) Number of downloads: 6


Attached File  Quarantine.jpg ( 198.36K ) Number of downloads: 5

richbuff
post 16.04.2012 10:43
Post #8

Go ahead and do the full scan with Malwarebytes.

Any detections if you close Chrome, leave the items in the cache (don't delete them), and do a Full Scan with Kaspersky?



emayer
post 16.04.2012 13:42
Post #9

QUOTE(richbuff @ 16.04.2012 08:43)
Go ahead and do the full scan with Malwarebytes.

Any detections if you close Chrome, leave the items in the cache (don't delete them), and do a Full Scan with Kaspersky?


Full scan with Malwarebytes running so far over 2.5 hours, will post log when done and then do Full Scan w/Kaspersky.
Thx

emayer
post 16.04.2012 14:19
Post #10

OK, here's the log from the Full Scan from Malwarebytes:


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.16.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
emayer :: T61 [administrator]

16/04/2012 10:06 AM
mbam-log-2012-04-16 (10-06-36).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 412517
Time elapsed: 3 hour(s), 11 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

richbuff
post 16.04.2012 14:44
Post #11

The items that Kaspersky detects in the Chrome cache: Please send full details to the Lab, instructions are located in the third important topic located near the top of the Virus section of this forum. And here: http://forum.kaspersky.com/index.php?showtopic=13881



emayer
post 16.04.2012 15:37
Post #12

QUOTE(richbuff @ 16.04.2012 12:44)
The items that Kaspersky detects in the Chrome cache: Please send full details to the Lab, instructions are located in the third important topic located near the top of the Virus section of this forum. And here: http://forum.kaspersky.com/index.php?showtopic=13881


The Kaspersky Full Scan is currently running (and says it will run for more than 24 hours... hope it speeds up soon), once it finishes I can submit detected files to the Lab. Yesterday, I emailed to the Lab the original PDF file which caused this whole problem -- how soon should I hear back from them? I sent it twice through the submission form, but I received an email telling me that the attached virus did not come through (although I had zipped it with a password), so I sent it directly to the newvirus@kaspersky.com address.

Thx...

emayer
post 16.04.2012 16:48
Post #13

Kaspersky Full Scan says it has 2 hrs left -- and has detected 162 threats (none neutralized yet). Did you mean that I should send all 162 files to the Virus Lab or just one?

emayer
post 16.04.2012 17:24
Post #14

Kaspersky Full Scan is done -- screenshot of Quarantine below.
It found 162 threats and neutralized 81 (as usual, the other half spontaneously disappeared).

Did you mean that I should send all 162 files to the Virus Lab or just one?

Attached File  Quarantine.jpg ( 236.31K ) Number of downloads: 6


richbuff
post 17.04.2012 04:28
Post #15

Just a few should suffice sufficiently.



emayer
post 17.04.2012 12:14
Post #16

QUOTE(richbuff @ 17.04.2012 02:28)
Just a few should suffice sufficiently.


Thanks. When I try to send files from the Quarantine by right-clicking them, Kaspersky locks up and stops responding entirely. So I figured I would manually email some of the files to the Lab. But since the files are in the Quarantine, meaning I can't access them directly, how do I get to them so I can zip them up and email them?

Thx...

richbuff
post 17.04.2012 12:31
Post #17

It may be easier to send samples directly from the Chrome cache.



emayer
post 17.04.2012 12:44
Post #18

QUOTE(richbuff @ 17.04.2012 10:31)
It may be easier to send samples directly from the Chrome cache.


Please forgive me, I didn't get that -- since the detections in the Chrome cache have already been quarantined, doesn't that mean they're not accessible in the cache anymore, meaning I can't send them from there?
Thx

richbuff
post 17.04.2012 12:51
Post #19

You can Restore from Kaspersky quarantine (via right click some of the entries in Quarantined) and send those files, and/or run Chrome again and send some of the files to the Lab before Kaspersky scan is done.

If still no go, please contact Virus Tech Support via my kaspersky: https://my.kaspersky.com/en/support/viruslab and inform them of this issue.

This post has been edited by richbuff: 17.04.2012 12:52
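Added example, not code from the thread and not Kaspersky's, Microsoft's or the poster's tooling: a Python triage script for the situation described in the posts above. It pulls PDF samples straight out of a browser cache or temp folder before the cache evicts them or the scanner quarantines them (the reason half the detections "spontaneously disappear" before they can be neutralized), flags the ones that carry JavaScript or auto-open actions (Pdfjsc is Microsoft's family name for PDFs with embedded malicious JavaScript), and stages copies under their SHA-256 for submission to the Lab. The indicator list, the constructed sample PDFs, the `f_000001`-style file names and the cache path are assumptions made for illustration; password-zipping the staged folder is left to the reader.

```python
"""Stage PDF samples with JavaScript / auto-open actions out of a browser cache.

Added example for this thread; it is not Kaspersky's, Microsoft's or the
poster's code. Indicator list, sample files and paths are assumptions made
for illustration.
"""
from __future__ import annotations

import hashlib
import json
import os
import re
import shutil
import tempfile
import zlib
from pathlib import Path

PDF_MAGIC = b"%PDF"
# PDF name objects that make a reader run code on open. /JS and /JavaScript
# carry the script itself; the others are triggers that launch it.
INDICATORS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]
# PDF names may be written with #xx hex escapes (/J#53 == /JS); undo that.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def normalise(data: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated name still matches INDICATORS."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every stream that deflates,
    so names hidden inside compressed object streams are searchable too."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates trailing EOL bytes before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not deflate, or truncated: skip it, keep the rest
    return b"".join(parts)


def pdf_indicators(data: bytes) -> list[str]:
    """Indicator names found in a PDF body, in INDICATORS order; [] if not a PDF."""
    if not data.startswith(PDF_MAGIC):
        return []
    body = normalise(inflate_streams(data))
    return [name.decode() for name in INDICATORS if name in body]


def triage_cache(cache_dir: str, stage_dir: str) -> list[dict]:
    """Walk cache_dir, copy each flagged PDF to stage_dir as <sha256>.pdf and
    return a manifest. Entries that vanish between listing and reading (cache
    eviction, or the AV quarantining them first) are skipped, not fatal."""
    Path(stage_dir).mkdir(parents=True, exist_ok=True)
    manifest: list[dict] = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = Path(root) / name
            try:
                data = path.read_bytes()
            except (FileNotFoundError, PermissionError):
                continue
            hits = pdf_indicators(data)
            if not hits:
                continue
            digest = hashlib.sha256(data).hexdigest()
            dest = Path(stage_dir) / f"{digest}.pdf"
            if not dest.exists():
                shutil.copy2(path, dest)  # copy, never move: leave the cache as evidence
            manifest.append({"source": str(path), "sha256": digest, "indicators": hits})
    return manifest


def build_samples(cache_dir: str) -> None:
    """Write constructed test files: a PDF whose JavaScript sits inside a
    compressed stream wired to /OpenAction, a benign PDF, and a non-PDF
    block file. File names imitate Chrome cache entries (assumption)."""
    js_obj = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
    stream = zlib.compress(js_obj)
    header = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    obj2 = (b"2 0 obj << /Length " + str(len(stream)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream\nendobj\n")
    malicious = header + obj2 + b"%%EOF\n"
    benign = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
    d = Path(cache_dir)
    d.mkdir(parents=True, exist_ok=True)
    (d / "f_000001").write_bytes(malicious)
    (d / "f_000002").write_bytes(benign)
    (d / "data_0").write_bytes(b"block file, not a PDF")


def run_demo() -> dict:
    """Build the samples in a temp dir, triage them, report what was staged."""
    with tempfile.TemporaryDirectory() as tmp:
        cache, stage = os.path.join(tmp, "Cache"), os.path.join(tmp, "samples")
        build_samples(cache)
        manifest = triage_cache(cache, stage)
        return {"manifest": manifest, "staged_files": sorted(os.listdir(stage))}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real machine, call `triage_cache()` with the browser cache or Windows Temp path (Chrome on Windows typically keeps it under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache`) while the scanner's real-time protection is paused, then zip the staged folder with the password the Lab's submission instructions specify and send that. Treat the indicator hits as triage, not a verdict: a benign form-filled PDF also contains `/JS`, which is why the hashes and the originals go to the Lab for analysis rather than being judged locally.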


emayer
post 17.04.2012 13:12
Post #20

QUOTE(richbuff @ 17.04.2012 10:51)
You can Restore from Kaspersky quarantine (via right click some of the entries in Quarantined) and send those files, and/or run Chrome again and send some of the files to the Lab before Kaspersky scan is done.

If still no go, please contact Virus Tech Support via my kaspersky: https://my.kaspersky.com/en/support/viruslab and inform them of this issue.


OK, thanks. Yesterday or the day before, I sent the Virus Lab the original PDF which caused the whole problem, and now I've sent them another file with the same detection. Any sense of how long it usually takes for them to get back to me? Thx