emayer

Persistent Trojan "HEUR:Exploit.Script.Generic"

20 posts in this topic

Hello Experts, really hope you can help with this. On April 10, a family member sent me a PDF email attachment which she was having trouble opening on her computer. I downloaded it and tried to open it, but Acrobat Reader couldn't make sense of it. Immediately afterward, Microsoft Security Essentials (which I had running at the time; no longer) detected a threat it called "Exploit:Win32/Pdfjsc.RM" (see details here: http://www.microsoft.com/security/portal/T...tid=2147646754), first in the PDF file itself, and then in literally **hundreds** of files in Chrome's cache and the Windows Temp directory. MS Security Essentials tried to deal with these detections, but often reported that it had failed, seemingly because often the files no longer existed. Multiple cleanings and reboots (and a call to MS) didn't help.

 

I installed Kaspersky Antivirus 2012, and it began detecting things in the Chrome cache as well (screenshots attached). It detected hundreds of infections, all the same, among these cache files. It, too, could only quarantine about half, since the other half spontaneously disappeared. Multiple reboots haven't helped.

 

The original problematic PDF is available to me on my email account, but I did not attach it here so that I would not infect anyone -- if you'd like me to send it to you for analysis, and you know how I can do that safely, I will be happy to send it along.

 

Thanks!

 

GSI log is here

 

Screenshot:

[screenshot attachment: post-409863-1334514358_thumb.jpg]

Edited by emayer

Scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but please don't remove anything yet until the log is reviewed.

 

Here's the log from Malwarebytes' Quick Scan (let me know if I should do a Complete Scan):

 

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

 

Database version: v2012.04.16.01

 

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

emayer :: T61 [administrator]

 

16/04/2012 8:56 AM

mbam-log-2012-04-16 (08-56-51).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 228343

Time elapsed: 18 minute(s), 4 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)


Right after the MBAM scan above, I had KAV scan the Chrome cache, and it found plenty of Trojans :-(

Screenshots below...

 

[screenshot attachment: post-409863-1334557588_thumb.jpg]

[screenshot attachment: post-409863-1334557555_thumb.jpg]


Go ahead and do the full scan with Malwarebytes.

 

Any detections if you close Chrome, leave the items in the cache (don't delete them), and do a Full Scan with Kaspersky?

Go ahead and do the full scan with Malwarebytes.

 

Any detections if you close Chrome, leave the items in the cache (don't delete them), and do a Full Scan with Kaspersky?

 

Full scan with Malwarebytes running so far over 2.5 hours, will post log when done and then do Full Scan w/Kaspersky.

Thx


OK, here's the log from the Full Scan from Malwarebytes:

 

 

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

 

Database version: v2012.04.16.01

 

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

emayer :: T61 [administrator]

 

16/04/2012 10:06 AM

mbam-log-2012-04-16 (10-06-36).txt

 

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 412517

Time elapsed: 3 hour(s), 11 minute(s), 56 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

The items that Kaspersky detects in the Chrome cache: Please send full details to the Lab, instructions are located in the third important topic located near the top of the Virus section of this forum. And here: http://forum.kaspersky.com/index.php?showtopic=13881

 

The Kaspersky Full Scan is currently running (and says it will run for more than 24 hours... hope it speeds up soon), once it finishes I can submit detected files to the Lab. Yesterday, I emailed to the Lab the original PDF file which caused this whole problem -- how soon should I hear back from them? I sent it twice through the submission form, but I received an email telling me that the attached virus did not come through (although I had zipped it with a password), so I sent it directly to the newvirus@kaspersky.com address.

 

Thx...


Kaspersky Full Scan says it has 2 hrs left -- and has detected 162 threats (none neutralized yet). Did you mean that I should send all 162 files to the Virus Lab or just one?


Kaspersky Full Scan is done -- screenshot of Quarantine below.

It found 162 threats and neutralized 81 (as usual, the other half spontaneously disappeared).

 

Did you mean that I should send all 162 files to the Virus Lab or just one?

 

[screenshot attachment: post-409863-1334582628_thumb.jpg]

 

Just a few should suffice sufficiently.

 

Thanks. When I try to send files from the Quarantine by right-clicking them, Kaspersky locks up and stops responding entirely. So I figured I would manually email some of the files to the Lab. But since the files are in the Quarantine, meaning I can't access them directly, how do I get to them so I can zip them up and email them?

 

Thx...


It may be easier to send samples directly from the Chrome cache.

It may be easier to send samples directly from the Chrome cache.

 

Please forgive me, I didn't get that -- since the detections in the Chrome cache have already been quarantined, doesn't that mean they're not accessible in the cache anymore, meaning I can't send them from there?

Thx


You can Restore from the Kaspersky quarantine (by right-clicking some of the entries in Quarantine) and send those files, and/or run Chrome again and send some of the files to the Lab before the Kaspersky scan is done.

 

If still no go, please contact Virus Tech Support via My Kaspersky: https://my.kaspersky.com/en/support/viruslab and inform them of this issue.

Edited by richbuff

You can Restore from the Kaspersky quarantine (by right-clicking some of the entries in Quarantine) and send those files, and/or run Chrome again and send some of the files to the Lab before the Kaspersky scan is done.

 

If still no go, please contact Virus Tech Support via My Kaspersky: https://my.kaspersky.com/en/support/viruslab and inform them of this issue.

 

OK, thanks. Yesterday or the day before, I sent the Virus Lab the original PDF which caused the whole problem, and now I've sent them another file with the same detection. Any sense of how long it usually takes for them to get back to me? Thx
