
Thread: Vista Security Alert and Generic.dropper1F3 issues

  1. #11
    Member
    Join Date
    Nov 2009
    Location
    California USA
    Posts
    65


    Oldman,

    I tried to see which programs are being blocked but I no longer see the icon in the systray. I'll try to get a full list when I reboot, but I thought it was system security that was blocking the programs. We should know after a reboot.

    ESET is still running, this is going to take a while. I did have a chance to look at the quarantine folder size and it is in excess of 450,000 files and somewhere in the vicinity of 2.5+GB. I get the feeling it hasn't been self deleting. The earliest quarantine file starts in 2009, right after the last time this computer had a virus that we cleaned up here on the forum.

    I am posting from my laptop while ESET runs on the other computer. The other has been on-line with my wireless router since I woke up and I have not seen any signs of McAfee shutting itself down or any unexplained traffic.

    I'll check out the McAfee links while waiting for ESET to complete (it is still stuck at about 34%) and post the log as soon as it is done.

    Mike

  2. #12
    Member
    Join Date
    Nov 2009
    Location
    California USA
    Posts
    65


    Good evening Oldman,

    ESET took forever to run, compliments of the quarantine folder, but it finished earlier this evening. Here is the log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    esets_scanner_update returned -1 esets_gle=53251
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=0f4644fb83c39c4287a68ac8189d9d2c
    # end=stopped
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-12-30 10:48:57
    # local_time=2011-12-30 02:48:57 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=5121 16777213 100 75 710395 25657985 0 0
    # compatibility_mode=5892 16776638 66 100 52068009 161892851 0 0
    # compatibility_mode=8192 67108863 100 0 64716753 64716753 0 0
    # scanned=1062
    # found=0
    # cleaned=0
    # scan_time=15
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=0f4644fb83c39c4287a68ac8189d9d2c
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-12-31 05:31:29
    # local_time=2011-12-30 09:31:29 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=5121 16777213 100 75 711998 25659588 0 0
    # compatibility_mode=5892 16776638 66 100 52069612 161894454 0 0
    # compatibility_mode=8192 67108863 100 0 64718356 64718356 0 0
    # scanned=1197804
    # found=0
    # cleaned=0
    # scan_time=22563

    I have followed the directions posted earlier regarding deleting the quarantine files. Unfortunately I have been unsuccessful in emptying that folder. About the only thing I can do is try deleting one file at a time. Every time I try deleting a block of files, or the select all option the folder stops responding. Also, the delete files option through the McAfee console just gives the working/waiting icon and nothing happens. Of course, I have only let that run for an hour, twice, with no luck. I may try letting it work all night and see if there is any headway in the morning.

    Regarding the blocked start up programs, the icon in the system tray is for the Windows System Configuration Utility. A partial list of the programs blocked is:
    RAID event monitor
    Intel Viv Software
    Groove Monitor
    Lexmark printer
    Fax solutions
    NVIDIA
    McAfee
    Adobe
    Quick Time
    Itunes
    Intellipoint (mouse)
    Malwarebytes

    Not a complete list but enough to give the idea of what is currently being blocked at start up. I do get the option of enabling these items and wonder if all I have to do is enable them. Suspecting that the rootkit may have changed the setting. Your thoughts?

  3. #13
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi Mike T,

    Windows System Configuration Utility aka msconfig
    http://support.microsoft.com/kb/310560/

    It's a Windows utility which allows you to control what you want or don't want to start up when you turn on your computer. To access it click Start, type msconfig. When the interface opens click the Startup tab.

    A database of startup items, what they are and if they can be disabled can be found HERE. You can find the items by clicking the respective letter for the first letter in the filename. You can find the filename in msconfig's Command column. You may need to expand the column by using your left mouse button to click and hold the edge of the column at the top and sliding it to the right.

    Looking at the list, it is hard to say if they all should be enabled as some programs have components that do not need to be loaded at startup, so you should check the database. I can't say whether it was malware or a person that set them to disabled, but if it is the entire list as viewed on the Startup tab then it may have been malware related.

    Did you try the steps in the McAfee link to empty the quarantined folder by unchecking "Use Access Protection"?
    Member of UNITE and ASAP
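The post above explains how to read startup entries in msconfig's Startup tab and look each one up before re-enabling it. The script below is an added example, not part of this thread or any tool mentioned in it: it lists the same entries from the registry (the standard Run/RunOnce keys plus the key that msconfig on Vista and Windows 7 uses to park disabled items, which does not exist on Windows 8 and later), extracts the program path from each command line, and reports the Authenticode signature status so that unsigned or missing executables stand out for a database lookup. The helper names are my own.

```powershell
# Added example (not from the forum thread): enumerate startup entries the way
# msconfig's Startup tab shows them and flag anything unsigned or missing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Vista/7 msconfig moves items disabled on the Startup tab to this key,
# one subkey per item, keeping the original command line in the "command" value.
$disabledKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-ExecutableFromCommand {
    # Pull the program path out of a command line such as
    #   "C:\Program Files\Vendor\tool.exe" /silent   or   C:\tool.exe -x
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: the path ends at the first ".exe" if there is one, else at the first space.
    $m = [regex]::Match($cmd, '(?i)^(.*?\.exe)\b')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-StartupEntry {
    param([string]$Name, [string]$Command, [string]$Source, [string]$State)
    $exe    = Get-ExecutableFromCommand $Command
    $exists = Test-Path -LiteralPath $exe
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
    [pscustomobject]@{
        Name      = $Name
        State     = $State
        Source    = $Source
        Path      = $exe
        Signature = $sig        # Valid, NotSigned, HashMismatch, ... or FileMissing
        Command   = $Command
    }
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        Get-StartupEntry -Name $p.Name -Command ([string]$p.Value) -Source $key -State 'Enabled'
    }
})

if (Test-Path $disabledKey) {
    $entries += @(foreach ($sub in Get-ChildItem -Path $disabledKey) {
        $v = Get-ItemProperty -Path $sub.PSPath
        Get-StartupEntry -Name $sub.PSChildName -Command ([string]$v.command) -Source $disabledKey -State 'Disabled'
    })
}

$entries | Sort-Object State, Name | Format-Table Name, State, Signature, Path -AutoSize

# Anything whose signature is not "Valid" deserves a lookup in a startup-program
# database before it is re-enabled; FileMissing entries are leftovers of removed software.
$entries | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Name, State, Signature, Command -Wrap
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A vendor component that shows as NotSigned is not automatically malicious (plenty of older printer and driver helpers are unsigned), which is exactly why the post recommends checking the database rather than re-enabling the whole list at once.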

  4. #14
    Member
    Join Date
    Nov 2009
    Location
    California USA
    Posts
    65


    Oldman,

    I believe the blocked start up list is a result of the malware as that icon/message was not present prior to the attack. I'll look through the list at the link you provided and see what I should re-enable.

    As for the McAfee deletion problem, yes I followed the steps in the prior link. I don't know if it was the sheer size of that file or if the malware caused some issue but nothing worked. I tried deleting the file through the McAfee dashboard and manually through the Program Data\mcafee\virus scan\quarantine folder; either method simply stalled the computer. When attempting manually, I would wait until all 480,000 files had loaded, then as soon as I would use the "select all" function or select a single file by right clicking the computer would stall and I could not delete any file(s). I believe the McAfee file had been corrupted by the malware, possibly to facilitate the malware shutting down the virus scan and firewall programs.

    My work around was to uninstall McAfee then run MPCR to completely remove the McAfee files and folders. That completed last night and I am in the process of re-installing McAfee on the affected computer as I type this from my laptop.

    After everything we've done the computer was coming up pretty quick on start-up, but this morning everything loaded lightning fast. A quick look at the size of the C: drive shows that getting rid of the quarantine folder freed up almost 3GB of drive space.

    I'll let you know how my blocked programs look compared to the list you referenced.

    Mike

  5. #15
    Member
    Join Date
    Nov 2009
    Location
    California USA
    Posts
    65


    Interesting.

    I wanted to double check the list of blocked programs on the affected computer and the icon was not there. I rebooted the system, which usually brought the list up for viewing, and the list is still not there. Bringing up the list manually shows that none of the listed files are disabled. Completely opposite of yesterday.

    Mike

  6. #16
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi Mike T,

    Well, your work around would definitely be effective.

    As far as the blocked list, that could have been malware disguised as the legitimate msconfig showing you how well it was "protecting" you.


    Looks like everything is ok.


    From your desktop, please delete, if present
    • any notepads/logs that we created
    • DDS.scr
    • mbr.zip
    • mbr.dat
    • aswMBR.exe


    Next

    Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK

    Combofix /uninstall


    I suggest you keep MBAM. Keep it updated and use it regularly.

    You can keep TFC and use it from time to time.


    Some Recommendations and prevention tips

    Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have those.

    You should also use Spyware Blaster to help immunize your computer.

    - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    OR

    A guide to understanding and using the hosts file.

    Learn how your Hosts file can protect you and how you can protect it.
    Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
    HOSTS

    Please read the info on disabling the DNS Client before installing a custom hosts file.


    -Secure your Internet Explorer

    From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


    - Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis


    - Make sure you have reset Automatic Updates to your chosen option. Click your Start button > Control Panel > System > Updates tab


    - Keep your antivirus program updated, as well as any other security programs you have.


    -More tips and programs can be found HERE

    Please post back if you have any problems.

    Take care
    Member of UNITE and ASAP
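The recommendations above (the Internet zone changes under Custom Level, the hosts file, and the note about the DNS Client service) are given as click-through steps. The script below is an added example, not from this thread or from any of the tools it names: it reads the six Internet-zone settings from the registry and compares them with the values the post asks for, checks the hosts file for entries that send vendor or update sites somewhere other than a block address, and reports the DNS Client service state. The registry value names for the Internet zone (zone 3) and the 0/1/3 meanings are Microsoft's documented layout; the list of watched domain names and the function names are my own choices. It only reads unless you pass -Apply.

```powershell
# Added example (not from the forum post): post-cleanup check of the IE Internet
# zone, the hosts file and the DNS Client service. Read-only unless -Apply is given.
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values, matching the post's Custom Level bullet list one for one.
$wanted = @(
    @{ Id = '1001'; Setting = 'Download signed ActiveX controls';                       Value = 1 }
    @{ Id = '1004'; Setting = 'Download unsigned ActiveX controls';                     Value = 3 }
    @{ Id = '1201'; Setting = 'Initialize and script ActiveX controls not marked safe'; Value = 3 }
    @{ Id = '1800'; Setting = 'Installation of desktop items';                          Value = 1 }
    @{ Id = '1804'; Setting = 'Launching programs and files in an IFRAME';              Value = 1 }
    @{ Id = '1607'; Setting = 'Navigate sub-frames across different domains';           Value = 1 }
)

function Test-IeZoneSettings {
    $zone = Get-ItemProperty -Path $zonePath
    foreach ($w in $wanted) {
        $current = $zone.($w.Id)
        $ok = ($null -ne $current) -and ([int]$current -eq $w.Value)
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $zonePath -Name $w.Id -Value $w.Value -Type DWord
        }
        $shown = if ($null -eq $current) { 'unset' }
                 elseif ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] }
                 else { "raw $current" }
        [pscustomobject]@{
            Setting = $w.Setting
            Current = $shown
            Wanted  = $meaning[$w.Value]
            Status  = if ($ok) { 'OK' } elseif ($Apply) { 'Fixed' } else { 'CHANGE' }
        }
    }
}

function Test-HostsFile {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines = @(Get-Content -Path $hosts | Where-Object { $_ -match '^\s*[^#\s]' })
    # A blocklist-style hosts file points names at 0.0.0.0 or 127.0.0.1; a vendor or
    # update site pointed anywhere else is the thing worth a second look.
    # Constructed watch list; extend it with the vendors you actually use.
    $watch = 'microsoft.com', 'windowsupdate.com', 'mcafee.com', 'eset.com', 'malwarebytes.org'
    $block = '0.0.0.0', '127.0.0.1', '::1'
    foreach ($line in $lines) {
        $parts = ($line -replace '#.*$', '').Trim() -split '\s+'   # ip, then hostnames
        if ($parts.Length -lt 2) { continue }
        $ip = $parts[0]
        foreach ($n in $parts[1..($parts.Length - 1)]) {
            $hit = $watch | Where-Object { $n -like "*$_" }
            if ($hit -and ($block -notcontains $ip)) {
                [pscustomobject]@{ Host = $n; Target = $ip; Note = 'vendor/update site redirected' }
            }
        }
    }
    [pscustomobject]@{ Host = '(hosts file)'; Target = "$($lines.Count) active entries"; Note = $hosts }
}

function Get-DnsClientState {
    # The post says to read about disabling the DNS Client before installing a large
    # custom hosts file; this just reports where that service currently stands.
    $svc = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
    [pscustomobject]@{ Service = 'DNS Client (Dnscache)'; State = $svc.State; StartMode = $svc.StartMode }
}

Test-IeZoneSettings | Format-Table -AutoSize
Test-HostsFile      | Format-Table -AutoSize
Get-DnsClientState  | Format-Table -AutoSize
```

Run it once without -Apply to see the CHANGE rows, then with -Apply if you want the registry written instead of using the Internet Options dialog; the dialog and the registry values are the same settings, so either route ends in the same state. Get-CimInstance needs PowerShell 3 or later.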

  7. #17
    Member
    Join Date
    Nov 2009
    Location
    California USA
    Posts
    65


    I think we've got it beat.

    All logs and tools have been removed. I always have MBAM and SBS&D, those and my AV generally keep me free of problems but this one snuck in on two computers. The TFC seems like a nice handy "keep the files in check" tool, glad I can use that one for regular maintenance.

    All IE settings are as suggested and the last of the Windows updates (new in the last week) are loading now.

    Once they're done I can connect the 1TB external drive and get everything backed up and safe.

    Have a safe and happy New Year.

    Thanks,
    Mike

  8. #18
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi Mike T,

    Glad it worked out. Happy New Year to you.

    Take care.
    Member of UNITE and ASAP

  9. #19
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Since this issue appears to be resolved ... this Topic has been closed.
    Member of UNITE and ASAP
