Somoto-F, Lootor-U and Java virus infection

Hi, I’m infected and need help :slight_smile:

First symptom was Win 7 x64 doesn’t shut down. Hangs at “Please wait” message. System feels slow.
System scan detected nothing. Boot time scan detected and moved to chest:

Win32:Somoto-F infected bi_downloader[1].exe , nsl8B23.tmp
Elf:Lootor-U infected res\raw\rageagainstthecage
Android:RageCage-G infected classes.dex
Java:Agent-CIG infected hw.class
Java:CVE-2012-0507-SR infected mac.class
Java:CVE-2012-4681-GP infected test.class

There could be others. Screen went blank during boot-time scan, computer stopped responding. Performed hard reset at which point Windows startup failed. System Restore allowed Windows startup but infection persists.

According to sticky I ran AdwCleaner. Log follows:

# AdwCleaner v3.005 - Report created 25/09/2013 at 14:16:38
# Updated 22/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Luis Faim - SPASTARK-3
# Running from : C:\Users\Luis Faim\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\Luis Faim\AppData\Roaming\Mozilla\Firefox\Profiles\xlgrt4mx.default\user.js
Folder Found C:\ProgramData\boost_interprocess

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Found : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7601.17514


-\\ Mozilla Firefox v8.0 (en-GB)

[ File : C:\Users\Luis Faim\AppData\Roaming\Mozilla\Firefox\Profiles\xlgrt4mx.default\prefs.js ]

Line Found : user_pref("de.soerenrinne.googlebuttons.userlist", "Mail,Web Search,Maps,Calendar,Tasks,News,Translate");
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
Line Found : user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");

*************************

AdwCleaner[R0].txt - [1909 octets] - [25/09/2013 14:16:38]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1969 octets] ##########

According to sticky I should now run MBAM. Only analyse or should I allow it to try cleaning?
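For anyone who wants to triage a report like the one above without reading it line by line, here is a small parser for the AdwCleaner report layout. It is an added example, not code from this thread or from the AdwCleaner tool: it splits the report into its `***** [ Section ] *****` blocks, collects every `Key/File/Folder/Line Found` entry under its section, remembers which browser profile file a `Line Found` belongs to, and pulls the preference names out of the `user_pref(...)` lines so the hijacked Firefox settings can be listed. The embedded report is a constructed sample that follows the shape of the posted log (paths and profile name are made up); run it against a saved `AdwCleaner[R0].txt` to get the same summary.

```python
"""Parse an AdwCleaner-style scan report into structured findings.

Added example (not part of the forum thread or of AdwCleaner itself). It
reads the report format posted above, groups each "... Found" entry under
its section, and lists which browser preferences the scan flagged.
"""
import re
from collections import defaultdict

# Constructed sample report: same layout as the posted log, invented
# username and Firefox profile name.
SAMPLE_REPORT = r"""
# AdwCleaner v3.005 - Report created 25/09/2013 at 14:16:38
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\user.js
Folder Found C:\ProgramData\boost_interprocess

***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32

***** [ Browsers ] *****

-\\ Mozilla Firefox v8.0 (en-GB)

[ File : C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\prefs.js ]

Line Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");

*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# "Folder Found" lines in the report omit the colon, so it is optional here.
FOUND_RE = re.compile(
    r"^(Key|Value|File|Folder|Line|Service|Shortcut) Found\s*:?\s*(.+)$")
BROWSER_RE = re.compile(r"^-\\+ (.+)$")          # "-\\ Mozilla Firefox v8.0"
PREF_FILE_RE = re.compile(r"^\[ File : (.+) \]$")  # "[ File : ...prefs.js ]"
USER_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"(.*)"\);$')


def parse_report(text):
    """Return {section: [(kind, value, context)]}.

    `context` is the browser or preferences file a Browsers entry belongs
    to, and None for file-system and registry entries.
    """
    findings = defaultdict(list)
    section = None
    context = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            context = None
            continue
        # Blank lines, "# header" lines and the closing "*****" rule.
        if not line or line.startswith("#") or line.startswith("*"):
            continue
        m = BROWSER_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = PREF_FILE_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = FOUND_RE.match(line)
        if m and section is not None:
            findings[section].append((m.group(1), m.group(2), context))
    return dict(findings)


def summarise(findings):
    """Number of items a Clean run would act on, per report section."""
    return {section: len(items) for section, items in findings.items()}


def hijacked_prefs(findings):
    """(prefs file, preference name) for every flagged user_pref line."""
    prefs = []
    for kind, value, context in findings.get("Browsers", []):
        m = USER_PREF_RE.match(value) if kind == "Line" else None
        if m:
            prefs.append((context, m.group(1)))
    return prefs


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for name, count in summarise(found).items():
        print(f"{name}: {count} item(s)")
    for path, pref in hijacked_prefs(found):
        print(f"{pref} set in {path}")
```

Sections that list nothing (Services and Shortcuts in the posted log) simply do not appear in the summary, which makes an empty report easy to recognise; registry entries keep their `[x64]` marker so the two registry views can be told apart.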

Clean anything it finds

According to sticky I should now run MBAM. Only analyse or should I allow it to try cleaning?
allow it to clean... then attach logs, also OTL and aswMBR

when you clean with AdwCleaner and MBAM first, the OTL log will be much smaller because most of the crap is removed
that also makes the OTL fix smaller … saves the remover lots of work. :wink:

MBAM report follows:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.25.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Luis Faim :: SPASTARK-3 [administrator]

25-09-2013 22:48:42
mbam-log-2013-09-25 (22-48-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200376
Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Luis Faim\AppData\Local\Temp\y0v_G0Em.exe.part (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\Users\Luis Faim\AppData\Local\Temp\nsb7F4F.tmp\OCSetupHlp.dll (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Luis Faim\Local Settings\Temporary Internet Files\Content.IE5\5W7S1AHP\bi_downloader[1].exe (PUP.Optional.Somoto.A) -> Quarantined and deleted successfully.

(end)

OTL reports attached.

aswMBR report attached.

Apparently no big alarm bells !?
From what info I googled of the virus names none seem to be ‘that’ bad. What do you think?

I’ll reboot now to check if the hanging shutdown problem persists and report back here.

Edit: Hooray! I can shutdown and restart now. Can’t say yet if the machine is more responsive.
Could it be that I’m clean now? What is the word on these reports?

Edit2: Boot time scan still finds Somoto type virus and android phone rooting related items before it crashes. See:
http://forum.avast.com/index.php?topic=135674.0

Do you see any threats in the reports that could have compromised my homebanking passwords? Keyloggers and the like?
That is what I’m most worried about.

Could it be that I'm clean now? What is the word on these reports?
essexboy is in bed now, so you get the verdict tomorrow afternoon when he is back

somoto and the other PUP detections found by Malwarebytes are some browser hijacker crapware, and lootor seems to be related to android phones, so yea nothing bad but there may be additional files that need removal… you’ll find out tomorrow, then he will also remove the tools used

recommended to keep is Malwarebytes
recommended to add is MCShield USB protector http://mcshield.net/

Looks good to me … Any problems ?

Looks good to me .. Any problems ?

Well, the system doesn’t hang anymore when trying to shut down and that was the prime symptom.
So if it looks ok and you see no major threats and no further action I am content :slight_smile:

Thank you very much essexboy and Pondus for your help!

you are not done yet … tools need to be removed when essexboy is back. :wink:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and press uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up, select OK at the first prompt; after it has done some calculations the tabs will appear
Select More Options tab
Press System Restore and Shadow Copies Cleanup button

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave:

Unfortunately problems are back!

Tried to run AdwCleaner and it wouldn’t start.
Tried to shut down the computer and it hung at “Please Wait” message and just before that it showed a message pertaining to AdwCleaner:

“Too many 16bit program are currently in use. Please close…”

I have recently seen this message about other executables that I double-clicked but did not start.

I restarted the computer by cutting power, ran AdwCleaner, which (as observed earlier about other failed runs) did run this time, scanned again and am attaching its report again.
AdwCleaner only scanned, I never pressed Clean button. Should I?

What is the procedure now? Repeat the MBAM, OTL etc and re-attach reports?

you can click clean…

then follow Essexboy’s instructions in last post on how to remove the tools…

Well, I’m not sure the infection is resolved but I’ve gone ahead and uninstalled AdwCleaner and OTL.
Haven’t removed Restore Points yet. Only want to do that once I get avast Boot time scan to run to completion and once I’m convinced there’s no infection.

I cleaned temp files (bitool.dll vanished), ran MalwareBytes again and it found no threats.
I’ll keep MalwareBytes, intend to install Trusteer Rapport but not FileHippo.
I’ll update avast engine now.

also recommended if you use removable drives. MCShield. http://mcshield.net/
it is install and forget, and free