Solved Bamital , Patched-Rp , Smitnyl Trojan infection

Status
Not open for further replies.
Again AVG warning but the program ran. Here is the log:

ComboFix 11-04-08.01 - Utilizador 09-04-2011 22:09:48.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.1022.637 [GMT 4,5:30]
Executando de: c:\documents and settings\Utilizador\Ambiente de trabalho\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Utilizador\Ambiente de trabalho\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2011-03-09 to 2011-04-09 ))))))))))))))))))))))))))))
.
.
2011-04-08 18:55 . 2011-04-08 18:55 -------- d-----w- C:\_OTL
2011-04-07 14:13 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-07 14:13 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-07 14:13 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-07 14:13 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-07 14:13 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-07 14:13 . 2011-02-23 14:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-07 14:13 . 2011-02-23 14:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-07 14:13 . 2011-02-23 14:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-07 14:13 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-07 14:13 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-07 14:12 . 2011-04-07 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-07 13:55 . 2011-04-07 19:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-07 13:55 . 2011-04-07 13:55 -------- d-----w- c:\programas\Hitman Pro 3.5
2011-04-07 13:54 . 2011-04-07 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-07 12:57 . 2011-04-07 12:57 -------- d-----w- c:\programas\ESET
2011-04-07 12:25 . 2011-04-07 12:25 -------- d-----w- c:\programas\AVAST Software
2011-04-07 09:41 . 2010-12-20 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 09:41 . 2011-04-07 09:41 -------- d-----w- c:\programas\Malwarebytes' Anti-Malware
2011-04-07 09:38 . 2010-12-20 13:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 09:20 . 2011-04-07 09:20 -------- d-----w- c:\documents and settings\Utilizador\Application Data\Malwarebytes
2011-04-07 08:37 . 2011-04-07 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-07 07:43 . 2011-04-07 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-04-07 07:43 . 2011-04-07 07:43 -------- d-----w- c:\programas\Alwil Software
2011-04-06 18:37 . 2011-04-07 08:22 -------- d-----w- c:\documents and settings\Administrador
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
.
[-] 2009-02-27 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-02-27 . 7847E2A6B90729DE0ADC71033F2BE590 . 1572352 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\programas\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\programas\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"avast"="c:\programas\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
"GrooveMonitor"="c:\programas\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Utilizador\Menu Iniciar\Programas\Arranque\
Inicia‡Æo R*pida do Microsoft Office OneNote 2007.lnk - c:\programas\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Öndice do OneNote.onetoc2 [2010-8-31 3656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^PC Health.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\PC Health.lnk
backup=c:\windows\pss\PC Health.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^RAMASST.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-15 11:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Programas\\iTunes\\iTunes.exe"=
"c:\\Programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [07-04-2011 18:43 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [07-04-2011 18:43 301528]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [21-05-2009 12:31 5888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07-04-2011 18:43 19544]
S2 Tmesrv;Tmesrv3;c:\programas\TOSHIBA\TME3\TMESRV31.EXE [21-05-2009 12:31 118784]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [21-05-2009 11:35 1684736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 00:02 128512 ----a-w- c:\windows\system32\advpack.dll
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:04]
.
2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job
- c:\windows\system32\msfeedssync.exe [2009-02-27 00:01]
.
.
------- Scan Suplementar -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-09 22:16
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Tempo para conclusão: 2011-04-09 22:20:01
ComboFix-quarantined-files.txt 2011-04-09 17:49
.
Pré-execução: 50.029.883.392 bytes livres
Pós execução: 50.027.892.736 bytes livres
.
- - End Of File - - 2589CC4DBDE7D342B04B92B8F0EBABB1
 
Well done :)

Any current issues?

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
Well no more messages about explorer dll missing and it seems no more IE windows popping up... That's really good!

I also did a quick HJ checkup to see if something else popped up my eye (Just check, no attempt to fix) and I see references to a esnips toolbar. Is this safe or spyware/malware?

SecurityCheck LOG:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

avast! Free Antivirus
ESET Online Scanner v3
(On Access scanning disabled!)
Error obtaining update status for antivirus!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.1.1 - Português
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````


TFC Run ok

ESET log

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Smitnyl.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Bamital.EC trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir a variant of Win32/Smitnyl.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Bamital.EC trojan
C:\System Volume Information\_restore{6DF804AD-64B5-4065-A561-5DB917B1C7B4}\RP2\A0000237.exe a variant of Win32/Smitnyl.A trojan
C:\System Volume Information\_restore{6DF804AD-64B5-4065-A561-5DB917B1C7B4}\RP5\A0000772.exe a variant of Win32/Smitnyl.A trojan
C:\System Volume Information\_restore{6DF804AD-64B5-4065-A561-5DB917B1C7B4}\RP5\A0001829.exe Win32/Bamital.EC trojan
C:\System Volume Information\_restore{6DF804AD-64B5-4065-A561-5DB917B1C7B4}\RP5\A0001836.exe Win32/Bamital.EC trojan
 
I see references to a esnips toolbar
If you don't use it, uninstall it.

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

======================================================================

All Eset findings will be removed in our next, last steps....

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how your computer is doing.
 
Ooops. After running STep 2 the logs created were deleted so I had to redo Step 1.
The computer looks great. No signs of infection!
I'm going to keep an eye for the next 48 Hours to see if everything is fine before returning the laptop to the original owner though, I also decided to uninstall eSnips toolbar as I didn't found any use to it.

I will do one last report Monday though. Either way thank you so much for helping me out.

OTL last log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Utilizador
->Temp folder emptied: 18888 bytes
->Temporary Internet Files folder emptied: 4967516 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5,00 mb


[EMPTYFLASH]

User: Administrador
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Utilizador
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.22.3 log created on 04102011_150255

Files\Folders moved on Reboot...
C:\Documents and Settings\Utilizador\Definições locais\Temporary Internet Files\Content.IE5\NEVAY73F\signin[1].htm moved successfully.
C:\Documents and Settings\Utilizador\Definições locais\Temporary Internet Files\Content.IE5\GEHBZUEX\ads[3].htm moved successfully.
C:\Documents and Settings\Utilizador\Definições locais\Temporary Internet Files\Content.IE5\GEHBZUEX\sh38[1].html moved successfully.
C:\Documents and Settings\Utilizador\Definições locais\Temporary Internet Files\Content.IE5\G1PTIUF5\topic163520-2[2].html moved successfully.
C:\Documents and Settings\Utilizador\Definições locais\Temporary Internet Files\Content.IE5\3AGWFS35\crosspixel-dest[1].htm moved successfully.
C:\Documents and Settings\Utilizador\Definições locais\Temporary Internet Files\Content.IE5\3AGWFS35\i[1].htm moved successfully.

Registry entries deleted on Reboot...
 
Way to go!!
p4193510.gif

Good luck and stay safe :)
 
All right, after 72 Hours the computer is working fine, Anti-Virus/Anti-Malware shows no signs of infection ;)
Excelent job in here. I'm going to return the computer and this thread can be closed now ;)

Thank you so much! :)
 
Status
Not open for further replies.
Back