Argh! Murder My Smitfraud

Status
Not open for further replies.

Eaterlover

Posts: 11   +0
I surfed onto a very bad website two days ago and ended up with a variation of the smitfraud virus on my machine. I have eTrust Anti-Virus on my machine since it is a work computer and I immediately started manually deleting the files that the eTrust labeled as dangerous. Most of these files were located at c:\WINDOWS\DRIVERS\WIN32.

I've been trying to find a cure on several forums, so my attempted fix chronology does not follow topic58138 :(, I hope this won't be too much of an issue.

I installed AVG Anti-Virus, but it failed to delete many of the labeled, pernicious files.

I found the Smitfraudfix.exe (via SiRi) first and I executed this file from safe mode. I have also attached the log from this attempt. Everything seemed to go smoothly.

Next, I read about Combofix.exe and I executed this file from safe mode, and it seemed to go well too.

However, my computer startup is significantly slower than before my virus infection and I suspect that there might be a few things I am missing. I have attached the HJT log file from my most recent scan.

Can anyone tell me if my problems are truly fixed? and what my next steps should be?

Thank you so much ahead of time.
 
Hi Eaterlover,

Welcome to Techspot!

My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

Still quite a bit on there!!!!

--------------------------------------------------------------------------

Please only use one anti-virus - either uninstall AVG or uninstall eTrust.


--------------------------------------------------------------------------

What does this mean to you? I don't want to suggest removing things that you use for your work.

Computer Sciences Corporation
3170 Fairview Park Drive M/C 700
Falls Church, VA 22042 US
------------------------------

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

---------------------------------------------------------------

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here



After both of those, run a fresh HijackThis scan for me.

Attach here:
1) mbam log
2) Report.txt
3) Fresh Hijackthis
 
Thank you!

Hi Blind Dragon, thanks for helping me out.

Yes, the below section is part of my corporate computer:

Computer Sciences Corporation
3170 Fairview Park Drive M/C 700
Falls Church, VA 22042 US
------------------------------

I am going to uninstall AVG and try your instructions step by step.

Thanks again!
 
Some results

I was able to follow all of your steps Blind Dragon.

First, I uninstalled AVG from my computer.

I installed the Malwarebytes' fix and ran it successfully. However, upon restart, the desktop refused to appear and I had to hard-reboot the machine.

I installed the SDFix next and it ran successfully. I have attached all the reports from these installs, can you let me know the next steps forward?

Thank you!
 
Hmmm, no XP disk

Blind Dragon,

I don't have an XP disk to restart the computer with, is there another option to this? I performed the Avira scan and I have attached the logs below.

Thank you!
 
HKEY_LOCAL_MACHINE\Software\DeterministicNetworks\DNE\Parameters -> symboliclinkvalue

HKEY_LOCAL_MACHINE\Software\DeterministicNetworks\DNE\Parameters -> symboliclinkvalue

I was not able to quarantine this item with Avira (the option was grayed out). Is there another way to do this?

Thanks!
 
Well, I wanted to test how the system would react with the file quarantined, to see what exactly it belonged to - but after talking with a friend -

Cisco's VPN Client is responsible for inserting this hidden registry value.

So we should be safe there, seeing that you use this software. Apparently it is a known problem that it is detected as a rootkit, and it is listed in the FAQ on Cisco's site.

----------------------------------------------------------------------

Let's do an online scan and go from there.

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

-----------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Stuck again

My IE is crap, I'm not sure when it happened, but I think it happened around the time of getting infected by smitfraud. I can't seem to get the browser to go anywhere even though I have downloaded and installed V 7 twice. :( I'm not sure how to get around this here.

I was however, able to run the first steps and used ATF to clean out everything.

Thanks again!
 
Well, let's take a look. You can launch IE but have problems connecting to sites?

Open Notepad and copy and paste the lines below into it:

REM Export the IE Control Panel policy key that HijackThis lists as an O6 entry.
REM The word "present" in the O6 line is HijackThis's annotation, not part of the key name.
regedit /e peek.txt "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"
REM Append the export (nothing is written if the key does not exist) to look.txt, tidy up, and open it.
type peek.txt >> look.txt
del peek.txt
start notepad look.txt


Save this as look.bat (choose "All Files" as the file type) and place it on your desktop.



Doubleclick look.bat
Notepad will open with some txt in it. Copy and paste the contents in your next reply.
 
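The look.bat above exports the IE Control Panel policy key to a text file for a person to read. The Python below is an added example, not part of this thread or of any tool named in it: it parses a regedit /e export (the UTF-16 "Windows Registry Editor Version 5.00" format, or the older ANSI REGEDIT4 format) and lists the Control Panel restrictions it contains. The sample export is constructed, and the reading that a DWORD value of 1 switches a restriction on is an assumption of the example.

```python
"""Parse a regedit /e export and list the IE Control Panel restrictions it contains."""
import codecs
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# The key the thread's O6 entry refers to (assumed here to be the only key of interest).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"

# Constructed sample of what regedit /e writes when the policy key exists.
# regedit 5 writes UTF-16LE with a BOM, so the sample is built the same way.
SAMPLE_EXPORT_TEXT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[" + POLICY_KEY + "]\r\n"
    '"HomePage"=dword:00000001\r\n'
    '"ResetWebSettings"=dword:00000001\r\n'
    '"Advanced"=dword:00000000\r\n'
    "\r\n"
)
SAMPLE_REG_EXPORT = codecs.BOM_UTF16_LE + SAMPLE_EXPORT_TEXT.encode("utf-16-le")


def _decode_bytes(raw: bytes) -> str:
    # Version 5 exports carry a UTF-16 BOM; REGEDIT4 exports are plain ANSI.
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside quoted strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_data(data: str):
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.startswith("hex"):                 # hex: or hex(<type>): comma-separated bytes
        body = data.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    return data                                # unknown form: keep the literal text


def parse_reg_export(raw: bytes) -> dict:
    """Return {key path: {value name: decoded data}} for every key in the export."""
    keys = {}
    current = None
    pending = ""
    for line in _decode_bytes(raw).splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):                # hex data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else _unescape(m.group("name"))
            keys[current][name] = _decode_data(m.group("data"))
    return keys


def active_ie_policies(raw: bytes) -> list:
    """Names of DWORD values under the Control Panel policy key that are set to 1.

    Assumption for this example: for these restriction policies a DWORD of 1 means
    the restriction is on and 0 means it is off.
    """
    values = parse_reg_export(raw).get(POLICY_KEY, {})
    return sorted(name for name, val in values.items() if val == 1)


if __name__ == "__main__":
    # On a real machine you would read look.txt instead of the constructed sample.
    for name in active_ie_policies(SAMPLE_REG_EXPORT):
        print("restriction on:", name)
```

An export with no keys (what look.bat produces when the key does not exist) parses to an empty dictionary, so an empty Notepad window and an empty result from this parser mean the same thing: no Control Panel policies are set.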
Look.bat

Hmmm, I tried this step and Notepad keeps coming back blank with no text.

Do you have a suggestion on what I might be doing wrong?

Thanks!
 
Ok, I was missing some things for some reason, maybe trying to do too many logs. You may want to copy down the files I ask you to look for and delete while in safe mode.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {41045A8E-B676-4141-B9BC-F620E7147A9A} - C:\WINDOWS\system32\byXnNExW.dll (file missing)
O2 - BHO: (no name) - {EAF3F6AE-7ABB-4A9E-A462-330081EE6083} - C:\WINDOWS\system32\efcCvVlk.dll (file missing)
O4 - HKLM\..\Run: [lphc9naj0e1ct] C:\WINDOWS\system32\lphc9naj0e1ct.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Viewpoint Manager Service

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\lphc9naj0e1ct.exe
C:\WINDOWS\system32\efcCvVlk.dll
C:\WINDOWS\system32\byXnNExW.dll


After that, Reboot, and post a new HijackThis log here in a reply

------------------------------------------------------------------------

Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features) and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

------------------------------------------------------------------------------
 
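The HijackThis entries listed in the post above (O2 BHOs marked "(file missing)", an O4 Run entry, an O6 policy key) are plain text lines with a fixed shape, so a short parser can triage a log before anyone clicks Fix Checked. The Python below is an added example, not part of this thread or of HijackThis itself; the sample log is made of the lines quoted in the post plus one constructed filler line that is not an O-entry.

```python
"""Parse HijackThis O2/O4/O6 lines and summarize what a fix would touch."""
import re
from dataclasses import dataclass
from typing import Optional

CLSID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
# O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID
                   + r") - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4 - HKLM\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<subkey>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.*)$")
# O6 - <policy key> present
O6_RE = re.compile(r"^O6 - (?P<key>.*?) present$")

# Constructed sample: the entries quoted in the thread plus a filler line.
SAMPLE_HJT_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {41045A8E-B676-4141-B9BC-F620E7147A9A} - C:\WINDOWS\system32\byXnNExW.dll (file missing)
O2 - BHO: (no name) - {EAF3F6AE-7ABB-4A9E-A462-330081EE6083} - C:\WINDOWS\system32\efcCvVlk.dll (file missing)
O4 - HKLM\..\Run: [lphc9naj0e1ct] C:\WINDOWS\system32\lphc9naj0e1ct.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(constructed filler line that is not an O-entry and is skipped by the parser)
"""


@dataclass
class HjtEntry:
    kind: str                    # "O2", "O4" or "O6"
    name: str                    # BHO name, Run value name, or policy key path
    target: str                  # DLL path, command line, or "" for O6
    clsid: Optional[str] = None  # O2 only
    location: str = ""           # O4 only, e.g. HKLM\..\Run
    file_missing: bool = False   # O2 only: HJT could not find the DLL on disk


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for a supported O-line, or None for anything else."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return HjtEntry("O2", m.group("name"), m.group("path"),
                        clsid=m.group("clsid"), file_missing=m.group("missing") is not None)
    m = O4_RE.match(line)
    if m:
        return HjtEntry("O4", m.group("value"), m.group("command"),
                        location=f"{m.group('hive')}\\..\\{m.group('subkey')}")
    m = O6_RE.match(line)
    if m:
        return HjtEntry("O6", m.group("key"), "")
    return None


def parse_hjt(text: str) -> list:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e is not None]


def summarize(text: str) -> dict:
    """Group entries the way a helper reads them: dead BHO registrations whose DLL is
    gone, BHOs still backed by a file, autorun commands, and IE policy keys."""
    entries = parse_hjt(text)
    return {
        "missing_bho_clsids": sorted(e.clsid for e in entries if e.kind == "O2" and e.file_missing),
        "present_bhos": [(e.clsid, e.target) for e in entries if e.kind == "O2" and not e.file_missing],
        "run_entries": [(e.location, e.name, e.target) for e in entries if e.kind == "O4"],
        "policy_keys": [e.name for e in entries if e.kind == "O6"],
    }


if __name__ == "__main__":
    for section, items in summarize(SAMPLE_HJT_LOG).items():
        print(section, items)
```

For the sample log every BHO is a dead registration (the DLL is already gone, so Fix Checked only removes the registry reference), the one Run entry still points at a file that exists on disk and is what the post tells the user to delete in safe mode, and the O6 line is the policy key that look.bat exports.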
I did everything as instructed and here is my new HJT Log.

Thanks again! (I hope for a clean bill of health this time :)
 
My Ie

My IE still refuses to work. Even though the IE install seems to be fine, when I open the browser, it goes to a microsoft.com link and then freezes. I'm not sure how to fix this problem :(

Thanks Blind Dragon
 
IE problem

Blind Dragon,

I've updated to the latest version of Java from java.com, but my IE still appears to freeze once I open it. Any other thoughts?

Thank you!
 
hi,

I am not familiar with your firewall (BlackICE); make sure IE is set as an allowed program.

When you launch IE, can you click on the Tools menu, or does it lock up and not let you click anything?
 