Helper.sig trojan, completed 8 steps


mikeb

My daughter has gotten the helper.sig trojan. I ran through the 8 steps. Two of the programs recognized and removed problems, but the common folder with the file _hlper.sig still comes up at startup. She is wireless and has very intermittent internet access (but this could be because a Windows 7 computer was added to the network). I have attached the 3 logs. Any ideas would be appreciated.

Mike
 

Attachments

  • hijackthis.log (8.9 KB)
  • mbam-log-2010-01-03 (13-39-21).txt (1.9 KB)
  • SUPERAntiSpyware Scan Log - 01-03-2010 - 15-50-58.log (1.2 KB)
Okay mikeb,
Sorry for the delay. You have some things that should be deleted or fixed in the Hijackthis log:
O18 - Filter hijack: text/html - {18c96237-af4e-4e69-94a1-efb913c411f7} - C:\WINDOWS\system32\mst123.dll
O8 - Extra context menu item: &Search - ?p=ZCYYYYYYYYUS
O4 - HKCU\..\Run: [14624723344339427209374086480193] C:\Program Files\Antivirus 2009\av2009.exe
R3 - URLSearchHook: (no name) - - (no file)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE


O2 - BHO: (no name) - {60F11B98-829C-447E-B841-F02A3A3F7B09} - (no file)

Do you know what these are?
O4 - HKUS\S-1-5-20\..\Run: [hasebibina] Rundll32.exe "C:\WINDOWS\system32\fazokara.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [hasebibina] Rundll32.exe "C:\WINDOWS\system32\fazokara.dll",s (User 'LOCAL SERVICE')

If not, "fix" these lines too.

After taking care of these, run this on-line scanner:
ESET ON-Line Scanner
 
Please download ComboFix HERE:
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Important! Save the renamed download to your desktop.
Double click on Combo-Fix.exe to run and follow the prompts.
(Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
Wait for the scan to be completed.
If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

TFC (Temp File Cleaner)

Download TFC to your desktop: TFC Download
Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job.
Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin

Follow with a new HijackThis scan.
Attach Combofix report and new HJT log to your next reply.
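As an added illustration (not part of the thread and not the helper's tooling): a small Python triage pass over the HijackThis lines quoted above, encoding why each of those entries stands out: orphan "(no file)" references, an O18 MIME filter hijack, Run entries under service-account SIDs, a long numeric run-key name, rundll32 loading a DLL by export, and a context-menu item whose target is not a URL or file. The sample log is constructed from the thread's lines plus one hypothetical benign Synaptics entry; the rule set and function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample: the entries the helper singled out, plus one benign
# (hypothetical) Synaptics entry so the rules have something to pass.
SAMPLE_LOG = r"""
O18 - Filter hijack: text/html - {18c96237-af4e-4e69-94a1-efb913c411f7} - C:\WINDOWS\system32\mst123.dll
O8 - Extra context menu item: &Search - ?p=ZCYYYYYYYYUS
O4 - HKCU\..\Run: [14624723344339427209374086480193] C:\Program Files\Antivirus 2009\av2009.exe
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {60F11B98-829C-447E-B841-F02A3A3F7B09} - (no file)
O4 - HKUS\S-1-5-20\..\Run: [hasebibina] Rundll32.exe "C:\WINDOWS\system32\fazokara.dll",s (User 'NETWORK SERVICE')
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
# S-1-5-18/19/20 are SYSTEM, LOCAL SERVICE and NETWORK SERVICE: built-in
# service accounts that legitimate software almost never adds Run entries to.
SERVICE_SID_RE = re.compile(r"HKUS\\S-1-5-(18|19|20)\\")
RUNDLL_RE = re.compile(r'Rundll32\.exe\s+"[^"]+\.dll",\s*\w+', re.IGNORECASE)
NUMERIC_NAME_RE = re.compile(r"\[\d{16,}\]")


def reasons_for(sec: str, body: str) -> List[str]:
    """Return the reasons (if any) an entry deserves a closer look."""
    reasons = []
    if "(no file)" in body:
        reasons.append("orphan: registry still references a file that no longer exists")
    if sec == "O18" and body.startswith("Filter hijack"):
        reasons.append("MIME filter hijack: a DLL intercepts every text/html document IE renders")
    if sec == "O4":
        if SERVICE_SID_RE.search(body):
            reasons.append("Run entry under a service account (S-1-5-18/19/20)")
        if NUMERIC_NAME_RE.search(body):
            reasons.append("run-key name is a long random number, typical of rogue security software")
    if RUNDLL_RE.search(body):
        reasons.append("rundll32 loading a DLL by export name; verify where the DLL came from")
    if sec == "O8":
        target = body.rsplit(" - ", 1)[-1].strip()
        if not target.lower().startswith(("http://", "https://", "res://", "file://", "c:\\")):
            reasons.append("context-menu target is neither a URL nor a local file")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse HijackThis-style lines and return (section, line, reasons) for flagged ones."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        why = reasons_for(m["sec"], m["body"])
        if why:
            findings.append((m["sec"], line.strip(), why))
    return findings


if __name__ == "__main__":
    for sec, line, why in triage(SAMPLE_LOG):
        print(f"[{sec}] {line}")
        for w in why:
            print(f"     - {w}")
```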
 
Thank you for your reply. I have deleted the common folder, rerun the programs and reinstalled the WUSB54G driver since it was intermittent. I thought I was good, but looks like there is more going on.

I will run combo fix momentarily.

When I followed your link to get TFC from geekstogo.com, Norton listed the site as unsafe - it found W32.IRCBot

I found a "safe" copy at //software.addpcs.com
Should I download this version instead?
Is Norton's assessment of geekstogo correct?

Again thank you very much.
 
I have run ComboFix and TFC and attached the logs as requested. It seems to be running much better. I am cautiously optimistic.
 

Attachments

  • ComboFix.txt (14.4 KB)
  • hijackthis2.txt (8.1 KB)
Bobbye asked that I look at this.

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\termsrv.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
 
Here are the results of the scan:

VirSCAN.org Scanned Report :
Scanned time : 2010/01/12 19:54:50 (EST)
Scanner results: 16% Scanner(s) (6/37) found malware!
File Name : termsrv.dll
File Size : 295424 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 63999d0abd8dabfd76a9c07f6e104868
SHA1 : 509689ba3edd2cfad361773708b72dc35f1c77b8
Online report : http://virscan.org/report/41a19e9f968109f6c13cd032185a09ff.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared | 4.5.0.8 | 20100113073154 | 2010-01-13 | 13.65 | Riskware.Win32.Ursnif!IK
AhnLab V3 | 2010.01.13.00 | 2010.01.13 | 2010-01-13 | 1.08 | -
AntiVir | 8.2.1.134 | 7.10.2.175 | 2010-01-12 | 0.31 | -
Antiy | 2.0.18 | 20100112.3695772 | 2010-01-12 | 0.12 | -
Arcavir | 2009 | 201001121607 | 2010-01-12 | 0.06 | -
Authentium | 5.1.1 | 201001121407 | 2010-01-12 | 2.87 | -
AVAST! | 4.7.4 | 100112-0 | 2010-01-12 | 0.02 | -
AVG | 8.5.288 | 270.14.137/2617 | 2010-01-13 | 0.35 | -
BitDefender | 7.81008.4855000 | 7.29850 | 2010-01-13 | 4.14 | -
CA (VET) | 35.1.0 | 7232 | 2010-01-11 | 6.52 | -
ClamAV | 0.95.2 | 10288 | 2010-01-13 | 0.06 | -
Comodo | 3.13.579 | 3409 | 2010-01-12 | 0.90 | UnclassifiedMalware
CP Secure | 1.3.0.5 | 2010.01.12 | 2010-01-12 | 0.08 | -
Dr.Web | 4.44.0.9170 | 2010.01.12 | 2010-01-12 | 8.50 | -
F-Prot | 4.4.4.56 | 20100112 | 2010-01-12 | 2.73 | -
F-Secure | 7.02.73807 | 2010.01.12.14 | 2010-01-12 | 0.16 | -
Fortinet | 11.366- | 11.366 | 2010-01-12 | 0.23 | W32/Patched.E!tr
GData | 19.9937/19.672 | 20100113 | 2010-01-13 | 5.83 | -
ViRobot | 20100112 | 2010.01.12 | 2010-01-12 | 0.41 | -
Ikarus | T3.1.01.80 | 2010.01.12.74951 | 2010-01-12 | 4.33 | VirTool.Win32.Ursnif
JiangMin | 13.0.900 | 2010.01.12 | 2010-01-12 | 8.43 | -
Kaspersky | 5.5.10 | 2010.01.12 | 2010-01-12 | 0.07 | -
KingSoft | 2009.2.5.15 | 2010.1.12.21 | 2010-01-12 | 0.63 | -
McAfee | 5.3.00 | 5859 | 2010-01-12 | 3.40 | -
Microsoft | 1.5302 | 2010.01.13 | 2010-01-13 | 7.89 | VirTool:Win32/Ursnif.B
Norman | 6.01.09 | 6.01.00 | 2010-01-12 | 4.00 | -
Panda | 9.05.01 | 2010.01.12 | 2010-01-12 | 1.83 | -
Trend Micro | 9.120-1004 | 6.764.10 | 2010-01-12 | 0.03 | -
Quick Heal | 10.00 | 2010.01.12 | 2010-01-12 | 1.39 | -
Rising | 20.0 | 22.30.01.03 | 2010-01-12 | 0.97 | -
Sophos | 3.03.0 | 4.49 | 2010-01-13 | 3.03 | -
Sunbelt | 3.9.2389.2 | 5613 | 2010-01-12 | 2.77 | -
Symantec | 1.3.0.24 | 20100112.005 | 2010-01-12 | 0.07 | -
nProtect | 20100112.02 | 6856615 | 2010-01-12 | 4.51 | -
The Hacker | 6.5.0.3 | v00148 | 2010-01-12 | 0.80 | -
VBA32 | 3.12.12.1 | 20100111.2153 | 2010-01-11 | 4.36 | Win32.Spy.Ursnif.A
VirusBuster | 4.5.11.10 | 10.119.2/2015017 | 2010-01-12 | 2.51 | -
 
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::

    Folder::

    Registry::

    FCopy::
    c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
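Why the FCopy:: line above restores termsrv.dll from ServicePackFiles instead of deleting it: Fortinet reported the live copy as a patched file (W32/Patched.E!tr) and several other engines as Ursnif, while the Service Pack cache still holds the original. This added Python example (not part of the thread and not ComboFix's code) shows the check and the restore on constructed stand-in files in a temp directory; the file pair and the SHA1 come from the thread, the PAIRS mapping and function names are my own.

```python
import hashlib
import os
import shutil
import tempfile

# SHA1 that VirSCAN reported for the patched termsrv.dll earlier in the thread.
KNOWN_BAD_SHA1 = {"509689ba3edd2cfad361773708b72dc35f1c77b8"}

# Live system file -> pristine copy kept by the Service Pack installer
# (the same pair the helper's FCopy:: line restores).
PAIRS = {
    r"c:\windows\system32\termsrv.dll": r"c:\windows\ServicePackFiles\i386\termsrv.dll",
}


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_system_file(live: str, reference: str) -> str:
    """Classify the live file: known-bad, no-reference, match or mismatch."""
    live_hash = sha1_of(live)
    if live_hash in KNOWN_BAD_SHA1:
        return "known-bad"
    if not os.path.exists(reference):
        return "no-reference"
    return "match" if live_hash == sha1_of(reference) else "mismatch"


def check_pairs(pairs=PAIRS) -> dict:
    """Check every live/reference pair; 'missing' when the live file is absent (e.g. off Windows)."""
    return {live: (check_system_file(live, ref) if os.path.exists(live) else "missing")
            for live, ref in pairs.items()}


def restore_from_reference(live: str, reference: str) -> str:
    """Overwrite the live file with the reference copy (what FCopy:: does) and re-check."""
    shutil.copy2(reference, live)
    return check_system_file(live, reference)


def demo() -> dict:
    """Run the check on constructed files in a temp dir; no real system files are touched."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "termsrv.dll")
        ref = os.path.join(d, "termsrv.dll.ref")
        clean = b"MZ" + b"\x00" * 64 + b"clean termsrv"   # constructed stand-in for the DLL
        with open(ref, "wb") as f:
            f.write(clean)
        with open(live, "wb") as f:
            f.write(clean[:-5] + b"patch")               # simulate a tampered live copy
        results["before"] = check_system_file(live, ref)
        results["after_restore"] = restore_from_reference(live, ref)
        results["missing_reference"] = check_system_file(live, os.path.join(d, "absent"))
    return results


if __name__ == "__main__":
    print(demo())
```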
 
Malwarebytes log attached. Could we be done !?
 

Attachments

  • mbam-log-2010-01-16 (10-56-53).txt (866 bytes)
Looks good. Please run this online scan. If it's clean, I'll have you remove the cleaning tools and old restore points.
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I notice that Norton was enabled when you did the script, so possibly that might be an issue.

Please attach Eset log to next reply.
 
Not reporting clean $%# !
Log attached.
In previous run Norton antivirus was turned off, but smart firewall was left on.
 

Attachments

  • log.txt (2.6 KB)
Not to worry! There are 2 files in Spybot backups with malware that I'll have you move. The 'Qoobox' entries are ComboFix quarantines and will be removed when I have you uninstall it. The last group, System Volume, is restore points. I'll have you drop those when we're through cleaning. (Don't use System Restore now.)

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip	
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch2.zip	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------
Rerun the Eset scan after this to make sure they got moved-(leave log) THEN we'll finish up, so stay out of trouble please!
 
Here is the log from OTM


All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch2.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kimmy

User: LocalService

User: NetworkService

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Windows Temp folder emptied: 148500 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.6.0 log created on 01222010_175233
 

Attachments

  • log.txt (5.2 KB)
No sign of problems. The eset log was a bit disappointing, but I believe you explained those away in a previous response.
 
I'd like you to rescan with Eset- AFTER running the cleanup below- leave new log. If it's clean, proceed with the following:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]

Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

NOW do the Eset rescan. All the Qoobox and System Restore entries should be gone.

Summary:
Run Combofix Uninstall
Run OTCleanIT
Remove the old restore points
Rescan with Eset- leave new log.

If you have any questions, please let me know.
 
I missed one entry when you ran Eset before- it is not new. Sorry:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\WINDOWS\usuharusaneyulex.dll	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the problems have been resolved, you can remove the cleaning tools:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

That should do it! Let me know if you have any more problems.
 
ESET scan clean !
OTM log follows.

Bobbye, kritius and Tmagic650
THANK YOU !!!!!!!!!!!!!!!!! :D



All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\usuharusaneyulex.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kimmy
->Temp folder emptied: 365095 bytes
->Temporary Internet Files folder emptied: 128866218 bytes
->Java cache emptied: 25802292 bytes
->Apple Safari cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34289 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 148512 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 560 bytes

Total Files Cleaned = 148.00 mb


OTM by OldTimer - Version 3.1.7.0 log created on 01282010_182226

Files moved on Reboot...
File C:\WINDOWS\temp\JET4958.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_194.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_2e8.dat moved successfully.

Registry entries deleted on Reboot...
 
You're welcome Mike.

Please follow these simple steps to keep your computer clean and secure:
1. Disable and enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP2
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE.
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly: Use

5. Use an AntiVirus Software (only one)

6. Use a good, bi-directional firewall (one software firewall)
See Understanding and Using Firewalls including links to download a firewall.

7. Consider these programs for Extra Security
  • Spywareblaster:
  • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad
  • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
 