11-25-2006, 09:43 PM   #9
dorts
Analyst, Security Team
 
 
Join Date: Mar 2006
Location: Singapore
Posts: 1,599
OS: Windows XP SP2


Ok. Great work! Now for round 2.

Before starting, I want some samples from you. I need the following files and folders:

D:\Program Files\Internet Explorer\PLUGINS\sb.dll
D:\WINDOWS\Logo1_.exe
D:\WINDOWS\system32\XpIcfOpt.dll
D:\WINDOWS\system32\interest.exe
D:\WINDOWS\system32\wao.exe
D:\WINDOWS\system32\drivers\cq4.sys
D:\WINDOWS\rxdll.dll
D:\WINDOWS\uninstall
D:\WINDOWS\down


Please zip the files and folders up and send them to my email address, which I will PM you.
If you don't know how to zip, follow the instructions here. It is easier to copy/paste them onto the desktop and zip them all together.


Downloads and others

Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1


Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do not run a scan just yet; we will shortly.


Please download the attached smfix.zip at the bottom of this post. Double-click on the zip file and then double-click on the file named smfix.reg within it. When prompted, click Yes to allow it to merge into the registry. This should allow you to boot into safe mode.


Download KillBox v2.0.0.175.exe (it is important that you get version v2.0.0.175) and save it to your desktop. DO NOT run it yet.


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.


Safe Mode
  • Restart your computer.
  • Before the Windows logo appears, tap F8 repeatedly. On some systems, this may be the F5 key.
  • A menu should appear, select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take longer than usual, so just wait.
  • After it loads, log in to your usual account.

If you are still unable to boot into safe mode, please continue the fix in normal mode.


Uninstall

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
  • PPMate
  • PPStream

Fixes with SREng

Open SREng and click on “Boot Items” (clock). Under the Registry tab, find the following file names and click Delete on each of them.

NiceMs
Microsoft WindowsUpdaters



Killbox

Select the following option: Delete on Reboot
Use your mouse to select all the filenames listed below, then right-click and select Copy

D:\WINDOWS\system32\schost.exe
D:\WINDOWS\system32\WSD_SOCK32.dll
D:\WINDOWS\SERVICES.EXE
D:\WINDOWS\system32\XpIcfOpt.dll
D:\WINDOWS\system32\interest.exe
D:\WINDOWS\system32\wao.exe
D:\WINDOWS\system32\drivers\cq4.sys
D:\WINDOWS\system32\test3.exe
D:\WINDOWS\rxdll.dll
D:\WINDOWS\RichDll.dll
D:\WINDOWS\system32\bqzkkteezqn.exe
D:\WINDOWS\system32\sgldxwmikif.exe
D:\WINDOWS\system32\xgmusmximki.exe
D:\WINDOWS\system32\winupdaters.exe
D:\WINDOWS\system32\xreglib.dll
D:\WINDOWS\iun6002.exe
D:\WINDOWS\soft.exe
D:\WINDOWS\EliottEU2.exe
D:\Program Files\Internet Explorer\PLUGINS\temp.exe
D:\WINDOWS\System32\r1ft7.dll
D:\Program Files\Internet Explorer\PLUGINS\sb.dll
D:\WINDOWS\Logo1_.exe

  • Go to the File menu, and choose Paste from Clipboard.
  • Click the RED X button.
  • Click Yes at the Delete on Reboot prompt.
  • Click NO at the 'Pending Operations' prompt. (Do not reboot yet.)

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe, then try Killbox again.


Folders Deletion

Delete the following folders if they still exist.


D:\Program Files\test
D:\WINDOWS\uninstall
D:\WINDOWS\down
D:\ppmaterecord
D:\Documents and Settings\Nic\Application Data\PPMate
D:\Documents and Settings\Nic\Application Data\PPStream
D:\Program Files\PPMate
D:\Program Files\PPStream



ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use the Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


AVG Anti-Spyware

Run AVG Anti-Spyware with its updated definitions (it is important that all other windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; select "Apply all actions".
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).


SmitfraudFix - Option #1

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and pressing Enter.
A text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!


ComboFix

1. Run combofix again by clicking on combofix.exe on your desktop.

2. When finished, it will produce a log for you. It will be located at D:\combofix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



You may now reboot back to normal mode.


Online Scan

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.


Logs

Please post the following logs in your next reply...
  • AVG Anti-Spyware's Log
  • SmitfraudFix’s log
  • D:\combofix.txt
  • Kaspersky’s Online Scan Log
  • A New SREng Log
  • A New HijackThis Log
Attached Files: smfix.zip (1.2 KB)
__________________
If you think TSF has helped you, please kindly donate to TSF and help keep this site free to all.

Last edited by sUBs; 11-25-2006 at 11:48 PM.
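Added worked example, not part of dorts's post and not code from Killbox, SREng or any other tool the post names: a Python script that does the two steps the post has the user do by hand, in the same order. `collect_samples` zips the requested files and folders with a SHA-256 manifest, so the analyst can verify the samples on arrival and look the hashes up before anything is destroyed; `pending_rename_entries` shows the registry form Windows uses for "delete on reboot" (the PendingFileRenameOperations value that smss.exe processes at boot), and `queue_delete_on_reboot` calls the Win32 API MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, which is the same mechanism delete-on-reboot tools rely on. The function names, the temp-directory tree mimicking D:\WINDOWS, and the fake file bytes are constructed for the example; the Windows call needs Administrator rights and is the only part that changes anything on the machine.

```python
"""Added example: archive the samples first, then queue locked files for
deletion at next boot. Constructed demo; the fake files are not malware."""
import ctypes
import hashlib
import sys
import tempfile
import zipfile
from pathlib import Path

# MoveFileExW flag: record the operation now, carry it out during the next boot.
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def sha256_file(path: Path) -> str:
    """Hash in chunks so a large dropper never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def arcname_for(path: Path) -> str:
    """Name inside the zip: path minus drive/root, forward slashes, so that
    D:\\WINDOWS\\down\\soft.exe is stored as WINDOWS/down/soft.exe."""
    return path.relative_to(path.anchor).as_posix()


def collect_samples(paths, out_zip: Path) -> dict:
    """Store every existing file (recursing into folders) in out_zip and return
    {name_in_zip: sha256}. Missing paths are skipped rather than failing: by the
    time the user reaches this step the dropper may already have cleaned up."""
    manifest = {}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in map(Path, paths):
            if p.is_file():
                files = [p]
            elif p.is_dir():
                files = [q for q in p.rglob("*") if q.is_file()]
            else:
                continue
            for q in files:
                name = arcname_for(q)
                zf.write(q, name)            # copied only; the sample is never run
                manifest[name] = sha256_file(q)
        # Hashes travel with the samples so the analyst can confirm nothing changed.
        zf.writestr("MANIFEST.txt",
                    "".join(f"{h}  {n}\n" for n, h in sorted(manifest.items())))
    return manifest


def pending_rename_entries(paths) -> list:
    """Build the REG_MULTI_SZ pairs Windows keeps under HKLM\\SYSTEM\\
    CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations.
    A source in NT object-manager form ('\\??\\D:\\...') followed by an empty
    destination means 'delete'. smss.exe works through the list early in boot,
    before autostart entries run, which is why 'delete on reboot' can remove
    files that are locked or re-dropped while Windows is up."""
    entries = []
    for p in paths:
        entries.append("\\??\\" + str(p))
        entries.append("")
    return entries


def queue_delete_on_reboot(paths) -> int:
    """Ask the kernel to record each path for deletion at next boot. Needs
    Administrator rights. Returns how many were queued; 0 off Windows."""
    if sys.platform != "win32":
        return 0
    move = ctypes.windll.kernel32.MoveFileExW
    move.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    move.restype = ctypes.c_int
    queued = 0
    for p in paths:
        if move(str(p), None, MOVEFILE_DELAY_UNTIL_REBOOT):
            queued += 1
        else:
            print(f"could not queue {p}: Win32 error {ctypes.GetLastError()}")
    return queued


def run_demo():
    """Constructed run on a temp tree mimicking the post's D:\\WINDOWS layout.
    Returns (manifest, expected hashes, zip contents) so it can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        fake = {  # placeholder bytes, constructed for the demo
            root / "WINDOWS" / "Logo1_.exe": b"MZ\x90\x00" + b"fake-logo1-sample" * 8,
            root / "WINDOWS" / "down" / "soft.exe": b"MZ\x90\x00" + b"fake-downloader" * 8,
        }
        for p, data in fake.items():
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        wanted = [root / "WINDOWS" / "Logo1_.exe",   # a single file
                  root / "WINDOWS" / "down",         # a whole folder
                  root / "WINDOWS" / "rxdll.dll"]    # already gone
        manifest = collect_samples(wanted, root / "samples.zip")
        with zipfile.ZipFile(root / "samples.zip") as zf:
            names = zf.namelist()
        expected = {arcname_for(p): hashlib.sha256(d).hexdigest() for p, d in fake.items()}
        return manifest, expected, names


if __name__ == "__main__":
    m, e, n = run_demo()
    print(f"archived {len(m)} file(s), manifest matches: {m == e}")
    print(pending_rename_entries([r"D:\WINDOWS\system32\schost.exe"]))
```

Order matters: run `collect_samples` and keep the zip somewhere safe before queueing any deletion, because once the file is gone at reboot there is no sample left to analyse. The same PendingFileRenameOperations value is worth reading during forensics, since malware uses the identical trick to replace files at boot.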