BAGLE (and Smitfraud); Logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by copernic, Apr 4, 2009.

  1. copernic

    copernic Private E-2

    Hello,

    I have a Toshiba laptop with OEM Vista Home Premium.
    I had Avast, SpywareSearch&Destroy, PCTools Firewall, SpywareBlaster, ComodoBOClean.

After I got infected on Thursday (by BAGLE/winupgro, I think), seeing that my AV, AS etc. seemed to cause problems, I uninstalled them (and cut the internet connection).

    I followed your procedures, except that, in the first steps:
    - SP1 isn't installed. (The installation had failed once for no apparent reason when I first tried it a while ago, and failed a second time because I didn't have enough space left on C: More on this below.)
    - I didn't defragment, last defrag was one or two months ago, and most of my partitions are pretty full anyway.

I couldn't install SAS ("SuperAntiSpyware.exe is not a valid Win32 application"), no workaround worked.
    - Malwarebytes: BSOD during the scans (tried twice)
    - ComboFix: couldn't install, no workaround worked.
    - MGTools: worked.

    I then found your "Remove BAGLE" thread, and followed the instructions, FindyKill seems to have solved the problem.

The PC seems to work fine, apart from a warning in the tray regarding startup programs that don't launch. (I did what you said about MSControl/CCleaner regarding startup procedures today; I will get into HJT for my startup once I know the PC is clean), so I reinstalled Avast, Spybot S&D, SpywareBlaster, Comodo BOClean, PCTools Firewall.
    In the meantime I did some cleaning up of the SoftwareInstall/Download cache.
Flashback: in the first steps (basic PC maintenance), I also used the Windows "Clean Up" tool, and clicked some more stuff to clean than the default, and I think it erased the restore points. I made a new restore point.
    I tried to install SP1, but it failed again.
At various stages of the process I uninstalled various programs through the Control Panel.

I'd like to make sure the PC is clean, so I went through the cleaning procedures again.
SAS found a Smitfraud with ~30 threats (-> should I follow your procedures for SmitfraudFix?). After SAS did its job, I unchecked in Preferences->General & Start Up, "Start SAS when Windows starts", "Integrate with Vista Security Center". The idea is to keep it on the PC instead of uninstalling it (as per the instructions in the How to Protect Yourself From Malware thread advising to have only one antispyware tool running). Is it ok?
    After ComboFix did its job, I reactivated my AV (Avast), Firewall (PCTools) and AS (Comodo BOClean) before running MGTools.
I didn't uninstall then reinstall MGTools for this second run.

I think that's about it, do not hesitate to ask any question that might help.

    Thanks in advance!
     

    Attached Files:

  2. copernic

    copernic Private E-2

The other logs, from after FindyKill apparently got rid of BAGLE/winupgro, and I thus could run the general Malware Removal procedure.
    SAS found Smitfraud.
     

    Attached Files:

  3. copernic

    copernic Private E-2

FWIW: I've just logged off the admin account from which I did all the removal procedures, back to my user account (to watch a movie, not to do anything dangerous), and there was a pop-up window titled "Task Manager" that said 'Invalid history file, now re-create it'! I didn't click the OK button but closed the window. Then another pop-up window said "Init Task manager failed". I thought I'd mention it because it's not the first time I have seen them since I got infected on Thursday.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The logs for the user account you posted are in pretty good shape now. I just questioned what the below are?
    Code:
    2009-03-19 05:14 . 2008-01-17 04:00 68,232 --a------ c:\windows\UnDeployV.exe
    2009-03-07 04:29 . 2009-03-11 05:02 <REP> d-------- c:\program files\eweiqi
    2009-03-05 06:34 . 2009-03-05 06:34 <REP> d-------- c:\program files\uligo03
    
    "C:\Windows\System32\"
    cid_st~1.dat   5 Apr 2009         888  "cid_store.dat"
    pub_st~1.dat   4 Feb 2009          20  "pub_store.dat"
    xlhcc.dat      5 Apr 2009          26  "xlhcc.dat"
    
    Also you need to do the below.


Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Are you having any more malware problems?
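Added here as a worked example, not something chaslang posted: a triage script a practitioner would run against the items questioned above before deciding what they are. It only collects facts (timestamps, size, hidden flag, Authenticode status, SHA-256, Run-key references, running processes) and asserts nothing about whether any of these files is malicious. It assumes Windows PowerShell 2.0 or later, started elevated ("Run as administrator"); the paths are exactly the ones listed in the post, and the hash and signer values are whatever the local machine returns.

```powershell
# Added triage script for the items chaslang asked about above. Not part of the thread.
# It only collects facts (timestamps, size, hidden flag, Authenticode status, SHA-256,
# Run-key references, running processes) so the reader can make a judgment; it does
# not assert that any of these files is malicious.
# Assumptions: Windows PowerShell 2.0 or later, started elevated (Run as administrator).

$paths = @(
    'C:\Windows\UnDeployV.exe',
    'C:\Windows\System32\cid_store.dat',
    'C:\Windows\System32\pub_store.dat',
    'C:\Windows\System32\xlhcc.dat',
    'C:\Program Files\eweiqi',
    'C:\Program Files\uligo03'
)

function Get-Sha256Hex([string]$file) {
    # .NET directly, so this also works on PowerShell 2.0, which has no Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($file)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Describe-File([System.IO.FileInfo]$f) {
    $sig    = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path      = $f.FullName
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        SizeBytes = $f.Length
        Hidden    = [bool]($f.Attributes -band [System.IO.FileAttributes]::Hidden)
        Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = $signer
        SHA256    = Get-Sha256Hex $f.FullName
    }
}

$report = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "not present: $p"; continue }
    $item = Get-Item -LiteralPath $p -Force
    if ($item.PSIsContainer) {
        # For the two program folders, look at the PE files they contain
        Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|sys|scr)$' } |
            ForEach-Object { Describe-File $_ }
    } else {
        Describe-File $item
    }
}
$report | Sort-Object Created | Format-Table Created, Signature, SizeBytes, Hidden, Path -AutoSize
$report | Format-List Path, Signer, SHA256

# Is anything in the Run/RunOnce keys pointing at these names? (Only these keys; a
# full autostart review still needs HijackThis or Autoruns.)
$names   = $paths | ForEach-Object { [System.IO.Path]::GetFileName($_) }
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $values = Get-ItemProperty -Path $k
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }       # PSPath, PSParentPath, PSChildName, ...
        foreach ($n in $names) {
            if ("$($prop.Value)" -match [regex]::Escape($n)) {
                Write-Output "AUTOSTART  $k : $($prop.Name) = $($prop.Value)"
            }
        }
    }
}

# Is anything currently running from one of these locations?
foreach ($proc in Get-Process) {
    foreach ($p in $paths) {
        if ($proc.Path -and $proc.Path -like "$p*") {
            Write-Output "RUNNING    PID $($proc.Id)  $($proc.Path)"
        }
    }
}
```

The creation timestamp next to the signature status is usually the most telling column: an unsigned executable that landed in C:\Windows on the day of the infection deserves a second look, while a .dat file in System32 that is 20 bytes long and not referenced from any Run key is more likely a program's settings store. The SHA-256 values are what you would submit to a multi-engine scanner instead of guessing from the file name, as the Google search in the next post does.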
     
  5. copernic

    copernic Private E-2

    Thank you for coming back to me!

    Code:
    2009-03-19 05:14 . 2008-01-17 04:00 68,232 --a------ c:\windows\UnDeployV.exe
    No idea. Google says it might be a virus...

    Code:
    2009-03-19 05:14 . 2008-01-17 04:00 68,232 --a------ c:\windows\UnDeployV.exe
    2009-03-07 04:29 . 2009-03-11 05:02 <REP> d-------- c:\program files\eweiqi
    2009-03-05 06:34 . 2009-03-05 06:34 <REP> d-------- c:\program files\uligo03
    
- uligo03 is a legit program for the Asian game of Go. It might also act as a client for the Go server IGS, which uses a telnet protocol, but I've never used it that way.
- eweiqi is a legit Chinese client for a Go server. I haven't used it yet because the registering procedures are in Chinese and I haven't gotten around to it yet. It is widely used in the Go community, and I haven't heard people say that it's 'crapware' (unlike the Chinese 'download accelerator' Thunder, more on this below).

    Code:
    "C:\Windows\System32\"
    cid_st~1.dat   5 Apr 2009         888  "cid_store.dat"
    pub_st~1.dat   4 Feb 2009          20  "pub_store.dat"
    xlhcc.dat      5 Apr 2009          26  "xlhcc.dat"
    
    I don't know. However, for cid, google points to malware fora help threads whose HJT logs contain references to Thunder.
    For pub, nothing significant.
    For xlhcc, same thing as cid, except that the pages linked to are in Chinese...

If they are indeed related to Thunder, well, I hate Thunder myself, as it's horribly intrusive, but my Chinese girlfriend keeps insisting on it, as it gives access to xanxan.xunlei, a website that streams the latest movies in HD...


    I got the success message. (I ran it from my user account ("Kyudo"), not from the admin account ("Compass"))


    Nothing big:

    I still have the two popups described in the preceding post every time I log in (usually after a fresh boot).

And it seems that when uTorrent is running, the appearance of the windows of some programs, such as Notepad, is changed (a bit like after RealPlayer says that some color stuff wasn't found on the PC): the title bar isn't the default transparent Aero theme anymore, but an XP-ish solid light blue instead, and the windows for e.g. saving files are all messed up.

    Oro20.exe from orobaduk doesn't run anymore (it's the English client for a Korean server of Go, but their English client has always been an afterthought). I ought to reinstall it, it will probably solve the problem.

    Other than that, everything seems to run normally.

I noticed that in the Task Manager, csrss.exe and winlogon.exe don't have a description (but this is also true of Ati2evxx.exe, which is for the graphics card, I presume).
     
  6. copernic

    copernic Private E-2

I've just rebooted. When logging in, the Init Task Manager pop-ups showed up, and I had forgotten to mention one thing: when logging in, the BOClean updater tells me, in a pop-up window, that probably because of permissions, something couldn't be done, and says to visit www.nsclean.com/supdoc.html and follow the instructions at the bottom of the page. The link redirects to http://www.comodo.com/boclean/boclean.html , COMODO's page for BOClean, apparently.
    NB: I left the UAC disabled.



Something else: I've noticed that when I run CCleaner NOT everything that is analysed gets cleaned up, there's always some files left over that don't get removed. Here they are:

    Code:
    ANALYSIS COMPLETE - (0.417 secs)
    ------------------------------------------------------------------------------------------
    3,01MB to be removed. (Approximate size)
    ------------------------------------------------------------------------------------------
    
    Details of files to be deleted (Note: No files have been deleted yet)
    ------------------------------------------------------------------------------------------
    Marked for deletion: C:\Users\Kyudo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    Marked for deletion: C:\Users\Kyudo\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    Marked for deletion: C:\Users\Kyudo\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012009041120090412\index.dat
    C:\Windows\TEMP\000041238653746645.WMV 0,64MB
    C:\Windows\TEMP\000041238664530183.wmv 2,06MB
    C:\Windows\TEMP\Compass.bmp 31,09KB
    C:\Windows\TEMP\daps\movie.cfg 8 bytes
    C:\Windows\TEMP\IpAdrSet.log 19,21KB
    C:\Windows\TEMP\jusched.log 1,91KB
    C:\Windows\TEMP\lpksetup-20090406-111941-0.log 23,98KB
    C:\Windows\TEMP\lpksetup-20090406-111959-0.log 622 bytes
    C:\Windows\TEMP\lpksetup-20090406-120154-0.log 23,98KB
    C:\Windows\TEMP\lpksetup-20090406-120212-0.log 622 bytes
    C:\Windows\TEMP\lpksetup-20090406-200143-0.log 23,98KB
    C:\Windows\TEMP\lpksetup-20090406-200205-0.log 622 bytes
    C:\Windows\TEMP\lpksetup-20090407-124258-0.log 23,98KB
    C:\Windows\TEMP\lpksetup-20090407-124319-0.log 622 bytes
    C:\Windows\TEMP\lpksetup-20090409-205433-0.log 23,98KB
    C:\Windows\TEMP\lpksetup-20090409-205452-0.log 622 bytes
    C:\Windows\TEMP\lpksetup-20090410-114826-0.log 23,98KB
    C:\Windows\TEMP\lpksetup-20090410-114845-0.log 622 bytes
    C:\Windows\TEMP\tddcdat\active.update.time.1000 0 bytes
    C:\Windows\TEMP\tddcdat\active.update.time.700 0 bytes
    C:\Windows\TEMP\tddcdat\index1.dat.1000 30 bytes
    C:\Windows\TEMP\tddcdat\index1.dat.700 30 bytes
    C:\Windows\TEMP\{72F87E7C-EFC8-455c-B68A-8BEB82D7D771}.dat 21 bytes
    C:\Windows\TEMP\~DF1E3.tmp 32,00KB
    C:\Windows\TEMP\~DF7F42.tmp 32,00KB
    C:\Windows\TEMP\~DFDADF.tmp 32,00KB
    C:\Windows\TEMP\~tpEE7A.tmp 24,00KB
    ------------------------------------------------------------------------------------------
    

A remark: nothing new, but when logging in, it doesn't seem logical to me that the internet connection is established *before* the firewall, Avast and BOClean are launched.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are going to have to tell me exactly what you are referring to. It does not sound like you are referring to malware problems to me.

    Not a topic for this forum. These are things you should discuss in the Software Forum. In this forum, we would tell you to uninstall utorrent and anything else like it.


Also not a topic for the Malware Forum.

    Normal.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are all things you should discuss in the Software Forum. You need to understand how to be the administrator of your PC and also how the software and hardware works. For one example, Ccleaner has options that affect what it will delete.


    Since your logs are clean other than the references to chinese software or sites that I would not recommend, it is time for final instructions.
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work through the below link:
     
  9. copernic

    copernic Private E-2

    Ok;
    - HJT: there was only the .exe file left, Add/Remove told me. Removed it.
    - After flushing the system restore, on reboot I had this message "C:\Windows\system32\config\systemprofile\Desktop is not accessible. Access denied" (translated from the french); and on the desktop there was only the Bin icon and another icon.
    I rebooted again and the desktop looked normal, both on the admin account and the user account, except that the wallpaper had gone (and the normal way to set up a new wallpaper doesn't work).

I know these are not malware issues, just mentioning them anyway!


    Thanks for all your help, and have a nice week!
     
    Last edited by a moderator: May 17, 2009
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You should not wait a month to finish instructions and post follow up reports. If you continue to have problems like just mentioned, please post them in the Software Forum.
     
