Symantec Endpoint Protection: HTTP Infostealer Snifula.B Activity detected

Important Notice: A new version of SUPERAntiSpyware is available.

• Please uninstall your current version (this is necessary).
• Then download this SUPERAntiSpyware
• Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
• After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
• Now run a new full scan of your system. And attach this log later.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

c:\windows\system32\MpSitend.dll.vir
c:\windows\system32\MpSitend.dll
c:\windows\system32\Fxxplfnt.tmp

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now rename MGTools.exe to Kestrel.com and then try and run it again, preferably in normal mode, but in safe mode if you have issues running in normal mode.

Attach the C:\Mglogs.zip if successful, we really need to see those logs in order to provide you with a complete fix. Also attach the new log from running the updated version of SAS.

 

Let's try again:

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
c:\windows\system32\MpSitend.dll
c:\windows\system32\Fxxplfnt.tmp
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
"diskfpmp"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Let's do this and then see how things are running.


Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

If you are not set up to use the following proxy then please include this in our fixables below.

After clicking Fix exit HJT.

Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

I am not sure.

Let's try it this way first.

Now download The Avenger by Swandog469, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now use windows explorer to see if the file really was deleted by avenger or not. If not, then you can try renaming it to Fxxplfnt.tmp.old delete it yourself manually, reboot, and again check for the file's presence.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

C:\Windows\system32\wocaffe <--- What is inside of this directory? I suspect it is legit but I want to be sure.

Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

Let me know about that folder, and very soon I will be giving you final steps.

 

Stubborn huh?

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:Files
C:\Windows\system32\wocaffe 
C:\Windows\System32\Fxxplfnt.tmp

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Now run this:

GMER - running with a random name

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Uninstall/delete all other copies of any form of FireFox. ( we are deleting D:\PortableApps\xxFirefoxPortablexx\App\Firefox\firefox.exe with combofix) Reinstall only after verifying that Symantec is not complaining about FireFox files anymore.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
D:\PortableApps\xxFirefoxPortablexx\App\Firefox\firefox.exe

DirLook::
c:\windows\system32\x64

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Remember incoming blocking is what a firewall is supposed to do.

 

I mean this statement you made:

Reviewing your logs now.

 

Have you now reinstalled FireFox? ( I am assuming you are not having problems with IE ). What is on your D: drive? Is this a partition on your hard drive or a thumb drive?

 

Re-run MBAM again and this time do a complete scan ( not a quick scan ) and include the D: partition in the scan. Let's see what that finds.

Also, what is symantec now reporting as the source of these attacks?

Have you also checked your router settings for any changes?

 

Yes, I do. So to check, I would bypass the router and see if the problem still persists. If it does, then you may need to contact your ISP to get a new modem. If it stops, then some setting in your router is causing the problem. I would just reset it to factory settings first and see if it continues, as a trouble shooting method.

 

192.168.1.1 is the IP of one of your other computers, I believe. You can get me a new MGLogs.zip to check your IP settings. But it is not something to be concerned with.

 

I can't answer that. Perhaps you should ask that in the networking forum.