Possible Smitfraud-C?

Discussion in 'Malware Help (A Specialist Will Reply)' started by MisuzuKamio, Dec 21, 2008.

  1. MisuzuKamio

    MisuzuKamio Private E-2

    :cry

    I'm back with another possible Smitfraud infection and it's been less than a month. :( I apologize for the length and for any grammar errors: I'm very tired and stressed out (and disheartened I'm back here so soon) and I want to be as thorough for you as possible. Please read below if you can since I think some information might help you figure out what's going on.

    What Happened/Symptoms:
    I am a safe surfer and always keep my malware programs up to date and scan daily, but since maybe about a month before my last infection, my computer has been running a little iffy. The login screen toggles between lasting between 5-50 seconds (sometimes it's fast, sometimes slow) after I click my username and my desktop takes about 4 minutes to load up my programs even when I've managed which ones I want running at startup with Spybot. If I try to click any programs before the red shield with the "x" in it pops up and then goes away in the taskbar, my computer completely freezes up. (The red shield has always appeared and disappeared quickly before everything is loaded since I bought the computer, and it was brand new, so that in itself shouldn't be a problem. It goes away right away as long as it detects that my AntiVirus and FireWall are enabled. It's just a pain waiting for what's now 4 minutes until it appears and disappears.) I'm not sure if the problem is malware-related or not; it could even be because AVG is set to update and scan on bootup. It used to be incredibly fast but it could be something else I guess.

    Anyway, since my internet browsers, especially FireFox, were also taking about a minute or so to load up after booting I decided to do some research on it. Less than 5 minutes later while I was researching and on a website, SpyBot informed me that it encountered SmitFraud-C.gp in C:\Windows\System32\a.exe. I terminated/deleted the process and stopped it from trying to sneak in. But, my FireWall was now turned off by it and the red shield with the "x" appeared in the task bar informing me about it. I also noticed that the Java icon was now in the taskbar as well. I turned the firewall back on and immediately searched for any suspicious processes in the Task Manager. Right away I noticed "AcroRd.32.exe." I don't recall seeing it there ever before, although it could have been. I'm not sure what it is, but it seemed to be using a bit too much cpu usage, roughly 40%. That is a lot considering I have 4GB of RAM and had only programs running that never take up that much together. I did research but couldn't find a definite answer if it is a safe/legit process or not. I deleted the pf file of a.exe from the Prefetch folder, cleaned out all my temporary files, cookies etc., and restarted my computer. While restarting I got an error message telling me there was a problem with AcroRd.32.exe and if I wanted to terminate it. I didn't click anything. About 20 seconds later it disappeared and my computer restarted. I'm wondering if the AcroRd32 giving me an error was a total coincidence since some people believe it's a legit program, but it's not in my process list anymore so it might have been related. Anyway, I then finished rebooting and completed the steps in the sticky post above.

    Other Important information:
    As mentioned above, a month back my computer got very infected, but I completed the steps at this site and was clean (Thanks Tim. :)). I think it's important to mention that my computer last month had Smitfraud which made me think - maybe it never *completely* left and tried to re-infect me after time? I am usually very careful when I browse the web since last time and try not to click on websites I haven't heard of before. When SpyBot detected Smitfraud attempting to sneak in tonight, I *believe* I was on TechSpot.com at the time (I could be very wrong! I went to more than one site.) and I've been there before with no problems. My computer also started acting slow at startup a few days before it was detected just like last time. This is why I suspect that it could possibly be hiding on my system and isn't being detected and it attempted to reinfect me or maybe actually did a little. I think some files were quarantined by ComboFix. The thread I started last time is located here:
    http://forums.majorgeeks.com/showthread.php?t=175477
    It was about 5-10 minutes of browsing last time also when a problem was very randomly detected by one of my malware programs. Maybe it's another coincidence?

    I think SpyBot killed most of it before it got in completely, but I think MGTools and ComboFix found a few files but I'm not sure.

    My logs are attached. My last log will be in a new post. :) Thank you very very much for reading!

    -Misuzu Kamio
    V!
     

  2. MisuzuKamio

    MisuzuKamio Private E-2

    Attached to this post is my MGTools log. :)
     

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As I stated in the other thread....you need to uninstall AVG7.5 and get an anti-virus that is supported and updateable....which AVG7 is no longer.

    There is no malware in your logs.

    Your start up issues should be addressed in the software section. However you can do this:
    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    And find any leftover traces of Viewpoint.

    Then download one of the freeware anti-virus programs HERE.
     
  4. MisuzuKamio

    MisuzuKamio Private E-2

    I do remember reading when AVG 8 came out that the updates for 7.5 would stop sometime in December. I have been finding updates daily still and downloading. Is it actually not updating like I had thought? Sorry I didn't do it sooner. I will uninstall AVG and take one from that list you gave me ASAP (I will be gone all day tomorrow and probably won't get on much if at all on Christmas). :)

    Hooray, I wasn't attacked again! I escaped you this time, stupid Smitfraud! :p

    For the time being, the problem has calmed down a lot, but if it starts up again I will try that and if it doesn't help I will be posting in the software section.

    That's actually quite strange: I downloaded MSN right around the time my computer acted funny and I also started up Windows Messenger that week. Hm... I wonder... :confused

    Will looking up "viewpoint" in the windows search program work or are there more hidden files? The only thing I found when looking up "viewpoint" in a search is a viewpoint folder located in C:\Documents And Settings\All Users\Application Data. Is that the only thing that should be deleted?

    And finally, should I proceed with removing ComboFix, MGTools, etc. since there is no malware?

    Thanks a lot for replying, especially so close to the Holidays! :)

    Merry Christmas! *Gives you a box of yummy Christmas cookies*
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Again, don't confuse MSN Messenger with windows messenger.

    Do remove the viewpoint leftover.

    And stay away from the egg nog!! :)

    Yes, you can uninstall the tools just like the last time.

    Have a Merry xmas and stay safe. :)
     
  6. MisuzuKamio

    MisuzuKamio Private E-2

    I ran the "Disable/Remove Windows Messenger.exe" that you linked me and it said it was successfully removed. :) But I now have both "MSN" and "Windows Live Messenger" listed under add/remove programs. Windows Live Messenger is actually the new MSN and not Windows Messenger right? I'd like to know if it's safe to have "Windows Live Messenger" installed.

    I will uninstall the tools now. I will skip deleting the system restore points since there was luckily no malware!

    Thanks for the quick reply!
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes you can keep Windows Live messenger. :)
     
  8. MisuzuKamio

    MisuzuKamio Private E-2

    I thought something was seriously wrong: I restarted my computer after removing Combofix and MGTools/HijackThis and enabling SpyBot's TeaTimer but after restarting my internet wouldn't work, my windows update icon wasn't showing (For SP3 that I am reluctant to install) and my firewall was turned off! I knew because that red shield with the "x" wasn't going away like normal. I tried turning the firewall back on but got an error message that said I wasn't able to. When trying to restart I got an error message that NsAppShell wasn't responding. I had to shutdown with the power button because Windows wouldn't restart all the way, but after restart everything is A-ok! I restarted again to make sure. I think NsAppShell just glitched. :confused

    Anyway, thank you for all your help again! You are always a great help, Tim. :)

    Merry Christmas and Happy New Year!
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And season greeting to you also.....surf safely. :)
     
  10. MisuzuKamio

    MisuzuKamio Private E-2

    Aww, I guess something did go a little screwy... :( for some reason when I type in "msconfig" in Start>Run I get the error message "Windows cannot find 'msconfig.' Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

    :confused :(

    Should I be concerned and is there a way to fix it?

    While looking it up, it can be caused by viruses, but we just checked for them. Maybe ComboFix removed crucial files? I am so unlucky lately...
     
    Last edited: Dec 23, 2008
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open regedit. Go to the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    Look for a key named MSCONFIG.EXE; if it's not there, create it. Change the default value to c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe
     
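    The registry repair Tim describes above, written out as a check-then-fix script. This is an added example, not something posted in the thread: it reads the App Paths entry for MSCONFIG.EXE, confirms the executable is really on disk at the XP path given in the post, and only then creates or corrects the default value. It assumes an elevated PowerShell session on the same Windows XP layout (c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe); on other Windows versions the path differs.

```powershell
# Added example (not from the thread): verify and repair the App Paths entry
# that lets Start > Run resolve "msconfig". Run from an elevated session.
# Assumption: Windows XP, with MSConfig.exe at the path given in the post.
$appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
$keyName  = 'MSCONFIG.EXE'
$expected = 'c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe'
$keyPath  = Join-Path $appPaths $keyName

# 1. Make sure the executable exists before pointing the registry at it.
#    If it is missing, the registry entry is not the problem; the system
#    file itself needs restoring (e.g. sfc /scannow, as advised later in the thread).
if (-not (Test-Path -LiteralPath $expected)) {
    Write-Warning "MSConfig.exe not found at $expected; restore the file before editing the registry."
    return
}

# 2. Read the current (Default) value, if the key exists at all.
#    A relative value such as 'PCHealth\HelpCtr\Binaries\MSConfig.exe'
#    (the case reported in the thread) will not resolve from Start > Run.
$current = $null
if (Test-Path -LiteralPath $keyPath) {
    $current = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
}
Write-Host "Current App Paths value for ${keyName}: '$current'"

# 3. Create the key if it is missing, then set the default value to the full path.
if ($current -ne $expected) {
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $appPaths -Name $keyName | Out-Null
    }
    Set-Item -LiteralPath $keyPath -Value $expected
    Write-Host "App Paths entry for $keyName set to $expected"
} else {
    Write-Host "App Paths entry already correct; no change made."
}
```

    Running it once more afterwards should report "already correct"; if it keeps reverting, something else is rewriting the key and the problem is not a one-off registry slip.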
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should pursue this in the software section.....:(
     
  13. MisuzuKamio

    MisuzuKamio Private E-2

    It worked! The file was there and the path was already correct, except the "c:\windows\" part was missing. THANK YOU!

    Do you think this is normal behavior after uninstalling ComboFix or could I have done something wrong while uninstalling ComboFix or MGTools? First my firewall was disabled, and then msconfig messed up! =O And these things didn't happen the first time...

    I probably should stop asking so many questions now, sorry, lol! I tend to do that when I am stressed out or worried. *Adds your name to her signature for your copious amounts of help in both threads*

    Edit: I just noticed your second post above about posting this in the software section. I will post about it in the software section if I continue to have problems. Sorry for taking up so much of your time especially when the majority of this was software-related and not malware related!
     
    Last edited: Dec 23, 2008
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem.....:)

    One of the first things that they should advise you to do is to go to run / and type
    "sfc /scannow" without quotes and have your xp cd handy. Note the space after sfc...this will check the integrity of your system files.
     
  15. MisuzuKamio

    MisuzuKamio Private E-2

    Sorry it's taken me so long to reply. A lot of things happened!

    Unfortunately, I don't have a Windows XP CD. :( I think I might buy one though, since it's coming up a lot for me lately. I MIGHT be wiping out my other (older) computer completely since I stupidly downloaded eAcceleration's rogue Stop Sign program on it and it's running awful. I will need an XP disk for that. If I do decide to not wipe it though, I'll be posting here again for that computer. I got a router for Christmas and I was going to hook them up together, but not until my old computer is cleaned first! The last thing I want is for that mess to spread to this one too (I think that's possible?).

    Thank you. I hope you had a wonderful Christmas. :)
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.....:)
     