Smart Fortress and friends - silly me

Discussion in 'Malware Help (A Specialist Will Reply)' started by outbackmum, May 16, 2012.

  1. outbackmum

    outbackmum Private E-2

    Hello,
    My machine was infected yesterday by Smart Fortress, though I suspect it may have been more than that. Initially I was unable to complete most of the procedures in the READ ME First thread, and I also tried RogueKiller, but it didn't fix the problem. A friend suggested running the free Microsoft Safety Scanner, and that removed 12 nasties and returned most functionality to the machine; then I was able to run the READ ME things. (Malwarebytes found two more nasties.)
    ComboFix didn't run: it looked like it was unpacking, then it didn't do anything else and nothing seemed to be in Task Manager for it. I skipped RootRepeal as this is a 64-bit system. I am still unable to open Trend Micro, and I actually suspect that it hasn't been running for a while and I didn't notice. Would you please check my logs and advise if my machine is now clean?
    Cheers
    Sara
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. outbackmum

    outbackmum Private E-2

    Thank you for your very prompt reply Chaslang.
    This is all good until I try to find the flash drive in the "Open" window of Notepad. It is not there. I've tried a restart, switched usb ports. When windows is open you can find the flash drive just fine.

    Should I download the tool direct on to the desktop of the infected machine?

    Cheers
    Sara
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    I suggest that you try again because we have not seen one case where they do not show after booting into the Recovery Environment.

    If you still have no luck, then do the below instead from normal Windows.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  5. outbackmum

    outbackmum Private E-2

    Thank you Chaslang. I still couldn't find the flash drive. Maybe I've done something really stupid and obviously wrong, so I took a photo to attach here and you can tell me if I've embarrassed myself somehow... The flash drive only has 4GB, and when you unplug it and put it back in in that recovery mode it doesn't make that little sound it normally does when Windows is running normally.
    So I ran OldTimer's OTL. Logs attached.

    Cheers
    Sara
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now shut down your protection software (antivirus, antispyware, etc.) to avoid possible conflicts, then run OTL again and paste the below into the Custom Scans/Fixes box.
    Code:
    :OTL
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    [2012/05/16 14:25:45 | 000,000,000 | ---D | C] -- C:\Users\All\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Smart Fortress 2012
    [2012/05/16 14:23:33 | 000,000,000 | ---D | C] -- C:\ProgramData\B7E858A7000023C10000224DB4EB2331
     
    :Files
    C:\Windows\tasks\SystemToolsDailyTest.job
    C:\Users\All\AppData\Local\Temp\2A4A.tmp
    C:\Users\All\AppData\Local\Temp\36B8.tmp
    C:\Users\All\AppData\Local\Temp\3D7C.tmp
    C:\Users\All\AppData\Local\Temp\3E66.tmp
    C:\Users\All\AppData\Local\Temp\3F7F.tmp
    C:\Users\All\AppData\Local\Temp\424C.tmp
    C:\Users\All\AppData\Local\Temp\425C.tmp
    C:\Users\All\AppData\Local\Temp\4662.tmp
    C:\Users\All\AppData\Local\Temp\4920.tmp
    C:\Users\All\AppData\Local\Temp\559E.tmp
    C:\Users\All\AppData\Local\Temp\All.bmp
    C:\Users\All\AppData\Local\Temp\bapodp.dll
    C:\Users\All\AppData\Local\Temp\FDCE.tmp
    C:\Users\All\AppData\Local\Temp\PCWDDC0.tmp
    C:\Users\All\AppData\Local\Temp\PCWDDC0.xml
    C:\Users\All\AppData\Local\Temp\pubF441.tmp
    C:\Users\All\AppData\Local\Temp\VGX4970.tmp
    C:\Users\All\AppData\Local\Temp\VGX8958.tmp
    C:\Users\All\AppData\Local\Temp\~!#43F7.tmp
    C:\Users\All\AppData\Local\Temp\~DF0C3D9B23ACEE8958.TMP
    C:\Users\All\AppData\Local\Temp\~DF31B4F29AB444D3A5.TMP
    C:\Users\All\AppData\Local\Temp\~DF3692C7DD7610CB8A.TMP
    C:\Users\All\AppData\Local\Temp\~DF4D218F8CF6C7328C.TMP
    C:\Users\All\AppData\Local\Temp\~DF6C107192E642262A.TMP
    C:\Users\All\AppData\Local\Temp\~DF70CD7272530B0A6D.TMP
    C:\Users\All\AppData\Local\Temp\~DF7747B45FE79ED5A4.TMP
    C:\Users\All\AppData\Local\Temp\~DF7DAB4DD4E3C6BDD3.TMP
    C:\Users\All\AppData\Local\Temp\~DF85736E9DD5011CAC.TMP
    C:\Users\All\AppData\Local\Temp\~DF89DAD489151FB355.TMP
    C:\Users\All\AppData\Local\Temp\~DF91296AF23F332CAD.TMP
    C:\Users\All\AppData\Local\Temp\~DFAFF1DD53ACC262F5.TMP
    C:\Users\All\AppData\Local\Temp\~DFB88C3AC06EEE9E42.TMP
    C:\Users\All\AppData\Local\Temp\~DFFA3A191C47BFB2A5.TMP
    C:\Users\All\AppData\Local\Temp\nsn465.tmp
    C:\Users\All\AppData\Local\Temp\nssEF7E.tmp
    C:\Users\All\AppData\Local\Temp\{7a2f4df0-8ca4-4530-a282-b372ff6a991a}
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needs a reboot, please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click; use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
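The OTL fix above removes a handful of artefacts typical of this infection: a rogue-AV entry in the Start Menu, a 32-hex-character folder under C:\ProgramData, a scheduled task in C:\Windows\Tasks, and a DLL dropped in the user's Temp folder. As an added example, not from the thread, its author, or the OTL tool, the Python below parses OTL-style listing lines (the `[date | size | attrs | C] -- path` format seen in the two lines of the fix) and bare paths from a `:Files` section, and flags paths that match those patterns. The listing-line format is inferred from the two lines quoted above, the indicator rules are my generalisation of what the fix removed, and the benign entry in the sample input is constructed.

```python
import re
from datetime import datetime

# OTL listing line, as quoted in the fix above:
# [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] -- path
# (format inferred from the two quoted lines; an assumption, not OTL's spec)
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] -- (?P<path>.+)$"
)
WIN_PATH = re.compile(r"^[A-Za-z]:\\")          # a bare path from a :Files section
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")        # folder name like B7E858A7...2331


def parse_otl_line(line):
    """Return (timestamp, size_bytes, attrs, kind, path) for a listing line, else None."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
    size = int(m["size"].replace(",", ""))      # "000,012,288" -> 12288
    return ts, size, m["attrs"], m["kind"], m["path"]


def classify_path(path):
    """List the reasons a path resembles the artefacts removed by the fix above."""
    p = path.lower()
    parts = [x for x in p.split("\\") if x]
    reasons = []
    if "smart fortress" in p:
        reasons.append("rogue AV name in path")
    if len(parts) >= 3 and parts[1] == "programdata" and HEX32.match(parts[2]):
        reasons.append("32-hex-character folder under ProgramData")
    if "\\windows\\tasks\\" in p and p.endswith(".job"):
        reasons.append("scheduled task in Windows\\Tasks")
    if "\\appdata\\local\\temp\\" in p and p.endswith(".dll"):
        reasons.append("DLL dropped in user Temp")
    return reasons


def scan(lines):
    """Run classify_path over listing lines and bare paths; return [(path, reasons)]."""
    hits = []
    for line in lines:
        parsed = parse_otl_line(line)
        if parsed:
            path = parsed[4]
        elif WIN_PATH.match(line.strip()):
            path = line.strip()
        else:
            continue                            # section headers, commands, blanks
        reasons = classify_path(path)
        if reasons:
            hits.append((path, reasons))
    return hits


# Sample input: two listing lines and two :Files paths quoted from the fix above,
# plus one constructed benign entry and a section header that must be ignored.
SAMPLE_LINES = [
    r"[2012/05/16 14:25:45 | 000,000,000 | ---D | C] -- C:\Users\All\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Smart Fortress 2012",
    r"[2012/05/16 14:23:33 | 000,000,000 | ---D | C] -- C:\ProgramData\B7E858A7000023C10000224DB4EB2331",
    r"C:\Windows\tasks\SystemToolsDailyTest.job",
    r"C:\Users\All\AppData\Local\Temp\bapodp.dll",
    r"[2012/05/10 08:00:00 | 000,012,288 | ---- | M] -- C:\Users\All\Documents\notes.txt",  # constructed, benign
    ":Commands",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LINES):
        print(f"{path}\n    -> {', '.join(reasons)}")
```

The rules are deliberately narrow: a hex-named ProgramData folder or a `.job` file on its own is not proof of infection, so the output is a list of items worth checking against the rest of the OTL log, not a verdict.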
     
  7. outbackmum

    outbackmum Private E-2

    Hello Chaslang, and thanks again. The computer seems mostly to be running fine, though I am still unable to open Trend Micro. I tried through Control Panel too, but that didn't work either. Possibly my subscription has expired, but I would have thought it would just tell me that and direct me to pay them some money, rather than just refuse to run at all.

    Process error running MGtools Getlogs.bat

    ProcessDll.exe
    Application has generated an exception that could not be handled.

    Process id = 0x1520 (5408), Thread id = 0x1680 (5760).

    I clicked OK to cancel and the tool finished.

    Logs attached.

    Possibly Trend Micro hasn't been running for a while and I hadn't noticed. It is the Titanium one. I think from now on I'd prefer a daily confirmation that the virus and firewall protections are running and have a current update. Trend Micro took a bit of a "set and forget" approach, which I now think is dangerous.

    Cheers
    Sara
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    For your issues with Trend Micro, you will have to investigate uninstalling and reinstalling. Also you need to verify whether your subscription has expired as you suspected. This is not something I can tell you since I don't have that information.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. outbackmum

    outbackmum Private E-2

    Thank you for your help Chaslang.
    I've finished everything up and uninstalled and reinstalled Trend Micro, and everything seems to be running smoothly, and quicker.
    I also read through the recommended "protecting yourself from spyware" post and will implement some better safeguards as per the recommendations.

    MajorGeeks provides such a valuable service here, particularly to people like me, in remote areas, where local expertise just doesn't exist. I'd like to give you a shout out on Facebook, if that's ok.

    Thanks again.
    Sara
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!