Smitfraud, VirusBursters, still infected?

Discussion in 'Malware Help (A Specialist Will Reply)' started by swiharta, Dec 24, 2006.

  1. swiharta

    swiharta Private E-2

    Hi, I followed all the preliminary instructions for removal and log posting, so let's get that out of the way first. I did not attach the Counterspy scan as it found nothing and had no useful info at all that I could see.

  2. swiharta

    swiharta Private E-2

    more logs

  3. swiharta

    swiharta Private E-2

    Proceeding a bit further on my own with guidance from this previous thread, I went ahead and downloaded SmitfraudFix (I was getting the same pop-up balloon as this person). I scanned, rebooted to Safe Mode, cleaned, rebooted again to Safe Mode, then rebooted to Normal mode. Here I've attached the two rapport.txt logs.

  4. swiharta

    swiharta Private E-2

    Now I'm in normal mode and I repeated the GetRunKey and ShowNew logs, and also did another HijackThis log. I hope I don't get yelled at for this, but this is exactly what you told the guy in the other thread to do. I've attached those new logs here.

  5. swiharta

    swiharta Private E-2

    Now I'm still noticing my firewall (Outpost Pro) is alerting me of svchost trying to communicate with the internet. I find all of these suspicious and coming out of nowhere, and I have blocked all of the attempts. These seem to have quieted down for now. Not sure if they are all gone or not.

    Also, previously I got notifications about Internet Explorer requesting to change a bunch of default URLs, like search pages and stuff. I actually allowed a couple and denied a few as well, not knowing what to think of this.

    The annoying balloon alert screenshot posted in the thread I referred to has gone away now, but as I said I have gotten these suspicious svchost alerts from my firewall. I'll grab a screenshot next time I get one.

    Any help is much appreciated, and I hope I haven't done anything you wouldn't have recommended anyway!
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Looks like you got most of the infection.

    Download
    - Pocket Killbox

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh GetRunKey and ShowNew logs.
     
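Since the post above asks to be told if the PendingFileRenameOperations prompt appears, here is an added PowerShell example (not from the thread and not part of Pocket Killbox) that reads the registry value behind that prompt, so you can see exactly which files "Delete on Reboot" has queued before you restart. It assumes it is run on the machine being cleaned.

```powershell
# Added example, not from this thread: show what Killbox's "Delete on Reboot"
# actually queued. Windows stores such requests as MULTI_SZ pairs in
# PendingFileRenameOperations (source path, then destination; an empty
# destination means the file is deleted at the next boot).
function Get-PendingFileOperation {
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $pending) { return }   # nothing queued
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        # Strip the NT object-manager prefix \??\ for readability.
        $src = $pending[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        $dst = $dst -replace '^\\\?\?\\', ''
        [pscustomobject]@{
            Operation = if ($dst -eq '') { 'Delete' } else { 'Rename' }
            Source    = $src
            Target    = $dst
        }
    }
}

# Usage: list everything queued for the next reboot.
Get-PendingFileOperation | Format-Table -AutoSize
```

An empty result means nothing is queued, which is what you should see after the reboot Killbox triggers has completed.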
  7. swiharta

    swiharta Private E-2

    Did all that; I've attached new logs as you instructed. I did get the PendingFileRenameOperations prompt, and the only file that was displayed by Killbox when I pasted from the clipboard was the last one, vaxsetup.844.exe.

    I've noticed my system takes a lot longer to load everything on startup, and in Safe Mode in particular now it seems to be pretty much unresponsive for about the first 1-2 minutes after I get to the desktop. I'm guessing this is due to some of the extra software I've had to install and run to get rid of the malware, as my computer was actually just fine in this regard when I was infected! Any thoughts as to the culprit? I notice a hell of a lot of entries made by BitDefender in particular.

  8. swiharta

    swiharta Private E-2

    I forgot: another reason for the slowdown may be the normal startup in msconfig. I won't change it back to selective yet until we have killed this thing for good, though.
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    MSCONFIG is not used to disable startup items, it is purely a diagnostic tool. To prevent items from running at startup delete the registry key responsible for starting the program; this can be done with HijackThis.

    Delete the following:
    C:\!KillBox\vaxsetup.844.exe
    C:\Documents and Settings\Linda\Local Settings\Temp\2F49CE31.TMP
    C:\Documents and Settings\Linda\Local Settings\Temp\4cj5nyfv.exe
    C:\Documents and Settings\Linda\Local Settings\Temp\Adobelm_Cleanup.0001
    C:\Documents and Settings\Linda\Local Settings\Temp\bmc184F.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\control.xml
    C:\Documents and Settings\Linda\Local Settings\Temp\CopyFileList
    C:\Documents and Settings\Linda\Local Settings\Temp\ff_temp
    C:\Documents and Settings\Linda\Local Settings\Temp\h2r117D.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\i261383.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\InstMsp
    C:\Documents and Settings\Linda\Local Settings\Temp\is-9Q2EL.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\is12.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\isF.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\Microsoft Office 2003 Setup(0001).txt
    C:\Documents and Settings\Linda\Local Settings\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt
    C:\Documents and Settings\Linda\Local Settings\Temp\msohtml
    C:\Documents and Settings\Linda\Local Settings\Temp\msohtml1
    C:\Documents and Settings\Linda\Local Settings\Temp\nsh1407.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\nsx38E.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\ocy9d29f.exe
    C:\Documents and Settings\Linda\Local Settings\Temp\offcln11.log
    C:\Documents and Settings\Linda\Local Settings\Temp\OfficeUpdate
    C:\Documents and Settings\Linda\Local Settings\Temp\phone_list_051906_alpha.xls
    C:\Documents and Settings\Linda\Local Settings\Temp\Picasa2
    C:\Documents and Settings\Linda\Local Settings\Temp\QTInstallCode.log
    C:\Documents and Settings\Linda\Local Settings\Temp\qtplugin.log
    C:\Documents and Settings\Linda\Local Settings\Temp\r2h117C.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\rcsC44.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\StuffIt Dlx 8.5.0.136 ENG
    C:\Documents and Settings\Linda\Local Settings\Temp\tmp.xpi
    C:\Documents and Settings\Linda\Local Settings\Temp\TWAIN.LOG
    C:\Documents and Settings\Linda\Local Settings\Temp\Twain001.Mtx
    C:\Documents and Settings\Linda\Local Settings\Temp\Twunk001.MTX
    C:\Documents and Settings\Linda\Local Settings\Temp\Twunk002.MTX
    C:\Documents and Settings\Linda\Local Settings\Temp\ueaipyv9.exe
    C:\Documents and Settings\Linda\Local Settings\Temp\ufl16D3.tmp
    C:\Documents and Settings\Linda\Local Settings\Temp\VBE
    C:\Documents and Settings\Linda\Local Settings\Temp\wl8fpvwf.exe
    C:\Documents and Settings\Linda\Local Settings\Temp\{236BB7C4-4419-42FD-0409-1E257A25E34D}
    C:\Documents and Settings\Linda\Local Settings\Temp\{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}
    C:\Documents and Settings\Linda\Local Settings\Temp\{E89D78B8-28F7-412F-8B26-C684739CBBDC}
    C:\Documents and Settings\Linda\Local Settings\Temp\~nsu.tmp


    Empty the Recycle Bin
    Run CCleaner

    Reboot

    How is your computer running now?
     
  10. swiharta

    swiharta Private E-2

    I, and a ton of people, use it for just this purpose. Although I see your point, it's nice to have the option to re-activate the startup of some items at a later time if you choose, and this is easiest through msconfig rather than recreating deleted registry keys, at least I think it is.

    My computer is running fine as far as I can tell at this point. No more suspicious things going on since I used Killbox. Does it matter that some of the files you initially mentioned were not found or deleted by Killbox? I just hope there isn't some rogue .tmp file lurking on my hard drive waiting for my parents to let it run wild. This is my parents' computer and unfortunately they were victims of this malware.

    One more thing, could you take a peek at my last HijackThis.log (attached) and tell me what I should delete that might speed things up but not cause problems? I know a few already, but I'm hesitant on a few as well.

    Thank you so much for all your help, on Christmas Eve of all times! This is where I always come when I have a malware problem, keep it up, everyone really appreciates the effort you guys put out. Happy New Year!

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The following are not necessary and can be fixed with HijackThis:
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "p:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "P:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    If this is not the retail version then you can remove this item as well. If it is the retail version then fixing is optional.
    O4 - HKLM\..\Run: [SunServer] P:\Program Files\Counterspy\sunserver.exe

    There is nothing wrong with using MSConfig to temporarily disable startup items, but to disable a startup item long term it is best to delete the registry entry responsible for starting the item.

    Yes, I know tons of people use MSConfig the way you are, but it is not the intended use.
     
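The O4 lines above are HijackThis's rendering of the Run/RunOnce registry values, and "delete the registry entry responsible" means removing that value rather than unticking it in MSConfig. The following is an added PowerShell example (not from the thread, HijackThis or MajorGeeks) that lists those values in the same O4 style, flags entries whose executable is missing from disk, and removes a named value after exporting the key as a backup. Get-RunEntry and Remove-RunEntry are names chosen here; the script assumes it runs on the machine being inspected.

```powershell
# Added example, not from this thread: enumerate the Run/RunOnce values that
# HijackThis reports as O4 lines, and remove one the safe way (backup first).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            # Target path is either the quoted first argument or the first token.
            if ($command -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($command -split ' ')[0] }
            $exe  = [Environment]::ExpandEnvironmentVariables($exe)
            $hive = $key.Split(':')[0]          # HKLM or HKCU
            $sub  = $key.Split('\')[-1]         # Run or RunOnce
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Line      = "O4 - $hive\..\${sub}: [$name] $command"
                ExeExists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            }
        }
    }
}

function Remove-RunEntry {
    param([Parameter(Mandatory)][string]$Key,
          [Parameter(Mandatory)][string]$Name)
    # Export the whole key with reg.exe first so the entry can be restored.
    $backup = Join-Path $env:TEMP ("RunKeyBackup_{0:yyyyMMddHHmmss}.reg" -f (Get-Date))
    reg.exe export ($Key -replace ':', '') $backup /y | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name -Confirm
}

# Usage: list everything, then remove one entry by its value name, e.g.
# Get-RunEntry | Format-Table Line, ExeExists -AutoSize
# Remove-RunEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'NeroFilterCheck'
```

Entries with ExeExists false are orphaned references to programs that no longer exist and are safe to remove; an entry pointing at a file in a Temp folder, as in the list earlier in this thread, is the kind worth investigating before anything else.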
  12. swiharta

    swiharta Private E-2

    Thanks Shadow_Puter_Dude. To clarify, my system should be ok even though Killbox did not find or delete three of the files you mentioned?

    Thanks again,

    Andrew
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If the files weren't found by Killbox then they weren't present. The instructions we use are redundant. Often another tool will say the file was deleted but we add it to the Killbox instructions just to be safe.
     
  14. swiharta

    swiharta Private E-2

    Thanks again, have a nice holiday.
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  16. swiharta

    swiharta Private E-2

    will do, thanks again mate
     