New malware from Windows startup

[cbkuck]

Here's all the logs. Please note that I'm going out of town today and won't be back until late Sunday night (April 18th), so I won't be able to try anything until Monday the 19th. Thanks in advance for your analysis and help, and hopefully this can be added to the database.

-- Carl

Attach.zip

DDS.txt

mbam_log_2010_04_13__06_47_11_.txt

[Blade81]

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
2. Click Yes to allow ComboFix to continue scanning for malware.
   

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

[cbkuck]

Snip...

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

Looks good! No more funky stuff getting launched, the item that started this whole thing is no longer in the registry and the DLL is no longer on the machine. Still, like my OS teacher in college used to say, the question is not whether or not you are paranoid; the questions is are you paranoid enough?

Thanks, Carl

Attach.zip

DDS.txt

ComboFix.txt

[cbkuck]

Aargh... Spoke too soon. The bogus XP Security window appeared again.

[Blade81]

Hi,

Not ready just yet.

Upload c:\windows\system32\winlogon.exe file to http://www.virustotal.com (reanalyze if the file has been scanned before) and post back the results.

Run GMER by having "sections" option enabled. Post back the report.

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Tlobu.bin
c:\windows\Hvoqavadeju.dat
c:\windows\system32\lnrqgea

Save this as

CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Uninstall your current Shockwave player and get the fresh one here if needed.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.

Uninstall these old Javas:

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 9

Java 2 Runtime Environment, SE v1.4.2_03

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

Download ATF (Atribune Temp File) Cleaner

[cbkuck]

Whew, what a process! After the GMER scan (which took well over 2 hours to run), I had to re-boot the machine in Safe Mode as any attempt to run anything was blocked with a bogus popup. The requested files are attached.

Attach.zip

ComboFix.txt

DDS.txt

kas.txt

winlogon_vtotal.txt

[Blade81]

Hi again,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

• Run Spybot-S&D in Advanced Mode
  
• If it is not already set to do this, go to the Mode menu
  select
  Advanced Mode
  
  
• On the left hand side, click on Tools
  
• Then click on the Resident icon in the list
  
• Uncheck
  Resident TeaTimer
  and OK any prompts.
  
• Restart your computer
  

Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe|C:\WINDOWS\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\winlogon.exe|C:\WINDOWS\system32\dllcache\winlogon.exe
File::
C:\Documents and Settings\Carl\Application Data\Sun\Java\Deployment\cache\6.0\8\36851408-149306e2
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\5c244c96-39a4d840
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\2aec6bd3-739ac525
c:\windows\system32\bcradllje.dat
Folder::
C:\Documents and Settings\NetworkService\Local Settings\Application Data\cmwgltdtm
DDS::
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {78E16D86-03AF-5059-29E7-126261F755BE} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TDL::
c:\windows\system32\drivers\intelide.sys

Save this as

CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows, disable protection software and refering to the picture above, drag CFScript into ComboFix.exe. Let ComboFix update itself.

Then post the resultant log & fresh dds.txt log.

[cbkuck]

Ran ComboFix (which indeed updated itself), followed by DDS. Here are the results. Thanks!

-- Carl

Attach.zip

ComboFix.txt

DDS.txt

[Blade81]

Good. Please run Kaspersky online scanner now again and post back its log.

Update MBAM and run a quick scan letting it delete possible findings. Post back the report.

[cbkuck]

I ran both, logs are attached. Unfortunately I forgot to update MBAM before running it, so I updated it and ran it a 2nd time. The 2nd run looked clean, and the output from KAS seems to have everything in quarantine or in an _restore directory. Light at the end of the tunnel, and it's not the headlight of an approaching train?

KAS.txt

mbam_log_2010_04_22__12_30_06_.txt

mbam_log_2010_04_22__12_42_05_.txt

[Blade81]

Kaspersky findings will be removed after ComboFix is uninstalled and system restore resetted (instructions below). Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

• Click START then RUN
  
• Now copy-paste Combofix /uninstall in the runbox and click OK
  

Please download OTC and save it to desktop.

• Double-click OTC.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the
  Begin cleanup Process?
  prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

• hosts file:
  
  • Every version of windows has a hosts file as part of them.
    
  • In a very basic sense, they are used to locate webpages.
    
  • We can customize a hosts file so that it blocks certain webpages.
    
  • However, it can slow down certain computers.
    
  • This is why using a hosts file is optional!!
    

  Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

  If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

  1. 
     
     
  2. Click the start button (at the lower left hand corner of your screen)
     
  3. Click run
     
  4. In the dialog box, type services.msc
     
  5. hit enter, then locate dns client
     
  6. Highlight it, then double-click it.
     
  7. On the dropdown box, change the setting from automatic to manual.
     
  8. Click ok
     

  [*]Run Secunia vulnerability check here and fix its findings.

  [*]Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:

  Antivir

  Avast!

  Good commercial ones are from:

  Kaspersky and

  ESET

  [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.

  If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade

[cbkuck]

Done! No more problems, I'm also now running Kaspersky Internet Security 2010. First thing I did after installing that was to update the DBs. There's one item in quarantine (dvdupgrrd.exe), but a full scan of the machine came back OK. I've moved as much data (i.e. non-executable files like photos) to a 2nd drive, and uninstalled everything I don't need/use. I have been running behind a Linksys firewall/router, is that considered sufficient? Also, is OTC something I can run on a regular basis? It seems pretty handy for reducing the amount of junk that a scan has to examine.

I also made sure everything was updated according to MS and Secunia. One thing I would like to get rid of is Outlook Express, since I'm running Office 2003 Pro and never use Express.

Thanks again for all your help, MBAM Pro is on the list of tools to get.

-- Carl

[Blade81]

You're welcome

I have been running behind a Linksys firewall/router, is that considered sufficient?

Yes.

Also, is OTC something I can run on a regular basis? It seems pretty handy for reducing the amount of junk that a scan has to examine.

I'd recommend ATF Cleaner for cleaning not needed stuff.