
Whitesmoke removal problems


effa


Hi effa,

That CF log was key because this item shows that Combofix removed a Master Boot Record (MBR) rootkit and restored your MBR here:

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

What you had was TDL4, not TDL3 and that is why your latest CF log did not show that any drivers had been replaced.

Your last log was clean.

However, I am wondering if you use the Dell Networking Program described here, because it maintains two open ports as these two items in your Combofix log indicate:


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

and it is running as this item in your Combofix log indicates:

c:\program files\Dell Network Assistant\ezi_hnm2.exe

It may have come pre-installed with your Dell computer.

http://www.techspot.com/vb/topic136929.html

SingleClick has been making management systems for small LANs for several years, and Dell began including its software on selected PCs as Dell Network Assistant in 2005, according to Zarkiewicz. Customers can view, monitor and repair their networks with the software and designate one computer as the network's media server, then install special software on it. Any system on the network can then access multimedia content from that server.

==========

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

Important Note: Do NOT choose the option to automatically uninstall or the ESET Scan log will be deleted!!

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
  • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Approve the installation of the ActiveX control that's required to enable scanning
  • Make sure the box "Remove found threats" is CHECKED!!
  • Click "Start"
  • Allow the definition database to install
  • Click "Scan"

When the scan is done:

  • Do NOT choose the option to uninstall the ESET Online Scanner with all its components because you need to retain the scan log for posting.
  • Please post the scan report in your next reply. It can be found in this location:
    C:\Program Files\EsetOnlineScanner\log.txt
  • You can remove the ESET Online Scanner using the Windows Control Panel - Add/Remove Programs feature

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.


Hi negster22,

The Dell Network Assistant was indeed pre-installed on my computer. It still pops up (e.g. when my computer starts up), but at the same time it says that it has expired. I have been using it some years ago, but was kind of ignoring it these days. I actually opened it today, more or less by accident, as I was trying to resolve my wireless connection problems (I am on LAN now), but that was after the last scan.

Shall I just remove this program?

I am anyway going for the ESET scan. Curious what that will tell us.


You might as well remove the Dell Network Assistant since it has expired. Then you can see if removing it also removes those two open ports.

I predict ESET will find no active threats and only malware that has already been quarantined or is safely locked away in System Volume Information. BTW, at the end of the clean-up we'll purge any threats that are located in System Volume Information so there is no need to worry about them - just don't do a System Restore (until after we do that - not that you need to in any way).


There we go, the ESET log. It didn't find anything.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=dbc0dbda47efbd4f9a20477711105e2b

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-02-05 08:04:09

# local_time=2011-02-05 03:04:09 (-0500, Eastern Standard Time)

# country="Belgium"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 16777189 100 75 0 26085485 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=154863

# found=0

# cleaned=0

# scan_time=4886


That ESET scan report is as good as it gets. Excellent job, effa!

Your scans are all coming up clean now and the rootkit that was causing your redirect problems has been disinfected.

We have a few steps to finish up now!!

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 23, then follow these steps:

1. Download the latest JRE version clicking the "Agree and Start Free Download" button.

2. Save the installer to your desktop.

3. Close any programs you may have running - especially your web browser.

4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

5. Reboot your system

6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform

7. "Install the Yahoo Toolbar" is prechecked by default, so be sure to UNCHECK it if you do not care to have it, or you already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.

8. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

--------------------

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

As the Java cache can be an infection repository, you can quickly scan it periodically for infectious elements by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option:

The location of this folder usually is:

In XP:

C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\

In Vista and Windows 7:

C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\

==

If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

  • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
  • Delete the C:\ARK folder (or whatever folder you chose to install the antirootkit in)

If I asked you to download OTL, TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location).

To remove Combofix and its quarantine folder:

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\combofix.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders
  • Reset your system clock
  • Disable autorun to protect against USB infections (you can still access all devices through Windows Explorer (Windows Key + E or "My Computer"))

--

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like Quicktime, Java, Adobe Acrobat Reader, iTunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing! :)


Hi negster22,

I am very happy to see that it seems to turn out fine after all. I will definitely take some time to read through all the info you've provided, after the final cleaning up of course.

Just a little question so far. Which anti-virus or full protection software would you advise? My McAfee licence is expiring this month and I don't feel like financially supporting this commercial giant anymore.

Thank you so much for your time and help!

Effa


I hear you!!!

I have been using ESET, first their NOD32 Antivirus and now their ESET Smart Security Suite (for six years in total), and I have no complaints! It is a techie favorite!

http://www.eset.com/home/smart-security

There's a free 30 day trial here:

http://www.eset.com/download/free-trial/smart-security

I also use MBAM and WinPatrol - normal version (not the cloud one).


Hi negster22,

So I was finishing the last steps of the clean-up process right now. But when I tried to do this:

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\combofix.exe" /uninstall

I received the message that the file "combofix.exe" couldn't be found. Moreover, when I looked a bitter at my desktop, the combofix picture isn't on anymore. I have no idea when that disappeared.

I have just deleted OTL etc. from my desktop and even though it is early morning I don't think I touched Combofix there. What to do?

I also noted a folder called _OTL on C:. Can I remove that one as well?


Okay, I think the malware just jumped over and started to infect me as well :). I wanted to write "when I looked a bit better at my desktop..." in the above post.

Concerning Combofix:

  • I also quickly checked the litter bin, where all other scans were visible, but definitely not Combofix. The folder Qoobox is still on my C:
  • You asked me to rename Combofix.exe to iexplorer.exe, don't know if that has anything to do with combofix.exe not being found.

Concerning mbam:

On C:, I found an mbam log with the following message:

An error has occurred. Please report this error code to our support team.

MBAM_ERROR_NOT_REGISTERED (0, 0)


Hi effa,

Please disable all anti-malware programs.

Next, please redownload Combofix from one of these locations & save it to your desktop (do NOT rename it):

HERE or HERE

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

combofix /uninstall

Exit the command prompt.

Re: that MBAM error, is that from a recent log? If you are not getting it now (post-infection), I would not worry about it.


If it's old don't worry about it because newer MBAM version releases may have corrected it, or it may have been caused by your infection.

I made this to illustrate the above removal procedure for Combofix:

CombofixUninstall.jpg

It could be the renaming made a difference, and you can remove the _OTL folder.


Hi negster22,

The installation and consequent removal of combofix worked out this time :). I hope my computer is malware-free right now. I will definitely continue cleaning it up.

Now that I am being suspicious about almost everything, just a little question if I may. I have an icon called "UNWISE" on C: and I am not sure what it is (I quickly googled, but I don't really find a clear explanation). I cannot remember anymore if it was there before, I just find it weird, because it says that it is created in 2010, but modified in 2001.

Thanks a million for your advice and patience!!


Hi effa,

I have an icon called "UNWISE" on C: and I am not sure what it is (I quickly googled, but I don't really find a clear explanation). I cannot remember anymore if it was there before, I just find it weird, because it says that it is created in 2010, but modified in 2001.

"UNWISE" is normally just an uninstaller (WISE is the company that provides this software package). Even though threats can adopt innocuous sounding names in an attempt to disguise, I doubt it is malicious because:

1. It was not shown to be running in your logs

2. Your logs show no start-up or load point for unwise

3. It is a well known static name with a "normally" innocent purpose.

However, when in doubt you can always upload the file to VirusTotal to have nearly 30 individual scanners cast their verdict on whether the file is considered a risk.

If the icon is just a short-cut, you will have to right-click the UNWISE icon, select Properties, and inspect the Target field to find the location (path) of the executable that the shortcut launches. The EXE file is what would have to be scanned. The PATH is another indicator of whether the file should be considered malicious.

Yes, it IS weird that the file creation date is 9 years later than the last modified date! That is something that raises a red flag, but it has to be considered along with all other parameters, and in and by itself it is not enough to classify the file as malicious.

And you're welcome. It was a pleasure working with you, effa!!
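The creation-after-modification check described in the post above, as an added example that is not part of the original thread: it flags a file whose creation timestamp is later than its last-modified timestamp by more than a tolerance, and treats that as one indicator to weigh with the others listed (no running process, no load point, scanner verdict). The one-day tolerance and the `C:\UNWISE.EXE` sample path are assumptions made for this example.

```python
"""Flag files whose creation time is later than their last-modified time,
the inconsistency the thread notes for UNWISE (created 2010, modified 2001).
Added example for this thread; not code from the forum or its posters."""
from __future__ import annotations
import os
from dataclasses import dataclass
from pathlib import Path

# Copies and installers routinely give a file a creation time a little after
# its preserved modification time, so only a large gap is treated as
# suspicious. One day is an assumed threshold for this example.
SUSPICIOUS_GAP_SECONDS = 24 * 3600


@dataclass
class TimestampCheck:
    path: str
    created: float      # seconds since epoch
    modified: float     # seconds since epoch
    gap_seconds: float  # created - modified
    suspicious: bool


def check_timestamps(path: str, created: float, modified: float) -> TimestampCheck:
    """Creation later than modification by more than the threshold is flagged.
    This is only one indicator; the thread pairs it with 'not running in the
    logs', 'no load point' and a VirusTotal verdict before deciding."""
    gap = created - modified
    return TimestampCheck(path, created, modified, gap, gap > SUSPICIOUS_GAP_SECONDS)


def creation_time(st: os.stat_result) -> float:
    """Windows exposes creation time as st_ctime; macOS/BSD as st_birthtime.
    On Linux st_ctime is inode-change time, so creation may be unavailable."""
    if hasattr(st, "st_birthtime"):
        return st.st_birthtime
    if os.name == "nt":
        return st.st_ctime
    raise OSError("creation time not available on this platform")


def scan_directory(root: str) -> list[TimestampCheck]:
    """Walk root and return every regular file that trips the heuristic."""
    flagged: list[TimestampCheck] = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            st = p.stat()
            result = check_timestamps(str(p), creation_time(st), st.st_mtime)
        except OSError:
            continue  # unreadable file or no creation time on this platform
        if result.suspicious:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    # Constructed timestamps matching the thread's UNWISE observation:
    # created 2010-06-01 UTC, modified 2001-03-15 UTC (assumed sample path).
    r = check_timestamps(r"C:\UNWISE.EXE", 1_275_350_400.0, 984_614_400.0)
    print(f"{r.path}: created {r.gap_seconds / 86400:.0f} days after "
          f"last modified -> suspicious={r.suspicious}")
```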


This is what VT had to say - after I chose the option to read the report, as the file had been analysed already:

"0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware. " :)

I think I'll just go and believe that my computer is okay now.

Thanks for all the info by the way. It helps me with my goal to become a bit more computer literate :).


3 weeks later...

Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
