I had an infection by Vista Security 2011 yesterday, 3/30/2011 at about 4:35 PM. I am running Firefox 4.0 and Java 6.0.22 was enabled. I visited a website, saw a brief flash of the Java Console window, and got a UAC prompt asking to install software. I clicked cancel, but was infected anyway. My system is Vista SP1, 32-bit.
I took the following steps:
- Immediately powered off the machine
- Reboot in Safe Mode
- Ended process "hns.exe"
- Followed instructions here: http://www.precisesecurity.com/rogue/vista-home-security-2011/
- Deleted relevant files, deleted registry keys
- Searched registry for any keys mentioning "hns.exe" and removed them
- Windows search for any files created on 3/30/2011 - cleared Prefetch and Temp folders
- Ran msconfig - set Selective Startup and rebooted with most services disabled.
The infection seemed to be gone, didn't notice any "unfamiliar" processes in Task Manager or Process Explorer. No more popups, fake warnings. But -- the registry keys I cleared removed the .exe association for executable files. Trying to run programs resulted in error: "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel." I was able to restore the registry keys using this file:
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip
From this forum post:
http://www.techsupportforum.com/forums/f10/solved-exe-woes-this-file-does-not-have-a-program-associated-with-it-for-performin-470159.html
Everything seems ok now... to verify the cleaning, I took these steps:
1. Installed, Updated, and Ran MBAM -- Quick scan found nothing actively running.
2. Ran MBAM full scan -- identified Trojan.Agent in:
---> C:\Users\Randolph\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\1e758e5a-2683707b
Initial point of infection??? Not actively running, was deleted.
3. Ran MBAM full scan again -- found nothing.
4. Ran Kaspersky TDSSkiller -- found nothing.
5. Ran GMER --- bluescreened after about 30 seconds, seemed to find nothing until then.
6. Ran DDS -- log pasted below.
I've since disabled the Java plugin in Firefox and installed NoScript and AdBlock (which my idiot self should have had anyway). I'm also now installing MS Security Essentials, will update with results of that scan.
Anyway, just wondering if there is anything suspicious in the DDS log. Thanks so much for the wonderful resource this forum provides!
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Randolph at 2:21:40.14 on Thu 03/31/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2046.1074 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\alg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\lxdicoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Programs\Logitech\SetPoint\SetPoint.exe
D:\Programs\SpeedFan\speedfan.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Randolph\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Randolph\Desktop\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: InlineSearchHandleHotKeys Class: {b6ffe2ae-4d12-451f-b457-fe6125ffb1cf} - d:\programs\ieforge\inline search\InlineSearch.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)" -"http://www.pennmedicine.org/encyclopedia/em_DisplayAnimation.aspx?gcid=000058&ptid=17"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "d:\programs\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\randolph\appdata\roaming\micros~1\windows\startm~1\programs\startup\speedfan.lnk - d:\programs\speedfan\speedfan.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - d:\programs\logitech\setpoint\SetPoint.exe
uPolicies-explorer: DisableThumbsDBOnNetworkFolders = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - d:\programs\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - d:\programs\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://d:\programs\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://d:\programs\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://d:\programs\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://d:\programs\iespell\iespell.dll/SPELLOPTION.HTM
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ethz.ch\n
Trusted Zone: webex.com
Trusted Zone: webex.com\digipen
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://digipen.webex.com/client/T27LB/training/ieatgpc1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: eNetHook.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - d:\programs\qualcomm\eudora\EuShlExt.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\randolph\appdata\roaming\mozilla\firefox\profiles\u8wrvbpl.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\randolph\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\randolph\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - plugin: d:\programs\firefox\plugins\npatgpc.dll
FF - plugin: d:\programs\firefox\plugins\npdeployJava1.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin7.dll
FF - plugin: d:\programs\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\programs\real alternative\browser\plugins\nprpjplug.dll
.
============= SERVICES / DRIVERS ===============
.
R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2010-1-22 23624]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-6-30 4497704]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-3-2 113448]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-6-30 15656]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2009-11-24 38604]
S3 Gizmo Central;Gizmo Central;d:\programs\gizmo\gservice.exe [2010-1-22 31856]
S3 PPTVH;PPTVH;c:\users\randolph\appdata\local\temp\pptvh.exe --> c:\users\randolph\appdata\local\temp\PPTVH.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]
.
=============== Created Last 30 ================
.
2011-03-31 00:41:22 -------- d-----w- c:\users\randolph\appdata\roaming\Malwarebytes
2011-03-31 00:41:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-31 00:41:16 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-31 00:41:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-31 00:37:37 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a780498c-c602-4fdb-b284-71b1f896d64c}\mpengine.dll
2011-03-24 06:18:41 -------- d-----w- c:\progra~2\WinZipSE
2011-03-18 18:10:58 -------- d-----w- c:\users\randolph\.netbeans
2011-03-17 04:08:35 -------- d-----w- c:\program files\CMake 2.8
2011-03-09 04:06:50 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 04:06:50 323072 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 04:06:50 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 04:06:50 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 04:06:31 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 04:06:30 677888 ----a-w- c:\windows\system32\mstsc.exe
.
==================== Find3M ====================
.
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 07:50:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57:10 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:25:17 2038784 ----a-w- c:\windows\system32\win32k.sys
2003-03-21 17:45:22 250544 ----a-w- c:\program files\common files\keyhelp.ocx
.
============= FINISH: 2:22:19.70 ===============
Ah, last thing -- noticed "Trusted Zone: ethz.ch\n" in the DDS log. I hardly ever use IE (just for one particular site - webex.com) but I did remove that from the Trusted Sites.
Edit:
Also this file from the DDS log:
c:\users\randolph\appdata\local\temp\PPTVH.exe
Is now gone... was just checking, I won't make any changes w/o your advice, just letting you know it's not there anymore.
Hehe, after making this post I went to Google and searched PPTVH.exe. Google found this thread -- that's some fast indexing
EDIT: Posts merged ~BP
Attached File(s)
Attach.zip (5.48K)
This post has been edited by Budapest: 31 March 2011 - 04:38 PM
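As an added example (not part of the post, the forum's reply, or the DDS tool itself), the script below applies the first-pass checks a helper reads a DDS log for by hand: processes or service binaries living under a temp or user-profile directory, service entries DDS marks `[?]` (file could not be verified on disk), `No File` toolbar/BHO entries, Run keys with an empty command, and any `AppInit_DLLs` value. The sample input is constructed from a few lines excerpted from the log above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the DDS log quoted in the post above.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Randolph\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\Randolph\Desktop\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Aim6]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
AppInit_DLLs: eNetHook.dll
.
============= SERVICES / DRIVERS ===============
.
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-3-2 113448]
S3 PPTVH;PPTVH;c:\users\randolph\appdata\local\temp\pptvh.exe --> c:\users\randolph\appdata\local\temp\PPTVH.exe [?]
.
============= FINISH: 2:22:19.70 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)
USER_PROFILE_RE = re.compile(r"\\(users|documents and settings)\\[^\\]+\\", re.I)
EMPTY_RUN_RE = re.compile(r"^[um]Run(Once)?: \[[^\]]+\]$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse_sections(text):
    """Split a DDS log into {section title: [entry lines]} using its ==== headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line in ("", "."):  # DDS pads sections with "." lines
            continue
        sections[current].append(line)
    return sections


def triage(text):
    """Return one Finding per log line that deserves a closer look, with its reasons."""
    findings = []
    sections = parse_sections(text)

    for line in sections.get("Running Processes", []):
        path = line.split(" -k ")[0]  # drop svchost group arguments
        f = Finding("Running Processes", line)
        if TEMP_RE.search(path):
            f.reasons.append("executable running from a temp directory")
        elif USER_PROFILE_RE.search(path):
            f.reasons.append("executable running from a user profile directory")
        if f.reasons:
            findings.append(f)

    for line in sections.get("Pseudo HJT Report", []):
        f = Finding("Pseudo HJT Report", line)
        if line.endswith("- No File"):
            f.reasons.append("entry points at a file that no longer exists (orphan)")
        elif EMPTY_RUN_RE.match(line):
            f.reasons.append("Run entry with an empty command (orphan)")
        elif line.startswith("AppInit_DLLs:"):
            f.reasons.append("AppInit_DLLs is loaded into every process; confirm the DLL belongs to installed software")
        if f.reasons:
            findings.append(f)

    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, name, _display, rest = m.groups()
        f = Finding("SERVICES / DRIVERS", line)
        if rest.endswith("[?]"):
            f.reasons.append(f"service {name}: DDS could not verify the binary on disk")
        if TEMP_RE.search(rest):
            f.reasons.append(f"service {name}: binary path is under a temp directory")
        if f.reasons:
            findings.append(f)

    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"[{fnd.section}] {fnd.line}\n    -> {'; '.join(fnd.reasons)}")
```

Run against the full log, the script would flag `RtkBtMnt.exe` in `AppData\Local\Temp` and the `PPTVH` service the poster later noticed, while leaving the `dds.scr` hit (the DDS tool itself, run from Downloads) for a human to dismiss; it is a filter for what to look at first, not a verdict.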