Can't remove Smart Fortress 2012


  • This topic is locked
7 replies to this topic

#1 keeko

keeko

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:34 AM

Posted 27 March 2012 - 09:55 PM

Hi, my laptop is infected with the Smart Fortress 2012 and I've followed the guide in this forum which would supposedly remove it, but it didn't work. Here's the post I've made about it with all the details: http://www.bleepingcomputer.com/forums/topic447845.html/page__gopid__2645030#entry2645030

So here's this extra info, with DDS, attach.txt and ark.txt, and I hope it helps. Thanks in advance.

I could only run the DDS while logged in as administrator, as it kept closing itself when I tried running it on my infected user; it just closed right away, like iExplorer.exe and MBAM did... I can only get a glimpse at the cmd window. Hope there's nothing wrong with that.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Administrador at 12:10:42,67 on 17-03-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.3069.2726 [GMT 0:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrador.FJ\Ambiente de trabalho\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programas\ficheiros comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\programas\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programas\ficheiros comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\programas\windows live\messenger\msnmsgr.exe" /background
mRun: [SynTPStart] c:\programas\synaptics\syntp\SynTPStart.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\programas\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\programas\microsoft office\office12\GrooveMonitor.exe"
mRun: [BisonHK] c:\windows\bisoncam\BisonHK.exe
mRun: [DeLay] c:\windows\bisoncam\DeLay.exe
mRun: [SunJavaUpdateSched] "c:\programas\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\programas\quicktime\qttask.exe" -atboottime
mRun: [AVP] "c:\programas\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [WinampAgent] c:\programas\winamp\winampa.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\programas\pokerstars\PokerStarsUpdate.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programas\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\programas\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247576810234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {26306BB6-4A53-46E4-A9DD-2B071324051F} = 128.1.0.69
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\programas\microsoft office\office12\GrooveSystemServices.dll
Notify: klogon - c:\windows\system32\klogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\programas\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-7-18 288000]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 112144]
S1 klif;Klif;c:\windows\system32\drivers\klif.sys [2010-3-16 194320]
S2 Automatic CDROM Monitor;Automatic CDROM Monitor;c:\windows\system32\supportapppt\ztemon_cd.exe [2009-8-5 86016]
S2 AVP;Kaspersky Anti-Virus 7.0;c:\programas\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2010-3-14 218376]
S2 gupdate;Serviço Google Update (gupdate);c:\programas\google\update\GoogleUpdate.exe [2009-9-3 133104]
S2 Iprip;RIP com espera;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\f&j\defini~1\temp\NMLAC.tmp [2010-2-14 25616]

=============== Created Last 30 ================

2010-03-17 02:03:35 0 d-----w- c:\documents and settings\administrador.fj\Tracing
2010-03-17 02:03:08 0 d-sh--w- c:\documents and settings\administrador.fj\PrivacIE
2010-03-17 02:01:04 0 d-sh--w- c:\documents and settings\administrador.fj\IETldCache
2010-03-17 01:53:29 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-17 01:52:16 0 d-----w- c:\programas\Sierra
2010-03-16 14:00:36 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-16 14:00:36 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-16 13:58:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-03-11 13:32:54 0 d-----w- c:\windows\pss
2010-03-07 18:36:42 0 d-----w- c:\programas\Portal
2010-03-02 15:16:19 0 d-----w- c:\programas\IndieVolume
2010-02-17 17:03:28 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-17 16:39:46 0 d-----w- c:\programas\DAEMON Tools Lite
2010-02-15 20:18:37 0 d-----w- c:\programas\URUSoft

==================== Find3M ====================

2010-03-17 12:05:29 82794 ----a-w- c:\windows\system32\perfc016.dat
2010-03-17 12:05:29 486148 ----a-w- c:\windows\system32\perfh016.dat
2010-02-17 16:39:53 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-21 19:06:32 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 12:11:49,98 ===============

Attached Files
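The DDS log above is the kind of text a helper reads by eye, looking for startup entries, services and drivers that run from places legitimate software does not. As an added example (not part of this thread, and not DDS's or the poster's code), the Python below parses the `=== section ===` headers and the uRun/mRun/dRun, service/driver and running-process lines, extracts each image path, and flags images that live under a user-writable temp or Application Data directory, carry a `.tmp` extension, use a 32-hex-character name like the Winwebsec file MSE later reports in this thread, or are orphaned registry references (`No File`). The sample is a constructed subset of the posted log plus one constructed uRun line modelled on that Winwebsec path; the real log was run as Administrador, so the infected user's own uRun entries are not in it.

```python
"""Triage a DDS log: parse its sections and flag startup/service/process
entries with characteristics common to rogue-AV droppers of this era.
Added example for this thread; it is not DDS's code nor the poster's."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS log posted above, plus one constructed
# uRun line modelled on the Winwebsec path that MSE reported later in the thread.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [AVP] "c:\programas\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
uRun: [F4D55F3E00001CC20003ABDBD151FC4E] c:\documents and settings\all users\application data\F4D55F3E00001CC20003ABDBD151FC4E\F4D55F3E00001CC20003ABDBD151FC4E.exe

============= SERVICES / DRIVERS ===============

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S2 Iprip;RIP com espera;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\f&j\defini~1\temp\NMLAC.tmp [2010-2-14 25616]

============= FINISH: 12:11:49,98 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")                   # "=== Running Processes ==="
RUN_RE = re.compile(r"^([umd]Run):\s*\[([^\]]*)\]\s*(.*)$")     # uRun/mRun/dRun: [name] command
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[[^\]]*\]$")  # R3 name;desc;path [date size]
EXT_RE = re.compile(r'^"?(.*?\.(?:exe|dll|sys|scr|tmp))"?(?:\s|$)', re.IGNORECASE)
HEX32_RE = re.compile(r"[0-9a-f]{32}")
# Directories an unprivileged user can write to; legitimate services and drivers rarely live here.
USER_WRITABLE_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\recycler\\")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def parse_sections(text):
    """Return {section name: [non-empty lines]} keyed by the '=== name ===' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def image_path(cmdline):
    """Extract the executable image from a command line, dropping quotes and arguments."""
    m = EXT_RE.match(cmdline.strip())
    return (m.group(1) if m else cmdline.strip()).lower()


def assess(path):
    """Reasons an image path deserves a closer look (empty list = nothing notable)."""
    reasons = []
    if HEX32_RE.search(path):
        reasons.append("32-hex-character name component (random-name pattern)")
    if path.endswith(".tmp"):
        reasons.append("executable image with a .tmp extension")
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append("image lives under a user-writable temp/data directory")
    return reasons


def triage(text):
    """Run the checks over every section; one Finding per (line, reason)."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            path = None
            if (m := RUN_RE.match(line)):
                path = image_path(m.group(3))
            elif (m := SERVICE_RE.match(line)):
                path = image_path(m.group(4))
            elif section == "Running Processes":
                path = image_path(line)
            elif line.endswith("- No File"):
                findings.append(Finding(section, line, "orphaned registry reference (No File)"))
            if path is not None:
                findings.extend(Finding(section, line, r) for r in assess(path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample this flags three lines: the orphaned BHO, the constructed Winwebsec uRun entry (two reasons) and the GarenaPEngine driver loading from a `.tmp` file in a temp directory (two reasons); the Kaspersky, ctfmon and svchost entries pass. The rules are heuristics for a first pass, not a verdict: the analyst still decides what each hit means.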



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 30 March 2012 - 09:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Try to run this tool in Safe Mode with Internet Connectivity.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

If unable to run or the log is not generated run this tool.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===

Post the log(s) for my review.
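The `/md5start` ... `/md5stop` block asks OTL to hash a fixed set of system files so their checksums can be compared with known-good values; the list includes drivers such as atapi.sys that rootkits of that era were known to patch in place. As an added example (neither OTL's code nor nasdaq's), the Python below does the same comparison against a baseline you supply: it walks a root directory for every name in a subset of that list, hashes each copy it finds (including duplicates, such as a dllcache copy beside the live one) and reports each as OK, MODIFIED, MISSING or NO-BASELINE. The baseline digests and the miniature file tree built in `demo()` are constructed for the example.

```python
"""Compare MD5 hashes of the system files named in OTL's /md5start list with a
known-good baseline. Added example for this thread; it is neither OTL's code
nor the helper's. The baseline values and the file tree in demo() are constructed."""
import hashlib
import os
import tempfile

# Subset of the /md5start ... /md5stop names from the OTL custom scan above.
WATCHED = ["atapi.sys", "ndis.sys", "ntfs.sys", "Beep.SYS", "iaStor.sys",
           "userinit.exe", "explorer.exe", "svchost.exe", "spoolsv.exe",
           "kernel32.dll", "mswsock.dll", "termsrv.dll"]


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, streamed. MD5 is used only because OTL reports MD5;
    a baseline built today should be recorded with SHA-256 instead."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_files(root, names):
    """Walk root and collect every copy of each watched filename (case-insensitive).
    Duplicates matter: a clean copy in dllcache next to a patched one in
    drivers is exactly what you want to see side by side."""
    wanted = {n.lower() for n in names}
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                found.setdefault(fn.lower(), []).append(os.path.join(dirpath, fn))
    return found


def compare(found, baseline):
    """baseline: {lowercase filename: expected md5 hex}.
    Returns (name, path, status, digest) tuples; status is OK, MODIFIED,
    MISSING (in baseline, not on disk) or NO-BASELINE (on disk, nothing to compare)."""
    report = []
    for name in sorted(baseline):
        paths = found.get(name, [])
        if not paths:
            report.append((name, None, "MISSING", None))
        for p in paths:
            digest = md5_of(p)
            status = "OK" if digest == baseline[name] else "MODIFIED"
            report.append((name, p, status, digest))
    for name in sorted(set(found) - set(baseline)):
        for p in found[name]:
            report.append((name, p, "NO-BASELINE", md5_of(p)))
    return report


def demo():
    """Constructed tree: clean userinit.exe, clean atapi.sys in drivers, a
    tampered atapi.sys in dllcache, a baselined ndis.sys that is absent, and an
    explorer.exe with no baseline. Returns the set of (name, status) pairs."""
    clean_userinit = b"MZ constructed clean userinit"
    clean_atapi = b"MZ constructed clean atapi"
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINDOWS", "system32")
        drivers = os.path.join(sys32, "drivers")
        dllcache = os.path.join(sys32, "dllcache")
        os.makedirs(drivers)
        os.makedirs(dllcache)
        for path, data in [
            (os.path.join(sys32, "userinit.exe"), clean_userinit),
            (os.path.join(drivers, "atapi.sys"), clean_atapi),
            (os.path.join(dllcache, "atapi.sys"), b"MZ constructed patched atapi"),
            (os.path.join(sys32, "explorer.exe"), b"MZ constructed explorer"),
        ]:
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = {
            "userinit.exe": hashlib.md5(clean_userinit).hexdigest(),
            "atapi.sys": hashlib.md5(clean_atapi).hexdigest(),
            "ndis.sys": "0" * 32,  # placeholder digest for a file the tree lacks
        }
        report = compare(find_files(root, WATCHED), baseline)
        return {(name, status) for name, _path, status, _digest in report}


if __name__ == "__main__":
    for item in sorted(demo()):
        print(*item)
```

Against a real machine you would point `find_files` at the Windows directory and fill `baseline` from a trusted source (a clean install of the same service pack, or the vendor's published hashes); OTL itself only prints the hashes, and the comparison against known-good values is the step the helper does by hand.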

#3 keeko

keeko
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:34 AM

Posted 30 March 2012 - 05:16 PM

Thank you for the reply, it's all done. Here is the log attached.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 31 March 2012 - 07:54 AM

The ComboFix log is clean.

Third party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Any remaining issues with this computer?

#5 keeko

keeko
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:34 AM

Posted 31 March 2012 - 08:22 AM

I didn't even try logging in on normal mode, but I can now. Smart Fortress doesn't open anymore. I tried deleting its shortcut on my desktop (should I not have done anything? :x) and it took a while for it to disappear, and my antivirus Microsoft Security Essentials popped up saying a threat was found and deleted - the name of the 2 entries that appeared on the history were Rogue:Win32/Winwebsec (both of them) and their files were: file:C:\Documents and Settings\All Users\Application Data\F4D55F3E00001CC20003ABDBD151FC4E\F4D55F3E00001CC20003ABDBD151FC4E.exe and file:C:\Documents and Settings\All Users\Application Data\F4D55F3E00001CC20003ABDBD151FC4E\F4D55F3E00001CC20003ABDBD151FC4E.exe
regkey:HKCU@S-1-5-21-1757981266-1979792683-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Smart Fortress 2012
uninstall:HKCU@S-1-5-21-1757981266-1979792683-1801674531-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Smart Fortress 2012

So I'm guessing that had to do with me removing it... Anyway, I tried running Security check on safe mode and on normal mode and it doesn't work. It just keeps saying "the system can't locate the specified path" and then "file not found - INSTALL.EXE" over and over and a couple of times "PROCESS.TXT". Finally, the log comes up blank. Answering your question, I think everything's fine with the computer now. Thank you!

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 31 March 2012 - 01:23 PM

Looking at your Extra.txt log I suggest you execute this.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.



===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.10 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Secunia Personal Software Inspector (PSI)
http://secunia.com/vulnerability_scanning/personal/
Secunia PSI is a security scanner which identifies programs that are insecure and need updates.
If interested in security I would download the tool and run it.
<<<>>>

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#7 keeko

keeko
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:34 AM

Posted 31 March 2012 - 08:54 PM

Thank you so much for your help nasdaq, this forum is great. I did everything you told me to and all seems well with my computer. Thank you again!

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 06 April 2012 - 09:54 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



