Hijacked by "File Recovery" malware sales program

[SuperDave]

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
**************************************************
Re-running ComboFix to remove infections:

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:
  

  KillAll::
  
  DirLook::
  
  C:\.Trash-999
  
  
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

[an8el]

I didn't realize that you had to remove old java versions... I did clean up some of them previously, but hadn't realized they weren't disabled once an update had been installed. Thanks for the utility to do that.

It appears that the trash-999 folder was genuinely connected to the trash, because the files in it were empty folders that I recently deleted on purpose.

Here's what ComboFix spit out this time:

ComboFix 12-07-21.01 - Franis 07/22/2012  15:35:39.2.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2812.1809 [GMT -10:00]
Running from: c:\users\Franis\Desktop\ComboFixAlso.exe
Command switches used :: c:\users\Franis\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-23 to 2012-07-23  )))))))))))))))))))))))))))))))
.
.
2012-07-23 01:45 . 2012-07-23 01:45   --------   d-----w-   c:\users\Guest\AppData\Local\temp
2012-07-23 01:45 . 2012-07-23 01:45   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-07-23 01:45 . 2012-07-23 01:45   --------   d-----w-   c:\users\Certainly\AppData\Local\temp
2012-07-23 00:25 . 2012-07-23 00:25   476976   ----a-w-   c:\windows\SysWow64\npdeployJava1.dll
2012-07-18 09:57 . 2012-07-18 09:57   --------   d-----w-   c:\users\Franis\AppData\Roaming\SUPERAntiSpyware.com
2012-07-18 09:57 . 2012-07-18 09:57   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-07-18 09:57 . 2012-07-18 09:57   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2012-07-15 20:29 . 2012-07-15 20:29   --------   d---a-w-   C:\.Trash-999
2012-07-11 22:32 . 2012-07-11 22:32   --------   d-----w-   c:\program files (x86)\Malwarebitey
2012-07-11 22:32 . 2012-04-05 01:56   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-11 16:38 . 2012-07-11 16:38   --------   d-----w-   c:\program files (x86)\Mozilla Maintenance Service
2012-07-11 16:38 . 2012-07-11 16:38   421200   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-11 16:38 . 2012-07-11 16:38   770384   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-11 16:04 . 2012-06-12 03:08   3148800   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 15:48 . 2012-06-02 12:01   173056   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-07-11 14:50 . 2012-06-06 06:06   2004480   ----a-w-   c:\windows\system32\msxml6.dll
2012-07-11 14:50 . 2012-06-06 06:06   1881600   ----a-w-   c:\windows\system32\msxml3.dll
2012-07-11 14:50 . 2012-06-06 05:05   1390080   ----a-w-   c:\windows\SysWow64\msxml6.dll
2012-07-11 14:50 . 2012-06-06 05:05   1236992   ----a-w-   c:\windows\SysWow64\msxml3.dll
2012-07-11 14:50 . 2010-06-26 03:55   2048   ----a-w-   c:\windows\system32\msxml3r.dll
2012-07-11 14:50 . 2010-06-26 03:24   2048   ----a-w-   c:\windows\SysWow64\msxml3r.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-23 00:25 . 2010-06-07 12:18   472880   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-07-13 10:14 . 2012-04-04 20:32   426184   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-13 10:14 . 2011-05-31 10:12   70344   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 15:52 . 2009-11-21 06:43   59701280   ----a-w-   c:\windows\system32\MRT.exe
2012-06-03 01:19 . 2012-06-22 06:48   186752   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-03 01:15 . 2012-06-22 06:48   36864   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-02 22:19 . 2012-06-22 06:49   38424   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 06:50   2428952   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 06:50   57880   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 06:50   44056   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 06:49   701976   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 06:50   2622464   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 06:49   99840   ----a-w-   c:\windows\system32\wudriver.dll
2012-05-20 06:36 . 2012-05-16 21:14   98848   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2012-05-20 06:36 . 2012-05-16 21:14   132832   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-05-04 11:06 . 2012-06-14 09:50   5559664   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-14 09:50   3968368   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-14 09:50   3913072   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-14 09:50   209920   ----a-w-   c:\windows\system32\profsvc.dll
2012-04-28 03:55 . 2012-06-14 09:50   210944   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-26 05:41 . 2012-06-14 09:50   77312   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-14 09:50   149504   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-14 09:50   9216   ----a-w-   c:\windows\system32\rdrmemptylst.exe
2012-04-24 05:37 . 2012-06-14 09:49   184320   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-04-24 05:37 . 2012-06-14 09:49   140288   ----a-w-   c:\windows\system32\cryptnet.dll
2012-04-24 05:37 . 2012-06-14 09:49   1462272   ----a-w-   c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-14 09:49   1158656   ----a-w-   c:\windows\SysWow64\crypt32.dll
2012-04-24 04:36 . 2012-06-14 09:49   140288   ----a-w-   c:\windows\SysWow64\cryptsvc.dll
2012-04-24 04:36 . 2012-06-14 09:49   103936   ----a-w-   c:\windows\SysWow64\cryptnet.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\.Trash-999 ----
.
2012-07-15 22:14 . 2012-07-15 22:14   111   ----a-w-   c:\.trash-999\info\Out4improv.trashinfo
2012-07-15 22:13 . 2012-07-15 22:13   105   ----a-w-   c:\.trash-999\info\Text.trashinfo
2012-07-15 20:52 . 2012-07-15 20:52   102   ----a-w-   c:\.trash-999\info\video clips.trashinfo
2012-07-15 20:34 . 2012-07-15 20:34   108   ----a-w-   c:\.trash-999\info\Hula-at-Volcano on SAT-July14th.txt.trashinfo
2012-07-15 20:29 . 2012-07-15 20:29   98   ----a-w-   c:\.trash-999\info\malware_File_Recovery.lnk.trashinfo
2012-07-14 08:10 . 2012-07-14 08:10   659   ----a-w-   c:\.trash-999\files\malware_File_Recovery.lnk
2012-07-08 17:04 . 2012-07-08 17:04   1494   ----a-w-   c:\.trash-999\files\Hula-at-Volcano on SAT-July14th.txt
.
.

[SuperDave]

Please download Rooter and Save it to your desktop.

• Double click it to start the tool.Vista and Windows7 run as administrator.
• Click Scan.
  
• Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
  

[an8el]

The ones I don't recognize as programs I use are:
Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (2924) -
Deluxe\PlayMovie\PMVService.exe (3216)
C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe (3216)
C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe (1612)

(these may have been part of the bloatware that came originally with the computer, even though I don't use them)

Programs that I do use and recognize are:
C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe (1584)
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (1440)
C:\Users\Franis\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (2388)
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (2260)
C:\Windows\Tasks\GlaryInitialize.job


I'm curious about what the rest of this scan means, if you care to educate me a bit.

Here is the Rooter scan results:


Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - AMD64 Family 15 Model 124 Stepping 2, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
.
Internet Explorer 9.0.8112.16421
Mozilla Firefox 13.0.1 (en-US)
.
C:\  [Fixed-NTFS] .. ( Total:136 Go - Free:76 Go )
D:\  [CD_Rom]
.
Scan : 02:39.14
Path : C:\Users\Franis\Desktop\Rooter.exe
User : Franis ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ? (260)
______ ? (400)
______ ? (472)
______ ? (484)
______ ? (532)
______ ? (540)
______ ? (548)
______ ? (604)
______ ? (700)
______ ? (772)
______ ? (820)
______ ? (940)
______ ? (984)
______ ? (100)
______ C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe (308)
______ ? (716)
______ ? (1080)
______ ? (1108)
______ ? (1252)
______ C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (1292)
______ ? (1312)
______ ? (1420)
______ C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (1440)
______ ? (1492)
______ C:\Program Files (x86)\Acer\Registration\GregHSRW.exe (1536)
______ C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe (1584)
______ C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe (1612)
______ C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe (1660)
______ ? (1760)
______ C:\Program Files\Acer\Acer Updater\UpdaterService.exe (1824)
______ ? (1864)
______ ? (1988)
______ ? (2144)
______ ? (2152)
______ ? (2516)
______ ? (2608)
______ ? (2648)
______ ? (2856)
______ ? (2868)
______ ? (2896)
______ C:\Users\Franis\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (2388)
______ ? (140)
______ C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe (960)
______ ? (1324)
______ ? (1956)
______ C:\Program Files (x86)\Launch Manager\LManager.exe (2940)
______ C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (2924)
______ C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (2260)
______ ? (904)
______ C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe (2384)
______ C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe (3216)
______ ? (3232)
______ C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe (3268)
______ C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (3308)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (3444)
______ ? (3484)
______ ? (2404)
______ ? (2364)
______ ? (3968)
______ ? (4104)
______ ? (4992)
Locked audiodg.exe (4524)
______ C:\Users\Franis\Desktop\Rooter.exe (4600)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:12888981504)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:12889013760 | Length:106928640)
\Device\Harddisk0\Partition3 (Start_Offset:12995942400 | Length:147044894720)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GlaryInitialize.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1109757479-377625319-1456128612-1000Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1109757479-377625319-1456128612-1000UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 02:39.26
.
C:\Rooter$\Rooter_3.txt - (24/07/2012 | 02:39.26)

[SuperDave]

The ones I don't recognize as programs I use are:
Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (2924) -
Deluxe\PlayMovie\PMVService.exe (3216)
C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe (3216)
C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe (1612)

They probably were install when your computer was loaded or by another program. If you don't use them, uninstall them.

I'm curious about what the rest of this scan means, if you care to educate me a bit.

I don't wish to go into too much detail in an open forum but it is a scanner looking for Rootkits.
How is your computer working now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[an8el]

OK, that scan (which took twelve hours!) found a couple of objections... The computer seems to be running normally, even before these two little problems were found.

Is there any cleanup that I should do to uninstall some of these programs we've used to scour these bugs away? These programs you recommended to use in this process seem pretty tiny - is there any danger of leaving them installed?


Here's the log file from the online scan:

C:\Users\Franis\Documents\THINKGS\src\browsers\newerChrome\chromupdater_exe.exe   a variant of Win32/InstallCore.D application   cleaned by deleting - quarantined
C:\Users\Franis\Documents\THINKGS\src\skype\recording messenger svs\Setup-SkypePlus-1.2.exe   a variant of Win32/MessengerPlus.A application   deleted - quarantined

[SuperDave]

Is there any cleanup that I should do to uninstall some of these programs we've used to scour these bugs away? These programs you recommended to use in this process seem pretty tiny - is there any danger of leaving them installed?

Yes, we can do some cleanup. You can keep SAS and MBAM on your computer, if you wish. Update them and run them on a regular basis as they are not full-time scanners.

Download this program and run it Uninstall ComboFix .It will remove ComboFix for you.

***************************************************
To set a new Restore Point.

Click Start button , click Control Panel, click System and Maintenance, and then clicking System. In the left pane, click System Protection.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK. Reboot to Normal Mode.
Click the Start button , click Control Panel, click System and Maintenance, and then click System.
In the left pane, click System Protection.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.
This will give you a new, clean Restore Point.
***************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
**************************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[an8el]

Yes, I appreciate the reminder to do a new restore point again and the other things to do you suggested to beef up my protection levels. I'm considering also using Comodor for my firewall too, because I heard that the default one I have been using wasn't really adequate.

I have a few more clueless questions.
When I ran the uninstall to Combofix, it didn't disappear the .exe file that was on my desktop where I'd downloaded it. So does that mean the uninstall program uninstalled ComboFix, but left the original file that installed ComboFix alone... and if I clicked on the .exe file of ComboFix I would reinstall it again?

Another one of the things that changed because of the attack was how the list of currently running programs is displayed on my task bar. These currently running programs used to be in a menu that took up a half an inch of space on my lower right corner. Since the attack, these programs are in a line, taking up three inches instead of a half inch. Also, I imagine I can replace the icons that used to be next to my "start" button by dragging them onto the task bar on the other side, but there used to be an icon there signifying "show desktop" that I'd like to have back too. I think that I'm remembering this change happened when I ran the "unhide" program.

[SuperDave]

When I ran the uninstall to Combofix, it didn't disappear the .exe file that was on my desktop where I'd downloaded it. So does that mean the uninstall program uninstalled ComboFix, but left the original file that installed ComboFix alone... and if I clicked on the .exe file of ComboFix I would reinstall it again?

It's probably just something left over. You can check for ComboFix on C: Combofix. If it's still there please run the uninstall program. I've never tried that uninstall program so I'm unsure how it works.

Another one of the things that changed because of the attack was how the list of currently running programs is displayed on my task bar. These currently running programs used to be in a menu that took up a half an inch of space on my lower right corner. Since the attack, these programs are in a line, taking up three inches instead of a half inch. Also, I imagine I can replace the icons that used to be next to my "start" button by dragging them onto the task bar on the other side, but there used to be an icon there signifying "show desktop" that I'd like to have back too. I think that I'm remembering this change happened when I ran the "unhide" program.

I'm not sure what you mean. Could you provide a screenprint?
How to post screenshots or images

[an8el]

OK, here's a screen shot of what I mean... I was about wrote a little note on the picture itself.
(Hope the typeface isn't too small to see... but if it is, it says: Here's a screenprint. these icons you see below used to not be located in a line as they are now. They used to be in a menu, (which did not take up more than an eighth of the space here) After clicking on the menu, each icon was displayed and could be interacted with in the same way, but they were displayed in a menu box rather than in a line as they appear here. )

[SuperDave]

That looks normal but here's more information about the icons.