Computer Security & Viruses/Follow up to Computer Sending out Spam Email
Expert: Brian Benosky - 9/15/2010
QUESTION: Hi Brian, it seems I asked too many questions, so AllExperts asked me to raise a new question! Here's the Kaspersky log. Looks like most of the threats have been isolated.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 14, 2010
Operating system: Microsoft Windows Vista Business Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 13, 2010 19:01:44
Records in database: 4214112
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Z:\
Scan statistics:
Objects scanned: 179834
Threats found: 2
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 04:08:25
File name / Threat / Threats count
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0001\4FFD31F0.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0002\4FFFD556.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0003\4FFE782E.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0001\4FFD31F0.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0002\4FFFD556.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0003\4FFE782E.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\user\AppData\Local\Microsoft\Outlook\archive.pst Infected: Worm.Win32.Mabezat.b 1
Selected area has been scanned.
ANSWER: Hi Brian
Six of the infections are under quarantine by Symantec, so they pose no risk to your system. MS Outlook's PST or Personal Store is a single file that contains your email, contacts, etc. Unfortunately, it only tells us where the emails are located, and not the name of the actual email. You will have to find and delete it manually. It is likely an email with an attachment. To remove it, I would first make sure Symantec is updated, then configure it to scan:
C:\Users\user\AppData\Local\Microsoft\Outlook\archive.pst
Hopefully, Symantec will detect and quarantine the file. If not, as I said, go through your email and delete generously. Scan again with Kaspersky until the threat no longer appears.
Other than that, we should be finished. You can uninstall any of the programs we used by going into your Control Panel and clicking Programs and Features. ComboFix can be removed as follows:
Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:
combofix /u
If you have further problems or questions, just let me know. Cheers!
Brian
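The report pasted in the question and the answer's reading of it (six hits inside Symantec's quarantine folders, one live hit in archive.pst) can be checked mechanically. The following Python script is an added example, not code from the original thread or from either vendor: it parses the "path Infected: threat count" lines of the Kaspersky Online Scanner 7.0 report format shown above, separates quarantined objects from live ones, and cross-checks the per-line findings against the summary counters. The sample text is constructed from the report lines on this page, and the function names (parse_report, triage, consistent) are this example's own.

```python
import re

# Constructed sample: the statistics and finding lines from the report above,
# in the "<path> Infected: <threat> <count>" layout Kaspersky Online Scanner 7.0 used.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 179834
Threats found: 2
Infected objects found: 7
Suspicious objects found: 0
File name / Threat / Threats count
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0001\4FFD31F0.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0002\4FFFD556.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0003\4FFE782E.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0001\4FFD31F0.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0002\4FFFD556.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0FCC0003\4FFE782E.VBN Infected: Trojan.Win32.Hrup.bbv 1
C:\Users\user\AppData\Local\Microsoft\Outlook\archive.pst Infected: Worm.Win32.Mabezat.b 1
Selected area has been scanned.
"""

# One finding per line: path (may contain spaces), threat name, hit count.
FINDING_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
# Summary counters such as "Infected objects found: 7".
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>\d+)\s*$")


def parse_report(text):
    """Return (findings, stats): a list of finding dicts and a dict of counters."""
    findings, stats = [], {}
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append({"path": m.group("path"),
                             "threat": m.group("threat"),
                             "count": int(m.group("count"))})
            continue
        s = STAT_RE.match(line)
        if s:
            stats[s.group("key").strip().lower()] = int(s.group("value"))
    return findings, stats


def is_quarantined(path):
    """A hit inside an AV quarantine folder is already neutralised (encoded/locked)."""
    return "\\quarantine\\" in path.lower()


def triage(findings):
    """Split findings into quarantined vs. live and summarise them."""
    quarantined = [f for f in findings if is_quarantined(f["path"])]
    live = [f for f in findings if not is_quarantined(f["path"])]
    # On Vista, C:\Users\All Users is a junction to C:\ProgramData, so the same
    # quarantine file can be reported under both paths; dedupe on file name + threat.
    unique_q = {(f["path"].rsplit("\\", 1)[-1], f["threat"]) for f in quarantined}
    return {
        "total": len(findings),
        "quarantined": len(quarantined),
        "unique_quarantined_files": len(unique_q),
        "live": [f["path"] for f in live],
        "threats": sorted({f["threat"] for f in findings}),
    }


def consistent(findings, stats):
    """Cross-check parsed lines against the report's own summary counters."""
    infected_ok = stats.get("infected objects found") == len(findings)
    threats_ok = stats.get("threats found") == len({f["threat"] for f in findings})
    return infected_ok and threats_ok


if __name__ == "__main__":
    found, counters = parse_report(SAMPLE_REPORT)
    summary = triage(found)
    print("consistent with summary counters:", consistent(found, counters))
    print("quarantined:", summary["quarantined"],
          "(unique files:", summary["unique_quarantined_files"], ")")
    for path in summary["live"]:
        print("LIVE, needs action:", path)
```

Run against the pasted report, the script reports seven findings matching the "Infected objects found" counter, six of them in quarantine (three distinct files, each listed twice via the All Users junction), and exactly one live object, the Outlook archive.pst, which is the only one that still needs manual cleanup.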
---------- FOLLOW-UP ----------
QUESTION: Many, many thanks. All seems to be OK now. Symantec reports a tracking cookie (deleted) as the only suspicious object in the archive.pst file. Is there any way to track back where I picked up this infection?
On a different issue, my laptop sometimes runs very slowly after resuming from standby or hibernation. A process called SMManager.exe is hogging around 50% of CPU resource, and I have to restart to get it back to normal. There have been many posts about this on DELL forums, with no apparent resolution of the issue, and no response from DELL. Do you have any ideas?
Finally, how do I make some contribution to the excellent service provided here?
ANSWER: Hi Brian
I really can't say where the infection began, but most likely it came from an email attachment. Usually, once the attachment is opened, the malicious file is executed and your computer becomes infected. That one infection also can download other viruses. Seems to be what happened here.
SMManager.exe is linked to Dell ControlPoint software. Have a look at the link below:
http://support.dell.com/support/topics/global.aspx/support/dsn/document?c=us&l=e
Go to Issue #4 to check for the latest software version for your laptop. Hopefully, Dell has recognized this bug in the software and released an update for your hardware. If there is no update, or the issue persists, then adding more RAM can take the load off of the CPU. Look into boosting the memory.
Lastly, the only payment required is a few minutes to rate the answers and the expert. It really helps when other people need to choose an expert. And I do appreciate the ratings and comments you have already made. Cheers!
Brian