
Thread: Help removing smitfraud

  1. #11
    Junior Member
    Join Date
    Mar 2012
    Posts
    12


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-16 15:10:05
    -----------------------------
    15:10:05.386 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:10:05.387 Number of processors: 2 586 0x2A07
    15:10:05.387 ComputerName: OWNER-PC UserName: owner
    15:10:07.367 Initialize success
    15:10:14.661 AVAST engine defs: 12031600
    15:10:37.900 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    15:10:37.902 Disk 0 Vendor: TOSHIBA_ GT00 Size: 305245MB BusType: 3
    15:10:37.904 Device \Driver\iaStor -> MajorFunction fffffa8005ddb5c4
    15:10:37.917 Disk 0 MBR read successfully
    15:10:37.919 Disk 0 MBR scan
    15:10:37.926 Disk 0 Windows VISTA default MBR code
    15:10:37.952 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
    15:10:37.975 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 289747 MB offset 3074048
    15:10:38.022 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 13997 MB offset 596475904
    15:10:38.083 Disk 0 scanning C:\windows\system32\drivers
    15:10:48.512 Service scanning
    15:11:27.905 Modules scanning
    15:11:27.913 Disk 0 trace - called modules:
    15:11:27.927 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8005ddb5c4]<<
    15:11:27.931 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800578b490]
    15:11:27.935 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003fe1050]
    15:11:27.940 \Driver\iaStor[0xfffffa8005c47da0] -> IRP_MJ_CREATE -> 0xfffffa8005ddb5c4
    15:11:32.465 AVAST engine scan C:\
    16:08:01.720 Scan finished successfully
    16:20:49.180 Disk 0 MBR has been saved successfully to "C:\Users\owner\Desktop\MBR.dat"
    16:20:49.180 The log file has been saved successfully to "C:\Users\owner\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-29 23:34:08
    -----------------------------
    23:34:08.037 OS Version: Windows x64 6.1.7601 Service Pack 1
    23:34:08.037 Number of processors: 2 586 0x2A07
    23:34:08.038 ComputerName: OWNER-PC UserName: owner
    23:34:08.949 Initialize success
    23:34:58.785 AVAST engine defs: 12033000
    23:35:17.222 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    23:35:17.227 Disk 0 Vendor: TOSHIBA_ GT00 Size: 305245MB BusType: 3
    23:35:17.371 Disk 0 MBR read successfully
    23:35:17.376 Disk 0 MBR scan
    23:35:17.385 Disk 0 Windows VISTA default MBR code
    23:35:17.427 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
    23:35:17.449 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 289747 MB offset 3074048
    23:35:17.486 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 13997 MB offset 596475904
    23:35:17.539 Disk 0 scanning C:\windows\system32\drivers
    23:35:25.809 Service scanning
    23:36:01.563 Modules scanning
    23:36:01.579 Disk 0 trace - called modules:
    23:36:01.608 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    23:36:01.950 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004f17420]
    23:36:01.961 3 CLASSPNP.SYS[fffff880018ae43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004a33050]
    23:36:02.695 AVAST engine scan C:\windows
    23:36:06.003 AVAST engine scan C:\windows\system32
    23:38:16.542 AVAST engine scan C:\windows\system32\drivers
    23:38:24.832 AVAST engine scan C:\Users\owner
    23:39:15.015 AVAST engine scan C:\ProgramData
    23:39:53.581 Scan finished successfully
    23:40:47.426 Disk 0 MBR has been saved successfully to "C:\Users\owner\Desktop\MBR.dat"
    23:40:47.431 The log file has been saved successfully to "C:\Users\owner\Desktop\aswMBR.txt"
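The two aswMBR logs above, read by an added Python example (not part of the poster's logs or of aswMBR itself): it pulls the "Disk 0 trace - called modules" chain and the "MajorFunction" line out of each log and flags the first scan's >>UNKNOWN<< entry as unidentified code sitting in the disk I/O path of \Driver\iaStor, a hook the second scan no longer shows. The log excerpts are constructed from the lines posted above.

```python
import re

# Constructed excerpts of the two posted aswMBR logs: the 2012-03-16 scan
# (before cleanup) and the 2012-03-29 scan (after). Only the disk-stack
# trace lines are reproduced here.
LOG_BEFORE = """\
15:10:37.904 Device \\Driver\\iaStor -> MajorFunction fffffa8005ddb5c4
15:11:27.913 Disk 0 trace - called modules:
15:11:27.927 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8005ddb5c4]<<
"""
LOG_AFTER = """\
23:36:01.579 Disk 0 trace - called modules:
23:36:01.608 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
"""

TRACE_HDR = re.compile(r"Disk \d+ trace - called modules:")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
MAJORFN = re.compile(r"Device (\\Driver\\\S+) -> MajorFunction ([0-9a-fA-F]+)")


def triage(log: str) -> dict:
    """Summarise the disk I/O path reported by aswMBR.

    Returns the named modules in the call chain, any address aswMBR could not
    attribute to a loaded module, and the drivers whose MajorFunction table
    points at such an address (i.e. whose dispatch was redirected)."""
    result = {"modules": [], "unknown": [], "hooked_drivers": []}
    redirected = {}  # driver name -> normalised MajorFunction pointer
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = MAJORFN.search(line)
        if m:
            redirected[m.group(1)] = "0x" + m.group(2).lower()
        if TRACE_HDR.search(line) and i + 1 < len(lines):
            trace = lines[i + 1].split(maxsplit=1)[1]  # drop the timestamp
            result["unknown"] = [a.lower() for a in UNKNOWN.findall(trace)]
            result["modules"] = UNKNOWN.sub("", trace).split()
    for drv, ptr in redirected.items():
        if ptr in result["unknown"]:
            result["hooked_drivers"].append(drv)
    result["clean"] = not result["unknown"]
    return result


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, triage(log))
```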

  2. #12
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi spaceycayce,

    Let's get you down to one antivirus.

    Click on the Start button > Control Panel

    Depending on your settings, either
    • click on the Uninstall a program option under the Programs category.
    • If you are using the Classic View of the Control Panel, then you would double-click on the Programs and Features icon instead.
    Uninstall the following program

    Microsoft Security Essentials

    Next

    Your java is out of date. Go to Start > Control Panel , switch to Classic View if it isn't already.
    • Locate the Java icon (it looks like a coffee cup)
    • double click it to open it
    • click the Update tab
    • Click update now


    Next

    Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean


    Next

    Download and save to your desktop Malwarebytes Anti-Malware

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    Please post back with
    • MBAM log
    How's the computer?
    Last edited by oldman960; 2012-04-03 at 05:34.
    Member of UNITE and ASAP

  3. #13
    Junior Member
    Join Date
    Mar 2012
    Posts
    12


    The computer is good.

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.04.02.03

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    owner :: OWNER-PC [administrator]

    4/2/2012 12:24:26 AM
    mbam-log-2012-04-02 (00-24-26).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 196814
    Time elapsed: 4 minute(s), 11 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

  4. #14
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi spaceycayce


    Looks good so far. Let's check for stragglers.



    As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
    • Do not use this instance of your browser for anything besides doing this scan
    • When the scan is complete and the results saved, close that instance of your browser
    • Open a new one the usual way and post the results in this topic.



    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    Go here to run an online scanner from ESET

    (Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
    • Click Scan.
    • Wait for the scan to finish.
    • When the scan completes, click List of found threats
    • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
    • Include the contents of this report in your next reply

      Note - when ESET doesn't find any threats, no report will be created.
    • Push the back button.
    • Push Finish
    • Re-enable your Antivirus software.


    Please post the ESET log if there is one.
    Member of UNITE and ASAP

  5. #15
    Junior Member
    Join Date
    Mar 2012
    Posts
    12


    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AG trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KB trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AF trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_00.24.03\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.X trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0003.dta Win64/Olmarik.AG trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KB trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0005.dta Win64/Olmarik.AF trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0009.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\29.03.2012_23.30.56\tdlfs0000\tsk0010.dta Win64/Olmarik.X trojan cleaned by deleting - quarantined

  6. #16
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi spaceycayce,

    Everything looks good so we'll remove the tools. The ESET detections were files we have quarantined.

    From your desktop, please delete, if present
    • any notepads/logs that we created
    • aswMBR
    • mbr.dat
    • mbr.zip
    • TDSSKiller
    • DDS.scr

    You can also delete from the C:\ drive the file called TDSSKiller_* (* denotes version & date) and C:\TDSSKiller_Quarantine

    Next

    Click the Start button, in the search box type Run. At the top click Run

    Copy and paste the following line into the run box and click OK

    Combofix /uninstall



    Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


    I suggest you keep MBAM. Keep it updated and use it regularly.


    Some Recommendations and prevention tips

    Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Those you have now provided you are using a firewall. Windows 7 has a built in firewall which is pretty good when set up. You can find some very good information HERE .


    You should also use Spyware Blaster to help immunize your computer.

    - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    OR

    A guide to understanding and using the hosts file.

    Learn how your Hosts file can protect you and how you can protect it.
    Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
    HOSTS

    Please read the info on disabling the DNS Client before installing a custom hosts file.


    -Secure your Internet Explorer

    From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


    - Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings


    - Keep your antivirus program updated, as well as any other security programs you have.


    -More tips and programs can be found HERE

    Please post back if you have any problems.
    Member of UNITE and ASAP

  7. #17
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Since this issue appears to be resolved ... this Topic has been closed.
    Last edited by tashi; 2012-04-13 at 20:50. Reason: Thank you oldman960 -)
    Member of UNITE and ASAP
