
Thread: Particularly nasty Smitfraud-c.gp infection

  1. #11 Junior Member (Join Date: Apr 2012, Posts: 14)

    It's definitely booting a bit quicker, but I won't really be able to put it through its paces until I get home and connect it to my home network. For obvious reasons, I'm not sure connecting a possibly still infected laptop to the network at the office is a "good idea".

    Here's the new log file.
    Attached Files

  2. #12 Security Expert oldman960 (Join Date: Sep 2010, Posts: 631)

    Hi spetrarca,

    Something is holding that file. Please rerun TDSSKiller with the same settings as before so we can make sure it did its job. Please post the log.

    Thanks
    Member of UNITE and ASAP
    Threads will be closed if no response after 5 days.

  3. #13 Junior Member (Join Date: Apr 2012, Posts: 14)

    Hi there,

    I've attached the latest TDSS log.

    Thanks!

  4. #14 Junior Member (Join Date: Apr 2012, Posts: 14)

    At least, I thought I did - sorry!
    Attached Files

  5. #15 Security Expert oldman960 (Join Date: Sep 2010, Posts: 631)

    Hi spetrarca,

    Please rerun TDSSKiller. When you are presented with these lines:

    13:27:01.0333 4752 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
    13:27:01.0333 4752 \Device\Harddisk0\DR0 - detected TDSS File System (1)
    use the drop-down menu and select delete.


    Next

    Please follow all previous instructions regarding security programs.

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    KillAll::
    
    RootKit::
    c:\windows\svchost.exe
    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browser/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



    Please post the TDSSKiller log and the combofix log.

    How's the computer?

  6. #16 Junior Member (Join Date: Apr 2012, Posts: 14)

    Here are the logs - seems to be running pretty smoothly so far!!
    Attached Files

  7. #17 Security Expert oldman960 (Join Date: Sep 2010, Posts: 631)

    Hi spetrarca,

    We seem to have a file that just won't go away.


    Download aswMBR.exe to your desktop.

    Double click the aswMBR.exe to run it. If asked to download Avast's database please do so.

    Click the "Scan" button to start the scan.


    On completion of the scan click save log, save it to your desktop and post it in your next reply.


    There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

  8. #18 Junior Member (Join Date: Apr 2012, Posts: 14)

    Just letting you know I haven't abandoned the thread - been an exceptionally busy couple of days. I should have the updated logs later this afternoon. Thanks!

  9. #19 Security Expert oldman960 (Join Date: Sep 2010, Posts: 631)

    Hi spetrarca,


  10. #20 Junior Member (Join Date: Apr 2012, Posts: 14)

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-05-01 12:24:25
    -----------------------------
    12:24:25.731 OS Version: Windows x64 6.1.7601 Service Pack 1
    12:24:25.731 Number of processors: 2 586 0x100
    12:24:25.731 ComputerName: ROB-PC UserName: Rob
    12:24:29.865 Initialize success
    19:46:58.741 AVAST engine defs: 12050101
    19:49:23.245 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006c
    19:49:23.261 Disk 0 Vendor: TOSHIBA_ GH10 Size: 305245MB BusType: 11
    19:49:23.276 Disk 0 MBR read successfully
    19:49:23.292 Disk 0 MBR scan
    19:49:23.354 Disk 0 Windows VISTA default MBR code
    19:49:23.370 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
    19:49:23.401 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 292137 MB offset 3074048
    19:49:23.448 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 11607 MB offset 601370624
    19:49:23.510 Disk 0 scanning C:\windows\system32\drivers
    19:49:37.977 Service scanning
    19:50:39.994 Modules scanning
    19:50:40.010 Disk 0 trace - called modules:
    19:50:40.026
    19:50:41.679 AVAST engine scan C:\windows
    19:50:47.248 AVAST engine scan C:\windows\system32
    19:54:55.808 AVAST engine scan C:\windows\system32\drivers
    19:55:20.023 AVAST engine scan C:\Users\Rob
    19:57:50.379 AVAST engine scan C:\ProgramData
    19:59:03.845 Scan finished successfully
    20:08:20.024 Disk 0 MBR has been saved successfully to "C:\Users\Rob\Desktop\MBR.dat"
    20:08:20.040 The log file has been saved successfully to "C:\Users\Rob\Desktop\aswMBR.txt"
    20:08:54.110 Disk 0 MBR has been saved successfully to "C:\Users\Rob\Desktop\MBR.dat"
    20:08:54.126 The log file has been saved successfully to "C:\Users\Rob\Desktop\aswMBR.txt"
    Attached Files
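As an added example (my own code, not anything posted in this thread and not part of aswMBR or TDSSKiller), here is a small Python parser for the aswMBR log above and for the two TDSSKiller result lines oldman960 asked about in post #15. It pulls the partition table out of the log, checks that the entries tile the disk with no unexplained gaps or overlaps (unpartitioned space at the end of a disk is the kind of thing worth a closer look when a hidden file system has been reported), flags an MBR-code line that aswMBR did not describe as default code, and lists the TDSSKiller warning/detected lines. The line layouts the regexes expect, the "default MBR code" heuristic, the 512-byte sector size and the 1 MB rounding tolerance are my assumptions; the sample input is copied from the logs quoted in this thread.

```python
"""Summarise an aswMBR log and TDSSKiller result lines (added example, not from the thread).

Assumptions made here, not taken from either tool's documentation:
  * a partition line reads
    "<ts> Disk <d> Partition <n> <boot> [(A)] <type> <desc> <size> MB offset <sectors>"
  * an MBR-code line containing "default MBR code" means aswMBR recognised
    standard boot code; any other wording is returned for manual review
  * sizes are whole MB on 512-byte sectors (1 MB = 2048 sectors), so gaps of
    up to 1 MB between entries are treated as rounding, not as hidden space
"""
import re
from dataclasses import dataclass

SECTORS_PER_MB = 2048            # 512-byte sectors (assumption)
GAP_TOLERANCE = SECTORS_PER_MB   # 1 MB of slack for rounded sizes (assumption)

PARTITION_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<num>\d+) "
    r"(?P<boot>[0-9A-Fa-f]{2}) (?P<active>\(A\) )?(?P<ptype>[0-9A-Fa-f]{2}) "
    r"(?P<desc>.+?) (?P<size_mb>\d+) MB offset (?P<offset>\d+)$"
)
DISK_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) Vendor: .* Size: (?P<size_mb>\d+)MB")
MBR_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) (?P<text>.*MBR code.*)$")
# TDSSKiller result lines: "<ts> <pid> <object> [( name )] - warning|detected ..."
TDSS_RE = re.compile(r"^\S+ \d+ (?P<obj>\S+).*? - (?P<verdict>warning|detected .*)$")

# Sample input: lines copied from the aswMBR log and TDSSKiller output quoted above.
ASWMBR_LOG = r"""
19:49:23.245 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006c
19:49:23.261 Disk 0 Vendor: TOSHIBA_ GH10 Size: 305245MB BusType: 11
19:49:23.276 Disk 0 MBR read successfully
19:49:23.354 Disk 0 Windows VISTA default MBR code
19:49:23.370 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
19:49:23.401 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 292137 MB offset 3074048
19:49:23.448 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 11607 MB offset 601370624
19:59:03.845 Scan finished successfully
"""
TDSSKILLER_LINES = r"""
13:27:01.0333 4752 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
13:27:01.0333 4752 \Device\Harddisk0\DR0 - detected TDSS File System (1)
"""


@dataclass(frozen=True)
class Partition:
    num: int
    active: bool      # "(A)" marker present
    ptype: int        # partition type byte, e.g. 0x07 NTFS, 0x17 hidden NTFS
    desc: str
    size_mb: int
    offset: int       # first sector

    @property
    def end(self) -> int:
        """First sector after the partition."""
        return self.offset + self.size_mb * SECTORS_PER_MB


def partitions(lines, disk=0):
    """Partition entries for one disk, sorted by starting sector."""
    found = []
    for line in lines:
        m = PARTITION_RE.match(line.strip())
        if m and int(m["disk"]) == disk:
            found.append(Partition(
                num=int(m["num"]), active=m["active"] is not None,
                ptype=int(m["ptype"], 16), desc=m["desc"],
                size_mb=int(m["size_mb"]), offset=int(m["offset"])))
    return sorted(found, key=lambda p: p.offset)


def disk_sectors(lines, disk=0):
    """Disk size in sectors from the Vendor/Size line, or None if absent."""
    for line in lines:
        m = DISK_RE.match(line.strip())
        if m and int(m["disk"]) == disk:
            return int(m["size_mb"]) * SECTORS_PER_MB
    return None


def layout_issues(lines, disk=0):
    """Unpartitioned ranges larger than GAP_TOLERANCE, and overlapping entries."""
    gaps, overlaps = [], []
    cursor = 0  # sectors 0..2047 normally hold the MBR and alignment padding
    for p in partitions(lines, disk):
        if p.offset < cursor:
            overlaps.append((p.num, cursor - p.offset))   # (partition, overlapping sectors)
        elif p.offset - cursor > GAP_TOLERANCE:
            gaps.append((cursor, p.offset))               # (first unused, next used)
        cursor = max(cursor, p.end)
    total = disk_sectors(lines, disk)
    if total is not None and total - cursor > GAP_TOLERANCE:
        gaps.append((cursor, total))                      # space after the last partition
    return {"gaps": gaps, "overlaps": overlaps}


def mbr_assessment(lines, disk=0):
    """("ok"|"review"|"missing", text of the MBR-code line)."""
    for line in lines:
        m = MBR_RE.match(line.strip())
        if m and int(m["disk"]) == disk:
            return ("ok" if "default MBR code" in m["text"] else "review", m["text"])
    return ("missing", "")


def tdsskiller_findings(lines):
    """(object, verdict) for every TDSSKiller line ending in '- warning' or '- detected ...'."""
    return [(m["obj"], m["verdict"])
            for m in (TDSS_RE.match(l.strip()) for l in lines) if m]


if __name__ == "__main__":
    log = ASWMBR_LOG.splitlines()
    print("MBR:", mbr_assessment(log))
    for p in partitions(log):
        flag = "active " if p.active else ""
        print(f"  partition {p.num} type 0x{p.ptype:02x} {flag}{p.desc}: "
              f"sectors {p.offset}-{p.end - 1}")
    print("layout:", layout_issues(log))
    print("TDSSKiller:", tdsskiller_findings(TDSSKILLER_LINES.splitlines()))
```

On the log posted above the three entries account for the whole drive (partition 1 ends exactly where partition 2 starts, and partition 3 ends at the reported disk size), so layout_issues() reports nothing; raising the Size: value in the Vendor line makes the trailing range show up as a gap, which is the check to reach for when a tool has reported a hidden file system on the disk.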
