DeepDive, Smitfraud-C., etc...



BALLZ@JY
2007-09-10, 08:07
Hi there,
My PC is infected with viruses or malware and I can't fix it by myself :(
Please help me :)

This is my Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 10, 2007 10:48:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 10/09/2007
Kaspersky Anti-Virus database records: 410661
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 106626
Number of viruses found: 10
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:35:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Xzyte\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\cert8.db Object is locked skipped
C:\Documents and Settings\Xzyte\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Xzyte\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\history.dat Object is locked skipped
C:\Documents and Settings\Xzyte\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\key3.db Object is locked skipped
C:\Documents and Settings\Xzyte\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\parent.lock Object is locked skipped
C:\Documents and Settings\Xzyte\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Xzyte\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Xzyte\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\Application Data\Mozilla\Firefox\Profiles\af2c9o1q.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Xzyte\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Xzyte\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Xzyte\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\2TN5KRDA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\AM4LBGAA.NQF Infected: not-virus:Hoax.Win32.Renos.gk skipped
C:\Program Files\ESET\infected\DBUVQBDA.NQF Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped
C:\Program Files\ESET\infected\FUO5JNBA.NQF Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\Program Files\ESET\infected\HDAS4ACA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\P3NW5HBA.NQF Infected: Trojan.Win32.DNSChanger.hd skipped
C:\Program Files\ESET\infected\RVT41RBA.NQF Infected: Backdoor.Win32.Agent.ark skipped
C:\Program Files\ESET\infected\SEZBN1BA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\T5UVQSAA.NQF Infected: Trojan.Win32.DNSChanger.hd skipped
C:\Program Files\ESET\infected\XN40PVBA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\XYG0AUAA.NQF Infected: Trojan.Win32.DNSChanger.hd skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\qoobox\Quarantine\C\DOCUME~1\Xzyte\APPLIC~1\install_en[1].exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.z skipped
C:\qoobox\Quarantine\C\WINDOWS\main_uninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.gy skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6AE57F70-3C45-4CA9-BD23-7BC904FCFBC0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070907-034042.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\systems.txt Infected: not-virus:Hoax.Win32.Renos.jh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
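An added editor's example, not part of the thread: a small Python triage of the Kaspersky report above. It separates the "Object is locked" lines (in-use system files the scanner could not open, which is normal and not a finding) from real detections, and then splits the detections into copies already sitting in another tool's quarantine (NOD32's infected folder and the qoobox quarantine folder) versus files still in place on the system, which is what actually needs cleaning. The quarantine folder list and the sample lines are taken from the report itself.

```python
import re
from collections import Counter

# Constructed sample: the fifteen "Infected:" lines and three of the many
# "Object is locked" lines from the Kaspersky report quoted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\ESET\infected\2TN5KRDA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\AM4LBGAA.NQF Infected: not-virus:Hoax.Win32.Renos.gk skipped
C:\Program Files\ESET\infected\DBUVQBDA.NQF Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped
C:\Program Files\ESET\infected\FUO5JNBA.NQF Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\Program Files\ESET\infected\HDAS4ACA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\P3NW5HBA.NQF Infected: Trojan.Win32.DNSChanger.hd skipped
C:\Program Files\ESET\infected\RVT41RBA.NQF Infected: Backdoor.Win32.Agent.ark skipped
C:\Program Files\ESET\infected\SEZBN1BA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\T5UVQSAA.NQF Infected: Trojan.Win32.DNSChanger.hd skipped
C:\Program Files\ESET\infected\XN40PVBA.NQF Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\Program Files\ESET\infected\XYG0AUAA.NQF Infected: Trojan.Win32.DNSChanger.hd skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\qoobox\Quarantine\C\DOCUME~1\Xzyte\APPLIC~1\install_en[1].exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.z skipped
C:\qoobox\Quarantine\C\WINDOWS\main_uninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.gy skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070907-034042.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\systems.txt Infected: not-virus:Hoax.Win32.Renos.jh skipped
"""

# Quarantine stores seen in the report: a detection under one of these is a copy another
# tool has already isolated, not a file Windows would still load. Compared case-insensitively.
QUARANTINE_DIRS = ("c:\\program files\\eset\\infected\\", "c:\\qoobox\\quarantine\\")

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def is_quarantined(path):
    return path.lower().startswith(QUARANTINE_DIRS)


def triage(report):
    """Split report lines into locked-file noise, contained detections and live detections."""
    locked, quarantined, live = 0, [], []
    for line in report.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            (quarantined if is_quarantined(m["path"]) else live).append((m["path"], m["name"]))
        elif LOCKED_RE.match(line):
            locked += 1  # in-use system file the scanner could not open; expected, not a finding
    # Family = detection name minus its variant suffix (Trojan.Win32.DNSChanger.hd -> ...DNSChanger)
    families = Counter(name.rsplit(".", 1)[0] for _, name in quarantined + live)
    return {"locked": locked, "quarantined": quarantined, "live": live, "families": families}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['locked']} locked files skipped, {len(result['quarantined'])} detections already quarantined")
    for path, name in result["live"]:  # what still has to be removed by hand
        print(f"LIVE  {name}  {path}")
```

On the posted report this leaves exactly two live items, the infected hosts backup and systems.txt, which are the two files the helper later asks to have deleted.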

BALLZ@JY
2007-09-10, 08:09
And this is HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:00, on 10/9/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} -
O21 - SSODL: msmdev - {787D9048-9424-4643-871C-76D971A6C848} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2460 bytes


Thank you so much for your help

Blade81
2007-09-10, 23:18
Hi


Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

http://siri.urz.free.fr/Fix/Bitmaps/Folder.png

______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

http://siri.urz.free.fr/Fix/Bitmaps/Fix01b.jpg

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt

BALLZ@JY
2007-09-11, 04:48
Thank you very much for your help, Blade81 :)
I appreciate it :)

I followed your steps and here is rapport.txt

SmitFraudFix v2.221

Scan done at 8:43:43.85, Tue 09/11/2007
Run from C:\downloads\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Xzyte


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Xzyte\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Xzyte\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Blade81
2007-09-11, 08:24
Hi

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run ATF yet. Will do it a bit later.


Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.

On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Start HJT, click Do a system scan only, and check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O21 - SSODL: msmdev - {787D9048-9424-4643-871C-76D971A6C848} - (no file)

Close browsers & other windows before clicking fix checked.



Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Clear Nod's quarantined items and delete c:\qoobox folder.


Delete following files if found:
C:\WINDOWS\system32\drivers\etc\hosts.20070907-034042.backup
C:\WINDOWS\system32\systems.txt


Running temp cleaner & AVG Anti-Spyware
---------------------------------------



Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Don't select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the Save Scan Report button before you have hit the Apply all Actions button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot.


Post
-AVG Anti-Spyware log
-a fresh HJT log.
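An added editor's example, not code from the thread or from HijackThis: a Python pass over the HJT log posted earlier that applies the reasoning behind the fix list in the post above. Entries whose target is "(no file)" are orphaned registry references to components that are already gone, an R0 start page of about:blank is a typical leftover of this kind of infection, and the KernelFaultCheck O4 entry is Windows' own stale crash-report launcher. Applied to the posted log it selects exactly the six lines the helper asked to have fixed; the rules and the sample log lines come from this thread.

```python
import re

# Constructed sample: the entry section of the HijackThis log posted earlier in this thread
# (the truncated O16 line and one O23 service line left out for brevity).
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O21 - SSODL: msmdev - {787D9048-9424-4643-871C-76D971A6C848} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry is "<section code> - <body>", e.g. "O2 - BHO: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


def review_entry(code, body):
    """Return why a helper would ask for this entry to be fixed, or None to leave it alone."""
    if body.endswith("(no file)"):
        # The registry still points at a BHO/SSODL component whose file is gone: an orphan
        # left behind after removal. It loads nothing, but it should not stay registered.
        return "orphaned registry entry, target file no longer exists"
    if code in ("R0", "R1") and body.endswith("= about:blank"):
        # A blanked IE start page is a common leftover of this kind of infection.
        return "IE start page left as about:blank; fixing it restores the default"
    if code == "O4" and "dumprep 0 -k" in body:
        # KernelFaultCheck is written by Windows after a crash so it can report the dump
        # at next logon; not malware, but stale and safe to remove.
        return "stale KernelFaultCheck crash-report entry"
    return None


def flag_entries(log):
    """Return [(entry line, reason)] for every entry review_entry() objects to."""
    flagged = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m and (reason := review_entry(m["code"], m["body"])):
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for entry, reason in flag_entries(HJT_LOG):
        print(f"{reason}\n    {entry}")
```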

tashi
2007-09-18, 23:06

Due to lack of a response to the helper, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.