PDA

View Full Version : Infected with Smitfraud-c.gp


snbzk
2010-05-08, 21:51
Today morning i got this malware and i can't remove it:
http://img401.imageshack.us/img401/2500/infect.png (http://img401.imageshack.us/i/infect.png/)

Uploaded with ImageShack.us (http://imageshack.us)

after reading a bit i saw that i can get some help there, so thanks for reading and i hope some help in order to fix this issue :)


Dds logs on attachments.

DDS (Ver_10-03-17.01) - NTFSx86
Run by JoĘo at 19:45:54,29 on 08-05-2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.351.2070.18.3070.2317 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\svchost.exe
C:\Windows\System32\rpcnetp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Joćo\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Auxiliar de Conexćo do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\joo~1\appdata\roaming\mozilla\firefox\profiles\ub9qnsac.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npOGPPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 PowerManager;Power Manager;c:\windows\svchost.exe [2001-8-24 36352]
R3 netw5v32;Controlador de Placa de Ligaēćo WiFi Intel(R) Sem Fios 5000 Series para Windows Vista de 32 Bits;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 yukonw7;Controlador Miniport NDIS6.2 para Controlador Ethernet Marvell Yukon;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
RUnknown rpcnetp;rpcnetp; [x]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-05-08 22:09:38 0 d-----w- c:\windows\Panther
2010-05-08 22:09:09 0 d-----w- c:\windows\system32\OEM
2010-05-08 17:54:36 0 d-----w- c:\users\joćo\Tracing
2010-05-08 17:49:04 0 d-----w- c:\program files\Microsoft
2010-05-08 17:48:22 0 d-----w- c:\program files\Windows Live SkyDrive
2010-05-08 17:47:25 0 d-----w- c:\windows\PCHEALTH
2010-05-08 17:47:17 0 d-sh--w- c:\windows\Installer
2010-05-08 17:42:02 0 d-----w- c:\program files\common files\Windows Live
2010-05-08 17:30:02 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-08 17:28:17 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-08 16:53:47 271768 ----a-w- c:\windows\system32\OGPIEPlugin.ocx
2010-05-08 16:49:27 0 d-----w- c:\program files\OGPlanet
2010-05-08 15:25:12 0 d-----w- c:\program files\uTorrent
2010-05-08 15:24:39 0 d-----w- c:\users\joo~1\appdata\roaming\uTorrent
2010-05-08 13:49:07 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-08 13:47:47 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-08 13:47:46 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-05-08 13:47:46 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-08 13:47:46 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-05-08 13:47:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-08 13:43:05 217984 ------w- c:\windows\system32\MpSigStub.exe
2010-05-08 13:29:40 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-08 13:29:40 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-08 13:27:42 1513210 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-05-08 13:27:19 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-08 13:27:15 0 d-----w- c:\windows\system32\wbem\Performance
2010-05-08 13:27:13 132608 ----a-w- c:\windows\system32\cabview.dll
2010-05-08 13:20:33 0 d-----r- c:\users\joćo\Searches
2010-05-08 13:20:22 0 d-----r- c:\users\joćo\Contacts
2010-05-08 13:17:30 0 d-sh--we c:\programdata\Modelos
2010-05-08 13:17:30 0 d-sh--we c:\programdata\Menu Iniciar
2010-05-08 13:17:30 0 d-sh--we c:\programdata\Favoritos
2010-05-08 13:17:30 0 d-sh--we c:\programdata\Documentos
2010-05-08 13:17:30 0 d-sh--we c:\programdata\Ambiente de trabalho
2010-05-08 13:17:30 0 d-sh--we C:\Programas
2010-05-08 13:17:30 0 d-sh--we c:\program files\Ficheiros comuns
2010-05-08 13:17:30 0 d-sh--we c:\program files\common files\Sistema
2010-05-08 13:17:30 0 d-sh--w- C:\Recovery
2010-05-08 13:12:57 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-08 13:11:12 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-05-08 13:10:18 17408 ----a-w- c:\windows\system32\rpcnetp.exe

==================== Find3M ====================

2010-05-08 18:41:28 786432 --sha-w- c:\users\joćo\NTUSER.DAT
2010-05-08 17:44:24 670084 ----a-w- c:\windows\system32\prfh0816.dat
2010-05-08 17:44:24 130586 ----a-w- c:\windows\system32\prfc0816.dat
2010-05-08 13:51:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-08 21:33:56 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-02-27 12:07:48 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-27 12:07:48 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2009-07-27 05:40:17 40548 ----a-w- c:\windows\inf\perflib\0816\perfd.dat
2009-07-27 05:40:17 40548 ----a-w- c:\windows\inf\perflib\0816\perfc.dat
2009-07-27 05:40:17 336656 ----a-w- c:\windows\inf\perflib\0816\perfi.dat
2009-07-27 05:40:17 336656 ----a-w- c:\windows\inf\perflib\0816\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:46:00,25 ===============
Blade81
2010-05-14, 23:05
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is not checked.
Click Scan
Wait for the scan to finish
Post back the results.
Blade81
2010-05-21, 21:52
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.