
Thread: Another smitfraud-c problem with others

  1. #1
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    Sorry!

    Here 'tis. Seems the copy/paste function on Apple doesn't work, so I may have to put it in manually or attach the log if you don't mind.

    Again, this is the one in question from March.

    The infection found is called:

    [B]C
    Mic

  2. #2
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    Hijacker.Costrat.l

    The infection is

    Hijacker.Costrat.l

    File where found is
    c:\Windows\lzx32.sys

    Also says file was cleaned but I wonder if remnants are still hanging around.
    Mic

  3. #3
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    SmitfraudFix log

    SmitFraudFix v2.186

    Scan done at 19:40:49.60, 2007-05-24
    Run from C:\Documents and Settings\BTN USER\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="acheweed"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts



    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
    Mic
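
    Added example (not part of the original post and not code from the SmitFraudFix tool): a small parser that splits a log like the one above into its sections and reports which registry entries appear in the "Before" listing but not in the "After" listing. The function names and the shortened sample log are constructed for illustration; the section marker is assumed to be a repeated "»", with "ª" also accepted for mis-decoded copies.

```python
import re

# A section header is a run of one repeated marker character plus a title.
# "»" is assumed to be the marker; "ª" is accepted as well because
# mis-decoded copies of the log show it instead.
SECTION = re.compile(r'^\s*([»ª])\1{7,}\s*(.*?)\s*$')
REG_KEY = re.compile(r'^\s*\[(HKEY_[^\]]+)\]\s*$')
REG_VAL = re.compile(r'^\s*"([^"]*)"="(.*)"\s*$')

def parse_sections(log_text):
    """Return {section title: [(registry key, value name, data), ...]}."""
    sections, title, key = {}, None, None
    for line in log_text.splitlines():
        m = SECTION.match(line)
        if m:
            title, key = m.group(2), None   # a key never carries across sections
            sections[title] = []
            continue
        m = REG_KEY.match(line)
        if m and title is not None:
            key = m.group(1)
            continue
        m = REG_VAL.match(line)
        if m and key:
            sections[title].append((key, m.group(1), m.group(2)))
    return sections

def removed_entries(log_text, name="SharedTaskScheduler"):
    """Entries listed under '<name> Before ...' but absent under '<name> After ...'."""
    s = parse_sections(log_text)
    before = next((v for t, v in s.items() if t.startswith(name + " Before")), [])
    after = next((v for t, v in s.items() if t.startswith(name + " After")), [])
    return [e for e in before if e not in after]

# Constructed sample: a shortened copy of the log posted above.
SAMPLE_LOG = r"""»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="acheweed"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

if __name__ == "__main__":
    for key, value, data in removed_entries(SAMPLE_LOG):
        print(f"removed: [{key}] {value} = {data}")
```

    The comparison covers only the registry entries the log lists; it says nothing about files such as the lzx32.sys driver raised elsewhere in this thread.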

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi micahr14,

    ok thanks for all the info.

    this:
    lzx32.sys is a rootkit that can arrive with smitfraud. that's from an AVG scan from March? it will show in a smitfraud log and combofix log, but they don't remove it. you can do this to be sure:

    1. Download - rustbfix.exe ...and save it to your desktop:

    http://www.uploads.ejvindh.net/rustbfix.exe

    2. Double click on rustbfix.exe to run the tool.
       1. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
       2. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.

    shelf life
    How Can I Reduce My Risk?

  5. #5
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    logs

    Ok, there were no rootkits found. HJT log on the way as soon as I can get it. I've spent 3 straight days at work trying to fix our satellite feed from the syndicated network. We have an underground cable gone bad and digging it all up to get to that one area. May not post for a couple of days.
    Mic

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi micahr14,

    ok good no rootkits. just post back whenever you get a chance.

    shelf life
    How Can I Reduce My Risk?
