BleepingComputer.com: Smitfraud and others.

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

Smitfraud and others. Digital Petri Dish of P2P Swill

#1 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 25 March 2011 - 03:03 AM

Was handed a laptop the other day and informed, " I loaned it to my brother-in-law and this is how it came back."

It had a number of P2P apps installed on it and has had zero maintenance for months. Here's how I proceeded.

Steps followed:

1. Installed Malwarebytes but the program failed to when an update was attempted. Was able to get it installed and run. No corrections made.
2. Ran Vipre - Lots and LOTS of red lines on the log screen.
3. Installed Spybot S&D and ran. No corrections made.
SmitFraud-C identified,
At 'C:\' found 'FSQWR.BMP' a picture of an NTFS.SYS BSOD at address: 0x00000050 (0xFD3094C2)) & FSQWR.LNK, (Remove System Tool Virus retained)
'Gen-Gullo' found in Restore point,
'TrafficNinjaBiz' found in Restore point.

4. Uninstalled Norton 360 (subscription expired 90+ days ago) and Installed and Ran AVG anti-all freeware.
Found and fixed two (2) 'corrupted items'.
C:\Documents & Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\QXGR83DG\BitComet_1.26_setup(2).exe
C:\Program Files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\kp.lproj\QuickTimeAudioSupportLocvalized.dll


Ok, about this time I felt I was not dealing with a deep infection but the system had a spectrum of other problems. Also realized I wanted to resolve the matter up without having to spend an lot of time at doing it.
As the system was still functional and not to bogged down to operate, I want ahead and;

5. P2P software uninstalled without difficulty: Limewire, Napster & Morphus.
6. Ran Windows Update. First installed was SP3, followed by 41 others.
7. Once updated I disabled 'RESTORE' and rebooted to clean the infections identified in the Restore file system, then restarted Restore.

Reviewed the Registry and found oddly noted entries. Have a JPG of the oddity and will pass it to you when you want to see it.

8. Updated and ran Spybot S&D and found no infection.
9. Ran HijackThis - Saved log file but made no changes.
10.Ran Vipre and a bunch of infected elements were found. Have log XML & CSV files.
11. Tried to run Root Repeal and errored out immediately with the error message:
FOPS - Device Control Error
Error Code = 0xc000001
Extended Info (0x00000a0)
Device Control Error
Error Code 0x1e7

12. Ran SmithfraudFix and cleaned the infection.
13. Ran Defogger.exe and disabled CD emulation software.
14. Ran DDS Tool (DDS.txt attached - holding attach.txt until requested. Each file was under 17kb.)
15. Ran GMER and it failed immediately with the error message:
LoadDriver( "C:\Docume~1\Bri\Local~1\Temp\fwrdapod.sys" ) error 0x000010E: Cannot create a stable subkey under a volatile parent key.

16. At this moment I am waiting for the second run of GMER to complete.

OTHER things noticed:

\Temporary Internet Files\Content.IE5 was loaded with about 25 folders each looked to have the same style and format of randomly created names like this; QXGR83DG


DDS.txt Contents:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Bri at 0:19:19.35 on Fri 03/25/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.345 [GMT -7:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Bri\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {EF56413F-9398-4DF5-BC88-6FC3B227D5C5} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mExplorerRun: [mscover] c:\docume~1\bri\locals~1\temp\mscover.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-3-24 18816]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-14 1174664]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-8-10 226304]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\common files\symantec shared\coshared\cw\1.0\monitor.sys --> c:\program files\common files\symantec shared\coshared\cw\1.0\Monitor.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-1 136176]
S3 JYSZZLHSIHQ;JYSZZLHSIHQ;c:\docume~1\bri\locals~1\temp\jyszzlhsihq.exe --> c:\docume~1\bri\locals~1\temp\JYSZZLHSIHQ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\f.tmp --> c:\windows\system32\F.tmp [?]

=============== Created Last 30 ================

2011-03-25 05:32:51 -------- d-sh--r- C:\cmdcons
2011-03-25 05:30:41 -------- d-----w- c:\windows\setup.pss
2011-03-25 04:29:59 -------- d-----w- c:\program files\ProcessExplorer
2011-03-25 03:46:34 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-03-25 02:59:23 -------- d-----w- c:\program files\Sophos
2011-03-24 20:33:15 -------- d-----w- C:\Retrreivced my Docs fromNortonBackup
2011-03-24 20:11:11 -------- d-----w- c:\program files\common files\L&H
2011-03-24 20:10:47 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-24 20:09:11 -------- d-----w- c:\windows\SHELLNEW
2011-03-24 18:25:41 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-24 18:25:30 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-03-24 18:24:43 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-03-24 18:24:43 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2011-03-24 18:24:43 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-03-24 18:24:15 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-03-24 17:42:35 -------- d-----w- c:\windows\system32\scripting
2011-03-24 17:42:28 -------- d-----w- c:\windows\l2schemas
2011-03-24 17:42:26 -------- d-----w- c:\windows\system32\en
2011-03-24 17:42:26 -------- d-----w- c:\windows\system32\bits
2011-03-24 15:46:13 69120 ------w- c:\windows\system32\wlanapi.dll
2011-03-24 15:46:05 25471 ------w- c:\windows\system32\drivers\watv10nt.sys
2011-03-24 15:46:05 22271 ------w- c:\windows\system32\drivers\watv06nt.sys
2011-03-24 15:46:05 14208 ------w- c:\windows\system32\drivers\wacompen.sys
2011-03-24 15:46:05 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys
2011-03-24 15:46:05 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2011-03-24 15:46:05 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys
2011-03-24 15:46:05 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys
2011-03-24 15:46:01 42240 ------w- c:\windows\system32\drivers\viaagp.sys
2011-03-24 15:46:01 28672 ------w- c:\windows\system32\vidcap.ax
2011-03-24 15:46:01 11325 ------w- c:\windows\system32\drivers\vchnt5.dll
2011-03-24 15:44:55 397056 ------w- c:\windows\system32\s3gnb.dll
2011-03-24 15:43:58 1327320 ------w- c:\program files\msn\msncorefiles\install\msnsusii.exe
2011-03-24 15:43:51 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2011-03-24 15:43:25 397312 ------w- c:\windows\system32\mmcex.dll
2011-03-24 15:43:25 33792 ------w- c:\windows\system32\mmcperf.exe
2011-03-24 15:43:25 106496 ------w- c:\windows\system32\mmcfxcommon.dll
2011-03-24 15:43:24 184320 ------w- c:\windows\system32\microsoft.managementconsole.dll
2011-03-24 15:42:50 37376 ------w- c:\windows\system32\l2gpstore.dll
2011-03-24 15:42:42 61440 ------w- c:\windows\system32\kmsvc.dll
2011-03-24 15:42:40 6144 ------w- c:\windows\system32\kbdpash.dll
2011-03-24 15:42:40 6144 ------w- c:\windows\system32\kbdnepr.dll
2011-03-24 15:42:40 6144 ------w- c:\windows\system32\kbdiultn.dll
2011-03-24 15:42:39 6144 ------w- c:\windows\system32\kbdbhc.dll
2011-03-24 15:42:05 10752 ------w- c:\windows\system32\smtpapi.dll
2011-03-24 15:42:04 9728 ------w- c:\windows\system32\rwnh.dll
2011-03-24 15:40:49 12800 ------w- c:\windows\system32\credssp.dll
2011-03-24 15:39:59 136192 ------w- c:\windows\system32\aaclient.dll
2011-03-24 15:08:51 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-03-24 07:19:19 -------- d--h--w- C:\$AVG
2011-03-24 06:38:55 -------- d-----w- c:\docume~1\bri\applic~1\AVG10
2011-03-24 06:37:16 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-24 06:34:58 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-24 06:34:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-24 06:34:13 -------- d-----w- c:\program files\AVG
2011-03-24 06:30:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-24 03:07:38 -------- d-----w- c:\docume~1\bri\applic~1\SUPERAntiSpyware.com
2011-03-24 03:07:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-24 03:07:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-24 02:21:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-24 02:21:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-23 15:39:42 -------- d-----w- c:\docume~1\bri\applic~1\Malwarebytes
2011-03-23 15:39:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 15:39:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-23 15:39:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 15:39:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-05 05:18:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\dOkKmBi06510
2011-02-28 01:01:49 -------- d-----w- c:\program files\Search Toolbar
2011-02-28 01:01:48 -------- d-----w- c:\program files\FoxTabVideoConverter

==================== Find3M ====================

2011-03-25 06:29:19 2996 ----a-w- c:\windows\system32\tmp.reg
2011-02-05 01:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 0:21:02.34 ===============



Lastly, Thanks for taking the time to review the posting. I'll await your reply.
JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#2 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,520
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 31 March 2011 - 07:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
wininit.exe
hlp.dat
/md5stop

  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized


In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#3 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 08:57 AM

Myrti,

Thank you for your assistance in clearing up this problem. After starting out at #104 in the queue, I realized you all need some warm bodies to help out. Hence my email to the powers that be at Bleeping asking to be given the first available seat in training classes so I can payback in kind. This is a specific skill set I've been meaning to acquire for a while now anyway. So, I do understand it takes time to wade all the other problems in the world, before it's my turn, :) and YES, I still have a problem. :)

Will also apologize for omitting the System and OS specs on the system, here they are:

Make: Sony,
Model: VAIO VGN-C140G,
32bit or 64bit: It is a 32bit system
OS: Windows XP, Media Center Edition SP3 - This system has been successfully updated to Service Pack 3, and ALL subsequent updates from Microsoft.

To give you a better idea of the laptops current state: After stripping off the peer 2 peer software clogging the system, the laptop began operating as I would expect a system of this hardware class and age.

Will post this reply for you now before proceeding with the balance of the process you outlined.

I'll get back to you within the hour after running OTL and sending you the report.

Joe
JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#4 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,520
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 31 March 2011 - 09:07 AM

Hi,

thanks for detailed update :) If you still have it, please also post the log from the second gmer run. If gmer is crashing/failing, let me know and we'll use an alternate utility.

Happy to see that you want to join the ranks, I'm sure we'll meet again in that case. :wink:

One of the conditions you need to fullfill before being able to apply, is a counter of 20posts. This is purely FYI, just don't want you waiting unnecessarily.

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#5 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 10:12 AM

Myrti,

Sorry about the delay,

Ran OTL, report attached.

Am having to run GMER again and actually generate a set of reports. GMER is not playing nicely this morning, so it'll be a few minutes till the reports are ready to send.

Thanks for the tip on the postings. I'l get going on that at once.

Joe
JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#6 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,520
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 31 March 2011 - 10:35 AM

Hi,

the log isn't attached. After you browsed to the file you also need to click on "attach this file" to upload it.

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#7 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 10:48 AM

Well, lets move from Chrome to Firefox4 and see if this can be addressed.

For the record, the earlier file attach was done using the 'basic uploader'. Am using the advanced now.

Attached File(s)

  • Attached File  otl.txt (137.98K)
    Number of downloads: 2

JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#8 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 10:55 AM

On the other front... Laptop BSOD'd twice so the GMER report run has been delayed a few minutes. GMER is running as I type and the reports will be passed along as soon as it finishes.
JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#9 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,520
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 31 March 2011 - 10:56 AM

Hi,

I'm seeing some leftovers but no active infection. We will address those after checking for rootkits.

If gmer continues to give you trouble, please run rootkit unhooker instead:

Please download Rootkit Unhooker from one of the following links and save it to your desktop. In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.
  • Double-click on RKUnhookerLE.exe to start the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#10 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 11:30 AM

Myrti,

The GMER scan is still running. Would you like me to kill the process and move on to the steps you just passed along, or would you like to have the GMER reports as well?

Either way works for me.
JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#11 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,520
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 31 March 2011 - 11:44 AM

Hi,

I don't really have a preference both are excellent rootkit scanners. As it is likely that Gmer is causing the BSODs I would suggest that, should the laptop crash again, you try RkU instead.

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#12 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 11:48 AM

Agreed.

As GMER's been running for good period of time, am going to let it finish its run. Pass its reports to you and begin running the Rootkit Unhooker process.
JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#13 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 12:03 PM

GMER Report: ARK.TXT attached.

Proceeding with Rootkit Unhooker.

Attached File(s)

  • Attached File  ark.txt (2.54K)
    Number of downloads: 2

JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#14 User is offline   JEBwebs 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 65
  • Joined: 21-February 11
  • Gender:Male

Posted 31 March 2011 - 12:18 PM

Rootkit Unhooker Report attached.

Attached File(s)


JEBwebs

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened. Winston Churchill

#15 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,520
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 31 March 2011 - 12:39 PM

Hi,

the rootkit scans are clean, so I'll have you remove the leftovers with OTL. The PC is still behaving as it should?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :otl
[2006/12/19 22:15:03 | 000,000,151 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb2751.dat
[2006/12/19 16:29:14 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb431.dat
[2006/12/15 00:37:19 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb6334.dat
[2006/12/15 00:37:18 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb8467.dat
[2006/12/15 00:37:18 | 000,000,049 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb41.dat
[2006/12/15 00:36:25 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb4604.dat
[2006/12/15 00:36:25 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb3902.dat
[2006/12/15 00:36:25 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb153.dat
[2006/12/15 00:36:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb5436.dat
[2006/12/15 00:36:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb2391.dat
[2006/12/15 00:36:23 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb4827.dat
[2006/12/15 00:36:20 | 000,000,333 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\internaldb1942.dat
[2006/12/15 00:36:20 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\Bri\Application Data\inifile41.ini
:files
C:\Windows\tasks\at*.job

  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
    If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


Please also upload the following file to virustotal:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the file listed below in bold, then click Submit. Y

C:\WINDOWS\System32\lpykrp.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users