
Logs Can Someone Please Check These


  • This topic is locked
1 reply to this topic

#1 Joshstork

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 07 September 2007 - 02:20 PM

These are the logs that someone needed; I think his name was RichieUK or something or other from the team. So here you go, you asked for them. Can you be ASAP about it, because I still have the same malware problem: they keep popping up.

This is the SmitFraudFix log:



SmitFraudFix v2.219

Scan done at 15:35:22.06, Wed 09/05/2007
Run from C:\Documents and Settings\Neil Storkey\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\WINDOWS\Tasks\At?.job Deleted
C:\DOCUME~1\NEILST~1\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\NEILST~1\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\NEILST~1\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\NEILST~1\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\NEILST~1\FAVORI~1\Privacy Protector.url Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



----------------------------------------------------------------------------------------------------------------------------------------------
That's the end of that log.

This is the Fixwareout log:

Username "Neil Storkey" - 09/05/2007 15:45:24 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.60 85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}
"nameserver"="85.255.114.60,85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9D4602F5-F1ED-40FA-881D-E11817F40576}
"nameserver"="85.255.114.60,85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AF8349D7-E130-426A-9058-E1408B6C25A1}
"nameserver"="85.255.114.60,85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}
"DhcpNameServer"="85.255.114.60,85.255.112.226" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"kgsystray"="C:\\Program Files\\Kuma Games\\kgsystray\\Kuma_tray.exe"
"C2K"="C:\\WINDOWS\\Cyb2k.exe"
"BearFlix"="\"C:\\Program Files\\BearFlix\\BearFlix.exe\" /pause"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"LifeCam"="\"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"cctray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\cctray\\cctray.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Roai"="\"C:\\WINDOWS\\system32\\SSTEM3~1\\tracert.exe\" -vt yazb"
"Idzfongz"="\"C:\\WINDOWS\\system32\\?ppPatch\\l?gonui.exe\" 99001122"
"EA Core"="\"C:\\Program Files\\Electronic Arts\\EA Link\\Core.exe\" -silent"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

----------------------------------------------------------------------------------------------------------------------------------------------

Now this is the SDFix log:


SDFix: Version 1.100

Run by Neil Storkey on Wed 09/05/2007 at 04:00 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\web.dat - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:HP Network Device Rediscovery Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Microsoft Works Suite 2006\Setup\MNYINSTA.DLL
C:\Program Files\Microsoft Works Suite 2006\Setup\SETUPLNG.DLL
C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE
C:\Program Files\Microsoft Works Suite 2006\Setup\RMVSUITE.EXE
C:\Program Files\Microsoft Works Suite 2006\Setup\UNREGWTR.EXE
C:\Program Files\InterActual\InterActual Player\itiD8.tmp

Finished

OK, that's it.
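The three logs above carry the two findings a responder would look at first: the same pair of resolver addresses written as a static NameServer into every network interface (and into the global Tcpip\Parameters key) while the router's DHCP hands out 192.168.1.1, and Run entries that launch executables from oddly named folders under system32. The script below is an added example, not part of the post and not code from S!Ri's SmitFraudFix, Fixwareout or SDFix; it parses lines in the format of those logs (the sample lines are copied from the logs above) and flags the entries worth reviewing. The heuristics, the STATIC/DHCP labels and the function names are this example's own assumptions, and a flag is a prompt for review, not a verdict on any particular file.

```python
"""Triage the DNS and autorun lines of a SmitFraudFix / Fixwareout report.
Added example: not part of the forum post and not code from S!Ri's tools.
Heuristics, labels and function names are assumptions made for this example."""
import ipaddress
import re

# Sample lines copied from the DNS section of the SmitFraudFix log above.
DNS_LINES = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
"""

# Sample lines copied from the "Current runs" section of the Fixwareout log above.
RUN_LINES = r'''
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"C2K"="C:\\WINDOWS\\Cyb2k.exe"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Roai"="\"C:\\WINDOWS\\system32\\SSTEM3~1\\tracert.exe\" -vt yazb"
"Idzfongz"="\"C:\\WINDOWS\\system32\\?ppPatch\\l?gonui.exe\" 99001122"
'''

DNS_RE = re.compile(r"^(?P<key>\S+): (?P<value_name>DhcpNameServer|NameServer)=(?P<servers>.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')


def parse_dns(text):
    """Yield (registry key, value name, [resolver, ...]) for each DNS line."""
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
            yield m["key"], m["value_name"], servers


def outside_lan(servers):
    """Resolvers that are neither private (RFC 1918 etc.) nor loopback addresses."""
    out = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            out.append(s)  # not an IP address at all: also worth a look
            continue
        if not (ip.is_private or ip.is_loopback):
            out.append(s)
    return out


def triage_dns(text):
    """STATIC = a hard-coded NameServer pointing off the LAN (the classic hijack
    indicator when the user never set one); DHCP = a DHCP-supplied resolver off
    the LAN, which may be the ISP's but deserves a check against the router."""
    findings = []
    for key, value_name, servers in parse_dns(text):
        bad = outside_lan(servers)
        if bad:
            kind = "STATIC" if value_name == "NameServer" else "DHCP"
            findings.append((kind, key, value_name, bad))
    return findings


def unescape_reg(s):
    """Undo the .reg-style escaping in the Fixwareout listing (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def exe_path(cmd):
    """Extract the executable from a Run command line, quoted or bare."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_run(text):
    """Return (value name, exe path, [reasons]) for Run entries matching a heuristic."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path = exe_path(unescape_reg(m["cmd"]))
        directory = path.rpartition("\\")[0]
        reasons = []
        if "?" in path:
            reasons.append("path contains characters the tool could not render")
        if re.search(r"\\system32\\[^\\]*~\d", directory, re.IGNORECASE):
            reasons.append("8.3 short-name directory inside system32")
        if directory.lower() == "c:\\windows":
            reasons.append("executable directly in the Windows directory (check publisher)")
        if reasons:
            findings.append((m["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for kind, key, value_name, ips in triage_dns(DNS_LINES):
        print(f"[{kind}] {key} {value_name} -> {', '.join(ips)}")
    for name, path, reasons in triage_run(RUN_LINES):
        print(f"[RUN] {name}: {path} ({'; '.join(reasons)})")
```

Feed the whole pasted report to `triage_dns` and `triage_run` rather than the samples to triage a real log; the DNS check is the more reliable of the two, since a static NameServer that the user never configured and that differs from what the router's DHCP supplies has no benign explanation, whereas the Run heuristics only rank entries for a closer look at the file's publisher and location.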

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:51 AM

Posted 07 September 2007 - 02:54 PM

Hi,

Not sure why you started a new thread, since you already posted the above log here as well, where Richie was already helping you:
http://www.bleepingcomputer.com/forums/ind...mp;#entry606017

I guess you're confused about the HijackThis log, because no one instructed you to use HijackThis.

So,

* Download Trend Micro HijackThis.
Double-click HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log into the thread here where Richie is already helping you.

I am going to close this thread in order to prevent confusion.

Edited by miekiemoes, 07 September 2007 - 02:55 PM.
