

Smitfraud-c, I Can't Seem To Get Rid Of The Malware.


This topic is locked. 18 replies to this topic.

#1 thymel (Members, 14 posts)

Posted 30 April 2008 - 02:17 PM

Task Manager and regedit are disabled. I've run SmitfraudFix in Safe Mode, and when I boot back to Normal Mode the applications are locked again. Attached is a HijackThis log run under Normal Mode.

Any help would be greatly appreciated.

Attached Files


Edited by thymel, 30 April 2008 - 03:15 PM.




#2 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 30 April 2008 - 04:51 PM

Hello thymel,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 thymel (Topic Starter)

Posted 01 May 2008 - 10:12 AM

Attached are the files requested. Thank you for your help!

Attached Files



#4 teacup61 (Malware Response Team)

Posted 01 May 2008 - 02:26 PM

Hello,

I'd like to be sure about something, please:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Thanks,
tea

#5 thymel (Topic Starter)

Posted 01 May 2008 - 03:33 PM

The file named gmer_scan_040108 is a copy of the scan that GMER performed when I clicked on the application. Once the scan was complete, a message appeared stating that GMER found system modifications which might have been caused by rootkit activity and asking whether I would like to perform a full scan. The file named gmer_full_scan_040108 is a GMER full scan of the computer.

Thanks again for your assistance.

Attached Files



#6 teacup61 (Malware Response Team)

Posted 01 May 2008 - 04:17 PM

Hello,

That's what I thought. I just had to be sure.

* Open Notepad (don't use any text editor other than Notepad, or the script will fail).
Copy and paste the text in the quote box below into Notepad:

Driver::
clbdriver

Folder::
C:\WINDOWS\system32\pnVes06
C:\Temp\zvebs14
C:\Temp

File::
C:\WINDOWS\system32\cbXNdabA.dll
C:\WINDOWS\system32\drivers\clbdriver.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15D94F77-2B37-4544-B6DC-BA4B38D7DBB2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxXRkj]


Save this as a text file named CFScript.

Then drag the CFScript file onto ComboFix.exe, as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now please?

Thanks,
tea
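The CFScript above is a plain sectioned text format (a header ending in `::`, one item per line, .reg-style `[-KEY]` lines under `Registry::`). The following is an added example, not ComboFix's code nor the helper's: it parses the script exactly as posted and turns it into a checklist of artifacts that should all be absent once ComboFix has run, so the cleanup can be verified rather than assumed. Two things in it are assumptions: that the `~` in the HijackThis-style BHO paths stands for `SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`, and that a `Driver::` entry is verified by the absence of its service key under `HKLM\SYSTEM\CurrentControlSet\Services`. The existence probes in `still_present` are injectable (the default registry probe is a stand-in that always answers "absent"); on the cleaned machine you would pass real `os.path.exists` and a `winreg`-based key probe.

```python
"""Parse a ComboFix CFScript and build a post-run verification checklist.

Added example, not ComboFix's own code nor the helper's; it only reads the
script format shown in the post above.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# The CFScript exactly as posted above.
CFSCRIPT = """\
Driver::
clbdriver

Folder::
C:\\WINDOWS\\system32\\pnVes06
C:\\Temp\\zvebs14
C:\\Temp

File::
C:\\WINDOWS\\system32\\cbXNdabA.dll
C:\\WINDOWS\\system32\\drivers\\clbdriver.sys

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{15D94F77-2B37-4544-B6DC-BA4B38D7DBB2}]
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\xxyxXRkj]
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
DELETE_KEY_RE = re.compile(r"^\[-(?P<key>.+)\]$")   # .reg syntax: [-KEY] deletes the key

# Assumption: '~' in the HijackThis-style BHO paths is the Explorer key
# under which Browser Helper Objects are registered.
TILDE_EXPANSION = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
# Assumption: a Driver:: entry is gone when its service key is gone.
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split the script into {section: [items]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"item before any section header: {line!r}")
        sections[current].append(line)
    return sections


def expand_registry_key(key: str) -> str:
    """Replace the '~' shorthand with the full Explorer key path."""
    return key.replace("\\~\\", "\\" + TILDE_EXPANSION + "\\")


def verification_plan(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Everything the script removes, as (kind, target) pairs that should
    all be absent after ComboFix has run."""
    plan: List[Tuple[str, str]] = []
    for name in sections.get("Driver", []):
        plan.append(("regkey", SERVICES_KEY + "\\" + name))
    for folder in sections.get("Folder", []):
        plan.append(("path", folder))
    for path in sections.get("File", []):
        plan.append(("path", path))
    for line in sections.get("Registry", []):
        m = DELETE_KEY_RE.match(line)
        if m:
            plan.append(("regkey", expand_registry_key(m.group("key"))))
    return plan


def still_present(plan: List[Tuple[str, str]],
                  path_exists: Callable[[str], bool] = os.path.exists,
                  regkey_exists: Callable[[str], bool] = lambda k: False,
                  ) -> List[Tuple[str, str]]:
    """Return the plan entries that are still on the system. Both probes
    are injectable; the default registry probe is a stand-in that always
    says 'absent', so pass a winreg-based one on the real machine."""
    checks = {"path": path_exists, "regkey": regkey_exists}
    return [(kind, target) for kind, target in plan if checks[kind](target)]


if __name__ == "__main__":
    plan = verification_plan(parse_cfscript(CFSCRIPT))
    for kind, target in plan:
        print(f"{kind:7} {target}")
    # Constructed probe standing in for a machine where one DLL survived.
    print("still present:",
          still_present(plan, path_exists=lambda p: p.endswith("cbXNdabA.dll")))
```

Run it on the Windows box after ComboFix has rebooted; anything returned by `still_present` is an item the script did not actually remove and needs a second look before the machine is declared clean.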

#7 thymel (Topic Starter)

Posted 01 May 2008 - 04:23 PM

Will do. The system is still running slowly, but the pop-ups have disappeared and Task Manager and regedit are working again.

#8 teacup61 (Malware Response Team)

Posted 01 May 2008 - 04:25 PM

Improvement is always good! :thumbsup: Post when you're ready. :blink:

tea

#9 thymel (Topic Starter)

Posted 01 May 2008 - 04:43 PM

Attached are the files requested.

Thanks again.

Attached Files



#10 teacup61 (Malware Response Team)

Posted 01 May 2008 - 05:11 PM

Hello,

Did you set this entry yourself?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
If so, we'll leave it alone. :thumbsup:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply, along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

#11 thymel (Topic Starter)

Posted 01 May 2008 - 06:05 PM

The scan seemed to come back clean. I'm having trouble accessing the Internet with the infected PC, so I could not update the version of Malwarebytes that was downloaded.

Thanks

Attached Files



#12 teacup61 (Malware Response Team)

Posted 01 May 2008 - 06:26 PM

Hello,

You never answered my question about those entries. :thumbsup: Have you had trouble throughout this time with the internet, or is this something that just now started?

Thanks,
tea

#13 thymel (Topic Starter)

Posted 02 May 2008 - 06:28 AM

I did not add the entry in R0 and the Internet access issue just recently started.

#14 teacup61 (Malware Response Team)

Posted 02 May 2008 - 09:29 AM

Hello,

Thanks. :thumbsup:

Go to Start > Run and type cmd.
A command-prompt window will appear.
Type the following in that window: netsh winsock reset
Hit Enter.

REBOOT!!

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Is it still slow? And, are you still having trouble with the internet connection?

Thanks,
tea
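The four HijackThis entries the helper asks to have fixed are of three kinds: an R0 Start Page pointing at a local file:// URL, an O4 Run entry, and an O21 ShellServiceObjectDelayLoad (SSODL) entry whose DLL HijackThis itself reports as "(file missing)". As an added example, not HijackThis's code nor the helper's, the script below parses those line formats and flags the same indicators: a file:// Start Page, an SSODL entry whose DLL is missing, and an O4 entry whose executable is no longer on disk (an autostart left orphaned once the malware files are gone). The four sample lines are quoted from the post above; the fifth (a ctfmon.exe Run entry) is constructed so the triage also shows a non-finding. The `path_exists` probe is injectable so the check can be run against a log copied off the box, and `exe_path` is a helper of my own for pulling the executable out of a quoted or unquoted Run value.

```python
"""Triage HijackThis log entries of the kinds fixed in the post above.

Added example, not HijackThis's code nor the helper's.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import urlparse

# Four entries quoted from the post above plus one constructed benign O4
# line (ctfmon.exe) so the triage shows a non-finding as well.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = file://c:/windows/homepage.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = file://c:/windows/homepage.html
O4 - HKCU\\..\\Run: [QdrModule15] "C:\\Program Files\\QdrModule\\QdrModule15.exe"
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
R0_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\(?P<key>.+?),(?P<value>.+?) = (?P<data>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<subkey>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O21_RE = re.compile(r"^SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                    r"(?P<dll>.+?)(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run value, quoted or not; falls back to
    the first whitespace-separated token."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split()[0]


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "R0"
    reason: str
    line: str


def triage(log_text: str,
           path_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Return the entries worth ticking in HijackThis."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R0":
            r = R0_RE.match(body)
            if r and urlparse(r.group("data")).scheme == "file":
                findings.append(Finding(kind, "Start Page points at a local file (homepage hijack)", line))
        elif kind == "O4":
            o = O4_RE.match(body)
            if o and not path_exists(exe_path(o.group("cmd"))):
                findings.append(Finding(kind, "Run entry launches a file that is no longer on disk", line))
        elif kind == "O21":
            s = O21_RE.match(body)
            if s and s.group("missing"):
                findings.append(Finding(kind, f"SSODL {s.group('clsid')} loads {s.group('dll')}, which is gone", line))
    return findings


if __name__ == "__main__":
    # Constructed probe: only the benign ctfmon.exe is "on disk".
    for f in triage(SAMPLE_LOG, path_exists=lambda p: p.lower().endswith("ctfmon.exe")):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```

Each flagged line is one to tick in HijackThis and "Fix checked"; the SSODL and Run entries are registry references left behind after their files were removed, which is why they still show in a log taken after ComboFix has run.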

#15 thymel (Topic Starter)

Posted 02 May 2008 - 10:54 AM

Seems like the system is back to normal. The bootup speed is great and now I can access the Internet. Any steps I can take to prevent this from occurring again?

Thank you very much for your time and effort in resolving this issue.



