Windows Security Center Windows & Icon


21 replies to this topic

#16 ndyounkin

ndyounkin
  • Topic Starter

  • Members
  • 12 posts

Posted 08 May 2008 - 01:00 PM

Here is the Log for SmitFraudFix in Safe Mode.


SmitFraudFix v2.319

Scan done at 10:48:12.37, Thu 05/08/2008
Run from C:\Documents and Settings\Nate Younkin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Windows\System32\mcres.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Nate Younkin


C:\Documents and Settings\Nate Younkin\Application Data


Start Menu


C:\DOCUME~1\NATEYO~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{02DBE061-3411-414D-B007-38DDE15B02DB}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{02DBE061-3411-414D-B007-38DDE15B02DB}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{02DBE061-3411-414D-B007-38DDE15B02DB}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12


Scanning for wininet.dll infection


End



#17 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 May 2008 - 04:00 PM

http://www.motioncomputing.com/

I guess you have this software installed?
It's rare, which is why I ask.

Run an update and a quick scan with MBAM.

Edited by DaChew, 08 May 2008 - 04:00 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#18 ndyounkin


Posted 08 May 2008 - 07:26 PM

Digging the tablet PC.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.12
Database version: 732

Scan type: Quick Scan
Objects scanned: 40569
Time elapsed: 14 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#19 ndyounkin


Posted 10 May 2008 - 05:53 AM

I am wondering if the virus issue could be based from a networked computer? I haven't seen the "pop up" for about a day now, but don't feel like it's removed. I do have my Tablet PC networked to my home computer. Any chance there might be a connection?

Thanks
Nate

#20 DaChew


Posted 10 May 2008 - 07:19 AM

It's best to isolate all computers in a LAN when any one of them becomes infected, and run scans on all of them.

I learned a lesson on this long ago and far away.

Edited by DaChew, 10 May 2008 - 07:21 AM.

Chewy


#21 ndyounkin


Posted 18 May 2008 - 03:21 PM

Sorry for my delay in responding.

So, based on your experience, should I disconnect the LAN and start the entire process I have run through from the forum's assistance with the tablet PC (the one showing the pop up)? And then should I do the same for the other networked PC? Do I need to post the logs again?

#22 DaChew


Posted 18 May 2008 - 03:49 PM

When I am trying to clean up a LAN, I only have one computer on at a time. If I have downloaded a scanner or fix and am running it, I will physically disconnect that computer if I need to take another online.

You have the tools down now. Run until the scans come up clean. No need for a log unless you feel those tools aren't killing the infection. We will be here if you need any more help.

You often have to repeat or change a sequence of tools to remove an infection, and that's not counting if it's updating or reinstalling from the WAN or LAN.

Chewy
