Trojan Win32.agent


23 replies to this topic

#1 robotmachine

robotmachine

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:01 PM

Posted 10 September 2008 - 12:33 AM

Hi all, I've been having problems with trojans lately. I'm pretty sure I already got rid of Crypt, OnlineGames, Vundo, Antivirus XP, Lineage, Virtumonde, and some other stuff, but now I am stuck with a very stubborn trojan, Win32.Agent.
I get process aNb2D65b.exe, and while several programs have found it and "cleaned" it, it comes back. A Kaspersky scan found these also:

C:\Documents and Settings\Owner\Local Settings\temp\2SPjR10n.exe Infected: Trojan-Downloader.Win32.Agent.afua 1
C:\Documents and Settings\Owner\Local Settings\temp\k5Xg7yr6.exe Infected: Trojan-Downloader.Win32.Agent.afua 1

Other symptoms are popups by accuquote.com, lan.screensaver.com, gunggo.com, hcpc.org, bbbs.org, go.webrewardsstream.com, and others, plus a sound ad congratulating me on winning a free Nintendo Wii or something.

My HJT log looks clean to me, and I've run Ad-Aware, Spybot, Malwarebytes' Anti-Malware, SUPERAntiSpyware, and ComboFix, so now I turn to you for some advice. I hope someone can help me out. :thumbsup:


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:01 PM

Posted 10 September 2008 - 12:54 AM

http://www.bleepingcomputer.com/forums/ind...st&p=939877

Would you run ATF Cleaner and SAS from safe mode, then after rebooting into normal mode run a quick scan with your updated MBAM?

Post both logs and we can proceed from there.
Chewy

No. Try not. Do... or do not. There is no try.

#3 robotmachine


Posted 10 September 2008 - 01:47 AM

OK, (thanks for the reply), here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/09/2008 at 11:32 PM

Application Version : 4.15.1000

Core Rules Database Version : 3561
Trace Rules Database Version: 1549

Scan type : Complete Scan
Total Scan Time : 00:31:26

Memory items scanned : 161
Memory threats detected : 0
Registry items scanned : 6626
Registry threats detected : 0
File items scanned : 66001
File threats detected : 0



Malwarebytes' Anti-Malware 1.27
Database version: 1131
Windows 5.1.2600 Service Pack 3

9/9/2008 11:39:37 PM
mbam-log-2008-09-09 (23-39-37).txt

Scan type: Quick Scan
Objects scanned: 48393
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\aNb2D65b.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.



(you probably know this but I really doubt that it was quarantined and deleted successfully)

Oh, and I forgot to mention, I haven't been able to access System Restore; it says "System Restore is not able to protect your computer. Please restart your computer, then run System Restore again." I don't know if it's a related problem or what, but I thought I should mention it.

#4 DaChew


Posted 10 September 2008 - 05:55 AM

http://www.bleepingcomputer.com/forums/ind...st&p=916491

Let's give DrWebCureit a shot next

#5 robotmachine


Posted 10 September 2008 - 05:38 PM

Alright Chew, let's see what you think; here's what it gave me:

data002\data015;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP111\A0011863.exe\data002;Program.mIRC.623;;
data002;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP111\A0011863.exe;Archive contains infected objects;;
A0011863.exe;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP111;Archive contains infected objects;Moved.;
A0019230.mfl;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP158;Modification of Trojan.FormatAll;Moved.;
A0021159.reg;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP179;Trojan.StartPage.1505;Deleted.;
A0021212.dll;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP179;Trojan.Virtumod.448;Deleted.;
A0021302.dll;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP180;Trojan.PWS.Gamania.11456;Deleted.;
A0021307.dll;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP180;Trojan.PWS.Wsgame.5940;Deleted.;
A0021308.dll;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP180;Trojan.PWS.Gamania.11223;Deleted.;
A0021309.dll;C:\System Volume Information\_restore{240503E1-60EC-4709-A5C5-E01AE88E3835}\RP180;Trojan.Virtumod.448;Deleted.;
aim553595.exe\data038;E:\INSTALLERS\aim553595.exe;Adware.Aws;;
aim553595.exe;E:\INSTALLERS;Archive contains infected objects;Moved.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;E:\INSTALLERS\Spy Tools\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;E:\INSTALLERS\Spy Tools;Archive contains infected objects;Moved.;
smitRem.exe\smitRem/Process.exe;E:\INSTALLERS\Spy Tools\smitRem.exe;Tool.Prockill;;
smitRem.exe\smitRem/pv.exe;E:\INSTALLERS\Spy Tools\smitRem.exe;Program.PrcView.3741;;
smitRem.exe;E:\INSTALLERS\Spy Tools;Archive contains infected objects;Moved.;


And I ran another Kaspersky scan overnight before this; it found one file:
C:\WINDOWS\system32\6L1T5MR0.exe Infected: Trojan-Downloader.Win32.Firu.xw 1
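
Added example (not part of this thread, and not Dr.Web's own code): a small Python triage script for the semicolon-separated CureIt report layout posted above. It separates restore-point copies and the dual-use utilities bundled inside cleaning tools from live detections, and lists live objects the scanner left in place. The sample log is constructed to mirror the entries in the thread; {RESTORE-GUID} is a placeholder and sample_dropper.exe is a made-up file name.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample in the Dr.Web CureIt! report layout seen in this thread.
# Each line is object;location;verdict;action; (four semicolon-separated fields;
# the action is empty for objects nested inside an archive the tool handled).
# {RESTORE-GUID} is a placeholder; sample_dropper.exe is a made-up file name.
SAMPLE_LOG = r"""
data002;C:\System Volume Information\_restore{RESTORE-GUID}\RP111\A0011863.exe;Archive contains infected objects;;
A0011863.exe;C:\System Volume Information\_restore{RESTORE-GUID}\RP111;Archive contains infected objects;Moved.;
A0021159.reg;C:\System Volume Information\_restore{RESTORE-GUID}\RP179;Trojan.StartPage.1505;Deleted.;
A0021212.dll;C:\System Volume Information\_restore{RESTORE-GUID}\RP179;Trojan.Virtumod.448;Deleted.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;E:\INSTALLERS\Spy Tools\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;E:\INSTALLERS\Spy Tools;Archive contains infected objects;Moved.;
smitRem.exe\smitRem/Process.exe;E:\INSTALLERS\Spy Tools\smitRem.exe;Tool.Prockill;;
aim553595.exe\data038;E:\INSTALLERS\aim553595.exe;Adware.Aws;;
aim553595.exe;E:\INSTALLERS;Archive contains infected objects;Moved.;
sample_dropper.exe;C:\WINDOWS\system32;Trojan.DownLoader.constructed;;
"""


class Finding(NamedTuple):
    obj: str       # object name; a backslash means it sits inside an archive
    location: str  # directory or archive that contains the object
    verdict: str   # detection name, or the generic archive notice
    action: str    # "Moved.", "Deleted." or "" when nothing was done to it


RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
ARCHIVE_NOTICE = "Archive contains infected objects"
# Verdict families CureIt uses for dual-use utilities (PsExec inside ComboFix,
# the process killer inside smitRem) rather than for malware proper.
DUAL_USE_PREFIXES = ("Program.", "Tool.")


def parse_cureit(text: str) -> list:
    """Split a CureIt report into Finding records, skipping blank lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        findings.append(Finding(*parts[:4]))
    return findings


def classify(f: Finding) -> str:
    """Bucket a finding by how much follow-up it deserves."""
    if f.verdict == ARCHIVE_NOTICE:
        return "container"      # wrapper entry; the real verdict is on a nested line
    if RESTORE_POINT.search(f.location):
        return "restore-point"  # old copy held by System Restore, not a running file
    if f.verdict.startswith(DUAL_USE_PREFIXES):
        return "dual-use-tool"  # legitimate admin utility packaged in a cleaner
    return "live"               # detection outside restore points and tool archives


def summarize(text: str) -> dict:
    """Count findings per bucket and list live objects CureIt did not act on."""
    findings = parse_cureit(text)
    counts = Counter(classify(f) for f in findings)
    # A nested object (backslash in its name) is covered when its container was
    # moved; a top-level live hit with an empty action is still on disk.
    unhandled = [f.obj for f in findings
                 if classify(f) == "live" and f.action == "" and "\\" not in f.obj]
    return {"counts": dict(counts), "unhandled_live": unhandled}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for bucket, n in sorted(report["counts"].items()):
        print(f"{bucket:14s} {n}")
    print("needs follow-up:", report["unhandled_live"])
```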

#6 DaChew


Posted 10 September 2008 - 06:50 PM

It's always best to get a little help with these infections if you can; then we can at least warn you about the temp files and infections in restore points and ComboFix.

http://www.bleepingcomputer.com/forums/ind...st&p=929733

Let's see what MBAM picks up after an updated quick scan.

Edited by DaChew, 10 September 2008 - 06:54 PM.


#7 robotmachine


Posted 10 September 2008 - 08:12 PM

Here it is:


Malwarebytes' Anti-Malware 1.28
Database version: 1137
Windows 5.1.2600 Service Pack 3

9/10/2008 6:10:34 PM
mbam-log-2008-09-10 (18-10-34).txt

Scan type: Quick Scan
Objects scanned: 52102
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\aNb2D65b.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

#8 DaChew


Posted 10 September 2008 - 08:51 PM

I was hoping SUPER (SAS) or CureIt from safe mode would help MBAM a little more.

Would you try SDFix next?

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#9 robotmachine


Posted 10 September 2008 - 09:23 PM

Okay, here's what I got:



SDFix: Version 1.223
Run by Owner on Wed 09/10/2008 at 07:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found




Folder C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 19:11:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:79,92,7f,e5,b4,6b,f3,6b,b8,b4,42,29,b9,b5,37,f8,77,79,04,df,68,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6c,a8,88,6b,9c,4d,e3,22,04,2f,28,6a,30,04,78,08,a2,..
"khjeh"=hex:5e,59,c0,e7,6e,94,9a,5a,15,c3,5d,46,43,19,0e,f9,a6,c5,03,30,4c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:07,3d,cc,35,d3,e8,19,c8,0f,92,27,e8,e9,8d,a0,e2,f7,74,20,25,b7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:80,ce,97,e4,2f,e0,f4,98,72,2e,ff,f8,a8,64,a8,99,03,04,2f,3e,1a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:79,92,7f,e5,b4,6b,f3,6b,b8,b4,42,29,b9,b5,37,f8,77,79,04,df,68,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6c,a8,88,6b,9c,4d,e3,22,04,2f,28,6a,30,04,78,08,a2,..
"khjeh"=hex:5e,59,c0,e7,6e,94,9a,5a,15,c3,5d,46,43,19,0e,f9,a6,c5,03,30,4c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:8d,fa,06,23,3e,27,be,1a,1a,7f,d6,b7,fa,aa,c5,4b,36,c9,f3,d7,ff,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:80,ce,97,e4,2f,e0,f4,98,72,2e,ff,f8,a8,64,a8,99,03,04,2f,3e,1a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:79,92,7f,e5,b4,6b,f3,6b,b8,b4,42,29,b9,b5,37,f8,77,79,04,df,68,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6c,a8,88,6b,9c,4d,e3,22,04,2f,28,6a,30,04,78,08,a2,..
"khjeh"=hex:5e,59,c0,e7,6e,94,9a,5a,15,c3,5d,46,43,19,0e,f9,a6,c5,03,30,4c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:07,3d,cc,35,d3,e8,19,c8,0f,92,27,e8,e9,8d,a0,e2,f7,74,20,25,b7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:80,ce,97,e4,2f,e0,f4,98,72,2e,ff,f8,a8,64,a8,99,03,04,2f,3e,1a,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 30 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 30 Jul 2008 1,829,712 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 3 May 2006 163,328 A.SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 A.SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 17 Dec 2007 27,648 A.SH. --- "C:\WINDOWS\system32\Smab0.dll"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Tue 27 May 2008 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Wed 5 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 3 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Mon 3 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Mon 3 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Thu 20 Mar 2008 5,632 ..SHR --- "C:\Program Files\eRightSoft\SUPER\spk\1stRun.exe"
Tue 23 Oct 2007 3,350,528 A..H. --- "C:\Documents and Settings\Owner\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

#10 DaChew


Posted 10 September 2008 - 09:39 PM

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!


**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

After downloading but before running the SmitfraudFix scan, would you reboot your computer into normal mode and then run the scan?

Edited by DaChew, 10 September 2008 - 09:43 PM.


#11 robotmachine


Posted 10 September 2008 - 09:53 PM

SmitFraudFix v2.348

Scan done at 19:48:26.48, Wed 09/10/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Echovoice\Gamer Statistics\G15 Echovoice Gamer Statistics.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F283081-4095-4D76-8385-C6E88229DC93}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3F283081-4095-4D76-8385-C6E88229DC93}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3F283081-4095-4D76-8385-C6E88229DC93}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3F283081-4095-4D76-8385-C6E88229DC93}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End

#12 DaChew


Posted 10 September 2008 - 10:52 PM

Wed 30 Jul 2008 1,829,712 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"


Was TeaTimer ever running resident during any of this cleaning process?

You wouldn't believe how many security programs have broken SUPER over the last few years; it's easily fixed, though.

Smab0.dll ran me a merry chase.

Half the links said it was dangerous, the others unsafe.

Edited by DaChew, 10 September 2008 - 11:01 PM.


#13 robotmachine


Posted 10 September 2008 - 11:38 PM

No, I keep TeaTimer off, and it says it's off, so I don't know why that showed up.

#14 DaChew


Posted 11 September 2008 - 06:04 AM

I was just making sure that TeaTimer had not interfered with any malware removal. A side note: I was doing some DVD burning tests trying to isolate a problem, and installed Daemon Tools; over a year later I ran into an error I was getting with safe mode boot.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001


Durn rootkit, legitimate though.


Let me ask about your problem; you might need to kick this upstairs to the HijackThis forum.

#15 DaChew


Posted 11 September 2008 - 06:12 AM

http://www.bleepingcomputer.com/forums/ind...st&p=784291

In this thread and post, SmitfraudFix is run in cleaning mode to remove this infector:

C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

