

ComboFix, SVV, and Smearware


6 replies to this topic

#1 WebDawg


Posted 02 September 2009 - 10:34 AM

OKAY

I have edited this post.

When I run Sysinternals RootkitRevealer I get a bunch of reg keys with smearware in them.

What is smearware? I can only find it in like 1 Google search result.

Someone mentioned that it could be linked with ComboFix?

I don't think this computer has a rootkit but I would like to be sure.


I have run svv.exe and I get a deepred? But I have also done this on a clean machine and get the same thing. What's the deal? Does the utility need updating or something?

I really need help with this; it's driving me crazy.

Please Help

Edited by WebDawg, 02 September 2009 - 11:04 AM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:58 PM

Posted 02 September 2009 - 11:31 AM

Hello, I am going to move this from XP to the Am I Infected forum, just in case.
Are you running Spyware Doctor or another AV program?
It probably blocked the uninstall of these segments of ComboFix.
Disabling the AV and rerunning should remove them.

While we're there, please run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#3 WebDawg

WebDawg
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 02 September 2009 - 11:38 AM

I did all this.

The problem is that no av detects the kernel deal as a virus. Malwarebytes doesn't find anything.

Is this just part of combofix?

The system works great.

I can find the keys manually in the registry


I know all this. I'm usually the person that tells them how to fix.

BUT.

All I really want to know about is SVV.exe.

I mean, there are legitimate kernel hooks, right?

#4 WebDawg

WebDawg
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 02 September 2009 - 11:44 AM

http://www.softpedia.com/progDownload/Root...load-36691.html


aight


I think imma use this.

It's called something else now.

I will report back.

Smearware. I still want to know WHAT it is, not how to remove it.

NirCMD? Does that mean that ComboFix didn't remove itself all the way?

#5 WebDawg

WebDawg
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 02 September 2009 - 11:56 AM

okay

splo.sys

sp8**.sys
is usually Daemon Tools.


It was Daemon Tools.

But I have another computer without Daemon Tools on it with the same kernel hook.

I will check and report that.

#6 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:11:58 AM

Posted 02 September 2009 - 11:59 AM

There is a very good chance that Combofix did not uninstall completely, and that can be caused by other apps running at the same time. Combofix requires all A/V's to be disabled during the run.
You might try to download Combofix again and then use the uninstall function again (with all A/V programs stopped). There may be some leftover keys that might have to be manually removed.


#7 WebDawg

WebDawg
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 September 2009 - 11:38 AM

YES. IT SEEMS LIKE COMBOFIX LEAVES STUFF AND OBJECTS AND STUFF

THAT IS ALL.



