TechSpot

Accidentally got smitfraud, fixes not working

By Frostbrand
Apr 9, 2008
  1. Yeah I just got it a few hours ago. Researched it, got the latest fix for it, ran it in safe mode and it seems to have helped but it's still there. Here's my log; any help would be appreciated.



    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:17:01 PM, on 4/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\All Users\Application Data\upkratqh\olwfctyt.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Documents and Settings\Patrick\cftmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\Patrick\Desktop\HiJackThis_v2.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    O2 - BHO: (no name) - {14c6cf56-ae83-4dc6-ac56-9a5c3cc01561} - C:\WINDOWS\system32\xxyvtrop.dll
    O2 - BHO: (no name) - {24e9519b-3f70-429b-99bc-4b2b49b96f66} - C:\WINDOWS\system32\byXNdcYq.dll
    O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Patrick\LOCALS~1\Temp\winlogan.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [csvEQGKwHc] C:\Documents and Settings\All Users\Application Data\upkratqh\olwfctyt.exe
    O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: byxndcyq - C:\WINDOWS\SYSTEM32\byXNdcYq.dll
    O21 - SSODL: SysCheck - {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

    --
    End of file - 4169 bytes
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Looks like you have more than just smitfraud. But let's start at the beginning.

    Please go to Add/Remove Programs, uninstall HijackThis and follow the steps below.

    Incorrect HJT version installed or wrong folder
    • Please uninstall your current version of HJT (This can be done through Control Panel => add/remove programs icon => highlight HJT => select change/uninstall button)
    • The LATEST version of HJT (currently v2.0.0.2) can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory. If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools. If you run HijackThis from the desktop, the files it removes will not be backed up properly.
    • Please close the HJT until after the following step.
    • Open your Program Files folder and rename hijackthis.exe to something.exe; this is because some malware can hide from hijackthis.exe. Right-click the HijackThis.exe file and choose Rename to do this.
    • Now you are ready to run HJT. Open it using the icon on your desktop, select Scan now and save a log.
    • After the scan is complete please attach your log onto the forums.
      ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so***
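    Blind Dragon's reading of the first log ("more than just smitfraud") rests on entries like the ones below. As an added example (not code from this thread, from HijackThis or from any of the tools mentioned), this Python script applies the checks a log reviewer makes by eye to entries excerpted from that log: nameless BHOs, autostarts pointing at temp or profile directories, entries whose file is missing, an alternate-data-stream path, an .exe dropped in the drivers folder, plus a cross-reference of files and CLSIDs that are hooked in more than one place. The signal list and the regexes are this example's own heuristics.

```python
"""Triage HijackThis (HJT) log entries: flag autostart lines worth a closer look
and correlate files/CLSIDs that are hooked in more than one autostart location."""
import re
from collections import defaultdict

# Constructed sample: autostart entries excerpted from the first HJT log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {14c6cf56-ae83-4dc6-ac56-9a5c3cc01561} - C:\WINDOWS\system32\xxyvtrop.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Patrick\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [csvEQGKwHc] C:\Documents and Settings\All Users\Application Data\upkratqh\olwfctyt.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O20 - Winlogon Notify: byxndcyq - C:\WINDOWS\SYSTEM32\byXNdcYq.dll
O21 - SSODL: SysCheck - {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
"""

# First drive-letter path ending in .exe/.dll/.sys, plus an optional ":stream" suffix.
PATH_RE = re.compile(r'[A-Z]:\\.*?\.(?:exe|dll|sys)(?::[^\s"]+)?', re.I)
CLSID_RE = re.compile(r'\{[0-9a-f-]{36}\}', re.I)
# Temp directories, Application Data, or a file dropped directly in a profile root.
USER_WRITABLE_RE = re.compile(
    r'\\(?:Temp|LOCALS~1|Application Data)\\|Documents and Settings\\[^\\]+\\[^\\]+$', re.I)
DRIVERS_EXE_RE = re.compile(r'\\drivers\\[^\\]+\.exe$', re.I)


def signals_for(line):
    """Return (path, reasons) for one HJT entry; reasons is empty when nothing stands out."""
    kind = line.split(' - ', 1)[0]            # O2, O4, O20, ...
    m = PATH_RE.search(line)
    path = m.group(0) if m else None
    reasons = []
    if kind == 'O2' and '(no name)' in line:
        reasons.append('BHO registered without a name')
    if kind == 'O2' and re.match(r'O2 - BHO: [A-Z]:\\', line, re.I):
        reasons.append('BHO "name" is its own file path')
    if '(file missing)' in line:
        reasons.append('autostart points at a file that no longer exists')
    if kind == 'O20':
        reasons.append('Winlogon Notify DLL is loaded at logon; verify its publisher')
    if 'Policies\\Explorer\\Run' in line:
        reasons.append('uncommon autostart key Policies\\Explorer\\Run')
    if path:
        if ':' in path[2:]:                   # a second colon means an NTFS alternate data stream
            reasons.append('NTFS alternate data stream hides the real executable')
        if USER_WRITABLE_RE.search(path):
            reasons.append('runs from a user-writable location')
        if DRIVERS_EXE_RE.search(path):
            reasons.append('.exe placed in the drivers directory, which normally holds .sys files')
    return path, reasons


def triage(log_text):
    """Return (flagged, reused_paths, reused_clsids):
    flagged       {entry line: [reasons]} for entries with at least one signal
    reused_paths  {lowercase path: count} for files hooked by 2+ autostart entries
    reused_clsids {lowercase clsid: sorted hook kinds} for CLSIDs hooked by 2+ kinds"""
    flagged, path_count, clsid_kinds = {}, defaultdict(int), defaultdict(set)
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(' - ', 1)[0]
        path, reasons = signals_for(line)
        if reasons:
            flagged[line] = reasons
        if path:
            path_count[path.lower()] += 1
        for clsid in CLSID_RE.findall(line):
            clsid_kinds[clsid.lower()].add(kind)
    reused_paths = {p: n for p, n in path_count.items() if n >= 2}
    reused_clsids = {c: sorted(k) for c, k in clsid_kinds.items() if len(k) >= 2}
    return flagged, reused_paths, reused_clsids


if __name__ == '__main__':
    flagged, paths, clsids = triage(SAMPLE_LOG)
    for line, reasons in flagged.items():
        print(line)
        for r in reasons:
            print('    ->', r)
    for p, n in paths.items():
        print(f'{p} is registered in {n} autostart entries')
    for c, kinds in clsids.items():
        print(f'{c} is hooked as {"/".join(kinds)}')
```

    The legitimate QuickTime and browseui entries come out clean, while every file the later ComboFix run deleted is flagged by at least one signal or by appearing in several autostart locations.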
     
  3. Frostbrand

    Frostbrand TS Rookie Topic Starter

    I ran MBAM and had it remove what it found and let it reboot, but TeaTimer is still going off so I believe that the smitfraud is still there, but I don't see how to send the log. Thanks for your help. I updated my HJT; here is the new log.


    --------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:53 PM, on 4/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\Frostbrand.exe

    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Patrick\LOCALS~1\Temp\winlogan.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O21 - SSODL: SysCheck - {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 2513 bytes
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    To attach MBAM
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Is that the whole HijackThis log? It seems small. Did you already fix entries?
    --------------------------------------------------------------------------------------------------------
    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.
    -----------------------------------------------------------------------------------------------

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  5. Frostbrand

    Frostbrand TS Rookie Topic Starter

    I only fixed what MBAM had selected, and strangely enough it still doesn't seem to be creating a log in that folder, like it doesn't exist. Anyway, here are the logs after running ComboFix, MBAM, ATF Cleaner and HJT. I had to remove the first 3 entries of the HJT log because the forum settings don't allow me to post links, but they seemed to be from Internet Explorer and irrelevant anyway. Thanks for your time. --Scratch that. I now have 5 posts and can post the full HJT log. Full log as follows.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:48:54 PM, on 4/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\Frostbrand.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 2662 bytes
     
  6. Frostbrand

    Frostbrand TS Rookie Topic Starter

    ComboFix 08-04-09.8 - Patrick 2008-04-09 21:29:07.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702 [GMT -7:00]
    Running from: C:\Documents and Settings\Patrick\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\aJkmonpo.ini
    C:\WINDOWS\system32\aJkmonpo.ini2
    C:\WINDOWS\system32\byXNdcYq.dll
    C:\WINDOWS\system32\urqRKAPJ.dll
    C:\WINDOWS\system32\xxyvtrop.dll

    ----- BITS: Possible infected sites -----

    hxxp://flyvideonetwork.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FCI


    ((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
    .

    2008-04-09 21:00 . 2008-04-09 21:00 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-09 20:37 . 2008-04-09 20:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-09 20:37 . 2008-04-09 20:37 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Malwarebytes
    2008-04-09 20:37 . 2008-04-09 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-09 19:47 . 2008-04-09 20:07 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2008-04-09 19:29 . 2008-04-09 19:29 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Symantec
    2008-04-09 19:29 . 2008-04-09 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2008-04-09 19:00 . 2008-04-09 19:00 <DIR> d-------- C:\WINDOWS\resources
    2008-04-09 18:53 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-04-09 18:53 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-04-09 18:13 . 2008-04-09 18:14 153 --a------ C:\WINDOWS\wininit.ini
    2008-04-09 16:23 . 2008-04-09 18:56 1,464 --a------ C:\WINDOWS\system32\tmp.reg
    2008-04-09 16:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-04-09 16:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-04-09 16:22 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-04-09 16:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-04-09 16:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-04-09 16:15 . 2008-04-09 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
    2008-04-09 14:56 . 2008-04-09 14:56 <DIR> d-------- C:\Program Files\RegCleaner
    2008-04-09 14:43 . 2008-04-09 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\upkratqh
    2008-04-09 14:41 . 2008-04-09 21:03 10,000 --------- C:\WINDOWS\system32\jfiehayd.dll
    2008-04-09 14:41 . 2008-04-09 19:42 49 --a------ C:\smp.bat
    2008-04-09 14:41 . 2008-04-09 14:41 2 --a------ C:\-58967882
    2008-04-09 14:25 . 2008-04-09 14:25 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
    2008-04-09 13:55 . 2008-04-09 13:55 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\DAEMON Tools
    2008-04-09 13:55 . 2008-04-09 13:55 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-04-09 13:52 . 2003-03-16 00:15 90,112 --a------ C:\WINDOWS\unvise32.exe
    2008-04-09 12:50 . 2008-04-09 14:37 <DIR> d-------- C:\Program Files\SoldnerSecretWars
    2008-04-08 18:40 . 2008-04-08 19:18 <DIR> d-------- C:\Program Files\WarRock
    2008-04-08 18:40 . 2008-04-08 18:40 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\InstallShield
    2008-04-08 05:33 . 2008-04-08 05:34 <DIR> d-------- C:\Program Files\WinAce
    2008-04-07 18:06 . 2008-04-07 18:06 <DIR> dr-h----- C:\Documents and Settings\Patrick\Application Data\SecuROM
    2008-04-07 18:06 . 2008-04-07 18:06 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-04-07 17:58 . 2008-04-07 17:58 <DIR> d-------- C:\Program Files\CAPCOM
    2008-04-07 02:00 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-04-06 02:35 . 2008-04-06 02:35 <DIR> d-------- C:\Program Files\OGPlanet
    2008-04-04 22:10 . 2008-04-04 22:10 1,167 --a------ C:\WINDOWS\mozver.dat
    2008-04-04 20:16 . 2008-04-04 20:16 0 --a------ C:\WINDOWS\ativpsrm.bin
    2008-04-04 19:48 . 2008-04-04 19:51 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-04-04 19:20 . 2008-04-04 19:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-04 19:20 . 2008-04-04 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-04 19:16 . 2008-04-04 19:16 <DIR> d-------- C:\Program Files\ATI Technologies
    2008-04-04 19:16 . 2008-01-22 15:42 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
    2008-04-04 19:12 . 2008-04-04 19:12 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Talkback
    2008-04-04 19:12 . 2008-04-04 19:12 0 --a------ C:\WINDOWS\nsreg.dat
    2008-04-04 19:07 . 2008-04-06 01:31 <DIR> d-------- C:\Program Files\Winamp
    2008-04-04 19:00 . 2008-04-04 19:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-04-04 18:58 . 2008-04-04 18:59 <DIR> d-------- C:\Program Files\QuickTime
    2008-04-04 18:58 . 2008-04-04 18:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-04-04 18:58 . 2008-04-08 20:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-04 18:58 . 2008-04-04 18:58 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-04 18:51 . 2008-04-04 18:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-04-04 18:51 . 2008-04-08 19:01 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-04-04 18:51 . 2008-04-08 05:34 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-04-04 18:51 . 2008-04-08 19:01 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-04-04 18:51 . 2008-04-04 18:51 22,328 --------- C:\Documents and Settings\Patrick\Application Data\PnkBstrK.sys
    2008-04-04 18:51 . 2008-04-04 18:51 319 --a------ C:\WINDOWS\game.ini
    2008-04-04 18:41 . 2008-04-04 18:41 <DIR> d-------- C:\Program Files\Activision
    2008-04-04 18:37 . 2008-04-04 18:37 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2008-04-04 18:36 . 2008-04-04 18:36 <DIR> d-------- C:\Program Files\CyberLink
    2008-04-04 18:36 . 2008-04-04 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-04-04 18:27 . 2008-04-09 21:30 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000008-10011102}.BAK
    2008-04-04 18:27 . 2008-04-09 21:30 30,624 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
    2008-04-04 18:27 . 2008-04-09 21:30 30,624 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
    2008-04-04 18:27 . 2008-04-09 21:30 29,772 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
    2008-04-04 18:27 . 2008-04-09 21:30 29,772 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
    2008-04-04 18:27 . 2008-04-09 21:30 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
    2008-04-04 18:27 . 2008-04-09 21:30 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
    2008-04-04 18:27 . 2008-04-09 21:30 1,080 --a------ C:\WINDOWS\system32\settings.sfm
    2008-04-04 18:24 . 2008-04-04 18:24 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Creative
    2008-04-04 18:23 . 2008-04-04 18:24 <DIR> d-------- C:\WINDOWS\system32\Data
    2008-04-04 18:23 . 2008-04-04 18:26 <DIR> d-------- C:\Program Files\Creative
    2008-04-04 18:23 . 2006-08-11 16:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
    2008-04-04 18:23 . 2006-08-11 15:57 11,776 --a------ C:\WINDOWS\INRES.DLL
    2008-04-04 18:23 . 2006-08-11 15:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
    2008-04-04 18:23 . 2006-08-11 15:56 3,072 --a------ C:\WINDOWS\CTXFIRES.DLL
    2008-04-04 18:23 . 2006-08-11 15:32 191 --a------ C:\WINDOWS\system32\ctzapxx.ini
    2008-04-04 18:09 . 1998-10-02 20:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
    2008-04-04 18:09 . 2001-09-06 01:00 86,330 --a------ C:\WINDOWS\system32\drivers\IdeChnDr.sys
    2008-04-04 18:09 . 2001-09-06 01:00 41,022 --a------ C:\WINDOWS\system32\IPrtCnst.dll
    2008-04-04 18:09 . 2001-09-06 01:00 13,366 --a------ C:\WINDOWS\system32\drivers\IdeBusDr.sys
    2008-04-04 18:07 . 2008-04-04 18:09 <DIR> d-------- C:\Program Files\Intel
    2008-04-04 18:07 . 2008-04-08 18:40 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-04-04 18:07 . 2008-04-04 18:58 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-04-04 18:04 . 2008-04-04 18:04 13,588 --a------ C:\WINDOWS\system32\wpa.bak
    2008-04-04 18:02 . 2008-04-04 18:02 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2008-04-04 18:02 . 2008-04-04 18:02 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-05 00:58 --------- d-----w C:\Program Files\microsoft frontpage
    .
     
  7. Frostbrand

    Frostbrand TS Rookie Topic Starter

    And the rest of the ComboFix log.
     
  8. Frostbrand

    Frostbrand TS Rookie Topic Starter

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-04 18:58 282624]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SysCheck"= {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll [ ]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

    S1 zeqbqwp;zeqbqwp;C:\WINDOWS\zeqbqwp.sys []

    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-09 21:31:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-09 21:33:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-10 04:33:52
    Pre-Run: 56,684,195,840 bytes free
    Post-Run: 56,617,791,488 bytes free
    .
    2008-04-07 09:00:29 --- E O F ---
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Can you get me the ComboFix log as an attachment?

    When you click Reply, click the paperclip icon and navigate to C:\Combofix.txt.
     
  10. Frostbrand

    Frostbrand TS Rookie Topic Starter

    Here is the combofix log.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It looks like a lot of things have been removed from your registry.


    CFScript

    Open Notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also:

    Pay particular attention to this:

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.



    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Run Kaspersky Online AV Scanner

    In order to use it, you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
     
Topic Status:
Not open for further replies.
