Smitfraud Virus also

Status
Not open for further replies.
I did not have a system folder in C:\windows\system32, also I had a rbj35v46.ini but no .exe file , did you want me to delete the ini file? Attached is my hjt log.
 
Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Now try to navigate to and delete:
C:\WINDOWS\SYSTEM32\system\chkdsk.exe <-Should be at the bottom of the system folder, out of alpha order - right click to check properties (Not a Microsoft file)
 
I was already set to Show hidden files and folders and Turn Hide protected operating system files off. Double checked and still can not see a system folder in windows\system32.
 
It came up with 3 areas that had chkdsk.exe

c:\I386
c:\windows\system32
c:\windows\system32\dllcache <--in blue text
 
Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file c:\windows\system32\dllcache\chkdsk.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
 
Here are the results:
Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.02 -
AntiVir 7.8.0.11 2008.05.05 -
Authentium 4.93.8 2008.05.05 -
Avast 4.8.1169.0 2008.05.05 -
AVG 7.5.0.516 2008.05.05 -
BitDefender 7.2 2008.05.06 -
CAT-QuickHeal 9.50 2008.05.05 -
ClamAV 0.92.1 2008.05.06 -
DrWeb 4.44.0.09170 2008.05.05 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5760 2008.05.05 -
Ewido 4.0 2008.05.05 -
F-Prot 4.4.2.54 2008.05.05 -
F-Secure 6.70.13260.0 2008.05.05 -
Fortinet 3.14.0.0 2008.05.05 -
Ikarus T3.1.1.26 2008.05.06 -
Kaspersky 7.0.0.125 2008.05.06 -
McAfee 5288 2008.05.05 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3076 2008.05.05 -
Norman 5.80.02 2008.05.05 -
Panda 9.0.0.4 2008.05.05 -
Prevx1 V2 2008.05.06 -
Rising 20.43.02.00 2008.05.05 -
Sophos 4.29.0 2008.05.05 -
Sunbelt 3.0.1097.0 2008.05.03 -
Symantec 10 2008.05.05 -
TheHacker 6.2.92.300 2008.05.03 -
VBA32 3.12.6.5 2008.05.05 -
VirusBuster 4.3.26:9 2008.05.05 -
Webwasher-Gateway 6.6.2 2008.05.05 -
Additional information
File size: 11776 bytes
MD5...: 5f7eaaf5d10e2a715d5e305ac992b2a7
SHA1..: 4c30315b9c16106b542f088921888d83d3f185f7
SHA256: d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50
SHA512: 309f484cc02794f44140869112a743c5444a16f245a82dfd5c704bcf24feb8a0b43626afa7d339563bbdc54b2fd933b648fc702dcfc444586d303cdc2880daa7
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100257e
timedatestamp.....: 0x3b7d8420 (Fri Aug 17 20:52:48 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2268 0x2400 6.06 ee548eaecacdea04897d17f6a085f67c
.data 0x4000 0x20 0x200 0.02 9475a59226943a3ad422e18169989f66
.rsrc 0x5000 0x3d8 0x400 3.27 89bcbd8e89f2582f9479224d4b0e99b2


( 0 exports )
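The VirusTotal report above lists the COFF header fields (machine type, section count, link timestamp) and the file hashes. As an added example, not code from the thread or from VirusTotal, the Python below reads those same fields from a PE image and hashes it, so the two chkdsk.exe copies (system32 and dllcache) can be compared offline; the PE bytes are constructed here to carry the values the report shows.

```python
import hashlib
import struct
from datetime import datetime, timezone


def build_sample_pe() -> bytes:
    """Constructed stand-in for the start of a PE file: a DOS header whose e_lfanew
    (offset 0x3C) points at the "PE\\0\\0" signature, then the 20-byte COFF header.
    The COFF values mirror the report above: Machine 0x14c (I386), 3 sections,
    TimeDateStamp 0x3b7d8420. Nothing else of a real PE is present."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x3B7D8420, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


def coff_header(data: bytes) -> dict:
    """Parse machine type, section count and link timestamp from an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    # TimeDateStamp is seconds since the Unix epoch (UTC); same format as the report
    built = datetime.fromtimestamp(stamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    return {"machine": machine, "sections": nsections, "timestamp": stamp, "built": built}


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes, the three hashes VirusTotal prints."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def same_binary(a: bytes, b: bytes) -> bool:
    """True when two copies (e.g. system32\\chkdsk.exe and dllcache\\chkdsk.exe) are
    byte-identical; a mismatch means the in-use copy differs from the protected cache."""
    return digests(a)["sha256"] == digests(b)["sha256"]


if __name__ == "__main__":
    sample = build_sample_pe()
    print(coff_header(sample))
    print(digests(sample))
    print("copies match:", same_binary(sample, sample))
```

On a real machine you would pass `open(path, "rb").read()` for each copy instead of the constructed bytes.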
 
Good Deal.

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

-------------------------------------------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Combofix actually quarantined the file that we were looking for.

Launch Spybot S&D -> Click on the recovery Icon -> Highlight everything and select Purge All

------------------------------------------------------------

Run Avenger (May say invalid script, let it run)
  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\WINDOWS\SYSTEM32\i2q432ui.ini
C:\WINDOWS\SYSTEM32\IEDFix.exe

Folders to delete:
C:\QooBox

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Attach the log back here please. (it can also be found at C:\avenger.txt)
 
Took me a few times to figure out it needed to be just as you wrote it in your message and not one long sentence. It only rebooted once, the file is attached.


I ran it again with only:

Folders to delete:
C:\QooBox

in the script box, it looks like it deleted it the second time around, Avenger2.txt is the log from the second attempt.
 
Let's clean up a bit, set a new restore point, then run one more Kaspersky scan

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2


Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.


Run Kaspersky again, it should be a little bit faster. If it's all clean we can finish up
 
Kaspersky log attached, it did not find anything. What about the rundll error at boot...says "error loading ptmg1v.dll the specified module could not be found? This started happening after one of the instructions I followed.
 
Launch HijackThis, run a scan and show me the log, but if the following entry is there you can go ahead and fix it.

O4-HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
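The boot-time "error loading ptmg1v.dll" happens because the DLL was removed during cleanup while its Run entry stayed behind. As an added example, not code from the thread or from HijackThis, this Python parses O4 lines and reports rundll32 entries whose DLL is not present; the log lines are constructed (the PTRGMYGK line is the one quoted above, the others are made-up benign entries) and file presence is injected so it runs offline.

```python
import re

# Constructed sample HijackThis output (not a real log from this thread)
SAMPLE_HJT_LOG = r"""
O4-HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 lines: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4\s*-\s*(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[\w-]*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def parse_o4(line: str):
    """Return the hive, key, value name and command of an O4 entry, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll32_target(cmd: str):
    """DLL loaded by a rundll32 command line (syntax: rundll32 <dll>,<entry> [args]),
    or None when the command is not rundll32."""
    parts = cmd.split(None, 1)
    if len(parts) < 2 or parts[0].lower() not in ("rundll32", "rundll32.exe"):
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def find_orphaned_rundll32(log_text: str, present):
    """Entries (value name, dll) whose rundll32 target is not in `present`, a set of
    lower-cased file names known to exist (injected in place of os.path.exists)."""
    orphans = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if not entry:
            continue
        dll = rundll32_target(entry["cmd"])
        if dll and dll.lower() not in present:
            orphans.append((entry["name"], dll))
    return orphans


if __name__ == "__main__":
    for name, dll in find_orphaned_rundll32(SAMPLE_HJT_LOG, {"bthprops.cpl"}):
        print(f"orphaned Run entry [{name}] -> missing {dll}")
```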
 
Attached is the hjt log, and as you guessed it was there and I checked it and pressed fix, after reboot it has not come up again. So...are we done now or is there more I need to do? I really appreciate you working with me on this.
 
You should be good, unless you have any more questions or problems.

You have a nice clean restore point set, and from what I can see you are clean.

Regards,

BD
 