Accidentally got smitfraud, fixes not working

Status
Not open for further replies.

Frostbrand

Yeah, I just got it a few hours ago. I researched it, got the latest fix for it, and ran it in safe mode; it seems to have helped, but it's still there. Here's my log; any help would be appreciated.



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:17:01 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\upkratqh\olwfctyt.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Patrick\cftmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Patrick\Desktop\HiJackThis_v2.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: (no name) - {14c6cf56-ae83-4dc6-ac56-9a5c3cc01561} - C:\WINDOWS\system32\xxyvtrop.dll
O2 - BHO: (no name) - {24e9519b-3f70-429b-99bc-4b2b49b96f66} - C:\WINDOWS\system32\byXNdcYq.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Patrick\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [csvEQGKwHc] C:\Documents and Settings\All Users\Application Data\upkratqh\olwfctyt.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: byxndcyq - C:\WINDOWS\SYSTEM32\byXNdcYq.dll
O21 - SSODL: SysCheck - {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 4169 bytes
 
Looks like you have more than just smitfraud. But let's start at the beginning.

Please go to Add/Remove Programs and uninstall HijackThis, then follow the steps below.

Incorrect HJT version installed or wrong folder
  • Please uninstall your current version of HJT (This can be done through Control Panel => add/remove programs icon => highlight HJT => select change/uninstall button)
  • The LATEST version of HJT (currently v2.0.0.2) can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory. If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools. If you run Hijackthis from the desktop, the files it removes will not be backed up properly.
  • Please close the HJT until after the following step.
  • Open your Program Files folder and rename hijackthis.exe to something.exe; this is because some malware can hide from hijackthis.exe. Right-click the HijackThis.exe file and choose Rename to do this.
  • Now you are ready to run HJT. Open it using the icon on your desktop, select Scan now and save a log.
  • After the scan is complete please attach your log onto the forums.
    ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so***
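As an added illustration (not part of this thread, and not a tool the helper used), the script below runs a few of the checks a log reader applies by eye over the suspicious entries from the first HijackThis log above, re-entered here as a constructed sample with two benign lines (QuickTime, ATI) kept as controls: executables launched from Temp, from a profile root or from All Users\Application Data; file names within one or two characters of a real system binary (cftmon.exe vs ctfmon.exe, winlogan.exe vs winlogon.exe, spools.exe vs spoolsv.exe); an alternate data stream on a service path (svchost.exe:ext.exe); a BHO with no name; an autostart whose file is missing; and random-looking names. The thresholds and the SYSTEM_BINARIES list are my own choices, not anything HijackThis itself does.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {14c6cf56-ae83-4dc6-ac56-9a5c3cc01561} - C:\WINDOWS\system32\xxyvtrop.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Patrick\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [csvEQGKwHc] C:\Documents and Settings\All Users\Application Data\upkratqh\olwfctyt.exe
O20 - Winlogon Notify: byxndcyq - C:\WINDOWS\SYSTEM32\byXNdcYq.dll
O21 - SSODL: SysCheck - {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll (file missing)
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Names malware likes to imitate (my own list); lookalike = edit distance 1-2 from one of these.
SYSTEM_BINARIES = {"ctfmon.exe", "winlogon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "smss.exe", "csrss.exe", "explorer.exe", "rundll32.exe"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path on the line, plus an optional alternate data stream suffix (":name").
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|sys))(?P<ads>:[\w.]+)?", re.IGNORECASE)
RUNKEY_RE = re.compile(r"\[([^\]]+)\]")
PROFILE_ROOT_RE = re.compile(r"^c:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+$")


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(name):
    """Crude stand-in for an entropy test: long names with almost no vowels, or long
    letter/digit runs, are typical of generated file names and Run-key names."""
    stem = name.split(".")[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) >= 8 and sum(c.lower() in "aeiou" for c in letters) / len(letters) <= 0.2:
        return True
    return len(stem) >= 12 and re.fullmatch(r"[A-Za-z]+\d+[A-Za-z0-9]+", stem) is not None


def triage_entry(line):
    """Return the reasons one HJT entry deserves a second look (empty list = nothing seen)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO with no name")
    if "(file missing)" in body:
        reasons.append("file missing")
    pm = PATH_RE.search(body)
    if pm:
        path, ads = pm.group("path"), pm.group("ads")
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if ads:
            reasons.append("alternate data stream " + ads)
        if "\\temp\\" in low:
            reasons.append("runs from a Temp directory")
        if PROFILE_ROOT_RE.match(low):
            reasons.append("executable in a user profile root")
        if "\\all users\\application data\\" in low:
            reasons.append("runs from All Users\\Application Data")
        nearest = min(SYSTEM_BINARIES, key=lambda s: edit_distance(base, s))
        if 1 <= edit_distance(base, nearest) <= 2:
            reasons.append("lookalike of system binary " + nearest)
        if looks_random(base):
            reasons.append("random-looking file name " + base)
    km = RUNKEY_RE.search(body)
    if km and looks_random(km.group(1)):
        reasons.append("random-looking Run key name " + km.group(1))
    return reasons


def triage(log_text):
    """List (line, reasons) for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = triage_entry(line.strip())
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

This is a triage aid, not a verdict: every hit still needs a human to confirm it, and the vowel heuristic would also trip on PnkBstrA.exe (PunkBuster), which is legitimate and appears in the same log. On the sample, the eight malicious entries are flagged and the two control lines come back clean.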
 
I ran MBAM and had it remove what it found and let it reboot, but TeaTimer is still going off, so I believe that the smitfraud is still there, but I don't see how to send the log. Thanks for your help. I updated my HJT; here is the new log.


--------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:53 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Frostbrand.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Patrick\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: SysCheck - {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2513 bytes
 
To attach the MBAM log, it is saved at:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Is that the whole HijackThis log? It seems small. Did you already fix entries?
--------------------------------------------------------------------------------------------------------
Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
-----------------------------------------------------------------------------------------------

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
I only fixed what MBAM had selected, and strangely enough it still doesn't seem to be creating a log in that folder; it's like it doesn't exist. Anyway, here are the logs after running ComboFix, MBAM, ATF Cleaner and HJT. I had to remove the first 3 entries of the HJT log because the forum settings don't allow me to post links, but they seemed to be from Internet Explorer and irrelevant anyway. Thanks for your time. --Scratch that. I now have 5 posts and can post the full HJT log. Full log as follows.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:54 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Frostbrand.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Patrick\cftmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2662 bytes
 
ComboFix 08-04-09.8 - Patrick 2008-04-09 21:29:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702 [GMT -7:00]
Running from: C:\Documents and Settings\Patrick\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\aJkmonpo.ini
C:\WINDOWS\system32\aJkmonpo.ini2
C:\WINDOWS\system32\byXNdcYq.dll
C:\WINDOWS\system32\urqRKAPJ.dll
C:\WINDOWS\system32\xxyvtrop.dll

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-09 21:00 . 2008-04-09 21:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 20:37 . 2008-04-09 20:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 20:37 . 2008-04-09 20:37 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Malwarebytes
2008-04-09 20:37 . 2008-04-09 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 19:47 . 2008-04-09 20:07 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-04-09 19:29 . 2008-04-09 19:29 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Symantec
2008-04-09 19:29 . 2008-04-09 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-09 19:00 . 2008-04-09 19:00 <DIR> d-------- C:\WINDOWS\resources
2008-04-09 18:53 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-09 18:53 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-09 18:13 . 2008-04-09 18:14 153 --a------ C:\WINDOWS\wininit.ini
2008-04-09 16:23 . 2008-04-09 18:56 1,464 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-09 16:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-09 16:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-09 16:22 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-09 16:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-09 16:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-09 16:15 . 2008-04-09 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-09 14:56 . 2008-04-09 14:56 <DIR> d-------- C:\Program Files\RegCleaner
2008-04-09 14:43 . 2008-04-09 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\upkratqh
2008-04-09 14:41 . 2008-04-09 21:03 10,000 --------- C:\WINDOWS\system32\jfiehayd.dll
2008-04-09 14:41 . 2008-04-09 19:42 49 --a------ C:\smp.bat
2008-04-09 14:41 . 2008-04-09 14:41 2 --a------ C:\-58967882
2008-04-09 14:25 . 2008-04-09 14:25 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-04-09 13:55 . 2008-04-09 13:55 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\DAEMON Tools
2008-04-09 13:55 . 2008-04-09 13:55 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-09 13:52 . 2003-03-16 00:15 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-04-09 12:50 . 2008-04-09 14:37 <DIR> d-------- C:\Program Files\SoldnerSecretWars
2008-04-08 18:40 . 2008-04-08 19:18 <DIR> d-------- C:\Program Files\WarRock
2008-04-08 18:40 . 2008-04-08 18:40 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\InstallShield
2008-04-08 05:33 . 2008-04-08 05:34 <DIR> d-------- C:\Program Files\WinAce
2008-04-07 18:06 . 2008-04-07 18:06 <DIR> dr-h----- C:\Documents and Settings\Patrick\Application Data\SecuROM
2008-04-07 18:06 . 2008-04-07 18:06 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-07 17:58 . 2008-04-07 17:58 <DIR> d-------- C:\Program Files\CAPCOM
2008-04-07 02:00 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-06 02:35 . 2008-04-06 02:35 <DIR> d-------- C:\Program Files\OGPlanet
2008-04-04 22:10 . 2008-04-04 22:10 1,167 --a------ C:\WINDOWS\mozver.dat
2008-04-04 20:16 . 2008-04-04 20:16 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-04 19:48 . 2008-04-04 19:51 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-04 19:20 . 2008-04-04 19:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-04 19:20 . 2008-04-04 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 19:16 . 2008-04-04 19:16 <DIR> d-------- C:\Program Files\ATI Technologies
2008-04-04 19:16 . 2008-01-22 15:42 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-04-04 19:12 . 2008-04-04 19:12 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Talkback
2008-04-04 19:12 . 2008-04-04 19:12 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-04 19:07 . 2008-04-06 01:31 <DIR> d-------- C:\Program Files\Winamp
2008-04-04 19:00 . 2008-04-04 19:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-04 18:58 . 2008-04-04 18:59 <DIR> d-------- C:\Program Files\QuickTime
2008-04-04 18:58 . 2008-04-04 18:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-04 18:58 . 2008-04-08 20:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 18:58 . 2008-04-04 18:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-04 18:51 . 2008-04-04 18:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-04 18:51 . 2008-04-08 19:01 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-04-04 18:51 . 2008-04-08 05:34 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-04-04 18:51 . 2008-04-08 19:01 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-04 18:51 . 2008-04-04 18:51 22,328 --------- C:\Documents and Settings\Patrick\Application Data\PnkBstrK.sys
2008-04-04 18:51 . 2008-04-04 18:51 319 --a------ C:\WINDOWS\game.ini
2008-04-04 18:41 . 2008-04-04 18:41 <DIR> d-------- C:\Program Files\Activision
2008-04-04 18:37 . 2008-04-04 18:37 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-04 18:36 . 2008-04-04 18:36 <DIR> d-------- C:\Program Files\CyberLink
2008-04-04 18:36 . 2008-04-04 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-04 18:27 . 2008-04-09 21:30 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000008-10011102}.BAK
2008-04-04 18:27 . 2008-04-09 21:30 30,624 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
2008-04-04 18:27 . 2008-04-09 21:30 30,624 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
2008-04-04 18:27 . 2008-04-09 21:30 29,772 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
2008-04-04 18:27 . 2008-04-09 21:30 29,772 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
2008-04-04 18:27 . 2008-04-09 21:30 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000004-00001102-00000008-10011102}.rfx
2008-04-04 18:27 . 2008-04-09 21:30 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-04-04 18:27 . 2008-04-09 21:30 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-04-04 18:24 . 2008-04-04 18:24 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Creative
2008-04-04 18:23 . 2008-04-04 18:24 <DIR> d-------- C:\WINDOWS\system32\Data
2008-04-04 18:23 . 2008-04-04 18:26 <DIR> d-------- C:\Program Files\Creative
2008-04-04 18:23 . 2006-08-11 16:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
2008-04-04 18:23 . 2006-08-11 15:57 11,776 --a------ C:\WINDOWS\INRES.DLL
2008-04-04 18:23 . 2006-08-11 15:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-04-04 18:23 . 2006-08-11 15:56 3,072 --a------ C:\WINDOWS\CTXFIRES.DLL
2008-04-04 18:23 . 2006-08-11 15:32 191 --a------ C:\WINDOWS\system32\ctzapxx.ini
2008-04-04 18:09 . 1998-10-02 20:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-04-04 18:09 . 2001-09-06 01:00 86,330 --a------ C:\WINDOWS\system32\drivers\IdeChnDr.sys
2008-04-04 18:09 . 2001-09-06 01:00 41,022 --a------ C:\WINDOWS\system32\IPrtCnst.dll
2008-04-04 18:09 . 2001-09-06 01:00 13,366 --a------ C:\WINDOWS\system32\drivers\IdeBusDr.sys
2008-04-04 18:07 . 2008-04-04 18:09 <DIR> d-------- C:\Program Files\Intel
2008-04-04 18:07 . 2008-04-08 18:40 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-04 18:07 . 2008-04-04 18:58 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-04 18:04 . 2008-04-04 18:04 13,588 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-04 18:02 . 2008-04-04 18:02 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-04 18:02 . 2008-04-04 18:02 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 00:58 --------- d-----w C:\Program Files\microsoft frontpage
.
 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-04 18:58 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysCheck"= {025e2dcd-0f33-499c-946c-338bbcf45df9} - C:\WINDOWS\Resources\SysCheck.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

S1 zeqbqwp;zeqbqwp;C:\WINDOWS\zeqbqwp.sys []

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 21:31:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-09 21:33:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 04:33:52
Pre-Run: 56,684,195,840 bytes free
Post-Run: 56,617,791,488 bytes free
.
2008-04-07 09:00:29 --- E O F ---
 
Can you get me the ComboFix log as an attachment?

When you click Reply, click the paperclip icon and navigate to C:\Combofix.txt.
 
It looks like a lot of things have been removed from your registry.


CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also...

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
File::
C:\WINDOWS\system32\jfiehayd.dll

Folder::
C:\-58967882
C:\Documents and Settings\All Users\Application Data\upkratqh

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif, dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.



Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 