Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » October 21st, 2008, 10:52 pm

No one's admittin it, but someone had to get on bit toreent because it's in HJT log. My Mom learned from here a little about HJT logs. She said smitfraud is over her head. It all started last night when my Dad did a google search and a popup maybe from windows, not 'net, said we had a virus. He doesn't know about computers, he closed it. Then today, Spybot popped up and said Smitfraud was quarantened. Then the right lower part of the screen had a red heart I guess with a white X and it said we were infected. Malwarebytes showed Trojan fake alert, backdoor, and rootkit. Malwarebytes couldn't clean everything. My Mom saw that the firewall was missing and installed Commodo. It scanned and found the 2 win32.small.gjm files I guess. I don't know if it fixed them or not. Then a gray box in the middle of the screen says that some of the files Windows needs have been altered. lots of alerts that I denied change in Spybot. I canceled the gray box and restarted. updated and ran spybot and it seems clean. My Mom isn't so sure, so that's why I'm here and we're all in trouble for bit torrent until someone confesses. Oh and she saiys the F3 is bad news, too. Thanx for the help. motoaaron

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:42 PM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8148 bytes
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm
Advertisement
Register to Remove

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » October 22nd, 2008, 5:45 am

Hi,

Welcome to the MWR forums. My name is muuli. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » October 22nd, 2008, 10:18 am

Hi,

Step 1

Disable Teatimer...
  1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

Step 2

With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue:

  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate BitTorrent DNA and click on the Change/Remove button to uninstall it.
  3. Close Add/Remove Programs and Control Panel when done.

Open HijackThis, press Do a system scan only, checkmark following entry:
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
Close all other windows including browser and press Fix checked.

Press Start -> My Computer -> Local Disk (C)
Locate the following folder using the path below. If found please delete.
C:\Program Files\DNA

If you can't delete that folder, please reboot the computer and try again.

Step 3

Please produce uninstall list:
  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.

Step 4

Please post a fresh HijackThis log and uninstall list.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » October 22nd, 2008, 1:13 pm

Thanx for the help. Thats whats so weird. We went to Program files and there isn't a bit torrent or dna bit torrent. I have my hidden files showing too. In add or remove programs it isn't listed either. We keep telling my mom that we didn't go there. I was thinkin that maybe something I did in TuneUp utilities 2007 could have found some kinda ref to bit torrent back when my brother used it (it was uninstalled a year or so ago when he got caught getting songs). but it wasn't a dna bit torrent that got removed, it was some other kind of torrent, maybe comet or something, so the dna part seems like it would be new and recent. What do I do since its not there to uninstall?

So I go to do step 1 and there is no teatimer thing in the tray either. What do I need to do about that? i think my mom uninstalled spybot last night and reinstalled. oh, she said that it wouldn't update. It got half way through update and then would say there are no new updates. Didn't trust it so uninstalled and reinstalled. Now it updates right.

Do you want to me to do the other things since I can't do the first 2? does it matter about what order? oh, and malware bytes has the files all in quarantine and avg's daily scan shows trojan horse.agentAACZ and adware generic3.yjg in temp files in the virus vault with today's date.

thanx hey here is an hjt log since we're sure you need that again. I didn't do anything on step 1 or 2 except look in program files and add or remove programs, so it looks like i ended up doing steps 3 and 4 I guess you'll let me know if I messed up. thanx

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AnswerWorks 4.0 Runtime - English
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI Display Driver (Omega 2.6.87)
AVG Free 8.0
Bonjour
COMODO Firewall Pro
COMODO SafeSurf
DAEMON Tools
Diskeeper Professional Premier Edition
DivX Converter
DivX Player
DivX Web Player
EA Download Manager
EA SPORTS online 2007
FLV Player 2.0, build 24
Google Earth
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
iTunes
Java DB 10.2.2.0
Java(TM) 6 Update 3
Java(TM) SE Development Kit 6 Update 3
Kaspersky Online Scanner
LimeWire 4.16.6
Madden NFL 07
Malwarebytes' Anti-Malware
Math Blaster Algebra
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Millie's Math House (Remove only)
Mozilla Firefox (3.0.3)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Musicmatch® Jukebox
NVIDIA nForce Drivers
OpenOffice.org 2.0
PCI Audio Driver
Picasa 3
Power Tab Editor 1.7
QuickTime
Radeon Omega Drivers v2.6.87 Setup Files and Tools
RealPlayer
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Sniper Elite Demo
Snoopy vs. The Red Baron(TM)
Spybot - Search & Destroy
SpywareBlaster 4.1
Star Wars Jedi Knight Jedi Academy
Star Wars Jedi Knight Jedi Academy Demo
Star Wars JK II Jedi Outcast
TrainPlayer 3.1
TuneUp Utilities 2007
TurboTax Basic 2007
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WingMan Software
WinPcap 4.0
WM Recorder 11.3
Wolfenstein - Enemy Territory
ZipGenius 6 (6.0.2.1041)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:54 PM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8143 bytes

I gotta get back to school (lunch). Thanx for all the help man.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » October 24th, 2008, 4:26 am

Hi,

motoaaron wrote:What do I do since its not there to uninstall?

Looks like that BitTorrent DNA is uninstalled from your computer... there's only one HjT entry about it.

motoaaron wrote:So I go to do step 1 and there is no teatimer thing in the tray either. What do I need to do about that?

You don't need to do anything yet, Teatimer isn't running now.

You have also Limewire(P2P software).

  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate LimeWire 4.16.6 and click on the Change/Remove button to uninstall it.
  3. Close Add/Remove Programs and Control Panel when done.

Please fix following entry...
Open HijackThis, press Do a system scan only, checkmark following entry:
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
Close all other windows including browser and press Fix checked.

Please post a fresh HijackThis log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » October 24th, 2008, 7:55 pm

I can't delete it yet. We want to know if there is a way we can find out when it was installed. If we delete it, we lose the evidence. And is there any way to make a computer P2P immune ie it won't be able to go to P2P places and install? House rules are no P2P, and it keeps gettin installed by someone every so many months or once a year etc etc etc etc thanx

edit: someone confessed

OK, I deleted limewire. I would still like to know about blocking p2p sites. AVG caught Trojan horse GEneric 11BIJJ and dropper.bravix.j (3 times). Heres the hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:45 AM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8216 bytes
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » October 28th, 2008, 1:15 am

Hi,

motoaaron wrote:And is there any way to make a computer P2P immune ie it won't be able to go to P2P places and install?

I'm sorry but I don't know any program which can do that... But you can produce more user accounts in the windows and sets lower priviledges for them, this means that admin can install softwares etc. but those other accounts can't. Please check this link, http://support.microsoft.com/kb/279783

If you already have Smitfraudfix, please delete this copy and download it again as it's being updated regularly.

Please download SmitFraudFix.exe by S!Ri and save it to the desktop.

If you can't download it, please download it from these alternative sites:

From Geekstogo
From Security Cadets
From Zebulon

  1. Double click on SmitfraudFix.exe.
  2. Press 1 then hit the Enter key.
  3. It will create a report named rapport.txt, usually at C drive.
  4. Please post back this log in your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Read more here
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » October 28th, 2008, 11:55 pm

I'm running it right now. It is really, really SLOW and access was denied when scanning IEDFix. Was my firewall supposed to be off? It's alerting on tons of things. I don't know what I'm allowing. swreg.exe is constantly coming up now. I'm thinkin it aint gonna make it throug this. My commmodo window quit responding (I'm on here on another computer). Let me know if I'm messing up. If it makes it through without stalling / crashing, I will edit this with the rapport.txt Thanks for the help.

It finished. After that commodo quit responding to anything. I had to restart and then start commodo again by clicking it in programs. I noticed that in the virus vault there is a new virus from this morning's scan - Win32Cryptor I also notice after the restart that I have spybot down in the tray now. Should I close spybot and should I clean out the virus vault of AVG? Also cmdagent (commodo) show it taking about 11,000 K now, but during the Smitfraud fix run it was over 10 times that size and it was running constantly. Do I need to reinstall it or do you think it's alrigh now? This computer is so SLOW right now. Does it mean that the other computers on the network are infected, too? Thnx for the help. Here's the log:

SmitFraudFix v2.368

Scan done at 22:06:15.73, Tue 10/28/2008
Run from C:\Documents and Settings\Aaron Morgan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 http://www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aaron Morgan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aaron Morgan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AARONM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\karna.dat"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK

xpdt detected, use a Rootkit scanner
huy32 detected, use a Rootkit scanner


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE720297-240C-48AA-A46A-657689230769}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE720297-240C-48AA-A46A-657689230769}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE720297-240C-48AA-A46A-657689230769}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

edit, edit: thanx for the info about user accounts, but with the little kiddies around here yo yo pops keeps the password. User accounts let you see/change the pw. we have deleted history now, what would happen then? thanx tho.

I've been thinking. If there are two rootkits installed, shouldn't I reformat and reinstall windows? How can we know if I am clean when we're done? Thanks again.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » October 30th, 2008, 7:58 am

Hi,

motoaaron wrote:Should I close spybot and should I clean out the virus vault of AVG?

We will disable Spybot teatimer, and when computer is clean, then we re-enable it.
motoaaron wrote:Do I need to reinstall it or do you think it's alrigh now?

It is alright, you don't need to reinstall it.
motoaaron wrote:Does it mean that the other computers on the network are infected, too?

No, it doesn't mean that.
motoaaron wrote:If there are two rootkits installed, shouldn't I reformat and reinstall windows?

Yep, you have rootkit... and it is you decision that do you want to reformat and reinstall windows. Let me know your decision... if you want to continue, run RustBFix below and post the logs.

Step 1

  1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

Step 2

Download RustBFix from one of the following locations...

http://www.uploads.ejvindh.net/rustbfix.exe

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles here.

Step 3

Please post RustBFix logs and a fresh HijackThis log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » October 30th, 2008, 10:52 pm

I did what you said about Spybot, but it still looks the same. When I right click it, it doesn't have a check by it. I'm continuing on the list now. Thanx for the help.

OK, I restarted and downloaded the Rust one. Here is the log:

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Thu 10/30/2008 22:12:41.00

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:58, on 10/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\motoaaron.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7885 bytes

That 20 line is the problem, isn't it? Also after I restarted, immediately the firewall wanted to update. I didn't let it. Also windows said it was updating! I'm thinkin everyting is a rootkit controlled thing right now. its got me paranoid. My Mom won't let me delete the stuff in AVG virus vault, what do you think? It's got all round bad buys like trojans and viruses in there. My thinking is to don't let them hang around the computer. Her thinking is keep them until we are clean since we know what the name is.

Are you still with me? The computer is extremely slow and getting slower all the time. I'm concerned that it's wrecking my computer. Thanks for your help.
Last edited by motoaaron on November 4th, 2008, 1:01 am, edited 1 time in total.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » November 4th, 2008, 12:59 am

Hi,

motoaaron wrote:That 20 line is the problem, isn't it?

Yes, it's one problem... but looks like that it doesn't the worst problem at this time.

motoaaron wrote:My Mom won't let me delete the stuff in AVG virus vault, what do you think?

I think that you shouldn't remove them.

  1. Please download gmer.zip and save it to your desktop.
  2. Right click on gmer.zip and select Extract All....
  3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  4. Click on the Browse button. Click on Desktop. Then click OK.
  5. Click Next. It will start extracting.
  6. Once done, check (tick) the Show extracted files box and click Finish.
  7. Double click on gmer.exe to run it.
  8. It will start scanning. Please be patient.
  9. Select Rootkit/Malware tab.
  10. On your right, check (tick) all the boxes and click Scan.
  11. This will start a deep scan. Please be patient.
  12. Click on Save... to save a log to a convenient location.
  13. Click OK to exit.
  14. Post that log in your next reply.

After Gmer has exited, please open Command Prompt (Start > Run and enter in cmd.exe)

Type in net stop gmer and press Enter. If you receive an error, please ignore it. This means that Gmer has unloaded itself.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » November 5th, 2008, 3:40 am

Thanks for gettin back with me. None of it worked like the instructions. There wasn't an extract all, so I unzipped regular to the desktop, and then all I could do was click the unzipped file. It immediately started scanning and then told me that my files were altered would I like to scan. I clicked yes and it started scanning again. All the boxes are checked to the side, but they don't line up with Show Extracted Files. Here is the log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-05 01:42:35
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xBAFEB7B6]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF7520818]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xBAFEAD16]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xBAFEB372]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xBAFEBF80]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF7514A20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xBAFEAA70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xBAFECC70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xBAFEB99C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xBAFEA646]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xBAFEBBEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xBAFEBD9A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xBAFEA4F8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF75152A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF7520910]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xBAFEC8F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xBAFEAF5C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xBAFEB5AA]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF7520794]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xBAFEA228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xBAFEB1EC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xBAFEA3A0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF75152C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF7520866]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xBAFEC346]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xBAFEAB8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xBAFEC6AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xBAFECAA0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF75200B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xBAFEC146]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xBAFEAEF6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xBAFEB0E0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xBAFEA93A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xBAFEA808]

INT 0x62 ? 88B6CBF8
INT 0x63 ? 888A0BF8
INT 0x73 ? 888A0BF8
INT 0x82 ? 88B6CBF8
INT 0x83 ? 888A0BF8

---- Kernel code sections - GMER 1.0.14 ----

? spzr.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F72738AC 5 Bytes JMP 888A01D8

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 88BDB2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F758293C] spzr.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7582990] spzr.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 888A02D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7562D92] spzr.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 88BD71F8

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdHlp \Device\CFPTcpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBPDO-0 8885C1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 88BD91F8
Device \Driver\dmio \Device\DmControl\DmConfig 88BD91F8
Device \Driver\dmio \Device\DmControl\DmPnP 88BD91F8
Device \Driver\dmio \Device\DmControl\DmInfo 88BD91F8
Device \Driver\usbohci \Device\USBPDO-1 8885C1F8
Device \Driver\usbehci \Device\USBPDO-2 888E71F8
Device \Driver\cmdHlp \Device\CFPRawFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\CFPUdpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 88B6D1F8
Device \Driver\Cdrom \Device\CdRom0 887E3620
Device \FileSystem\Rdbss \Device\FsWrap 886D4948
Device \Driver\Cdrom \Device\CdRom1 887E3620
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 887E3728
Device \Driver\atapi \Device\Ide\IdePort0 887E3728
Device \Driver\atapi \Device\Ide\IdePort1 887E3728
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 887E3728
Device \Driver\NetBT \Device\NetBt_Wins_Export 88466500
Device \Driver\NetBT \Device\NetbiosSmb 88466500
Device \FileSystem\Srv \Device\LanmanServer 88950C68

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdHlp \Device\cmdhlp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBFDO-0 8885C1F8
Device \Driver\usbohci \Device\USBFDO-1 8885C1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88465500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 886D1B80
Device \Driver\cmdHlp \Device\CFPIpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbehci \Device\USBFDO-2 888E71F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88465500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 886D1B80
Device \FileSystem\Npfs \Device\NamedPipe 886B7B88
Device \Driver\Ftdisk \Device\FtControl 88B6D1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CE720297-240C-48AA-A46A-657689230769} 88466500
Device \FileSystem\Msfs \Device\Mailslot 886BBE90
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 88751790
Device \Driver\d347prt \Device\Scsi\d347prt1 88751790
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 888FD030
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 888FD030
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 888FD030
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 888FD030
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 888FD030
Device \FileSystem\Cdfs \Cdfs 887691F8
Device \FileSystem\Cdfs \Cdfs 88931AD8

---- Modules - GMER 1.0.14 ----

Module _________ F7477000-F748F000 (98304 bytes)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSxxou.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!
Service system32\drivers\TDSSpqxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys) <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x93 0xF3 0x64 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 46235088
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -743653309
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSxxou.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@TDSSserv \systemroot\system32\drivers\TDSSxxou.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSktpo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSwupe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdssadw \systemroot\system32\TDSSacun.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdssinit \systemroot\system32\TDSSqqcn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdssserf \systemroot\system32\TDSSehys.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@tdsserrors \systemroot\system32\TDSSwghd.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv\modules@TDSSproc \systemroot\system32\TDSSlubs.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)@imagepath \systemroot\system32\drivers\TDSSpqxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)\modules@TDSSserv \systemroot\system32\drivers\TDSSpqxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSxxou.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@TDSSserv \systemroot\system32\drivers\TDSSxxou.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSktpo.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSwupe.dat
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssadw \systemroot\system32\TDSSacun.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssinit \systemroot\system32\TDSSqqcn.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssserf \systemroot\system32\TDSSehys.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdsserrors \systemroot\system32\TDSSwghd.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@TDSSproc \systemroot\system32\TDSSlubs.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys)@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys)@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys)@imagepath \systemroot\system32\drivers\TDSSpqxt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys)\modules
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys)\modules@TDSSserv \systemroot\system32\drivers\TDSSpqxt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys)\modules@TDSSl \systemroot\system32\TDSSoiqh.dll

---- EOF - GMER 1.0.14 ----
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » November 12th, 2008, 11:01 am

Hi,

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » November 12th, 2008, 9:11 pm

Hey, should I disconnect the cable to the internet while I'm doing all this? It seems like it would be safer when I disable all the real time protection. I printed out the bleeping computer information to read over. Then I'll do the scan after isee what you say about disconnecting. Thanx for the help.

Welllll, i'm back. i couldn't wait. i read the instructions and dl'ed combofix and dl'ed the windows recovery. I followed the instructions to the T, and I'm very frustrated. I drug it over the combofix icon on the desktop and it tried to open combofix. I did this twice. I did not get some kind of window installing thing. So I disabled AVG Resident Shield via the instructions on the link, but I couldn't figure out how to disable AVG antivirus. I disabled the commodo firewall and then I clicked Run on the "could not be verified window." Then it popped up windows out of order from the instructions. Very frustrating. It said that it didn't have the console installed, so I clicked yes to install. So, after it was trying in the blue screen to access the internet, the 2nd time I got up from the computer. In less than a few minutes, I looked at the screen and the computer had restarted. After getting the password typed in, commodo pops up and starts alerting (I guess after the restart it restarted). The screen said that it was doing a log report and not to start anything. I turned off commodo and closed commodo safe surf window. Then the combofix window said access denied. It eventually closed, and when I looked in the c: for a log, suprise suprise there wasn't one. I am very frustrated right now. What else should I have done? I do appreciate your help.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » November 13th, 2008, 12:56 pm

This is motoaaron's Mom. I found the log file, I think. The instructions at bleeping computer need to be rewritten to be more clear. I think they are outdated. If this is the log file, it was not in C: (Even so, we appreciate you guys & bleeping computer. You are the good guys.)

ComboFix 08-11-11.01 - Aaron Morgan 2008-11-12 19:59:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.730 [GMT -6:00]
Running from: C:\Documents and Settings\Aaron Morgan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aaron Morgan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\setup.exe
C:\WINDOWS\system32\TDSSwupe.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_VFILT
-------\Service_TDSSserv
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-12 12:50 . 2008-10-24 05:21 455,296 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-11-12 12:48 . 2008-09-04 11:15 1,106,944 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-11-05 01:27 . 2008-11-05 01:30 250 --a------ C:\WINDOWS\gmer.ini
2008-10-30 21:12 . 2008-10-30 21:12 <DIR> d-------- C:\Rustbfix
2008-10-28 21:07 . 2008-10-28 21:07 2,720 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-10-28 21:03 . 2008-09-08 21:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-28 21:03 . 2008-10-01 13:51 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2008-10-28 21:03 . 2008-05-18 19:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-10-28 21:03 . 2008-08-18 10:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-10-28 21:02 . 2007-09-05 22:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-10-28 21:02 . 2004-07-31 16:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-10-28 21:02 . 2007-10-03 22:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-10-28 21:01 . 2006-04-27 15:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-10-28 21:00 . 2003-06-05 19:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-10-24 00:58 . 2008-10-15 10:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 18:18 . 2008-10-23 18:18 2,302,017 --a------ C:\WINDOWS\system32\GPhotos.scr
2008-10-21 16:59 . 2008-10-21 16:59 <DIR> d-------- C:\Program Files\AskSBar
2008-10-21 16:59 . 2008-10-21 16:59 249,592 --a------ C:\WINDOWS\system32\cssdll32.dll
2008-10-21 16:58 . 2008-10-21 16:59 <DIR> d-------- C:\Program Files\COMODO
2008-10-21 16:58 . 2008-10-21 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-10-21 16:58 . 2008-10-21 16:58 <DIR> d-------- C:\Documents and Settings\Aaron Morgan\Application Data\Comodo
2008-10-21 16:58 . 2008-10-30 22:47 143,096 --a------ C:\WINDOWS\system32\guard32.dll
2008-10-21 16:58 . 2008-10-30 22:47 99,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-10-21 16:58 . 2008-10-30 22:47 31,504 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-10-15 22:21 . 2008-09-15 06:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 22:21 . 2008-09-08 04:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 22:20 . 2008-08-14 04:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 22:20 . 2008-08-14 04:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 22:20 . 2008-08-14 03:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 22:20 . 2008-08-14 03:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

Are you still with me? I think it's been about a week, so I'm just checking. Thanks for the help.
Last edited by motoaaron on November 20th, 2008, 8:14 pm, edited 1 time in total.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 48 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware