smitfraud-c


  • This topic is locked

#1
sharvool

    New Member

  • Member
  • 3 posts
Hello everyone! :)
I want to start by congratulating you on this wonderful forum and the wonderful things you do here.

The plot: a couple of days ago I got this message saying "critical system error" and a fake Windows Update icon in the system tray.
I tried using the SmitfraudFix but no luck. Tried a NOD32 scan and nothing; Spybot, however, was not able to perform it, it wouldn't start. I then decided to restore my system using "System Restore". I chose a point that goes back about 2 days and Windows came up clean; the window that I used to get was gone. Ran the above-mentioned apps again and this time both NOD32 and Spybot got something: Spybot got smitfraud-c and NOD32 got some trojan and deleted it.
At this point I tried going back to the original point, before the "System Restore"; I can't restore it. I redownloaded Windows updates and got here. I don't have the window saying "critical system error" anymore, but I do have the infected files and every time I reboot I get "c:\windows\system32\spywarewarning.mht" as my homepage.

I went over the "must read first" section and did everything it says. I hope I have all the logs you need. I hope I do a good job posting them here. :)

OK, here we go, these are the logs for Malwarebytes, SUPERAntiSpyware and Panda ActiveScan.
The HijackThis and uninstall_list will be in the next post (I hope that's OK).
-------------------------------------------------
Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 5.1.2600 Service Pack 2

08:53:10 03/07/2008
mbam-log-7-3-2008 (08-53-10).txt

Scan type: Quick Scan
Objects scanned: 38250
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 07/03/2008 at 09:52 AM

Application Version : 3.6.1000

Core Rules Database Version : 3496
Trace Rules Database Version: 1487

Scan type : Complete Scan
Total Scan Time : 00:49:50

Memory items scanned : 289
Memory threats detected : 0
Registry items scanned : 4834
Registry threats detected : 0
File items scanned : 34317
File threats detected : 0
--------------------------------------------------------------
;*******************************************************************************
ANALYSIS: 2008-07-03 11:40:02
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Eset NOD32 antivirus system 2.51 2.51 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0003636.exe
00167704 Cookie/Xiti TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][1].txt
00167738 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][1].txt
00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][5].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][1].txt
00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No D:\גיבוי מחשב אבא\Documents and Settings\XP\Cookies\[email protected][1].txt
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0003635.exe
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\XP0XVGCA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\1ZBLKWCA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\MOYPETDA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\UCCFX5DA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\A3Z5RNAA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\PETBWHDA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\KPQAAIDA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\RMMG1QAA.NQF
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Program Files\Eset\infected\BGZCWVCA.NQF
03184163 Trj/Agent.DPE Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0007247.dll
03184483 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{4F2F4B5B-8A29-481A-9CAC-B1DB28047786}\RP15\A0004465.exe
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
182048 HIGH MS07-069
182043 HIGH MS07-064
176382 HIGH MS07-057
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164913 HIGH MS07-033
160623 HIGH MS07-027
150253 HIGH MS07-016
141030 HIGH MS06-072
137568 HIGH MS06-067
129976 MEDIUM MS06-052
126083 HIGH MS06-042
120814 HIGH MS06-021
114664 HIGH MS06-013
93394 HIGH MS05-050
;===============================================================================


#2
sharvool

    New Member

  • Topic Starter
  • Member
  • 3 posts
OK, here are the uninstall_list and HijackThis logs. Thanks a lot guys. The gibberish means "security update for".
This is the uninstall log:

Ad-Aware SE Professional
Codec Pack - All In 1 6.0.3.0
HijackThis 2.0.2
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB936181)
Nero 8
neroxml
NOD32 antivirus system
Panda ActiveScan 2.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
VCRedistSetup
VIA Audio Driver Setup Program
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
--------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:54, on 03/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TPPOLL] C:\Program Files\TOPRO\TPPOLL.EXE
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 3917 bytes
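As an added example (not from the original post, and not code from Malwarebytes, HijackThis or the forum), the following Python script cross-checks the O4 autorun entries in the HijackThis log above against the registry values Malwarebytes reported as "Quarantined and deleted" about three hours earlier. The sample lines are copied from the two logs in this thread; the three heuristics it applies (Win9x-era RunServices keys, one image registered in both the machine hive and a user hive, and removed values that have reappeared) are the editor's own assumptions about what is worth flagging, not detections either tool performs.

```python
"""Cross-check HijackThis O4 autorun entries against an earlier Malwarebytes
removal log.  Added example built from the logs posted in this thread."""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the HijackThis log (12:11)
# and the three Run/RunServices values Malwarebytes removed that morning (08:53).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\apcupsx.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
"""

MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"  (registry autoruns only)
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")
# First executable on the command line: either the quoted token or the shortest
# prefix ending in an executable extension (handles "RUNDLL32.EXE foo.dll,Entry").
IMAGE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|scr|com|bat|cmd)))', re.I)
# "<full key path>\<value name> (<detection>) -> <action>"
MBAM_RE = re.compile(r'^(?P<path>HKEY_\S+?)\\(?P<name>[^\\\s]+) \((?P<det>[^)]+)\) -> (?P<action>.+)$')
HIVE_ABBREV = {'HKEY_LOCAL_MACHINE': 'HKLM', 'HKEY_CURRENT_USER': 'HKCU', 'HKEY_USERS': 'HKUS'}
LEGACY_KEYS = {'RunServices', 'RunServicesOnce'}   # Win9x/ME keys, ignored by NT-based Windows


def parse_hjt(text):
    """Parse O4 registry autorun lines into dicts; skips Global Startup and non-O4 lines."""
    entries = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = USER_SUFFIX_RE.sub('', m['cmd'])
        im = IMAGE_RE.match(cmd)
        image = (im['quoted'] or im['bare']) if im else cmd
        entries.append({'hive': m['hive'], 'key': m['key'], 'name': m['name'],
                        'cmd': cmd, 'image': image.lower()})
    return entries


def parse_mbam(text):
    """Return the set of (hive, key, lowercased value name) Malwarebytes reported on."""
    removed = set()
    for line in text.strip().splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        parts = m['path'].split('\\')
        removed.add((HIVE_ABBREV.get(parts[0], parts[0]), parts[-1], m['name'].lower()))
    return removed


def scope(hive):
    """HKLM is machine-wide; HKCU and every HKUS\\<sid> hive is per-user."""
    return 'machine' if hive == 'HKLM' else 'user'


def analyse(hjt_text, mbam_text):
    entries = parse_hjt(hjt_text)
    removed = parse_mbam(mbam_text)
    # 1. RunServices keys are only executed by Windows 9x/ME; an XP installer has
    #    no reason to write one, droppers that target both families do.
    legacy = [e for e in entries if e['key'] in LEGACY_KEYS]
    # 2. Same image under both the machine hive and a user hive: redundant
    #    persistence rather than a normal per-machine or per-user install.
    scopes = defaultdict(set)
    for e in entries:
        scopes[e['image']].add(scope(e['hive']))
    redundant = sorted(img for img, s in scopes.items() if len(s) > 1)
    # 3. Values Malwarebytes removed that are present again in the later scan:
    #    the remediation did not hold, so something re-creates them at boot.
    reappeared = [e for e in entries if (e['hive'], e['key'], e['name'].lower()) in removed]
    return {'legacy': legacy, 'redundant': redundant, 'reappeared': reappeared}


if __name__ == '__main__':
    for kind, items in analyse(HJT_SAMPLE, MBAM_SAMPLE).items():
        print(f'{kind}:')
        for it in items:
            print('   ', it if isinstance(it, str) else f"{it['hive']}\\{it['key']} [{it['name']}] {it['image']}")
```

Run as-is to print the three finding lists, or feed `parse_hjt`/`parse_mbam` your own saved logs. On these samples the "reappeared" list is the actionable one: the IEUpdate values under HKLM\Run, HKCU\Run and HKLM\RunServices that were deleted at 08:53 are present again at 12:11, which is consistent with the homepage being re-hijacked on every reboot and makes the dropper behind them (here apcupsx.exe) the thing to identify rather than the registry values themselves.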

#3
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
Hi sharvool,

I know you stated you already tried SmitFraudFix, but there has been an update and I'd like to see the log.

Please download the latest version of SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

#4
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
Oh, and do me a favor and upload one file following the instructions here:

http://thespykiller..../topic,5.0.html

The file I want is:
C:\WINDOWS\system32\apcupsx.exe

Thanks,

#5
sharvool

    New Member

  • Topic Starter
  • Member
  • 3 posts
Hi Metallica. Thanks a lot for taking the time to look at my logs and for your willingness to help. This is much appreciated.
I have decided to format my drive since I had no time to wait. I work with that machine and needed it up and working real fast.
Would have been nice to know how to really deal with it though.

Thanks again Metallica (big fan), for your time and effort.

#6
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,959 posts
Too bad you decided to format.

Especially since I was really curious about that file.

I'll close this one, but do have a look at the red link in my signature. It might help to avoid future accidents. :)