Smitfraud-C.generic [Closed]
#31 James Brady (Topic Starter, Member, 32 posts)
Yeah, it's still there in "C://windows/svchost.exe".

Should I also run TdssKiller again to make sure that "Rootkit.Boot.Pihar.b" is dead?

#32 myrti (Expert, 2,580 posts)
Hi,

Pihar is dead; you can run TDSSKiller again.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the browse button and navigate to the file listed below in bold, then click Submit.

C:/windows/svchost.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti

#33 James Brady (Topic Starter, Member, 32 posts)
Hmm, Jotti says things are all right; here's a screenshot.

Jetti.jpg

#34 James Brady (Topic Starter, Member, 32 posts)
-Double post-

Edited by James Brady, 19 January 2012 - 06:44 AM.


#35 myrti (Expert, 2,580 posts)
So you found the files in C:\windows, not in C:\windows\system32?

regards myrti

#36 James Brady (Topic Starter, Member, 32 posts)
Correct, but I also found a "svchost.exe" in the system32 folder, just not the one that Spybot was complaining about.

Edited by James Brady, 19 January 2012 - 12:10 PM.


#37 myrti (Expert, 2,580 posts)
Hi,

could you please run a scan with aswMBR:
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

As well as a scan with RkU:
Please download Rootkit Unhooker from one of the following links and save it to your desktop: Link 1 (.exe file), Link 2 (zipped file), Link 3 (.rar file). If you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-Zip utility.
  • Double-click on RKUnhookerLE.exe to start the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning. Just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

#38 James Brady (Topic Starter, Member, 32 posts)
Hello, I got a log from aswMBR, but RkU wouldn't run; I got a file that popped up on the desktop logging the error though.

Attached File  aswMBR.txt   1.5KB   34 downloads

Attached File  rku_error_log_275996.txt   206bytes   28 downloads

#39 myrti (Expert, 2,580 posts)
Hi,

OK. Could you please try to run TDSSKiller again in that case?

Do you have a log from Spybot of the latest detections that you can attach?

regards myrti

#40 James Brady (Topic Starter, Member, 32 posts)
Hello, here's the log from TDSSKiller; it didn't find anything:



And I generated a log with Spybot; it should include:
-ActiveX
-System info
-BHO list
-Process list

#41 James Brady (Topic Starter, Member, 32 posts)
Hmm, I don't see my attachment from the last post, so here's the Spybot log:

Attached File  SpybotSD.Report.txt   16.37KB   141 downloads

And from TDSSKiller:

Attached File  TDSSKiller.2.7.6.0_22.01.2012_12.08.26_log.txt   73.58KB   30 downloads

I also wanted to mention that I don't see the virus "Smitfraud" in Spybot anymore!!!

But I see like 5 cookies that won't stay away:
-BurstMedia
-DoubleClick
-FastClick
-Right Media
-Zedo

They come up every time. Should I re-install Comodo Firewall?
Or maybe AVG Free?

#42 myrti (Expert, 2,580 posts)
Hi,

could you please get me an offline MBR dump:
Try this please. You will need a USB drive.

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK and make sure to select the downloaded ISO file as source, and don't let the installer get the Linux from the internet.
  • It will install a little bootable OS on your USB
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • You will see a list of folders: sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB, please open that and confirm it's your flash drive.
  • If it is your flash drive press Tool at the top
  • Choose Open Terminal
  • Type in: dd if=/dev/sda of=MBRbackup.zip bs=512 count=1 and hit Enter.

MBRbackup.zip should be created on your flash drive, please attach it to your next reply.

Regarding those cookies: those are ad providers that you will see on almost every site, so it is not surprising that you see them recreated essentially every time you go online. I'm not seeing the reference to C:\windows\svchost.exe in there.
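The dd command above writes the first 512-byte sector of /dev/sda, so MBRbackup.zip is a raw sector despite its name. The following is an added example, not code from this thread or from any of the tools it mentions: it parses such a dump and compares it against a known-good MBR, so that boot code altered by a bootkit shows up as a differing bootstrap hash even when the partition table is intact. The sample MBRs (CLEAN_MBR, INFECTED_MBR) are constructed inline and are not real Windows boot sectors.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_END = 440             # bytes 440-445 hold the disk signature, which differs per machine
PART_TABLE_OFFSET = 446
PART_ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(data: bytes) -> dict:
    """Parse one 512-byte sector as dumped with dd bs=512 count=1."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from(PART_ENTRY, data, PART_TABLE_OFFSET + i * 16)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": sectors})
    return {"signature_ok": data[510:512] == BOOT_SIGNATURE,
            "code_sha256": hashlib.sha256(data[:CODE_END]).hexdigest(),
            "partitions": partitions}

def compare_mbrs(suspect: bytes, reference: bytes) -> list:
    """Report how a suspect MBR differs from a known-good one; [] means no differences."""
    s, r = parse_mbr(suspect), parse_mbr(reference)
    findings = []
    if not s["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if s["code_sha256"] != r["code_sha256"]:
        findings.append("bootstrap code differs from reference")
    if s["partitions"] != r["partitions"]:
        findings.append("partition table differs from reference")
    return findings

def build_mbr(code: bytes, partitions: list) -> bytes:
    """Constructed helper: assemble a test MBR (not a real Windows boot sector)."""
    buf = bytearray(MBR_SIZE)
    buf[:len(code)] = code
    for i, entry in enumerate(partitions):
        struct.pack_into(PART_ENTRY, buf, PART_TABLE_OFFSET + i * 16, *entry)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)

# Constructed samples: identical NTFS partition table, but the "infected" copy has its boot code replaced
NTFS_PART = [(0x80, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20, NTFS_PART)
INFECTED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 25, NTFS_PART)
```

To check a real dump, call compare_mbrs(open("MBRbackup.zip", "rb").read(), reference) with reference being the 512 bytes read the same way from a clean machine with the same Windows version.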

#43 James Brady (Topic Starter, Member, 32 posts)
Hello, I've tried a few times and it doesn't seem to be working. I get the welcome screen, select English, then after loading a few things it turns to a dark screen and stays there.

I noticed one of the files on the drive was syslinux.cfg, does this mean I got the wrong one?

The last screen I see before it goes dark is a black screen with white text, about 95% periods, and I see...

loading opt/media

Read/y

I also noticed it flashing to another whole screen of white text for just half a second, not long enough to identify any of the words on it.

#44 myrti (Expert, 2,580 posts)
Hi,

Hmm, that's odd.

How is your internet connection? Would you be willing to try the same steps on an Ubuntu live disk?

The download would be about 700Mb (10 times what xpud was).

regards myrti

#45 James Brady (Topic Starter, Member, 32 posts)
Sure, sounds like a good idea.