Smitfraud-C.generic [Closed]
Started by
James Brady
, Dec 28 2011 03:33 PM
#31
Posted 18 January 2012 - 08:41 PM
Should I also run TdssKiller again to make sure that "Rootkit.Boot.Pihar.b" is dead?
#32
Posted 19 January 2012 - 06:00 AM
Hi,
Pihar is dead, you can run TDSSKiller again.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Please click this link-->Jotti
When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit.
C:/windows/svchost.exe
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
regards myrti
#33
Posted 19 January 2012 - 06:39 AM
#34
Posted 19 January 2012 - 06:43 AM
-Double post-
Edited by James Brady, 19 January 2012 - 06:44 AM.
#35
Posted 19 January 2012 - 06:53 AM
So you found the files in C:\windows not in C:\windows\system32?
regards myrti
#36
Posted 19 January 2012 - 12:07 PM
Correct, but I also found a "svchost.exe" in the system 32 folder, just not the one that Spybot was complaining about.
Edited by James Brady, 19 January 2012 - 12:10 PM.
#37
Posted 21 January 2012 - 03:33 AM
Hi,
could you please run a scan with aswmbr:
Please download aswMBR ( 511KB ) to your desktop.
- Double click the aswMBR.exe icon to run it
- Click the Scan button to start the scan
- On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
As well as a scan with RkU:
Please download Rootkit Unhooker from one of the following links and save it to your desktop. Link 1 (.exe file) Link 2 (zipped file) Link 3 (.rar file) In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.
- Double-click on RKUnhookerLE.exe to start the program. Vista/Windows 7 users right-click and select Run As Administrator.
- Click the Report tab, then click Scan.
- Check Drivers, Stealth, and uncheck the rest.
- Click OK.
- Wait until it's finished and then go to File > Save Report.
- Save the report to your Desktop.
- Copy and paste the contents of the report into your next reply.
#38
Posted 21 January 2012 - 10:44 AM
Hello, I got a log from aswMBR, but RkU wouldn't run. I got a file that popped up on the desktop logging the error though.
aswMBR.txt 1.5KB 117 downloads
rku_error_log_275996.txt 206bytes 108 downloads
#39
Posted 22 January 2012 - 01:09 PM
Hi,
ok. Could you please try to run TDSSKiller again in that case?
Do you have a log from spybot of the latest detections that you can attach?
regards myrti
#40
Posted 26 January 2012 - 07:48 PM
Hello, here's the log from TDSSKiller, it didn't find anything:
And I generated a log w/ Spybot; it should include:
-Active X
-System info
-BHO list
-process list
#41
Posted 26 January 2012 - 07:52 PM
Hmm, I don't see my attachment from the last post, so here's the Spybot log:
SpybotSD.Report.txt 16.37KB 264 downloads
And from TDSS:
TDSSKiller.2.7.6.0_22.01.2012_12.08.26_log.txt 73.58KB 119 downloads
I also wanted to mention that I don't see the virus "Smitfraud" in spybot anymore!!!
but I see like 5 cookies that won't stay away...
-BurstMedia
-DoubleClick
-FastClick
-Right Media
-Zedo
they come up every time, should I re-install Comodo firewall?
or maybe avg free?
#42
Posted 27 January 2012 - 07:46 AM
Hi,
could you please get me an offline mbr dump:
Try this please. You will need a USB drive.
Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer
- Insert your USB drive
- Press Start > My Computer > right click your USB drive > choose Format > Quick format
- Double click the unetbootin-xpud-windows-387.exe that you just downloaded
- Press Run then OK and make sure to select the downloaded ISO file as source and don't let the installer get the Linux from the internet.
- It will install a little bootable OS on your USB
- After it has completed do not choose to reboot the clean computer simply close the installer
- Remove the USB and insert it in the sick computer
- Boot the Sick computer
- Press F12 and choose to boot from the USB
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
- You will see a list of folders: sda1,2...usually corresponds to your HDD
- sdb1 is likely your USB, please open that and confirm it's your flash drive.
- If it is your flash drive press Tool at the top
- Choose Open Terminal
- Type in: dd if=/dev/sda of=MBRbackup.zip bs=512 count=1 and hit Enter.
MBRbackup.zip should be created on your flash drive, please attach it to your next reply.
Regarding those cookies, that are ad-providers that you will see on almost every site. So it is not surprising you see those recreated essentially every time you go online. I'm not seeing the reference to C:\windows\svchost.exe in there.
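The dd command in the steps above copies the first 512-byte sector of the disk (the MBR) into a file; despite the .zip name it is a raw sector image, not an archive. Below is an added example, not part of this thread or of any tool mentioned in it, showing how a helper can sanity-check such a dump before it is sent off for analysis: confirm the 0x55AA boot signature, list the partition table entries, hash the boot-code region so two dumps (for example one taken before and one after cleaning, or a dump against a known-good backup) can be compared, and flag structural oddities. All function names are hypothetical, and the sample MBR is constructed inline for demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # little-endian 0xAA55 at offset 510
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code


def parse_mbr(data: bytes) -> dict:
    """Parse a raw 512-byte sector as written by `dd if=/dev/sda bs=512 count=1`.

    Returns the signature check, a SHA-256 of the boot-code region (bytes 0..445)
    and the non-empty partition table entries.
    """
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(data)} bytes")

    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = data[start:start + 16]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", entry
        )
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })

    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(data[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def review_mbr(parsed: dict) -> list:
    """Return human-readable findings about a parsed MBR; an empty list means nothing odd."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature: not a valid MBR, or the dump is truncated")
    active = [p for p in parsed["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in parsed["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start LBA or zero length")
    return findings


def bootcode_differs(dump_a: bytes, dump_b: bytes) -> bool:
    """True if the boot-code region of two MBR dumps is not byte-identical."""
    return parse_mbr(dump_a)["bootcode_sha256"] != parse_mbr(dump_b)["bootcode_sha256"]


def build_sample_mbr(bootable: bool = True, valid_signature: bool = True) -> bytes:
    """Construct a synthetic MBR for the demonstration (not a dump of any real disk)."""
    bootcode = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PARTITION_TABLE_OFFSET - 5)  # constructed filler
    status = 0x80 if bootable else 0x00
    # one NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long
    entry = struct.pack("<B3sB3sII", status, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three slots empty
    signature = BOOT_SIGNATURE if valid_signature else b"\x00\x00"
    return bootcode + table + signature


if __name__ == "__main__":
    # To check a real dump: parse_mbr(open("MBRbackup.zip", "rb").read())
    sample = build_sample_mbr()
    parsed = parse_mbr(sample)
    print("signature ok:", parsed["signature_ok"])
    print("bootcode sha256:", parsed["bootcode_sha256"])
    for p in parsed["partitions"]:
        print(p)
    print("findings:", review_mbr(parsed) or "none")
```

The boot-code hash is the useful comparison point: the partition table is expected to be stable across a cleanup, while bootkit removal or an MBR rewrite changes bytes 0..445, so a differing hash between two dumps tells you the code region was touched even before anyone disassembles it.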
#43
Posted 28 January 2012 - 11:35 AM
Hello, I've tried a few times and it doesn't seem to be working, I get the welcome screen, select English, then after loading a few things it turns to a dark screen and stays there.
I noticed one of the files on the drive was syslinux.cfg, does this mean I got the wrong one?
the last screen I see before it goes dark is a black screen with white text; about 95% periods, and I see..
loading opt/media
Read/y
I also noticed it flashing to another whole screen of white text for just half a second, not long enough to identify any of the words on it.
#44
Posted 28 January 2012 - 12:38 PM
Hi,
hmm that's odd.
How is your internet connection? Would you be willing to try the same steps on an ubuntu live-disk?
The download would be about 700Mb (10 times what xpud was).
regards myrti
#45
Posted 28 January 2012 - 11:35 PM
Sure, sounds like a good idea.