What the hell is wrong with my computer?

[TylerDurdin]

Ran my SAS pro came back clean. scanned again with avast found 1 infection a win32 trojan spy, scanned later with ad-aware found 4 win32 monder iu's, just for the hell of it I ran malwarebytes found

Malwarebytes' Anti-Malware 1.34

Database version: 1830

Windows 5.1.2600 Service Pack 2

3/10/2009 12:40:28 AM

mbam-log-2009-03-10 (00-40-28).txt

Scan type: Full Scan (C:\|)

Objects scanned: 107613

Time elapsed: 22 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Settings (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\rs.dat (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 01_47_58 PM_515.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 01_54_06 PM_781.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 12_31_27 PM_312.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 12_42_37 PM_062.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 11 - 06_59_33 PM_000.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 17 - 08_24_50 PM_670.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Settings\ScanResults.pie (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

Why were these not found before?

[siliconman01]

Well, you apparently downloaded and ran SmitFraudFix Tool which is rogue software and is not the same as SmitFraudFix for fixing SmitFraud infections. These are completely different items.

If you google SmitFraudFix Tool, you will see that it is rogue and is NOT related to the good guy SmitFraudFix. Cybercriminals are crafty, doing anything innovative and creative to infect and steal.

If you still have the SmitFraudFix Tool file, I recommend that you submit it SAS for their review.

[TylerDurdin]

Actually A friend thought he could help me out when my computer first became infected a couple of months ago, I also thought he had the real guy after the attempt I realized he did more of a dis-service than anything, my 4 year old son could have helped me mess it more if that was my intention, but shame on me. As for the fix tool files or anything else I thought they were all gone until today. No other scans by anything found this many issues except for the first time I ran SAS.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 03/06/2009 at 00:51 AM

Application Version : 4.25.1014

Core Rules Database Version : 3786

Trace Rules Database Version: 1743

Scan type : Complete Scan

Total Scan Time : 00:38:02

Memory items scanned : 215

Memory threats detected : 2

Registry items scanned : 5944

Registry threats detected : 60

File items scanned : 11273

File threats detected : 20

Trojan.Downloader-NewJuan/VM

C:\WINDOWS\SYSTEM32\JOASUQ.DLL

C:\WINDOWS\SYSTEM32\JOASUQ.DLL

C:\WINDOWS\SYSTEM32\GZICEP.DLL

C:\WINDOWS\SYSTEM32\GZICEP.DLL

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\OPNMJDVP.DLL

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

HKU\S-1-5-21-1060284298-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Rootkit.Agent/Gen-DP_PROT

HKLM\system\controlset001\services\iarrwigr

C:\WINDOWS\SYSTEM32\DRIVERS\LURUVCXJ.SYS

HKLM\system\controlset002\services\iarrwigr

Adware.Tracking Cookie

C:\Documents and Settings\Wilkins\Cookies\wilkins@clickbank[1].txt

Adware.Vundo Variant/Rel

HKLM\SOFTWARE\Microsoft\FCOVM

HKLM\SOFTWARE\Microsoft\RemoveRP

HKLM\SOFTWARE\Microsoft\MS Juan

HKLM\SOFTWARE\Microsoft\MS Juan#RID

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail#LU

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail#CT

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail#LT

HKLM\SOFTWARE\Microsoft\MS Juan\me

HKLM\SOFTWARE\Microsoft\MS Juan\me#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\me#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\me#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\me#LBL

HKLM\SOFTWARE\Microsoft\MS Juan\me#MN

HKLM\SOFTWARE\Microsoft\MS Juan\mm

HKLM\SOFTWARE\Microsoft\MS Juan\mm#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\mm#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\mm#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\s4

HKLM\SOFTWARE\Microsoft\MS Juan\s4#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\s4#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\s4#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\se

HKLM\SOFTWARE\Microsoft\MS Juan\se#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\se#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\se#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT

HKLM\SOFTWARE\Microsoft\contim

HKLM\SOFTWARE\Microsoft\contim#SysShell

HKLM\SOFTWARE\Microsoft\MS Track System

HKLM\SOFTWARE\Microsoft\MS Track System#Uid

HKLM\SOFTWARE\Microsoft\MS Track System#Shows

HKLM\SOFTWARE\Microsoft\rdfa

HKLM\SOFTWARE\Microsoft\rdfa#F

HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace

HKLM\Software\Microsoft\E4EA95E5

HKLM\Software\Microsoft\E4EA95E5#e4ea95e5

HKLM\Software\Microsoft\E4EA95E5#Version

HKLM\Software\Microsoft\E4EA95E5#e4ea3865

HKLM\Software\Microsoft\E4EA95E5#e4ea5180

HKU\S-1-5-21-1060284298-606747145-725345543-1004\Software\Microsoft\CS41275

HKU\S-1-5-21-1060284298-606747145-725345543-1004\Software\Microsoft\FIAS4052N

Trojan.Agent/Gen-Simple

C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090217-223403-718.DLL

C:\WINDOWS\SYSTEM32\IEIUWUUL.DLL

C:\WINDOWS\SYSTEM32\LNNBZS.DLL

Adware.Vundo Variant

C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090217-223403-932.DLL

Adware.Vundo/Variant-AdobeFake

C:\WINDOWS\SYSTEM32\GNEWCYMG.DLL

C:\WINDOWS\SYSTEM32\NXFVSBQO.DLL

C:\WINDOWS\SYSTEM32\OOFUSK.DLL

C:\WINDOWS\SYSTEM32\QRUDCRUU.DLL

C:\WINDOWS\SYSTEM32\QYJHCGGN.DLL

C:\WINDOWS\SYSTEM32\UKUROOUL.DLL

Adware.Prun-A

C:\WINDOWS\SYSTEM32\PRUNNET.EXE

Trojan.Vundo-Variant/Packed-GEN

C:\WINDOWS\SYSTEM32\RQRKASQQ.DLL

Trace.Known Threat Sources

C:\Documents and Settings\Wilkins\Local Settings\Temporary Internet Files\Content.IE5\NHO4N2WQ\l.s.bg1z[1].gif

C:\Documents and Settings\Wilkins\Local Settings\Temporary Internet Files\Content.IE5\NHO4N2WQ\l.s.bg2z[1].gif

C:\Documents and Settings\Wilkins\Local Settings\Temporary Internet Files\Content.IE5\A9BMGKKY\favicon[1].ico

[siliconman01]

I assume that you let SAS quarantine all of the items above. The rootkit below is a bit disturbing to find on a system.

Rootkit.Agent/Gen-DP_PROT

HKLM\system\controlset001\services\iarrwigr

C:\WINDOWS\SYSTEM32\DRIVERS\LURUVCXJ.SYS

HKLM\system\controlset002\services\iarrwigr

I recommend that you update SAS to the latest core/trace definitions and then reboot your computer into SAFE MODE. Run a complete scan of your system with SAS. Let it quarantine what it finds. Then boot back into normal mode.

[TylerDurdin]

Ran a scan in safe mode SAS found 0 infections.

[siliconman01]

So is your computer running okay now?

[TylerDurdin]

Yes, my only concern is that a day ago I ran SAS it said I was clean, than malwarebytes found a whole bunch of smitfraud fix tool stuff that I believed to be history,it is only because of the fact that my wife does online banking a bill paying that I am even concerned. I also have to question why SAS did not find these, dont get me wrong I do believe this program is everything it claims to be. My machine was a day away from being completely re-installed, I ran this program and my pc ran as good as the day I got it. the malwarebytes scan in my first post is after SAS said I had 0 infections, I am just puzzled. BTW just started getting some paretologic rundll eror, I use crap cleaner for my registry it aways seemed to be fine, could this be virus related? all scans by all tools come back clean now. Avast, ad-aware,malwarebytes and SAS.

[siliconman01]

I am just puzzled. BTW just started getting some paretologic rundll eror,

I do not know what the above error is from without you stating the exact error message. At any rate, I feel it is best that you create a customer support ticket so that the gurus of SAS can assist you directly and quickly. They will provide you some diagnostics to run on your system if necessary. The rundll error is probably a registry key that needs to be repair and is hanging from the infection removals.

https://www.superantispyware.com/precreateticket.html

In the support ticket request, provide a link to this forum post as well. During the support request, explain the MBAM findings. Detection of rouge software such as SmithFraudFix Tool must have slipped under the SAS radar screen. They can fix that with no problems once they know that SAS is missing it.

[TylerDurdin]

Thanks for your advise siliconman, it took me forever to get that diagnostic done for some reason my firefox browser would not let me connect, so I actually had to make IE7 my home page just to get it done. For the first time after all this crap I hope my machine has more viruses than a, well you know. Once again thanx and I'll keep you posted whether your interested or not. thanx alot

BTW error loading C:\PpogramFiles\CommonFiles\Paretologic\UUS2\UUS.dll