TylerDurdin
Posted March 10, 2009

Ran my SAS Pro; it came back clean. Scanned again with Avast, found 1 infection, a Win32 trojan spy. Scanned later with Ad-Aware, found 4 Win32 Monder IUs. Just for the hell of it I ran Malwarebytes, which found:

Malwarebytes' Anti-Malware 1.34
Database version: 1830
Windows 5.1.2600 Service Pack 2

3/10/2009 12:40:28 AM
mbam-log-2009-03-10 (00-40-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 107613
Time elapsed: 22 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Settings (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\rs.dat (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 01_47_58 PM_515.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 01_54_06 PM_781.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 12_31_27 PM_312.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 10 - 12_42_37 PM_062.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 11 - 06_59_33 PM_000.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log\2009 Feb 17 - 08_24_50 PM_670.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Settings\ScanResults.pie (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

Why were these not found before?
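As an added example that is not part of this thread and not code from Malwarebytes, SUPERAntiSpyware or any other tool named here: a small Python parser for the MBAM 1.x text log format quoted above. It cross-checks the summary counts against the listed items, groups detections by family, and flags anything the scanner could not remove immediately. The sample log is constructed from the lines in the post, abridged to three of the nine file entries with the file count adjusted to match, and with one entry changed to a "Delete on reboot" action purely to exercise the pending check; the regular expressions assume the "path (Family) -> Action." item layout shown in the log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and summarise its findings."""
import re
from collections import Counter

# Constructed sample, assembled from the log quoted in the post above.
# Abridged: 3 of the 9 file entries, count line adjusted; the last entry's
# action is altered to "Delete on reboot." to exercise pending().
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1830
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 107613

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Settings (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\rs.dat (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilkins\Application Data\SmitFraudFixTool\Settings\ScanResults.pie (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Delete on reboot.
"""

# "Files Infected: 9" (summary count) vs "Files Infected:" (section header)
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)\s*$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# "<path> (<Family>) -> <Action>."  (trailing period optional)
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {'counts': {section: n}, 'detections': [{section, path, family, action}]}."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        # Header lines (scan type, versions) precede any section; skip them.
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({"section": section, "path": m["path"],
                               "family": m["family"], "action": m["action"]})
    return {"counts": counts, "detections": detections}


def counts_consistent(parsed):
    """True when every summary count equals the number of items listed for it."""
    seen = Counter(d["section"] for d in parsed["detections"])
    return all(seen.get(sec, 0) == n for sec, n in parsed["counts"].items())


def families(parsed):
    """Detections per family name, e.g. Rogue.SmitFraudFixTool, Malware.Trace."""
    return Counter(d["family"] for d in parsed["detections"])


def pending(parsed):
    """Items not quarantined in-session (a reboot or rescan is still needed)."""
    return [d for d in parsed["detections"] if not d["action"].startswith("Quarantined")]


def rogue_items(parsed):
    """Paths attributed to rogue (fake security) software."""
    return [d["path"] for d in parsed["detections"] if d["family"].startswith("Rogue.")]


if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(p))
    print("families:", dict(families(p)))
    print("pending:", [d["path"] for d in pending(p)])
    print("rogue paths:", rogue_items(p))
```

The family prefix is the useful signal here: a `Rogue.` family on a user-profile path indicates a fake cleaner the user installed, as the next reply explains, rather than a drive-by infection, and a non-empty `pending()` list means the log alone does not prove the machine is clean.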
siliconman01
Posted March 10, 2009

Well, you apparently downloaded and ran SmitFraudFix Tool, which is rogue software and is not the same as SmitFraudFix for fixing SmitFraud infections. These are completely different items. If you Google SmitFraudFix Tool, you will see that it is rogue and is NOT related to the good-guy SmitFraudFix. Cybercriminals are crafty, doing anything innovative and creative to infect and steal. If you still have the SmitFraudFix Tool file, I recommend that you submit it to SAS for their review.
TylerDurdin
Posted March 10, 2009

Actually, a friend thought he could help me out when my computer first became infected a couple of months ago. I also thought he had the real guy; after the attempt I realized he did more of a dis-service than anything. My 4-year-old son could have helped me mess it up more if that was my intention, but shame on me. As for the fix tool files or anything else, I thought they were all gone until today. No other scans by anything found this many issues except for the first time I ran SAS.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 03/06/2009 at 00:51 AM

Application Version : 4.25.1014

Core Rules Database Version : 3786
Trace Rules Database Version: 1743

Scan type : Complete Scan
Total Scan Time : 00:38:02

Memory items scanned : 215
Memory threats detected : 2
Registry items scanned : 5944
Registry threats detected : 60
File items scanned : 11273
File threats detected : 20

Trojan.Downloader-NewJuan/VM
	C:\WINDOWS\SYSTEM32\JOASUQ.DLL
	C:\WINDOWS\SYSTEM32\JOASUQ.DLL
	C:\WINDOWS\SYSTEM32\GZICEP.DLL
	C:\WINDOWS\SYSTEM32\GZICEP.DLL

Unclassified.Unknown Origin
	HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
	HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
	HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
	HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
	C:\WINDOWS\SYSTEM32\OPNMJDVP.DLL
	HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
	HKU\S-1-5-21-1060284298-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
	HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
	HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Rootkit.Agent/Gen-DP_PROT
	HKLM\system\controlset001\services\iarrwigr
	C:\WINDOWS\SYSTEM32\DRIVERS\LURUVCXJ.SYS
	HKLM\system\controlset002\services\iarrwigr

Adware.Tracking Cookie
	C:\Documents and Settings\Wilkins\Cookies\wilkins@clickbank[1].txt

Adware.Vundo Variant/Rel
	HKLM\SOFTWARE\Microsoft\FCOVM
	HKLM\SOFTWARE\Microsoft\RemoveRP
	HKLM\SOFTWARE\Microsoft\MS Juan
	HKLM\SOFTWARE\Microsoft\MS Juan#RID
	HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
	HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
	HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
	HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
	HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
	HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail
	HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail#LU
	HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail#CT
	HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\hotmail#LT
	HKLM\SOFTWARE\Microsoft\MS Juan\me
	HKLM\SOFTWARE\Microsoft\MS Juan\me#LTM
	HKLM\SOFTWARE\Microsoft\MS Juan\me#CDY
	HKLM\SOFTWARE\Microsoft\MS Juan\me#CNT
	HKLM\SOFTWARE\Microsoft\MS Juan\me#LBL
	HKLM\SOFTWARE\Microsoft\MS Juan\me#MN
	HKLM\SOFTWARE\Microsoft\MS Juan\mm
	HKLM\SOFTWARE\Microsoft\MS Juan\mm#LTM
	HKLM\SOFTWARE\Microsoft\MS Juan\mm#CDY
	HKLM\SOFTWARE\Microsoft\MS Juan\mm#CNT
	HKLM\SOFTWARE\Microsoft\MS Juan\s4
	HKLM\SOFTWARE\Microsoft\MS Juan\s4#LTM
	HKLM\SOFTWARE\Microsoft\MS Juan\s4#CDY
	HKLM\SOFTWARE\Microsoft\MS Juan\s4#CNT
	HKLM\SOFTWARE\Microsoft\MS Juan\se
	HKLM\SOFTWARE\Microsoft\MS Juan\se#LTM
	HKLM\SOFTWARE\Microsoft\MS Juan\se#CDY
	HKLM\SOFTWARE\Microsoft\MS Juan\se#CNT
	HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
	HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
	HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
	HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
	HKLM\SOFTWARE\Microsoft\contim
	HKLM\SOFTWARE\Microsoft\contim#SysShell
	HKLM\SOFTWARE\Microsoft\MS Track System
	HKLM\SOFTWARE\Microsoft\MS Track System#Uid
	HKLM\SOFTWARE\Microsoft\MS Track System#Shows
	HKLM\SOFTWARE\Microsoft\rdfa
	HKLM\SOFTWARE\Microsoft\rdfa#F
	HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace
	HKLM\Software\Microsoft\E4EA95E5
	HKLM\Software\Microsoft\E4EA95E5#e4ea95e5
	HKLM\Software\Microsoft\E4EA95E5#Version
	HKLM\Software\Microsoft\E4EA95E5#e4ea3865
	HKLM\Software\Microsoft\E4EA95E5#e4ea5180
	HKU\S-1-5-21-1060284298-606747145-725345543-1004\Software\Microsoft\CS41275
	HKU\S-1-5-21-1060284298-606747145-725345543-1004\Software\Microsoft\FIAS4052N

Trojan.Agent/Gen-Simple
	C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090217-223403-718.DLL
	C:\WINDOWS\SYSTEM32\IEIUWUUL.DLL
	C:\WINDOWS\SYSTEM32\LNNBZS.DLL

Adware.Vundo Variant
	C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090217-223403-932.DLL

Adware.Vundo/Variant-AdobeFake
	C:\WINDOWS\SYSTEM32\GNEWCYMG.DLL
	C:\WINDOWS\SYSTEM32\NXFVSBQO.DLL
	C:\WINDOWS\SYSTEM32\OOFUSK.DLL
	C:\WINDOWS\SYSTEM32\QRUDCRUU.DLL
	C:\WINDOWS\SYSTEM32\QYJHCGGN.DLL
	C:\WINDOWS\SYSTEM32\UKUROOUL.DLL

Adware.Prun-A
	C:\WINDOWS\SYSTEM32\PRUNNET.EXE

Trojan.Vundo-Variant/Packed-GEN
	C:\WINDOWS\SYSTEM32\RQRKASQQ.DLL

Trace.Known Threat Sources
	C:\Documents and Settings\Wilkins\Local Settings\Temporary Internet Files\Content.IE5\NHO4N2WQ\l.s.bg1z[1].gif
	C:\Documents and Settings\Wilkins\Local Settings\Temporary Internet Files\Content.IE5\NHO4N2WQ\l.s.bg2z[1].gif
	C:\Documents and Settings\Wilkins\Local Settings\Temporary Internet Files\Content.IE5\A9BMGKKY\favicon[1].ico
siliconman01
Posted March 10, 2009

I assume that you let SAS quarantine all of the items above. The rootkit below is a bit disturbing to find on a system.

Rootkit.Agent/Gen-DP_PROT
	HKLM\system\controlset001\services\iarrwigr
	C:\WINDOWS\SYSTEM32\DRIVERS\LURUVCXJ.SYS
	HKLM\system\controlset002\services\iarrwigr

I recommend that you update SAS to the latest core/trace definitions and then reboot your computer into SAFE MODE. Run a complete scan of your system with SAS. Let it quarantine what it finds. Then boot back into normal mode.
TylerDurdin
Posted March 11, 2009

Ran a scan in safe mode; SAS found 0 infections.
siliconman01
Posted March 11, 2009

So is your computer running okay now?
TylerDurdin
Posted March 11, 2009

Yes. My only concern is that a day ago I ran SAS and it said I was clean, then Malwarebytes found a whole bunch of SmitFraudFix Tool stuff that I believed to be history. It is only because my wife does online banking and bill paying that I am even concerned. I also have to question why SAS did not find these; don't get me wrong, I do believe this program is everything it claims to be. My machine was a day away from being completely re-installed; I ran this program and my PC ran as good as the day I got it. The Malwarebytes scan in my first post is after SAS said I had 0 infections. I am just puzzled.

BTW, I just started getting some ParetoLogic rundll error. I use Crap Cleaner for my registry and it always seemed to be fine; could this be virus related? All scans by all tools come back clean now: Avast, Ad-Aware, Malwarebytes and SAS.
siliconman01
Posted March 12, 2009

"I am just puzzled. BTW just started getting some paretologic rundll error"

I do not know what the above error is from without you stating the exact error message. At any rate, I feel it is best that you create a customer support ticket so that the gurus of SAS can assist you directly and quickly. They will provide you some diagnostics to run on your system if necessary. The rundll error is probably a registry key that needs to be repaired and is hanging from the infection removals.

https://www.superantispyware.com/precreateticket.html

In the support ticket request, provide a link to this forum post as well. During the support request, explain the MBAM findings. Detection of rogue software such as SmitFraudFix Tool must have slipped under the SAS radar screen. They can fix that with no problems once they know that SAS is missing it.
TylerDurdin
Posted March 12, 2009

Thanks for your advice, siliconman. It took me forever to get that diagnostic done; for some reason my Firefox browser would not let me connect, so I actually had to make IE7 my home page just to get it done. For the first time after all this crap I hope my machine has more viruses than a, well, you know. Once again thanx, and I'll keep you posted whether you're interested or not. Thanx a lot.

BTW, the error is: error loading C:\PpogramFiles\CommonFiles\Paretologic\UUS2\UUS.dll