smitfraud c generic again

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Epiyon, Oct 12, 2012.

  1. Epiyon

    Epiyon Private E-2

    Hi, I had this problem a few weeks ago and I was helped by chaslang in this thread http://forums.majorgeeks.com/showthread.php?t=267157. My scans came back clean and I have done nothing risky on my computer since then but just today my computer started rebooting randomly again. I ran a spybot scan and the smitfraud c generic was detected again and in the same place as I found it before. I just want this to go away so please let me know if there is anything that hasn't been mentioned to me before that I should be doing to make sure the infection is completely gone for good.

    Also, during the trial period of Malwarebytes (downloaded as instructed and when instructed) but after my original thread had been closed, Malwarebytes kept giving me popups about quarantining various programs that were not previously detected during my first thread postings, like Trojan.happili, heuristics.reserved.word.exploit, Trojan.agent, hijack.displayproperties, Trojan.agent.mrggen, and rootkit.0access. I scanned my computer after every instance of the Malwarebytes warnings but the scans came back clear (from Spybot too), until today when the trial period ran out and the active protection stopped.
     

    Attached Files:

  2. Epiyon

    Epiyon Private E-2

    logs from mgtools since i couldn't fit them in with the first post
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmm! It appears that you got the Pihar infection back again. Your TDSSKiller logs showed the below again:
    Code:
    19:24:40.0570 5596  \Device\Harddisk1\DR1\# - copied to quarantine
    19:24:40.0591 5596  \Device\Harddisk1\DR1 - copied to quarantine
    19:24:40.0979 5596  \Device\Harddisk1\DR1\TDLFS\cmd.dll - copied to quarantine
    19:24:40.0981 5596  \Device\Harddisk1\DR1\TDLFS\cmd64.dll - copied to quarantine
    19:24:40.0990 5596  \Device\Harddisk1\DR1\TDLFS\drv32 - copied to quarantine
    19:24:40.0996 5596  \Device\Harddisk1\DR1\TDLFS\drv64 - copied to quarantine
    19:24:40.0998 5596  \Device\Harddisk1\DR1\TDLFS\servers.dat - copied to quarantine
    19:24:40.0999 5596  \Device\Harddisk1\DR1\TDLFS\config.ini - copied to quarantine
    19:24:41.0000 5596  \Device\Harddisk1\DR1\TDLFS\ldr16 - copied to quarantine
    19:24:41.0196 5596  \Device\Harddisk1\DR1\TDLFS\ldr32 - copied to quarantine
    19:24:41.0200 5596  \Device\Harddisk1\DR1\TDLFS\ldr64 - copied to quarantine
    19:24:41.0212 5596  \Device\Harddisk1\DR1\TDLFS\s - copied to quarantine
    19:24:41.0221 5596  \Device\Harddisk1\DR1\TDLFS\ldrm - copied to quarantine
    19:24:41.0266 5596  \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
    19:24:41.0267 5596  \Device\Harddisk1\DR1 - ok
    19:24:46.0816 5596  \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 
    Rerun a new scan with TDSSKiller. Be sure to redownload the most recent version just to make sure you have the current one. Then attach the new log.

    Yes the C:\Windows\svchost.exe file is back too. I want to see the results of the new TDSSKiller scan before continuing to try and fix this. Also do the below.

    Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
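The log quoted in the post above is what a TDSSKiller detection of the Pihar bootkit looks like: the physical disk object is named with a verdict, a set of files under a TDLFS path are copied to quarantine, and the cure is deferred to reboot. Note that the same disk is reported "- ok" one line after "will be cured on reboot", so an "ok" line by itself does not mean the scan was clean; the absence of any verdict or quarantine line does. The following Python is an added example, not part of any post and not code from Kaspersky's TDSSKiller. It parses the 16 quoted lines (copied from the post) plus a constructed clean follow-up, and answers the questions chaslang asks of each new log: what was detected, what was quarantined, whether a reboot is pending, and whether the result is clean. The line layout is inferred from the quoted lines and is an assumption.

```python
"""Summarise a TDSSKiller log: detections, quarantined objects, pending
reboot, and whether the scan actually came back clean.

Added example for this thread; it is not part of any post and not code
from Kaspersky's TDSSKiller.  The line layout below is inferred from the
lines quoted in the thread (an assumption):
    HH:MM:SS.mmmm  <pid>  <object> [( <verdict> )] - <action>
"""
import re

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<obj>.+?)(?:\s+\(\s*(?P<verdict>[^)]+?)\s*\))?\s+-\s+(?P<action>.+?)\s*$"
)

# The 16 lines chaslang quoted from the user's log (copied from the post above).
SAMPLE_INFECTED = r"""
19:24:40.0570 5596  \Device\Harddisk1\DR1\# - copied to quarantine
19:24:40.0591 5596  \Device\Harddisk1\DR1 - copied to quarantine
19:24:40.0979 5596  \Device\Harddisk1\DR1\TDLFS\cmd.dll - copied to quarantine
19:24:40.0981 5596  \Device\Harddisk1\DR1\TDLFS\cmd64.dll - copied to quarantine
19:24:40.0990 5596  \Device\Harddisk1\DR1\TDLFS\drv32 - copied to quarantine
19:24:40.0996 5596  \Device\Harddisk1\DR1\TDLFS\drv64 - copied to quarantine
19:24:40.0998 5596  \Device\Harddisk1\DR1\TDLFS\servers.dat - copied to quarantine
19:24:40.0999 5596  \Device\Harddisk1\DR1\TDLFS\config.ini - copied to quarantine
19:24:41.0000 5596  \Device\Harddisk1\DR1\TDLFS\ldr16 - copied to quarantine
19:24:41.0196 5596  \Device\Harddisk1\DR1\TDLFS\ldr32 - copied to quarantine
19:24:41.0200 5596  \Device\Harddisk1\DR1\TDLFS\ldr64 - copied to quarantine
19:24:41.0212 5596  \Device\Harddisk1\DR1\TDLFS\s - copied to quarantine
19:24:41.0221 5596  \Device\Harddisk1\DR1\TDLFS\ldrm - copied to quarantine
19:24:41.0266 5596  \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
19:24:41.0267 5596  \Device\Harddisk1\DR1 - ok
19:24:46.0816 5596  \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
"""

# Constructed lines standing in for a clean follow-up scan (not from the thread).
SAMPLE_CLEAN = r"""
19:30:12.0001 5600  \Device\Harddisk0\DR0 - ok
19:30:12.0002 5600  \Device\Harddisk1\DR1 - ok
"""


def parse_tdsskiller(text):
    """Turn log lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def detections(records):
    """Map each object to the sorted verdict names TDSSKiller attached to it."""
    found = {}
    for r in records:
        if r["verdict"]:
            found.setdefault(r["obj"], set()).add(r["verdict"])
    return {obj: sorted(names) for obj, names in found.items()}


def quarantined_objects(records):
    return [r["obj"] for r in records if r["action"] == "copied to quarantine"]


def hidden_fs_files(records):
    """Objects under a TDLFS path: the hidden file store the Pihar/TDL4 family keeps on disk."""
    return [r["obj"] for r in records if "\\TDLFS\\" in r["obj"]]


def needs_reboot(records):
    return any(r["action"] == "will be cured on reboot" for r in records)


def is_clean(records):
    """Clean means no verdict and nothing quarantined.  An '- ok' line alone is
    not enough: in the quoted log the infected disk is reported '- ok' right
    after 'will be cured on reboot'."""
    return not detections(records) and not quarantined_objects(records)


if __name__ == "__main__":
    for name, text in (("first log", SAMPLE_INFECTED), ("follow-up", SAMPLE_CLEAN)):
        recs = parse_tdsskiller(text)
        print(name, "detections:", detections(recs))
        print(name, "quarantined:", len(quarantined_objects(recs)),
              "TDLFS files:", len(hidden_fs_files(recs)))
        print(name, "reboot pending:", needs_reboot(recs), "clean:", is_clean(recs))
```

Run it against a freshly saved TDSSKiller log by reading the file into `parse_tdsskiller`; if `is_clean` is false after a reboot, the cure did not take, which is exactly the situation the next posts deal with.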
     
  4. Epiyon

    Epiyon Private E-2

    Ok, I redownloaded TDSSKiller and downloaded aswMBR and ran a scan with both. The TDSSKiller scan showed nothing and I didn't know how to read the aswMBR log so I can't tell if that was clear too. Should I redownload Malwarebytes so I can get another trial period with active protection (or outright buy it), because during the trial it was giving me popups that it was quarantining trojans of different names?
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Once you have used the trial on any given PC, the trial is over. If you want to have active antimalware protection from it, you will have to buy it.



    Uninstall the below old versions of software:
    Java(TM) 6 Update 31

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\TDSSKiller_Quarantine
    C:\Users\Epiyon\AppData\Local\Temp\7994481B-E832-4F7A-8CD4-491B3BA6370B.exe
    C:\Users\Epiyon\AppData\Local\Temp\Low
    C:\Users\Epiyon\AppData\Local\Temp\REG9C8E.tmp
    C:\Users\Epiyon\AppData\Local\Temp\REGA0D2.tmp
    C:\Users\Epiyon\AppData\Local\Temp\tmp5EC2.tmp
    C:\Users\Epiyon\AppData\Local\Temp\tmp5EC2.xml
    C:\Users\Epiyon\AppData\Local\Temp\tmp5EC3.tmp
    C:\Users\Epiyon\AppData\Local\Temp\~DFF51BFFF50F7C955D.TMP
    C:\Windows\svchost.exe
     
    :Reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    :Commands
    [purity]
     
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:

    • the C:\_OTM\MovedFiles log
    • the new RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. Epiyon

    Epiyon Private E-2

    The MGTools scan closed unexpectedly so I'm not sure if the logs are complete. When I used it before it gave a prompt to click a button to continue, but it just closed. The zip file did seem to update, however. Also, how do people usually get this trojan, as I would like to try to actively avoid any behaviors that would risk getting this crap again, and would switching from Internet Explorer to another web browser, like Chrome, be a smart move?
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're right. It is incomplete. Let's try again with a newer version. After downloading it, be sure to shut down your protection software before running it.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
    You did not tell me how things are working.

    People get it any number of ways. Many times it is through some form of torrent downloading, sometimes playing at online gaming sites which are not necessarily very secure, accessing sites of questionable nature, opening emails with attachments ( Even if from a friend! They may never have checked it to make sure it is clean. ), not keeping your PC updated, not keeping your PC properly protected, etc.


    I find that Internet Explorer is more secure than Chrome or Firefox. We have more issues here with those browsers than we do with IE.
     
  8. Epiyon

    Epiyon Private E-2

    My Malwarebytes keeps giving me the popup every time I turn my computer on (I went ahead and bought it) about quarantining the svchost.exe file, so I'm pretty sure that I still have problems. Also, when I went to run MGtools after redownloading it I got a pop-up error message that I closed without thinking, only to then read the text in the MGtools box that I shouldn't close that error message if it pops up. Now I am unable to run MGtools as it says that my internet security doesn't allow it, and it won't allow me to download it again.

    Edit: My Norton antivirus won't start now as it has disappeared from the taskbar on the bottom right. I don't know if this is caused by the error message/MGtools scan getting messed up or if it's some problem with me running the full version of Malwarebytes at the same time as Norton. I tried rebooting to see if that would fix it but it didn't fix it.
     
    Last edited: Oct 15, 2012
  9. Epiyon

    Epiyon Private E-2

    Norton decided to start running again and shows up in the task bar, but I'm still unable to run MGtools or download it as I receive the error message: "Your current security settings do not allow this file to be downloaded."
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try disabling or uninstalling Norton or download MGtools using another PC and then copy to this PC so that you can run it.

    If you continue to have problems with Norton not running then you definitely need to uninstall it.
     
  11. Epiyon

    Epiyon Private E-2

    I was able to uninstall Norton and reinstall it successfully so it works now. Also, I was able to change my security settings in IE to allow me to run MGtools and download things. Somehow one of the settings was switched from the default to disabled and this seemed to be causing the problem mentioned earlier. I was able to run MGtools all the way through this time and have included the zip.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It probably would have been better to uninstall Norton and leave it uninstalled until we are finished. It may be getting in the way of cleanup. I still see the C:\Windows\svchost.exe infection that OTM tried to remove and Norton could have prevented the removal.

    Let's get a new version of TDSSKiller downloaded and run a new scan. Attach the log here.

    Then continue on with the below.

    • Make sure that Norton is either fully disabled or uninstalled.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    :Files
    C:\MGtools_exe.43fexcj.partial
    C:\MGtools_exe.cawr2bb.partial
    C:\MGtools_exe.ke1bfpn.partial
    C:\MGtools_exe.v3jkrll.partial
    C:\MGtools_exe.vskug21.partial
    C:\Windows\svchost.exe
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new TDSSKiller log
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. Epiyon

    Epiyon Private E-2

    I was able to run the scans and attach the logs, but before I ran the most recent scans my computer started acting worse than before. I had four BSOD in the last five hours or so (luckily none while running the scans), and all happened when I was opening multiple programs at once (usually running world of warcraft in window mode, tabbing out, and then opening a web browser).

    I still have the problem with IE's security settings causing troubles but now it seems to just be limited to messing up my google toolbar (even though I uninstalled it and reinstalled it) and not letting me stream music from Pandora.com. The browser and downloading/running files from the internet wasn't an initial issue but started right after MGtools failed to run completely the last time so I don’t know if this trouble is from the Trojan or the scan closing too soon.

    Also, I have my main drive partitioned with the main side (the one with the Trojan issue) running on windows 7 (64 bit) and the secondary side running windows XP (32 bit). Would you recommend that I get rid of the partition and just install windows 7, or is my setup fine the way it is? And is it possible for the Trojan to cross the partition and infect my windows XP side, or if the windows XP side is infected, can the XP side be re-infecting my windows 7 side each time I complete your scans?
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't change anything right now.

    Yes, both ways.

    Right now the C:\Windows\svchost.exe file is gone. The new TDSSKiller showed that the below was detected again and was removed
    Code:
    00:18:53.0908 4020  \Device\Harddisk1\DR1\# - copied to quarantine
    00:18:53.0908 4020  \Device\Harddisk1\DR1 - copied to quarantine
    00:18:53.0938 4020  \Device\Harddisk1\DR1\TDLFS\cmd.dll - copied to quarantine
    00:18:53.0938 4020  \Device\Harddisk1\DR1\TDLFS\cmd64.dll - copied to quarantine
    00:18:53.0948 4020  \Device\Harddisk1\DR1\TDLFS\drv32 - copied to quarantine
    00:18:53.0948 4020  \Device\Harddisk1\DR1\TDLFS\drv64 - copied to quarantine
    00:18:53.0948 4020  \Device\Harddisk1\DR1\TDLFS\servers.dat - copied to quarantine
    00:18:53.0948 4020  \Device\Harddisk1\DR1\TDLFS\config.ini - copied to quarantine
    00:18:53.0948 4020  \Device\Harddisk1\DR1\TDLFS\ldr16 - copied to quarantine
    00:18:53.0958 4020  \Device\Harddisk1\DR1\TDLFS\ldr32 - copied to quarantine
    00:18:53.0958 4020  \Device\Harddisk1\DR1\TDLFS\ldr64 - copied to quarantine
    00:18:53.0958 4020  \Device\Harddisk1\DR1\TDLFS\s - copied to quarantine
    00:18:53.0988 4020  \Device\Harddisk1\DR1\TDLFS\ldrm - copied to quarantine
    00:18:53.0988 4020  \Device\Harddisk1\DR1\TDLFS\u - copied to quarantine
    00:18:53.0988 4020  \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
    00:18:53.0988 4020  \Device\Harddisk1\DR1 - ok
    00:18:59.0518 4020  \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 
    If you run TDSSKiller again, does the above show up still or is it clean now?
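The dual-boot question two posts up (can the trojan cross the partition, and can the XP side re-infect the Windows 7 side) turns on where this infection lives. TDSSKiller reports Rootkit.Boot.Pihar.c against the physical disk object \Device\Harddisk1\DR1, not against a partition: the master boot record is outside every partition and runs before either operating system, so both installations on that disk go through the same 440 bytes of boot code, and curing it from one OS while the other still carries a dropper leaves the door open. The Python below is an added example, not from any post and not code from TDSSKiller or aswMBR. It builds a constructed MBR with two NTFS partitions (a Windows 7 partition marked active and a Windows XP partition, as in the thread), parses the partition table, and fingerprints the boot code so a changed MBR shows up even when the partition table is untouched. The boot-code bytes, disk signature and partition sizes are made up for illustration and do not reproduce any real bootkit.

```python
"""Parse a 512-byte MBR, list its partition table and fingerprint the boot code.

Added example for this thread; not code from any post, from TDSSKiller or
from aswMBR.  The boot-code bytes, disk signature and partition layout below
are constructed for illustration and do not reproduce any real bootkit.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439: executable boot code, shared by every partition
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
TABLE_OFFSET = 446            # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511

PARTITION_TYPES = {0x07: "NTFS", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def build_mbr(boot_code, partitions, disk_signature=b"\x11\x22\x33\x44"):
    """Assemble an MBR from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code must fit in 440 bytes")
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    mbr = bytearray(SECTOR_SIZE)
    mbr[: len(boot_code)] = boot_code
    mbr[DISK_SIG_OFFSET : DISK_SIG_OFFSET + 4] = disk_signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = TABLE_OFFSET + 16 * i
        mbr[off : off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return the boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR (wrong size or missing 55AA signature)")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off : off + 16])
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "0x%02x" % ptype),
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFFSET : DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
    }


def boot_code_changed(baseline_sector, current_sector):
    """True when the shared boot code differs from the known-good copy."""
    return (parse_mbr(baseline_sector)["boot_code_sha256"]
            != parse_mbr(current_sector)["boot_code_sha256"])


# Constructed layout: a Windows 7 partition (active) and a Windows XP partition
# on the same disk, as in the thread.  Sizes are in 512-byte sectors.
SAMPLE_PARTITIONS = [
    (0x80, 0x07, 2048, 209_715_200),         # slot 0: active, NTFS, ~100 GiB (Win7)
    (0x00, 0x07, 209_717_248, 104_857_600),  # slot 1: NTFS, ~50 GiB (XP)
]
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40     # placeholder, not real loader code
TAMPERED_BOOT_CODE = b"\xfa\xeb\x1a\x90\x90\x90\x90\x90" + b"\xcc" * 40  # placeholder stand-in for a modified MBR

if __name__ == "__main__":
    baseline = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    current = build_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)
    for entry in parse_mbr(current)["partitions"]:
        print(entry)
    print("partition table unchanged:",
          parse_mbr(baseline)["partitions"] == parse_mbr(current)["partitions"])
    print("boot code changed:", boot_code_changed(baseline, current))
```

On a live Windows system the same 512 bytes come from opening `\\.\PhysicalDrive1` (the disk TDSSKiller calls Harddisk1) read-only with administrator rights. The caveat a practitioner wants: bootkits of the TDL4 family are documented to filter reads of the sector they infected and hand back the original, so a read taken from inside the running, infected OS can look clean. Take the baseline and the comparison sector after booting from clean media, and treat a changed boot-code hash with an unchanged partition table as exactly the pattern to worry about.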
     
  15. Epiyon

    Epiyon Private E-2

    The scan came back clear but I'm worried that it may return like it did before. Also, if it is possible for trojans to cross hard drive partitions then should I run some of the scans on the XP side to make sure it isn't infected as well?

    I haven't had any BSOD since the last actions you had me perform, but it's only been about a day and I haven't put my computer under any load yet. I will report back if I have more BSOD.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good.

    It would not hurt to run a few things after booting from the Windows XP partition. Download and save MGtools.exe, TDSSKiller and RogueKiller to the Desktop of the WinXP user account that you use and then run new scans. Attach the new logs.
     
  17. Epiyon

    Epiyon Private E-2

    Ok, I rebooted into my Windows XP side and ran all the scans, and as far as I can tell it's all clear. Also, I uninstalled my expired copy of Norton on my XP side before I ran the scans. Is it now ok to reinstall Norton on both the Windows XP and Windows 7 sides?
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, looks good. Yes, you need to get properly protected. That is included in the below, which you need to run on both the Win XP and Win 7 boot partitions. Make sure you complete ALL steps and get old restore points removed where stated.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
