Log in or Sign up

help with virtual rootkit, VMMWARE - its from HELL

Discussion in 'Malware Help (A Specialist Will Reply)' started by logikz, Oct 4, 2007.

logikz Private E-2
¿ VTCSO settings gain @I echosuppression defaultmicrophone
defaultcamera
defaultklimit @Y
defaultalways windowlessDisable autoUpdateDisabled autoUpdateInterval @> autoUpdateLastCheck BqVÓ™•p crossdomainAllow crossdomainAlways allowThirdPartyLSOAccess trustedPaths

strange file in my flash player config.... also a couple pictures that were very strange, my steam client was reconfigured somehow to be something different. "Steam for Valve games" I believe this is a very professional rootkit we are dealing with, possibly fraud related. PLEASE HELP ME PLEEEZZZZ

http://img292.imageshack.us/my.php?image=counterstrike2xw0.jpg
http://img92.imageshack.us/my.php?image=counterstrikecx6.jpg
http://img239.imageshack.us/my.php?image=weirdstuffvp3.jpg
Attached Files:
- newfiles.txt
  
  File size:
  
  34.7 KB
  
  Views:
  
  2
- runkeys.txt
  
  File size:
  
  14.8 KB
  
  Views:
  
  3
- Report-Scan-20071004-185158.txt
  
  File size:
  
  7 KB
  
  Views:
  
  2
logikz, Oct 4, 2007

#1
chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Welcome to Major Geeks!

I'm not sure what you are trying to say your problem is. You installed Steam (just installed today) and you installed the other games like CounterStrike. If you are having problems with them, uninstall them. They are not malware.

You did not attach all of the requested logs but what you did attach does not show any problems. The only items I would question are whether you setup the below policies yourself and I would bet you did:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoSMHelp"=dword:00000001
"NoResolveTrack"=dword:00000001
"LinkResolveIgnoreLinkInfo"=dword:00000001
"NoResolveSearch"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoStartBanner"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktopCleanupWizard"=dword:00000001
"HideRunAsVerb"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableStatusMessages"=dword:00000000
"VerboseStatus"=dword:00000001
Click to expand...

chaslang, Oct 4, 2007

#2
logikz Private E-2

no, i did not set them up myself. Someone, who is very professional with what they do, came into my apartment and locally installed this system. It may not even be malware mind you. It could be how the system was meant to be setup, but i do not want it this way. I have reformatted many times, all i get is an RTM based windows that does not reinstall its system drivers. The problem is advanced. They have also setup my mother's computer, and others i know of. When i format, nothing ever changes. There is a registry file called "Mr. Enigma" in my registry, like it is some sort of game or something. This is a very customized rootkit. My computer thinks it is windows NT server. All i want is the XP professional. I believe it is some sort of VMM that caches itself in a portion of my ram, so even if i wipe the hard drive it puts itself right back on. The bios seems to be odd, being Phoenix Award Workstation 6.00 2003. This post is from a fresh install, after installing counterstrike, and PC Tools firewall, and doing your before you post tutorial. But, it looks like the computer has been the same OS for years. The registry never changes and if i do change it, it is reuploaded to my system. Logging in with Tom's boot disc I find like 15 loop drives, and everytime i format / reinstall it creates another loop drive. What can i do? I need to CLEAN it tho, please dont tell me to format, because ive tried that, many times. I believe there is some major fraud accompanying this, by some professional criminals. Please give me a hand, i'll do whatever u ask.

logikz, Oct 5, 2007

#3
logikz Private E-2

also i get constant requests to connect to ports -- 21213, 43939, 62923.
and a IGMP to a wireless adapter, which i do not have on this desktop computer. ..............
Active Connections

Proto Local Address Foreign Address State
TCP necro-2293a0442:epmap necro-2293a0442:0 LISTENING
TCP necro-2293a0442:1794 mpa.one.microsoft.com:1793 TIME_WAIT
TCP necro-2293a0442:2100 majorgeeks.com:http TIME_WAIT
UDP necro-2293a0442:1040 *:*
UDP necro-2293a0442:1049 *:*
UDP necro-2293a0442:1193 *:*
UDP necro-2293a0442:1783 *:*
UDP necro-2293a0442:1081 *:*
UDP necro-2293a0442:1900 *:*
UDP necro-2293a0442:1940 *:*
UDP necro-2293a0442:1900 *:*

also,
0000:04 00 28 00 10 00 00 00 ..(....
0008:00 00 00 00 00 00 00 00 ........
0010:00 00 00 00 00 00 00 00 ........
0018:F8 91 7B 5A 00 FF D0 11 ø{Z.ÿÐ
0020:A9 B2 00 C0 4F B6 E6 FC ©².ÀO¶æü
0028:EB 53 21 F4 4D AE 23 E7 ëS!ôM®#ç
0030:CD 64 22 9C 1D E9 94 9A Íd"é
0038:00 00 00 00 01 00 00 00 ........
0040:00 00 00 00 00 00 FF FF ......ÿÿ
0048:FF FF 7A 01 00 00 00 00 ÿÿz.....
0050:10 00 00 00 00 00 00 00 .......
0058:10 00 00 00 46 52 4F 4D ...FROM
0060:00 00 00 00 00 00 00 00 ........
0068:00 00 00 00 10 00 00 00 .......
0070:00 00 00 00 10 00 00 00 .......
0078:54 4F 00 00 00 00 00 00 TO......
0080:00 00 00 00 00 00 00 00 ........
0088:36 01 00 00 00 00 00 00 6.......
0090:36 01 00 00 53 54 4F 50 6...STOP
0098:21 20 57 49 4E 44 4F 57 ! WINDOW
00A0:53 20 52 45 51 55 49 52 S REQUIR
00A8:45 53 20 49 4D 4D 45 44 ES IMMED
00B0:49 41 54 45 20 41 54 54 IATE ATT
00B8:45 4E 54 49 4F 4E 2E 0A ENTION..
00C0:0A 57 69 6E 64 6F 77 73 .Windows
00C8:20 68 61 73 20 66 6F 75 has fou
00D0:6E 64 20 35 35 20 43 72 nd 55 Cr
00D8:69 74 69 63 61 6C 20 53 itical S
00E0:79 73 74 65 6D 20 45 72 ystem Er
00E8:72 6F 72 73 2E 0A 0A 54 rors...T
00F0:6F 20 66 69 78 20 74 68 o fix th
00F8:65 20 65 72 72 6F 72 73 e errors
0100:20 70 6C 65 61 73 65 20 please
0108:64 6F 20 74 68 65 20 66 do the f
0110:6F 6C 6C 6F 77 69 6E 67 ollowing
0118:3A 0A 0A 31 2E 20 44 6F :..1. Do
0120:77 6E 6C 6F 61 64 20 52 wnload R
0128:65 67 69 73 74 72 79 20 egistry
0130:55 70 64 61 74 65 20 66 Update f
0138:72 6F 6D 3A 20 77 77 77 rom: www
0140:2E 68 65 6C 70 66 69 78 .helpfix
0148:70 63 2E 63 6F 6D 0A 32 pc.com.2
0150:2E 20 49 6E 73 74 61 6C . Instal
0158:6C 20 52 65 67 69 73 74 l Regist
0160:72 79 20 55 70 64 61 74 ry Updat
0168:65 0A 33 2E 20 52 75 6E e.3. Run
0170:20 52 65 67 69 73 74 72 Registr
0178:79 20 55 70 64 61 74 65 y Update
0180:0A 34 2E 20 52 65 62 6F .4. Rebo
0188:6F 74 20 79 6F 75 72 20 ot your
0190:63 6F 6D 70 75 74 65 72 computer
0198:0A 0A 46 41 49 4C 55 52 ..FAILUR
01A0:45 20 54 4F 20 41 43 54 E TO ACT
01A8:20 4E 4F 57 20 4D 41 59 NOW MAY
01B0:20 4C 45 41 44 20 54 4F LEAD TO
01B8:20 53 59 53 54 45 4D 20 SYSTEM
01C0:46 41 49 4C 55 52 45 21 FAILURE!
01C8:0A 00 ..

0000:04 00 28 00 10 00 00 00 ..(....
0008:00 00 00 00 00 00 00 00 ........
0010:00 00 00 00 00 00 00 00 ........
0018:F8 91 7B 5A 00 FF D0 11 ø{Z.ÿÐ
0020:A9 B2 00 C0 4F B6 E6 FC ©².ÀO¶æü
0028:45 F0 83 B7 1D D5 05 47 Eð·Õ.G
00301 7B F6 A3 51 95 7A 6F Ñ{ö£Qzo
0038:00 00 00 00 01 00 00 00 ........
0040:00 00 00 00 00 00 FF FF ......ÿÿ
0048:FF FF 94 01 00 00 00 00 ÿÿ.....
0050:0D 00 00 00 00 00 00 00 ........
0058:0D 00 00 00 4C 6F 63 61 ....Loca
0060:6C 20 53 79 73 74 65 6D l System
0068:00 00 00 00 05 00 00 00 ........
0070:00 00 00 00 05 00 00 00 ........
0078:55 73 65 72 00 00 00 00 User....
0080:57 01 00 00 00 00 00 00 W.......
0088:57 01 00 00 43 52 49 54 W...CRIT
0090:49 43 41 4C 20 45 52 52 ICAL ERR
0098:4F 52 20 4D 45 53 53 41 OR MESSA
00A0:47 45 21 20 2D 20 52 45 GE! - RE
00A8:47 49 53 54 52 59 20 44 GISTRY D
00B0:41 4D 41 47 45 44 20 41 AMAGED A
00B8:4E 44 20 43 4F 52 52 55 ND CORRU
00C0:50 54 45 44 2E 0A 0A 54 PTED...T
00C8:6F 20 46 49 58 20 74 68 o FIX th
00D0:69 73 20 70 72 6F 62 6C is probl
00D8:65 6D 3A 0A 4F 70 65 6E em:.Open
00E0:20 49 6E 74 65 72 6E 65 Interne
00E8:74 20 45 78 70 6C 6F 72 t Explor
00F0:65 72 20 61 6E 64 20 74 er and t
00F8:79 70 65 3A 20 20 77 77 ype: ww
0100:77 2E 72 65 67 69 73 74 w.regist
0108:72 79 63 6C 65 61 6E 65 rycleane
0110:72 78 70 2E 63 6F 6D 0A rxp.com.
0118:4F 6E 63 65 20 79 6F 75 Once you
0120:20 6C 6F 61 64 20 74 68 load th
0128:65 20 77 65 62 20 70 61 e web pa
0130:67 65 2C 20 63 6C 6F 73 ge, clos
0138:65 20 74 68 69 73 20 6D e this m
0140:65 73 73 61 67 65 20 77 essage w
0148:69 6E 64 6F 77 0A 0A 41 indow..A
0150:66 74 65 72 20 79 6F 75 fter you
0158:20 69 6E 73 74 61 6C 6C install
0160:20 74 68 65 20 63 6C 65 the cle
0168:61 6E 65 72 20 70 72 6F aner pro
0170:67 72 61 6D 20 79 6F 75 gram you
0178:20 77 69 6C 6C 20 6E 6F will no
0180:74 20 72 65 63 65 69 76 t receiv
0188:65 20 61 6E 79 20 6D 6F e any mo
0190:72 65 20 72 65 6D 69 6E re remin
0198:64 65 72 73 20 6F 72 20 ders or
01A0:70 6F 70 2D 75 70 73 20 pop-ups
01A8:6C 69 6B 65 20 74 68 69 like thi
01B0:73 2E 0A 0A 56 49 53 49 s...VISI
01B8:54 20 77 77 77 2E 72 65 T www.re
01C0:67 69 73 74 72 79 63 6C gistrycl
01C8:65 61 6E 65 72 78 70 2E eanerxp.
01D0:63 6F 6D 20 49 4D 4D 45 com IMME
01D8:44 49 41 54 45 4C 59 21 DIATELY!
01E0:0A 0A 00 00 ....

is sent to port 1026

0000:64 31 3A 61 64 32 3A 69 d1:ad2:i
0008:64 32 30 3A 67 6F 75 67 d20:goug
0010:6F 75 20 64 68 74 20 6E ou dht n
0018:61 76 69 67 61 74 6F 72 avigator
0020:39 3A 69 6E 66 6F 5F 68 9:info_h
0028:61 73 68 32 30 3A 9A AB ash20:«
0030:04 4D 02 46 9F C7 2A 2B .M.FÇ*+
0038:1A 1A 4B 0A D8 83 0A E2 K.Ø.â
0040D 43 65 31 3A 71 39 3A ÝCe1:q9:
0048:67 65 74 5F 70 65 65 72 get_peer
0050:73 31 3A 74 38 3A 30 36 s1:t8:06
0058:31 34 37 35 30 33 31 3A 1475031:
0060:79 31 3A 71 65 y1:qe

0000:64 31 3A 61 64 32 3A 69 d1:ad2:i
0008:64 32 30 3A 9A A8 7A 81 d20:¨z
0010:95 52 72 EE 5A FA A1 89 RrîZú¡
0018:23 A8 4C 1B 3D 56 08 59 #¨L=V.Y
0020:36 3A 74 61 72 67 65 74 6:target
0028:32 30 3A 9A AB 02 B7 37 20:«.·7
0030:E2 DE 26 14 3E 81 89 6A âÞ&>j
0038:98 85 C0 B1 BC 0A 8D 65 À±¼.e
0040:31 3A 71 39 3A 66 69 6E 1:q9:fin
0048:64 5F 6E 6F 64 65 31 3A d_node1:
0050:74 34 3A B9 BA 00 00 31 t4:¹º..1
0058:3A 76 34 3A 55 54 11 82 :v4:UT
0060:31 3A 79 31 3A 71 65 1:y1:qe
is sent to port 21213

0000:64 31 3A 61 64 32 3A 69 d1:ad2:i
0008:64 32 30 3A 9B 7D 0C C9 d20:}.É
0010:33 F8 C3 79 4A A7 5B AB 3øÃyJ§[«
0018E F5 91 D1 3B AE F5 26 ÞõÑ;®õ&
0020:36 3A 74 61 72 67 65 74 6:target
0028:32 30 3A 9A AB 07 52 B3 20:«.R³
0030:96 76 0D 61 C3 80 4D E7 v.aÃMç
0038:20 97 2F 03 23 38 BA 65 /.#8ºe
0040:31 3A 71 39 3A 66 69 6E 1:q9:fin
0048:64 5F 6E 6F 64 65 31 3A d_node1:
0050:74 34 3A D9 DD 00 00 31 t4:ÙÝ..1
0058:3A 76 34 3A 55 54 11 FA :v4:UTú
0060:31 3A 79 31 3A 71 65 1:y1:qe

is sent to 43939

logikz, Oct 5, 2007

#4
chaslang MajorGeeks Admin - Master Malware Expert Staff Member
You need to attach the other logs that were requested in the READ ME.

- BitDefender
- PandaActiveScan
- HijackThis - but what to get a new HJT to attach after doing the below.

Also I recommend that you immediately run the below. You don't have a rootkit. You have a SmitFraud infection.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htmIMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

How are things working now?
chaslang, Oct 5, 2007

#5
logikz Private E-2

will do, but i have also this log to show. It's coming from a strange area and i see the connection inbound all the time.

Proto Local Address Foreign Address State
TCP necro-2293a0442:epmap necro-2293a0442:0 LISTENING
TCP necro-2293a0442:2869 necro-2293a0442:0 LISTENING
TCP necro-2293a0442:1576 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1577 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1578 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1580 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1581 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1582 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1583 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1584 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1585 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1586 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1587 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1588 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1589 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1590 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1591 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1592 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1593 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1594 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1595 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1596 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1597 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1598 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1599 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1600 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1601 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1602 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1603 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1604 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1606 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1607 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1609 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1610 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1611 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1612 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1613 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1614 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1615 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1616 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1617 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1618 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1619 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1620 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1621 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1622 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1623 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1626 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1627 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1628 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1629 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1630 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1633 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1635 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1637 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1640 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1641 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1643 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1645 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1646 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1649 cds165.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1650 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1651 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1652 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1653 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1654 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1655 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1656 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1657 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1658 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1660 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1661 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1662 cds248.ord.llnw.net:http TIME_WAIT
TCP necro-2293a0442:1663 cds248.ord.llnw.net:http TIME_WAIT
UDP necro-2293a0442:1036 *:*
UDP necro-2293a0442:1040 *:*
UDP necro-2293a0442:1624 *:*
UDP necro-2293a0442:1625 *:*
UDP necro-2293a0442:1669 *:*
UDP necro-2293a0442:27005 *:*
UDP necro-2293a0442:27015 *:*
UDP necro-2293a0442:27020 *:*
UDP necro-2293a0442:1031 *:*
UDP necro-2293a0442:1900 *:*
UDP necro-2293a0442:1900 *:*

logikz, Oct 5, 2007

#6
logikz Private E-2
aeasdfdsa
Attached Files:
- rapport.txt
  
  File size:
  
  1.5 KB
  
  Views:
  
  2
logikz, Oct 5, 2007

#7
logikz Private E-2

SmitFraudFix v2.237

Scan done at 3:24:05.54, Fri 10/05/2007
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EF26974F-267B-49B2-B5BC-982FA90758E2}: NameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EF26974F-267B-49B2-B5BC-982FA90758E2}: NameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

logikz, Oct 5, 2007

#8
chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Please follow instructions and ATTACH logs. Do not post them inline. The reason you could not attach it in message # 9 was because you tried to reattach the same rapport.txt log from option 2. You never attached the first rapport.txt log as requested before going on to step 2.

You also need to attach the other logs I requested and you also need to tell me what problems you are still having.

chaslang, Oct 6, 2007

#9
logikz Private E-2

rarar

logikz, Oct 6, 2007

#10
logikz Private E-2

ssss

logikz, Oct 6, 2007

#11

(You must log in or sign up to reply here.)

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds