Thread ID: 74707 2006-12-02 09:09:00 Virus help 4Lowie (10869) Press F1
Post ID Timestamp Content User
503776 2006-12-02 09:09:00 Hi all, I've just been infected (the virus kind!). I let my antivirus lapse, I know a dumb thing to do. Now I have two icons and programs that have appeared, both telling me that I'm infected and need to download their programs. Do I trust them? The icons appear in the right side of the lower toolbar, one is a round red disk with a white ! mark the other is a yellow triangle that changes to a grey "mine". I ran a new scan with AVG and AdAware but they are still there. Any help would be gratefully appreciated. 4Lowie (10869)
503777 2006-12-02 09:27:00 System restore back to when you hadn't installed them. (Think this is the only way, worked for me.) jesse_jax (9283)
503778 2006-12-02 10:40:00 Does sound like a Smitfraud variant.

Even if it isn't, it won't do any harm, so follow the instructions at this site, under the heading "Removal Instructions" (a little way down the page)

www.bleepingcomputer.com
pheonix (36)
503779 2006-12-02 17:31:00 The first thing is to be sure and do not click on them. kjaada (253)
503780 2006-12-02 19:08:00 Does sound like a Smitfraud variant.

Even if it isn't, it won't do any harm, so follow the instructions at this site, under the heading "Removal Instructions" (a little way down the page)

www.bleepingcomputer.com

That might work for Smitfraud but it doesn't for variants.
Spybot will pick it up and remove most of it.
Then you need to see which program it wants you to download - then google it.

For instance one variant:
Find the Trojan file name

Use regedit

Navigate to the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win[THREE RANDOM CHARACTERS]32

Take note of the file name listed in the above subkey. This is the Trojan file name. Delete this with HijackThis Misc Tools - Delete on reboot. This stops it recreating itself, then Spybot and a HijackThis scan will remove the rest of it.

The only tricky part is each variant is slightly different. You need to find that file first. And that particular registry location is not the same for all of them.
pctek (84)
503781 2006-12-03 01:03:00 Download HijackThis (www.cyberanswers.org/forum/uploads/HijackThis1991.exe). It will create a directory folder for you in C:\Program Files. Rename HijackThis.exe to Analyse.exe.

Right-click HijackThis.exe and choose Rename.

Then reboot and after reboot, double-click Analyse.exe and run a scan and save the log file. Post the log it creates in your next reply. Do not fix anything since most of them listed there are harmless (some are system required). This program will help determine what, if any, spyware/malware is on your computer.
Pancake (6359)
503782 2006-12-03 04:43:00 Sorry Pctek, but I beg to differ on your assumption.

There hasn't been a variant that it hasn't cleaned up that I have come across as a Tech. Even some which Spybot couldn't touch. The posting may be old, but the Smitfraud file you are requested to download is kept up to date.
pheonix (36)
503783 2006-12-03 06:22:00 Sorry Pctek, but I beg to differ on your assumption.

There hasn't been a variant that it hasn't cleaned up that I have come across as a Tech. Even some which Spybot couldn't touch. The posting may be old, but the Smitfraud file you are requested to download is kept up to date.

There has. I had one a couple of weeks ago.
Spybot found some, Hijackthis also, Hijackthis was useful for deleting the main file once I found it.

Smitfraud did not help in this particular case - even though Spybot was calling it a Smitfraud type.
pctek (84)
503784 2006-12-03 07:00:00 Thanks for the help, cleared both of the icons from the toolbar but I think there is still something happening in the background. Another window just opened but I closed it before having a better look! Also my AVG is picking up a Trojan now and then. So I'll do some more looking and no doubt have some more questions. 4Lowie (10869)
503785 2006-12-03 07:40:00 Just done a scan only with HijackThis and here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 8:28:13 p.m., on 3/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{2469B7A9-0A60-5129-1124-030625200040}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\HijackThis 1.99.1\Analyse.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {326CD37E-85BF-D727-09DF-020967BAEB89} - C:\WINDOWS\system32\yrphfec.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\tfrextfm.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {8B7DC88A-8864-488E-BAB2-114BC9D1574A} - C:\WINDOWS\system32\mllmj.dll
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [nxjzyqg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nxjzyqg.dll,nrjxlu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A327F69-2718-49E8-ABC2-03E7A69340DB}: NameServer = 192.168.80.100,192.168.80.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDFD30E-F4D6-45BB-BB33-4BB338FDDE05}: NameServer = 202.27.184.3,202.27.184.5
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

What do I need to delete?
4Lowie (10869)
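A small triage script for logs in the format 4Lowie posted, added here as an example (it is not from the thread, nor a HijackThis feature): it applies pctek's win[THREE RANDOM CHARACTERS]32 rule to the O20 Winlogon Notify entries and also flags unnamed BHOs, rundll32-loaded DLLs with random-looking names and entries whose file is missing. The sample lines are copied from the log above; the vowel-ratio test is a constructed heuristic, so anything it flags still needs to be checked by hand before removal.

```python
import ntpath
import re
# Sample input: lines copied from the HijackThis v1.99.1 log posted in this thread,
# with one benign O2/O4/O20 line each so the heuristics also have something to pass.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {326CD37E-85BF-D727-09DF-020967BAEB89} - C:\WINDOWS\system32\yrphfec.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nxjzyqg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nxjzyqg.dll,nrjxlu
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                      # "O20 - <detail>"
WIN_NOTIFY = re.compile(r"^win\w{3}32$", re.IGNORECASE)         # pctek's win[XXX]32 name
RUNDLL = re.compile(r"rundll32\.exe\s+(\S+\.dll),(\w+)", re.IGNORECASE)

def stem(path):
    """File name without directory or extension, using Windows path rules."""
    return ntpath.basename(path).rsplit(".", 1)[0]

def looks_random(name):
    """Constructed heuristic: 5+ letters with fewer than one vowel in four."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) < 0.25

def triage(log_text):
    """Return (section, path, reason) for every entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        path = detail.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        if "(file missing)" in detail:
            findings.append((section, path, "file missing; orphaned entry"))
        elif section == "O2" and "(no name)" in detail:
            findings.append((section, path, "unnamed BHO"))
        elif section == "O4":
            r = RUNDLL.search(detail)
            if r and looks_random(stem(r.group(1))):
                findings.append((section, r.group(1), f"rundll32 loads DLL export {r.group(2)}"))
        elif section == "O20" and (WIN_NOTIFY.match(stem(path)) or looks_random(stem(path))):
            findings.append((section, path, "Winlogon Notify DLL with random-looking name"))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns six findings; the Acrobat BHO, AVG and WgaLogon lines pass untouched.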