Windows Security Virus

Computing.Net > Forums > Security and Virus > Windows Security Virus

Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free!

Original Message

Name: mahcus
Date: May 12, 2008 at 11:10:24 Pacific
Subject: Windows Security Virus
OS: XP Media
CPU/Ram: NA
Model/Manufacturer: NA

Comment:

I am experiencing the same issues as some others with the Windows security virus. It also looks as if it is logged on as a user besides the Administrator and my task manager has been disabled.
I am going by another poster having the same issue.
http://www.computing.net/answers/se...
Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Here is what I got from SmitFraudFix:
SmitFraudFix v2.319
Scan done at 14:00:05.92, Mon 05/12/2008
Run from C:\Documents and Settings\Administrator\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digi-Watcher.com\Watcher 2.32\Watcher.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Linksys\Linksys WUSB Config Utility\WUSB12Cfg.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\default.htm FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\winfrun32.bin FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wmsdkns.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.25.5.148
DNS Server Search Order: 24.25.5.147
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5B3C119F-B2EB-4548-B11D-B07F5E7416D5}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E99C5E9-D201-4E4A-80CC-DA378FFA77BC}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5B3C119F-B2EB-4548-B11D-B07F5E7416D5}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E99C5E9-D201-4E4A-80CC-DA378FFA77BC}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5B3C119F-B2EB-4548-B11D-B07F5E7416D5}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7E99C5E9-D201-4E4A-80CC-DA378FFA77BC}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
The other post says to run HijackThis but I wanted to make sure I was headed in the right direction first.
Thanks.
No comment

Report Offensive Message For Removal

Response Number 1

Name: btk1w1
Date: May 13, 2008 at 00:11:50 Pacific

Reply: (edit)

Heya Mahcus
These lines indicate Smitfraud is present on your system...
C:\WINDOWS\default.htm FOUND !
C:\WINDOWS\system32\winfrun32.bin FOUND !
The warning you get with this program that running the cleaning utility on an uninfected system can damage the desktop.... so you should always use option 1 first.
1) If you have already run option 2, run option 1 again to see if you still have the infected files present. Indicated by "FOUND !"
2) If you find that you still have the infected files, go to 3). If the infected files don't show up do not run Smitfraudfix again Go to 5)
3) Reboot your pc into safe mode(Do this by using the F8 method during start-up only) and run option 2 and hit enter to delete. Answer Y to clean the registry... If prompted to replace infected wininet.dll hit Y and enter. A reboot may be needed to complete the process.
4) That's basically the run-down with the Smitfraudfix tool. Remember to make sure you pc has infected files before you run it.
5) A very good program with excellent Smitfraud detection and removal processes is Superantispyware (SAS). After running Smitfraudfix I would download install and update SAS (free for home version). Again boot into safe mode and run the complete scan. Remove everything it finds... You will likely find there is more malware on your system.
Click here for SuperAntispyware - free for home users

Report Offensive Follow Up For Removal

Response Number 2

Name: mahcus
Date: May 13, 2008 at 09:48:52 Pacific

Reply: (edit)

I think that took care of it.
Thanks!
No comment

Report Offensive Follow Up For Removal


remove fake windows security adware C:\WINDOWS\secure=always homepage Windows anti virus popup Windows Security Center Fake Windows Security	Free windows security update cd Windows Security Update CD Windows Media Player Codec Virus windows xp virus HUGE Windows Security Threat ??

Is this a virus??

randomly appering startup...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Do you have your own blog?

Poll Finishes In 4 Days.
Discuss in The Lounge
Poll History

Open Control Panel via shortcut?

Loopinig batch file using IF EXIST

Disk Error

Why is NetBEUI faster than TCP/IP

Adobe Acrobat Reader Nag Screen

All Awaiting Reply