Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > Windows Security Virus

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Windows Security Virus

Reply to Message Icon

Name: mahcus
Date: May 12, 2008 at 11:10:24 Pacific
OS: XP Media
CPU/Ram: NA
Product: NA
Comment:

I am experiencing the same issues as some others with the Windows security virus. It also looks as if it is logged on as a user besides the Administrator and my task manager has been disabled.

I am going by another poster having the same issue.
http://www.computing.net/answers/se...

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Here is what I got from SmitFraudFix:

SmitFraudFix v2.319

Scan done at 14:00:05.92, Mon 05/12/2008
Run from C:\Documents and Settings\Administrator\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\ALCWZRD.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digi-Watcher.com\Watcher 2.32\Watcher.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Linksys\Linksys WUSB Config Utility\WUSB12Cfg.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\default.htm FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\winfrun32.bin FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wmsdkns.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.25.5.148
DNS Server Search Order: 24.25.5.147

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5B3C119F-B2EB-4548-B11D-B07F5E7416D5}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E99C5E9-D201-4E4A-80CC-DA378FFA77BC}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5B3C119F-B2EB-4548-B11D-B07F5E7416D5}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E99C5E9-D201-4E4A-80CC-DA378FFA77BC}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5B3C119F-B2EB-4548-B11D-B07F5E7416D5}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7E99C5E9-D201-4E4A-80CC-DA378FFA77BC}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

The other post says to run HijackThis but I wanted to make sure I was headed in the right direction first.

Thanks.

No comment



Sponsored Link
Ads by Google

Response Number 1
Name: btk1w1
Date: May 13, 2008 at 00:11:50 Pacific
Reply:

Heya Mahcus

These lines indicate Smitfraud is present on your system...

C:\WINDOWS\default.htm FOUND !
C:\WINDOWS\system32\winfrun32.bin FOUND !

The warning you get with this program that running the cleaning utility on an uninfected system can damage the desktop.... so you should always use option 1 first.

1) If you have already run option 2, run option 1 again to see if you still have the infected files present. Indicated by "FOUND !"

2) If you find that you still have the infected files, go to 3). If the infected files don't show up do not run Smitfraudfix again Go to 5)

3) Reboot your pc into safe mode(Do this by using the F8 method during start-up only) and run option 2 and hit enter to delete. Answer Y to clean the registry... If prompted to replace infected wininet.dll hit Y and enter. A reboot may be needed to complete the process.

4) That's basically the run-down with the Smitfraudfix tool. Remember to make sure you pc has infected files before you run it.

5) A very good program with excellent Smitfraud detection and removal processes is Superantispyware (SAS). After running Smitfraudfix I would download install and update SAS (free for home version). Again boot into safe mode and run the complete scan. Remove everything it finds... You will likely find there is more malware on your system.

Click here for SuperAntispyware - free for home users


0

Response Number 2
Name: mahcus
Date: May 13, 2008 at 09:48:52 Pacific
Reply:

I think that took care of it.

Thanks!

No comment


0

Sponsored Link
Ads by Google
Reply to Message Icon

Related Posts

See More



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: Windows Security Virus
Windows security alert virus www.computing.net/answers/security/windows-security-alert-virus/24922.html

Windows Security Center Virus www.computing.net/answers/security/windows-security-center-virus/25430.html

remove fake windows security adware www.computing.net/answers/security/remove-fake-windows-security-adware/21626.html