Malware (outwindows) help for chibishinigami

f3theg · Oct 11, 2006

Hello major geeks,
My name is F3theg and I am new to posting on Threads. I was not able to post a reply directly to your thread chibishinigami, for admin reasons??!! but I do have the solution to your problem.

I worked on a computer just today with this same issue. So I just had to get the answer to you. (assuming that you have windows xp)

1. Turn off system restore.

2. Go to C:\program files\videos codec and delete what you can. ( DO NOT run the uninstall for this program.)

3. There are some .exe files in that folder, some files used to uninstall the program, and there are 2 exe's that you will find running under processes in the task manager. I can't remember the names because it took so long to get a reply posted. Rename these exe files to name3.exe, or what ever you wish. The key here is to break up the links to these files.

4. Go to Start>Run> and type MSCONFIG.

5. On the general tab, click on selective startup and uncheck load startup items. Click apply, ok and reboot.

6. Once you log back in, go back to the videos archive folder, and delete it.

I would also advised cleaning up your IE history, autocomplete forms, and clearing all of your temp folders out as well. I didn't have to do it in my case, but BHO's can be sneaky. If you have ad-aware or spybot, run these after the fact to pick up on anything you may have missed.

I have been in the IT business for 5+ years. I have run across this kind of issue a lot. The best thing I can tell the others that may view this post is that the key to conquering a trojan or BHO, is to break up the links. I would go into detail about this now, but my kid is crying. good luck to you chibishinigami

F3theg

chaslang · Oct 12, 2006

That problem was already resolved and using MSconfig is the wrong approach and is not needed. Running SmitFraudFix (as was already done) is the correct way to fix problems related to the SmitFraud family of infections.

f3theg · Oct 13, 2006

Hello Chaslang,
Thank you for your comments. However it seems that there are a few misunderstandings here.

I didn't see in the thread were the problem was actually solved. After re-reading the entire thread, I see that the hijacked IE windows stopped, but he is having some problems with his anti-virus now.

Using Msconfig is an appropriate action to take whenever you diagnose a computer issue. I can say that after removing this infection without using smitfraud fix. Utilities on the internet are not always guarunteed to work, but it is nice when they can save you a couple of steps.

Trojans, BHO's, malware, etc. are all told to startup at some point in the boot process. You will not see this during the boot of course. Disabling your startup folder will prevent these files from loading. (as in my case)

There is not a right way or a wrong way to fix this. There is just your way and my way. Please be open minded enough to accept that there are other ways to fix issues. A forum like this should be a place of innovation and sharing of ideas. If this is a place were geeks attack geeks then I've joined the wrong forum.

f3theg · Oct 13, 2006

I need to make a quick correction in one of my statements. It should read, Disabling your startup "items" will prevent these from loading. Not your startup folder. (Sorry, wrote that when I was still sleep)

chaslang · Oct 14, 2006

Yes there are many ways to fix problems! However disabling startups will not fix all the problems related to SmitFraud infections. Infact they do not normally even appear in startups. They are hidden by loading DLLs from a variety of locations. There are literally hundreds of forms of SmitFraud infections. For the one you are referring to, yes there were some EXE files for the codecs but as you can see, MSconfig did not have to be used to disable everything. Are you sure on your PC where you fix it that you removed entries that may have been added to the below registry keys:

HKEY_CLASSES_ROOT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler
HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And did you locate the DLLs and EXE files that are not stored in the Video Codec folder?

And yes the problem with SmitFraud was already fixed in that thread. The only remaining issue was the problem with McAfee and that is not something under the Startup tab. It is a Service that needs to be Stopped, Disable, and deleted. Using MSconfig it is also possible to stop services from loading at startup but that will not delete them. Using MSconfig can be helpful, but it can also mask problems that are still hiding in the registry and waiting to come back. They entries need to be removed completely. Also, after using MSconfig, you should also make sure to set things back to Normal Startup.

No applications are guaranteed to work not even commercial applications written by many large companies. However the free tools we use do work and they work better than the commercial tools which do very little to help remove the real stubborn malware problems that show each day. Things like Virtumonde, Winlogonhook/Conhook, SmitFraud, ....etc are common problems seen in many of the posts each day. No paid commercial application will fix these and many don't even find them. The free tools find them and do fix them and in cases where they don't fix all components, they make the manual final cleanup easier.

Sorry if you thought I was attacking you. I was not. We fix hundreds of problems like this per week and we do have a good handle on the many forms of these infections and the steps/tools required to fix them. Unless you have fix many of these, you could be in for some surprizes. Reading some of the hundreds of messages posted here each week will illustrate some of the complexities I'm referring to.

f3theg · Oct 16, 2006

Hello Chaslang,
Thank you again for your response, and for your added input to this issue. At the time I fixed the machine I did some further probing with that particular computer and found some of the entries ( not all) that you are referring to. It seems that once I broke up the links, everything was ok. But you make a valid point that you should find the remaining garbage left behind and eliminate it, thus preventing a reinstall.

I do need to also clarify that once the problem was fixed on my end, I did re-enable the startup items ( I left that out of my first posting.) in msconfig.

If there are some free utils, that you have complete confidence in, could you please post back with some of them. (aside from HJT, or ad-aware)

Thank you again,
F3theg

chaslang · Oct 18, 2006

Anything you see us using in this forum means we have confidence in it. There are many specialty tools that we use and you will see some of them mentioned in the sticky threads. While the sticky threads do not mention every tool that we use, they do touch on quite a few. Looking thru the below stickies will reveal many of these tools:

READ & RUN ME FIRST Before Asking for Support

Special Removal Procedures - TitanShield, Virtumonde, Qoologic, SpyAxe, Look2ME, etc

How to Protect yourself from malware!

Alternative Scans

f3theg · Oct 25, 2006

Well as fate may have it, I now hold in my possesion the same computer that I fixed before. The owner told me that her son once again got a hold of it and went surfin'. So now that I have another opportunity to journal this strain of malware here at major geeks, I'd like to do so.

I looked at the history in IE and it appears that the website that started it all is yourprizecenter.com After that entry in histroy it's all downhill from there. I suspect that this is a popup ad on a webpage that may say "click here to claim your prize", but this is just a guess.

The end user is then taken down a road of deception. There are about 4 entries in history that appear to be antivirus or security software offers. They are (antivermins, antivirusgolden, asecuritytest, cdn.drivecleaner) There are about 11 total entreis that will eventually get you down to thesecurepool.com and yourfreedailylinks, Which I believe is the page that takes over as your homepage.

Since I cleaned this pc my way the last time, I will oblige my brother in arms (chaslang) and do it using smitfraud fix.

BTW in my first posting I forgot the names of the 2 files that were running in the video codecs folder. This time around the folder is not videos codec, it is now pornpass manager. (damn that was incriminating) the files are isamonitor, and isamini.

Chaslang, for your benefit and for others out here is there anything other information that you would like to have before I clean the PC? I will have to get this back to her by the weekend so I'll hold off until Friday.

F3theg

chaslang · Oct 26, 2006

f3theg said:

Chaslang, for your benefit and for others out here is there anything other information that you would like to have before I clean the PC? I will have to get this back to her by the weekend so I'll hold off until Friday.
Click to expand...

Well it would be nice to see logs from GetRunKey and ShowNew (both mentioned in the READ & RUN ME sticky) before SmitFraudFix and then after. I will repeat give the two steps of using SmitFraudFix below for you. The same log file should be posted twice. Once after running step 1 and then after running step 2. If you don't post it after step one the file will get overwritten when step 2 is run.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

f3theg · Oct 27, 2006

Hey Chaslang,
Here are the files that you requested. I did run smitfraud fix and it seems to have taken care of the issue. I like the batch file you put together.

Here are the first 3 files. I will post the others next.

f3theg · Oct 27, 2006

Here are the others

chaslang · Oct 27, 2006

Okay looks like SmitFraudFix remove a bunch of stuff but there are some remaining things!

See if you can goto Add/Remove programs and uninstall the below:

DriveCleaner 2006 Free 1.0.29.2 <-- malware (still loading at startup too)
MarketResearch <-- this is up to you, but no one seems to know what it is or where it came from. I have not been able to get my hands on a PC where it is installed to determine what it is.
SystemDoctor 2006 1.1.80.2 <-- malware
Viewpoint Media Player <-- adware from AOL and no one uses it anyway.

Then delete the below folders if still found:
Code:
"C:\Documents and Settings\**************\Application Data\"
SYSTEM~1      Oct  1 2006              "SystemDoctor 2006 Free"
 
"C:\Program Files\"
DRIVEC~1      Oct 23 2006              "DriveCleaner 2006 Free"
MALWAR~1.COM  Oct  1 2006              "MalwareWipe.com"
SPYWAR~1      Oct 10 2006              "SpywareBot"
 
"C:\Program Files\Common Files\"
DRIVEC~1      Oct 23 2006              "DriveCleaner 2006 Free"
 
"C:\Documents and Settings\*************\Local Settings\Temp\"
UDC6_0~1      Oct 23 2006              "UDC6_0001_D19M2808"
How is the PC running now?

f3theg · Oct 30, 2006

Hi Chaslang,
I didn't get to your response until after I dropped the PC off. The hijacked windows stopped, but I did miss drivecleaner, and system doctor. I will make contact with her again soon to get the rest of this cleaned up.

Thanks for your input on this
F3theg

chaslang · Oct 30, 2006

You're welcome! Make sure you also give her the below link. The educational aspects alone maybe helpful to her:

How to Protect yourself from malware!

Log in or Sign up

Malware (outwindows) help for chibishinigami

f3theg Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

f3theg Private E-2

f3theg Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

f3theg Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

f3theg Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

f3theg Private E-2

Attached Files:

newfilesafter.txt

newfilesbefore.txt

rapportafter.txt

f3theg Private E-2

Attached Files:

rapportbefore.txt

runkeysafter.txt

runkeysbefore.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

f3theg Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member