
Infected With Trojan.killav


  • Please log in to reply
9 replies to this topic

#1 RE!GN

RE!GN

  • Members
  • 5 posts
  • Local time:02:40 AM

Posted 22 October 2007 - 07:14 PM

Hello,
I was having issues with my other PC and upon running Antivirus software and reading up on it on the web I have determined to have the Trojan.Killav virus. All the signs are there from losing Admin rights on my PC, losing my control panel, having my homepage changed to a supposed spyware site that can fix all of my headaches, having new shortcuts on my desktop (3) for spyware sounding websites and as well pop ups claiming yet again to be the fix I need, stating I have spyware on my PC and trying to get me to purchase it.
I have already run Norton Antivirus, Spybot and Adaware (standards on my PC) to have Norton tell me it fixed most of the Trojan but could not tackle it all. Adaware resolved everything it found which was not enough either. Spybot found these issues and claimed to resolve all of them but 1
SPYBOT SCAN INFO:
smitfraud-c
smitfraud-c.msvps
spycrush
spywareBot
WIn32.Agent.ci
ZLob.Downloader.vcd
Zlob.videoActive x access
Zlob.video activexobject
Zlock.vc
Of all of the above listed it stated it repaired all but Zlob.Videoactivexobject.

Norton only stated it found the Trojan.Killav.
I printed a log for Adaware but it is hard to work from my other PC at this point. I did save it to a Word doc on a flash key but am scared to move it to this PC as I am not certain if it could infect me here somehow.
I am running Windows XP Home as well.
I shut down my PC once I realised what I had in hopes it would not make matters worse, and as well I restarted in safe mode running all three scans and then restarted in normal to have my Control Panel back, but my homepage is still the same. I again shut down quickly until I could find more info, just in case I put a dent in this thing and could minimize the fix at this point. I still had no Admin rights as well, so I assume it has reactivated upon restart as I have read it will and that my attempts did not finish this thing off.
I read that Hijacked may be the program for me but I have little PC skills for this instance and it did not seem like the thing to do for me without some guidance and help. Hopefully you can point me on the right path for this issue.
Thanks,
Gregg
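As an added example, not from this thread or from any of the tools mentioned in it: the post above lists two symptoms that are plain configuration changes, the Control Panel disappearing and the Internet Explorer homepage being redirected. Both live in well-known registry locations (the Explorer policy value `NoControlPanel` and the `Start Page` value under Internet Explorer\Main), so a regedit "Export" of the current user's hive can be checked for them offline, from a clean machine, before any removal tool is run. The `.reg` text below is constructed for illustration, and the expected homepage passed to `audit()` is an assumption.

```python
"""Flag Control Panel lockout and IE start-page hijack in a regedit .reg export."""
import re
from typing import Dict, List

RegTree = Dict[str, Dict[str, object]]

# Constructed sample of what regedit's "Export" produces on an XP machine showing
# the two symptoms described in the thread (not captured from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://rogue-antispyware.example/fix-your-pc"
"""

# Standard registry locations for the Explorer policy and the IE start page.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside quoted strings.
    return s.replace(r'\"', '"').replace("\\\\", "\\")


def _decode(raw: str) -> object:
    # dword values are hex; quoted values are strings; anything else (hex(...)) is kept verbatim.
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw


def parse_reg(text: str) -> RegTree:
    """Parse a regedit export into {key path: {value name: value}}."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            tree[current][name] = _decode(m.group(2))
    return tree


def audit(tree: RegTree, expected_start_page: str) -> List[str]:
    """Return human-readable findings for the two tampering symptoms."""
    findings: List[str] = []
    policies = tree.get(POLICY_KEY, {})
    if policies.get("NoControlPanel", 0):
        findings.append(
            f"Control Panel hidden by policy: {POLICY_KEY}\\NoControlPanel = {policies['NoControlPanel']}"
        )
    start = tree.get(IE_MAIN_KEY, {}).get("Start Page")
    if isinstance(start, str) and start.lower() != expected_start_page.lower():
        findings.append(f"IE start page changed: {start!r} (expected {expected_start_page!r})")
    return findings


if __name__ == "__main__":
    # Expected homepage is an assumption; replace with the user's real one.
    for finding in audit(parse_reg(SAMPLE_REG), "http://www.google.com/"):
        print("FINDING:", finding)
```

On a live machine the same checks can be made by exporting `HKEY_CURRENT_USER` from regedit on the suspect PC and copying the text file to a clean one; a `NoControlPanel` of 1 that nobody set deliberately, or a start page pointing at an unfamiliar "fix your spyware" site, matches the behaviour described in the post.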



#2 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:40 AM

Posted 22 October 2007 - 07:59 PM

Use the Smitfraudfix tool in the link below. Read and follow the directions carefully.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Follow up with the program below that will remove other malware that accompanies the smitfraud malware.
Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Please let us know the results.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,485 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:40 AM

Posted 22 October 2007 - 09:54 PM

Looks like you may be dealing with other infections besides smitfraud.

Smitfraud.C is Spybot S&D's name for a type of Vundo/Conhook infection. Vundo is associated with the rogue app Winfixer, among others, but it is a completely different infection from Smitfraud and SmitfraudFix is not designed to fix it. For this you need to follow the instructions for using Vundofix in BC's self-help tutorial "How To Remove Vundo/Winfixer Infection".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:40 AM

Posted 23 October 2007 - 06:24 AM

The reason for using the Super Antispyware after running the Smitfraud tool is it will remove a lot of malware including Vundo and other malware that accompanies the Smitfraud malware.
Having said that, it is not unusual for any of the commercial programs to be unsuccessful in removing certain Vundo infections. In that case you should Post a Hijack This log in the Hijack This Forum and let the experts guide you.
Do Not post the log in this forum.
The link below has instructions for posting a HJT log.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#5 RE!GN

RE!GN
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:40 AM

Posted 23 October 2007 - 02:55 PM

Thank you both for your response. I will look into both of these options and post in the hijackthis log.

#6 RE!GN

RE!GN
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:40 AM

Posted 23 October 2007 - 02:58 PM

Also real quick. I am not very skilled in these areas so when I go to download these programs can I do so in safe mode? I know you stated to run them in safe but it is quite annoying trying to do anything unless in safe mode at this point. Again, thanks.

#7 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:40 AM

Posted 23 October 2007 - 03:28 PM

Yes, you can download with safe mode with networking. You will have to install Super Antispyware in regular mode though.

#8 RE!GN

RE!GN
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:40 AM

Posted 23 October 2007 - 07:37 PM

Ok here is an update.
I ran the Smitfraudfix and then ran Superantispyware and I found a lot of stuff to get rid of. After cleaning everything up and restarting I got back control of my Control Panel, my printers are now back and working, all the popups have gone bye bye, I have no more desktop shortcuts for the three websites it had added on. I as well turned on the protect homepage function of Superantispyware and have my normal homepages back for each user. I then found that my Norton had the phishing settings turned off and it could not fix it. I had a problem at first getting to the Symantec site for tech help on fixing this (I assume it was a block by the virus I had). I was able to get around it and get my Norton back up and running fully since I had my Admin rights back. So far it looks like everything is running again fine.
I am running Norton over now in normal mode just to see if all is clear and I plan on doing the same for Adaware, Spybot S&D, and Superantispyware. Please let me know if I should do anything else to be certain at this point. I have not done the Hijackthis program at all as of yet.
I appreciate the help and look forward to hearing back from you both on this.
Thanks

#9 buddy215

buddy215

  • Moderator
  • 13,196 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:02:40 AM

Posted 23 October 2007 - 07:58 PM

Glad you are having success. You may not need to post a HJT.
Run a scan with Spybot and let us know what it finds or if it is happy.
Run a scan with Norton's antivirus and let us know if it finds anything.

If they both come up clean and you are not having any problems, remove the existing restore points as some are infected.
Info on how to do that is in the link below if you need it.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

Remove temporary files, logs, cookies, etc. by using Ccleaner. Do not use "Advanced Settings" or the "Issues" button. Use only the default settings. http://www.ccleaner.com/
During the install of Ccleaner you will be offered the Yahoo Toolbar. If you don't want it, be sure to UNcheck.

You can permanently remove the quarantined files in ALL security programs.
Remove Smitfraudfix
No need to have both Super Antispyware and Norton Antispyware to run at startup. If you don't want to buy SAS just update it once a week so it will be ready to scan with when needed.

#10 RE!GN

RE!GN
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:40 AM

Posted 23 October 2007 - 08:15 PM

Ok, sounds like a job for tomorrow my friend. Been a bit of a long battle on my end, lol. Thanks for the input and help. Norton is running now as I type and will run Spybot as well. Will work on the CCleaner thing tomorrow. Oh yeah, and by the way I also saw SAS had an option on the main page to see what is running on my PC, which I figured "why not try it out"; results looked good to me. Only found like 3 unrecognized items and none that were considered threats. Most of the unrecognized stuff was Symantec/Norton items. Not sure if this interests you but figured I would throw it out there.

Edited by RE!GN, 23 October 2007 - 08:19 PM.
