Definite Infection - Looks Like Smitfraud - What To Do?


#1 eternal_newbie


Posted 02 April 2008 - 01:44 PM

Hey,
first of all, I use Windows XP, SP2. Hate to say that it is in Greek (I am in Greece and this is the PC of my parents; I would never ever ever use any other language for my system other than English) and some programs run in German (we lived in Germany for many years, so we are bilingual). I only state that because in order to write this post I will have to translate names and messages either from Greek or German into English, under which the accuracy of the descriptions may suffer.

So,
It all happened when I downloaded a video codec to watch a streamed video. Before running the installer I scanned it with Panda Internet Security 2007 and it came out clean. I ran the installer, and afterwards these things started happening all at once:
There were suddenly shortcuts on my desktop which I didn't know anything about - something like "immediate security" or something like that. Also, an icon in my system tray appeared and continuously warned me about my PC having been exposed to serious threats and needing protection right now. At the same time, an unknown antivirus program - antivirus heat? virus heat? something like that - which was installed on my system without me knowing, opened its main window and started performing a virus search, since I appeared to have been infected by spyware and trojans. The list of infected objects grew bigger and bigger, but seconds after that Panda Internet Security sent out a log message informing me about some virus having been blocked and neutralized, and as I was kind of overwhelmed by all these things and shocked, I opened Panda and started an antivirus search on my own.

After that I managed to stop antivirus heat and close it, I deleted the shortcuts from my desktop and uninstalled the antivirus program, as it had been installed like any other program, with its own folder in Program Files and everything.
The system tray icon continued to blink though, and a toolbar had been added to my Internet Explorer browser window - system security 7.1. Also, my home site had been erased, so when I opened Internet Explorer it was blank.
I do not remember exactly what I did next; I think I let Panda continue with the virus search and disconnected from the internet, while I opened the "manually uninstall programs" window through Control Panel looking for program names I did not recognize. I actually found two of them; their names were "internet security services" and "web browsing security". I chose "uninstall web browsing security" and a window popped up saying that uninstalling this program would cause Windows to restart. I was worried this was what the virus "would want me to do", so I did not do it, yet.

I must admit, I was kind of hopeless and scared to connect to the internet to google up some help. So I returned to the main window of Panda Internet Security and found an option to look for vulnerabilities on my PC. I did so, and the program recognized a vulnerability named MS07-069, with the status of a heavy security risk. The program also listed the viruses or other threats which could exploit this weak spot; under this category there was one name listed, no_exploit (turns out there seems to be no virus or spyware which exploits this vulnerability). This option of recognizing vulnerabilities on your PC gives you two buttons with choices to proceed, "more information" and "windows update", the latter connecting you to the Microsoft Update site. I did so, and found two updates for my Windows version, one Windows Genuine Advantage tool and the Microsoft Office 2003 Service Pack 3. I started downloading them both (naively hoping it might help with the virus), and while the Genuine Advantage tool caused no problems, the installation of the service pack got aborted just before finishing. On the Microsoft Update site one can view one's update history, and for the service pack it showed me a red X with the error code 0x51f. This seems not to have anything to do with the main problem of the infection, but my antivirus program always stops at a certain point, with an error message occurring saying "The profile name you have entered is not valid or contains characters which are not supported in your current windows system codepage. Please enter a different profile name." The title of this message says "Windows office outlook" in its banner, so I assume it has something to do with the Office service pack not installing properly.
The last time I ran the search for viruses, it seemed to me that the search lasted longer, and it found something (cookie/tribalfusion, cookie/onestat.com, cookie/AntiSpyKit, Cookie/Doubleclick, all of them in C:/Documents and Settings/USER/Cookies) but still, it stopped at the point where the error message appeared.

Anyway, I finally uninstalled "web browsing security" and the computer restarted. I also deleted "internet security services" from the manually-uninstall-programs list, as it was not possible to uninstall it because it seemed to have already been removed (a window that appeared said so). After the restart the blinking icon in the system tray had disappeared, as well as the security toolbar 7.1, but when I reconnected to the internet the toolbar returned, as well as some pop-ups with fake warnings about my vulnerability and another icon in the system tray, a yellow triangle with an exclamation mark on it, out of which a balloon pops up now and then informing me about the viruses and spyware I have been infected with, and with a link on it to antivirus software.

I searched on the internet and found out about smitfraud. I downloaded smitfraudfix, as well as the free version of SUPERAntiSpyware. I followed a tutorial to block the system security toolbar from appearing in IE, going to: Control Panel - Internet Options - Programs - Manage Add-ons and deactivating suspicious add-ons: Internet service (this is the toolbar, its file is WAMDL.DLL), Research (no information for this one) and both Windows Messenger and problem diagnosis (because they both had unknown providers, although I don't think that they are harmful). The toolbar is still installed on my system, but at least it's blocked. After that I prepared to follow the usual way to deal with smitfraud - reboot in safe mode and use smitfraudfix.

The problem is, and that is where I want to conclude, that any time I choose to start Windows in safe mode (keeping F8 pressed at startup before the Windows screen appears) I get a blue screen of death, which I can't read, because it is written in some weird characters and not letters, but down at the bottom it says STOP: 0x0000007B (0xF7B96524, 0x0000034, 0x00000000, 0x00000000)

My question is: What do I do now?
I have HijackThis and ComboFix. I know that I have to be extremely careful with both since I am not acquainted with their logs and with their meaning, but I thought I should start at the beginning and with as many details as possible, so that nothing gets overlooked in the process. That's why I did not go to the HijackThis forum at once, even though that's where I might end up after all.

So, anyone got any advice for me?

Thanks in advance


#2 ruby1


Posted 02 April 2008 - 02:35 PM

to clarify a bit; can you kindly confirm what your present installed antivirus program is and what other protection is also on board ?

have you yet run a full scan with the superantispyware and what did it find ?

It all happened when I downloaded a video-codec to watch a streamed video. Before running the installer I scanned it with Panda Internet Security 2007 and it came out clean


from where did you download this 'program'?

one presumes you have not yet run either the HJT tool nor combofix (please do NOT run EITHER unless instructed to do so by an authorised member of staff)

#3 eternal_newbie


Posted 02 April 2008 - 04:04 PM


Ok:

My basic antivirus program is Panda Internet Security 2007 (11.00.02).
I downloaded, installed and updated SUPERAntiSpyware Free Edition (4.0.1154).
I have HJT v2, ComboFix and StartupList. I have used HJT but only to create the log list. I haven't deleted or quarantined anything.

I do not remember the site I got the virus from, but it was definitely one from the Google Groups websites, google groups/da-celebs something.

I ran the full computer scan with SUPERAntiSpyware, and it found these: a lot of Adware Tracking cookies, Browser Hijacker.Favorites, Rogue Virus heat (that was the name of the fake antivirus, virus heat - damn, it looked professional!), Trojan FakeAlert-Gen/Variant, Trojan.Media-Codec/V4, Trojan.Media-codec/V5, Trojan.Smitfraud Variant/IE Anti-Spyware

I quarantined them all and rebooted, and now they seem to be gone. I checked Internet Explorer and its add-ons, and the blocked toolbar is gone, as well as the fake alert in the system tray.
I'm running another virus check with Panda and after that again with SUPERAntiSpyware, but for the moment my system seems clean. Or maybe it isn't?

#4 eternal_newbie


Posted 02 April 2008 - 05:49 PM

Right.
So with Panda looking for viruses and threats, nothing came up.
Scanning with SUPERAntiSpyware I found three more adware cookies.
After rebooting and scanning again, another one.

I tightened up my security after that, but how can I make sure that I keep safe from the adware cookies that track me down, once and for all?

#5 eternal_newbie


Posted 03 April 2008 - 01:06 PM

up..