
Trying To Remove Infected Files


6 replies to this topic

#1 ppabob1

ppabob1

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 11 August 2006 - 08:29 PM

I've got an infection picked up by McAfee called "File Names; isamonitor.exe(times 2), isamini.exe(times 2)..isaddon.dll....One of the isamini's and the isaddon.dll was "deleted to complete the clean process".. The others... Status; infected..says file not found when in quarantine/delete mode ...Scan info; memory Trojan or Trojan name; Puper...McAfee can't quarantine/clean or delete them and I've tried to delete them directly and have been unsuccessful. Can anyone help?



#2 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:01:44 PM

Posted 11 August 2006 - 11:34 PM

Follow the Removal Instructions here:
isamonitor.exe

#3 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:44 PM

Posted 12 August 2006 - 07:31 AM

These files are related to the smitfraud family of trojans,
in particular a set of malware that falls under the name of Zlob.
You can try tg1911's instructions, but I don't think they will work.
You will need a special removal tool called SmitfraudFix to remove these files.

You can read more about these files here:

- http://research.sunbelt-software.com/threa...;threatid=44478

- http://www.sophos.com/security/analyses/trojzlobqk.html

Please download SmitfraudFix (by S!Ri)
- Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd
- Select option #1 - Search by typing 1, and press Enter.
- A text file will appear, which lists infected files (if present).
- Please copy/paste the content of that report into your next reply.

David

#4 ppabob1

ppabob1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 17 August 2006 - 04:20 PM

SmitFraudFix v2.81

Scan done at 17:19:18.28, Thu 08/17/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner\Application Data


Start Menu





Desktop


C:\Program Files

C:\Program Files\IntCodec\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"


Scanning wininet.dll infection


End

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:44 PM

Posted 17 August 2006 - 04:50 PM

This really should be in a different forum, but as I see no Hijackthis log we might as well continue here.
Let's continue...

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print-out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

David

#6 ppabob1

ppabob1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 19 August 2006 - 09:23 AM

I think it worked; McAfee doesn't pick up any infected files when I run a scan now. I don't know what the following means, but it never asked me to replace an infected file. Thanks a lot!

SmitFraudFix v2.81

Scan done at 23:30:30.82, Thu 08/17/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
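The two reports pasted in this thread (the "normal mode" search from post #4 and the "safe mode" clean from post #6) share a simple line-oriented format: a version header, a "Fix ran in ..." mode line, directory sections where hits end in "FOUND !", and registry keys in square brackets followed by "name"="data" lines. The parser below is an added example for reading that format; it is not part of SmitFraudFix, nor code posted by anyone in the thread. It extracts the found paths and the SharedTaskScheduler entries, flags any entry whose CLSID is not on an allowlist, and diffs a before report against an after report so that "the offending registry entry was removed" can be checked mechanically rather than by eye. The sample inputs are condensed copies of the thread's own reports; the allowlist of two Windows XP default SharedTaskScheduler CLSIDs is an assumption that should be verified against a known-clean machine.

```python
"""Parser for SmitFraudFix text reports (the rapport.txt format pasted above).

Added example, not part of the SmitFraudFix tool or of the thread. It pulls
out the tool version, run mode, 'FOUND !' paths and registry values, flags
SharedTaskScheduler entries that are not on a known-good allowlist, and
diffs a 'before' report against an 'after' report.
"""
import re
from dataclasses import dataclass, field

# Sample input: condensed copies of the two reports posted in the thread.
SAMPLE_BEFORE = r"""SmitFraudFix v2.81

Scan done at 17:19:18.28, Thu 08/17/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\Program Files

C:\Program Files\IntCodec\ FOUND !

Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

End
"""

SAMPLE_AFTER = r"""SmitFraudFix v2.81

Scan done at 23:30:30.82, Thu 08/17/2006
Fix ran in safe mode

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

End
"""

# Assumed baseline of SharedTaskScheduler CLSIDs shipped with Windows XP.
# Verify this against a known-clean machine before relying on it.
KNOWN_GOOD_STS = {
    "{438755C2-A8BA-11D1-B96B-00C04FB6BFC4}",  # Browseui preloader
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}",  # Component Categories cache daemon
}

VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"$')
VERSION_RE = re.compile(r"^SmitFraudFix v(\S+)")


@dataclass
class SmitReport:
    version: str = ""
    mode: str = ""
    found_paths: list = field(default_factory=list)
    shared_task_scheduler: dict = field(default_factory=dict)  # name -> CLSID
    desktop_components: dict = field(default_factory=dict)     # value -> data


def parse_report(text):
    """Walk the report line by line; a blank line ends the current registry key."""
    rep = SmitReport()
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None
            continue
        m = VERSION_RE.match(line)
        if m:
            rep.version = m.group(1)
            continue
        if line.startswith("Fix ran in "):
            rep.mode = line[len("Fix ran in "):]
            continue
        if line.endswith("FOUND !"):
            rep.found_paths.append(line[: -len("FOUND !")].strip())
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, data = m.groups()
            key = current_key.lower()
            if key.endswith("\\sharedtaskscheduler"):
                rep.shared_task_scheduler[name] = data
            elif "\\desktop\\components\\" in key:
                rep.desktop_components[name] = data
    return rep


def suspicious_sts(report, allowlist=KNOWN_GOOD_STS):
    """Names of SharedTaskScheduler entries whose CLSID is not on the allowlist."""
    allow = {c.lower() for c in allowlist}
    return sorted(n for n, c in report.shared_task_scheduler.items()
                  if c.lower() not in allow)


def diff_reports(before, after):
    """What the clean run removed, and what (if anything) is still flagged."""
    return {
        "removed_paths": sorted(set(before.found_paths) - set(after.found_paths)),
        "removed_sts": sorted(set(before.shared_task_scheduler)
                              - set(after.shared_task_scheduler)),
        "remaining_paths": sorted(after.found_paths),
        "remaining_sts": suspicious_sts(after),
    }


if __name__ == "__main__":
    before, after = parse_report(SAMPLE_BEFORE), parse_report(SAMPLE_AFTER)
    print("suspicious before clean:", suspicious_sts(before))
    print(diff_reports(before, after))
```

Run against the two reports above, the diff shows the IntCodec folder and the "bestreak" SharedTaskScheduler entry as removed and nothing left flagged, which is the same conclusion David draws in the next reply. The same parser can be pointed at C:\rapport.txt from any later run.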

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:44 PM

Posted 19 August 2006 - 01:39 PM

Well the program has worked and removed the offending registry entry for you.
Let me know if you have any more problems.
David
