slcthomas
asked on
Infected with Rogue Anti-Spyware Product/Smitfraud via 'Rich Video Codec v1.6'
I am running Windows XP SP2, fully updated, with Trend Micro Internet Security 2008 and Mozilla Firefox. I downloaded and installed 'Video Codec v1.6' from a site because they claimed I needed it to look at the posters they advertise there. It turned out to be a malicious Smitfraud that installed itself to give me a zillion virus warnings and installed three links on my desktop (ErrorCleaner, Privacy Protector and Spyware/Malware Protection) which contain links to URLs and are undeletable. I did not go to any of the websites they link to.
From http://www.bleepingcomputer.com/forums/topic17258.html I got Smitfraudfix.exe and ran it in Safe Mode. Everything appeared to be fine BUT, some hours later, the desktop icons re-appeared out of nothing (I am connected to the www though) and the pop-up windows came on again. I followed the procedure at http://www.bleepingcomputer.com/uninstall/6833/Rich-Video-Codec-v1.6.html but it did not help.
This is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:26 PM, on 2007/11/20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\JulaPan.exe
C:\Program Files\GALTWARE\SCREEN CONTROL\screencontrol.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = dsl.cache.saix.net:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Screen Control.lnk = C:\Program Files\GALTWARE\SCREEN CONTROL\screencontrol.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: JulaPan.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193461141828
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - (no file)
O21 - SSODL: sapnet - {66BA9E5D-033B-4C46-A0F5-03EAED169C47} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {11A3A6B8-B392-438B-B95E-58DF9415AE9B} - C:\WINDOWS\rmvgor.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
--
End of file - 7338 bytes
In addition to the Trend Micro Internet Security Suite 2008, I use System Mechanic, RegVac, A1Click Ultra PcCleaner, Belarc Advisor and Process Explorer.
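As an added example for readers of this thread (it is not code from the original post, from HijackThis or from Trend Micro), the script below applies the triage a responder does by eye on a log like the one above: a hijacked R0 start page, an R1 proxy that must be confirmed, random-named DLLs dropped into the %WINDIR% root and loaded as O2 BHOs, an O3 toolbar or O21 ShellServiceObjectDelayLoad entries, and an unknown program in the All Users Startup folder. The sample lines are copied from the log in the question with the extraction damage repaired; the heuristics, the start-page allowlist and the severity labels are the editor's own assumptions, not a vendor rule set.

```python
"""Triage the persistence points in a HijackThis v2 log.

Added example for this thread; it is not code from the original post,
from HijackThis or from Trend Micro. The heuristics, the start-page
allowlist and the severity labels are the editor's own assumptions.
"""
import re
from collections import Counter

# "O2 - BHO: ..." -> section prefix and the rest of the line
_ITEM = re.compile(r"^(?P<sec>R[0-3]|O\d+)\s+-\s+(?P<body>.*)$")
# Any drive-letter path ending in .dll or .exe (spaces allowed, as in "Program Files")
_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
# A module sitting directly in the %WINDIR% root rather than System32 or Program Files
_WINROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)
# Short, all-lowercase, meaningless names like popnetmtq.dll or jokwmp.dll
_RANDOMISH = re.compile(r"^[a-z]{5,12}\.(?:dll|exe)$")

# Assumption: start pages a user would have set deliberately (extend as needed)
START_PAGE_ALLOW = ("about:blank", "http://www.google.", "http://www.microsoft.")

# Lines copied from the HijackThis log in the question above, with the
# extraction damage (spaces inside paths and GUIDs) repaired.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = dsl.cache.saix.net:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: JulaPan.exe
O21 - SSODL: sapnet - {66BA9E5D-033B-4C46-A0F5-03EAED169C47} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {11A3A6B8-B392-438B-B95E-58DF9415AE9B} - C:\WINDOWS\rmvgor.dll
"""


def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis item line."""
    items = []
    for line in text.splitlines():
        m = _ITEM.match(line.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def triage(text):
    """Return (severity, section, reason, body) tuples for entries worth a look.

    "high" marks entries that match what a rogue installer leaves behind;
    "review" marks entries that can be legitimate but must be confirmed.
    """
    findings = []
    for sec, body in parse_hjt(text):
        paths = _PATH.findall(body)
        if sec == "R0" and "Start Page" in body:
            url = body.split("=", 1)[-1].strip()
            if not url.startswith(START_PAGE_ALLOW):
                findings.append(("high", sec, "start page hijack", body))
        elif sec == "R1" and "ProxyServer" in body:
            # An ISP cache proxy is normal; a proxy the user did not set is interception
            findings.append(("review", sec, "proxy configured; confirm it is the ISP's", body))
        elif sec in ("O2", "O3", "O20", "O21"):
            dropped = [p for p in paths
                       if _WINROOT.match(p) and _RANDOMISH.match(p.rsplit("\\", 1)[-1])]
            if dropped:
                findings.append(("high", sec, "random-named module in %WINDIR% root", body))
            elif sec == "O21":
                # ShellServiceObjectDelayLoad DLLs load into explorer.exe at every logon
                findings.append(("review", sec, "SSODL entry; rarely legitimate", body))
        elif sec == "O4" and body.startswith("Global Startup:") and not paths:
            # Bare executable name in the All Users Startup folder, no vendor path
            target = body.split(":", 1)[1].strip()
            if target.lower().endswith(".exe"):
                findings.append(("review", sec, "unknown program in All Users Startup", body))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 5, 'review': 2}."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    for sev, sec, reason, body in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:3} {reason}: {body}")
```

The O21 entries are the ones to weight most heavily when a machine keeps re-infecting: a ShellServiceObjectDelayLoad DLL is loaded by explorer.exe at every logon, and a BHO is loaded whenever Internet Explorer (or Explorer) starts, so both survive a cleanup that only clears the Run keys. That is consistent with the desktop icons and pop-ups returning hours after the SmitfraudFix run. The R1 proxy is flagged for confirmation only; a transparent cache at the ISP is normal and the host name here belongs to the asker's provider.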
ASKER
Ok guys, I took advice from another site called PC Hell because there is someone who's got exactly the same problems and got rid of everything. I downloaded RogueRemover and followed the tips there.
http://www.pchell.com/support/ultimatedefender.shtml
After rebooting 3 times I did not see the entries in HijackThis any more and I am free from the stuff, for now.
I've got SDFix, too but did not use it until now. We've got quite a time difference between the US of A and South Africa, so I close everything down now and we'll see how it goes tomorrow morning.
Thanks for now
ASKER
That was it! PC is healthy again. SmitfraudFix & RogueRemover run in Safe Mode did the trick, together with the fix function of HijackThis. I used SAS as well, but it didn't do the whole job. Thanks for the quick response.
ASKER
The quarantined files are: rmv.exe, msmdev.dll and main_uninstaller.exe in the 'virus' section of TMISS, and adware agent in the spyware section. Could it be that the recurrence of the threat has got to do with System Restore still running? Must I shut it down? Set a restore point manually? Is it better to run SuperAntiSpyware in Safe Mode? Should I send you the log after the scan has finished?
(I reset the winsock, thanks)