Solved

Infected with Rogue Anti-Spyware Product/Smitfraud via 'Rich Video Codec v1.6'

Posted on 2007-11-20
2,586 Views
Last Modified: 2013-12-06
I am running Windows XP SP2, fully updated, with Trend Micro Internet Security 2008 and Mozilla Firefox. I downloaded and installed 'Video Codec v1.6' from a site because they claimed I needed it to look at the posters they advertise there. It turned out to be a malicious Smitfraud that installed itself to give me a zillion virus warnings and installed three links on my desktop (ErrorCleaner, Privacy Protector and Spyware/Malware Protection) which contain links to URLs and are undeletable. I did not go to any of the websites they link to.
From http://www.bleepingcomputer.com/forums/topic17258.html I got Smitfraudfix.exe and ran it in Safe Mode. Everything appeared to be fine, BUT some hours later the desktop icons reappeared out of nothing (I am connected to the www though) and the pop-up windows came on again. I followed the procedure at http://www.bleepingcomputer.com/uninstall/6833/Rich-Video-Codec-v1.6.html but it did not help.
This is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:26 PM, on 2007/11/20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\JulaPan.exe
C:\Program Files\GALTWARE\SCREEN CONTROL\screencontrol.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = dsl.cache.saix.net:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Screen Control.lnk = C:\Program Files\GALTWARE\SCREEN CONTROL\screencontrol.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: JulaPan.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193461141828
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - (no file)
O21 - SSODL: sapnet - {66BA9E5D-033B-4C46-A0F5-03EAED169C47} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {11A3A6B8-B392-438B-B95E-58DF9415AE9B} - C:\WINDOWS\rmvgor.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 7338 bytes

In addition to the Trend Micro Internet Security Suite 2008 I use System Mechanic, RegVac, A1Click Ultra PcCleaner, Belarc Advisor and Process Explorer.
Question by: slcthomas
8 Comments
LVL 20

Assisted Solution

by: IndiGenus
IndiGenus earned 50 total points
Hi,
Still looks very much like Smitfraud is present here. Although some of those random files are not in the changelog. That's interesting. I would recommend you remove your current version of Smitfraudfix and download a fresh one. Then follow the steps after to make sure it doesn't reappear.

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Also, when done running this tool it would be advised to clean up temp files, cookies, etc. and to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it I would recommend running the scan in Safe Mode.

Use ATFCleaner to clean up temp files, etc.
http://www.atribune.org/ccount/click.php?id=1

AVG AS link:
http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=asf
LVL 66

Accepted Solution

by: johnb6767
johnb6767 earned 75 total points
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - (no file) (do you recognize this one?)
O21 - SSODL: sapnet - {66BA9E5D-033B-4C46-A0F5-03EAED169C47} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {11A3A6B8-B392-438B-B95E-58DF9415AE9B} - C:\WINDOWS\rmvgor.dll

Those are the 4 nasty things I see....Virtumundo infections if I am not mistaken....

If Smitfraudfix above doesn't help, please do the following....

Install and update Super Anti Spyware and reboot to Safe Mode.

Then do a full scan, and see what it finds. Then you can even do an Online Virusscan for Housecall if you use Safe mode w/ networking.

SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection)

Housecall Online Free Virus Scanner
http://housecall.trendmicro.com
Great to do an online Scan in Safe Mode w/ networking
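The four entries johnb6767 calls out share a pattern that can be checked mechanically: browser and shell hooks (O2, O3, O21) loading a DLL straight out of the Windows root directory, and an O18 protocol handler whose file is gone. The script below is an added example, not part of this thread or of HijackThis: it parses HijackThis-style lines (a constructed subset of the log above) and flags entries matching those heuristics, which are my own assumptions rather than anything the thread states.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} - C:\WINDOWS\jokwmp.dll
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - (no file)
O21 - SSODL: sapnet - {66BA9E5D-033B-4C46-A0F5-03EAED169C47} - C:\WINDOWS\sapnet.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# CLSID-style HijackThis lines look like "<section> - <kind>: <name> - {CLSID} - <file>".
# Lines without a CLSID (O4, O23, ...) are deliberately skipped by this parser.
LINE_RE = re.compile(r"^(O\d+) - (\w+): (.+?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
# Heuristic (assumption): a DLL sitting directly in the Windows directory, not in
# system32 or Program Files, is where the thread's randomly named modules live.
WINROOT_DLL_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


def parse_entries(text):
    """Yield (section, kind, name, clsid, file) for each parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def flag_entries(text):
    """Return [(section, name, file, reason)] for entries a responder should review."""
    flagged = []
    for section, kind, name, clsid, file in parse_entries(text):
        reasons = []
        if section in ("O2", "O3", "O21") and WINROOT_DLL_RE.match(file):
            reasons.append("DLL loaded from the Windows root directory")
        if section == "O18" and file.lower() == "(no file)":
            reasons.append("protocol handler registered but file missing")
        if section == "O21":
            reasons.append("non-default ShellServiceObjectDelayLoad entry")
        if reasons:
            flagged.append((section, name, file, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for section, name, file, reason in flag_entries(SAMPLE_LOG):
        print(f"{section:4} {name!r:28} {file:32} -> {reason}")
```

Run against the sample it also flags the O3 toolbar jokwmp.dll, which nobody in the thread calls out but which fits the same pattern; the Adobe BHO and the ATI service are left alone.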
LVL 66

Assisted Solution

by: johnb6767
johnb6767 earned 75 total points
And start>run>cmd.exe

netsh winsock reset

will repair that protocol error from HJT....
Author Comment

by: slcthomas
Downloaded the latest version of Smitfraudfix.exe and did a scan exactly as you recommended. Everything seemed to be OK, even after rebooting. The Trend Micro Internet Security Suite started to put files into quarantine, telling me to wait until they offer a fix (troj_agent_yt). BUT this morning the links/icons were back on the desktop. Currently I am running Superantispyware and will notify you of the results.
The quarantined files are: rmv.exe, msmdev.dll and main_uninstaller.exe in the 'virus' section of TMISS and adware agent in the spyware section. Could it be that the recurrence of the threat has got to do with System Restore still running? Must I shut it down? Set a restore point manually? Is it better to run Superantispyware in Safe Mode? Should I send you the log after the scan has finished?
(I reset the winsock, thanks.)
LVL 66

Assisted Solution

by: johnb6767
johnb6767 earned 75 total points
Yes, update SAS, and run it in Safe Mode......

And you can also disable System Restore to clear out the files in it, and always re-enable it again once you're clean...

Also, in SAS, go to the Preferences button > Scanning (2nd tab I think) and check all the boxes there. Then go to Safe Mode, and do a Complete Scan....
LVL 20

Assisted Solution

by: IndiGenus
IndiGenus earned 50 total points
Wonder if there is a backdoor running here too? If the above doesn't work give SDFix a try, then run Smitfraudfix again.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com.
Author Comment

by: slcthomas
OK guys, I took advice from another site called PC Hell, because there is someone there who's got exactly the same problems and got rid of everything. I downloaded RogueRemover and followed the tips there.
http://www.pchell.com/support/ultimatedefender.shtml
After rebooting 3 times I did not see the entries in HijackThis any more and I am free from the stuff, for now.
I've got SDFix, too but did not use it until now. We've got quite a time difference between the US of A and South Africa, so I close everything down now and we'll see how it goes tomorrow morning.
Thanks for now
Author Comment

by: slcthomas
That was it! PC is healthy again. SmitfraudFix & RogueRemover run in Safe Mode did the trick, together with the fix-it function of HijackThis. I used SAS as well but it didn't do the whole job. Thanks for the quick response.