Problems with a virus

Discussion in 'Computer Science & Culture' started by MacGyver1968, Jul 29, 2008.

Thread Status:
Not open for further replies.
  1. MacGyver1968 Fixin' Shit that Ain't Broke Valued Senior Member

    Messages:
    7,028
    I currently have two machines right now (one of them is my boss's) that have the same type of infection. I have seen "Smitfraud" infections disable the task manager and regedit before...but this one has also removed the control panel and "run" command.

    I can run some programs, but when I try to run "Smitfraudfix" or "Combofix", which normally fixes all these things, the program won't run. I was able to get the task manager up in safe mode, and when I run these programs, they start, then go away.

    I have tried to do a "repair" installation of Windows, but that didn't fix anything. If I could just get SFF to run, everything would be ok.

    I'm running out of ideas...any suggestions?

    Thanks,

    Mac
     
  3. Idle Mind What the hell, man? Valued Senior Member

    Messages:
    1,709
    When Task Manager is open, do you have any odd processes running? Are you able to run HijackThis? If we can find a location of some files, we may be able to run a few very specialized tools to remove the pieces.

    What about msconfig startup? Clean?

    You've dumped the windows temps and prefetch, and all the other temp files?

    Are there any other symptoms? Pop-ups? Slow performance?
     
  5. cosmictraveler Be kind to yourself always. Valued Senior Member

    Messages:
    33,264
    Use:
    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt


    Clean:
    Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    Double-click SmitfraudFix.exe
    Select 2 and hit Enter to delete infected files.
    You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:
    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

    process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


    http://siri.urz.free.fr/Fix/SmitfraudFix.exe
     
  7. MacGyver1968 Fixin' Shit that Ain't Broke Valued Senior Member

    Messages:
    7,028
    I can't run SmitfraudFix...that's the problem. When I double click on the icon, something immediately kills it.

    I have checked all processes in the TM, and have disabled all startup items in msconfig, and in the registry. I checked the hosts file for hijacking.

    Dude...this machine is pop-up city. It's a smitfraud type of infection...it's full of fake virus scanners that constantly pop up new IE windows. You can barely navigate around the machine for all the crap opening up.

    I'm just curious if someone knows how they could prevent certain programs from running.
     
  8. Vkothii Banned Banned

    Messages:
    3,674
    Have you tried the freeware version of Spybot? Or a Linux live CD? There are various trojan removers etc. available either from the web or from CDs you get with computer mags.

    Booting Windows is (I believe) a generally traumatic thing to do (to a PC and your state of mind).
    You don't have to, to fix up the big mess!
    You have tried admin, or "non-multiuser" mode?
     
  9. Repo Man Valued Senior Member

    Messages:
    4,955
    Have you done a system restore? If you have not, and still can, restore to the earliest possible date, then turn system restore off (Smitfraud can hide there).
     
  10. Repo Man Valued Senior Member

    Messages:
    4,955
    No Run in the Start Menu? How about Task manager? Control alt delete, click File, New Task (Run...).
     
  11. MacGyver1968 Fixin' Shit that Ain't Broke Valued Senior Member

    Messages:
    7,028
    Yeah...no run or control panel in the start menu. Task manager, regedit, and all other admin functions disabled.

    If I can figure out how they are killing SFF on startup..my problems are solved.

    Could it be some sort of shell thing?
     
  12. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    If it's XP, what you could try attempting is this.

    Copy REGEDIT from a clean computer, place it into a ZIP file.

    Move it across to the infected machine and choose to "Open the Compressed folder" using the Right Mouse menu (That's instead of having say winzip open it)

    You should be able to run the copy of REGEDIT from within that folder which in turn can be used to attempt to get control of the system back.

    (This actually used to get around most of the Administration lockdowns [i.e. not allowing EXE execution without Admin authority, as the files in the folder used to be treated like they were already on the system.])
     
  13. MacGyver1968 Fixin' Shit that Ain't Broke Valued Senior Member

    Messages:
    7,028
    Thanks Stryder, I'll try that.
     
  14. MacGyver1968 Fixin' Shit that Ain't Broke Valued Senior Member

    Messages:
    7,028
    I was able to get regedit to work in safe mode. I did a search, and couldn't find where they were disabling Smitfraudfix or Combofix. So I tried a more low-tech solution and renamed "smitfraudfix.exe" to "fix.exe" and it worked! Program is running now, and should clear the rest of the crap out.

    Thanks for the help.
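    Worth recording alongside the rename trick: the lockdowns described in this thread (no Task Manager, no regedit, no Run, no Control Panel) are ordinary Explorer/System policy values, and a per-image-name block that stops "smitfraudfix.exe" but lets "fix.exe" run is exactly how an Image File Execution Options "Debugger" entry or a DisallowRun list behaves. The thread never identifies which mechanism this particular infection used, so treat that as a hypothesis to check, not a finding. The script below is an added example, not code from the thread or from SmitfraudFix: it parses a `.reg` export (`reg export HKCU hkcu.reg` from safe mode, or the hive copied out under a Linux live CD and exported on a clean box), reports every enabled lockdown, DisallowRun entry and IFEO Debugger value it finds, and writes a `.reg` that undoes them. The registry paths are the documented Windows policy locations; the sample export, the `fakeav\blocker.exe` path and all the file names are constructed for the example.

```python
"""Offline triage of a Windows registry export (.reg) for admin-tool lockdowns.

Added example, not from the thread. Parses 'Windows Registry Editor Version 5.00'
text, flags the policy values that hide Task Manager/regedit/Run/Control Panel,
DisallowRun lists and Image File Execution Options (IFEO) Debugger hijacks, and
emits a .reg that reverses them. All sample data below is constructed.
"""
import re

# Policy values that disable the tools the thread reports missing. Both the
# HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE copies are matched by key suffix.
LOCKDOWN_POLICIES = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     ["DisableTaskMgr", "DisableRegistryTools"]),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     ["NoRun", "NoControlPanel", "DisallowRun"]),
]
DISALLOWRUN_SUFFIX = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (in that order)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    dword values become ints, quoted strings are unescaped, anything else
    (hex:, expand strings, '@' defaults) is kept raw or skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith("dword:"):
                value = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                value = _unescape(data[1:-1])
            else:
                value = data
            keys[current][name] = value
    return keys


def find_lockdowns(keys):
    """Return (key, value_name, value) triples for every lockdown found."""
    findings = []
    for key, values in keys.items():
        lkey = key.lower()
        for suffix, names in LOCKDOWN_POLICIES:
            if lkey.endswith(suffix.lower()):
                for name in names:
                    if values.get(name) not in (None, 0):
                        findings.append((key, name, values[name]))
        if lkey.endswith(DISALLOWRUN_SUFFIX.lower()):
            # Each numbered string value is an image name Explorer refuses to start.
            for name, value in values.items():
                findings.append((key, name, value))
        if lkey.startswith(IFEO_PREFIX.lower() + "\\") and "Debugger" in values:
            # CreateProcess launches the "Debugger" instead of the image; a bogus
            # debugger silently kills the tool. Legitimate dev setups can set this
            # too, so review rather than delete blindly.
            findings.append((key, "Debugger", values["Debugger"]))
    return findings


def build_undo_reg(findings):
    """Emit .reg text that zeroes policy flags and deletes the other values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        for name in names:
            if name in ("DisableTaskMgr", "DisableRegistryTools", "NoRun", "NoControlPanel", "DisallowRun"):
                lines.append('"%s"=dword:00000000' % name)
            else:
                lines.append('"%s"=-' % name)  # "=-" deletes the value on import
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: a locked-down HKCU plus one IFEO hijack and one
# harmless IFEO key that must not be flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoControlPanel"=dword:00000001
"DisallowRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="smitfraudfix.exe"
"2"="combofix.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\combofix.exe]
"Debugger"="C:\\WINDOWS\\fakeav\\blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000000
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # reg.exe writes UTF-16LE with a BOM; fall back for hand-edited files.
        try:
            text = open(sys.argv[1], encoding="utf-16").read()
        except UnicodeError:
            text = open(sys.argv[1]).read()
    else:
        text = SAMPLE_EXPORT
    found = find_lockdowns(parse_reg(text))
    for key, name, value in found:
        print("%s  %s = %r" % (key, name, value))
    print(build_undo_reg(found))
```

    Import the generated `.reg` only after the resident process is dead (safe mode, or from the renamed tool as in the post above); a live fake-AV process will simply rewrite the keys. An IFEO key with a Debugger pointing at a file that does not exist, or at something under a user-writable directory, is the thing to look at first, since it reproduces the "starts, then goes away" symptom for one specific image name and nothing else.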
     
  15. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    No problem. It's things like this we need to create a serious wiki for, or a blog or something to mark it down as the way to deal with it.
     