
flashing virus alert in systray 3

Status
Not open for further replies.

wile666

IS-IT--Management
Jun 13, 2005
70
US
I have been trying to figure out what is causing this problem. It is a Compaq Evo N150 laptop running Windows 2000 SP4. The user brought it to me because a program called SpyFighter was saying he had w32.sinnaka on his system. After running McAfee, Spybot and Adaware and checking the registry for the entries that the worm is supposed to create, I have found nothing. He claims not to have installed SpyFighter, so I uninstalled it and removed it from the registry.
But there is an icon in the systray that looks like the Windows security icon (globe), and it is flashing red with a white X on it. A mouse-over shows "Virus Alert!". When I click it, it only shows a message that says "Your computer is infected. Dangerous infection dectectd on your pc. the system will now download and stinall most efficient antimalware program to prevent data loss and your private information. Click to protect your comuter from the biggest malware threats"
I can't find where this is loading from. It shows up even in safe mode.
I updated the virus software to the latest DAT and it still is not finding any virus.
I need help.
 
Download HijackThis from the link below. Please do this. Click here:

to download HijackThis. Click Scan and save a logfile, then post it here so we can take a look at it for you. Don't click Fix on anything in HijackThis, as most of the files are legitimate.

* Click here to download smitRem.zip.
* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download Cleanup from here.
* A window will open; choose SAVE, then DESKTOP as the destination.
* On your desktop, click on the Cleanup40.exe icon.
* Then click RUN and place a checkmark beside "I Agree".
* Then click NEXT, followed by START and OK.
* A window will appear with many choices; keep all the defaults as set when the slide bar to the left is set to Standard Quality.
* Click OK.
* DO NOT RUN IT YET.

* Download the trial version of Ewido Security Suite.
* Install Ewido.
* During the installation, under "Additional Options", uncheck "Install background guard" and "Install scan via context menu".
* Launch Ewido.
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen, click Update.
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:
* Click on Scanner.
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files; click OK.
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop.

* Run Cleanup:
* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.

* Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply, then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab, then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK, then Apply and OK.

* Restart back into Windows normally now.

Run an online antivirus check from

* Run ActiveScan online virus scan here.

When the scan is finished, anything that it cannot clean, have it delete. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post another HijackThis log, the Ewido and ActiveScan logs, and the contents of smitfiles.txt from the smitRem folder.

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
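The last two steps of the procedure above (Reset Web Settings, then deleting the "Security info" web item under Display > Desktop > Customize Desktop > Web) deal with the fake-alert desktop itself. Active Desktop web items are stored per user under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components, one numbered subkey per item, with its FriendlyName and Source values. As an added example (not from the thread and not part of smitRem, Ewido or any other tool named here), this Python script parses a regedit export of that key and lists every item other than the built-in home-page entry, so the same check can be done from an export rather than by clicking through the dialog. The export text is constructed: only the key path is the real Active Desktop location; the item names and Source values are illustrative.

```python
import re

# Constructed sample of a regedit export of the Active Desktop components key.
# The key path is the standard per-user Active Desktop location; the two items,
# their names and their Source values are illustrative, not taken from the thread.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/WINNT/constructed-example.html"
"SubscribedURL"="file:///C:/WINNT/constructed-example.html"
"FriendlyName"="Security info"
"Flags"=dword:00002000
"""

COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def unquote(raw):
    """Turn a .reg string literal ("...") into plain text; dword:/hex: values stay as-is."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name: value}}.

    Handles the subset used here: [key] headers and "name"=value lines.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, raw = value_match.groups()
            keys[current][name] = unquote(raw)
    return keys


def active_desktop_components(reg_text):
    """Return [(subkey, FriendlyName, Source)] for each Active Desktop web item."""
    items = []
    prefix = COMPONENTS_KEY + "\\"
    for path, values in parse_reg_export(reg_text).items():
        if path.startswith(prefix):
            items.append((path[len(prefix):],
                          values.get("FriendlyName", ""),
                          values.get("Source", "")))
    return items


# A stock Active Desktop normally carries only the home-page entry.
BUILT_IN_SOURCES = {"about:home"}


def review_components(reg_text):
    """Flag every web item that is not the built-in home-page entry.

    Each flagged item deserves a look; a Source pointing at a local HTML file
    or an unfamiliar URL is the kind of entry the "Security info" step removes.
    """
    flagged = []
    for subkey, name, source in active_desktop_components(reg_text):
        if source.lower() in BUILT_IN_SOURCES:
            continue
        flagged.append({
            "subkey": subkey,
            "name": name,
            "source": source,
            "local_file": source.lower().startswith("file:"),
        })
    return flagged


if __name__ == "__main__":
    for item in review_components(SAMPLE_REG_EXPORT):
        print(f"Components\\{item['subkey']}: {item['name']!r} -> {item['source']}")
```

To run it against a real machine, export the key with `regedit /e components.reg "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"` while logged on as the affected user (the key is per-user, so an export taken under another account shows that account's desktop, not the infected one) and pass the file's text to `review_components`.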
 
Now I am not able to connect to the internet on that computer, I can't run any updates on programs. I will try what you all have suggested.
Thanks.
 
You should also download MS AntiSpyware from and get the updates here:

Put this all on a memory stick or CD (the program and its updates) and then go to the PC in trouble, install the program, and then copy the gcd files into the Program Files\Microsoft Antispyware directory and overwrite the existing ones for the newest definitions. Run a full system scan.

Still, once the machine can get to the net... and I would assume it will once you hit it with AntiSpyware, then do the Spysweeper.

Hope this helps,

Erik
 
Every time I think it's getting better, it gets worse. I couldn't get Windows Explorer to work, so I booted in Safe Mode. The good news is the annoying flashing icon is gone. The Microsoft AntiSpyware would not install in safe mode, so I ran the RunThis.bat and Cleanup. I rebooted and now my desktop locks up. I can access items in the systray, but can't click any desktop icons or access the Start menu. I have to Ctrl+Alt+Del to reboot.
 
Run smitRem in normal mode if it won't run in safe mode; you might have a new variant of smitfraud!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Also, post a hijack this log so we can see what's going on in your computer!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
I did run the smitRem in safe mode. Then I ran Cleanup and rebooted. It was after the reboot that I was unable to access any desktop icons or run anything that seems to be associated with explorer.exe.
Right now I can't do anything except in safe mode. I ran Spybot, but I will try downloading the updates to a CD because I don't know when it was updated last. I will also try Spysweeper.
Thanks
 
Can you post a HijackThis log? Maybe if this persists, restore your PC back to before you ran the fixes I and others posted and post a HijackThis log from there so we can see what you may or may not have.

What OS do you have, XP?

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
You may try safe mode with networking to see if you can download the updates as well.

And, yes, try the system restore if that applies.
 
The only problem with HijackThis is that I can only run it in safe mode. Unfortunately it's 2000, not XP, or I would have given up long ago. I'm almost ready to scratch it all and reinstall 2000.
 
Did you try getting Spybot or Adaware downloads on CD, with defs on CD, that you can run in safe mode?

I will bet those two combined will get at least so you can fight it in regular mode.

Erik
 
Thanks. After updating Spybot, it found Windows Active Desktop and WinFixer. I thought I had already gotten rid of the WinFixer, but these things have a way of hiding. Adaware didn't find anything. I'm going to run VirusScan one more time, then reboot. Wish me luck.
 
If you have WinFixer/Vundo, do this.

Please download to your desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files; click YES.
· Once you click Yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shut down your computer; click OK.
· Turn your computer back on.

· Please post the contents of C:\vundofix.txt and a new HijackThis log.

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Thank you everyone. I am still trying to get to the root of the problem. McAfee VirusScan found no problems. I rebooted and still had the same problem with the desktop when I logged in: no response to icons. The only way to access programs is through Task Manager, and even then I can't browse. I logged off and logged back on as the user for the computer itself, not the domain. Everything seems to work. So it appears that whatever is on it is loading with the domain user profile. I am running Spysweeper now, but I can't download the latest updates, because I don't want to connect the laptop to my network to access the internet yet. I'll try to see if I can copy the HijackThis log so I can post it, but logged in now, I'm not seeing anything unusual in it.
 
Here's the Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:41:01 AM, on 2/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\hphmon04.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\program files\mcafee.com\shared\mcinfo.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [msci] C:\program files\mcafee.com\shared\mcinfo.exe /insfin
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O9 - Extra button: AbsolutePoker NET - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker NET - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\AbsolutePoker NET\AbsolutePoker NET.lnk
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C10B7A5-D54F-40D7-8D48-24DF75310186}: NameServer = 63.203.35.55,206.13.28.12
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
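The post before this log explains that the lock-up follows the domain user's profile and goes away under a local account, which points at per-user autostart locations (HKCU Run keys and the user's own Startup folder) rather than machine-wide ones; the log above, taken under the working account, shows only HKLM and Startup-folder entries. As an added example (not from the thread and not part of HijackThis), this Python script does a first-pass triage of a HijackThis log: it splits O4 entries by scope (all users vs. current user), lists entries marked "(file missing)", checks the O17 NameServer addresses against the DNS servers the operator expects, and lists O20 Winlogon Notify DLLs for review. The sample log reuses lines from the log above plus one constructed HKCU line with a placeholder path; `expected_dns` is an assumption the operator supplies, and the script flags, it does not judge.

```python
import re
from collections import defaultdict

# Sample log: lines taken from the HijackThis log posted in this thread, plus
# one constructed O4 HKCU line (placeholder name and path) so that a per-user
# autostart entry is present alongside the machine-wide ones.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [constructed-example] C:\Documents and Settings\EXAMPLEUSER\constructed-example.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C10B7A5-D54F-40D7-8D48-24DF75310186}: NameServer = 63.203.35.55,206.13.28.12
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
"""

# Every HijackThis finding is "Onn - <body>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.*)$")


def parse_hjt(text):
    """Return [(section, body)] for each O-line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def autostart_scope(body):
    """Classify an O4 entry: machine-wide (HKLM, all-users Startup folder) or per-user."""
    if body.startswith("HKLM") or body.startswith("Global Startup"):
        return "all-users"
    if body.startswith("HKCU") or body.startswith("Startup"):
        return "current-user"
    return "unknown"


def triage(text, expected_dns):
    """First-pass triage of a HijackThis log.

    expected_dns: the set of DNS server addresses this machine should be using
    (operator-supplied assumption); any O17 address outside it is reported.
    """
    report = {
        "missing_files": [],              # entries HijackThis marked "(file missing)"
        "autostarts": defaultdict(list),  # O4 entries grouped by scope
        "unexpected_dns": [],             # O17 NameServer addresses not in expected_dns
        "winlogon_notify": [],            # O20 DLLs loaded by winlogon, listed for review
    }
    for section, body in parse_hjt(text):
        if "(file missing)" in body:
            report["missing_files"].append(f"{section} - {body}")
        if section == "O4":
            report["autostarts"][autostart_scope(body)].append(body)
        elif section == "O17":
            match = NAMESERVER_RE.search(body)
            if match:
                for address in match.group(1).split(","):
                    address = address.strip()
                    if address and address not in expected_dns:
                        report["unexpected_dns"].append(address)
        elif section == "O20":
            report["winlogon_notify"].append(body)
    return report


if __name__ == "__main__":
    # Placeholder: replace with the DNS servers your own network hands out.
    result = triage(SAMPLE_LOG, expected_dns={"192.0.2.53"})
    for scope, entries in result["autostarts"].items():
        print(f"[{scope}]")
        for entry in entries:
            print("   ", entry)
    print("missing files:", result["missing_files"])
    print("unexpected DNS:", result["unexpected_dns"])
    print("winlogon notify:", result["winlogon_notify"])
```

Run it with a log captured under the affected domain profile as well as one from the local account and compare the "current-user" group between the two; entries present only in the domain profile's log are the ones to look at first. The O17 check is a consistency check, not a verdict: the addresses in the posted log may well be the ISP's own resolvers, so the operator has to supply the set that is correct for that network.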
 