Virus or Trojan?

Discussion in 'ESET NOD32 Antivirus' started by beachfireman, Jun 5, 2008.

Thread Status:
Not open for further replies.
  1. beachfireman

    beachfireman Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    3
    I am not a person to just jump in and start a new thread. I usually do a lot of reading and find my answers before asking for help. But I can't find an answer and I NEED HELP!

    Background:

    I know quite a bit about computers. So usual terminology I do understand. I am careful about what I download but somehow this one got past me.

    Problem:

    I was opening what I thought was an mp3 and when I went to open the file a command box opened then closed. I knew right away something was bad but NOD did not say anything at all. Within seconds everything slowed down A LOT. Then IE windows started popping up for various spyware products saying "is your system running slower than usual? Download our spyware program, etc". My MS warning window in the tray popped up saying my automatic updates was turned off and when I click to turn it back on I get an IE popup that says download our spyware software. If I go into control panel and click system, the auto updates is still on. I tried to install spyware doctor and AVAST (I read online that AVAST has fixed this problem where NOD could not) and nothing can be written to the registry. I go into regedit and click on permissions and all the boxes are greyed out and there is a user called "restrcited" in there which I have never seen before. My system is so slow it is down to almost nothing. When I work on trying to fix things something keeps trying to open an IE window and connect to something (I already disconnected the computer from the internet) and it gives me the usual work online / try again message. It also disabled my system restore and when I try to re-enable it, it gives me an error and won't turn on.

    Fixes:

    I downloaded AVAST scanner to a flash drive and let that run 5 hours to the end and it found nothing. NOD32 said it found 2 files that were viruses but my choice was limited to "leave it". Remove and quarantine were both greyed out. Adaware found 2 files that it removed but no luck. I tried to install other programs and I was told that I didn't have permission to install the files. See registry permissions above. I immediately disconnected this computer from the internet and all network connections when I saw the slow down within minutes.

    I have the IP address of the page it is trying to connect to and the web site name of a few of the programs this thing is trying to sell. They are at my office though. Of all the searches I have done, I only found a post that AVAST will get rid of this but that didn't happen.

    I don't feel it is a major security issue but more like a ploy for me to buy some anti-spyware stuff to fix this problem.

    Any help would be great! I don't think NOD is weak but how did this get through without ANY signs? By the way, the free version of AVG didn't let it go through. FREE? I paid for NOD. So it caught it afterward, but way too late!

    Also, if I put the XP CD in and try a fix, will it fix the registry?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,722
    Location:
    Texas
  3. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Hello,
    That sounds like something such as SmitFraud...
    http://en.wikipedia.org/wiki/Spyware_Quake

    I can't understand that practically no Antivirus can get rid of that kind of pest !!!!

    Regards
     
  4. CMoonwolf

    CMoonwolf Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    10
    This is almost exactly what mine did, and Windows called it a TrojanDownloader.xs. I am also trying to fix mine, and just sent a log to NOD to see if they have an answer. Keep me posted if you find a fix, and I will for you too.
     
  5. CMoonwolf

    CMoonwolf Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    10
    Whoo hoo! With this link, I found http://siri.urz.free.fr/Fix/SmitfraudFix_En.php, downloaded Smitfraudfix.exe, followed the instructions, and it FIXED my computer! I suggest you try it too, because it is exactly what you need.

    C
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The best course of action is to submit any suspicious files along with a log from ESET SysInspector and this thread's URL enclosed to samples[at]eset.com so that you as well as other users can be protected against it in the future.
     
  7. CMoonwolf

    CMoonwolf Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    10
    I did and still have not heard from anyone. Why doesn't anyone at least acknowledge my emails? I even sent you a PM.

    There is still some adware I can't quite get rid of. NOD is blocking the majority, and the computer is usable now, but every now and then an annoying IE pops up trying to access websites.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I haven't checked the email until now as I've been without Internet for the last 3 days. Currently I'm far away from the office and home, but will do my best to respond to you as soon as possible.
     
  9. CMoonwolf

    CMoonwolf Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    10
    Ok, I may send another one, since I've managed to delete the majority of them since I ran the scan.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Ok, feel free to send a new one. I'll check it tomorrow when I arrive home from our partner's conference in Prague ;)
     
  11. beachfireman

    beachfireman Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    3
    Ok, here is where I am at. Demonoid gave me a link to combofix.exe and it made it possible to write to the registry so I could install software people have mentioned. I ran spyware doctor in safe mode and it got rid of almost all of it. A few more scans in regular mode and it seems to be gone. Computer is acting fine and is back up to speed.

    Only problem is that now I can't use google. I can get to the main page but once I enter something to search for it just starts running (hourglass) and then after a minute it times out and I get cannot display this webpage. I also get this on Yahoo and every other website that uses the same language to search for things.

    I looked into my hosts file and it was loaded with tons of stuff. I backed that up and created a new one with basic stuff just like on all our other computers. Reboot and no luck.

    There has to be something that is blocking some sort of scripting or whatever.

    Any ideas?

    PS I have tried FireFox and Opera and all the same results so I doubt it is a browser thing. Other computers on the same network are normal.

    Oh, and the reason I haven't responded until now was that I forgot to subscribe to this and I couldn't find the post until today.
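    The post above mentions a hosts file "loaded with tons of stuff" and search engines that no longer load. The following script is an added example, not code from this thread or from ESET: it parses a hosts file and flags the two patterns that matter here, a well-known domain mapped to a remote address (search hijacking) and a security vendor's domain mapped to loopback (update blocking). The sample hosts content, the domain lists and the 203.0.113.10 address are constructed for the example; the domain lists are an assumption to be adapted to the environment.

```python
"""Check a Windows hosts file for the tampering described in the thread.

Added example, not code from the thread or from ESET. The sample hosts text,
the domain sets and the 203.0.113.10 address are constructed for illustration.
"""
import ipaddress

# Domains that should normally be resolved via DNS, never pinned in hosts.
# Constructed list (assumption); extend it for your own environment.
WATCHED_DOMAINS = {
    "www.google.com", "google.com", "search.yahoo.com", "mail.yahoo.com",
}
# Security vendor domains; pinning these to loopback blocks definition updates.
# Constructed list (assumption).
VENDOR_DOMAINS = {
    "www.eset.com", "update.eset.com", "www.avast.com",
    "windowsupdate.microsoft.com",
}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample resembling a tampered hosts file (203.0.113.10 is a
# documentation-range address standing in for the attacker's server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com
203.0.113.10    search.yahoo.com
127.0.0.1       update.eset.com www.avast.com   # block updates
127.0.0.1       ad.doubleclick.net
"""


def parse_hosts(text):
    """Return (lineno, ip, [hostnames]) for each valid, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; not a hosts entry
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_suspicious(entries):
    """Return (lineno, host, ip, reason) for every entry that matches a
    hijack or update-blocking pattern; benign ad-blocking entries pass."""
    findings = []
    for lineno, ip, hosts in entries:
        for host in hosts:
            if host in WATCHED_DOMAINS and ip not in LOOPBACK:
                findings.append((lineno, host, ip,
                                 "search engine redirected to remote IP"))
            elif host in WATCHED_DOMAINS and ip in LOOPBACK:
                findings.append((lineno, host, ip, "search engine blackholed"))
            elif host in VENDOR_DOMAINS and ip in LOOPBACK:
                findings.append((lineno, host, ip,
                                 "security vendor blocked via loopback"))
    return findings


def summarize(text=SAMPLE_HOSTS):
    """Parse and check hosts-file text in one call."""
    return find_suspicious(parse_hosts(text))


if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead.
    for lineno, host, ip, reason in summarize():
        print(f"line {lineno}: {host} -> {ip}: {reason}")
```

    Run against the constructed sample it reports five findings (two google hosts and one yahoo host redirected, two vendor hosts blackholed) and ignores the `ad.doubleclick.net` line, which is the kind of entry a legitimate ad-blocking hosts file contains. Restoring a clean hosts file, as the poster did, removes these entries but not whatever process rewrote them, which is why the hang persisted after the reboot.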
     
  12. beachfireman

    beachfireman Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    3
    UPDATE:

    I can browse just fine in safe mode with networking. Something is still in there.

    Here are some keywords:

    google just hangs there and won't display results.
    hourglass hangs there while waiting for google results.
    after login to yahoo mail it stops and goes to a blank screen.
    can't search using google.

    thanks
     
  13. CMoonwolf

    CMoonwolf Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    10
    Ok, sent a new one, and am running another one today. I ran eset in safe mode yesterday, and left... I haven't looked at that log, not sure how to yet, and will send that.

    Also, one file, portsv.exe, that I couldn't seem to delete with scans or manually, I finally went into safe mode DOS, found that file, and manually deleted it. I don't know if that has anything to do with finally being able to get rid of it or not, but it's finally gone. You will find that file in some of my earlier SysInspector logs as a high risk, and it was originally created the day and time I know was the attack. It happened 6/3 at about 10:30pm + (can't remember exactly what time) and has been on there since beginning all scans and quarantines. Nothing could seem to delete it. I just now deleted it out of my prefetch folder.
     
  14. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Hi,
    Yes thanks... I'm not currently infected by Smitfraud (no infection on my PC in fact, just a few friends of mine)... I know this tool (and navilog is efficient too)... But my question is why no (or very few) antivirus can detect that pest before it enters the PC o_O? There are a lot of posts about that kind of spyware (more a trojan than a spyware, to my mind) !

    Regards
     