System integrity scan wizard virus

By rldhao
Apr 5, 2008
Topic Status:
Not open for further replies.
  1. Hello,

    I appear to be infected with a fake virus alert program that continually informs me that I have a virus on my machine.

    It appears as a yellow triangle with a black exclamation point in the system tray. I have Mcafee and Super Antispyware installed and still have not had success in disabling this fiendish program.

    I would appreciate any insight any members have on removing this unwanted program from my system.

    I have downloaded and run the Hijack this program. I am attaching the logfile to this post.

    Thank you all in advance for any time and consideration that you might spend in trying to solve my issue.
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Remove these two files:
    C:\Documents and Settings\All Users\Application Data\shydcrut\orgpurif.exe
    C:\WINDOWS\system32\ybkxenyv.exe

    Download Smitfraud Fix
    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    Clean:

    Reboot your computer in Safe Mode
    (before the Windows icon appears, tap the F8 key continually)

    Double-click SmitfraudFix.exe

    Select 2 and hit Enter to delete infected files.

    You will be prompted: Do you want to clean the registry ? answer Y (yes)
    and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if you are infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:

    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
    ----------------------------------------------------

    Additional Steps:

    (Start -Run)
    sc stop Messenger
    sc config Messenger start= disabled

    Restart

    Then continue to Viruses/Spyware/Malware, preliminary removal instructions
  3. kritius

    kritius TechSpot Guru Posts: 2,087

    This is the same problem we've been seeing all week, removing them like that doesn't seem to work, I would just proceed with the prelim removal instructions, smitfraudfix is there.

    Also,

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  4. rldhao

    rldhao Newcomer, in training Topic Starter

    Kimsland,

    Thank you so much for your fast response to my problem. I have performed the steps mentioned in your reply and seem to have successfully remediated my system.

    The icon is not present in the system tray. The problem appeared centered around the ybkxenyv.exe application in the windows\system32 directory.

    I also deleted the orgpurif.exe file in the hidden application data directory.

    I am unsure as to what the optional trusted and restricted site zone option in Smitfraudfix.cmd does. Any additional insight would be appreciated.
  5. kritius

    kritius TechSpot Guru Posts: 2,087

    Post the logs from the prelim removal, this virus keeps on regenerating and changing its file names etc.
  6. rldhao

    rldhao Newcomer, in training Topic Starter

    Kritius;

    Thank you so much for responding to my issue. It is good to see that computer users all around the world are willing to assist those of us affected with computer problems we are unable to personally resolve.

    I appreciate your willingness to help and will keep the MalwareBytes software in my toolbox if the need further arises.

    Thanks again from your new friend in Delaware, Ohio USA.
  7. kritius

    kritius TechSpot Guru Posts: 2,087

    At least post a HijackThis log to see if you are clean.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    rldhao if you're happy, then we're happy
  9. rldhao

    rldhao Newcomer, in training Topic Starter

    Kritius,

    As you requested, here is a copy of the newest hijack log. Thanks again.
  10. kritius

    kritius TechSpot Guru Posts: 2,087

    They're back.. unless this is an old log?

    C:\Documents and Settings\All Users\Application Data\shydcrut\orgpurif.exe

    Download and Run ComboFix
    • Download this file from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  11. rldhao

    rldhao Newcomer, in training Topic Starter

    Kritius,

    Here are the results of the ComboFix log and I also created a new HijackThis log. Thanks again for all of your assistance.
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O21 - SSODL: SrvWin - {8e4c5947-f87b-4d56-9572-e4067b539db9} - (no file)
    O21 - SSODL: KernelBoot - {adcf39fc-e0ba-44cb-8969-251e0e77630d} - (no file)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\RLD-ybkxenyv.rld
      C:\WINDOWS\system32\ybkxenyv.exe
      C:\Documents and Settings\All Users\Application Data\shydcrut\orgpurif.exe
      
      Folder::
      C:\Documents and Settings\All Users\Application Data\shydcrut
      
      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
      "qzyLjZWkkL"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    ATF Cleaner

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.
      If you use Firefox:

      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
      If you use Opera:

      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program

    Manually clear cache
    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
    • If desired, reset the folder options you changed in step 1.

    Rename HijackThis.exe to rldhao.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to rldhao.exe
    • Run HijackThis again and select scan now and save a log
    • Attach the new log back here
  13. rldhao

    rldhao Newcomer, in training Topic Starter

    Hello again,

    I've followed the instructions in your email. Here are the two log files. It feels redundant, but thanks again!
  14. kritius

    kritius TechSpot Guru Posts: 2,087

    There's still a few stubborn ones, so one more time, I know it seems like a lot of work but you really don't want this on your computer.

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\ybkxenyv.exe
      
      Folder::
      C:\Program Files\PC-Cleaner
      
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "lkhwzfbc"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    This bit may not be needed but we need to be sure,

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below (if still present)
    O4 - HKCU\..\Run: [lkhwzfbc] C:\WINDOWS\system32\ybkxenyv.exe

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Delete Files on Reboot
    • Start Hijackthis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the button labeled Delete a file on reboot...
      A new window will open asking you to select the file that you would like to delete on reboot.
    • Navigate to each file and click on it once, and then click on the Open button.
      C:\WINDOWS\system32\ybkxenyv.exe
    • You will now be asked if you would like to reboot your computer to delete the file.
    • Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.
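    The two CFScript blocks in this thread (posts 12 and 14) are built by hand from the HijackThis entries kritius flagged: an O4 Run-key entry becomes a File:: path plus a Registry:: value deletion, and an orphaned O21 SSODL entry becomes a Registry:: value deletion. The script below, which is an added example and not part of the thread or of HijackThis/ComboFix, shows that mapping as code. It parses HijackThis-style O4 and O21 lines, flags those that point at a known-bad path or at "(no file)", and renders the result in the File:: / Folder:: / Registry:: layout used above. Assumptions: the ShellServiceObjectDelayLoad key path for O21 entries is taken from HijackThis' definition of that entry type, not from this page; the sample log is constructed (the two indicators are from this thread, the Java and ExampleShellObj lines are made up as benign contrast).

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Registry keys behind the HijackThis entry types seen in this thread.
# The Run-key paths are the ones the thread's CFScript uses; the SSODL key path
# is an assumption taken from HijackThis' definition of an O21 entry.
RUN_KEYS = {
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# "O4 - HKCU\..\Run: [valuename] C:\path\to\file.exe"
O4_RE = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?)\s*$")
# "O21 - SSODL: valuename - {CLSID} - C:\path\to\file.dll"   (or "(no file)")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+?)\s*$")


@dataclass
class Finding:
    line: str                                       # the HijackThis line that was flagged
    reason: str                                     # why it was flagged
    files: list = field(default_factory=list)       # file paths to delete
    reg_values: list = field(default_factory=list)  # (registry key, value name) to delete


def triage(log_lines, known_bad_paths):
    """Flag O4/O21 lines that load a known-bad file or point at a file that no longer exists."""
    bad = {p.lower() for p in known_bad_paths}
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if m["path"].lower() in bad:
                findings.append(Finding(line, "Run-key autostart points at a known-bad file",
                                        files=[m["path"]],
                                        reg_values=[(RUN_KEYS[m["hive"]], m["name"])]))
            continue
        m = O21_RE.match(line)
        if m:
            if m["file"] == "(no file)":
                findings.append(Finding(line, "SSODL entry whose target file is missing (orphaned)",
                                        reg_values=[(SSODL_KEY, m["name"])]))
            elif m["file"].lower() in bad:
                findings.append(Finding(line, "SSODL entry loads a known-bad file",
                                        files=[m["file"]],
                                        reg_values=[(SSODL_KEY, m["name"])]))
    return findings


def build_cfscript(findings, folders=()):
    """Render findings in the File:: / Folder:: / Registry:: layout used in the thread."""
    files, by_key = [], OrderedDict()
    for f in findings:
        for p in f.files:
            if p not in files:
                files.append(p)
        for key, name in f.reg_values:
            by_key.setdefault(key, []).append(name)
    out = []
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders, ""]
    if by_key:
        out.append("Registry::")
        for key, names in by_key.items():
            out.append(f"[{key}]")
            out += [f'"{n}"=-' for n in names]   # "name"=- deletes the value, as in the thread
    return "\n".join(out).rstrip("\n") + "\n"


# Constructed sample log: the two indicators from this thread plus two made-up
# benign entries so the filter has something to leave alone.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [lkhwzfbc] C:\WINDOWS\system32\ybkxenyv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O21 - SSODL: SrvWin - {8e4c5947-f87b-4d56-9572-e4067b539db9} - (no file)
O21 - SSODL: KernelBoot - {adcf39fc-e0ba-44cb-8969-251e0e77630d} - (no file)
O21 - SSODL: ExampleShellObj - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example.dll
""".strip().splitlines()

# Paths named as malicious earlier in this thread.
KNOWN_BAD = {
    r"C:\WINDOWS\system32\ybkxenyv.exe",
    r"C:\Documents and Settings\All Users\Application Data\shydcrut\orgpurif.exe",
}

if __name__ == "__main__":
    found = triage(SAMPLE_LOG, KNOWN_BAD)
    for f in found:
        print(f"FLAG: {f.line}\n      {f.reason}")
    print()
    print(build_cfscript(found, folders=[r"C:\Documents and Settings\All Users\Application Data\shydcrut"]))
```

    Running it prints the three flagged lines and a script whose Registry:: section carries the same `"lkhwzfbc"=-` deletion as post 14; the benign Java and ExampleShellObj entries are untouched. Matching on an explicit known-bad list rather than on "random-looking" names keeps the output reviewable: every line it proposes to delete can be traced back to an indicator someone actually identified.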
  15. rldhao

    rldhao Newcomer, in training Topic Starter

    ComboFix Script

    Hi Kritius,

    I've completed the ComboFix script and rerun HijackThis. I didn't see the ybkxenyv.exe listed in the log file.

    I am attaching both log files. Thanks.
  16. kritius

    kritius TechSpot Guru Posts: 2,087

    Looks good,

    P2P Warning!

    • IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

      Limewire

      Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
      Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

      I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

      References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
      http://www.techweb.com/wire/160500554
      http://www.internetworldstats.com/articles/art053.htm
      See Clean/Infected P2P Programs here

      I would recommend that you uninstall LimeWire, Shareaza, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

      If you wish to keep it, please do not use it until your computer is cleaned.

    Just one more scan to do to see if we got everything,

    I would like you to do an online scan so that we can see what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [screenshot]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [screenshot]
    • Include the report in your next post.