# System Alert!! Fake! Re: anti-vermins.com



## J_D (Jan 6, 2007)

Hi

Today my brother managed to get his computer infected. He was on the net when he was asked to install a Active X control which he unwisely did and since then his homepage was changed and was presented with numerous adds etc but also his System tray now showed a new icon which is there all the time flashing and tells him about system detected virus activity etc. the balloon info and icon are supposed to look like a Windows security centre notification, but when you click on the balloon info speech bubble you are sent to a website (www.anti-vermins.com) and are invited to download their antivirus protection, which he thankfully has not done, because on Further research this would have made his system very open to hackers etc.

Anyway I’ve spent quite a bit of time on it because it was in a bad way.

I firstly I ran his antivirus, Norton internet security scan which showed up nothing, but then my brother decided to tell me its been out of date since last June so no wonder it didn't pick anything up!!.

Because I am pretty anti Norton, I decided to get rid of his ageing 2005 version and replaced it with Kaspersky

On a full system scan with an up-to-date kaspersky antivirus, I found 47 items, here is a copy of these items: which I have deleted

Protection
----------
Total scanned:	72483
Detected:	47
Untreated:	0
Start time:	06/01/2007 19:46:51
Duration:	00:50:07


Detected
--------
Status	Object
------	------
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\Program Files\Video ActiveX Object\isamini.exe
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\Program Files\Video ActiveX Object\isamonitor.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\Program Files\Video ActiveX Object\pmsngr.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\Program Files\Video ActiveX Object\pmmon.exe//PE_Patch//UPack
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\PROGRAM FILES\VIDEO ACTIVEX OBJECT\ISADDON.DLL//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	Running module: isamonitor.exe\isamonitor.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	Running module: isamini.exe\isamini.exe
not found: Trojan program Trojan-Downloader.Win32.Zlob.awu	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019751.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.atn	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0007
deleted: Trojan program Trojan-Downloader.Win32.Zlob.awu	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0008
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022453.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022454.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022455.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjb	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022464.exe//PE_Patch.UPX//UPX//stream//data0006
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022479.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022480.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022481.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022495.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022496.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022497.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022510.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022511.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022512.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bdi	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022520.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022527.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022528.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022529.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022546.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022547.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022548.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022570.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022571.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022572.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022586.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022587.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022588.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022995.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022996.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022997.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023095.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023096.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023097.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023106.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023107.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc	File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023108.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.ask	File: C:\Documents and Settings\Ray\My Documents\Download Files\keycodec.912.exe//UPX//data0007
deleted: adware not-a-virus:AdWare.Win32.Comet.ac	File: C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll

After I had cleared these up I did a reboot. Everything seemed fine apart from the System tray notification thing.

I have had a look at msconfig startup files, I found nothing suspicious

I have used "BT yahoo Antispy" (it was on the system already so I might as well give it a go
That found the following:





I am currently scanning with Windows Defender. This has detected Zlob.

So far everything is back normal apart from the system tray notification icon see image:





I really don’t know how to get rid of that could anyone please help 
Cheers

Additional info about problem that I have found:
http://www.daniweb.com/techtalkforums/thread66091.html


----------



## Buzz1927 (Jan 6, 2007)

Let's have a look at what's left on the machine.

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


----------



## J_D (Jan 7, 2007)

Hi

Thanks Buzz

Here is the report from SmitFraudFix

SmitFraudFix v2.132

Scan done at 11:16:24.68, 07/01/2007
Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ray\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 

C:\Program Files\Video ActiveX Object\ FOUND !
C:\Program Files\VideoKeyCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Buzz1927 (Jan 7, 2007)

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.  A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## J_D (Jan 7, 2007)

Hi

Thanks Buzz it all seems clear now!!

here is the report of the clean:

SmitFraudFix v2.132

Scan done at 12:16:36.82, 07/01/2007
Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\gwquvw.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\gwquvw.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Video ActiveX Object\ Deleted
C:\Program Files\VideoKeyCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done. 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks again


----------



## Buzz1927 (Jan 7, 2007)

That did it


----------

