The main problem is a vulnerability in Windows Explorer that allows code to be executed. This doesn't affect Windows XP Service Pack 2 users, but others should get the patch from Microsoft to prevent this:
http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
The malware component takes advantage of unpatched PCs to infect the user with any number of different malicious payloads, including Trojans, keyloggers and dialers. On some occasions it can also display blue screen errors.
Removing this:
Download HijackThis:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
Press CTRL+ALT+DELETE to open Windows Task Manager. Click on the Processes tab and end the processes whose executables are named in the file list a bit further down.
Exit Task Manager.
Download Killbox:
http://www.downloads.subratam.org/KillBox.zip
Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
In the Killbox program, select the Delete on Reboot option.
In the field labeled Full Path of File to Delete, enter the file paths listed below ONE AT A TIME (EXACTLY as each one appears; copy each file path and paste it into the field). MAKE SURE TO ENTER ALL FILE PATHS!:
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
c:\bsw.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\hp***.tmp <= *** is a number of random characters
The .tmp file is installed as a BHO (Browser Helper Object) and hijacks the browser to quicknavigate.com. You will need to check the random part of the name on your own machine before using Killbox (HijackThis will show the entry if it exists).
Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button; when it asks if you want to reboot now, press the NO button.
Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
Make sure you can view hidden files. (Go to Start, then Search, then Tools on the top bar; go to Folder Options, then to the second tab, which is View. Tick the box that says Show Hidden Files and Folders, and untick the box below it that says Hide Extensions for Known File Types. Click Apply, then exit.)
Using Windows Explorer, delete the following (please do NOT try to find them by "search", because they may not show up that way):
FOLDERS to delete if found:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
Reboot into normal mode.
A registry file to undo most of the changes is available here:
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
Double-click that file and confirm that you want to merge it with the registry.
Download the Hoster from here:
http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=2654.0;id=285
Save it to the desktop, then run it. Press "Restore Original Hosts" and press "OK". Exit the program.
Download DelDomains to the desktop:
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click it and select Install. (All you will notice is the desktop icons flashing off and on; then it's finished.)
Run a virus scan.
Trend Micro
http://housecall.antivirus.com/
Panda
http://www.pandasoftware.com/activescan/co...n_principal.htm
Symantec's Security Check & Virus Scanner
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym
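An added PowerShell check, not part of Andy's post, that reports which of the files, folders and BHO entries listed above are actually present on the machine (handy for finding the random hp*.tmp name before using Killbox, and for confirming the cleanup afterwards). It assumes $env:SystemRoot stands in for the literal C:\Windows used above; it only reads and deletes nothing.

```powershell
# Read-only inventory of the indicators named in the removal steps above.
# Assumption: $env:SystemRoot replaces the literal C:\Windows from the post.
$sys32 = Join-Path $env:SystemRoot 'System32'

$files = @(
    'C:\wp.exe', 'C:\wp.bmp', 'C:\bsw.exe',
    (Join-Path $env:SystemRoot 'sites.ini'),
    (Join-Path $env:SystemRoot 'popuper.exe')
) + @('helper.exe', 'intmonp.exe', 'msmsgs.exe', 'ole32vbs.exe', 'msole32.exe',
      'shnlog.exe', 'intmon.exe', 'hhk.dll' | ForEach-Object { Join-Path $sys32 $_ })

$folders = @(
    'C:\Program Files\Search Maid', 'C:\Program Files\Virtual Maid',
    'C:\Program Files\Security IGuard', (Join-Path $sys32 'Log Files')
)

function Get-SmitfraudIndicators {
    $hits = @()
    foreach ($p in ($files + $folders)) {
        if (Test-Path -LiteralPath $p) { $hits += "present: $p" }
    }
    # The BHO file has a random suffix, so match the pattern rather than a fixed name.
    Get-ChildItem -Path $sys32 -Filter 'hp*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += "present: $($_.FullName)" }
    # Installed BHOs are CLSID subkeys under this key; the InprocServer32 default
    # value is the DLL each one loads (the same entries HijackThis lists as O2).
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($k in Get-ChildItem $bhoKey) {
            $clsid = $k.PSChildName
            $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) { $hits += "BHO $clsid -> $($srv.'(default)')" }
        }
    }
    # Hoster resets the hosts file; flag any line that points at the hijack domain.
    $hosts = Join-Path $sys32 'drivers\etc\hosts'
    if ((Test-Path $hosts) -and (Select-String -Path $hosts -Pattern 'quicknavigate' -SimpleMatch -Quiet)) {
        $hits += 'hosts file references quicknavigate.com'
    }
    return $hits
}

Get-SmitfraudIndicators
```

Run it once before starting and once after the reboot into normal mode; an empty result after the cleanup means none of the listed indicators remain.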
Hope This Helps
Andy