11-22-2006, 05:39 PM   #4
Susan528
Analyst, Security Team
 
Join Date: Nov 2006
Posts: 215
OS: WinXP Pro


You mentioned Winfixer so let's check for that too.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

======
Stop and Disable Service
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find Remote Administrator Service (r_server)
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.

Then use HijackThis on the entries below.
Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {046C9BD8-7943-5EEF-4F15-2FC7E57CB2EE} - C:\WINDOWS\system32\rmzh.dll (file missing)
O2 - BHO: (no name) - {1B318261-69F4-4105-A0A9-6443BD6AF7E8} - C:\WINDOWS\system32\lzqciocg.dll (file missing)
O2 - BHO: (no name) - {DBC0876E-30A3-4A05-ACAF-611348D431B5} - C:\WINDOWS\system32\jifubvhx.dll (file missing)
O2 - BHO: (no name) - {EB641928-F7E6-8841-E46A-F87AEEEC0EE4} - C:\WINDOWS\system32\abihrihx.dll (file missing)

DO NOT CHECK if an administrator set them or you used Spybot's Home Page and Option Lock down features
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Please post in your reply:
C:\rapport.txt
a fresh HijackThis log, and we will take another look.
__________________
Proud member of ASAP since 2005

If you feel we've helped you, Please donate to the forum
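As an added example (not part of Susan528's post and not code from the HijackThis tool), here is a small Python triage script that parses the O2/O6/O23 line formats quoted above and flags the same conditions the post acts on: orphaned BHO registrations marked "(file missing)", IE policy restrictions that should only be removed if you did not set them, and an unknown-owner service whose binary is gone. The sample log is constructed from the entries in the post plus one benign O2 line with a made-up CLSID and path, and the regular expressions are my own reading of the log format.

```python
import re

# Constructed sample: the entries quoted in the post plus one benign, constructed O2 line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {046C9BD8-7943-5EEF-4F15-2FC7E57CB2EE} - C:\WINDOWS\system32\rmzh.dll (file missing)
O2 - BHO: (no name) - {1B318261-69F4-4105-A0A9-6443BD6AF7E8} - C:\WINDOWS\system32\lzqciocg.dll (file missing)
O2 - BHO: Example Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
""".strip()

# One pattern per HijackThis section handled here; "(file missing)" is an optional trailer.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - "
                     r"(?P<path>.+?)(?P<missing> \(file missing\))?$", re.I),
    "O6": re.compile(r"^O6 - (?P<key>HK\w+\\.+?) present$"),
    "O23": re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - "
                      r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
}

def parse_line(line):
    """Parse one log line into a dict (type, fields, file_missing); None if not handled."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            rec = {"type": kind, **m.groupdict()}
            rec["file_missing"] = rec.pop("missing", None) is not None
            return rec
    return None

def triage(rec):
    """Reasons an entry deserves attention; an empty list means nothing notable."""
    reasons = []
    if rec["type"] == "O2":
        if rec["file_missing"]:
            reasons.append("orphaned BHO: CLSID still registered but the DLL is gone")
        if rec["name"] == "(no name)":
            reasons.append("BHO carries no name, which legitimate add-ons normally set")
    elif rec["type"] == "O6":
        reasons.append("IE policy restriction: remove only if you or your admin did not set it")
    elif rec["type"] == "O23":
        if rec["owner"] == "Unknown owner":
            reasons.append("service registered with no identifiable owner")
        if rec["file_missing"]:
            reasons.append("service binary missing: stop and disable the service first")
    return reasons

def flagged_entries(log_text):
    """Return (record, reasons) pairs for every parsed line that has at least one reason."""
    recs = [parse_line(l) for l in log_text.splitlines()]
    return [(r, t) for r in recs if r and (t := triage(r))]
```

Running `flagged_entries(SAMPLE_LOG)` flags the two nameless orphaned BHOs, the Restrictions policy key and the r_server service, while the benign O2 line produces no reasons.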