SmitFraudFix and AVG

  • Thread starter: Weatherlawyer

Weatherlawyer

I think that AVG has removed my copy of SmitFraudFix.

Any ideas if it has been throwing false positives over the last few weeks?

My computer seems to be working OK. I am not sure if it has slowed down or
whether the servers I am browsing are busy when I go there. (It isn't too bad
for the most part.)

I am about to go and look at HjT and do a complete scan in Safe Mode. It's
just that I can't see why my SmitFraudFix won't open.
 
If you'd been using SmitFraudFix under the guidance of an expert in such
matters, the expert would have told you that "a SmitFraud Fix file
(process.exe) is detected by some antivirus apps as a "RiskTool". Antivirus
apps cannot distinguish between "good" and "malicious" use of such programs,
therefore they may alert the user. Please ignore any such warnings."

Scanning with HJT in Safe Mode seldom yields different results than one done
in normal mode.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
PA Bear said:
If you'd been using SmitFraudFix under the guidance of an expert in such
matters, the expert would have told you that "a SmitFraud Fix file
(process.exe) is detected by some antivirus apps as a "RiskTool". Antivirus
apps cannot distinguish between "good" and "malicious" use of such programs,
therefore they may alert the user. Please ignore any such warnings."

Scanning with HJT in Safe Mode seldom yields different results than one done
in normal mode.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


I went into Safe Mode to run a suite of scanners all of which turned up
nothing.

However, just before going I got hold of StopZilla which found 61 threats.
Now I appreciate these things find threats that are not there sometimes but
61 and a large fraction of them were my hosts files.

Then they wanted money from me to remove them.

Anyway. I am content that I am pretty free of bugs for now. I will go and
get the SFF and make AVG see it isn't a threat (somehow.)

And run an HjT on one of the sites you suggested thanks.

I think it is clean but I want to get advice about what programmes I don't
need. I have an astonishing number of nVidiae things running. My Graphics
card and Firewall come from them so I can't just block them whilenihil.

Thanks for the reply.

Mike.
 
Weatherlawyer said:
I went into Safe Mode to run a suite of scanners all of which turned up
nothing.

However, just before going I got hold of StopZilla which found 61 threats.
Now I appreciate these things find threats that are not there sometimes but
61 and a large fraction of them were my hosts files.

Then they wanted money from me to remove them.

Anyway. I am content that I am pretty free of bugs for now. I will go and
get the SFF and make AVG see it isn't a threat (somehow.)

And run an HjT on one of the sites you suggested thanks.

I think it is clean but I want to get advice about what programmes I don't
need. I have an astonishing number of nVidiae things running. My Graphics
card and Firewall come from them so I can't just block them whilenihil.

Thanks for the reply.

Mike.

the entries in your hosts file are placed there to redirect bad websites to
nul,
that stopzilla can't or won't distinguish that the name in your hosts file is
a GOOD thing suggests that there may be other issues with it. especially
since it demands payment for what is available free from judicious use of
HJT Spybot adaware superantispyware, et al
"rogue program" immediately jumps to mind as a first impression
--
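
The distinction made in the post above, as an added example that is not part of anyone's post in this thread: a short Python triage of a hosts file that separates names pointed at loopback or 0.0.0.0 (blocking entries) from names sent to any other address, which are the only ones worth a closer look. The sample file, its hostnames and addresses, and the verdict labels are all constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; every hostname and address is a placeholder.
SAMPLE_HOSTS = """\
# entries added by a blocklist tool
127.0.0.1    localhost
127.0.0.1    ads.badsite.example
0.0.0.0      tracker.badsite.example   # sinkholed tracker
::1          localhost
203.0.113.7  www.webmail.example
not-an-ip    broken.example
"""

def classify_hosts(text):
    """Return (hostname, address, verdict) for every name in a hosts file.

    Verdicts: 'default'   - localhost mapped to loopback
              'sinkhole'  - name pointed at loopback or 0.0.0.0 (blocked)
              'review'    - name pointed at any other address
              'malformed' - line that is not a valid hosts entry
    """
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:
            results.extend((n, addr, "malformed") for n in names or [None])
            continue
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                verdict = "default" if name.lower() == "localhost" else "sinkhole"
            else:
                verdict = "review"
            results.append((name, addr, verdict))
    return results

def entries_to_review(text):
    """Only the entries a person should look at: redirects and bad lines."""
    return [r for r in classify_hosts(text) if r[2] in ("review", "malformed")]

if __name__ == "__main__":
    for name, addr, verdict in classify_hosts(SAMPLE_HOSTS):
        print(f"{verdict:9} {addr:12} {name}")
```

A `review` verdict is not proof of tampering, since intranet mappings land there too; the output is a shortlist for a person to check, not a removal list.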
 
Weatherlawyer said:
I went into Safe Mode to run a suite of scanners all of which turned up
nothing.

Most AV/anti-spyware scans can neither detect nor remove the really bad
stuff. That's like saying, "My car started so everything must be OK under
the hood."

However, just before going I got hold of StopZilla which found 61 threats.
Now I appreciate these things find threats that are not there sometimes but
61 and a large fraction of them were my hosts files.

Then they wanted money from me to remove them.

I call that ransomware, myself.

Anyway. I am content that I am pretty free of bugs for now. I will go and
get the SFF and make AVG see it isn't a threat (somehow.)

The author of SFF (s!ri) hasn't updated it in almost a month so it's pretty
useless if you've got a SmitFraud/Zlob variant that surfaced on or after 19
Dec-07; cf. http://siri.urz.free.fr/Fix/ChangeLog.php

And run an HjT on one of the sites you suggested thanks.

I think it is clean but I want to get advice about what programmes I don't
need. I have an astonishing number of nVidiae things running. My Graphics
card and Firewall come from them so I can't just block them whilenihil.

The expert handling your HJT forum thread can help you with this, too.
 
That's not exactly the whole truth. Siri's program has always been detected by
AV software and it is not just Process.exe. Look at the scan results below.
I use Process.exe in my Remove-it program and the scans are way too
different to be a coincidence. 1st list is SmitFraudFix, 2nd is
process.exe, 3rd is my Remove-it program.

File SmitfraudFix.exe received on 01.16.2008 02:45:31 (CET)

Result: 11/32 (34.38%)

AhnLab-V3 2008.1.16.10 2008.01.15 -
AntiVir 7.6.0.48 2008.01.15 TR/VB.20480.D
Authentium 4.93.8 2008.01.15 -
Avast 4.7.1098.0 2008.01.15 -
AVG 7.5.0.516 2008.01.15 VB.CEC
BitDefender 7.2 2008.01.16 -
CAT-QuickHeal 9.00 2008.01.15 -
ClamAV 0.91.2 2008.01.15 PUA.PWTool.Reboot
DrWeb 4.44.0.09170 2008.01.15 Tool.Prockill
eSafe 7.0.15.0 2008.01.15 -
eTrust-Vet 31.3.5461 2008.01.16 -
Ewido 4.0 2008.01.15 -
FileAdvisor 1 2008.01.16 -
Fortinet 3.14.0.0 2008.01.16 Misc/PrcViewer
F-Prot 4.4.2.54 2008.01.15 W32/Reboot.A
F-Secure 6.70.13030.0 2008.01.15 -
Ikarus T3.1.1.20 2008.01.16 -
Kaspersky 7.0.0.125 2008.01.16 not-a-virus:RiskTool.Win32.Reboot.f
McAfee 5208 2008.01.15 potentially unwanted program PrcViewer
Microsoft 1.3109 2008.01.15 -
NOD32v2 2794 2008.01.15 Win32/PrcView
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.15 -
Prevx1 V2 2008.01.16 Heuristic: Suspicious File With Bad Child Associations
Rising 20.27.12.00 2008.01.15 -
Sophos 4.24.0 2008.01.15 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.15 -
TheHacker 6.2.9.187 2008.01.13 -
VBA32 3.12.2.5 2008.01.15 Trojan.Shutdown
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.15 -


File Process.exe received on 01.16.2008 02:51:47 (CET)

Result: 8/32 (25%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.16.10 2008.01.15 Win-AppCare/PrcViewer.53248
AntiVir 7.6.0.48 2008.01.15 -
Authentium 4.93.8 2008.01.15 -
Avast 4.7.1098.0 2008.01.15 -
AVG 7.5.0.516 2008.01.15 -
BitDefender 7.2 2008.01.16 -
CAT-QuickHeal 9.00 2008.01.15 -
ClamAV 0.91.2 2008.01.15 -
DrWeb 4.44.0.09170 2008.01.15 Tool.Prockill
eSafe 7.0.15.0 2008.01.15 -
eTrust-Vet 31.3.5461 2008.01.16 -
Ewido 4.0 2008.01.15 -
FileAdvisor 1 2008.01.16 Low threat detected
Fortinet 3.14.0.0 2008.01.16 Misc/PrcViewer
F-Prot 4.4.2.54 2008.01.15 -
F-Secure 6.70.13030.0 2008.01.15 -
Ikarus T3.1.1.20 2008.01.16 -
Kaspersky 7.0.0.125 2008.01.16 -
McAfee 5208 2008.01.15 potentially unwanted program PrcViewer
Microsoft 1.3109 2008.01.15 -
NOD32v2 2794 2008.01.15 Win32/PrcView
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.15 Application/Processor
Prevx1 V2 2008.01.16 -
Rising 20.27.12.00 2008.01.15 -
Sophos 4.24.0 2008.01.15 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.15 -
TheHacker 6.2.9.187 2008.01.13 Aplicacion/Processor.20
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.15 -

File npremove-itsetup.exe received on 01.16.2008 02:03:04 (CET)

Result: 2/32 (6.25%)

AhnLab-V3 2008.1.16.10 2008.01.15 -
AntiVir 7.6.0.48 2008.01.15 -
Authentium 4.93.8 2008.01.15 -
Avast 4.7.1098.0 2008.01.15 -
AVG 7.5.0.516 2008.01.15 -
BitDefender 7.2 2008.01.16 -
CAT-QuickHeal 9.00 2008.01.15 -
ClamAV 0.91.2 2008.01.15 -
DrWeb 4.44.0.09170 2008.01.15 -
eSafe 7.0.15.0 2008.01.15 -
eTrust-Vet 31.3.5461 2008.01.16 -
Ewido 4.0 2008.01.15 -
FileAdvisor 1 2008.01.16 -
Fortinet 3.14.0.0 2008.01.16 -
F-Prot 4.4.2.54 2008.01.15 -
F-Secure 6.70.13030.0 2008.01.15 -
Ikarus T3.1.1.20 2008.01.16 Virus.Win32.Trojan
Kaspersky 7.0.0.125 2008.01.16 -
McAfee 5208 2008.01.15 -
Microsoft 1.3109 2008.01.15 -
NOD32v2 2794 2008.01.15 -
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.15 -
Prevx1 V2 2008.01.16 Heuristic: Suspicious Self Modifying File
Rising 20.27.12.00 2008.01.15 -
Sophos 4.24.0 2008.01.15 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.15 -
TheHacker 6.2.9.187 2008.01.13 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.15 -
Additional information
File size: 702981 bytes
MD5: 3d543ac958b785a533f24a02aeb2dfb8
SHA1: 726d0d47817a66a5f7f7eb388f057dc678bbc5e3
PEiD: -
Prevx info:
http://info.prevx.com/aboutprogramtext.asp?PX5=14A6205A054CA605BA650A313D29DB002BBA7BA9


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Beauregard T.
Shagnasty,Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
 
PA Bear said:
Most AV/anti-spyware scans can neither detect nor remove the really bad
stuff. That's like saying, "My car started so everything must be OK under
the hood."

What on earth are you talking about?

The author of SFF (s!ri) hasn't updated it in almost a month so it's pretty
useless if you've got a SmitFraud/Zlob variant that surfaced on or after 19
Dec-07; cf. http://siri.urz.free.fr/Fix/ChangeLog.php

That runs counter to the statement you posted on your web site when I
suggested that another poster made sure she had the most up to date
definitions for the scanners which were to help her out.

Which scanners incidentally you seem to be indicating -if I am familiar with
a language my people have been speaking since pre-Roman times, have little or
no effect.

Which is it?
 
AlmostBob said:
the entries in your hosts file are placed there to redirect bad websites to
nul,

I am aware of that but any competent scanner should understand the concept
of the word Host's files.

that stopzilla can't or won't distinguish that the name in your hosts file is
a GOOD thing suggests that there may be other issues with it. especially
since it demands payment for what is available free from judicious use of
HJT Spybot adaware superantispyware, et al
"rogue program" immediately jumps to mind as a first impression

Yes, my opinion too. I got rid as soon as it failed to do what it said on
the bottle.

I have no complaints about people trying to earn an honest crust. I get so
much for free I am grateful, it's just that I got it from Tom Coyote who
after running down a number of other programmes recommended that one.

I shan't be going there again.

Or was I misdirected I wonder? He got DDOSed a few times a while back.
Perhaps the buggers are still haunting him.

I'll have to look into that.

Ah well things seem to be working OK once again. So I must have caught
whatever it was with the Safe Mode scans.

Thanks all.
 
By selectively quoting only parts of my reply (and not including any of your
post to which I was replying), you've taken my comments out of context.

I own neither AumHa.org nor AumHa.net.

SmitFraudFix isn't a scanner, it's a utility to detect and remove (if found)
some SmitFraud/Zlob infections...only. Since it's not been updated in
nearly a month and since the SmitFraud/Zlob trojans are constantly mutating,
it cannot and will not detect or remove more recent SmitFraud/Zlob
infections.

Anti-spyware applications (e.g., Defender, Spybot, Ad-Aware, AVG AS,
Spysweeper) /can/ be useful and you should always check for and install
updates before scanning, just like an anti-virus application.
Unfortunately, none of them are effective against these more recent variants
either. AVG AS is just about worthless these days, IMHO.
 
PA Bear said:
By selectively quoting only parts of my reply (and not including any of your
post to which I was replying), you've taken my comments out of context.

I own neither AumHa.org nor AumHa.net.

I beg pardon. I went there and joined that forum after following the link on
your replies.

Someone on there has serious issues.

Still no harm done, I am far too thick to take offence.

I clip all posts to include only the germane to my reply.

If you want to see the thread I am using this server:

http://www.microsoft.com/windowsxp/...98a60e6c72d&cat=&lang=en&cr=US&sloc=en-us&p=1
for the messages.
 
Weatherlawyer said:
I beg pardon. I went there and joined that forum after following the link on
your replies.

Someone on there has serious issues.
<snip>

Including links in my sig doesn't mean that I own the pages/sites they take
you to.

Assuming http://aumha.net/viewtopic.php?t=31288 is your thread, you made no
mention whatsoever of a SmitFraud infection, using SmitFraudFix, of AVG
(anti-virus? anti-spyware?), or of anything else you posted in your first
message in this thread (cf.
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/d39c4528cb5d295f).

Furthermore, you originally posted your HijackThis log in a forum that has
absolutely nothing to do with "too many processes" so I moved it to an
appropriate forum.

Whatever your problem or question is, best of luck to you.

Startup Program Loading
http://aumha.org/a/loads.htm
 
