Hoax.Win32.Renos.vaos & Backdoor.Win32.Hupigon.dckd Found on my sy


This topic is locked

#1 mlansky (Member, 104 posts)
Hi,

I woke up today to find a message from F-Secure stating that there is riskware on my computer. The name of the riskware is FraudTool.win32.syskontroller and it was located in my C:\program files\symantec\liveupdate\MFC71.DLL. So then I went to use SmitFraudFix (which Dell recommended I run), and a message from F-Secure Anti-Virus popped up stating: "Malicious code found in the file C:\documents and settings\colin tenszen\desktop\smithfraudfix\IEDfix.exe. Infection: Hoax.Win32.Renos.vaoz. Action: The file was deleted." Once I clicked on the OK button, another similar message popped up stating: "Malicious code found in the file C:\documents and settings\colin tenszen\desktop\smithfraudfix\swsc.exe. Infection: Backdoor.Win32.Hupigon.dckd. Action: The file was deleted."

Also, it will now not let me run SmitFraudFix; SmitFraudFix is all red and gives me the message "Fichier swsc.exe absent! swcs.exe file missing! Unzip all the archive in a folder."

I don't know why I'm getting these messages when I try to open SmitFraudFix. I used to be able to run it without any problems before. This is really bothering me, since I take really good care of my computer. I just want everything to work and run properly. Can someone please help me out with these issues?

Thank you for your time.

Below is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:00, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Process Lasso\processlasso.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=2061203
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]
O4 - HKLM\..\Run: [ProcessGovernor] C:\Program Files\Process Lasso\processgovernor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ProcessSupervisorGUI] C:\Program Files\Process Lasso\ProcessLasso.exe /tray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ctensz.spaces...ad/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176256647718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ,,wp.shawcable.net
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8192 bytes


#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

I can't see anything suspicious in your log though...

I woke up today to find a message from f-secure stating that there is riskware on my computer. The name of the riskware is FraudTool.win32.syskontroller and it was located in my C:\program files\symantec\liveupdate\MFC71.DLL. So then I went to use SmitFraudFix (that Dell recommended for me to run) and a message from F-Secure Anti-Virus popped up stating: Malicious code found in the file C:\documents and settings\colin tenszen\desktop\smithfraudfix\IEDfix.exe Infection: Hoax.Win32.Renos.vaoz Action: The file was deleted. So once I clicked on the ok button another similar message popped up stating: Malicious code found in the file C:\documents and settings\colin tenszen\desktop\smithfraudfix\swsc.exe Infection: Backdoor.Win32.Hupigon.dckd Action: The file was deleted.

As a matter of fact, those are all false positives.

C:\program files\symantec\liveupdate\MFC71.DLL <=== is a part of Symantec LiveUpdate
C:\documents and settings\colin tenszen\desktop\smithfraudfix\IEDfix.exe <== is a part of SmitFraudFix, an extra removal tool integrated in it
C:\documents and settings\colin tenszen\desktop\smithfraudfix\swsc.exe <== this is a modified version of sc.exe, which many tools use to delete/disable services

In any case, there's really no need to keep SmitFraudFix, as this tool is updated every day.
Also, you may uninstall Symantec LiveUpdate and Symantec LiveUpdate Notice, since you have F-Secure installed.

#3 mlansky (Topic Starter)
miekiemoes,

Thank you for looking at and responding to my post. I sincerely appreciate it and feel so much better knowing that there is no need to be alarmed or worried about anything. I was seriously worried yesterday evening that my computer had a bunch of malware/viruses/trojans on it.

I just have 2 more questions. First of all, regarding SmitFraudFix: so you're saying SmitFraudFix is updated daily and there is no need to keep this program on my computer? So whenever I want to use it to run a scan, I just download it, scan my computer and, once I'm done, delete it? Second of all, you said I should get rid of Symantec. What is the best way to get rid of all of my Symantec products on my computer, such as Symantec LiveUpdate and Symantec LiveUpdate Notice like you stated?

Thank you so much once again for looking at my HijackThis log and for replying to my post. It sincerely means a lot. I'm just glad my computer is malware free.

Colin

Also, I was wondering if you had any experience with F-Secure? I'm running it as my anti-virus software and it really slows down my machine. Is there something I can do about that, yet still run F-Secure, as I've heard it's a really good anti-virus program?

#4 miekiemoes (Malware Expert)
Hi,

To answer your questions...

First of all, regarding SmitFraudFix: so you're saying SmitFraudFix is updated daily and there is no need to keep this program on my computer? So whenever I want to use it to run a scan, I just download it, scan my computer and, once I'm done, delete it?

Yes, you should delete it every time and redownload it every time you need it.

Second of all, you said I should get rid of Symantec. What is the best way to get rid of all of my Symantec products on my computer, such as Symantec LiveUpdate and Symantec LiveUpdate Notice like you stated?

You can uninstall Symantec LiveUpdate and Symantec LiveUpdate Notice via Software > Add & Remove Programs.

Also, I was wondering if you had any experience with F-Secure? I'm running it as my anti-virus software and it really slows down my machine. Is there something I can do about that, yet still run F-Secure, as I've heard it's a really good anti-virus program?

Yes, it is known that F-Secure may slow down the computer. There's not much you can do about that, except adding more RAM, or uninstalling F-Secure and replacing it with another antivirus. See my signature below under Antivirus for the ones I recommend.

#5 mlansky (Topic Starter)
miekiemoes,

Thank you once again for your valued response and for your recommendations. As always it is much appreciated. I will refer back to your posts if ever I have these problems again.

Thank you!

#6 miekiemoes
You're most welcome :)

#7 miekiemoes
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.