I removed a spyware infection, and I’m called out again about 6 days later with another infection. The PC is a newish Dell PC running Norton IS, and it has about 4 user accounts.
At first I worry that I didn’t clean out the infection correctly the first time, but I later find the dates of the infected files are from 2 days ago (Sunday 03/11/2007).
I can’t run Task Manager (it’s been disabled), and starting IE results in a browser hijack attempt (luckily WinPatrol pops up and warns of a home page change to softwarereferral.com).
Norton IS doesn’t start correctly (no icons in the taskbar).
I decide to go into Safe Mode and log in as Administrator.
I then run BHODemon and WinPatrol and notice that advrepnok.dll is listed as an unknown BHO; a Google search shows it’s another SmitFraud variant.
The file is in the C:\Windows folder; sorting by date shows 5 files with the same date (and very similar times): 3rd November 2007.
The files are: advrepnok.dll, hupsrv.dll, bindmod.dll, sdrmod.dll, wtopmod.exe
I rename them to *.dlll or *.exee so that they cannot be “found” (i.e. I add an extra character to the extension).
I then search the registry with regedit and rename any reference to the 5 files to *.dl or *.ex (i.e. I remove a character from the extension).
Next, I use BHODemon to disable any BHO related to the 5 bad files. I also check using WinPatrol, just to be sure.
I restart into normal XP mode, and Norton gives a brief complaint about some other trojan, and then settles down. Otherwise everything seems to work perfectly.
Now I just go to regedit and re-enable Task Manager.
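The file rename, registry fix-up and Task Manager steps above, scripted as an added example that is not part of the original post (the author did all of this by hand with Explorer and regedit). It assumes Windows PowerShell 2.0 or later run as Administrator in Safe Mode; the five file names are the ones the post lists, the `$DryRun` switch is made up for this example, and the registry scan covers the usual load points (Run keys, CLSID\InprocServer32 for BHOs, Winlogon\Notify, AppInit_DLLs) rather than the whole registry that regedit’s Find walks.

```powershell
# Added example, not the post's own method: script the cleanup described in the post
# (rename the bad files, fix registry references, re-enable Task Manager).
# Assumptions: Windows PowerShell 2.0+, run as Administrator from Safe Mode;
# the file list comes from the post; $DryRun is a made-up switch for this example.

$DryRun   = $true    # set to $false to actually rename files and change registry values
$badFiles = @('advrepnok.dll', 'hupsrv.dll', 'bindmod.dll', 'sdrmod.dll', 'wtopmod.exe')
$winDir   = $env:SystemRoot    # normally C:\WINDOWS on XP

# --- Step 1: rename each file so nothing can load it by its original name ---
# advrepnok.dll -> advrepnok.dlll, wtopmod.exe -> wtopmod.exee (one extra extension character)
foreach ($name in $badFiles) {
    $path = Join-Path $winDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $newName = $name + $name[-1]
    Write-Host "file  : $path -> $newName"
    if (-not $DryRun) { Rename-Item -LiteralPath $path -NewName $newName }
}

# --- Step 2: fix registry values that reference the files ---
# The BHO list under Explorer\Browser Helper Objects only holds CLSIDs; the file name
# is in HKLM\SOFTWARE\Classes\CLSID\{...}\InprocServer32, which this scan covers.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',     # Run, RunOnce, ShellServiceObjectDelayLoad
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',  # Winlogon\Notify, Windows\AppInit_DLLs
    'HKLM:\SOFTWARE\Classes\CLSID',                        # InprocServer32 for BHOs and shell extensions
    'HKCU:\Software\Microsoft\Windows\CurrentVersion'      # per-user Run keys
)
$pattern = ($badFiles | ForEach-Object { [regex]::Escape($_) }) -join '|'

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            # keep %SystemRoot%-style values unexpanded so we write back what was there
            $value = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            if (-not ($value -is [string]) -or $value -notmatch $pattern) { continue }
            # advrepnok.dll -> advrepnok.dl, wtopmod.exe -> wtopmod.ex (one extension character removed)
            $fixed = $value
            foreach ($name in $badFiles) {
                $shortName = $name.Substring(0, $name.Length - 1)
                $fixed = $fixed -ireplace [regex]::Escape($name), $shortName
            }
            $psName = if ($valueName -eq '') { '(default)' } else { $valueName }
            Write-Host "reg   : $($key.Name)\$psName : '$value' -> '$fixed'"
            if (-not $DryRun) {
                # preserve REG_SZ vs REG_EXPAND_SZ when writing the value back
                Set-ItemProperty -LiteralPath $key.PSPath -Name $psName -Value $fixed -Type $key.GetValueKind($valueName)
            }
        }
    }
}

# --- Step 3: re-enable Task Manager ---
# DisableTaskMgr = 1 under Policies\System is what blocks it; removing the value restores the default.
foreach ($hive in @('HKCU:', 'HKLM:')) {
    $policy = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path -LiteralPath $policy)) { continue }
    $current = (Get-ItemProperty -LiteralPath $policy).DisableTaskMgr
    if ($null -eq $current) { continue }
    Write-Host "policy: $policy\DisableTaskMgr = $current -> removed"
    if (-not $DryRun) { Remove-ItemProperty -LiteralPath $policy -Name 'DisableTaskMgr' }
}
```

Run it once with `$DryRun = $true` and read the printed file, registry and policy lines before letting it change anything; the BHO disable step the post does in BHODemon is not scripted here, and a full regedit Find is still worth doing afterwards to catch references outside the four roots listed.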
A new customer calls me the next day.
I find the PC (also a Dell with Norton IS and a few user accounts) has the same infection.
But at least Task Manager wasn’t disabled.
I repeat what I did the day before, and it clears the problem.
I also notice that both PCs have “Free crazy video downloader and converter” (fcvdc.exe) installed.
Maybe it’s a coincidence, or maybe it’s something like LimeWire and the various messenger programs: a potential conduit for spyware infections.