[Resolved] Did first post get lost?{optix trojan> smrtdrv}

[FrustratedAmy]

I tried to post earlier, but got an error. Did it work?

 

[FrustratedAmy]

The last couple of months we have had a lot of problems. Nimda...dead CD rom....Fixed Nimda, new CD Rom, reinstalled Windows 98 and office 97. Things were better for awhile. About 2 weeks ago, NAV quit responding. Something was eating up RAM in the background and we started getting illegal operation errors and occasionally blue screens. Attempts to reinstall NAV failed. I bought 2002 Systemworks, installs either had errors or when the program was opened it would just "drop out", disappear with no error message. Searched Symantec. Tried uninstall, reinstall IE5.5, Symclean utility....finally got a clean install, but the NAV could not update. I managed one virus scan at Symantec. Found JS Seeker. I manually removed that since I cannot get NAV to run. Since then, I cannot even get a scan at Symantec to run. It sits there showing 0 files scanned and 0 infected. I think I have looked at every file on this computer! DLed RX Pack from rmbox. The .exe files are OK. A few things in start up that I am not sure about. And there is a file named C:\trace.txt that was 14 megs and appears to be tracing our internet use. If I delete it, it creates another one. It started loging this on Dec 7. I DLed Cleaner from Moosoft. It disappears when I open it. I am at my wits end. Help!

 

[Dark Star]

FrustratedAmy,

Welcome to TSG.....

"A few things in start up that I am not sure about"

Copy/Paste them post them we can all look see.

"And there is a file named C:\trace.txt that was 14 megs and appears to be tracing our internet use."

Gotta a firewall ?.........Is it trying to call home?

"I DLed Cleaner from Moosoft. It disappears when I open it."

what disappears?

DS

 

[FrustratedAmy]

Last question first: the cleaner attempts to run, gets maybe a 10th of the way and the whole thing disappears. It just drops out with no error message and no sign it was ever running. This is how NAV behaves as well.

I don't have a firewall. I have had in the past, and I have Norton Internet Security, still in the box, because nothing is installing properly right now.

There are 2 processes running in the background that I can't identify: romdrv.exe and smrtdrv.exe We recently replaced the CD Rom drive, which might explain romdrv.exe. Smrtdrv.exe performs numerous illegal operations that lock the computer up. I disabled it so it would not run at start up (renamed), but some process replaced it last night - possibly an attempt to re-install NAV. Other than that, my start up log has some things I am not familiar with. I will attempt to attach it, but I tried that with the original post and it didn't transfer.

Thanks for your help

Amy

 

[Rollin' Rog]

I believe both smrtdrv.exe, romdrv.exe and some other files and folders as well may be a part of a trojan setup. Be sure to do a Find Files for each and delete or rename all instances.

Examine the startup log closely, you will see a shortcuts in your Startup folders which needs to be deleted.

You will also see these files being referenced in Winstart.bat in a way that allows them to be recopied and renewed if deleted. You need to delete or rename the Winstart.bat file to prevent this and then find and delete or rename the files and folder mentioned.

=================- WINSTART.BAT File - (c:\windows\winstart.bat) -=================- @echo off :s @if exist "C:\WINDOWS\olefiles\romdrv.exe" goto q @copy "C:\WINDOWS\SYSTEM\sirhyyl#{t" "C:\WINDOWS\Profiles\amy\Start Menu\Programs\Startup\romdrv.exe" > nul :f -=================

After you have renamed or deleted the Winstart.bat file and rebooted, be sure to look for sirhyyl#{t in c:\windows\system and try to delete it. You may need to rename it first, and then delete it from DOS. This could be tough.


=================
I do not think the olefiles folder is a legitimate one and should be moved out of the Windows directory, deleted or renamed until its pupose or lack of one is determined.
==================

There are also two registry entries, not standard referencing shell folders for these files, they are covered here:

[3] HKLM - Shell Folders HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders "Common Startup"="C:\\WINDOWS\\olefiles" .....................................................................

[4] HKLM - User Shell Folders HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup"="C:\\WINDOWS\\olefiles


The "normal" "common startup" entry should be:

C:\WINDOWS\All Users\Start Menu\Programs\StartUp

 

[Dark Star]

Rog,

Just trying to learn something here too.

Is this the problem or a part of the problem?

@if exist "C:\WINDOWS\olefiles\romdrv.exe" goto q
@copy "C:\WINDOWS\SYSTEM\sirhyyl#{t"

 

[FrustratedAmy]

I did all the things mentioned in Rollin Rog's post. I was then able to run The Cleaner which found Optix and Optixkiller trojan horses and removed them. My system seems to be stable again for the first time in weeks. Smrtdrv.exe was a part of the Optixkiller trojan. My only problem is trace.txt is still logging internet access. From other posts here I am guessing I need ADware to check for spyware.

Bless you! I must have spent 36 hours fighting with this. Symantec had no reference to Smrtdrv.exe when I searched and THEY were on vacation and I have yet to hear from them regarding this issue.

Thank you! Thank you! Thank you!

No longer Frustrated Amy

 

[Rollin' Rog]

Outstanding, I was just about to reply to DarkStar when I saw your last post.

A version of Optix is in fact what I suspected, we had a previous thread here where I went looking for that olefiles folder in Google and the Optix trojan was the closest thing I could find. Very new and nothing else quite like it. Evidently fries antivirus and firewall applications to keep from being detected.

http://forums.techguy.org/showthread.php?s=&threadid=62826&highlight=Smrtdrv.exe

I'm glad to see the Cleaner confirmed it.

 

[FrustratedAmy]

Adaware seems to have eliminated whatever was writing to trace.txt. Norton Systemworks installed and updated without a hitch and found no viruses. I am SOOO thankful!