HDISKLINK by GURLteam

Hello

I don’t know if this is adware or a virus/worm, but my computer has acquired an application that keeps on sending to the internet. I tracked the application, tagged as Project1 in the Task Manager, but the processes list indicates it is a hdisklink.exe program (there are other process names too, like my.exe and dsmartload.exe). I managed to locate the file; after checking the file's properties, the comments say: “you can stop me but you can’t stop the GURLteam”. Avast and other anti-virus and anti-adware software do not work, but they are blocking some anonymous IP address.

The application could not be deleted manually (“it is write protected”), and even if you could delete it or move it to another drive, it returns as if nothing happened.

I hope someone knows how to eliminate this application. And what is the GURL team?

Thank you in advance

Download, update and run Ewido: http://www.ewido.net/en/download/ See if that helps. If it is not cured, run a HijackThis log and we will see what we can do to help.

Edit: check this link out http://www.mail-archive.com/botnets@whitestar.linuxbox.org/msg00314.html

A Google search for hdisklink.exe gets three German sites, which might indicate the smitfraud, so it might be worth checking this out; it certainly shouldn’t hurt to try it.

Please download SmitfraudFix from: http://siri.geekstogo.com/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press “Enter”; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

This one has a combined removal tool with instructions, courtesy of my Netherlander friend
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

A Google search for GURLteam seems to relate to some botnet activities, as in the link essexboy posted.

Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

This is the report from SmitfraudFix:

SmitFraudFix v2.45

Scan done at 11:15:52.50, 05/19/2006
Run from C:\Documents and Settings\oem\My Documents\downloads\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\NEW

»»»»»»»»»»»»»»»»»»»»»»»» C:\NEW\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\NEW\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\NEW\system32

C:\NEW\system32\migicons.exe FOUND !
C:\NEW\system32\ztoolbar.bmp FOUND !
C:\NEW\system32\ztoolbar.xml FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\oem\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\oem\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
“Source”=“About:Home”
“SubscribedURL”=“About:Home”
“FriendlyName”=“My Current Home Page”

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Well, a Google search for the file names found would indicate these as malware:
C:\NEW\system32\migicons.exe
See http://www.bleepingcomputer.com/forums/lofiversion/index.php/t51946.html

C:\NEW\system32\ztoolbar.bmp
C:\NEW\system32\ztoolbar.xml
See http://www.spywareremove.com/removeZToolbar.html

So deleting/renaming/moving/adding these to the avast chest and then emailing them from the avast chest to Alwil Software.
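
An added example, not part of the original thread and not SmitfraudFix's own code: a small Python parser that pulls the "FOUND !" entries and registry keys out of a search report like the one posted above, grouped by section, so the flagged files can be listed for quarantine or submission. The line patterns are inferred only from the report as it appears in this thread, and the function names are hypothetical.

```python
import re

# Excerpt of the SmitfraudFix v2.45 search report quoted in this thread.
REPORT = r"""SmitFraudFix v2.45

Scan done at 11:15:52.50, 05/19/2006
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\NEW\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\NEW\system32

C:\NEW\system32\migicons.exe FOUND !
C:\NEW\system32\ztoolbar.bmp FOUND !
C:\NEW\system32\ztoolbar.xml FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Assumed line shapes, inferred from the report layout shown on this page.
SECTION = re.compile(r"^»{3,}\s*(.+?)\s*$")      # section banner + name
FOUND = re.compile(r"^(.+?)\s+FOUND\s*!\s*$")    # "<path> FOUND !"
REGKEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")      # "[HKEY_...]" key header


def parse_report(text):
    """Return {section: {"files": [...], "keys": [...]}} in report order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), {"files": [], "keys": []})
        elif current is None:
            continue  # header lines before the first section banner
        elif m := FOUND.match(line):
            current["files"].append(m.group(1))  # paths may contain spaces
        elif m := REGKEY.match(line):
            current["keys"].append(m.group(1))
    return sections


def flagged_files(text):
    """Flat list of (section, path) for every 'FOUND !' line."""
    return [(name, path) for name, sec in parse_report(text).items()
            for path in sec["files"]]
```
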

:slight_smile: Hi Nizrel:

If you are running "SmitfraudFix" AND it shows it found something, you should be getting guidance of Experts found on antiSPYWARE forums; if you know of none, I recommend the forums at www.landzdown.com.