Question:

I go to my Yahoo home page and my virus protection states that a trojan program is trying to be loaded.


Just today (8/6/2008) I went to my Yahoo Home Page and for some unknown reason I'm getting a message from my virus software that a trojan program is trying to load on my computer. Is anyone else having this issue? I have these two programs on my system. One is called fengxing.exe and the other is thunder.exe.

Thanks!

Bruce Marcoux


16 ANSWERS


  1. We have had this break out at our company as well. Anyone who goes to Yahoo has caught it. Does anyone know what the payload is? We have tracked down all the above files and deleted them. Also found them in the temp folder for the user and deleted them as well. Also deleted them from the prefetch. But yet they come back after every reboot.

    Anyone have a proven fix?

    JB


  2. You need to delete fengxing.exe and thunder.exe because every program that ends with .exe is a virus that can modify your personal settings. So delete them then scan to see if they are gone because it may be too late.

  3. Restart your PC in safe mode with networking

    http://www.pchell.com/support/safemode.s...

    Download, install and run a full scan with Malwarebytes

    http://www.malwarebytes.org

    Run a full scan with Micro Trend House Call

    http://housecall.trendmicro.com/

    After the scans, restart the PC and update your anti-virus. Remember to only have one anti-virus installed on your PC.


  4. zucki, that seems to have worked thanks.

  5. Thank you Zucki! Your solution fixed my problems.

  6. I would log off and run a virus scan.

  7. Yup, I had the same issue this morning too. But my corporate AV did not block it. Now I have the Fengxing file I'm trying to clean up.

    But yes, it all started when I went to my Yahoo home page.

  8. My internet connection also died after deleting mmchost.dll. Connectivity returns when I restore it, but it appears to be infected. Working in Firefox is not a problem, but sss.exe reappears whenever I start IE.

  9. I got the same thing today. When I booted up, I got 3 windows appearing from fengxing.exe and then 620.exe. Unfortunately there's not a lot of info on this trojan. I ran TrendMicro and it didn't even detect anything. Our IT guy deleted everything by hand and now my PC seems to be fine again.

    I think this trojan is related to a Funshion app I had. I had a Funshion exe file even though it didn't appear in Add/Remove Programs. Funshion is rated red by SiteAdvisor. Funshion is a Chinese company so there's that connection too.

    But then again I also use Yahoo as my home page so it still could have been that.

  10. I have/had the same problem. Interesting that my Virus scan did not find this one. If anyone comes up with the steps needed to get rid of this bugger please update it here. I have tried deleting it but it seems to "reappear" when I reboot.

  11. This virus/trojan is currently making its way around the net. I strongly advise you to remove the link you have at the bottom of your "Additional Details" to prevent other people from clicking and being infected.

    I checked the page with my local AV as well as a corporate proxy AV. Both report the site is trying to download a trojan to your system.

    The virus is also known by other file names as follows:

    sss.exe, beauty.exe, sl.exe, fengxing.exe, thunder.exe


  12. I have run the LSPFix and deleted the mmchost.dll file; however, my computer still does not seem to be working properly. Still cannot connect to the internet, cannot search for related programs, cannot open other programs like Excel. Is anyone else still having problems?

  13. Yes, I am getting it also. I contacted Tech Support and tried to tell them about it, but they tried to tell me I got it somewhere else. My home page is Yahoo, and it came up as soon as I got on the internet. Freakin' Yahoo, anything for a buck nowadays.

    I got a message from Windows that my system files had been updated by an unknown, unsigned program. So I reinstalled the Windows files and now I am having to reset all my defaults and properties. I am running Windows 2000 with Explorer 5, I guess the developer didn't think anyone would be using those versions, which is how I found it. Now when I go to Yahoo it tries to install the stuff, I cancel out, and eventually a window pops up for Fengxing but it has no content. I force it to close. I am avoiding the Yahoo! home pages and am using Firefox if I have to read my mail.

    My laptop went right through it with no notices, it has XP and Explorer 6 on it. I assume it is infected now.

    Thanks to the previous answer, I went into my \Win32\System directory, found the Fengxing.exe file and deleted it.

  14. I'm having a huge problem with this now -- I deleted fengxing.exe and all the files in the system32 folder that looked to be associated with it (by date/time), then also just decided to uninstall Yahoo browser services, installer, etc from Remove Programs, etc. -- and now I cannot launch System Restore, my Antivirus, etc.  nor can I connect to the internet.

  15. If your virus protection (that you didn't specify) is blocking a trojan from loading, then that's good.

    You might consider running a scan and seeing if your virus protection can delete the infection from your computer so that it won't try to load every time you open your browser.

  16. Finally I found a way to get this Trojan out of my way.

    The mmchost.dll is an LSP provider (Layered Service Provider), which means that every Winsock user application will load the mmchost.dll. mmchost is like a proxy that retrieves any Winsock operation (createsocket, connect, listen, recv, send) and is able to change the behavior of the operation.

    Here is what you will have to do to safely remove it: Download http://www.download.com/LSPFix/3000-2085...

    This application can remove LSP providers. When running the LSPFix application you will see that mmchost.dll is on the "Keep" list. All you have to do is to check the checkbox "I know what I'm doing" and move mmchost.dll to the Remove list. Press Finish and that's it.

    Go to windows\system32 and delete/rename the mmchost.dll to make sure nothing refers to it anymore.

    Hope that is working for you all, enjoy.
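
Added example (not code from any poster in this thread): a layered service provider is registered in the Winsock catalog, and chain entries keep routing through its DLL until it is deregistered, which fits the lost connectivity described in answers 8, 12 and 14 after the file alone was deleted. The sketch below parses text in the style of `netsh winsock show catalog` and lists provider DLLs outside a baseline plus the chain entries that depend on them; the sample text, catalog IDs, description and the one-DLL baseline are constructed assumptions.

```python
import re

BASELINE_DLLS = {"mswsock.dll"}  # assumption: replace with the DLL list from a clean image

# Constructed sample modeled on `netsh winsock show catalog` output,
# not a capture from an affected machine. IDs and descriptions are made up.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        example layered provider
Provider Path:                      %SystemRoot%\system32\mmchost.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        MSAFD Tcpip [TCP/IP] over example layered provider
Provider Path:                      %SystemRoot%\system32\mmchost.dll
Catalog Entry ID:                   1016
Protocol Chain Length:              2
Protocol Chain:                     1015 : 1001
"""

def parse_catalog(text):
    """Return one dict of 'Field: value' pairs per catalog entry."""
    field = re.compile(r"^([A-Za-z ]+?):\s+(.*\S)\s*$", re.M)
    return [dict(field.findall(b)) for b in text.split("Winsock Catalog Provider Entry")[1:]]

def dll_name(entry):
    """File name of the provider DLL, lower-cased, without its directory."""
    return re.split(r"[\\/]", entry["Provider Path"])[-1].lower()

def audit(entries, baseline=BASELINE_DLLS):
    """Return (DLLs not in the baseline, IDs of chain entries that route through them)."""
    suspect = [e for e in entries if dll_name(e) not in baseline]
    suspect_ids = {e["Catalog Entry ID"] for e in suspect}
    chains = [e["Catalog Entry ID"] for e in entries
              if suspect_ids & set(re.findall(r"\d+", e.get("Protocol Chain", "")))]
    return sorted({dll_name(e) for e in suspect}), chains

if __name__ == "__main__":
    print(audit(parse_catalog(SAMPLE)))
```

A non-empty second list means TCP/IP sockets are still being handed to the unbaselined DLL, so the provider has to be removed from the catalog before the file is deleted or renamed.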
