Trojan-Spy.HTML.Smitfraud.c

[Pieter_Arntz]

I found this fix written by bananafanafo at GeeksToGo. (I made some minor changes since this board does not use HijackThis logs unless absolutely necessary.)

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\hhk.dll
C:\WINDOWS\System32\helper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\ole32vbs.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\msmsgs.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

A registry file to undo most of the changes is available here:
http://metallica.geekstogo.com/smitfraud.reg
Doubleclick that file and confirm you want to merge it with the registry.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run a virus scan. If you do not have an AV installed, use ActiveScan - Save the results from the scan!

[Pieter_Arntz]

A new version has emerged.

Files:
Sysdir%\shnlog.exe
Sysdir%\intmon.exe
Sysdir%\msmsgs.exe
Sysdir%\hhk.dll
Sysdir%\hp***.tmp <= *** is a number of random characters

The tmp file is installed as a BHO and hijacks to quicknavigate.com

Where Sysdir% is your system directory (f.e. C:\Windows\System32)

When installing itself it "destroys" all the other BHOs you may have.

[Pieter_Arntz]

A new variant called stealthSWs114.h!dll hoax
This one works the same as the last variant of Smitfraud and the fix is also the same.

Hijacks to: http://www.startsearches.net/

Screenshot:
http://www.webhelper4u.com/CWS/Resea...dinfected.html

Also a new CLSID for the BHO was found:

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC776.tmp

First one was: O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp3C2E.tmp

[Pieter_Arntz]

A new version advertising for AntivirusGold

New Startup entries:

O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe

Also comes in the flavor:
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe

Extra files to be deleted:
Sysdir%\LogFiles\A5281300.so
Sysdir%\winnook.exe
Windir%\desktop.html <= screenshot below
Windir%\screen.html

The annoying message on your desktop is kind of hard to get rid of when you don't know how.
Click on the upper edge of the screen and drag it down untill you notice a cross in the upper right corner. Click it to close the screen and you will have access to your real desktop and can change the settings.
It is a modified explorer screen laid between your desktop and the shortcuts on it. Easy once you know.

[Pieter_Arntz]

A new element was added:

O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe

Displays the warning shown below on a complete black background.
Removing almost all the tabs of desktop-properties.
The smitfraud reg mentioned earlier will restore those so you can change the background of the desktop back to what you had.

Files to be removed:
C:\WINDOWS\zloader3.exe
C:\WINDOWS\system32\oleadm.dll
C:\WINDOWS\system32\oleadm32.dll
C:\WINDOWS\system32\wp.bmp

If you had this variant it is imperative that you use the online Panda-scan since your wininet.dll was replaced by a infected file.

[Pieter_Arntz]

noahdfear, who is an Expert at GeeksToGo, has written a removal tool for all known variants of the Smitfraud family of infections, as well as the bundled malware that comes with it, including:

Security IGuard
Virtual Maid
Search Maid
AntiVirusGold
PSGuard
SpySheriff

Here are noahdfear's canned speeches for the Smitfraud removal tool.

Windows XP/2K (includes Ewido)

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes, the status bar at the bottom will display "Update successful"
5. Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:

===================================================
HijackThis entries here if needed. Delete any other malware files not associated with the smitfraud variants and SpySheriff.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite

• Click on Scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop
• Close Ewido

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.



Windows 9X/ME (without Ewido)


CODE
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:

===================================================
HijackThis entries here if needed. Delete any other malware files not associated with the smitfraud variants and SpySheriff.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Also uncheck "View my Active desktop as a web page".
Click OK then Apply and OK.


Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.


Thanks to noahdfear for all his work on this.