Smitfraud-c is back again

I just did a scan with Spybot as part of my weekly scans and in the morning I found a listing for smitfraud-c. Having seen a thread like this here last week I found my way back to it and didn't discover a real solution besides sending something to Eset and reporting a sample to them. I just wanted to let everyone know about this possible variant (or not).

Nod32 is fully updated with all systems running and it didn't even give me a warning this thing was on the loose. So much for advanced heuristics or detection... hope it will do better next time.

I'm going to attempt to have spybot clean this mess up.

Also, I had spybots real time protection running, and according to spybot this thing is hiding in 6 registry keys. Doesn't spybot teatimer alert me to changes in my registry? Why didn't it this time? It always alerts me when I change something, but its kind of pointless if it fails to alert me when I change nothing and a nasty does.

psych1610

 

If it is in your Windows Registry , NOD32 will not alert you simply because it doesn't guard the registry. In case there are no files , it is pointless .

I think this is something that wasn't found before , some left tracks which haven't been remove before .

Why don't you try this thread:
https://www.wilderssecurity.com/showthread.php?t=178177

 

Will do, I saw that thread before just wanted to report here as there didn't seem to be a definite conclusion from it. I'll follow those steps and hope for the best that none of my info. got out there.

Any idea on why teatimer didn't say anything?

Ad watch by lavasoft was also silent during this one, and I think that has some form of a registry protection to.

psych1610

 

If we assume that these are old leftovers , they have always been there so there is no way for TeaTimer to do anything . It may just be from the previous infestion.

 

I tried that fix, but still nothing. In safe mode spybot didn't detect the threat. In normal mode spybot is still detecting the entries. I guess the other smitfraud tool didn't do anything.

psych1610

 

Ok, So spybot deleted the threats no problem, but I don't really trust just spybot to tell me everything is off of my system.

Should I still get the hijack this logs, etc. per the link above and send it to eset?

Or maybe since it says it is gone it really is and I should just check with an online virus scanner like kapersky's (since nod obviously doesn't detect it).

Any ideas?

psych1610

 

www.superantispyware.com

Free...and IMO the most effective out there, blows away Spybot.

 

That is a very good idea.

 

This is me, very disappointed in nod32. I have done a complete, thorough scan with nod32 in safe mode. It said I have 0 threats and nothing to worry about. *wipes brow* what a relief.

Just for the heck of it I allowed Kapersky's internet scanner to run a full scan of my computer. It has detected one virus and 8 infections and it's not done yet. That's very, very disappointing that an online scanner run when my computer is not in safe mode can detect something nod can't running a thorough scan in safe mode. Congrats on having a low footprint, a wonderful forum, and a fast scanning time but all of that is useless if it can't detect any threats except for the old ones. I'm going to stop now before I start heavily bashing nod, because that is not my intent. It found trojans on my computer my other AV couldn't... and because I still need it to get this damn thing, whatever it is, off of my pc.

The following is the scanner log from Kapersky. Right now it looks like I'm off to file a hijack this log and some others with eset.


Kaspersky Anti-Virus database records: 367171
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 34410
Number of viruses found: 1
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 02:11:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\log\engine0.log Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\log\engine0.log.lck Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\log\error0.log Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\log\error0.log.lck Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\log\execution0.log Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\log\execution0.log.lck Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped
C:\Documents and Settings\Owner\Application Data\stickies\store.ldb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\stickies\store.mdb Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\gbq0lrqv.default\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\gbq0lrqv.default\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\gbq0lrqv.default\Cache\63329BDCd01 RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\540 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\JET9E53.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\xx2 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\xx3 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\xx4 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\xx5 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\xx6 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8422.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\nod32\NDL2053.DAT Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-1202660629-1409082233-839522115-1003\Dc1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-1202660629-1409082233-839522115-1003\Dc2.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-1202660629-1409082233-839522115-1003\Dc2.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-1202660629-1409082233-839522115-1003\Dc2.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{96BBD581-9E2E-45F0-9C18-01E9DABA0F17}\RP198\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

 

Assuming you're right, LowWaterMark, I apologize about my last comments made about nod. Just the same, it allowed something in. I understand that "no AV's are perfect", but I'm frustrated because of this event. It allowed something in that was mentioned last week, or two weeks ago on this forum. I know all about the submission process and how it has to be prioritized and I understand, but isn't a week or two enough time to prioritize and get this thing added so at least heuristics will detect it?

Anyway, I'm done attacking nod for this. Back to the problem: Since Kapersky just detected the fix, and not the problem, am I to assume that the problem smitfraud-c does not exist anymore? Or should I just send ESET what I have of the hijack this log etc. just to be safe?

psych1610

 

If you suspect your computer is infected with undetected malware, send a log from Autoruns to support[at]eset.com along with as many details as possible for perusal. As for detection rate, we're constantly improving both the proactive and reactive detection and I'm sure the results are visible.

 

I sincerely hope my words were not mistaken for bashing nod32. I did choose it for a reason. However, at the moment (and still right now) I am extremely frustrated in my suite of security products helping to protect my computer. Of everything I have going on in real time, not one stopped this freaking thing from coming in. Anyhow, I thank everyone for their help, including the Eset support team. I hope I didn't offend the people trying to build this product.

psych1610

 

The Smitfraud variants are, IMO, the most aggressive and constantly evolving ones out there, and are the biggest pain in the butt. I consider Kasperskys the only AV product out there with greater detection than NOD..and some Smitfraud variants can slip past even Kaspersky.

Smitfraud is just the nastiest malware out there, IMO.