Trojan-Spy.HTML.Smitfraud.c

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, Apr 17, 2005.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I found this fix written by bananafanafo at GeeksToGo. (I made some minor changes since this board does not use HijackThis logs unless absolutely necessary.)

    Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid


    Exit Add/Remove Programs.

    *Click here and download Killbox by Option^Explicit.
    *Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
    *In the killbox program, select the Delete on Reboot option.
    *Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\sites.ini
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\hhk.dll
    C:\WINDOWS\System32\helper.exe
    C:\WINDOWS\System32\intmonp.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\ole32vbs.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\intmon.exe
    C:\WINDOWS\System32\msmsgs.exe


    *Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    *Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

    *IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

    Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

    FOLDERS to delete (in bold) if found:

    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Windows\System32\Log Files
    C:\Program Files\Security IGuard

    Reboot into normal mode.

    A registry file to undo most of the changes is available here:
    http://metallica.geekstogo.com/smitfraud.reg
    Doubleclick that file and confirm you want to merge it with the registry.

    1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

    2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
    To use: right-click and select: Install (no need to restart)
    Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

    3.) Download, install, and run CleanUp!

    4.) Run a virus scan. If you do not have an AV installed, use ActiveScan - Save the results from the scan!
     
    Last edited: Jun 6, 2005
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    A new version has emerged.

    Files:
    Sysdir%\shnlog.exe
    Sysdir%\intmon.exe
    Sysdir%\msmsgs.exe
    Sysdir%\hhk.dll
    Sysdir%\hp***.tmp <= *** is a number of random characters

    The tmp file is installed as a BHO and hijacks to quicknavigate.com

    Where Sysdir% is your system directory (f.e. C:\Windows\System32)

    When installing itself it "destroys" all the other BHOs you may have.
     
    Last edited: May 16, 2005
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    A new variant called stealthSWs114.h!dll hoax
    This one works the same as the last variant of Smitfraud and the fix is also the same.

    Hijacks to: http://www.startsearches.net/

    Screenshot:
    http://www.webhelper4u.com/CWS/Research/screenimages/searchmaidinfected.html

    Also a new CLSID for the BHO was found:

    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC776.tmp

    First one was: O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp3C2E.tmp
     
    Last edited: May 21, 2005
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    A new version advertising for AntivirusGold

    New Startup entries:

    O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe

    Also comes in the flavor:
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe

    Extra files to be deleted:
    Sysdir%\LogFiles\A5281300.so
    Sysdir%\winnook.exe
    Windir%\desktop.html <= screenshot below
    Windir%\screen.html

    The annoying message on your desktop is kind of hard to get rid of when you don't know how.
    Click on the upper edge of the screen and drag it down untill you notice a cross in the upper right corner. Click it to close the screen and you will have access to your real desktop and can change the settings.
    It is a modified explorer screen laid between your desktop and the shortcuts on it. Easy once you know.
     

    Attached Files:

    Last edited: Jun 3, 2005
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    A new element was added:

    O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe

    Displays the warning shown below on a complete black background.
    Removing almost all the tabs of desktop-properties.
    The smitfraud reg mentioned earlier will restore those so you can change the background of the desktop back to what you had.

    Files to be removed:
    C:\WINDOWS\zloader3.exe
    C:\WINDOWS\system32\oleadm.dll
    C:\WINDOWS\system32\oleadm32.dll
    C:\WINDOWS\system32\wp.bmp

    If you had this variant it is imperative that you use the online Panda-scan since your wininet.dll was replaced by a infected file.
     

    Attached Files:

    Last edited: Jun 13, 2005
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    noahdfear, who is an Expert at GeeksToGo, has written a removal tool for all known variants of the Smitfraud family of infections, as well as the bundled malware that comes with it, including:

    Security IGuard
    Virtual Maid
    Search Maid
    AntiVirusGold
    PSGuard
    SpySheriff

    Here are noahdfear's canned speeches for the Smitfraud removal tool.

    Windows XP/2K (includes Ewido)

    You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

    Please download smitRem.zip and save it to your desktop.
    Right click on the file and extract it to its own folder on the desktop.

    Please download, install, and update the free version of Ewido Security Suite:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes, the status bar at the bottom will display "Update successful"
    5. Exit Ewido. DO NOT run a scan yet.

    If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
    Ad-Aware SE Setup
    Again, do NOT run a scan yet.


    Next, please reboot your computer in Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    Now scan with HJT and place a checkmark next to each of the following items:

    ===================================================
    HijackThis entries here if needed. Delete any other malware files not associated with the smitfraud variants and SpySheriff.
    ===================================================

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
    Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

    Next, run Ad-aware and perform a full scan. Remove everything found.

    Now open Ewido Security Suite
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido

    Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


    Restart your computer in normal mode.

    Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!

    Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
    Let us know if any problems persist.



    Windows 9X/ME (without Ewido)


    CODE
    You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

    Please download smitRem.zip and save it to your desktop.
    Right click on the file and extract it to its own folder on the desktop.

    If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
    Ad-Aware SE Setup
    Again, do NOT run a scan yet.


    Next, please reboot your computer in Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    Now scan with HJT and place a checkmark next to each of the following items:

    ===================================================
    HijackThis entries here if needed. Delete any other malware files not associated with the smitfraud variants and SpySheriff.
    ===================================================

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
    Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

    Next, run Ad-aware and perform a full scan. Remove everything found.

    Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

    Also uncheck "View my Active desktop as a web page".
    Click OK then Apply and OK.


    Restart your computer in normal mode.

    Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!

    Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the smitRem tool, which will be located at C:\smitfiles.txt.
    Let us know if any problems persist.


    Thanks to noahdfear for all his work on this.
     
Thread Status:
Not open for further replies.