Report on Smitfraud-c and Smitfraud-C.toolbar888

  • Thread starter: its_my_dime

its_my_dime

This was a real problem to clean up because it kept reinfecting itself and
it consists of more than a dozen different files and registry entries plus
some assorted popups.

Some hints (and I'm not a techie, so pardon the level of this discussion):

The bad stuff is all in the Windows/System32 file and in the registry.

The various *.exe files (ishost, ismini, isnotify etc.) need to be deleted
manually in safe mode.

A group of *.dll files that keep changing names seem to carry the Trojans
and keep restoring them to the computer. These dll's can be identified by
sorting system32 by date; they are the most recent. Some can be easily
deleted; some cannot.

There are also a few files that write stuff to the registry (again, most
recent) but keep coming back.

Two programs: drweb-cureit and vundofix were able to delete the dll files
after reboot. ProcessExplorer (from Windows) (right click on explorer - go
to threads) can kill some of the active dll's and allow deletion.

I ran Spybot many times because it was helpful in finding some of the bad
files and registry entries that kept returning. Searching the registry for
bar888 found a bunch more. I used several other virus scanning programs
as well. smitfraudfix and smitrem may have been helpful; I ran them both
but am not sure what they did. The hijackthis log also showed some files to
be deleted that would not otherwise have been obvious.

Symantec's web site gave TWO registry deletions for the returning and ever
present and mssmgr.

You probably need to turn off restore points. I tried restoring the system
and it didn't work anyway.

Based on something I read, I put a clean copy of wininit.exe into system32.

There was a time that the computer would only boot in safe mode.

This was really a process of reducing the number of bad things almost one at
a time until the computer began to function again. At the end, it took
Defender and NAV about four passes each to get rid of the final pop-ups and
smaller issues.

Fortunately, I have a laptop and wireless network so that the various AV and
other files could be downloaded and moved (safe mode with networking) to the
infected computer.

In summary: unless you really know what you are doing (I don't), it will
take the better part of a day; lots of web research (google); many
downloads, scans and reboots; and a lot of frustration to get rid of this
thing.

I appreciate everybody's help and feedback.
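As an added defender-side illustration (not code from this thread or from any of the tools it names), the following PowerShell triage script automates the two checks the post relies on: listing recently written, unsigned DLL/EXE files in System32, and searching the autostart keys and the SOFTWARE hives for a marker string such as bar888. The 14-day window, the default marker and the registry locations are assumptions chosen for the example.

```powershell
# Added example, not from the thread: triage a Windows box for recently dropped,
# unsigned binaries in System32 and for registry entries mentioning a marker string.
# Assumptions: Windows PowerShell 5.1 or later, run from an elevated prompt; the
# window and marker are illustrative defaults (the thread searched for "bar888").
param(
    [int]$Days = 14,
    [string]$Marker = 'bar888'
)

$sys32  = Join-Path $env:SystemRoot 'System32'
$cutoff = (Get-Date).AddDays(-$Days)

# 1. DLL/EXE files written recently that carry no valid Authenticode signature
#    (the post sorted System32 by date; the signature check drops legitimate updates).
Write-Output "== Recently modified, unsigned binaries in $sys32 (last $Days days) =="
Get-ChildItem -Path "$sys32\*" -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Modified = $_.LastWriteTime; Status = $sig.Status; File = $_.FullName }
        }
    } | Sort-Object Modified -Descending | Format-Table -AutoSize

# 2. Common autostart values: anything pointing at a file from step 1 is suspect.
Write-Output '== Autostart values =='
$autostart = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $autostart) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) { "$key\$name = $($item.GetValue($name))" }
    }
}

# 3. Recursive search of key names and value data for the marker string.
Write-Output "== Registry keys/values containing '$Marker' =="
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSChildName -like "*$Marker*") { "KEY   $($_.Name)" }
        foreach ($name in $_.GetValueNames()) {
            $data = $_.GetValue($name)
            if ("$name $data" -like "*$Marker*") { "VALUE $($_.Name)\$name = $data" }
        }
    }
}
```

The output is a starting list for review, not a deletion list: confirm each hit against a known-good reference or a vendor write-up before removing anything, since legitimate hotfixes also land in System32.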
 
its_my_dime said:
This was a real problem to clean up because it kept reinfecting
itself and it consists of more than a dozen different files and
registry entries plus some assorted popups.

Some hints (and I'm not a techie, so pardon the level of this
discussion):

The bad stuff is all in the Windows/System32 file and in the registry.

The various *.exe files (ishost, ismini, isnotify etc.) need to be
deleted manually in safe mode.

A group of *.dll files that keep changing names seem to carry the
Trojans and keep restoring them to the computer. These dll's can be
identified by sorting system32 by date; they are the most recent. Some
can be easily deleted; some cannot.

There are also a few files that write stuff to the registry (again,
most recent) but keep coming back.

Two programs: drweb-cureit and vundofix were able to delete the dll
files after reboot. ProcessExplorer (from Windows) (right click on
explorer - go to threads) can kill some of the active dll's and allow
deletion.
I ran Spybot many times because it was helpful in finding some of the
bad files and registry entries that kept returning. Searching the
registry for bar888 found a bunch more. I used several other
virus scanning programs as well. smitfraudfix and smitrem may have
been helpful; I ran them both but am not sure what they did. The
hijackthis log also showed some files to be deleted that would not
otherwise have been obvious.

Symantec's web site gave TWO registry deletions for the returning and
ever present and mssmgr.

You probably need to turn off restore points. I tried restoring the
system and it didn't work anyway.

Based on something I read, I put a clean copy of wininit.exe into
system32.
There was a time that the computer would only boot in safe mode.

This was really a process of reducing the number of bad things almost
one at a time until the computer began to function again. At the
end, it took Defender and NAV about four passes each to get rid of
the final pop-ups and smaller issues.

Fortunately, I have a laptop and wireless network so that the various
AV and other files could be downloaded and moved (safe mode with
networking) to the infected computer.

In summary: unless you really know what you are doing (I don't), it
will take the better part of a day; lots of web research (google);
many downloads, scans and reboots; and a lot of frustration to get
rid of this thing.

I appreciate everybody's help and feedback.

Thanks for posting. You say that you don't really know what you are doing;
but you have now learned a lot more than some of the rest of us!

Well done for getting rid of it!
 
From: "its_my_dime" <[email protected] (hold the .spam)>

| This was a real problem to clean up because it kept reinfecting itself and
| it consists of more than a dozen different files and registry entries plus
| some assorted popups.
|
| Some hints (and I'm not a techie, so pardon the level of this discussion):
|
| The bad stuff is all in the Windows/System32 file and in the registry.
|
| The various *.exe files (ishost, ismini, isnotify etc.) need to be deleted
| manually in safe mode.
|
| A group of *.dll files that keep changing names seem to carry the Trojans
| and keep restoring them to the computer. These dll's can be identified by
| sorting system32 by date; they are the most recent. Some can be easily
| deleted; some cannot.
|
| There are also a few files that write stuff to the registry (again, most
| recent) but keep coming back.
|
| Two programs: drweb-cureit and vundofix were able to delete the dll files
| after reboot. ProcessExplorer (from Windows) (right click on explorer - go
| to threads) can kill some of the active dll's and allow deletion.
|
| I ran Spybot many times because it was helpful in finding some of the bad
| files and registry entries that kept returning. Searching the registry for
| bar888 found a bunch more. I used several other virus scanning programs
| as well. smitfraudfix and smitrem may have been helpful; I ran them both
| but am not sure what they did. The hijackthis log also showed some files to
| be deleted that would not otherwise have been obvious.
|
| Symantec's web site gave TWO registry deletions for the returning and ever
| present and mssmgr.
|
| You probably need to turn off restore points. I tried restoring the system
| and it didn't work anyway.
|
| Based on something I read, I put a clean copy of wininit.exe into system32.
|
| There was a time that the computer would only boot in safe mode.
|
| This was really a process of reducing the number of bad things almost one at
| a time until the computer began to function again. At the end, it took
| Defender and NAV about four passes each to get rid of the final pop-ups and
| smaller issues.
|
| Fortunately, I have a laptop and wireless network so that the various AV and
| other files could be downloaded and moved (safe mode with networking) to the
| infected computer.
|
| In summary: unless you really know what you are doing (I don't), it will
| take the better part of a day; lots of web research (google); many
| downloads, scans and reboots; and a lot of frustration to get rid of this
| thing.
|
| I appreciate everybody's help and feedback.
|

That's interesting because VundoFix is geared towards the Vundo Trojan/Virtumonde Adware
family of malware which is separate from the SmitFraud family of malware which includes the
FakeAlert and Zlob Trojans.

Your posting "...various *.exe files (ishost, ismini, isnotify etc.)..." is indicative of
the Zlob Trojan family files.

Maybe you had both a SmitFraud and Vundo infection. I don't know but that is most likely.

The tools mentioned are the *best* for removing SmitFraud and generate log files so you can
SEE and READ what they did.

noahdfear's SmitFraud removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Maybe what you had was a Broad-Spectrum infection. As such you should have used the
following as well:

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html


I also want to stress that prevention is better than cure and prevention is performed by
practicing Safe Hex.
 
David H. Lipman said:
From: "its_my_dime" <[email protected] (hold the .spam)>

| This was a real problem to clean up because it kept reinfecting itself and
| it consists of more than a dozen different files and registry entries plus
| some assorted popups.
|
| Some hints (and I'm not a techie, so pardon the level of this discussion):
|
| The bad stuff is all in the Windows/System32 file and in the registry.
|
| The various *.exe files (ishost, ismini, isnotify etc.) need to be deleted
| manually in safe mode.
|
| A group of *.dll files that keep changing names seem to carry the Trojans
| and keep restoring them to the computer. These dll's can be identified by
| sorting system32 by date; they are the most recent. Some can be easily
| deleted; some cannot.
|
| There are also a few files that write stuff to the registry (again, most
| recent) but keep coming back.
|
| Two programs: drweb-cureit and vundofix were able to delete the dll files
| after reboot. ProcessExplorer (from Windows) (right click on explorer - go
| to threads) can kill some of the active dll's and allow deletion.
|
| I ran Spybot many times because it was helpful in finding some of the bad
| files and registry entries that kept returning. Searching the registry for
| bar888 found a bunch more. I used several other virus scanning programs
| as well. smitfraudfix and smitrem may have been helpful; I ran them both
| but am not sure what they did. The hijackthis log also showed some files to
| be deleted that would not otherwise have been obvious.
|
| Symantec's web site gave TWO registry deletions for the returning and ever
| present and mssmgr.
|
| You probably need to turn off restore points. I tried restoring the system
| and it didn't work anyway.
|
| Based on something I read, I put a clean copy of wininit.exe into system32.
|
| There was a time that the computer would only boot in safe mode.
|
| This was really a process of reducing the number of bad things almost one at
| a time until the computer began to function again. At the end, it took
| Defender and NAV about four passes each to get rid of the final pop-ups and
| smaller issues.
|
| Fortunately, I have a laptop and wireless network so that the various AV and
| other files could be downloaded and moved (safe mode with networking) to the
| infected computer.
|
| In summary: unless you really know what you are doing (I don't), it will
| take the better part of a day; lots of web research (google); many
| downloads, scans and reboots; and a lot of frustration to get rid of this
| thing.
|
| I appreciate everybody's help and feedback.
|

That's interesting because VundoFix is geared towards the Vundo Trojan/Virtumonde Adware
family of malware which is separate from the SmitFraud family of malware which includes the
FakeAlert and Zlob Trojans.

Your posting "...various *.exe files (ishost, ismini, isnotify etc.)..." is indicative of
the Zlob Trojan family files.

Maybe you had both a SmitFraud and Vundo infection. I don't know but that is most likely.

The tools mentioned are the *best* for removing SmitFraud and generate log files so you can
SEE and READ what they did.

noahdfear's SmitFraud removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Maybe what you had was a Broad-Spectrum infection. As such you should have used the
following as well:

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html


I also want to stress that prevention is better than cure and prevention is performed by
practicing Safe Hex.

Thanks. That explains a lot. I'm sure I had smitfraud because of the "your
computer is infected" pop ups. Obviously, I had vundo as well. I suspect
that toolbar888 was a third issue. mssmgr may have been another.

I wonder if medicare pays for all this.....
 
From: "its_my_dime" <[email protected] (hold the .spam)>

< snip >

| Thanks. That explains a lot. I'm sure I had smitfraud because of the "your
| computer is infected" pop ups. Obviously, I had vundo as well. I suspect
| that toolbar888 was a third issue. mssmgr may have been another.
|
| I wonder if medicare pays for all this.....
|

Does medicare pay for ANYTHING these days ? < LOL >

You only indicated you scanned with Norton AV. Just to make sure, I suggest scanning with
OTHER anti virus products. The following provides scanners from four other AV vendors...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
This was a real problem to clean up because it kept reinfecting itself and
it consists of more than a dozen different files and registry entries plus
some assorted popups.

<snip>

Do you know how you get infected in the first place?
 
Rock said:
<snip>

Do you know how you get infected in the first place?

Yep. Downloaded and opened something I shouldn't have. Scanned it first
with NAV that said it was OK.
 
From: "its_my_dime" <[email protected] (hold the .spam)>


|
| Yep. Downloaded and opened something I shouldn't have. Scanned it first
| with NAV that said it was OK.
|

Was it a "codec" file ?
 