Re: Report on Smitfraud-c and Smitfraud-C.toolbar888




From: "its_my_dime" <its_my_dime@xxxxxxxxxxxxxx (hold the .spam)>

| This was a real problem to clean up because it kept reinfecting itself and
| it consists of more than a dozen different files and registry entries plus
| some assorted popups.
|
| Some hints. (and I'm not a techie so pardon the level of this discussion):
|
| The bad stuff is all in the Windows/System32 file and in the registry.
|
| The various *.exe files (ishost, ismini, isnotify etc.) need to be deleted
| manually in safe mode
|
| A group of *.dll files that keep changing names seem to carry the Trojans
| and keep restoring them to the computer. These dll's can be identified by
| sorting system32 by date; they are the most recent. Some can be easily
| deleted; some cannot.
|
| There are also a few files that write stuff to the registry (again, most
| recent) but keep coming back.
|
| Two programs: drweb-cureit and vundofix were able to delete the dll files
| after reboot. ProcessExplorer (from Windows) (right click on explorer - go
| to threads) can kill some of the active dll's and allow deletion.
|
| I ran Spybot many times because it was helpful in finding some of the bad
| files and registry entries that kept returning. Searching the registry for
| bar888 found a bunch more. I used several other virus scanning programs
| as well. smitfraudfix and smitrem may have been helpful; I ran them both
| but am not sure what they did. The hijackthis log also showed some files to
| be deleted that would not otherwise have been obvious.
|
| Symantec's web site gave TWO registry deletions for the returning and ever
| present and mssmgr.
|
| You probably need to turn off restore points. I tried restoring the system
| and it didn't work anyway.
|
| Based on something I read, I put a clean copy of wininit.exe into system32.
|
| There was a time that the computer would only boot in safe mode.
|
| This was really a process of reducing the number of bad things almost one at
| a time until the computer began to function again. At the end, it took
| Defender and NAV about four passes each to get rid of the final pop-ups and
| smaller issues.
|
| Fortunately, I have a laptop and wireless network so that the various AV and
| other files could be downloaded and moved (safe mode with networking) to the
| infected computer.
|
| In summary: unless you really know what you are doing (I don't), it will
| take the better part of a day; lots of web research (google); many
| downloads, scans and reboots; and a lot of frustration to get rid of this
| thing.
|
| I appreciate everybody's help and feedback.
|

That's interesting because VundoFix is geared towards the Vundo Trojan/Virtumonde Adware
family of malware which is separate from the SmitFraud family of malware which includes the
FakeAlert and Zlob Trojans.

Your posting "...various *.exe files (ishost, ismini, isnotify etc.)..." is indicative of
the Zlob Trojan family files.

Maybe you had both a SmitFraud and Vundo infection. I don't know but that is most likely.

The tools mentioned are the *best* for removing SmitFraud and generate log files so you can
SEE and READ what they did.

noahdfear's SmitFraud removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Maybe what you had was a Broad-Spectrum infection. As such you should have used the
following as well.

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html


I also want to stress that prevention is better than cure and prevention is performed by
practicing Safe Hex.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
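As an added, read-only triage script (not code from either post above, and not part of any of the tools Dave lists), this automates the manual checks the original poster describes: sorting System32 by date to spot the newest .exe/.dll files, searching autorun registry locations for the names mentioned in the thread (ishost, ismini, isnotify, bar888, mssmgr), and finding which running process has one of those fresh DLLs loaded, which is why deletion fails until the process is killed. It assumes PowerShell 3 or later in an elevated prompt; the seven-day window is an arbitrary choice and the suspect names are simply the ones quoted in the thread.

```powershell
# Added example, not code from the thread: report-only triage, deletes nothing.
# Assumptions: PowerShell 3+, elevated prompt; suspect names are from the thread,
# the 7-day window is an arbitrary choice.
$SuspectNames = @('ishost', 'ismini', 'isnotify', 'bar888', 'mssmgr')
$System32     = Join-Path $env:SystemRoot 'System32'
$Since        = (Get-Date).AddDays(-7)

# 1. The poster's trick: sort System32 by date and look at the newest entries.
$Recent = Get-ChildItem -Path $System32 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' -and $_.LastWriteTime -gt $Since } |
    Sort-Object LastWriteTime -Descending
Write-Host "== Newest .exe/.dll in $System32 since $Since =="
$Recent | Select-Object LastWriteTime, Length, Name | Format-Table -AutoSize

# 2. Common autorun registry locations, matched against the names from the thread
#    (a narrower version of the poster's registry-wide search for "bar888").
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$Pattern = ($SuspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
Write-Host "== Autorun values mentioning: $($SuspectNames -join ', ') =="
foreach ($key in $AutorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        if ("$($p.Name) $($p.Value)" -match $Pattern) {   # -match is case-insensitive
            Write-Host "$key : $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Which process holds one of the recent DLLs (the ProcessExplorer "threads" step):
#    a loaded DLL cannot be deleted until that process is stopped.
$RecentDlls = $Recent | Where-Object Extension -eq '.dll' | ForEach-Object FullName
Write-Host "== Processes holding a recently written DLL =="
foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue }   # protected/system processes
    foreach ($m in $mods) {
        if ($RecentDlls -contains $m.FileName) {
            Write-Host "$($proc.ProcessName) (PID $($proc.Id)) has loaded $($m.FileName)"
        }
    }
}
```

Anything it lists is a lead to check against the tool logs Dave mentions, not proof of infection on its own; legitimate updates also write fresh files into System32.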




