Re: Report on Smitfraud-c and Smitfraud-C.toolbar888

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eP0Z8JKEHHA.4120@xxxxxxxxxxxxxxxxxxxxxxx
From: "its_my_dime" <its_my_dime@xxxxxxxxxxxxxx (hold the .spam)>

| This was a real problem to clean up because it kept reinfecting itself and
| it consists of more than a dozen different files and registry entries plus
| some assorted popups.
|
| Some hints. (and I'm not a techie so pardon the level of this discussion):
|
| The bad stuff is all in the Windows/System32 file and in the registry.
|
| The various *.exe files (ishost, ismini, isnotify etc.) need to be deleted
| manually in safe mode
|
| A group of *.dll files that keep changing names seem to carry the Trojans
| and keep restoring them to the computer. These dll's can be identified by
| sorting system32 by date; they are the most recent. Some can be easily
| deleted; some cannot.
|
| There are also a few files that write stuff to the registry (again, most
| recent) but keep coming back.
|
| Two programs: drweb-cureit and vundofix were able to delete the dll files
| after reboot. ProcessExplorer (from Windows) (right click on explorer - go
| to threads) can kill some of the active dll's and allow deletion.
|
| I ran Spybot many times because it was helpful in finding some of the bad
| files and registry entries that kept returning. Searching the registry for
| bar888 found a bunch more. I used several other virus scanning programs
| as well. smitfraudfix and smitrem may have been helpful; I ran them both
| but am not sure what they did. The hijackthis log also showed some files to
| be deleted that would not otherwise have been obvious.
|
| Symantec's web site gave TWO registry deletions for the returning and ever
| present and mssmgr.
|
| You probably need to turn off restore points. I tried restoring the system
| and it didn't work anyway.
|
| Based on something I read, I put a clean copy of wininit.exe into system32.
|
| There was a time that the computer would only boot in safe mode.
|
| This was really a process of reducing the number of bad things almost one at
| a time until the computer began to function again. At the end, it took
| Defender and NAV about four passes each to get rid of the final pop-ups and
| smaller issues.
|
| Fortunately, I have a laptop and wireless network so that the various AV and
| other files could be downloaded and moved (safe mode with networking) to the
| infected computer.
|
| In summary: unless you really know what you are doing (I don't), it will
| take the better part of a day; lots of web research (google); many
| downloads, scans and reboots; and a lot of frustration to get rid of this
| thing.
|
| I appreciate everybody's help and feedback.
|

That's interesting because VundoFix is geared towards the Vundo
Trojan/Virtumonde Adware family of malware, which is separate from the
SmitFraud family of malware which includes the FakeAlert and Zlob Trojans.

Your posting "...various *.exe files (ishost, ismini, isnotify etc.)..."
is indicative of the Zlob Trojan family files.

Maybe you had both a SmitFraud and Vundo infection. I don't know but that
is most likely.

The tools mentioned are the *best* for removing SmitFraud and generate log
files so you can SEE and READ what they did.

noahdfear's SmitFraud removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Maybe what you had was a Broad-Spectrum infection. As such you should
have used the following as well..

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html


I also want to stress that prevention is better than cure and prevention
is performed by practicing Safe Hex.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
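Added example, not code posted by anyone in this thread: a read-only PowerShell triage script that does the two checks its_my_dime describes by hand, sorting System32 by date to find the newest DLL/EXE files (with their Authenticode status, since genuine Windows binaries are normally signed) and searching common autostart registry locations for a token such as bar888. It assumes PowerShell 3.0 or later; the token, the file count and the list of autostart keys are assumptions chosen for illustration. It reports and deletes nothing, so the output is a list of leads for the manual review the poster describes, not a verdict.

```powershell
# Added triage example, not code from the thread. Read-only: it reports and
# deletes nothing. Assumes PowerShell 3.0 or later on the machine being examined.
param(
    [string]$Token  = 'bar888',   # string to look for in the registry (the thread's example)
    [int]   $Recent = 25          # how many of the newest System32 files to review (assumed)
)

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. "Sort system32 by date; they are the most recent": list the newest DLLs
#    and EXEs with their Authenticode status. Genuine Windows binaries are
#    normally signed, so an unsigned file written in the last few days deserves
#    a closer look (a lead for investigation, not proof of infection).
$recentFiles = Get-ChildItem -Path (Join-Path $sys32 '*') -Include *.dll, *.exe -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First $Recent |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name          = $_.Name
            LastWriteTime = $_.LastWriteTime
            Signature     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

"Newest $Recent DLL/EXE files in $sys32 (newest first):"
$recentFiles | Format-Table -AutoSize

# 2. "Searching the registry for bar888 found a bunch more": look for the token
#    in value names, value data and subkey names of common autostart locations.
#    This key list is an assumed, non-exhaustive starting set.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$pattern = [regex]::Escape($Token)   # -match is case-insensitive by default

$hits = foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }

    # Values directly under the key (skip PowerShell's PS* bookkeeping properties)
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Name) $($p.Value)" -match $pattern) {
            [pscustomobject]@{ Key = $key; Value = $p.Name; Data = "$($p.Value)" }
        }
    }

    # Subkeys (e.g. BHO CLSIDs) whose name or (default) value contains the token
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $default = (Get-ItemProperty -Path $_.PSPath).'(default)'
        if ("$($_.PSChildName) $default" -match $pattern) {
            [pscustomobject]@{ Key = $_.Name; Value = '(default)'; Data = "$default" }
        }
    }
}

if ($hits) {
    "Registry entries mentioning '$Token':"
    $hits | Format-Table -AutoSize
} else {
    "No autostart registry entries mention '$Token'."
}
```

Run it from an elevated prompt (Safe Mode with Networking, as the poster did, keeps fewer of the malicious components loaded). An unsigned entry is only a lead: legitimate third-party drivers and some older tools are unsigned too, so compare the file's name, size and date against a known-clean machine before acting on it.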


Thanks. That explains a lot. I'm sure I had smitfraud because of the "your
computer is infected" pop ups. Obviously, I had vundo as well. I suspect
that toolbar888 was a third issue. mssmgr may have been another.

I wonder if medicare pays for all this.....

