05-04-2006, 07:31 PM   #4
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,951
OS: Windows XP-Pro SP2

Updated: 03-07-07

SmitFraud and Its Variants (Zlob) Removal Instructions

Smitfraud is a Desktop Hijacker that changes your desktop and pops up a FALSE security warning that your system is infected. It usually installs a "Fake" security program which tries to trick you into purchasing the program to remove these entries.

Common HijackThis log entries you may see:

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp (Note: filename is random, but CLSID is NOT.)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpXXX.tmp
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp76EF.tmp
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKLM\..\Run: [Alfacleaner] C:\Program Files\Alfacleaner\Alfaleaner.exe /h
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - Startup: spysheriff.lnk = C:\Program Files\SpywareSheriff\spysheriff.exe
O4 - HKLM\..\Run: [SpywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Documents and Settings\David\Desktop\eKhM31T4O8\SpySheriff.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4D186D89-32DB-439E-A37D-50511D6393C7} - (file missing) (HKCU) (Note: sometimes a file is listed)

This infection has many variants. The list below contains ALL the variants this FIX will remove. If you have one or more of these programs installed...then run this FIX.

AdwarePunisher
AdwareSheriff
AlphaCleaner
Antispyware Soldier
AntiVermeans
AntiVermins
AntiVerminser
AntiVirGear
AntivirusGolden
AVGold
Brain Codec
BraveSentry
DirectVideo
EliteCodec
eMedia Codec
FreeVideo
Gold Codec
HQ Codec
iCodecPack
Image ActiveX Object
iMediaCodec
IntCodec
iVideoCodec
JPEG Encoder
Key Generator
MalwareCrush 3.7
MalwareWipe
MalwareWiped
MalwareWipePro
MalwareWiper
Media-Codec
MediaCodec
MMediaCodec
MovieCommander
MPCODEC
My Pass Generator
PCODEC
Perfect Codec
PestCapture
PestTrap
PornMag Pass
PornPass Manager
PowerCodec
PrivateVideo
PSGuard
QualityCodec
quicknavigate.com
Registry Cleaner
Security iGuard
Silver Codec
SiteTicket
Smitfraud
SoftCodec
SpyAxe
SpyCrush
SpyDown
SpyFalcon
SpyGuard
SpyHeal
SpyHeals
SpyLocked
SpyMarshal
SpySheriff
SpySoldier
Spyware Soft Stop
Spyware Vanisher
SpywareKnight
SpywareQuake
SpywareSheriff
SpywareStrike
Startsearches.net
strCodec
Super Codec
TitanShield Antispyware
TrueCodec
Trust Cleaner
UpdateSearches.com
VidCodecs
Video Access ActiveX Object
Video ActiveX Object
VideoAccess
VideoBox
VideoCompressionCodec
VideoKeyCodec
VideosCodec
VirusHeat 3.9
Virtual Maid
VirusBlast
VirusBurst
Win32.puper
WinAntiSpyPro
WinHound
WinMediaCodec
XXXHoliday
X Password Generator
X Password Manager
ZipCodec

The Fix
+++++++++++++++++++++++++++++++++++

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download SmitfraudFix (by S!Ri) to your Desktop.

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Double-click smitfraudfix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Restart in normal Windows.

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or of the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Run an Online scan

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

______________________________

You should now be free of the smitfraud variant. If you require help with the removal of the smitfraud variant you have or to check your HJT log, then please start your own thread in the hijackthis section of this forum and a trained Analyst will review your logs.

*Note* The above fix creates the following logs, which you should also post along with your HijackThis log.

Panda log
C:\rapport.txt (log from the SmitfraudFix tool)

WARNING:

The information in this fix is to be used at YOUR own risk. If you are unsure about a step or use of a tool then post your log in the hijackthis section and an Analyst will assist you.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder

Last edited by tetonbob : 04-24-2008 at 05:18 PM. Reason: removed AVG AntiSpyware; no longer available
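An added example, not part of MicroBell's post or of the SmitfraudFix tool: a small Python checker that flags HijackThis log lines matching the indicators quoted in the post (the fixed all-F BHO CLSID, the random hp*.tmp BHO file, the listed loader executables, a subset of the rogue product names, and the fake "Microsoft AntiSpyware helper" button). The sample log, including its two benign entries and the zero CLSID, is constructed; the checker covers only the indicators quoted above and is not a general scanner.

```python
import re

# Indicators taken from the HijackThis entries quoted in the post above.
# The BHO CLSID is fixed; the hp*.tmp filename it loads is random.
SMITFRAUD_BHO_CLSID = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}"
HP_TMP_RE = re.compile(r"\\hp[0-9a-f]{1,4}\.tmp$", re.I)
LOADER_RE = re.compile(r"\\(wp|zloader3|winstall|hookdump|susp|runsrv32)\.exe\b", re.I)
# Rogue product names, normalised (lower-case, letters and digits only) so that
# "Spyware-Quake.exe" and "SpywareQuake.com" both match the same token.
ROGUE_PRODUCTS = ("spysheriff", "spywaresheriff", "psguard", "winhound", "spyaxe",
                  "spywarestrike", "alfacleaner", "spywarequake")
O2_RE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def classify(line):
    """Return a reason string if the line matches a Smitfraud indicator, else None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m["clsid"].upper() == SMITFRAUD_BHO_CLSID:
            return "O2 BHO with the fixed all-F Smitfraud CLSID"
        if HP_TMP_RE.search(m["path"]):
            return "O2 BHO loading a random hp*.tmp file"
        return None
    if line.startswith("O4 - "):
        m = LOADER_RE.search(line)
        if m:
            return "O4 autorun of known Smitfraud loader %s.exe" % m.group(1).lower()
        norm = re.sub(r"[^a-z0-9]", "", line.lower())
        if any(p in norm for p in ROGUE_PRODUCTS):
            return "O4 autorun of a rogue anti-spyware product"
        return None
    if line.startswith("O9 - Extra button:") and "(file missing)" in line \
            and "antispyware helper" in line.lower():
        return "O9 fake 'Microsoft AntiSpyware helper' button"
    return None


def scan(log_text):
    """Return [(line, reason)] for each flagged line of a HijackThis log."""
    return [(l.strip(), r) for l in log_text.splitlines() if (r := classify(l))]


# Constructed sample log: four entries modelled on the post plus two benign ones.
SAMPLE_LOG = r"""
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SpywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4D186D89-32DB-439E-A37D-50511D6393C7} - (file missing) (HKCU)
"""
```

Running `scan(SAMPLE_LOG)` returns the four flagged lines with their reasons; any line the post does not list as an indicator, such as the ctfmon.exe autorun, is left alone.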