
smitFraud

Discussion in 'Security and Privacy' started by TonyT, 2008/04/18.

  1. 2008/04/18
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    FYI

    There seems to be a new variant of smitFraud (spy sheriff) circulating. Two days ago I spent 4 hrs total removing it and other malware from a laptop, including Vundo variants.

    I used noahdfear's smitFraud utility and it was able to get rid of all but 2 malicious files, which were memory resident and could not be deleted upon reboots. It appears that this malware is coded to replicate itself upon system reboots using some type of administrator policy or hard code in the program itself.

    I ended up using Autoruns to locate where the malware was and then booting the laptop from a "live linux" distro on a usb stick and deleting the 2 remaining malicious files. This particular malware was loading at boot via 6 different registry points:

    HKLM/...Run
    HKCU/...Run
    HKLM/...Winlogon
    HKLM/...Windows/Explorer/Shell Execute
    HKLM/...CurrentControlSet/Services
    HKLM/...Explorer/BHOs

    I had to manually remove the dir and images used by the malware for the desktop wallpaper hijack.

    Unfortunately, I did not save a copy of the malware and I had removed the logs made by utilities.
     
    Last edited: 2008/04/18
  2. 2008/04/19
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    These days it's not uncommon for there to be several variants of SmitFraud\Zlob per week.

    I'm not sure if Dave updates his tool anymore; I've not noticed any postings as such, but he'll be able to answer that more correctly.

    SmitFraudFix, however, is updated all the time. Its changelog lists all the new stuff with each new variant.

    The other advantage of running the tool is that it looks for other things too and cleans a lot more than you could ever do manually, and a heck of a lot faster too.

    Glad you got it done though; do you recall any file names?
     


  4. 2008/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Spy Sheriff is a pretty old variant, though they may be giving it another go-round with some new files (although I haven't heard of it as of yet). Common loading points for the DLLs that keep it from being killed off are:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

    TeMerc is correct about updates too ... I stopped adding updates well over a year ago. S!Ri's SmitfraudFix is still being updated regularly.
     
  5. 2008/04/19
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    SharedTaskScheduler was another point where it loaded from. I ran that other tool after I'd run yours too.
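    The loading points listed across this thread (the Run keys, Winlogon, SharedTaskScheduler, ShellServiceObjectDelayLoad and the BHO key) can be swept on a suspect machine with a short read-only script. The following is an added example written for this thread, not a tool from any of the posters; it assumes the standard Windows paths behind the abbreviated keys above, resolves CLSID-based entries to the DLL they load, and reports whether each file carries a valid Authenticode signature, which is how a hand-made check approximates what Autoruns shows.

```powershell
# Added example (not code from the thread): read-only sweep of the autostart
# locations the posts name; CLSID entries are resolved to their DLL and each
# file is checked for an Authenticode signature. Run elevated.
$CV = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
function Resolve-Clsid([string]$Clsid) {
    # The InprocServer32 default value of a CLSID names the DLL COM will load.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $k = "$hive\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path $k) { return (Get-ItemProperty $k).'(default)' }
    }
}
function Get-FileFromCommand([string]$Cmd) {
    # Reduce '"C:\x\y.exe" /arg' or 'userinit.exe,' to the file itself.
    $c = [Environment]::ExpandEnvironmentVariables($Cmd)
    if ($c -match '^"([^"]+)"') { $c = $Matches[1] } elseif ($c -match '^(.+?\.(exe|dll))') { $c = $Matches[1] }
    # Bare names such as explorer.exe are resolved through the PATH, as Windows does.
    if (-not (Test-Path $c)) { $c = (Get-Command $c -ErrorAction SilentlyContinue).Source }
    return $c
}
function New-Entry($Source, $Name, $Target) {
    $file = if ($Target) { Get-FileFromCommand $Target }
    # A dangling entry (file not found) is reported as well; it is worth a look.
    $sig = if ($file) { (Get-AuthenticodeSignature $file).Status } else { 'FileMissing' }
    [pscustomobject]@{ Source = $Source; Name = $Name; File = $file; Signature = $sig }
}
function Get-AutostartEntry {
    # 1. Command-line style values: the Run keys plus Winlogon Shell/Userinit.
    foreach ($key in "HKLM:\$CV\Run", "HKCU:\$CV\Run") {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty $key
        foreach ($n in $p.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }) { New-Entry $key $n $p.$n }
    }
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') { New-Entry $wl $n (Get-ItemProperty $wl).$n }
    # 2. CLSID-keyed locations. SharedTaskScheduler stores the CLSID as the value
    #    name, SSODL as the value data; BHOs are subkeys named by CLSID.
    foreach ($sub in 'Explorer\SharedTaskScheduler', 'ShellServiceObjectDelayLoad') {
        $key = "HKLM:\$CV\$sub"
        if (-not (Test-Path $key)) { continue }
        $rk = Get-Item $key
        foreach ($n in $rk.GetValueNames()) {
            $c = if ($n -like '{*}') { $n } else { "$($rk.GetValue($n))" }
            if ($c -like '{*}') { New-Entry $key $n (Resolve-Clsid $c) }
        }
    }
    $bho = "HKLM:\$CV\Explorer\Browser Helper Objects"
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) { New-Entry $bho $k.PSChildName (Resolve-Clsid $k.PSChildName) }
    }
}
Get-AutostartEntry | Sort-Object Signature | Format-Table -AutoSize
```

    Entries that show NotSigned or FileMissing are the ones to compare against a known-good machine; the Services key from the first post is not covered here and needs a separate pass over ImagePath and ServiceDll values.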
     
