Re: smitfraud creating fake registry entries??



From: "Runlevel0" <runlevel0@xxxxxxxxxxx>

| Hey group,
|
| I have just begun to post here (new ISP, new news server).
|
| My intention is to exchange information and help where I can.
| I am also registered in the Hijackthis forums (german) and work as a TS
| agent at a Dutch firm. I actually love helping ppl, it's my second nature.
|
| Here is one bit of info I would like to discuss:
|
| I have been seeing lot's of variants of Smitfraud during my daily work.
| There aren particularly difficult to remove, even w/o tools (I have seen
| insofar: spysheriff, spyquake, virusbust, win antivirus pro 2006, winfixer
| and pest trap).
|
| What I noticed is that you can find at least two or three entries related to
| other trojan/viruses in the registry, sometimes quite strange ones, as they
| are unusual or even old (sasser, sober, mydoom).
|
| When you try to search those critters in the filesystem you wont normally be
| able to find them, even using DIR [filename] /a
|
| Looking the files up in the quarantine of the AV is normally also negative.
|
| My theory is that those entries are put there by smitfraud itself
| to mislead the legitime antivirus and the user so that he thinks he actually
| needs the paid version of the rogue scanner.
|
| Have any of you some info on this?
|

winfixer is a totally differnt malware infection family from the SmitFraud family.

It is based upon the Vundo Trojan/Virtumunde Adware.



Two phase answer...

Perform Part 1 then perform Part 2

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.


If you are using any version of Sun Java that is prior to JRE Version 5.0 update 6,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0 update 6. There are vulnerabilities in them and they are actively being
exploited. It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 6 on the PC that they be removed ASAP.

The latest version is Sun Java JRE/JSE Version 5.0 Update 8

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.5.0_08


http://www.java.com/en/download/manual.jsp

or

http://java.sun.com/javase/downloads/index.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1




Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:
--------------

Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


.