
smitfraud-c



dogbyte
2006-03-25, 00:03
I'm new here and spybot just detected smitfraud-c and I can't seem to get rid of it. Any tips?

tashi
2006-03-25, 00:07
Hello dogbyte. :)

Please follow these instructions:
Before you post a log, and who will advise you (http://forums.spybot.info/showthread.php?t=288)

Start a topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Someone will then take a look at the system and advise you as soon as available to do so.

Cheers.

Highliner
2006-03-27, 12:13
Hello. Must concur with dogbyte. I spent the last 90 minutes trying to get smitfraud-c off my computer. File name is winuwi32.dll, located in the windows\system32 directory. Rebooted several times in safe mode. Tried to delete the file, met with the message 'access is denied.' Homepage redirected to hxxp://www.necessaryupdates.com/. Tray button on my computer says 'Virus Alert.' What is even more infuriating is that this ***ing hijacker has taken control over Spybot Search and Destroy, in that the checkbox for permanently blocking all known bad pages cannot be checked, so the malware is free to re-download every time I connect to the Internet. This seems to be the worst homepage hijacker yet. Thank God there is no destructive payload on this little bastard; I want it gone!
Here is the bull*** from the redirected page:

Attention! Your system is under control of remote computer with IP address 227.4.167.118. The remote computer has access to the following folders on your PC:
- \WINDOWS\System32
- \Program Files\Internet Explorer
- \My Documents
- Drive C:\ files
Click here to download official anti-spyware software

Your private info is collected by W32.Sinnaka.A@mm
Your IP address: 4.242.33.94

Your Country: US, United States

They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FDM)

Operation System: OS Windows

Risk status for futher investigation: VERY HIGH RISK

Time of investigation: Mon Mar 27 1:10:34 PST 2006

Much obliged to the Spybot team for your efforts. I trust you guys; I'm flashing my IP address for all to see. Apparently, others are taking note and unfortunately trying to one-up you so their malware program gets through your firewall. Suggestions to permanently remove this thing? How can they override the settings so that I cannot check the 'permanently block all bad pages' box like I used to?

spybotsandra
2006-03-27, 12:24
Hello,

Have you downloaded the latest detection rules, including the new detections for Smitfraud?
http://www.safer-networking.org/en/download/index.html
This should fix it.
Or choose the direct installation file:
http://www.safer-networking.org/updates/files/spybotsd_includes.exe

Best regards
Sandra
Team Spybot

Highliner
2006-03-28, 21:37
Yes, of course, Sandra, I would not be as dumb to try to remove malware without the recent update!
The problem seems to lie with Internet Explorer. It has so many holes in it that I have abandoned it altogether in favor of Firefox. I actually knew better, but was more 'comfortable' with IE until now.
Problem files: NVCTRL.EXE, MSSEARCHNET.EXE, HPAB74.TMP (and 3 others with a .tmp extension), all located in C:\Windows\System32.
Turns out that the malware was running the module nvctrl.exe; I called it up under the task manager and ended the process, only to have it put itself back. Also did the same with mssearchnet.exe; it kept putting itself back, presumably from a redundant registry entry and a hidden file somewhere that kept it from being deleted. I tried to send a spy report of this newer version of Smitfraud-c; this time Spybot issued an access violation warning because the malware got into the Spybot program and overrode the 'permanently block all bad downloads' box so that it could not be checked.
I started this time in safe mode, manually deleted all known bad files, then ran Spybot S&D again. The only issue that came up was Vcodec, and that was removed without it putting itself back.
Clearly, then, Firefox is the way to go, since this browser is smart enough to know what Internet Explorer should have. I finally got the 'virus warning' cleared from my tray. Turns out that the virus warning was actually a phony warning put there by the malware itself, redirecting the unsuspecting user to the website to buy the spyware remover that put the malware there to begin with. This is just stupid. Knowing that the program put the malware there to start, why would I buy their product? I don't even want to know of their existence.
So I hope the Spybot people take note that there are now serious individuals out there looking for weaknesses in the Spybot program itself and trying to gain unauthorized access to its features so as to prevent the user from blocking known bad downloads, so that the malware is free to hijack the internet connection and reinstall itself at will. I'm on Firefox now, and my connection is not being hijacked, simply because I'm not using Internet Explorer.
Perhaps a knowledgeable person at Microsoft will take note of these facts and next time make an internet browser that is truly ready for the market, and not a product that is half-baked and peppered with vulnerabilities.

Regards,

Highliner :) O^
...she said, 'Why are you slamming your computer so hard? You just broke the keyboard!'
...and I replied with great relish, 'It is not my computer.'
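The following triage script is an added example for the symptoms Highliner describes; it is not from the thread, from the Spybot team, or from any tool mentioned here. The file names (winuwi32.dll, nvctrl.exe, mssearchnet.exe, the .tmp droppers in System32) and the redirect host necessaryupdates.com are the ones named in the posts; the registry paths are the standard Internet Explorer start-page and Run/RunOnce locations; the `-Kill` switch and every other design choice is an assumption made for illustration. Run it from an elevated PowerShell prompt, ideally in safe mode as the poster did.

```powershell
# Added triage script (not from the thread or the Spybot project). It enumerates
# the artefacts described in the posts: dropped files under System32, the
# processes that restarted each other, autorun entries that relaunch them, and
# the hijacked Internet Explorer start page. Indicator names come from the
# thread; the parameter layout and the -Kill behaviour are assumptions.
[CmdletBinding()]
param(
    [string[]]$FileNames = @('winuwi32.dll', 'nvctrl.exe', 'mssearchnet.exe'),
    [string]$RedirectHost = 'necessaryupdates.com',
    [switch]$Kill   # stop every matched process in one call, then delete the files
)

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Named files plus any .tmp file sitting in System32 (the poster saw four).
$files = Get-ChildItem -Path $sys32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $FileNames -contains $_.Name -or $_.Extension -ieq '.tmp' }
"== Suspicious files in $sys32 =="
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 2. Running instances. A file that is mapped by a live process cannot be
#    deleted, which is the usual cause of the 'access is denied' message.
$procNames = $FileNames | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $procNames -contains $_.ProcessName }
"== Matching processes =="
$procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 3. Autorun locations that would relaunch the payload after a reboot or after
#    Task Manager ends one half of a watchdog pair.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Autorun entries referencing the indicators =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        if ($FileNames | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }) {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

# 4. The visible symptom: the IE start page pointing at the scare site.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $start -match [regex]::Escape($RedirectHost)) {
    "IE Start Page hijacked: $start"
}

# 5. Optional cleanup. Ending the two processes one at a time in Task Manager
#    lets the survivor respawn its partner; stopping the whole set in one call
#    narrows that window, and the files are only deletable once nothing maps them.
if ($Kill -and $procs) {
    $procs | Stop-Process -Force
    foreach ($f in ($files | Where-Object { $FileNames -contains $_.Name })) {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue
    }
}
```

Run it once without `-Kill` to record what is present, and again with `-Kill` only after the autorun entries it lists have been removed; otherwise the next logon recreates the same state the poster fought for 90 minutes. One caveat on the scare page quoted above: 227.4.167.118 falls in the class D multicast range, so no remote host can actually hold that address; the "remote computer" warning is theatre, which is consistent with the poster's conclusion that the tray alert was planted by the malware itself.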