
New Smitfraud Variant?


3 replies to this topic

#1 smitfraud_victim

Posted 26 June 2008 - 01:11 PM

Hello,

I found some of the information here on smitfraud helpful, so I thought I would try and give something back. I tried to email the guys at the smitfraudfix website, but I couldn't seem to find an email address for them. Anyway, maybe they will read this, or this information will help someone else.

I believe I ran across a new version of smitfraud.... I attempted to remove it several times using the smitfraudfix tool (v2.328), but it did not work. The version I had used two files:

lphc7koj0etc9.exe 109,056 bytes

blphc7koj0etc9.scr 60,928 bytes

Both files were located in c:\windows\system32

lphc7koj0etc9.exe was memory resident, used about 8.2k, and was visible via task manager process list.

Both files were visible in the registry at:

HKEY_USERS\S-1-5-21-3570616145-104262437-1874526873-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache

I was unable to find an actual "\Run" entry in the registry for either of these. Based on the limited reading that I have done on this little cretin, and the behavior that I saw, it seems that this variant may have weaved itself into the windows shutdown process as a way of assuring it is reloaded on restart.

I renamed both of the files and the problem seems to have gone away. I have saved the files if someone from smitfraudfix is interested in examining them. I can be contacted at smitfraud_victim@yahoo.com

Hope this helps someone!


#2 Guest_superbird_*

Posted 27 June 2008 - 07:25 AM

Hi Smitfraud_victim,

Each Smitfraud-related problem has these kinds of files included.
Mostly SmitfraudFix isn't enough. It's used in combination with other programs or scripts. That's why you couldn't delete the infection. :thumbsup:

Do you still have the Smitfraud-infection on your pc?

#3 smitfraud_victim

Posted 27 June 2008 - 06:12 PM

Hi Smitfraud_victim,

Each Smitfraud-related problem has these kinds of files included.
Mostly SmitfraudFix isn't enough. It's used in combination with other programs or scripts. That's why you couldn't delete the infection. :flowers:

Do you still have the Smitfraud-infection on your pc?


=========

No, I was able to remove the infection with the combination of deleting the files+running the fix. I guess I shoulda been more clear about that in my original post. :thumbsup:

#4 Guest_superbird_*

Posted 28 June 2008 - 02:43 AM

All right, happy to hear that.
Have I answered your questions? :thumbsup:



