Infected With Smitfraud ... I Think !



#1 Sticksman

Posted 24 May 2006 - 06:34 PM

Having done a lot of searching ... I think I'm infected with "Smitfraud"

I've got the "Yellow Security Alert!" triangle in the bottom right task bar. I get directed to various porn / gambling websites, and my homepage (IE 6) is www.topsecuritysite.com (which I can't change).

Any help would be much appreciated.
Thanks
Sticks

#2 tg1911 (Lord Spam Magnet)

Posted 24 May 2006 - 07:36 PM

Try this:
How To Remove The Smitfraud / Psguard / Virtualmaid

#3 evets

Posted 25 May 2006 - 07:31 AM

Hi,
I found a smitfraud infection because winlogon was trying to contact freeprohosting.net (whatever that is) via the Internet.
I found http://siri.urz.free.fr/Fix/SmitfraudFix.php
which removes it in one simple operation (none of the HijackThis log events mentioned in tg1911's post showed anything on my machine, and only a scan from Xoftspy detected it).

#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 25 May 2006 - 10:37 AM

freeprohosting.net is a site responsible for lots of bad malware, including smitfraud and others. See here.

Edited by quietman7, 25 May 2006 - 10:38 AM.


#5 evets

Posted 26 May 2006 - 03:18 AM

Thanks for the URL, lots of info.
http://support.microsoft.com/?kbid=841290 downloads a checksum utility, which gives a completely different checksum for winlogon on the 'ex'-infected machine from the one on a laptop which has not been on the network. Both winlogons have the same version.
I'm just about to copy the 'good' one to the other machine; maybe suicidal.
On second thoughts, I'll wait to see if anyone knows if I can/should do this?

Edited by evets, 26 May 2006 - 03:44 AM.


#6 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 26 May 2006 - 06:56 AM

evets, if SmitfraudFix did not work, then I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A HijackThis Log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

It may take a while to get a response because the HJT Team members are very busy. Please be patient, as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies, as this makes it easier for them to identify those who have not been helped. If you post another response, a team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#7 evets

Posted 26 May 2006 - 07:30 AM

quietman,
Thanks for the help.
Winlogon seems to respawn itself if removed; however, I booted into DOS and replaced it with a good winlogon,
for which FCIV gives the checksum
01c3346c241652f43aed8e2149881bfe winlogon.exe
This is the same as the checksum on my non-infected computer and remains the same (i.e. it is not being overwritten by malware).
I'd be interested to know what FCIV checksum anyone else gets for version 5.1.2600.2180 of winlogon.
At a quick look FCIV seems like a really useful program; it can compile a database of checksums of a number of directories and make periodic comparisons.
I don't pretend to know how virus checkers work, but none of the ones I ran found anything wrong with a (presumably) corrupt winlogon.
I have posted a HijackThis log as you suggested.

Edited by evets, 26 May 2006 - 08:20 AM.
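The checks evets describes in posts #5 and #7 (hash a system binary on a clean reference machine, compare it with the same binary on the suspect machine, and keep a checksum database of whole directories for periodic comparison) are the same baseline-and-compare routine that FCIV automates. The script below is an added example written for this page; it is not FCIV, not Microsoft's code, and not something anyone in the thread posted. FCIV offers MD5 (its default, which is what the 32-hex-digit checksum above is) and SHA-1; this example uses SHA-256 from Python's standard library instead, because neither MD5 nor SHA-1 should be relied on when the adversary controls the file contents. The "system32" directory, its file names and the byte strings hashed are constructed inside a temporary directory purely to make the script run offline; the "winlogon.exe" contents are not a real binary and its hash is not the real 5.1.2600.2180 hash.

```python
"""Baseline-and-compare file integrity check in the spirit of FCIV's
checksum database. Added example, not code from the thread or from FCIV."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large binaries are not slurped into memory


def file_digest(path, algo="sha256"):
    """Hex digest of one file; `algo` is any name hashlib accepts (e.g. md5 to match FCIV)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Walk `root` and return {relative_posix_path: digest} for every regular file."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow dir symlinks by default
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # a planted symlink could point anywhere; do not hash through it
                continue
            baseline[p.relative_to(root).as_posix()] = file_digest(p, algo)
    return baseline


def save_baseline(baseline, db_path):
    """Persist the baseline as JSON. Store this somewhere the suspect host cannot rewrite it."""
    with open(db_path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: a fake system32 whose 'winlogon.exe' is later overwritten
    and a new DLL dropped, as the thread describes. Returns compare()'s triple."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        # Constructed placeholder contents, not real PE files.
        (sys32 / "winlogon.exe").write_bytes(b"MZ-known-good-winlogon")
        (sys32 / "kernel32.dll").write_bytes(b"MZ-kernel32")
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(sys32), db)  # taken while the machine is known clean

        # What the infection does: replace the binary and drop a new file.
        (sys32 / "winlogon.exe").write_bytes(b"MZ-trojaned-winlogon!")
        (sys32 / "dropped.dll").write_bytes(b"MZ-dropper")

        return compare(load_baseline(db), build_baseline(sys32))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
```

Two caveats a practitioner would add. First, a hash comparison between two machines only means something when both files are the same build, which is why evets checked that both winlogons reported version 5.1.2600.2180 before trusting the mismatch; different service-pack or hotfix levels will legitimately differ. Second, hashing on the live suspect machine asks the possibly compromised OS to read the file for you; a kernel-level rootkit or file-system filter can hand back the clean bytes while the real file is trojaned. Hashing from an offline boot, as evets did when he replaced the file from DOS, sidesteps that, and the baseline JSON should likewise be kept off the host it describes.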




