Smitfraud/trojan-downloader Detection


9 replies to this topic

#1 TrekFan1

TrekFan1

  • Members
  • 21 posts

Posted 29 June 2007 - 10:05 PM

Hi, guys. I really hope you can help me with this. MWAV keeps detecting a Smitfraud browser hijacker in my system. The problem is that MWAV no longer allows me to clean the errors it finds (I have to buy the program for that). Also, other programs - including Spybot and the Kaspersky online virus/spyware scan - did not detect this. I have run VundoFix and SmitfraudFix, but MWAV still detects the hijacker. And to make matters worse, since I've downloaded & installed SmitfraudFix, MWAV has detected SmitfraudFix files as a "trojan-downloader.bat.ftp.ab" file. Does that mean I made a mistake in downloading and running SmitfraudFix or is it just a false positive? And how can I get rid of the Smitfraud browser hijacker?

Here is the portion of the MWAV log file with the description of the errors detected:
Fri Jun 29 22:43:39 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gator.com !!!
Fri Jun 29 22:43:39 2007 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Jun 29 22:43:40 2007 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com !!!
Fri Jun 29 22:43:40 2007 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Jun 29 22:43:40 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com !!!
Fri Jun 29 22:43:40 2007 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Jun 29 22:43:42 2007 => Offending Folder found: C:\Documents and Settings\Owner\Application Data\aim\twokumpb\bartcache\1024
Fri Jun 29 22:43:42 2007 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.

Fri Jun 29 22:43:45 2007 => Offending file found: C:\Documents and Settings\Owner\Desktop\smitfraudfix\process.exe
Fri Jun 29 22:43:45 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (process.exe)! Action taken: No Action Taken.

Fri Jun 29 22:43:45 2007 => Offending file found: C:\Documents and Settings\Owner\Desktop\smitfraudfix\reboot.exe
Fri Jun 29 22:43:45 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (reboot.exe)! Action taken: No Action Taken.

Fri Jun 29 22:43:45 2007 => Offending file found: C:\Documents and Settings\Owner\Desktop\smitfraudfix\swreg.exe
Fri Jun 29 22:43:45 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swreg.exe)! Action taken: No Action Taken.

Fri Jun 29 22:43:45 2007 => Offending file found: C:\Documents and Settings\Owner\Desktop\smitfraudfix\swsc.exe
Fri Jun 29 22:43:45 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swsc.exe)! Action taken: No Action Taken.

The gain.gator errors always pop up after I update SpywareBlaster, and every time those errors were fixed (when the program allowed me to fix errors), a few items on SpywareBlaster would have their protection disabled. I am not too worried about these (unless I have reason to be?); I mainly want to know how to get rid of the Smitfraud browser hijacker and if I need to worry about the Trojan-Downloader detections (and how to get rid of them, of course). Also, let me know if you want me to post a HijackThis log, if that will help anything.

Any help whatsoever in this matter would be greatly appreciated. Thank you.

~~~Charles, aka TrekFan1

Edited by TrekFan1, 29 June 2007 - 10:07 PM.
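The MWAV log quoted above pairs each "Offending ... found" line with a verdict line. The following is an added example (not code from the thread or from MWAV) that parses that two-line format, tallies hits per detection name, and flags any hit whose path sits inside a removal-tool folder (here assumed to be `smitfraudfix`) so it can be reviewed as a possible false positive before anything is deleted. The sample log is constructed from the lines quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the MWAV log format quoted in the post (a few lines, not the full log).
SAMPLE_LOG = r"""Fri Jun 29 22:43:39 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gator.com !!!
Fri Jun 29 22:43:39 2007 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Fri Jun 29 22:43:42 2007 => Offending Folder found: C:\Documents and Settings\Owner\Application Data\aim\twokumpb\bartcache\1024
Fri Jun 29 22:43:42 2007 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Fri Jun 29 22:43:45 2007 => Offending file found: C:\Documents and Settings\Owner\Desktop\smitfraudfix\process.exe
Fri Jun 29 22:43:45 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (process.exe)! Action taken: No Action Taken.
"""

# First line of a pair: registry key, folder or file, optionally followed by " !!!".
LOCATION_RE = re.compile(r"^(?P<ts>.+?) => Offending (?P<kind>\w+) found: (?P<loc>.*?)\s*(?:!!!)?\s*$", re.I)
# Second line of a pair: either an 'Object "..."' verdict or a 'System found infected with ...' verdict.
VERDICT_RE = re.compile(
    r'^(?P<ts>.+?) => (?:Object "(?P<obj>[^"]+)"'
    r"|System found infected with (?P<threat>\S+) (?P<cat>[^(]+?) \((?P<file>[^)]+)\))"
    r"[^!]*! Action taken: (?P<action>.+?)\.?$", re.I)

@dataclass
class Detection:
    kind: str       # Key, Folder or file, as MWAV labels it
    location: str   # registry path or file-system path
    name: str       # MWAV's detection name
    action: str     # what the scanner did ("No Action Taken" in the post)

def parse_mwav_log(text):
    """Pair each 'Offending ... found' line with the verdict line that follows it."""
    detections, pending = [], None
    for line in text.splitlines():
        m = LOCATION_RE.match(line)
        if m:
            pending = m
            continue
        v = VERDICT_RE.match(line)
        if v and pending:
            name = v.group("obj") or f'{v.group("threat")} {v.group("cat")}'
            detections.append(Detection(pending.group("kind"), pending.group("loc"), name, v.group("action")))
            pending = None
    return detections

def triage(detections, tool_dirs=("smitfraudfix",)):
    """Count hits per detection name and flag hits located inside a removal-tool folder
    (assumption: any path component equal to an entry of tool_dirs) for manual review."""
    by_name, flagged = {}, []
    for d in detections:
        by_name[d.name] = by_name.get(d.name, 0) + 1
        parts = {p.lower() for p in re.split(r"[\\/]", d.location)}
        if parts & {t.lower() for t in tool_dirs}:
            flagged.append(d)
    return by_name, flagged
```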




#2 TrekFan1

TrekFan1
  • Topic Starter

  • Members
  • 21 posts

Posted 30 June 2007 - 05:58 AM

Ok, I just completed a scan using CounterSpy. It detected one piece of adware, but the Smitfraud thing is still being detected by MWAV. Oh, and I forgot to mention before that I also tried CWShredder. No dice. :thumbsup: And to make matters worse, MWAV is now detecting a NEW error:

Sat Jun 30 06:45:46 2007 => Offending Key found: HKLM\Software\antispyware !!!
Sat Jun 30 06:45:46 2007 => Object "2antispyware Corrupted Adware/Spyware" found in File System! Action Taken: No Action Taken.

Not good. :flowers:

Anyway, I've downloaded CCleaner and SUPERAntiSpyware and will try those next in Safe Mode. I'll also remove and re-download SmitfraudFix as a ZIP file and try running that again. Wish me luck...

#3 buddy215

buddy215

  • Moderator
  • 13,501 posts
  • Gender:Male
  • Location:West Tennessee

Posted 30 June 2007 - 07:08 AM

Other than MWAV supposedly finding malware, what symptoms do you have? Popups, browser hijacking, search redirects, etc?

Let us know what Super Antispyware finds.

There are a few free antivirus programs that do remove what they find. Here is a link to free programs that have been used and recommended by the members of BC.
http://www.bleepingcomputer.com/forums/topic3616.html
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 TrekFan1

TrekFan1
  • Topic Starter

  • Members
  • 21 posts

Posted 30 June 2007 - 03:08 PM

Thanks for the reply. :flowers: As far as I know, I have not had any symptoms; nothing out of the ordinary has occurred. It's just that MWAV detects this bloody browser hijacker that nothing else can detect.

As for SUPERAntiSpyware... it didn't find anything. :thumbsup: I also ran XoftSpySE, but it only found a moderate risk called "Funcade" and a bunch of potentially unwanted programs called "Viewpoint". And, of course, I couldn't get rid of them without purchasing the product, so I assume they're still on here. I'm assuming the "Viewpoint" is the Viewpoint Media Player on my system. I'm not sure if it's "unwanted" or not (it has the Windows Media Player symbol attached to it... so I guess it's safe?)

I will check out some of the programs in the link and see what comes up. I'll let you know how it goes.

Thanks! :trumpet:

~~~Charles, AKA TrekFan1

#5 buddy215

buddy215

  • Moderator
  • 13,501 posts
  • Gender:Male
  • Location:West Tennessee

Posted 30 June 2007 - 03:32 PM

AOL and AIM force Viewpoint on you. If you don't mind being spied on, keep it.
http://www.pchell.com/support/viewpoint.shtml
How to Remove Viewpoint Media Player, Toolbar, or Manager

1) Right-click on the clock in your taskbar and choose Task Manager
2) Click on the Processes tab and search for VIEWMGR.EXE; if it's found, click on it and then click End Task to close it
3) Click on Start, Control Panel, Add/Remove Programs
4) Uninstall any of the following programs associated with Viewpoint:
   Viewpoint Manager
   Viewpoint Media Player
   Viewpoint Toolbar
5) Close the Add/Remove Programs and Control Panel
6) Restart your computer

Warning: If you install AOL Instant Messenger, Adobe Atmosphere plugin, or another program that requires Viewpoint, it will download and install again.

--------------------------------------------------------------------------------

As far as Xoft and MWAV goes, they are known to report false positives.

#6 TrekFan1

TrekFan1
  • Topic Starter

  • Members
  • 21 posts

Posted 01 July 2007 - 04:23 AM

Done. Viewpoint's outta here. Thanks for the heads up. :thumbsup:

Anyways, I've run a few other programs (AVG Anti-Spyware included) and they didn't detect anything but MWAV is still detecting both the "2antispyware" value and the smitfraud hijacker. I know the program's been known to report false positives, but it's still bugging me. Would it cause any problems if I manually removed the supposedly offending registry value (HKEY_LOCAL_MACHINE/SOFTWARE/AntiSpyware) or the supposedly dangerous file (C:\Documents and Settings\Owner\Application Data\aim\twokumpb\bartcache\1024)? Would it hurt anything if I did that?

Please reply back soon. I'll be on the lookout. Thanks!

#7 buddy215

buddy215

  • Moderator
  • 13,501 posts
  • Gender:Male
  • Location:West Tennessee

Posted 01 July 2007 - 06:47 AM

I would recommend leaving the registry as is. I would also recommend removing Smitfraudfix, MWAV, XOFTSpy.
If you uninstall the two antimalware programs, you will have a better chance of getting a clean uninstall if you do it in safe mode.

The antivirus I use is AVG free for home users. I also have Spybot Search and Destroy with teatimer enabled and WinPatrol free. I have Spyware Blaster, too.
They don't get to do much though, as I have Firefox Browser with NoScript which is the safest way to surf the net.

#8 TrekFan1

TrekFan1
  • Topic Starter

  • Members
  • 21 posts

Posted 01 July 2007 - 08:11 AM

I already got rid of SmitfraudFix and XoftSpy. I'll probably lose MWAV, too... but out of curiosity, why do you recommend its removal? Just curious...

Also, what about the file that's supposedly a browser hijacker (C:\Documents and Settings\Owner\Application Data\aim\twokumpb\bartcache\1024)? Should I go ahead and delete that manually?

The anti-virus I am currently using is avast!. I used to have AVG free, but now it appears they no longer offer it for free... am I mistaken? I do have Spybot, though, normally with the TeaTimer activated, as well as SpywareBlaster. I'll have to try that WinPatrol program, though.

Also, how do you get Firefox with NoScript? I use Mozilla Firefox... is NoScript an add-on?

Reply back soon. :thumbsup:

Edited by TrekFan1, 01 July 2007 - 08:12 AM.


#9 buddy215

buddy215

  • Moderator
  • 13,501 posts
  • Gender:Male
  • Location:West Tennessee

Posted 01 July 2007 - 08:57 AM

Yes, NoScript is an extension for Firefox. There are thousands of sites that presently you can get malware from by just visiting (drivebys) and more are being infected every day. It also assists in blocking ads.
http://noscript.net/

--------------------------------------------------------------------------------

If you are using Avast you should not have but one antivirus installed/running on your computer. This could be part of the problem with false positives. You have scanned with several excellent scanners and none find any problem. That is why I suggest removing the MWAV.
AVG is still free for the home user. Both antivirus and antispyware.

#10 TrekFan1

TrekFan1
  • Topic Starter

  • Members
  • 21 posts

Posted 01 July 2007 - 01:49 PM

Yah, I've installed NoScript already, lol! Thanks for telling me about that. :flowers:

The only anti-virus I'm running is avast!; when I'm running MWAV or Kaspersky, I turn avast! off. The other programs were just malware/spyware removers.

I'll get rid of MWAV, ASAP. I guess I'll leave the supposed "hijacker" alone, too. ;) I'll also check up on AVG... but I wish I could go back to AntiVir. That's what I was using before avast!, and it worked pretty good, but apparently once I switched, there's no going back to AntiVir: it won't let me download updates for free anymore. :thumbsup:

Anyways, thanks for your help! I greatly appreciate it. :trumpet:
