Smitfraud/Trojan.Zlob Removal - AntiVermin, VirusBurster, Video ActiveX Object, etc.

Trogan, London, UK
edited October 2006 in Spyware & Virus Removal
This guide will show you how to identify and remove the Smitfraud/Trojan.Zlob variants

What is Smitfraud/Trojan.Zlob?

Smitfraud, also known as Trojan.Zlob, is a family of desktop hijackers. These infections change your Desktop background to display fake warning messages that closely mimic (and are almost identical to) Windows Update notification balloons. The alerts are usually accompanied by a rogue anti-spyware program (see the list below) that was installed on your computer without your consent. Clicking one of these fake security alerts will either take you to a web page where you are asked to buy more fraudulent software, or will install such software on your computer automatically, without your permission.

This is a partial list of rogue anti-spyware programs; there are many, many more.

AdwarePunisher, AdwareSheriff, AlphaCleaner, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntivirusGolden, AVGold

BraveSentry, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, PestCapture, PestTrap, PSGuard

quicknavigate.com, Registry Cleaner, Security iGuard, Smitfraud, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals

SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight

SpywareSheriff, SpywareStrike, Startsearches.net, TitanShield Antispyware, Trust Cleaner, UpdateSearches.com, Virtual Maid, VirusBlast

VirusBurst, Win32.puper, WinHound, Brain Codec, DirectVideo, EliteCodec, eMedia Codec, FreeVideo, Gold Codec, HQ Codec, iCodecPack


Let's start...


Tools needed - Download the following tools to a convenient location, such as the Desktop. For Windows XP and 2000 only!



PREPARATION

Extract all the files from SmitfraudFix.zip to your Desktop. This will create a new SmitfraudFix folder on your Desktop.

[Image: the SmitfraudFix folder icon on the Desktop]

We will use this later.



IDENTIFICATION


Entries in a HijackThis log

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\iVideoCodec\isaddon.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\X Password Generator\isaddon.dll
O2 - BHO: MSVPS System - {100B21CD-3B97-44FB-B1C0-EA6249E482E8} - C:\WINDOWS\ddesupport.dll
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKLM\..\Run: [SpyCrush] C:\Program Files\SpyCrush\SpyCrush.exe /h
O4 - HKLM\..\Run: [AntiVermins] C:\Program Files\AntiVermins\AntiVermins.exe /h
O4 - HKLM\..\Run: [VirusBursters] C:\Program Files\VirusBursters\virusbursters.exe /h
O4 - Global Startup: .protected
O21 - SSODL: msole - {80047F31-5F13-47A4-ACFB-CC64BCCDDE75} - C:\WINDOWS\msole.dll
O21 - SSODL: msdde - {7725C992-B6C9-42AC-ACF9-A00D6AA45166} - C:\WINDOWS\msdde.dll


Note: Not all entries are listed. This is just a small selection to give you an idea of what to look for in HijackThis. With each new variant/version of Smitfraud there are always new entries.
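To make the patterns in those entries repeatable rather than eyeballed, here is an added Python example. It is my own code, not part of this guide and not part of HijackThis; it reads a HijackThis log and flags lines that match what the sample entries above show: Run entries named after the rogue programs, the file names that appear in the sample entries, a /h or hide launch switch, a bare executable name with no path (which Windows resolves via the search path), DLLs or executables placed directly in the Windows directory rather than a subfolder, and the .protected Global Startup item. The rogue-name and file-name sets are taken from this page only; the sample log is constructed from the lines quoted above plus two benign entries of my own (the second uses a placeholder CLSID) so the filter has something to leave alone.

```python
import re

# Run-entry names and file names taken from the HijackThis entries quoted in this guide.
ROGUE_NAMES = {
    "antivermins", "virusbursters", "spycrush", "malwarealarm",
    "ultimate cleaner", "windows update loader",
}
KNOWN_BAD_FILES = {
    "isaddon.dll", "ddesupport.dll", "xpupdate.exe", "avp.exe", "mgrs.exe",
    "msole.dll", "msdde.dll", "spycrush.exe", "antivermins.exe",
    "virusbursters.exe", "malwarealarm.exe", "ultimatecleaner.exe",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<item>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# An executable (optionally quoted, may contain spaces) followed by its arguments.
CMD_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|cmd|dll))"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# C:\WINDOWS\x.dll matches; C:\WINDOWS\system32\x.dll does not.
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)

# Constructed sample: the entries quoted in the guide plus two benign lines of my own.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll",
    r"O2 - BHO: MSVPS System - {100B21CD-3B97-44FB-B1C0-EA6249E482E8} - C:\WINDOWS\ddesupport.dll",
    r"O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe",
    r"O4 - HKLM\..\Run: [smgr] mgrs.exe",
    r"O4 - HKLM\..\Run: [SpyCrush] C:\Program Files\SpyCrush\SpyCrush.exe /h",
    r'O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide',
    r"O4 - Global Startup: .protected",
    r"O21 - SSODL: msole - {80047F31-5F13-47A4-ACFB-CC64BCCDDE75} - C:\WINDOWS\msole.dll",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",  # benign, constructed
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",  # benign, placeholder CLSID
])


def basename(path):
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_windows_root(path):
    return WINDOWS_ROOT_RE.match(path.strip().strip('"')) is not None


def split_command(cmd):
    """Separate the executable from its arguments in a Run-key command line."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m["exe"], (m["args"] or "").strip()


def triage(log_text):
    """Return [(line, [reasons])] for every log line that matches one of the guide's patterns."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if m := O2_RE.match(line):
            fname = basename(m["path"])
            if fname in KNOWN_BAD_FILES:
                reasons.append(f"BHO loads {fname}, a file named in the guide")
            if in_windows_root(m["path"]):
                reasons.append("BHO DLL sits directly in the Windows directory")
        elif m := O4_STARTUP_RE.match(line):
            if m["item"].strip().lower() == ".protected":
                reasons.append("Global Startup item '.protected' from the guide")
        elif m := O4_RE.match(line):
            exe, args = split_command(m["cmd"])
            fname = basename(exe)
            if m["name"].strip().lower() in ROGUE_NAMES:
                reasons.append(f"Run entry name '{m['name']}' belongs to a rogue program")
            if fname in KNOWN_BAD_FILES:
                reasons.append(f"Run entry launches {fname}, a file named in the guide")
            if args.lower() in ("/h", "hide"):
                reasons.append("launched with a hide switch")
            if "\\" not in exe:
                reasons.append("bare filename with no path (resolved via the search path)")
            if in_windows_root(exe):
                reasons.append("executable sits directly in the Windows directory")
        elif m := O21_RE.match(line):
            fname = basename(m["path"])
            if fname in KNOWN_BAD_FILES:
                reasons.append(f"SSODL loads {fname}, a file named in the guide")
            if in_windows_root(m["path"]):
                reasons.append("ShellServiceObjectDelayLoad DLL sits directly in the Windows directory")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The two benign lines are left alone because ctfmon.exe lives in system32, not the Windows root, and the placeholder BHO's DLL name is not one the guide lists; a hit on only one of the weaker rules (a hide switch, a bare file name) is a prompt to look at that entry, not proof on its own, which is why each finding carries its reasons.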



REMOVAL


1. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

2. Please reboot your computer to Safe Mode by doing the following:
  • Restart your computer

  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

  • Instead of Windows loading as normal, a menu with options should appear;

  • Select the first option, to run Windows in Safe Mode, then press "Enter".

  • Choose your usual account.
3. When you are in Safe Mode, proceed by opening the SmitfraudFix folder on your Desktop.

4. Make sure any other open windows are closed.

5. Now double-click smitfraudfix.cmd in the SmitfraudFix folder.

[Image: smitfraudfix.cmd inside the SmitfraudFix folder]

6. When the tool opens, you will see the intro/credit screen. Simply press any key on your keyboard to continue.

7. You will now see a menu, as seen in the image below. Select option #2 "Clean (Safe mode recommended)" by typing 2 and pressing "Enter" on your keyboard.

[Image: the SmitfraudFix menu with option 2, "Clean (Safe mode recommended)"]

8. SmitfraudFix will now begin the cleaning process.

9. Once the clean-up has been completed, SmitfraudFix will open and start Disk Cleanup, as seen below. Disk Cleanup can take several minutes to complete.

[Image: the Disk Cleanup window]

From Microsoft
The Disk Cleanup tool helps free up space on the hard disk by searching the disk for files that can be safely deleted. You can choose to delete some or all of the files. Use Disk Cleanup to perform any of the following tasks to free up space on the hard disk:
  • Remove temporary Internet files.
  • Remove downloaded program files. For example, ActiveX controls and Java applets that are downloaded from the Internet.
  • Empty the Recycle Bin.
  • Remove Windows temporary files.
  • Remove optional Windows components that you are not using.
  • Remove installed programs that you no longer use.
10. Once Disk Cleanup has finished, you will be prompted with the question "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y followed by pressing "Enter" on your keyboard. This will remove your Desktop background and clean the registry keys associated with the Smitfraud infection.

11. The tool will now restart your computer back to Normal Mode to finish the cleaning process. If it does not restart automatically, please restart manually. (Start > Turn Off Computer > Restart).

12. Once you are back in Normal Mode, a Notepad file will appear onscreen, with results from the cleaning process.

13. The following is an example of a clean SmitfraudFix log. Check your log, and when done, close Notepad.
SmitFraudFix v2.223

Scan done at 23:44:23.46, 2007-09-17
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Belkin 802.11g Wireless Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{991F5295-C031-4689-99AE-CC0C7FFDE964}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{991F5295-C031-4689-99AE-CC0C7FFDE964}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
14. The report is saved at the root of the system drive, usually at C:\rapport.txt
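For the "check your log" part of step 13, here is an added Python example of my own (not part of this guide and not part of SmitfraudFix) that splits a rapport.txt into its »-delimited sections and compares them with the clean report shown above: the Killing process, hosts, Deleting infected files and both SharedTaskScheduler sections should list nothing beyond the tool's banner lines, the Winlogon "System" value should be empty, and Registry Cleaning should report completion. It also pulls the IP addresses out of the DNS section so you can compare them with what your router or ISP actually uses. The clean report embedded below is the one quoted above (with two of the repeated DNS registry lines dropped for length); the "dirty" variant is constructed from it with placeholder file names and does not represent any real variant.

```python
import re

# The clean SmitfraudFix report quoted in this guide, embedded as sample input.
CLEAN_REPORT = """\
SmitFraudFix v2.223

Scan done at 23:44:23.46, 2007-09-17
Run from C:\\Documents and Settings\\User\\Desktop\\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Belkin 802.11g Wireless Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{991F5295-C031-4689-99AE-CC0C7FFDE964}: DhcpNameServer=192.168.2.1
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^»+\s*(?P<title>.+?)\s*$")
# Banner lines the tool prints in every report; they are not findings.
NOISE = {
    "!!!Attention, following keys are not inevitably infected!!!",
    "SrchSTS.exe by S!Ri", "Search SharedTaskScheduler's .dll", "GenericRenosFix by S!Ri",
}


def parse_report(text):
    """Split the report into {section title: [non-empty, non-banner lines]}."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m["title"]
            sections.setdefault(current, [])
        elif line and line not in NOISE:
            sections[current].append(line)
    return sections


def check_report(text):
    """List everything that differs from the clean report shown in the guide."""
    s = parse_report(text)
    issues = []
    # These sections are empty in a clean report.
    for title in ("Killing process", "hosts", "Deleting infected files",
                  "SharedTaskScheduler Before SmitFraudFix", "SharedTaskScheduler After SmitFraudFix"):
        if s.get(title):
            issues.append(f"{title}: {len(s[title])} line(s) listed")
    system_value = None
    for line in s.get("Winlogon.System", []):
        m = re.match(r'^"System"="(?P<v>.*)"$', line)
        if m:
            system_value = m["v"]
    if system_value is None:
        issues.append("Winlogon.System: no System value in report")
    elif system_value:
        issues.append(f"Winlogon.System: System value is not empty: {system_value!r}")
    if "Registry Cleaning done." not in s.get("Registry Cleaning", []):
        issues.append("Registry Cleaning: completion line missing")
    return issues


def dns_servers(text):
    """IPv4 addresses named in the DNS section, for comparison with your own router/ISP."""
    ips = set()
    for line in parse_report(text).get("DNS", []):
        ips.update(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line))
    return sorted(ips)


def make_dirty_report(clean):
    """Constructed variant: a non-empty Winlogon System value and one deleted file listed (placeholders)."""
    out = []
    for line in clean.splitlines():
        if line == '"System"=""':
            line = '"System"="C:\\WINDOWS\\placeholder-example.exe"'  # placeholder, not a real indicator
        out.append(line)
        if line.endswith("Deleting infected files"):
            out.append("C:\\WINDOWS\\placeholder-example.dll deleted")  # placeholder, not a real indicator
    return "\n".join(out)


DIRTY_REPORT = make_dirty_report(CLEAN_REPORT)

if __name__ == "__main__":
    print("clean:", check_report(CLEAN_REPORT) or "no differences", dns_servers(CLEAN_REPORT))
    print("dirty:", check_report(DIRTY_REPORT))
```

On a real machine, run `check_report(open(r"C:\rapport.txt", encoding="cp1252", errors="replace").read())`; the guide's own report was written on Windows XP, so the » characters may need that encoding rather than UTF-8. An empty list means the report looks like the clean example above; anything returned is a section worth reading by hand, not an automatic verdict.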

Note: You may lose your Desktop background. If this is the case, you can get it back by selecting it again in Display Properties (Start > Control Panel > Display Properties > Desktop tab)

By following this guide, your computer should be free of the Smitfraud/Trojan.Zlob infection.

If you are still having problems or would like further help with this or other infections, then follow the steps in the following link:

Steps To Take Before Posting a HijackThis Log!