
Smitfraud?

Channel Hopper
#1
I have been getting the odd loan(shark) advert that then changes into a group of five or six of them after clicking the close sign. Setting up the firewall and Explorer to higher security hasn't made much of a difference, and running the AV / Spyware checks brings up just the usual cookies I am used to.

A search on Google has thrown up something called Smitfraud and a removal tool (which has been run), but the popups are now distinctly darker and of a highly illegal nature - if viewed.

Removed the hard drive and fitted this one to get going again (using a borrowed XP Professional disc) - but I do not want to corrupt this one if I can help it by looking through the old drive to clean it.

Can data of this nature 'jump' across hard drives without a prompt?

I have slaved the other to a drive running Win 98 on FAT32, but it doesn't recognise the files in the older drive - I think it's to do with the 40GB+ limits. To save going round in circles, does anyone have a tool with which I can guarantee removal of what's in there? Otherwise I may have to put the drive beyond use.
 

Channel Hopper
#3
Thanks

The problem is more to do with not wanting to connect the old drive back into the PC (or anywhere near the Internet) until I can clean it.

Does anyone know what way Smitfraud uses to get onto the PC - does it mask the existing browser?
 

Topper
#4
Name: smitfraud-c.toolbar888
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
Behavior

888bar is an application that is a toolbar for Internet Explorer providing shortcuts to go to search engines, portals, and gambling Web sites. The software has reportedly been installed on computers without notice or consent and is a potentially unwanted program.

When 888bar is executed, it creates the following files:
  • C:\Program Files\Common Files\{3839DF00-0D3F-1033-0729-050001}\888.dll
  • C:\Program Files\Common Files\{3839DF00-0D3F-1033-0729-050001}\Uninstall.dll
  • C:\Program Files\Common Files\{D8e9df00-0d3f-1033-0729-050001}\system.dll
  • C:\Program Files\Common Files\{D8e9df00-0d3f-1033-0729-050001}\Update.exe

Next, the program creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{c004dec2-2623-438e-9ca2-c9043ab28508}

It then creates the following registry entries:

The program then provides shortcuts to go to search engines, portals, and gambling Web sites.

Here is a link for the removal process; it is too large to post.
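Since the whole point of slaving the old drive is to look at it without running anything from it, one way to see what a toolbar like 888bar has registered is to export the relevant keys to a .reg file and triage that offline. The Python below is an added example (not from this thread or from any removal tool): it parses a constructed .reg export built from the CLSID, ProgID and DLL path quoted in the post, plus a hypothetical benign "ExampleVendor" toolbar for contrast, and resolves each toolbar CLSID to the DLL Internet Explorer would load.

```python
"""Offline triage of IE toolbar registrations from a .reg export (added example, not
from the thread): each {CLSID} under the Toolbar key is resolved to its ProgID and DLL."""
import re

GUID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
TOOLBAR = r"hkey_local_machine\software\microsoft\internet explorer\toolbar"

# Constructed export: the first toolbar reuses the CLSID, ProgID and DLL path quoted in
# the post; "ExampleVendor" is a hypothetical benign toolbar added for contrast.
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{c004dec2-2623-438e-9ca2-c9043ab28508}]
[HKEY_CLASSES_ROOT\CLSID\{c004dec2-2623-438e-9ca2-c9043ab28508}]
"ProgID"="LuckyToolbar.LuckyToolbarObj.1"
[HKEY_CLASSES_ROOT\CLSID\{c004dec2-2623-438e-9ca2-c9043ab28508}\InprocServer32]
@="C:\\Program Files\\Common Files\\{3839DF00-0D3F-1033-0729-050001}\\888.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
"ProgID"="ExampleVendor.Toolbar.1"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\toolbar.dll"
"""

def parse_reg(text):
    """Map lowercase key path -> {value name: string data}; '' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_toolbars(keys):
    """One record per {CLSID} subkey of the Toolbar key; a DLL in a GUID-named folder is flagged."""
    report = []
    for path in sorted(keys):
        head, _, clsid = path.rpartition("\\")
        if head != TOOLBAR or not GUID.fullmatch(clsid):
            continue
        com = r"hkey_classes_root\clsid\%s" % clsid
        dll = keys.get(com + r"\inprocserver32", {}).get("", "")
        # 888bar's layout above: the DLL sits in a {GUID}-named folder under Common Files.
        folder = dll.rsplit("\\", 2)[-2] if dll.count("\\") >= 2 else ""
        report.append({"clsid": clsid, "progid": keys.get(com, {}).get("ProgID", ""),
                       "dll": dll, "suspicious": folder.startswith("{") and folder.endswith("}")})
    return report
```

A real export from regedit is UTF-16, so open it with encoding='utf-16' before handing the text to parse_reg; non-string values such as hex(...) data are kept verbatim and ignored by find_toolbars.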
 

Channel Hopper
#5
What I had was not anything to do with gambling, and since running the tool now it's a lot to do with what looks like gothic s_x, mother/son relationships and (possibly) worse.

I think I will go outside with the drive, a beer and a sledgehammer.
 

Topper
#6
Channel Hopper said:
I think I will go outside with the drive, a beer and a sledgehammer.
Sad innit....... Deal wivit!