Smitfraud?

Channel Hopper

Suffering fools, so you don't have to.
Staff member
Joined
Jan 1, 2000
Messages
35,533
Reaction score
8,554
Points
113
Age
59
Website
www.sat-elite.uk
My Satellite Setup
A little less analogue, and a lot more crap.
My Location
UK
I have been getting the odd loan(shark) advert that then changes into a group of five or six of them after clicking the close sign. Setting up the firewall and Explorer to higher security hasn't made much of a difference, and running the AV / Spyware checks brings up just the usual cookies I am used to.

A search on Google has thrown up something called Smitfraud and a removal tool (which has been run), but the popups are now distinctly darker and of a highly illegal nature - if viewed.

Removed the hard drive and fitted this one to get going again (using a borrowed XP Professional disc) - but I do not want to corrupt this one if I can help it by looking through the old drive to clean it.

Can data of this nature 'jump' across hard drives without a prompt?

I have slaved the other to a drive running Win 98 on FAT32 but it doesn't recognise the files in the older drive - I think it's to do with the 40GB+ limits. To save going round in circles, does anyone have a tool that I can guarantee removal of what's in there, otherwise I may have to put the drive beyond use.
 

Channel Hopper

Thanks

The problem is more to do with not wanting to connect the old drive back into the PC (or anywhere near the Internet) until I can clean it.

Does anyone know what way Smitfraud uses to get onto the PC - does it mask the existing browser?
 

Topper

Amo Amas Amant Admin
Staff member
Joined
Nov 18, 2004
Messages
23,991
Reaction score
4,014
Points
113
Age
69
My Satellite Setup
Has gone to a good home elsewhere
My Location
Blackburn, Lancashire
Name: smitfraud-c.toolbar888
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
Behavior

888bar is an application that is a toolbar for Internet Explorer providing shortcuts to go to search engines, portals, and gambling Web sites. The software has reportedly been installed on computers without notice or consent and is a potentially unwanted program.


When 888bar is executed, it creates the following files:
  • C:\Program Files\Common Files\{3839DF00-0D3F-1033-0729-050001}\888.dll
  • C:\Program Files\Common Files\{3839DF00-0D3F-1033-0729-050001}\Uninstall.dll
  • C:\Program Files\Common Files\{D8e9df00-0d3f-1033-0729-050001}\system.dll
  • C:\Program Files\Common Files\{D8e9df00-0d3f-1033-0729-050001}\Update.exe

Next, the program creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{c004dec2-2623-438e-9ca2-c9043ab28508}

It then creates the following registry entries:

The program then provides shortcuts to go to search engines, portals, and gambling Web sites.

Here is a link for the removal process; it is too large to post.
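An offline check for the artifacts named in the advisory above, as an added example that is not part of the original post or of any removal tool: it assumes the old drive is attached to a clean machine as a read-only secondary volume and that its registry has been exported to `.reg`-style text (the mount point and the sample export are constructed for illustration).

```python
import os

# File artifacts listed in the advisory above, relative to the volume root.
FILE_IOCS = [
    r"Program Files\Common Files\{3839DF00-0D3F-1033-0729-050001}\888.dll",
    r"Program Files\Common Files\{3839DF00-0D3F-1033-0729-050001}\Uninstall.dll",
    r"Program Files\Common Files\{D8e9df00-0d3f-1033-0729-050001}\system.dll",
    r"Program Files\Common Files\{D8e9df00-0d3f-1033-0729-050001}\Update.exe",
]
TOOLBAR_CLSID = "{c004dec2-2623-438e-9ca2-c9043ab28508}"  # Toolbar subkey in the advisory

def resolve_nocase(root, win_path):
    """Resolve a Windows-style path under root, ignoring case in every component."""
    current = root
    for part in win_path.split("\\"):
        try:
            names = os.listdir(current)
        except OSError:
            return None  # unreadable or not a directory
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def sweep_files(mount_root):
    """Return {advisory path: path on disk} for each file artifact that exists."""
    hits = {}
    for ioc in FILE_IOCS:
        found = resolve_nocase(mount_root, ioc)
        if found and os.path.isfile(found):
            hits[ioc] = found
    return hits

def sweep_reg_export(reg_text):
    """Return registry keys whose path or values mention the toolbar CLSID."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        if key and TOOLBAR_CLSID in line.lower() and key not in hits:
            hits.append(key)
    return hits

if __name__ == "__main__":
    # Constructed sample export line; /mnt/suspect is a hypothetical mount point.
    sample = "[HKEY_CLASSES_ROOT\\CLSID\\{C004DEC2-2623-438E-9CA2-C9043AB28508}]\n"
    print(sweep_reg_export(sample))
    print(sweep_files("/mnt/suspect"))
```

The sweep only reads directory listings and text, so nothing on the suspect volume is executed or modified.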
 

Channel Hopper

What I had was not anything to do with gambling, and since running the tool now it's a lot to do with what looks like gothic s_x, mother/son relationships and (possibly) worse.

I think I will go outside with the drive, a beer and a sledgehammer.
 

Topper

Channel Hopper said:
I think I will go outside with the drive, a beer and a sledgehammer.

Sad innit....... Deal wivit!
 