Adware, malware, spyware, hijacker discussion and information




All times are UTC - 7 hours




 Post subject: SmithFraud Rogue: VirusBurst [Updated 10-9]
PostPosted: Sat May 13, 2006 11:08 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Latest Rogue: Animalware

See here

%SYSTEM%\winmuse.exe<<<<---new file
O4 - HKLM\..\Run: [ZPoint] %SYSTEM%\winmuse.exe
[-HKEY_LOCAL_MACHINE\SOFTWARE\WMuse]


%SYSTEM%\winbrume.dll<<<<---new file

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}"=-


%SYSTEM%\truetype.exe
O4 - HKLM\..\Run: [truetype] %SYSTEM%\truetype.exe
O4 - HKLM\..\RunServices: [truetype] %SYSTEM%\truetype.exe
O4 - HKCU\..\Run: [truetype] %SYSTEM%\truetype.exe<<<<---new file

Complete listings\changelog of files for fix by S!Ri can be found here



Last edited by TeMerc on Mon Oct 09, 2006 7:13 pm, edited 15 times in total.


 Post subject:
PostPosted: Thu May 18, 2006 4:25 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
THREE more variants found:
Quote:
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"<<<<new file

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a566f298-05a6-4b3d-b672-da7c27316430}"="AutoDisc Ware"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{a566f298-05a6-4b3d-b672-da7c27316430}\InProcServer32]
@="C:\WINDOWS\system32\htey.dll"<<<<---new file

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e04408db-4812-4478-8d4d-e46edcffd3b6}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}\InProcServer32]
@="C:\WINDOWS\system32\fyhhxw.dll"<<<<---bad file

Rumors are that the C:\WINDOWS\system32\fyhhxw.dll infector has randomly changing CLSID.

 Post subject:
PostPosted: Fri May 19, 2006 9:34 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Two more posted by Bleeping:
Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bc82bdb-bc03-4671-9a78-3ef2b68449de}"="advisability"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}\InProcServer32]
@="C:\WINDOWS\system32\oqipt.dll"<<<<---

and

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{70fbd528-2d3c-4a00-9b8c-bbf441e534be}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{70fbd528-2d3c-4a00-9b8c-bbf441e534be}\InProcServer32]
@="C:\WINDOWS\System32\iqzv.dll"<<<<---

 Post subject:
PostPosted: Sun May 28, 2006 10:56 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Yet another variant found, Siri tool updated:

Quote:
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f5947202-e9cb-4a72-88e7-22f2cbd2b124}"="chenopodiaceae"

[HKEY_CLASSES_ROOT\CLSID\{f5947202-e9cb-4a72-88e7-22f2cbd2b124}\InProcServer32]
@="C:\WINDOWS\System32\bolnyz.dll" <<<<---new file

[HKEY_CURRENT_USER\Software\Classes\CLSID\{f5947202-e9cb-4a72-88e7-22f2cbd2b124}\InProcServer32]
@="C:\WINDOWS\System32\bolnyz.dll"

 Post subject:
PostPosted: Tue May 30, 2006 10:47 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Another new variant:
Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a0c51615-738a-4542-801a-5af61614e182}"="bedimples"

[HKEY_CLASSES_ROOT\CLSID\{a0c51615-738a-4542-801a-5af61614e182}\InProcServer32]
@="C:\WINDOWS\system32\higjxe.dll"<<<<---new file

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a0c51615-738a-4542-801a-5af61614e182}\InProcServer32]
@="C:\WINDOWS\system32\higjxe.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular"

[HKEY_CLASSES_ROOT\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\WINDOWS\system32\hvnwm.dll"<<<<---new file

[HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\WINDOWS\system32\hvnwm.dll"

 Post subject:
PostPosted: Sat Jun 03, 2006 11:28 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Well, it seems that after a lengthy period offline, to deal with life's typical trappings, in this case a move to a new home, noahadfear has returned and updated his SmithRem tool.

You can find a list of targeted files and folders as well as a list of registry keys removed or altered by SmithRem

 Post subject:
PostPosted: Thu Jun 15, 2006 11:06 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
New Smithfraud apps:
Titan Shield and Trust Cleaner

Both targeted and removed by both SmithRem and SmithFraudFix tools.

From Sunbelt:
Quote:
Titan Shield offers loads of fun. Available at antispywarebox(dot)com (a new rogue site) and titanshield(dot)com

Sunbelt Blog

From Bleeping Computing and Sunbelt

 Post subject:
PostPosted: Sat Jun 17, 2006 11:43 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
More SpywareQuake variants found in the last 24 hours or so:
oybgrql.dll
yvvdj.dll
xuefh.dll

Those, along with corresponding CLSIDs, have been added to both SmithFraudFix by Siri and SmithRem by noahadfear.

 Post subject:
PostPosted: Fri Jun 23, 2006 10:53 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
SmithFraudFix updated 3 times this week:

Quote:
Version 2.64 (June 22, 2006)

%SYSTEM%\ixt?.dll
%SYSTEM%\ixt??.dll
%SYSTEM%\ishost.exe
%SYSTEM%\ismon.exe
%SYSTEM%\isnotify.exe
%SYSTEM%\issearch.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"ishost.exe"=-
"issearch.exe"=-

%SYSTEM%\tnvocyn.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0ffdaffc-d80d-47bf-b9b0-895ea240f4de}"="adelges"
[HKEY_CLASSES_ROOT\CLSID\{0ffdaffc-d80d-47bf-b9b0-895ea240f4de}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{0ffdaffc-d80d-47bf-b9b0-895ea240f4de}]



Version 2.63 (June 20, 2006)


O2 - BHO: (no name) - {7fcf04b6-6354-47ef-b45e-a48268e92757} - C:\WINDOWS\System32\ixt1.dll
%SYSTEM%\ixt0.dll
%SYSTEM%\ixt1.dll
HKEY_CLASSES_ROOT\CLSID\{7fcf04b6-6354-47ef-b45e-a48268e92757}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fcf04b6-6354-47ef-b45e-a48268e92757}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fcf04b6-6354-47ef-b45e-a48268e92757}

%SYSTEM%\viwpzla.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"
[HKEY_CLASSES_ROOT\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}]

%SYSTEM%\guxxa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"
[HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}]

%SYSTEM%\hvcycg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"
[HKEY_CLASSES_ROOT\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}]



Version 2.62 (June 18, 2006)


%ALLUSERDESKTOP%\Security Troubleshooting.url

O2 - BHO: adobepnl.ADOBE_PANEL - {0F7E55FC-6D46-491C-922B-4EBC6636B561} - C:\WINDOWS\system32\adobepnl.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F7E55FC-6D46-491C-922B-4EBC6636B561}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F7E55FC-6D46-491C-922B-4EBC6636B561}]

%SYSTEM%\xuefh.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f85e05f5-667e-41b0-ab8a-147337a99e65}"="bloodthirst"
[HKEY_CLASSES_ROOT\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}]

%SYSTEM%\yvvdj.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"
[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}]

%SYSTEM%\oybgrql.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ed39ecef-902e-4ed1-8434-71e8db89e5ca}"="decorin"
[HKEY_CLASSES_ROOT\CLSID\{ed39ecef-902e-4ed1-8434-71e8db89e5ca}]
[HKEY_CURRENT_USER\Software\Classes\CLSID\{ed39ecef-902e-4ed1-8434-71e8db89e5ca}]

SmithFraudFix Changelog Page

 Post subject:
PostPosted: Thu Jul 06, 2006 4:46 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Quote:
Version 2.68 (July 06, 2006)


Generic Renos Fix v1.3 (ShellServiceObjectDelayLoad keys scanner added)

%SYSTEM%\zlara.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"
[HKEY_CLASSES_ROOT\CLSID\{89e4aaba-3b21-49b3-b922-8ca35193c68e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{89e4aaba-3b21-49b3-b922-8ca35193c68e}]

%SYSTEM%\vpxnk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"altmannsberger"="{210b4043-35ca-4aa0-8796-191f9663dfb3}"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"altmannsberger"="{210b4043-35ca-4aa0-8796-191f9663dfb3}"
[HKEY_CLASSES_ROOT\CLSID\{210b4043-35ca-4aa0-8796-191f9663dfb3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{210b4043-35ca-4aa0-8796-191f9663dfb3}]


%SYSTEM%\jevtxpg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"fairydom"="{5839511e-ec1b-4f91-ace3-fb88e52f5239}"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fairydom"="{5839511e-ec1b-4f91-ace3-fb88e52f5239}"
[HKEY_CLASSES_ROOT\CLSID\{5839511e-ec1b-4f91-ace3-fb88e52f5239}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839511e-ec1b-4f91-ace3-fb88e52f5239}]
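
The listings quoted in this thread (the SrchSTS output in the earlier posts and the SmithFraudFix changelog above) all follow the same pattern: a CLSID is planted in a key the shell loads at startup (SharedTaskScheduler, or ShellServiceObjectDelayLoad from version 2.68 on), and that CLSID is registered under HKCR or HKCU\Software\Classes with an InProcServer32 default value naming the dropped DLL. Because HKCR is HKCU\Software\Classes merged over HKLM\Software\Classes, with the per-user branch winning, the HKCU registration is the one that matters for the logged-on user. The following Python is an added example written for this page, not code from the thread, from S!Ri's tools, or from SmithRem. It parses a .reg-style listing in the format pasted in these posts, tolerating both value orientations ("{CLSID}"="label" and "label"="{CLSID}", both of which appear above), curly quotes, headers broken across two lines, and the "<<<<---" annotations, and correlates each loader entry with the DLL the shell would actually load. The sample input is constructed for this example: its CLSIDs and DLL names are the ones reported in the thread, and the all-zero GUID is a placeholder standing in for a legitimate entry.

```python
import re

# Constructed sample in the SrchSTS / .reg export style used throughout this thread.
# CLSIDs and DLL names are those reported in the posts above; the all-zero GUID is a
# placeholder for a legitimate entry, and "placeholder.dll" is not a real file name.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"
"{00000000-0000-0000-0000-000000000001}"="placeholder benign entry"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
“altmannsberger”=”{210b4043-35ca-4aa0-8796-191f9663dfb3}”

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll" <<<<---new file

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{89e4aaba-3b21-49b3-b922-8ca35193c68e}\InProcServer32]
@="C:\WINDOWS\system32\zlara.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\
{210b4043-35ca-4aa0-8796-191f9663dfb3}\InProcServer32]
@="C:\WINDOWS\system32\vpxnk.dll"<<<<---new file

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="%SystemRoot%\system32\placeholder.dll"
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"$')   # "name"="value" line under a key
DEFAULT_RE = re.compile(r'^@="([^"<]*)')           # default value; stops at a '<<<<' note
LOADER_KEYS = ("\\sharedtaskscheduler", "\\shellserviceobjectdelayload")


def _lines(text):
    """Normalise a pasted listing: straighten curly quotes and re-join key headers
    that were wrapped onto two lines, as happens in several posts in this thread."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    out, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line, pending = pending + line, None
        if line.startswith("[") and not line.endswith("]"):
            pending = line          # header continues on the next line
            continue
        if line:
            out.append(line)
    return out


def parse_listing(text):
    """Collect loader entries (CLSID, label, key) and InProcServer32 registrations
    keyed by CLSID and scope ("HKCU" for HKEY_CURRENT_USER, else "HKLM")."""
    loader, servers, key = [], {}, ""
    for line in _lines(text):
        if line.startswith("["):
            key = line[1:-1].lstrip("-")   # "[-HKEY...]" is a .reg deletion marker
            continue
        if key.lower().endswith(LOADER_KEYS):
            m = VALUE_RE.match(line)
            if not m:
                continue                   # e.g. '"{...}"=-' deletion lines
            name, value = m.groups()
            # SharedTaskScheduler normally stores "{CLSID}"="label", SSODL stores
            # "label"="{CLSID}"; the thread shows both, so accept either side.
            for cand, other in ((name, value), (value, name)):
                if CLSID_RE.fullmatch(cand):
                    loader.append((cand.lower(), other, key))
                    break
            continue
        m = DEFAULT_RE.match(line)
        c = CLSID_RE.search(key)
        if m and c and key.lower().endswith("\\inprocserver32"):
            scope = "HKCU" if key.upper().startswith("HKEY_CURRENT_USER") else "HKLM"
            servers.setdefault(c.group(0).lower(), {})[scope] = m.group(1)
    return loader, servers


def resolve(text):
    """One record per shell-loaded CLSID: loader key, label, the DLL the shell would
    load, and whether a per-user HKCU\\Software\\Classes registration is present."""
    loader, servers = parse_listing(text)
    report = []
    for clsid, label, key in loader:
        regs = servers.get(clsid, {})
        # HKCR merges HKCU\Software\Classes over HKLM\Software\Classes, so the
        # per-user InProcServer32 takes precedence when both exist.
        report.append({
            "clsid": clsid,
            "label": label,
            "loader": key.rsplit("\\", 1)[-1],
            "dll": regs.get("HKCU") or regs.get("HKLM"),
            "per_user_override": "HKCU" in regs,
        })
    return report


if __name__ == "__main__":
    for rec in resolve(SAMPLE):
        flag = "  (per-user HKCU registration)" if rec["per_user_override"] else ""
        print(f'{rec["loader"]:28} {rec["clsid"]} "{rec["label"]}" -> {rec["dll"]}{flag}')
```

Run against a real export, a per-user InProcServer32 registration for a shell-loaded CLSID is the thing to look at first: a legitimate shell extension is registered machine-wide, so an HKCU-only or HKCU-shadowed entry pointing at a short random name in system32 is exactly the shape every variant in this thread takes.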

 Post subject:
PostPosted: Fri Jul 07, 2006 9:18 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
New rogue on the loose: SpyHeal

Quote:
According to Sunbelt’s researcher Patrick Jordan: “From seriall(com)com with the VladZone infestation, it calls the IP for the security scam hijacking and SpywareQuake install. Also, from the sysprotectionpage(dot)com showed spyheal(dot)com as one of the new partner sites.”


Tom wrote:
Looks to be another sibling of the SmithFraud family. I'm sure files will begin to pop up soon enough

Sunbelt Blog

 Post subject:
PostPosted: Fri Jul 07, 2006 2:41 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
I took the time to add my two cents as a reviewer on the SiteAdvisor page:

SiteAdvisor Details

It has not been fully reviewed as yet, however.



Last edited by TeMerc on Sun Jul 09, 2006 4:47 pm, edited 1 time in total.


 Post subject:
PostPosted: Sun Jul 09, 2006 4:10 pm 
Countermeasures Team

Joined: Tue Nov 15, 2005 12:53 pm
Posts: 76
Location: UK
Very weird, this one. Over 15,000 results in Google and no logs. All shareware sites etc.

Having said that, if the logs start to come, my article and Sunbelt's are 4th and 5th. Let us hope that this warns the users quicker!

Has anyone tested this yet, TeMerc? Apart from the obvious, Sunbelt.

 Post subject:
PostPosted: Sun Jul 09, 2006 4:49 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
AndyAtHull wrote:
Has anyone tested this yet, TeMerc? Apart from the obvious, Sunbelt.

Bleeping tested it

 Post subject:
PostPosted: Mon Jul 10, 2006 2:42 am 
Countermeasures Team

Joined: Tue Nov 15, 2005 12:53 pm
Posts: 76
Location: UK
Hi TeMerc,

Should have known 8) Thanks

 Post subject:
PostPosted: Tue Aug 15, 2006 11:32 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
New rogue Zlob\SmithFraud Variant: VirusRescue
Yet another in a long line of alleged spyware removers, this one does as the many others: it tries to dupe users into thinking they are infected when in fact the app itself has added the infection.

You can read more about some of what it does on SiteAdvisor Review

 Post subject:
PostPosted: Fri Aug 18, 2006 10:30 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Well here is some interesting info about the asshats over at VirusRescue.

They tried to claim in a security forum called Security Cadets, run by AndyAtHull, one of our members here, that they were a legit outfit. rofl

It's amazing how far some of these idiots will go to try and discredit what security researchers find, even though the proof is in black and white.

And Moore over at Bluetack has more info.

Seems one of the people associated with it was\is also associated with SpyAxe, SpyFalcon and SpywareStrike.

And they are of course hosted on the notorious ESTDOMAINS INC .

 Post subject:
PostPosted: Fri Aug 18, 2006 12:25 pm 
Countermeasures Team

Joined: Tue Nov 15, 2005 12:53 pm
Posts: 76
Location: UK
It's funny what a bit of Kung-Fu does to shut them up. At least for the time being! :lol:

 Post subject:
PostPosted: Fri Aug 18, 2006 2:40 pm 
Site Admin

Joined: Sun May 15, 2005 12:42 pm
Posts: 3693
Location: Newcastle, UK
hehe, nice one Andy ;)

_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!



 Post subject:
PostPosted: Fri Aug 18, 2006 6:24 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Yes, Andy did indeed kick his ass. And I Dugg it too!! ;)

 Post subject:
PostPosted: Fri Aug 18, 2006 11:45 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
I forgot to add that PG has a write up too

 Post subject:
PostPosted: Thu Aug 31, 2006 3:44 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
New rogue out there, found by Bleeping Computers, called VirusBurst.

See here

Naturally it's quite similar to the other rogues. You'd think these asshats would figure out something that isn't almost an exact dupe of the last one, GUI-wise at least.

But that's ok, it makes noticing them that much easier for researchers.

I'm sure the SmithFraud tools will be updated quickly.

Bleeping Manual Removal

 Post subject:
PostPosted: Fri Sep 01, 2006 9:25 am 
Countermeasures Team

Joined: Tue Nov 15, 2005 12:53 pm
Posts: 76
Location: UK
There are many links now. Including a detailed article by BlueTack

I've said this before. We may beat their web-page before they get put into the search engines

 Post subject:
PostPosted: Mon Sep 04, 2006 11:37 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Well Bleeping found a couple of new files:
C:\Windows\System32\gtpbx.dll

C:\Windows\System32\duxzj.dll


Bleeping Computer Blog

 Post subject:
PostPosted: Sat Sep 09, 2006 2:18 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Two new files from VirusBurst:
C:\Windows\System32\wuwbxp.dll
C:\Windows\System32\oqabf.dll


Bleeping Computer

 Post subject:
PostPosted: Thu Sep 14, 2006 9:24 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Two new infectors were discovered today for VirusBurst. The files are:

C:\Windows\System32\qxfgcg.dll
C:\Windows\System32\syycum.dll


Bleeping Computing Blog

 Post subject:
PostPosted: Tue Sep 19, 2006 6:23 am 
Countermeasures Team

Joined: Tue Nov 15, 2005 12:53 pm
Posts: 76
Location: UK
New affiliates/installers that are related to VirusBurst. X Password Generator - Thanks to Jahewi. No digg-ity

Read his post on his site. Has all the HJT entries you need.

C:\WINDOWS\System32\syycum.dll

 Post subject:
PostPosted: Wed Sep 20, 2006 11:33 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
A new infector was discovered today for VirusBurst. The file is:

C:\Windows\System32\titiau.dll

Bleeping Computer

 Post subject:
PostPosted: Thu Sep 28, 2006 2:03 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
New variants of VirusBurst found and added to SmithFraudFix detection database:
C:\Windows\System32\httge.dll
C:\Windows\System32\gqagksr.dll

 Post subject:
PostPosted: Mon Oct 09, 2006 7:15 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Three new VirusBurst infection files found today:
C:\WINDOWS\System32\tazth.dll
C:\WINDOWS\system32\dpfwu.dll
C:\WINDOWS\System32\ficqv.dll

Bleeping Computer
