What is “Smitfraud”
SmitFraud, also detected as W32/SmitFraud.A, is a type of spyware that installs itself on a computer through adware, without the user's knowledge. Most of the time it arrives after the user installs a fake codec such as BrainCodec, PCodec or VideoKeyCodec. It infects a Windows DLL with a computer virus. SmitFraud then changes the infected computer's desktop background either to an imitation of the Blue Screen of Death or to some other background displaying a fake error message.
Infected users also receive notifications urging them to install a fake anti-spyware program such as Spylocked, Spydawn, SpySheriff, SpyAxe or Spyware Quake to remove the spyware. After a fake scan, the program asks the user to pay for the full version before it will remove the spyware it claims to have found. Once the user pays, the notifications disappear and the background returns to normal, but the infection remains.
The name SmitFraud is now also used generically for infections in which users receive fake alerts that lure them into installing an affiliated fake or rogue anti-spyware product, with or without the user's knowledge.
Types of known Smitfraud
Desktop Hijack malware:
AdwarePunisher, AdwareSheriff, AlphaCleaner, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntiVirGear, AntivirusGolden, AVGold, BraveSentry, IE Defender, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, PestCapture, PestTrap, PSGuard, quicknavigate.com, Registry Cleaner, Security iGuard, Smitfraud, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareSheriff, SpywareStrike, Startsearches.net, TitanShield Antispyware, Trust Cleaner, UpdateSearches.com, Virtual Maid, Virus Protect, Virus Protect Pro, VirusBlast, VirusBurst, VirusRay, Win32.puper, WinHound, Brain Codec, DirectAccess, DirectVideo, EliteCodec, eMedia Codec, EZVideo, FreeVideo, Gold Codec, HQ Codec, iCodecPack, iMediaCodec, Image ActiveX Object, Image Add-on, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, Online Image Add-on, Online Video Add-on, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, PrivateVideo, QualityCodec, Silver Codec, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, Video Add-on, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinAntiSpyPro, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec.
Smitfraud manual removal:
*I would not recommend this method because the manual removal process is rather complex and can lead to undesirable results. Take caution and make sure you fully understand what you are doing.
Kill processes:
bsw.exe, helper.exe, hookdump.exe, intmon.exe, intmonp.exe, msmsgs.exe, msole32.exe, ole32vbs.exe, popuper.exe, shnlog.exe, uninstiu.exe, winhook.exe, winstall.exe, wp.exe, zloader3.exe
HELP: how to kill malicious processes
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msn messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\(Default)=[site address]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet update
Also search the Windows registry for the {D5BC2651-6A61-4542-BF7D-84D42228772C} entry.
HELP: how to remove registry entries
Unregister DLLs:
wldr.dll
HELP: how to unregister malicious DLLs
Delete files:
bsw.exe, helper.exe, hookdump.exe, intmon.exe, intmonp.exe, msmsgs.exe, msole32.exe, ole32vbs.exe, popuper.exe, shnlog.exe, uninstiu.exe, winhook.exe, winstall.exe, wp.exe, zloader3.exe, hhk.dll, oleadm.dll, oleadm32.dll, param32.dll, wldr.dll, hp[X].tmp, perfcii.ini, sites.ini, wp.bmp
HELP: how to remove harmful files
Delete directories:
C:\Windows\System\Log Files
C:\Windows\System32\Log Files
C:\Winnt\System32\Log Files
Misc:
Smitfraud does not install all of the listed objects. It creates only some of them, depending on its variant. [X] is a set of four random characters.
Exact file location:
bsw.exe, winstall.exe, wp.exe – C:
popuper.exe, uninstiu.exe, zloader3.exe, sites.ini – C:\Windows or C:\Winnt
wp.bmp – C: and C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
helper.exe, hookdump.exe, intmon.exe, intmonp.exe, msmsgs.exe, msole32.exe, ole32vbs.exe, shnlog.exe, winhook.exe, hhk.dll, oleadm.dll, oleadm32.dll, param32.dll, wldr.dll, hp[X].tmp, perfcii.ini – C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
In some cases it might be necessary to replace the infected wininet.dll file with a clean copy. wininet.dll is a system file located in the default system directory, which is one of the following: C:\Windows\System, C:\Windows\System32, C:\Winnt\System32.
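Before working through the removal steps by hand, a defender will usually want to confirm which of the indicators above are actually present on the machine. The following PowerShell script is an added example, not part of the original article: it only reads and reports (processes, Run values, the BHO CLSID, the Internet Explorer start-page values and dropped files) and deletes nothing, so it can be run first as a triage step. It assumes $env:windir is the C:\Windows or C:\Winnt directory the article refers to.

```powershell
# Added example, not from the original article: read-only triage for the
# SmitFraud indicators listed above. It reports findings and deletes nothing.
# Assumption: $env:windir is the C:\Windows or C:\Winnt directory named above.
$Processes = @('bsw','helper','hookdump','intmon','intmonp','msmsgs','msole32',
               'ole32vbs','popuper','shnlog','uninstiu','winhook','winstall','wp','zloader3')
$Files = @('hhk.dll','oleadm.dll','oleadm32.dll','param32.dll','wldr.dll',
           'perfcii.ini','sites.ini','wp.bmp') + ($Processes | ForEach-Object { "$_.exe" })
$Dirs = @("$env:SystemDrive\", $env:windir, "$env:windir\System", "$env:windir\System32")
$RunValues = @('WindowsFY','WindowsFZ','msn messenger')
$BhoClsid = '{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}'
$Findings = New-Object System.Collections.Generic.List[string]
# 1. Running processes whose image name is on the list (-contains ignores case).
foreach ($p in Get-Process) {
    if ($Processes -contains $p.ProcessName) {
        $Findings.Add("process: $($p.ProcessName) (PID $($p.Id)) $($p.Path)")
    }
}
# 2. Autostart values under the machine-wide Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in $RunValues) {
    if ($run -and $run.PSObject.Properties[$v]) {
        $Findings.Add("registry: $runKey\$v = $($run.$v)")
    }
}
# 3. Browser Helper Object registered under the all-F CLSID.
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
if (Test-Path -LiteralPath $bhoKey) { $Findings.Add("registry: BHO $BhoClsid is registered") }
# 4. Internet Explorer start/search values the article lists as hijacked;
#    print them so the reviewer can judge whether each URL is legitimate.
$ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($n in 'Default_Page_URL','Default_Search_URL','Search Bar','Search Page','Local Page') {
    if ($ieMain -and $ieMain.$n) { $Findings.Add("review: IE Main\$n = $($ieMain.$n)") }
}
# 5. Dropped files and the 'Log Files' directory in the locations the article names;
#    hp????.tmp matches hp[X].tmp, where [X] is four random characters.
foreach ($d in $Dirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    foreach ($f in ($Files + 'Log Files')) {
        $path = Join-Path $d $f
        if (Test-Path -LiteralPath $path) { $Findings.Add("path: $path") }
    }
    Get-ChildItem -LiteralPath $d -Filter 'hp????.tmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("path: $($_.FullName)") }
}
if ($Findings.Count -eq 0) { 'No SmitFraud indicators found.' } else { $Findings }
```

Run it from an elevated PowerShell prompt; the "review:" lines are not verdicts, only the Internet Explorer values a hijacker would have rewritten, shown for inspection.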