
Spyware/SmitFraud

Alias: SmitFraud, Smitfraud.c, Trojan-Spy.HTML.Smitfraud.c, Trojan-Spy.HTML

Description:

The Smitfraud.c virus is a dangerous trojan that belongs to the family of Trojan Spies. It can track and save the user's activity on the system: information about the user's keystrokes, screenshots, logs of active applications and other user actions is collected and then passed on to the virus's master server. Smitfraud.c is also a Desktop Hijacker that changes the Windows Desktop to a picture that simulates a Windows fatal error, warning users that they have been affected by Trojan-Spy.HTML.Smitfraud.c. These kinds of messages attempt to trick users into purchasing the fake antispyware program. A sample error message could look like the following:

Security warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

* System can not function in normal mode.
* Please check you security settings.
* Scan your PC with any avaliable antivirus / spyware remover program to fix the problem.



Threat type:

Hijacker - A Hijacker is a software application that takes control of your browser's settings. Usually it changes your home page and redirects it to some unknown site or modifies your search settings. It prevents you from changing back your browser's settings. An infected browser usually operates much slower.

Spyware - Spyware is any software application that gathers information from the user's PC and transmits it to the Spyware author (usually hackers, but sometimes corporations). The information is gathered and transmitted without the user's knowledge or consent. Spyware applications may steal sensitive corporate information and transmit it to competitors. Spyware also degrades PC performance and can consume huge amounts of bandwidth, especially on corporate servers.

Trojan - A Trojan or Trojan Horse is any program that installs itself secretly, quite often with sinister intent. Once installed, the trojan author (hacker) can gain complete control of the infected PC. Trojans are usually designed to steal sensitive information and/or destroy the system. Trojans can be distributed as unsolicited email attachments, or bundled with freeware and shareware programs.


Advice: Remove

This is a very high risk threat and should be removed immediately to prevent harm to your computer or your privacy.

Detection:
SpyNoMore detects Spyware/SmitFraud: Yes

Threat risk: Very High Risk
Extremely dangerous malware. Uses stealth installation, randomly named entries and has the capability to self update or resurrect after incomplete removal. Almost impossible to remove manually. Category mostly consists of trojans and spyware.

Symptoms:

Desktop wallpaper becomes hijacked by a black screen containing the message "your computer is infected with smitfraud virus/spyware, click here for removal".

Pop-up balloon messages claiming that your PC is infected.

Presence of the following files:
   C:\wp.exe
   C:\wp.bmp
   C:\bsw.exe
   C:\WINDOWS\sites.ini
   C:\WINDOWS\popuper.exe
   C:\WINDOWS\system32\hhk.dll
   C:\WINDOWS\System32\helper.exe
   C:\WINDOWS\System32\intmonp.exe
   C:\WINDOWS\System32\msmsgs.exe
   C:\WINDOWS\System32\ole32vbs.exe
   C:\WINDOWS\system32\msole32.exe
   C:\WINDOWS\System32\shnlog.exe
   C:\WINDOWS\System32\intmon.exe



Spyware/SmitFraud Signature Details: The following information includes some of the standard signatures associated with this spyware threat. Please do not attempt to manually remove these items from your computer. Removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity. Should you be infected with Spyware/SmitFraud, you can clean your computer by downloading SpyNoMore now.

Running Process Signatures:

File Signatures:
%WINDOWS%\system32\spam.ico
%WINDOWS%\system32\param32.dll
%WINDOWS%\system\guninst.exe
%WINDOWS%\sites.ini
%WINDOWS%\system32\mobile.ico
%WINDOWS%\system32\games.ico
%WINDOWS%\system32\spyware.ico
%WINDOWS%\system32\vzvbvs.exe
%WINDOWS%\system32\scanner.ico
%WINDOWS%\system32\casino.ico
%WINDOWS%\system32\hhk.dll
%WINDOWS%\system32\helper.exe
%WINDOWS%\system32\pharm2.ico
%WINDOWS%\system32\intmonp.exe
%WINDOWS%\system32\shnlog.exe
%WINDOWS%\system32\pharm.ico
%WINDOWS%\system32\intmon.exe
c:\bsw.exe
%WINDOWS%\popuper.exe
%WINDOWS%\system32\msole32.exe
%WINDOWS%\system32\msmsgs.exe
%WINDOWS%\system32\date.ico
%WINDOWS%\system32\ole32vbs.exe
%WINDOWS%\system32\network.ico


Registered Dll (Dynamic Link Library) Signatures:

Internet Explorer Integration:

Folder Signatures:
%WINDOWS%\system32\log files
%PROGRAM_FILES%\virtual maid
%PROGRAM_FILES%\search maid

Registry Signatures:
N/A

SpyNoMore Collected Residual File Signatures:


Copyright © 2005-2008 Illysoft LLC