What is Smitfraud?
- Type: Virus
- Category: Trojans and viruses
- Discovered: 1 June 2005
- Removal tools: Malwarebytes' Anti-Malware, Spyware Doctor
1. Introduction
Smitfraud infection installs itself into a computer without any user notice. It can be noticed by Blue Screen of Death - error screen displayed by Microsoft Windows. Smitfraud will display fake system error or security alert messages to scare PC user forcing him to buy assumed spyware protection software. Some of Windows important files can be replaced with infected ones. It is recommended to remove Smitfraud infection as soon as it has been detected.
2. Smitfraud removal tools:
- Malwarebytes' Anti-Malware (for the installation guide click here)
- Spyware Doctor (for the installation guide click here)
3. Screenshot:
4. Smitfraud files:
advsort.dll, iereport.dll, mssms.dll, ossmart.dll, tlhelp.dll, vpnconfig.dll, wmpdev.dll, wmphost.dllintel32.exe, intell321.exe, m00.exe, policyverifier.exe, printer.exe, PSGuard.exe, svchost.exe, SYSMONMS.EXE, wincrt.exe, winntify.exe, zloader3.exe
5. Hijackthis entries:
O4 Entries
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\[username]\svchost.exe
O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\[username]\Desktop\m00.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Windows Critical Alert] "C:\WINDOWS\system32\wincrt.exe"
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O21 Entries
O21 - SSODL: advsort - {Random CLSID} - C:\WINDOWS\advsort.dll
O21 - SSODL: iereport - {5A50E6E8-64AA-400D-BF2D-22A046F8A5A4} - C:\windows\iereport.dll
O21 - SSODL: mssms - {1427183A-8A2E-45B5-AA2A-D9228700B9C8} - C:\WINDOWS\mssms.dll
O21 - SSODL: ossmart - {Random CLSID} - C:\WINDOWS\ossmart.dll
O21 - SSODL: tlhelp - {Random CLSID} - C:\WINDOWS\tlhelp.dll
O21 - SSODL: vpnconfig - {Random CLSID} - C:\WINDOWS\vpnconfig.dll
O21 - SSODL: wmpdev - {Random CLSID} - C:\WINDOWS\wmpdev.dll
O21 - SSODL: wmphost - {Random CLSID} - C:\WINDOWS\wmphost.dll
O23 Entries
O23 - Service: Windows Notification Service (Winnotify) - Unknown owner - C:\WINDOWS\System32\winntify.exe
Other Entries
C:\Windows\policyverifier.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\[username]\svchost.exe
O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\[username]\Desktop\m00.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Windows Critical Alert] "C:\WINDOWS\system32\wincrt.exe"
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O21 Entries
O21 - SSODL: advsort - {Random CLSID} - C:\WINDOWS\advsort.dll
O21 - SSODL: iereport - {5A50E6E8-64AA-400D-BF2D-22A046F8A5A4} - C:\windows\iereport.dll
O21 - SSODL: mssms - {1427183A-8A2E-45B5-AA2A-D9228700B9C8} - C:\WINDOWS\mssms.dll
O21 - SSODL: ossmart - {Random CLSID} - C:\WINDOWS\ossmart.dll
O21 - SSODL: tlhelp - {Random CLSID} - C:\WINDOWS\tlhelp.dll
O21 - SSODL: vpnconfig - {Random CLSID} - C:\WINDOWS\vpnconfig.dll
O21 - SSODL: wmpdev - {Random CLSID} - C:\WINDOWS\wmpdev.dll
O21 - SSODL: wmphost - {Random CLSID} - C:\WINDOWS\wmphost.dll
O23 Entries
O23 - Service: Windows Notification Service (Winnotify) - Unknown owner - C:\WINDOWS\System32\winntify.exe
Other Entries
C:\Windows\policyverifier.exe