Remove SMITHFRAUD

WARNING: Remember that malware is often embedded in your registry. Whenever you delete or modify anything in the registry you MUST be cautious, as you could do irreparable damage to your operating system.

 

Trojan-Spy.HTML.SMITHFRAUD.C TABLE of Contents

Intro. Hi, I'm SMITHFRAUD. I WANT TO PROTECT YOU.

A. What is Trojan-Spy.HTML.Smithfraud
B. Symptoms

Step 1. System Preparation

A. Show Hidden Files
B. Make Smithfraud.txt
C. Make Malware.txt
D. Download Smithfraud.reg
E. GET KILLBOX

Step 2. Remove Malware

A. Boot into Safemode
B. Use KILLBOX to remove malware
C. Remove ScareWare

Step 3. Run smithfraud.reg

INTRO. Hi, I’m SMITHFRAUD. I WANT TO PROTECT YOU.

A. What is Trojan-Spy.HTML.Smithfraud?

Smithfraud is what I like to call ScareWare. It is malware
that tries to scare you into using some so-called spyware protection
called “Security IGuard.” More on Smithfraud.

B. Some of the Symptoms of the Trojan-Spy.HTML.SMITHFRAUD:

  • System running extra slow
  • Cannot use Task Manager
  • Cannot change desktop

You will also see:
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM01) +
00010E36. Error was caused by Trojan-Spy.HTML.Smithfraud.c

This will be displayed on your desktop and on a black screen when you reboot your system.


Printing out the following instructions will make it easier for you:

STEP 1. SYSTEM PREPARATION

A. SHOW ALL HIDDEN FILES:

Windows 95
• Open My Computer.
• Select the View menu and click Options.
• Select the View Tab.
• Select the Show all files Radio Button.
• Click OK.
Windows 98
• Open My Computer.
• Select the View menu and click Folder Options.
• Select the View Tab.
• In the Hidden files section select Show all files.
• Click OK.
Windows ME (Get rid of this horrible OS)
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
• Click Start, Programs and Accessories and open Windows Explorer.
• Select a hard drive from the left hand side of the Windows Explorer window.
• Select View the Entire contents of this drive.
Windows 2000
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
Windows XP
• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

B. Copy this text below into a text file called Smithfraud.txt

Put it on your desktop (this is a list of bad files). Although you can just type them manually, it's best to copy and paste so you don’t have typos.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


C. Copy and Paste the following text into a file called Malware.txt

Put it on your desktop (this is a list of bad files). Although you can just type them manually, it's best to copy and paste so you don’t have typos.

C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\FLEOK
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\TEMP\SAHUpdate
C:\WINDOWS\Application Data\Lycos
C:\WINDOWS\TEMP\msview.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\SYSTEM\wb.dll
C:\WINDOWS\SYSTEM\CometTB.dll
C:\WINDOWS\SYSTEM\CometTB.exe
C:\WINDOWS\SYSTEM\Agent.dll
C:\WINDOWS\SYSTEM\nostalgia.dll
C:\WINDOWS\SYSTEM\OMsetup.exe
C:\WINDOWS\SYSTEM\cm1.dll
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\SYSTEM\Xcite.exe
C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\msss.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\TEMP\saveinstwm.exe
C:\WINDOWS\TEMP\MSView.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
C:\WINDOWS\TEMP\__unin__.exe
C:\WINDOWS\msxmidi.exe
C:\RECYCLED\DC1\unbzip2s.dll
C:\RECYCLED\DC8.EXE
C:\wp.bmp


D. Download SmithFraud Reg

It is best to save Smithfraud.reg to your desktop (so you can find it). DO NOT double-click on it yet.

Right Click on this link and "Save As":
http://www.bleepingcomputer.com/files/reg/smitfraud.reg

 

E. GET KILLBOX

Download Killbox. Unzip it to the desktop.

 

STEP 2. DELETE the MALWARE

A. Boot into SAFE MODE

Getting into Safe Mode on Windows is easy.
Reboot your computer and HIT the “F8” Function Key like crazy.
If it doesn’t work, try again. The system should ask you what mode you want to
boot in. You want “Safe Mode” or “Safe Mode with Networking”.
MORE ON SAFE MODE

B. Use KillBox to remove the Malware

Once you are in Safe Mode you will be able to delete all the unwanted malware. Use Malware.txt and Smithfraud.txt on your desktop to copy and paste each path (e.g. c:\wp.bmp) into Killbox and click the “X” to remove it.

You will be prompted to reboot each time you delete one of the files. Choose “NO” until you are finished.
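
Before pasting paths into Killbox one at a time, it helps to know which of the listed files are actually present. The following is an added example, not part of the original guide: it de-duplicates a path list like Malware.txt and reports which entries exist on a volume. The function names are hypothetical, it assumes Python is available on the machine (or on a workstation where the affected drive is mounted), and it reads the `[asm.exe]` suffix as scanner notation for a member inside the .cab archive.

```python
import ntpath
import os
import re

# Excerpt of the page's Malware.txt/Smithfraud.txt lists (note repeats and mixed case).
SAMPLE_LIST = r"""
C:\wp.bmp
C:\Windows\System32\intmon.exe
C:\WINDOWS\TEMP\msview.inf
C:\WINDOWS\TEMP\MSView.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
"""

def parse_path_list(text):
    """Return unique paths in first-seen order; Windows paths compare case-insensitively."""
    seen, paths = set(), []
    for line in text.splitlines():
        # Assumption: "x.cab[member.exe]" names a file inside x.cab; keep the archive path.
        path = re.sub(r"\[[^\]]*\]$", "", line.strip())
        if path and path.lower() not in seen:
            seen.add(path.lower())
            paths.append(path)
    return paths

def resolve(root, win_path):
    """Map a C:\\... path under `root`, matching each component case-insensitively."""
    _drive, rest = ntpath.splitdrive(win_path)
    current = root
    for part in filter(None, rest.split("\\")):
        try:
            entries = os.listdir(current)
        except OSError:  # missing, not a directory, or unreadable
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def triage(root, text):
    """Split the listed paths into (present, absent) for the volume at `root`."""
    present, absent = [], []
    for path in parse_path_list(text):
        (present if resolve(root, path) else absent).append(path)
    return present, absent

if __name__ == "__main__":
    print(triage("C:\\", SAMPLE_LIST))
```

Only the paths in the first returned list need to go into Killbox; pass the mount point instead of `C:\` when checking a drive attached to another machine.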

C. Remove ScareWare files that were possibly added by Trojan.spy.smithfraud.c

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

  • Security IGuard
  • Virtual Maid
  • Search Maid

Exit Add/Remove Programs.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following process (if it is running):

wsys.exe

Exit the Task Manager when finished.



TO KILL ALL THE “TROJAN-SPY.HTML.SMITFRAUD.C” FILES AT ONCE AUTOMATICALLY:


Double-click Killbox.exe to run it.

Select "Delete on Reboot".

You’ll need the text you copied into your SMITHFRAUD.TXT: open it, highlight ALL of the paths and press CTRL + C.

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

STEP 3. RUN SMITHFRAUD.REG

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to update the registry, click YES. Wait for the "Smitfraud.reg has been successfully added to the registry" message.

http://www.bleepingcomputer.com/files/reg/smitfraud.reg

If you haven't already done so, right-click on the link and download it to the desktop. As your last step, click on the smitfraud.reg file.

It will ask you if you are sure, click "yes." Registry Edits do not take hold until you reboot. This edit just cleans up some of the Smithfraud files from your registry.

Many trojan and virus fixes can be found on Bleeping Computer's site. It is an excellent resource.

Here are some free scans to check and make sure there are no holes left in your network:

These are sites that allow you to scan your system from the outside. It is a very simple penetration test.

Sygate
GRC

If your system is exposed to the Internet, go to my Broadband Internet Security Site.

If ALL else fails and you have already backed up your data (or don't need to), reload your operating system. That will fix everything! Secure your system or you will get more malware for sure.

FIN.

References:
http://www.xtra.co.nz -Show Hidden files
www.bleepingcomputer.com - smithfraud.reg
http://www.viruslist.com - Trojan-Spy.HTML.Smithfraud.c
http://forum.us.dell.com - Scanners
http://www.geekstogo.com - Trojan-Spy.HTML.Smithfraud.c removal (thanks to “thatman” with the GeekSquad Staff)
http://www.geekstogo.com - GREAT STUFF
http://www.atribune.org - Killbox (mad props to Option^X)

http://www.pchell.com - Safe Mode
http://www.webhelper4u.com - Hijacking Scare ads

List of more removal tools:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41
http://www.netrn.net/spywareblog/