How to delete Smitfraud - Removal tool, fix instructions

Name: Smitfraud

Aliases: Adware/Smitfraud, W32/Smitfraud.A, Trojan-Spy.HTML.Smitfraud.a, Phish-BankFraud.eml, Trojan.Bankfraud, HTML.Phishing.Bank-1, HTML/Smithfraud.gen

Type: Spyware

Size: 123,718

First appeared on: 08.06.2005

Damage: Low

Brief Description:
Smitfraud is an adware program that infects the Windows file WININET.DLL with the virus detected as W32/Smitfraud.A.

The infected DLL (Dynamic Link Library) hooks all the calls to the function HttpSendRequest, and as a result the adware is able to log the web pages accessed by the user and send this information to a server, or download and run a file that installs a so-called antispyware program on the computer, stealthily and without user consent.

This program changes the Windows Desktop to a picture that simulates a Windows fatal error, warning users that they have been affected by Trojan-Spy.HTML.Smitfraud.c. Messages of this kind attempt to trick users into purchasing the fake antispyware program.

Smitfraud is installed on the affected computer by other adware, detected as CWS.YEXE, which is downloaded while accessing several adult sites or pirated software sites.

Visible Symptoms:

Smitfraud is easy to recognize once it has affected the computer, as it installs a so-called antispyware program that changes the Windows Desktop to the following, in an attempt to pass itself off as a Windows fatal error (also known as the blue screen of death):

Security warning.
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) * 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

  • System can not function in normal mode.
  • Please check your security settings.

Scan your PC with available antivirus / spyware remover program to fix the problem.

Technical description:

Smitfraud carries out the following actions:

  • It infects the Windows file WININET.DLL with the virus detected as W32/Smitfraud.A. The infected DLL (Dynamic Link Library) hooks all the calls to the function HttpSendRequest.
  • By using the infected DLL, Smitfraud is able to:
    • Log the web pages accessed by the user and send them to any of the following servers: http:// ecjnoe3inwe. com, http:// fjrewcer32. com or http:// dkjfwekjnc4. com.
    • If the function is called from Internet Explorer, it will download and run a file, which is the installer for the so-called antispyware program PSGuard.
  • It installs PSGuard without user consent.
  • PSGuard changes the Windows Desktop to a picture that simulates a Windows fatal error, warning users that they have been affected by Trojan-Spy.HTML.Smitfraud.c.

Messages of this kind attempt to trick users into purchasing the fake antispyware program.

Smitfraud creates the following files:

  • OLEADM32.DLL in the Windows system directory. The adware will attempt to replace the Windows file WININET.DLL with this file when the computer is started. It is a modified version that hooks all calls to the function HttpSendRequest and transfers them to OLEADM.DLL instead. OLEADM32.DLL is detected as W32/Smitfraud.A.
  • OLEADM.DLL in the Windows system directory. All the calls to the function HttpSendRequest are transferred to this DLL, which:
    • Sends the web pages accessed by the user to one of three possible servers: http:// ecjnoe3inwe. com, http:// fjrewcer32. com or http:// dkjfwekjnc4. com.
    • If the function is called by Internet Explorer, it will download and run a file called PSGUARDINSTALL.EXE from the website http:// download. psguard. com.
  • WP.BMP. This is the picture displayed on the Windows Desktop.
  • UNINSTIU.EXE, in the Windows directory. This is the file that is executed when the user attempts to uninstall the adware using the Control Panel.
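
The network behaviour described above (reports sent to three servers, plus the PSGUARDINSTALL.EXE download) can be hunted for in web proxy logs. The following is an added example, not part of the original description or of any vendor tool; the log layout, the client addresses and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from this page in its defanged spelling (spaces kept).
DEFANGED_REPORTING = ["ecjnoe3inwe. com", "fjrewcer32. com", "dkjfwekjnc4. com"]
DEFANGED_INSTALLER = "download. psguard. com"
INSTALLER_FILE = "psguardinstall.exe"

def refang(host):
    """Strip the spaces the page inserts so hosts compare exactly."""
    return host.replace(" ", "").lower()
REPORTING_HOSTS = {refang(h) for h in DEFANGED_REPORTING}
INSTALLER_HOST = refang(DEFANGED_INSTALLER)

def classify(url):
    """Return 'reporting', 'installer' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if host in REPORTING_HOSTS:
        return "reporting"
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if host == INSTALLER_HOST and filename == INSTALLER_FILE:
        return "installer"
    return None

def hunt(log_lines):
    """Map each client IP to the indicator types it requested."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        kind = classify(fields[3])
        if kind:
            hits[fields[1]].add(kind)
    return dict(hits)

# Constructed sample (not real traffic); assumed layout: <time> <client_ip> <method> <url>
R = refang(DEFANGED_REPORTING[1])
SAMPLE_LOG = [
    "2005-06-09T10:01:02 10.0.0.5 GET http://example.org/index.html",
    f"2005-06-09T10:01:03 10.0.0.5 POST http://{R.upper()}/",
    f"2005-06-09T10:01:09 10.0.0.5 GET http://{INSTALLER_HOST}/PSGUARDINSTALL.EXE",
    f"2005-06-09T10:02:00 10.0.0.7 GET http://{R}.example.net/",  # look-alike host
    "truncated line",
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Hosts are compared exactly rather than by substring, so the look-alike host in the sample is not flagged.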

Smitfraud creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet update
    By creating this entry, Smitfraud is displayed in the Control Panel, option Add/Remove Programs with the name Internet Update, so as to be confused with a legitimate Windows application.
    If the user attempts to uninstall the adware using the Control Panel, Smitfraud only removes its picture from the Windows Desktop. However, all the files it has created will remain on the affected computer.

Propagation:

Smitfraud is installed on the affected computer by other adware, detected as CWS.YEXE, which is downloaded while accessing several adult sites or pirated software sites.