SmitFraud attacks show fake antispyware program popups on your screen and/or a balloon popup from the Windows system tray, displaying a warning that your computer is infected with spyware and telling you to purchase, download and install their program to remove it. The creator of each popup is an affiliate of the particular antispyware program being promoted, so each time an unsuspecting user purchases the advertised program in hopes of removing the trojan, the person behind the attack gets paid.
Smitfraud variants:
Smitfraud-c
Smitfraud-g
Smitfraud-C.Coreservice
Smitfraud-a
Smitfraud
W32.Smitfraud
Trojan.Smitfraud
SmitFraud automatic removal tool:
Smitfraud manual removal:
Remove SmitFraud files:
Remove SmitFraud registry entries:
Search the Windows registry for {D5BC2651-6A61-4542-BF7D-84D42228772C} entry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet update
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\(Default)=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=[site address]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msn messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFY