WARNING: Remember that malware is often embedded in your registry. Whenever you delete or modify anything in the registry you MUST be cautious, as you could possibly do irreparable damage to your operating system.
Trojan-Spy.HTML.SMITHFRAUD.C
TABLE of Contents
INTRO
A. What is Trojan-Spy.HTML.Smithfraud
B. Symptoms
STEP 1. SYSTEM PREPARATION
A. Show Hidden Files
B. Make Smithfraud.txt
C. Make Malware.txt
D. Download Smithfraud.reg
E. GET KILLBOX
STEP 2. DELETE the MALWARE
A. Boot into Safemode
B. Use KILLBOX to remove malware
C. Remove ScareWare
INTRO. Hi, I’m SMITHFRAUD. I WANT TO PROTECT YOU.
A. What is Trojan-Spy.HTML.Smithfraud?
Smithfraud is what I like to call ScareWare. It is malware that tries to scare you into using some so-called spyware protection called “Security IGuard.” More on Smithfraud.
B. Some of the Symptoms of the Trojan-Spy.HTML.SMITHFRAUD:
- System running extra slow
- Cannot use Task Manager
- Cannot change desktop
You will also see:
“A fatal error in IE has occured at 0028:C0011E36 in VXD VMM01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smithfraud.c”
This will be displayed on your desktop and on a black screen when you reboot your system.
Printing out the following instructions will make it easier for you:
STEP 1. SYSTEM PREPARATION
A. SHOW ALL HIDDEN FILES:
Windows 95
• Open My Computer.
• Select the View menu and click Options.
• Select the View Tab.
• Select the Show all files Radio Button.
• Click OK.
Windows 98
• Open My Computer.
• Select the View menu and click Folder Options.
• Select the View Tab.
• In the Hidden files section select Show all files.
• Click OK.
Windows ME (Get rid of this horrible OS)
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
• Click Start, Programs and Accessories and open Windows Explorer.
• Select a hard drive from the left hand side of the Windows Explorer window.
• Select View the Entire contents of this drive.
Windows 2000
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
Windows XP
• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
B. Copy the text below into a text file called Smithfraud.txt
Put it on your desktop (this is a list of bad files). Although you can just type them manually, it's best to copy and paste so you don’t have typos.
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C. Copy and paste the following text into a file called Malware.txt
Put it on your desktop (this is a list of bad files). Although you can just type them manually, it's best to copy and paste so you don’t have typos.
C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\FLEOK
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\TEMP\SAHUpdate
C:\WINDOWS\Application Data\Lycos
C:\WINDOWS\TEMP\msview.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\SYSTEM\wb.dll
C:\WINDOWS\SYSTEM\CometTB.dll
C:\WINDOWS\SYSTEM\CometTB.exe
C:\WINDOWS\SYSTEM\Agent.dll
C:\WINDOWS\SYSTEM\nostalgia.dll
C:\WINDOWS\SYSTEM\OMsetup.exe
C:\WINDOWS\SYSTEM\cm1.dll
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\SYSTEM\Xcite.exe
C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\msss.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\TEMP\saveinstwm.exe
C:\WINDOWS\TEMP\MSView.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
C:\WINDOWS\TEMP\__unin__.exe
C:\WINDOWS\msxmidi.exe
C:\RECYCLED\DC1\unbzip2s.dll
C:\RECYCLED\DC8.EXE
C:\wp.bmp
D. Download SmithFraud Reg
It is best to save Smithfraud.reg to your desktop (so you can find it). DO NOT double-click on it yet.
Right-click on this link and "Save As":
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
E. GET KILLBOX
Download Killbox. Unzip it to the desktop.
STEP 2. DELETE the MALWARE
A. Boot into SAFE MODE
Getting into Safe Mode on Windows is easy.
Reboot your computer and HIT the “F8” Function Key like crazy.
If it doesn’t work, try again. The system should ask you what mode you want to boot in. You want “Safe Mode” or “Safe Mode with Networking”.
MORE ON SAFE MODE
B. Use KillBox to remove the Malware
Once you are in Safe Mode you will be able to delete all the unwanted malware. Use Malware.txt and Smithfraud.txt on your desktop to copy and paste each path (e.g. c:\wp.bmp) into Killbox and click the “X” to remove them.
You will be prompted to reboot each time you delete one of the files. Choose “NO” until you are finished.
C. Remove ScareWare files that were possibly added by Trojan.spy.smithfraud.c
Go to Start > Control Panel > Add or Remove Programs and remove
the following programs, if found:
- Security IGuard
- Virtual Maid
- Search Maid
Exit Add/Remove Programs.
Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following process (if it is running):
wsys.exe
Exit the Task Manager when finished.
TO KILL ALL THE “TROJAN-SPY.HTML.SMITFRAUD.C” FILES
AT ONCE AUTOMATICALLY:
Double-click Killbox.exe to run it.
Select "Delete on Reboot".
You’ll need the text you copied into your SMITHFRAUD.TXT (highlight ALL of the paths and press CTRL + C).
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
STEP 3. RUN SMITHFRAUD.REG
Locate "smitfraud.reg" on your desktop and double-click it.
When asked if you want to update the registry, click YES. Wait for the "Smitfraud.reg has been successfully added to the registry"
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
If you haven't already done so, right-click on the link and download it to the desktop. As your last step, click on the smitfraud.reg file. It will ask you if you are sure; click "yes." Registry edits do not take hold until you reboot. This edit just cleans up some of the Smithfraud files from your registry.
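A check to run after the final reboot, added here as an example (it is not part of the original guide or of Killbox): it reads a list in the Smithfraud.txt / Malware.txt format, collapses repeated entries (Windows paths ignore case), and reports which listed files still exist. The function names and the sample list are constructed for illustration, and treating "asmfiles.cab[asm.exe]" as a file inside the .cab is an assumption.

```python
import ntpath
import os

# Constructed sample: a few entries from the two lists on this page, including
# one path repeated in different case and the "cab[member]" entry.
SAMPLE_LIST = r"""
C:\wp.exe
C:\wp.bmp
C:\WINDOWS\TEMP\msview.inf
C:\WINDOWS\TEMP\MSView.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
"""

def parse_list(text):
    """Return the unique on-disk paths named in a list, in first-seen order."""
    seen, paths = set(), []
    for entry in (line.strip() for line in text.splitlines()):
        # Assumption: "file.cab[member]" names a file inside an archive, so
        # only the container can be checked on disk.
        if entry.endswith("]") and "[" in entry:
            entry = entry[:entry.rindex("[")]
        key = ntpath.normcase(ntpath.normpath(entry))  # Windows ignores case
        if entry and key not in seen:
            seen.add(key)
            paths.append(entry)
    return paths

def exists_nocase(root, parts):
    """Walk root one component at a time, matching names without regard to case."""
    for part in parts:
        try:
            names = os.listdir(root)
        except OSError:  # missing folder, or a file where a folder was expected
            return False
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return False
        root = os.path.join(root, match)
    return True

def remaining(text, root):
    """Entries from the list that still exist under root (the drive's top folder)."""
    return [p for p in parse_list(text) if exists_nocase(
        root, [c for c in ntpath.splitdrive(p)[1].split("\\") if c])]

if __name__ == "__main__":
    # Check the sample against a drive root, e.g. "C:\\" on the cleaned machine.
    print(remaining(SAMPLE_LIST, "C:\\"))
```

An empty result means none of the listed files were found; any path it prints is still on disk and needs another pass with Killbox.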
Many trojan and virus fixes can be found on Bleeping Computer's site. It is an excellent resource.
Here are some free scans to check and make sure there are no holes left in your network:
These are sites that allow you to scan your system from the outside. It is a very simple penetration test.
Sygate
GRC
If your system is exposed to the Internet, go to my Broadband Internet Security Site.
If ALL else fails and you have already backed up your data (or don't need to), reload your operating system. That will fix everything! Secure your system or you will get more malware for sure.
FIN.
References:
http://www.xtra.co.nz - Show Hidden files
http://www.bleepingcomputer.com - smithfraud.reg
http://www.viruslist.com - Trojan-Spy.HTML.Smithfraud.c
http://forum.us.dell.com - Scanners
http://www.geekstogo.com - Trojan-Spy.HTML.Smithfraud.c removal (thanks to “thatman” with the GeekSquad Staff)
http://www.geekstogo.com - GREAT STUFF
http://www.atribune.org - Killbox (mad props to Option^X)
http://www.pchell.com - Safe Mode
http://www.webhelper4u.com - Hijacking Scare ads
List of more removal tools:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41
http://www.netrn.net/spywareblog/