Smitfraud

By Domesticus in Trojans

Smitfraud Description

SmitFraud (also known as W32/SmitFraud.A) is a malicious spyware application that may install itself silently via adware. SmitFraud may also arrive on your computer bundled with a fake codec (such as BrainCodec, VideoKeyCodec or PCodec). SmitFraud is designed to inject corrupt code into a Windows DLL, which usually results in a Blue Screen of Death (a nasty desktop modification). SmitFraud may also generate misleading warning messages in order to scare gullible computer users into buying fraudulent anti-spyware applications. It is strongly recommended that you remove SmitFraud as soon as possible.

Type: Trojans


Smitfraud Technical Report

We will update this section as new Smitfraud details are reported by our customers and found by our Threat Research Center.

The following Smitfraud files, with their MD5 hashes, were created on the system:


Smitfraud typically has the following processes in memory:

  • hookdump.exe
  • msmsgs.exe
  • popuper.exe
  • hhk.dll
  • shnlog.exe
  • winstall.exe
  • drsmartload45a45m.exe
  • drsmartload192a[1].exe
  • drsmartload46a7i.exe
  • drsmartload45a7h.exe
  • drsmartload46a[1].exe
  • drsmartload849a[1].exe
  • drsmartload45v.exe
  • drsmartload100a[1].exe
  • drsmartload46a.exe
  • drsmartload1.exe
  • cproc.exe
  • tazth.dll
  • MTE3NDI6ODoxNg[1].exe
  • olnohdw.dll
  • ssqnool.dll
  • wjiio.exe
  • retadpu.exe
  • bndsrgxt.dll
  • domnftwmnf.dll
  • dxpvqlmtqn.dll
  • asgp32.dll
  • helper.exe
  • intmonp.exe
  • ole32vbs.exe
  • param32.dll
  • oleadm32.dll
  • winhook.exe
  • zloader3.exe
  • drsmartload849a849m.exe
  • drsmartload45a7i.exe
  • drsmartload.exe
  • drsmartload849a7h.exe
  • drsmartload45a[1].exe
  • oybgrql.dll
  • drsmartload849v.exe
  • drsmartload45a.exe
  • drsmartload95a.exe
  • ntsystem.exe
  • ixt2.dll
  • MTE3NDI6ODoxNgnew.exe
  • drsmartload815a.exe
  • arpl.exe
  • vtursro.dll
  • retadpu[2].exe
  • oembios32.dll
  • domnftwost.dll
  • domnftwlvq.dll
  • n2ewma1xxsv2234.exe
  • faceback.exe
  • bsw.exe
  • intmon.exe
  • msole32.exe
  • wldr.dll
  • oleadm.dll
  • uninstiu.exe
  • wp.exe
  • drsmartload46a46m.exe
  • dnr4019qe.dll
  • drsmartload849a7i.exe
  • drsmartload46a7h.exe
  • loader[1].exe
  • drsmartload849a8b5.exe
  • drsmartload46v.exe
  • atmtd.dll
  • drsmartload849a.exe
  • MTE3NDI6ODoxNg.exe
  • winetn32.dll
  • drsmartload44a[1].exe
  • drmv2clt.exe
  • retadpu77.exe
  • retadpu21.exe
  • retadpu[1].exe
  • retadpu1000106.exe
  • bndsrdkq.dll
  • domnftwwrn.dll
  • dxpvqlmqng.dll
  • gndarmblsnv.dll

Smitfraud creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmessenger
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL=[siteaddress]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\LocalPage=[siteaddress]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\(Default)=[siteaddress]
  • f79fd28e-36ee-4989-aa61-9dd8e30a82fa
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\64ba30a2-811a-4597-b0af-d551128be340
  • ed39ecef-902e-4ed1-8434-71e8db89e5ca
  • Microsoft\drsmartload2
  • 03413bf7-e34c-445b-bfc0-a2b127255871
  • dfa61db1-388e-4c87-8d56-540fa229bcb4
  • 5f938c17-fbc7-4a3c-8526-85e5b1a1f762
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\b292ec9f-a074-4115-8342-1f459702d8d2
  • MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\ssqnool
  • AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236
  • 6a307130-b248-4b23-b2b7-4498da8c977a
  • 1AC7107A-938F-4347-864C-C51E49EC586E
  • 9D2C4CFB-0C11-4658-9EF5-B05BED9CC447
  • D878CD49-CE41-4434-831D-EFC15D06D25C
  • 973ecdd8-1e81-4c28-b5a1-69966c0a2ce4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFZ
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=[siteaddress]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchPage=[siteaddress]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[siteaddress]
  • D5BC2651-6A61-4542-BF7D-84D42228772C
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\aea3d2df-2b2c-4d7b-81a0-d975c6dc088e
  • WMuse
  • 64ba30a2-811a-4597-b0af-d551128be340
  • Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\incestuously
  • f31aee4a-1530-4fef-8537-79c6973bff9a
  • Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\5f938c17-fbc7-4a3c-8526-85e5b1a1f762
  • Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\instcat
  • FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F
  • 0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B
  • C2DE4340-CB68-450F-90CD-9BE1A26739D7
  • C4248759-304D-477D-A1B3-F706CF99756D
  • 3808C05F-CFB0-4C9B-858D-851CC3EBB3BC
  • 8AC6FA22-65B6-41B0-B0BB-243F35B86E74
  • 4480F41F-F91F-4781-B1EA-30D261DA06AC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFY
  • FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchBar=[siteaddress]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch=[siteaddress]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internetupdate
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\decorin
  • 5839511e-ec1b-4f91-ace3-fb88e52f5239
  • aea3d2df-2b2c-4d7b-81a0-d975c6dc088e
  • 19452E5B-963F-4886-766D-0526284B6F61
  • Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\f31aee4a-1530-4fef-8537-79c6973bff9a
  • SOFTWARE\Policies\06849E9F-C8D7-4D59-B87D-784B7D6BE0B3
  • 27321538-5739-4aa1-b84c-7d18e4383f1f
  • b292ec9f-a074-4115-8342-1f459702d8d2
  • MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\vtursro
  • 3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A
  • 87EF7048-8905-4E82-862E-65004D4DFA80
  • 5085333B-FD15-4754-A571-852F7077C5F2
  • EACC5636-980A-4D26-9250-1CF418E6D1D1
  • BA6BD7B1-990F-4D05-8D6C-9CBAFCB3C7ED
  • 82B07A2B-F0AF-45FC-BE44-18D83B01EAD9
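As an added example that is not part of the original report, the following read-only PowerShell triage script checks a Windows host for the persistence locations (Run keys, Winlogon Notify packages, SharedTaskScheduler CLSIDs, Internet Explorer start and search values) and the process names listed above. The indicator names come from this page; the allow-list of expected hosts for the Internet Explorer values is an assumption, and names shared with real Windows binaries (csrss, services, msmsgs) are left out to avoid false positives.

```powershell
# Added example, not from the original report: read-only triage for the
# Smitfraud persistence locations and process names listed on this page.
$runNames    = @('msnmessenger', 'WindowsFZ', 'WindowsFY')          # Run value names from the report
$notifyNames = @('ssqnool', 'instcat', 'vtursro')                   # Winlogon\Notify subkeys
$stsClsids   = @('64ba30a2-811a-4597-b0af-d551128be340',            # SharedTaskScheduler CLSIDs
                 'b292ec9f-a074-4115-8342-1f459702d8d2',
                 'aea3d2df-2b2c-4d7b-81a0-d975c6dc088e',
                 '5f938c17-fbc7-4a3c-8526-85e5b1a1f762',
                 'f31aee4a-1530-4fef-8537-79c6973bff9a')
$ieValues    = @('Default_Page_URL', 'Default_Search_URL', 'LocalPage', 'SearchPage', 'SearchBar')
# Process names from the report that have no legitimate Windows counterpart
# (csrss, services and msmsgs are omitted because real Windows binaries share those names).
$procPattern = '^(popuper|shnlog|winstall|intmonp?|ole32vbs|winhook|zloader3|ntsystem|msole32|uninstiu|wjiio|retadpu\w*|arpl|faceback|drsmartload\w*)$'
# Assumption: IE start/search values pointing anywhere but these hosts deserve a look.
$knownHosts  = 'microsoft\.com|msn\.com|live\.com'
$findings = New-Object System.Collections.Generic.List[string]
# 1. Run keys in both hives
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($n in $runNames) {
        if ($props -and $props.PSObject.Properties[$n]) { $findings.Add("Run value $n = $($props.$n) in $key") }
    }
}
# 2. Winlogon\Notify packages: DLLs winlogon loads at logon
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue |
    Where-Object { $notifyNames -contains $_.PSChildName } |
    ForEach-Object { $findings.Add("Winlogon Notify package: $($_.PSChildName)") }
# 3. SharedTaskScheduler entries: CLSIDs Explorer loads at start (value names may carry braces)
foreach ($hive in 'HKLM', 'HKCU') {
    $sts = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
    $props = Get-ItemProperty -Path $sts -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $stsClsids -contains $_.Name.Trim('{}') } |
            ForEach-Object { $findings.Add("SharedTaskScheduler entry $($_.Name) in $sts") }
    }
}
# 4. Internet Explorer start/search page hijack values
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($v in $ieValues) {
    $val = if ($ieMain) { $ieMain.$v } else { $null }
    if ($val -and $val -notmatch $knownHosts) { $findings.Add("IE Main\$v = $val") }
}
# 5. Processes currently running under names from the report
Get-Process | Where-Object { $_.ProcessName -match $procPattern } |
    ForEach-Object { $findings.Add("Process running: $($_.ProcessName) (PID $($_.Id))") }
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Smitfraud indicators found in the checked locations.' }
```

Run it from an elevated PowerShell session so the HKLM keys are readable; a hit on any check is a reason to collect the referenced file before cleanup, not proof by itself.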

This entry was posted on 04/28/05 and is filed under Trojans.
Copyright 2003-2009. Enigma Software Group USA, LLC. All Rights Reserved.