smitfraud-C

pc10

I have just spent the last 3 hours trying to sort out my mates PC!

AVG picked up 4 viruses - got them sorted.

On the toolbar at bottom right hand corner was a (fake) windows alert that came up with a security warning message about the computer being infected with spyware and click here to sort it - clicking took me to a page that was selling some sort of spyware removel apparently.

Spybot came up with a few entries - one was for smitfraud-C - eventually managed to get a clean scan.

Adaware is clean.

Microsoft antispyware is clean.

AVG shows no more viruses.

My mate has zone alarm running (all upto date)

I have run hijack this and deleted a few entries from it.

Searching google took me to a tool from majorgeeks.com which was to remove this smitfraud-C - I ran it but it came back with a clean report.

To summarise - all scans are now clean HOWEVER this fake windows alert STILL comes up every few seconds. Sometimes the homepage will change to one called spyware something or other (apologies for my poor memory and I'm back at my own house now so I can't even check the correct name!)

I did the scans while system restore was both on and off.

Any ideas what else I can do?

Heres hoping

christie_m

pc10 - Without knowing more details about the pop-up/fake window it's difficult to pin down I'm afraid. A couple of generic things you can try:-

1. Make sure the machine is fully patched i.e. run the Windowsupdate utility on the Microsoft site.

2. Try scanning with an alternative Anti-Virus package (not every virus is detected/cleaned fully by every a-v package)

3. Might be worthwhile posting the Hijack This logs to this on another board...someone might sport something you've missed inadvertently.

JonG_3

I presume the PC and all the above mentioned antivirus / antispywares are up to date with SP2 and all MS critical updates ?

I'd download and run CWShredder as a first - it's free and quick to run.

Could then try some online antivirus scanners, see section 6 here :-

http://forums.majorgeeks.com/showthread.php?t=35407

If that fails find out exactly what website it takes you too and do some research on the net with Google.

Good Luck !

esuhl

It might be worth going to http://housecall.trendmicro.com/ to try their free online virus scan to see if it picks up anything AVG missed.

Browntoa

i bet this is "Spyware sheriff"

were you running those scans in safe mode on his PC ??

you need to turn System restore OFF first otherwise it will re-install

add ewido form www.ewido.net to the scans and run this first

indiegirl_2

I've had this on my dad's PC, took about 3 hours (including a drive over there as I couldn't do it by remote assistance!) in total to sort out...

HijackThis only showed the browser helper object file (BHO: HomepageBHO), which needs to be changed. There's also (from memory) some files which need deleting (which off the top of my head I can't remember).

Beware that the smitfraud trojan attempts to overwrite the wininet.dll file, so even when you successfully remove it, you may have error messages on login regarding the wininet.dll file. I got around this by keeping a copy from a clean XP machine on standby to copy over once I'd run all the removal tools.

I ended up using a complete mishmash of all the removal tools available, but the SmitRem finally did the trick (I think! It was a while back now)... you can find SmitRem here. It's definitely a 'Safe Mode' job though...

And yes - as Browntoa says - stop the System Restore before you do anything... it'll live in there and still report otherwise!

Also, once it's tidied up, ensure that all M$ updates are completed as Micro$oft have released a security bulletin which covered the smitfraud trojan.

I've now put M$ Antispyware (beta) on my dad's PC, because it's got the most user-friendly warning system I've seen so far... personally I use Spybot's Tea Timer, but it's not good for non-techie PC users...

Hope you can get it sorted!

Browntoa

theres a new one shutting down Ms Antispyware....seen it on a couple of PC's, it comes up with a fatal error as it loads, off tomorrow night to wotk out whats doing it on a friends....4 weeks after i fixed his PC from the last lot.... sigh !!!!!

pc10

Hi,

Thanks for the replies.

I haven't been back to my mates machine yet - will go later on.

Everthing on the PC is up to date - SP2, MS updates, AVG etc etc.

It was SmitRem that I got from majorgeeks site and I ran it in safe mode as it said and it came up clean.

All the other scans are clean now but its just this fake windows alert thats still there.

Should I be able to do a system restore to an earlier date and will that sort out the problem?

T4i

Yup, my dad got this too.......

Took me bout 1.5hrs to clean.......

2 things......make sure system restore is turned OFF totaly before you start cleaning and boot into safe-mode.

This is the guide I printed out and followed step-by-step to clean. Works 100%.
http://www.precisesecurity.com/adware-spy/awtss-005dec.htm

I also used Spyware Doctor to do additional checks.....

Good Luck!

shown73

I managed to push it to one side with EWIGO anti malware software. If all else fails, have a look at their website, it works. Spybot still picks it up, and can't deal with it, but at the same time it doesn't cause me any more trouble. Good luck, I know how b----y annoying it can be.