=====================================================================

Only for Windows XP and Windows 2000

Hello and welcome to the WhatTheTech Forum's .

Use at your own risk: WhatTheTech forum's, does not take responsibility for any outcome of following these directions. Every computer is different, so we cannot guarante the outcome. If you are apprehensive, please post a log from HijackThis in the designated forum and let us take a look and guide you to a clean system.

This is a "self help" to remove the infections on Windows 2000 and all XP versions ONLY.If you don't have W2K or XP, please Register and post a HijackThis log for manual removal. Instructions are below.

Keep in mind this infection can be accompanied by other infections as well. We strongly suggest you Register after running this fix and posting a HijackThis log for one of the pro's to check over.


Please do not delete anything unless instructed to.


Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.



______________________________

Next:
Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter



This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named: c:\rapport.txt

We suggest you stop at this point and post a HijackThis log along with the contents of the c:\rapport.txt


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


Running the Clean

Warning: running option #2 on a non infected computer will remove your Desktop background.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.




The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware, and run a full scan.

IMPORTANT: Do not open any other windows or
programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
• Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab
  then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little
  time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all
  actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the
  screen and save it to a text file on your system (make sure to remember where
  you saved that file, this is important).

Close AVG Anti-Spyware and Reboot in Normal Mode.

______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing
Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________
you need to download HijackThis from here and post your HijackThis log here:

Please create a new Topic and post the requested items.

Please post:
[*]c:\rapport.txt
[*]Results from Malwarebytes' Anti-Malware scan
[*]A new HijackThis log
[/list]Your may need several replies to post the requested logs, otherwise they might get cut off.

This post has been edited by LDTate: Jun 8 2008, 06:41 AM

Updated Sept.23,2006 to add VirusBurst

Updated to modify Ewido to AVG Anti-Spyware
Oct.14, 2006

Updated to add:
Video ActiveX Object

Updated to add:
Generic Zlob

Updated to add:
SpyLocked

Updated to add:
PrivateVideo

Updated to add:
SPYLOCKED 4.0.EXE
SpyLocked 4.1
VideoPlugin
PornoPlayer

Update to add:
spycrusher

Update to add:
Video ActiveX Access

Added:
VirusProtectPro

Updated to add Ultimate Fixer and Ultimate Defender

This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.

Updated: Sept.02, 2007

This tool removes Desktop Hijack malware: AdwarePunisher, AdwareSheriff, AlphaCleaner, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntivirusGolden, AVGold, BraveSentry, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, PestCapture, PestTrap, PSGuard, quicknavigate.com, Registry Cleaner, Security iGuard, Smitfraud, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareSheriff, SpywareStrike, Startsearches.net, TitanShield Antispyware, Trust Cleaner, UpdateSearches.com, Virtual Maid, VirusBlast, VirusBurst, Win32.puper, WinHound, Brain Codec, DirectVideo, EliteCodec, eMedia Codec, FreeVideo, Gold Codec, HQ Codec, iCodecPack, iMediaCodec, Image ActiveX Object, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, PrivateVideo, QualityCodec, Silver Codec, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinAntiSpyPro, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec...

Thanks Larry, thats quite a list, these dirt bags have been busy.

Do I need a new link to the download or will the old one work with all the updates?