Hi RK,

This is the only way I know for smitfraud but maybe worth
getting other views on this as this way is a lot of work.
Copy this to Notepad so you can view it in Safe Mode if
needed.

Download Hijack This:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Download Ccleaner:
http://download.ccleaner.com/download119bin.asp

Disable System Restore:
Go to Start > right-click My Computer > choose Properties,
then go to System Restore and check the box 'Turn off
System Restore', then press Apply. Again, you can set a new
restore point when you are clean by following the above
but unchecking Turn off System Restore.

Go to Start > Control Panel > Add or Remove Programs and
remove the following programs, if found:
Search Maid
Security IGuard
Virtual Maid
Exit Add/Remove Programs.

Open Windows Task Manager by pressing CTRL, ALT & DELETE,
click on the Processes tab and end the processes named in
the list below.
Exit Task Manager.

Download Killbox:
http://www.downloads.subratam.org/KillBox.zip
Extract the program to your desktop and double-click on
its folder, then double-click on Killbox.exe to start the
program.
In the Killbox program, select the Delete on Reboot
option.
In the field labeled Full Path of File to Delete, enter
the file paths listed below ONE AT A TIME (EXACTLY as they
appear; copy each file path and paste it in the field).
MAKE SURE TO ENTER ALL FILE PATHS!:
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
c:\bsw.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\hp***.tmp <= *** is a number of
random characters

The tmp file is installed as a BHO and hijacks to
quicknavigate.com. You will need to check the random part
on yours before using Killbox (Hijack This will show the
entry if it exists).

Press the button that looks like a red circle with a
white X in it after each one. When it asks if you would
like to delete on reboot, press the YES button; when it
asks if you want to reboot now, press the NO button.
Do this after each one until you have entered the LAST
file path I have listed above. After that LAST file path
has been entered, press the YES button at both prompts so
that your computer restarts.

While your computer is restarting, tap the F8 key
continually until a menu appears. Use your up arrow key
to highlight Safe Mode, then hit Enter.

Make sure you can view hidden files. (Go to Start, then
Search, then Tools on the top bar, go to Folder Options, then
to the second page, which is View. Tick the box that says
Show Hidden Files and Folders, plus untick the box below
this that says Hide Extensions for known types, click
Apply, then exit.)

Using Windows Explorer, delete the following folders if
any exist:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

A registry file to undo most of the changes is available
here:
http://andymanchesta.com/Downloads/smitfraud.reg
Double-click that file and confirm you want to merge it
with the registry.

Download the Hoster from here:
http://andymanchesta.com/Downloads2/hoster.zip
Save to desktop, then run. Press "Restore Original Hosts"
and press "OK". Exit the program.

Download DelDomains to the desktop:
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click and select Install. (All you will notice is
the desktop icons flash off then on, then it's finished &
has reset the zones.)

Go to Start, then Run, and type
prefetch
Delete the contents of this folder.

Run Ccleaner on all 3 settings (windows, apps & issues)
and clear anything found.

Reboot again.

Run a virus scan and see if it's still being detected.
Trend Micro:
http://housecall.antivirus.com/
Panda:
http://www.pandasoftware.com/activescan/co...n_principal.htm
Symantec's Security Check & Virus scanner:
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Regards Andy
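
A read-only check for the files and folders named in the post above, as an added example that is not part of Andy's post. It deletes nothing, and the names `scan` and `_resolve` are hypothetical. It assumes `hp*.tmp` is a fair reading of the post's `hp***.tmp`, so any `.tmp` hit is only a candidate to confirm against the HijackThis log, as the post says.

```python
import fnmatch
import os

# Paths copied from the post above. "hp*.tmp" stands in for its "hp***.tmp".
FILES = [
    r"C:\wp.exe", r"C:\wp.bmp", r"c:\bsw.exe",
    r"C:\Windows\sites.ini", r"C:\Windows\popuper.exe",
    r"C:\Windows\System32\helper.exe", r"C:\Windows\System32\intmonp.exe",
    r"C:\Windows\System32\msmsgs.exe", r"C:\Windows\System32\ole32vbs.exe",
    r"C:\Windows\system32\msole32.exe", r"C:\Windows\System32\shnlog.exe",
    r"C:\Windows\System32\intmon.exe", r"C:\Windows\System32\hhk.dll",
    r"C:\Windows\System32\hp*.tmp",
]
FOLDERS = [
    r"C:\Program Files\Search Maid", r"C:\Program Files\Virtual Maid",
    r"C:\Windows\System32\Log Files", r"C:\Program Files\Security IGuard",
]

def _resolve(root, parts):
    """Return every path under root matching parts (case-insensitive, * allowed)."""
    found = [root]
    for part in parts:
        found = [os.path.join(d, name)
                 for d in found if os.path.isdir(d)
                 for name in os.listdir(d)
                 if fnmatch.fnmatchcase(name.lower(), part.lower())]
    return found

def scan(root="C:\\"):
    """List which of the post's files and folders exist under root. Read-only."""
    hits = set()
    for listed, want_dir in [(FILES, False), (FOLDERS, True)]:
        for path in listed:
            parts = path.split("\\")[1:]  # drop the drive letter
            hits.update(m for m in _resolve(root, parts)
                        if os.path.isdir(m) == want_dir)
    return sorted(hits)

if __name__ == "__main__":
    for hit in scan():
        # hp*.tmp hits are only candidates: confirm against the HijackThis log
        note = "  (check against HijackThis log)" if hit.lower().endswith(".tmp") else ""
        print(hit + note)
```

Running it before the Killbox step and again after the final reboot shows which entries were present and whether any survived.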