ATTENTION! HJT log helpers. New canned fix for SpySherrif, Smitfraud & AntivirusGold

[Flrman1]

This fix is posted here primarily as a reference for those who are experienced with helping on the forums with these infections. If you are a victim of this infection, It is not recommended that you attempt to fix this on your own. Before you attempt anything, post your Hijack This log in the Security forum and wait for help from one of our experienced helpers.


The following fix provided by noadhfear will work to remove all of these:

AntiVirusGold
Smitfraud
SpySheriff

Note: The smitRem fix will work on 9x systems also, but ewido will only work on XP/2K systems. In noahdfear's original fix he had Adaware included in the fix, but I've found that the smitRem fix and ewido alone work fine. For 9x systems you should use Adaware instead of Ewido.

For XP/2k systems:

* Click here to download smitRem.exe.

• Save the file to your desktop.
• It is a self extracting file.
• Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
• Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download the trial version of Ewido Security Suite here.

• Install ewido.
• During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido
• It will prompt you to update click the OK button and it will go to the main screen
• On the left side of the main screen click update
• Click on Start and let it update.
• DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan it will prompt you to clean files, click OK
• When the scan is finished, look at the bottom of the screen and click the Save report button.
• Save the report to your desktop

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar.If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan

For 98/ME systems:

* Click here to download smitRem.exe.

• Save the file to your desktop.
• It is a self extracting file.
• Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
• Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Go here and download Ad-Aware SE.

• Install the program and launch it.
• First in the main window look in the bottom right corner and click on Check for updates now
• Click Connect and download the latest reference files.
• Do not run Adaware yet. Just download the updates and have it ready to run later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Now launch Adaware:

• From main window click Start then under Select a scan Mode tick Perform full system scan.
• Next deselect Search for negligible risk entries.
• Now to scan just click the Next button.
• When the scan is finished mark everything for removal and get rid of it.
• Right-click the window and choose select all from the drop down menu and click Next

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Web" tab. Under "View my Active desktop as a web page" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button.
Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

I am attaching my canned fixes for you with all the code tags. Mine is slightly different than the original posted by noadhfear, but not much. Feel free to save it and use it.

 

[Flrman1]

I should also mention that if there are other files and HJT entries involved in the log, you will have to add those options to the fix to delete the related files by adding info to download and use Killbox to to delete any other files. Use Killbox or whatever is your preferred method, but I do highly recommend that all of you that help with the logs start using Killbox. It is much easier on the victim that way. They don't have to go through the tedious process of finding all the files. As we all know many of them can't seem to find files that are there anyway.

 

[khazars]

ok, cheers for the info, killbox it is!
Thx for the update on 9x, this will be very useful.

 

[Flrman1]

I edited the part about removing the Security info page in the Display properties. It should be like so:

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar.If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

Either change that in your text file if you have already downloaded it or redownload it.

 

[Cheeseball81]

I was hoping this would get "Stickied" sooner or later. Great info! Thank you.

 

[Flrman1]

 

[Flrman1]

Thanks to cybertech for reminding me that ewido only works on xp/2k boxes. The smitrem fix works fine on 9x boxes, but use Adware in combination with it on 9x. I have edited the original post to reflect that and uploaded my canned response for that too.

 

[cybertech]

Thanks Mark, as always nice job!

 

[Cookiegal]

Thanks for posting this Mark. Great work, as always!

Thanks for all you do.

 

[Flrman1]

You're Welcome guys. Noahdfear did all the work. I'm just a Parrot!

 

[MFDnNC]

You're Welcome guys. Noahdfear did all the work. I'm just a Parrot!

Aren't we all !!!!!!!!!!!!!!!!!!!!!!!!

 

[talon03]

Aren't we all !!!!!!!!!!!!!!!!!!!!!!!!

Nope, I'm an old dog following you guys around trying to learn new tricks!

 

[beardbuster]

I just wanted to says "THANKS"
That walk thru really rocks and I was able to get back to normal again after becoming infected with SpySheriff
I wanted to add that I have WXP and could not follow the instructions in safe made and had to run all the programs in normal bootup... Not sure if I did anything wrong but I tried and tried and was lucky I was real careful what I deleted without being in safe mode...
again THANKS !!!
Clyde

 

[Flrman1]

Welcome to TSG beardbuster. Glad you found this useful!

 

[beardbuster]

THANKS for the

flrman1
I'll be sure to let others know about this place