<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>webtechnology &#187; Security</title>
	<atom:link href="http://ext.morainevalley.edu/webtech/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://ext.morainevalley.edu/webtech</link>
	<description>@ moraine valley community college</description>
	<lastBuildDate>Tue, 20 Oct 2009 19:34:06 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>SMITFRAUD: Another useful jargon for your IT lexicon and something you should know</title>
		<link>http://ext.morainevalley.edu/webtech/2007/08/23/smitfraud-another-useful-jargon-for-your-it-lexicon-and-something-you-should-know/</link>
		<comments>http://ext.morainevalley.edu/webtech/2007/08/23/smitfraud-another-useful-jargon-for-your-it-lexicon-and-something-you-should-know/#comments</comments>
		<pubDate>Thu, 23 Aug 2007 20:06:24 +0000</pubDate>
		<dc:creator>Scott</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://blogs.morainevalley.edu/webtech/2007/08/23/smitfraud-another-useful-jargon-for-your-it-lexicon-and-something-you-should-know/</guid>
		<description><![CDATA[To say I was a bit peeved when I discovered my home PC had become infected would be understating things. In fact I was furious. Yes while in some ways I may have been cocky or arrogant about infections, in other ways I was overly cautious compared to some? My wife more than once complained [...]]]></description>
			<content:encoded><![CDATA[<p>To say I was a bit peeved when I discovered my home PC had become infected would be understating things. In fact I was furious. Yes, while in some ways I may have been cocky or arrogant about infections, in other ways I was overly cautious compared to some. My wife more than once complained about why she had to keep clicking yes or no to allow scripts to run on almost every page. I would explain to her that on almost every page there are scripts running that do who knows what, and if you don’t need them to get the functionality you need out of the web page, then don’t let them run. But somehow, some way, our PC did get infected, and it wasn’t something that could be handled by McAfee, Spybot S&#038;D or Ad-Aware either. This began my education on SMITFraud.<span id="more-19"></span></p>
<p>SmitFraud was just a type of spyware (W32/SmitFraud), but now, as Wikipedia explains, “SmitFraud is now being used to term infections where in users receive fake alerts from software luring the user with installing some affiliated Fake/Rogue AntiSpyware (or other software) with or without the users knowledge.” My particular version installed a red and blue flashing shield in my system tray and would pop up windows stating that my PC was infected with spyware and that I needed to buy “Virus Protect Pro”. After I would close out that window, other browser windows would open with further ads; many of these appeared to download their own viruses and Trojans.</p>
<p>As I stated before, neither Spybot Search &#038; Destroy nor Ad-Aware would remove the SmitFraud. They both would eliminate other keyloggers and spyware that they would find, but the core intrusion would remain. CCleaner wouldn’t find it either; it would just clean up the remnants of what Spybot S&#038;D and Ad-Aware would remove.</p>
<p>While this is not a scientific explanation of how I got rid of it, it was this combination of products that finally did the trick.</p>
<p>First, I forced my internet zone to the highest security level and forced my McAfee firewall into lockdown to limit re-infections as I began scans with my available installed tools such as CCleaner, Spybot S&#038;D and Ad-Aware. Make sure you inoculate your system with Spybot S&#038;D’s inoculation process. I would only unlock my firewall when I needed to access the internet or download a new tool.</p>
<p>I then updated my hosts file from this site: http://www.mvps.org/winhelp2002/hosts.htm</p>
<p>Since your PC will look up domain names in your hosts file before it searches DNS, associating known problem domain names with your 127.0.0.1 address means many malicious attacks never get a chance to start. I had been maintaining the hosts file but had let it get out of date.</p>
<p>You can also use Spybot Search and Destroy to update the hosts file with its known list of problem domains; this is an advanced feature in Spybot S&#038;D. Later we will run a SmitFraud tool, and this may delete your hosts file entries, so you will want to revisit this step after you complete the SmitFraudFix step below.</p>
<p>I ran Trend Micro’s Housecall to make sure that it wasn’t something that Trend Micro’s virus scanner could remove that McAfee was just missing. But again it found things and removed them, but the core intrusion remained.</p>
<p>If your Windows version can run it, get Microsoft Defender; Karen in User Support said it worked for her. My Windows version was Win 2000 and so Windows Defender was not available to me.</p>
<p>Use MSConfig to verify that nothing is loading at startup which should not be there. For Win 2000, MSConfig is not available, but copying it from an XP system works. For this intrusion nothing was found, but it was worth a try, and I removed some other unnecessary programs from startup, which improved my system performance.</p>
<p>My first big breakthrough was after I read a post that suggested using AVG Anti-Spyware (formerly ewido anti-spyware) and SMITFRAUDFIX. This is a post similar to the one I found earlier, with similar instructions: http://forums.tomcoyote.org/How_Remove_Smitfraud_Video_Activex_Object_t61697.html</p>
<p>SMITFRAUDFIX appears to have its own GENERIC.PUP virus that McAfee doesn’t like. Removing GENERIC.PUP with McAfee will keep SMITFRAUDFIX from running, so run SMITFRAUDFIX first, then after the cleanup is complete let McAfee clean up GENERIC.PUP. As the instructions explain, SMITFRAUDFIX must be run from Safe Mode, so get ready to press F8 at Windows startup.</p>
<p>Some useful tips:</p>
<ul>
<li>Run everything twice: I found I pretty much had to run everything twice, and I ran CCleaner after each spyware, adware or virus scan to clean up the bits that were left over.</li>
<li>After SMITFRAUDFIX is run you may/will have to replace your HOSTS file because SMITFRAUDFIX may/will clean all your entries.</li>
<li>I read that it is a good thing to maintain a list of problem IP addresses in the restricted sites zone of your internet security options.</li>
</ul>
<p>The sad thing is that I can no longer trust a previously reliable system. Now that the infection has been cleared, I must plan to move my personal info and files off the system and rebuild it. So besides losing a lot of sleep cleaning up this infection, I must now waste time rebuilding PCs. That said, prevention is the key, so use popup blockers. Use McAfee’s trusted site tool. Maintain your hosts file as instructed above and keep your virus, spyware and adware tools up to date.</p>
<p>Scott Leturno<br />
Webmaster<br />
Moraine Valley Community College<br />
Palos Hills, IL<br />
708-974-5787</p>
]]></content:encoded>
			<wfw:commentRss>http://ext.morainevalley.edu/webtech/2007/08/23/smitfraud-another-useful-jargon-for-your-it-lexicon-and-something-you-should-know/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Not your daddy&#8217;s fishing</title>
		<link>http://ext.morainevalley.edu/webtech/2007/02/22/not-your-daddys-fishing/</link>
		<comments>http://ext.morainevalley.edu/webtech/2007/02/22/not-your-daddys-fishing/#comments</comments>
		<pubDate>Thu, 22 Feb 2007 20:47:27 +0000</pubDate>
		<dc:creator>ron hunsberger</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://morainestudents.com/webtech/?p=8</guid>
		<description><![CDATA[Remember when fishing meant spending a quiet afternoon with a pole, some bait, and maybe a refreshment or two?  The new version is spelled PHISHING and its meaning represents everything that is bad in today&#8217;s technology.  For those of you still struggling to keep up with the latest on-line scams, here is a [...]]]></description>
			<content:encoded><![CDATA[<p>Remember when fishing meant spending a quiet afternoon with a pole, some bait, and maybe a refreshment or two? The new version is spelled PHISHING and its meaning represents everything that is bad in today&#8217;s technology. For those of you still struggling to keep up with the latest on-line scams, here is a good resource: <a href="http://www.sans.org/reading_room/whitepapers/privacy/1731.php" target="_blank">http://www.sans.org/reading_room/whitepapers/privacy/1731.php</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://ext.morainevalley.edu/webtech/2007/02/22/not-your-daddys-fishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
