Wednesday, May 03, 2006

Easy Fix For Spyware and Virus Alert

This post is pretty out of date, so I wouldn't use it now. SmitFraudFix is still around and updating, so you can still use that. Ewido got bought by AVG and was renamed AVG Antispyware, but it's mostly useless now. Most good antispyware programs will remove this now anyways.


If you have been getting a warning that says you have spyware or a virus from a pop up by the clock, then you have what is called Smitfraud. Your homepage is also likely to have changed to one that says spyware has been detected and you can't change it to what you want it to be. Maybe a new program called SpywareSheriff, SpywareQuake, SpyFalcon, or something you have not heard of before is now on your computer. If you have the following warning on your computer, then you are a victim of spyware. Here are a few other pictures of the desktop warning and older pop up balloon.

Do not buy anything from the warnings on your computer because they are from the same people who put the spyware on your computer. This warning along with the fake alert on your homepage are just ways to trick you into buying something from the ones who put the spyware on your computer. All of the warnings on the page are made up and not true. The easy and free way to get rid of this is to follow the removal instructions below.

There is a tool called SmitFraudFix that does most of the work for you. This tool is created by S!ri and is free to use. Yes, there is an exclamation mark in his name.



  • Download SmitFraudFix from S!ri's website
  • Download Ewido Anti-Spyware
  • Read the instructions and make notes or print this page.
  • Once you begin to use the fix, close all programs including Internet Explorer

Once you have downloaded both programs, find the SmitFraudFix file you just downloaded. It is a zip file, so you will need to extract it. For Windows XP, simply click the folder to open it. Once the zip folder has been opened, look to the left side of your screen and select "Extract All Files". You will be asked a few questions and then the files will be moved to the folder where you told XP to move them. If you have Winzip, then it will open when you click the SmitFraudFix file. Follow the instructions Winzip displays. If you are not using XP, then you will need Winzip to open SmitFraudFix.

Before running SmitFraudFix, you will want to install Ewido Anti-Spyware. Once it is installed, open the program and check for updates. After Ewido is done updating, close the program for now. You will use it later.

To completely fix your computer, you will need to restart the computer into what is called Safe Mode. When you are in safe mode, you will not have access to the Internet. If you haven't already, copy or print these instructions so you have a guide to look at. To restart in Safe Mode, do the following:

  • Restart your computer
  • After hearing your computer beep once during start up, but before the Windows icon appears, press F8
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode

Once you are in Safe Mode, find where you extracted SmitFraudFix to. Open the folder and click on the SmitFraudFix.cmd icon. A window will open with a blue background and several choices. To clean your computer, type the number 2 and then enter. Your desktop will disappear except for the blue SmitFraudFix window. After a short period of time, you will be asked if you want to clean the registry. Select yes by typing Y and then hit enter. If you are asked if you want to replace the wininet.dll, choose yes to replace it.

SmitFraudFix will tell you when it is done and ask if you want to run the disk clean up utility. Please allow it to run. It may take a long time to finish and it may appear that it is doing nothing. It could take an hour to finish. The spyware that you have leaves many bad files in your temp directories which need to be deleted. When the clean up utility is done, delete all the files it finds. The files are safe to delete because they are temporary and some are bad files from the spyware. Close SmitFraudFix when you are done by entering Q in the options and hit enter to close it.

Once you are finished with SmitfraudFix, open Ewido and run a scan. You should still be in safe mode when doing this. When Ewido detects a malware infection, allow Ewido to remove it. When Ewido is finished, you should be free of your spyware problems. Restart the computer the way you normally do and you may see your desktop background is gone. All you need to do is select whatever wallpaper you were using before being infected to get back to normal.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

If this spyware cost you too much of your time and you would like to complain, please visit Malware Complaints. There are different sections for many countries. Find your country and then look for the name of the spyware you had. The spyware you just cleaned is called by many names such as SpyAxe, SpyFalcon, SpywareQuake, WinHound, Malware Wipe, or Pest Trap. If you don't know, then use the one called SmitFraud. Posting a complaint can help to stop spyware like this if enough people do it.

The above will work on removing VirusBurst, VirusRescue, SpyFalcon, SpywareQuake, SpyAxe, MalwareWipe, Pest Trap, WinHound, AntiVirusGold, SpywareSheriff, SpySheriff, and several others. This method will remove all of the known versions that use the fake warning above the clock, but it isn't a cure for every type of spyware. So keep that in mind if you are trying this and you don't have any of the above programs or the warning by the clock.

50 comments:

Anonymous said...

Thanks for the fix, Nick. My Norton antivirus kept showing Spyfalcon as the culprit so I searched the Net for help and nothing worked until I followed your step-by-step. I'm not sure if Smitfraud and Spyfalcon are related, but your blog was exactly what I needed. You the man!

Anonymous said...

Hey Nick! Thanks for the info...

So I did everything you said...twice and I STILL have the rotten flashing red and green icon in my system tray with the pop up as you've shown on your site.

I have noticed that it EVEN loads during safe-mode....which I think is the problem! The SmitFraudFix seems to momentarily get rid of it, but as soon as it completes after the Cleanup Disk Space and the Clean Registry the desktop comes back and it loads right back up!!! Using Ewido came up with 4 bad files and deleted them and STILL the same problem. Any other ideas how I can get rid of it??

Thanks for your time..

Bill

Nick said...

Try downloading SmitFraudFix again. There were many new detections added to it yesterday. There is a new version of this hijacker called SpywareSheriff that SmitFraudFix was not targeting before yesterday's update.

Robbie Bonham said...

Cheers for that, Nick! Got it sorted...

Anonymous said...

Thank you very much! You saved me from a desperate situation! It walks very well!

Anonymous said...

Thank you so much for the valuable information! I was desperate to get our computer fixed. Everything worked just like you said! Keep up the great information!

Thanks,
Courtney

Anonymous said...

Hi Peeps,
Don't know much about anti virus progs etc. but I managed to get rid of AWVTU.DLL and ATMCLK.EXE after a fortnight of banging my head off the keyboard.
It goes something like this:-
Go to http://www.browser-hijack.com/
Download Free Trial Version Now (2.33M)
Run Prog and it will disclose baddy files but it won't delete them because it's a trial version!
Take a note of the location(it's usually SYSTEM32) and the filenames.
Don't bother trying to delete them at this stage as the system won't allow you as they are in use.
Reboot computer
Go to BIOS
Set Boot Device for floppy drive
Insert FDISK(get it here:-http://www.23cc.com/free-fdisk/)
Press save changes and let the computer boot off the floppy.
When you see the flashing cursor at A:\ type C:\
Then type DEL C:\WINDOWS\SYSTEM32\AWVTU.DLL
Then do the same for all the other filenames you have a note of.
WHOOHOO! VIRUS FREE!
Don't forget to reset the BIOS to boot off hard drive!
Happy Virus killing!
_________________

Anonymous said...

Hello,

Followed the steps listed and unfortunately still have the flashing icon.

My symantec antivirus scan has just found the following file which it claims is to do with SpySherif (Ewido thinks that this is fine):

C:\WINDOWS\system32\sbnudh.dll

Does SmitFraudFix need to check for this too?

Nick said...

Hello, the file sbnudh.dll is new, and will be added to option #2 soon. For the time being, download a new copy of SmitFraudFix and run option #4. Make sure you have started the computer in safe mode. The instructions for safe mode are in the instructions in the post. Just follow the on screen instructions that option 4 will give you.

If you are still having problems after that, you can post a hijackthis log at one of the following help forums:

Geeks to Go, Spyware Warrior, or Malware Removal

Anonymous said...

Followed the instructions, Fantastic work guys, Machine all working fine, Thanks heres

Anonymous said...

Nice work.


Cheers to ya,

m

Richard Cotton said...

WOW!! What a contribution you are making. I had SpywareQuake stuck in my system. I followed your instructions to the letter and BOOM! it is gone.

Thank you - Thank you - Thank you!!

If you ever need any exercise support, you have a free membership coming - www.myexerciseplan.com

Blake said...

THANK YOU!

For what it is worth, this did not work the first time around. When I downloaded the Smitfraudfix .zip off your link and ran the .cmd file, it froze.

The 2nd time I went to the website directly (i.e., typed it into the browser, then navigated to the download) and that worked out fine.

Thanks again!!!

Blake

Anonymous said...

Thank you so much -- I had the stupid PestTrap infesting my computer and this took it out and has kept it out. Awesome!

Anonymous said...

thanks for the answer to my problem. this spyware quake thing has been pissing me off now for 3 days. your advice fixed it. thanks.

Anonymous said...

My thanks to the group. 41763 infections found. I no longer show any indication of Spywarequake or the annoying pest in the taskbar.

RussianRadiance said...

Thank you so much, it took me a few times but it worked like a charm. I struggled with this for 12 hours straight even with my firewall and spybot. This malware is a horror and I hate the fact that someone can take over your computer then try to strong-arm you into buying their software. Yes I did make complaints. Thanks again, you're lifesavers. Keep up the good work, Albert

Anonymous said...

Thank you so very much for this info. I was running so many diff programs in attempt to get rid of this crap. I came across this site in a google search. This would have saved me 6hrs+ in lost time if I had searched earlier.

damn spyquake... I'd personally shoot the creators.

Anonymous said...

Yes, we need to make the entire world know how to get rid of these suckers so no one would be the victim again!

Thank you for the tip!!!

Anonymous said...

thanks!

Piero C said...

Just got busted, currently in Safe Mode.. you could also try Safe Mode with Networking, that works wonder.. we'll see if this gets sorted out... thx

Piero C said...

I still have Downloader.Delf.amb in my system, Ewido still detects it even after I've deleted it a few time.. what can I do about this? Thanks.

Hans Beemsterboer said...

I got rid of the SpyQuake version of this Trojan Worm.

First, in safe mode, I manually removed the maliciously installed files from the WINDOWS/system32 directory.

Then, also in safe mode, I manually cleaned the registry, especially entries with:
dcomcfg.exe
atmclk.exe
regperf.exe

Finally, in normal mode, I could remove the flashing "Virus Alert" warning by running a quick scan with Ewido. Thanks for pointing me to this direction.
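
The following Python example is added here for illustration; it is not part of the original post or of any comment, and it is not how SmitFraudFix or Ewido work. It scans a HijackThis log (the kind Nick asks readers to post) for the file names commenters on this page reported, and separates files that are merely running from files that have an autostart entry and will therefore come back after a reboot. The sample log is constructed, and the section meanings are assumed from general HijackThis usage.

```python
import re

# File names commenters on this page reported; a name match is only a lead to verify.
REPORTED_NAMES = {"awvtu.dll", "atmclk.exe", "sbnudh.dll", "dcomcfg.exe", "regperf.exe"}

# HijackThis entry lines begin with a section code, e.g. "O4 - ..." or "O20 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")
# A drive-letter path ending in .exe or .dll (the path may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?]*?\.(?:exe|dll)\b', re.IGNORECASE)
# Sections that load code automatically (assumed from general HijackThis usage):
# O2 = Browser Helper Object, O4 = Run keys / Startup folder, O20 = Winlogon Notify.
AUTOSTART_SECTIONS = {"O2", "O4", "O20"}

# Constructed sample log, for illustration only.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\AWVTU.DLL
O4 - HKLM\..\Run: [atmclk] C:\WINDOWS\system32\atmclk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: sbnudh - C:\WINDOWS\system32\sbnudh.dll
"""

def flag_entries(log_text):
    """Return (section, file_name, line) for every log line naming a reported file."""
    hits, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            section = entry.group(1)
        elif line.lower().startswith("running processes"):
            in_processes = True
            continue
        elif in_processes:
            section = "process"
        else:
            continue  # header text before the process list
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in REPORTED_NAMES:
                hits.append((section, name, line))
    return hits

def still_persistent(hits):
    """File names that have an autostart entry, i.e. will reload after a reboot."""
    return sorted({name for section, name, _ in hits if section in AUTOSTART_SECTIONS})

if __name__ == "__main__":
    for section, name, line in flag_entries(SAMPLE_LOG):
        print(f"{section:8} {name:12} {line}")
    print("autostart entries remain for:", still_persistent(flag_entries(SAMPLE_LOG)))
```
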

mini1day said...

Well, Nellie2 or Nick, whomever gave me the procedure to remove that annoying virus alert in my taskbar tray, it worked marvelously. It's great to have some honest people out there saving the PCs of many not so savvy and computer literate people.
Thank you Thank you Thank you!
Mini1day in Canada

donchikas said...

Thank You Nick. The clean up went without any complications. The programs you give up to use are awesome. Thanks once again.

Anonymous said...

Thank you so much. I knew that this is also spyware but didn't know how to fix this annoying message. 10000000 thanks

Dean said...

Thanks for the useful information posted in your blog. I had a lot of problems moving SpyFalcon from my system at first but with the help of this resource, Anti-Spyware-101 and Spyware DB I was able to get it off my system just fine. Thanks again.

Anonymous said...

thank you, worked perfectly first time, well done, no annoying pop-ups or anything anymore. Works 100%

Rob said...

My Ad-aware found the damned spyware and claimed to clean it but obviously failed to rip it all the way out by its nasty little roots - the popup kept returning.
But your advice worked for me - thankyou so much. I particularly appreciate your effort to spell things out (like how to get into Safe Mode) for people like me who don't usually need to do stuff like that.

Daniel said...

Nick, I can't begin to express my sincere appreciation for inventing this fix for the Alert Icon problem, I was about to do a full reinstall and erase of the hard drive to rid of this problem, I'm glad I found your fix first, thanks much man for your contributions in fighting the assholes who corrupt our pc's everyday.

Anonymous said...

Thanks so much for this piece of info, it's worth its weight in gold! I just got duped by this winantivirus nonsense, came in via 2 trojans via hotmail. Now it is all fixed thanks to you!

William Kolar said...

Just a note...

Apparently they are not limiting themselves to spyware. I had something similar happen, but instead of "detecting spyware" I got a virus warning... download this virusscan to clean it... well I didn't, and now my old system crashes and reboots every ten minutes or so..

Nick said...

I've seen them use the virus warning one before. Same idea different names. Sometimes several different spywares or trojans get downloaded and they do screw your system up.

Follow the advice above and see if that helps.

Anonymous said...

Thank you for the information i was going insane with all this spyware nonsense it worked right away and was efficient.

Anonymous said...

Thank You so much. I am a pretty big computer dork. I even sell computer parts on ebay. But winfixer had me stumped and I couldn't stand the thought of editing the registry and slowly, slowly, removing it manually. Your instructions and links helped me immensely. I mean what is a dork with a slow infected computer. TY very much. A++++++++++++. It works perfectly

Anonymous said...

Awesome help and support for the fellow being! This site has it together and exemplifies nothing but good spirit to all. The methods these Trojans are using are horrific! Why would anyone engineer such an atrocious beast on the unsuspecting? If these Spyware/Trojan/Virus developers were to use their education in a manner of well being…just think how much more our beautiful world we would be! Thank you!

Anonymous said...

I was so happy when your fix worked. Thank you so much for being a computer angel and warrior at the same time. I do believe in miracles and you!!!

Anonymous said...

dude u are fucking awesome!!!
i had the same problem
u save me man
i had over 400 infected files from that website

Craig said...

I spent about $100 on various anti-spyware software and none of them could get rid of the VirusBurst icon on my taskbar. I finally found your web site here and on the first try I zapped it! Thanks for your help.

Anonymous said...

Gary said..

Thankyou, Thankyou thankyou ,,

It's guys like you that make the web a wonderful place.

Anonymous said...

I'm fighting with mine tonight. There's a nice hot place in the futures of the people who create and inflict these things.

Anonymous said...

Thank you so much for the info, this finally worked on my computer and I saved this as a bookmark...Good thing I did my friend just got it on her computer and she was able to fix her's also.

Thanks again, :)

No Adware said...

Thanks for the accurate instructions. I could have found it very useful last year when I had infections.

My motto was: Reformat the PC and all spyware and adware will disappear.

It did work but your method seems much better.

Anonymous said...

I really appreciate this. Saved my butt!

Anonymous said...

thank you,thank you,thank you... keep up the GOOD work

Pierre said...

I Love you... worked perfectly

Anonymous said...

Wow that is awesome!

I was going crazy trying to get that stuff off my NEW computer. Nothing worked until i did what all you suggested. YOU ARE THE BEST! I am bookmarking this for future reference. MAN You have so saved my life!

B.Dabbs

Anonymous said...

hey guys -- wicked job.
any chance to have a list of all the Manual steps required w/o installing anything else? At this stage [after removing some files already] I get the annoying cross with red background in the sys tray with the tip window 'warning' about the infection. Appreciate your help here.
Ciao

idan said...

Hey -- THANKS.
I used an alternative method and would like to hear back if possible:
I searched and removed all the files as in: http://www.wiki-security.com/wiki/Parasite/Pest_Trap/#Remove_Pest%20Trap_manually

However it left an annoying icon that pops a harmless [cross-fingers] balloon every few seconds: 'you are infected or whatever'. To avoid this I went *right-click*, Properties on the task bar > Taskbar tab, Customize > located the relevant 'icon' and set to 'Always Hide'. This seems to work at the mo.

What can I do to get rid of it for ever and ever!?

Cheers

Anonymous said...

My office machine is infected with a virus and I am trying to do what is suggested here. But when I restart the machine in safe mode, it gives only two options - username and password, but no "Log on to". Without the domain name, system is not allowing me to log in.

How can I enter domain name in Safe mode to login to the system? I am admin on the system.
