
Annoying pop ups!

acer Aspire
June 4, 2007 at 02:02:02
Specs: Windows Vista Basic, 512MB DDRII

For a few weeks now I've had numerous pop ups appear on my pc and can't get rid of the cause. I am using Firefox 2 as my browser but my pc tries to open up the pop ups through Internet Explorer.

I have tried a variety of different ways to remove this virus but have come to a dead end.

Whilst doing a search with Spybot S&D I get the following file which I cannot remove:

"Smitfraud-C. Coreservice" which has 4 other files contained within it. When I try to remove it, one of the files can be deleted and the other 3 can't. It then asks if I want to do another scan on boot and I've tried this as well but still can't remove these files.

I have the following antivirus/spyware programs on my pc:

Spybot S&D, Pop Gun, Kill box, F-Secure(Beta version for Vista).

I have also had AVG Antivirus on my pc and tried to remove it with this but this didn't work either, this is when I actually caught the virus.

Could someone kindly assist me in removing this from my pc?

I've posted in another couple of forums but had no reply.

Thanks, Bryan.

www.myspace.com/tobaccoslammers




#1
June 4, 2007 at 02:07:41

Have you tried them in safe mode?


#2
June 4, 2007 at 05:22:46

Here is all the info needed to empower yourself, anything you are not sure of, put into a search engine like Google.
Read this link 1st, it has step by step.
http://www.wilderssecurity.com/show...
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis. Download and unzip HijackThis.exe into this folder.
http://www.merijn.org/downloads.html Or, http://tomcoyote.com/hjt/ Or, http://www.spywareinfo.com/~merijn/...
If possible run HJT in Normal mode (not Safe) with all your normal startups working.
HijackThis Tutorial - How to Analyse your own log.
http://spywarewarrior.com/viewtopic...
http://hometown.aol.co.uk/jrmc137/h...
http://www.bleepingcomputer.com/tut...
http://www.malwarehelp.org/understa...
HijackThis log file analysis ( online )
http://hijackthis.de/index.php?lang...
Or,
http://startup.networktechs.com/pag...
http://hjt.iamnotageek.com
Malware Prevention: Prevent Re-infection
http://wiki.castlecops.com/Malware_...
http://www.offroaders.com/ralphtheg...


#3
June 4, 2007 at 10:30:40

Hi thanks for your replies.

Razor2.3: Yes I have tried to remove them in safe mode but it didn't work.

JohnW: I've had a look through the info you gave me but I honestly don't understand it. I have managed to create a specific folder on my hard drive for HJT as you suggested but other than that I'm lost!

Any other advice?

www.myspace.com/tobaccoslammers



#4
June 4, 2007 at 13:58:50

It would be worth jacking up IE security to Max until this problem is resolved.

As regards #2 then unfortunately it does take quite a bit of effort to get shot of these nasties yourself. Take it step by step, mostly the groupings are different aspects of the same thing. For example there are several auto-analyzers given because sometimes one will give additional useful information compared to another.

DerekW



#5
June 4, 2007 at 21:23:54

What I would do is D/L avast free http://www.avast.com/eng/programs.html to your desktop. Then disable AVG and F-Secure, install avast and let it do a bootscan on reboot. Remove all it finds and move it to the chest. That's how I got rid of the Smitfraud problem on 4 PCs in the past week.
Also run a free online scan http://www.spywareinfo.com/xscan.php and remove all it finds.
You may also want to put Spyware Blaster http://majorgeeks.com/download2859.... in your arsenal.

If your problem still persists, you may have to disable system restore and rescan again.

Hopefully my advice will help you...Please post back with your results....thanks



#6
June 4, 2007 at 21:25:43

Somehow, this was double posted...sorry...I really don't know how it happened?


Hopefully my advice will help you...Please post back with your results....thanks



#7
June 5, 2007 at 11:40:19

I too recommend SpywareBlaster as it is an excellent program (although exactly the same idea as SpyBot's Immunize feature if you use that).

Note that neither of these cure anything after it has got in. They prevent them from taking hold in the first place.

DerekW



#8
June 8, 2007 at 07:12:15

OK, so I downloaded Avast antivirus as requested by "XpUser4Real" and disabled F-Secure, ran a boot scan to which nothing appeared to have happened???

So I restarted my pc and did a thorough scan with Avast. After the scan finished I had a list of 157 files. I clicked on all of these files and chose to move them to the chest, many of these couldn't be moved as it stated that they were password protected.

In the Avast chest I now have the following:

Infected files - 32
User Files - 0
System Files - 3


All of the infected files contain the following info:

Name - SmitfraudCCoreService(different no's here).zip

Original Location - C:\ProgramData\Spybot - Search & Destroy\Recovery

Do I simply delete these files from the chest or do I need to do something else?

If I have to delete these what would you recommend that I do next?

Also can I remove Avast now and enable F-Secure?

At present I am still getting these pop ups.

www.myspace.com/tobaccoslammers



#9
June 8, 2007 at 08:19:38

Once in the chest they are in quarantine so you can leave them in there. What are the ACTUAL pop-ups you are getting?
Also, yes, just disable Avast and you can use F-Secure again.

Hopefully my advice will help you...Please post back with your results....thanks



#10
June 8, 2007 at 16:37:17

I'm getting random pop ups to various sites and ones to nowhere???

I'm using Firefox 2 as my browser but get pop ups trying to open Internet Explorer.

www.myspace.com/tobaccoslammers



#11
June 8, 2007 at 16:54:01

"I have managed to create a specific folder on my hard drive for HJT as you suggested but other than that i'm lost!"

That was the last step in a logical process.

Did you try Step by Step?

Read this link 1st, it has step by step.
http://www.wilderssecurity.com/show...



#12
June 9, 2007 at 02:58:27

Hi Johnw. I've looked through the step by step notes but most of the stuff on there is for Windows XP users, I'm on Windows Vista. Any of the programs mentioned on it are beta versions for Vista.

Currently I have Avast Antivirus running on my PC and it is up to date. I tried turning F-Secure back on as well but when any of these programs are running I still get the pop ups. I did another search with Spybot and it's still finding the Smitfraud bug but won't remove it.

I really don't know what to do next here. I've tried loads of different things and downloaded tons of stuff for weeks now and can't remove this fault.

Here is a list of all the protection programs I have the now and none of them will remove the bug:

1. F-Secure Internet Security Technology(Beta version for Windows Vista)
2. Avast Antivirus
3. Spybot S&D
4. Killbot
5. Popgun

www.myspace.com/tobaccoslammers



#13
June 9, 2007 at 07:33:48

Do the errors say where the infections are located? Could it be they are in the restore?
If so, turn off system restore and rescan.
Did you do the online scan I suggested earlier?
Also, I would suggest Spyware Blaster

I didn't see any mention of cleaners. Use CCleaner and ATF Cleaner to clean out all the junk from your PC.

Hopefully my advice will help you...Please post back with your results....thanks



#14
June 9, 2007 at 17:38:36

"Any of the programs mentioned on it are beta versions for Vista"
Everything is in Beta tobacco_slammers, that is why there is a constant stream of upgrades, hotfixes, bug fixes etc.

Another important part of my 1st post.
"anything you are not sure of, put into a search engine like Google"

As you have a trojan, try these online scans, may have to use all.
Free online Trojan scan.
http://www.webroot.com/services/spy...
http://www.trojanscan.com/
http://www.pcflank.com/
http://www.spywareinfo.com/xscan.php
http://www.windowsecurity.com/troja...

Disabling Windows Vista System Restore
http://www.bleepingcomputer.com/tut...

This is a very good trojan remover. Make sure you update it after installing.
http://free.grisoft.com/doc/avg-ant...

