Using a guide like this is at your own risk. If in doubt ask in the Malware Removal forum

SpyHeal



Mirrored from http://forum.securitycadets.com/index.php?showtopic=232 Thanks also goes to Kimberly and Grinler


What you need to do:-

First of all it would be a good idea to print this guide of as you will have to reboot into safe mode

1. You would need to manually remove this program which is very easy:

• Click on Start
• Then click on Control Panel
• Double click on the Add/Remove icon
• Find the entry: SpyHeal 2.1, if it excists. Then on every entry found, click on them and click on Remove
• If the computer asks to reboot, please click on No (reboot at a later date) and close all the windows.

2. Your next step is to download SmitFraudFix.zip (<-- Click there) by SiRi and save it to your desktop! This tool only works on (WinXP, Win2K).

3. Extract the .zip file you just downloaded to your desktop. Right click on the file and select "Extract here" or "Extract all". The blow image is what you should see when extracted.



4. Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

• Install Ewido by double clicking the installer.
• Follow the prompts. Make sure that Launch Ewido is checked.
• On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update succesfull message.
    Note: If the Update now option is grayed out, follow the steps below.
    • Click on Update on the toolbar.
    • Under Manual update, click on the Start Update button.
    • Wait until you see the Update succesfull message.
• Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

5. Next step is to reboot into Safe Mode like so:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8
• A menu should appear
• Select the first option, to run Windows in Safe Mode
• When you are at the logon prompt, log in as the user your normally log in as
• You should then see your Desktop, make sure all windows are closed

6. Open the Smitfraudfix folder on your desktop and the contents of the folder will be similar to the image below.



7. Please double-click on the SmitfraudFix.cmd file, as shown in the image above, to start the removal process.

When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

8. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).



The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.



This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically.

9. When Disk Cleanup has finished, you will see an option asking Do you want to clean the registry? (y/n). At this screen press the Y button and then press the enter key.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

10. When the last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all windows and applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.

Once the computer has rebooted, you may be presented with a Notepad screen containing a log of all the files removed from your computer.
(Otherwise the tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.)

11. Go back into Safe Mode (Look at Step 5)

12. Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

13. Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

• Click on Scanner on the toolbar.
• Click on the Settings tab.
  • Under How to act?
    • Click on Recommended Action and choose Quarantine from the popup menu.
  • Under How to scan?
    • All checkboxes should be ticked.
  • Under Possibly unwanted software:
    • All checkboxes should be ticked.
  • Under Reports:
    • Select Automatically generate report after every scan and uncheck Only if threats were found.
  • Under What to scan?
    • Select Scan every file.
• Click on the Scan tab.
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.
• When the scan has finished, follow the instructions below.
  IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)
    
• When done, click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
• Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

14. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

14. You should be free of this program. However, if you still seem infected create a new post with the following information in the Malware Removal Forum.:
Please post:

1. c:\rapport.txt
2. Ewido log
3. A new HijackThis log

You may need several replies to post the requested logs, otherwise they might get cut off.

This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.