Removing Smitfraud-c trojan infection

November 30th, 2006

One false click (not even performed by me) was all it took to turn my yesterday evening and most of today into a frustrating battle against a surprisingly nasty trojan called Smitfraud-c.

Smitfraud-c came into our desktop computer’s Windows 2000 system as part of a group of viruses, adware, spyware and trojans that were caught from what appeared to be a harmless-looking link sent on the MSN messenger network. Fortunately, I was able to act quickly, and more than a dozen serious infections were detected and removed by Avast!, AVG Anti-Spyware (formerly Ewido Anti-Spyware), Ad-Aware and Spybot Search and Destroy before anything too serious could happen. Yet, one annoying little bugger remained — Smitfraud-c.

Now, if you do a few searches on the Internet you will find out that Smitfraud is not something that is easily removed. I ended up trying almost a dozen different tools and methods, and spending all my morning and afternoon battling with the little devil. And whatever I did, I always got the same result from Spybot: Smitfraud-c was present, and it could not be removed. More specifically, there was a related dll file that was apparently running while Spybot was operating, and there seemed to be no way of getting rid of that file. (I have by now already forgotten what the file was actually called…)

It must also be noted that although Spybot has in the past given false positives about Smitfraud, it was clear that mine were not false positives. Firstly, this issue was corrected in the program over a year ago. Secondly, almost every time I ran Spybot, a new malware infection could be found. And Smitfraud, apparently, was the culprit.

At the point when I was already considering formatting the hard drive and doing a fresh install of the operating system, I finally found a solution. And, for those who may be battling with the same problem, here is how I did it:

WARNING: I TAKE NO RESPONSIBILITY FOR THESE INSTRUCTIONS. DON’T USE IF YOU DON’T KNOW WHAT YOU ARE DOING.

1. Boot to Windows Safe mode

2. Run HijackThis (you need to first search for and download it if you haven’t got it)

3. Click “Open the Misc Tools section”, then “Delete a file on reboot…”, select the dll file that Spybot has been complaining about, and close HijackThis.

4. Reboot Windows to Normal mode

5. Run Spybot Search and Destroy. It will again detect Smitfraud-c, but this time around it will be able to remove it.
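
A way to confirm, before the reboot in step 4, that the deletion from step 3 was really queued. This is an added example, not part of the original post or of HijackThis; it assumes the tool uses Windows' standard delayed-delete mechanism (the `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`), and the paths in the sample are placeholders.

```python
import re

PREFIX = "\\??\\"  # NT object-manager prefix Windows puts in front of queued paths

def hex7_to_bytes(reg_line):
    """Decode a hex(7) (REG_MULTI_SZ) value copied from a .reg export."""
    body = reg_line.split("hex(7):", 1)[1]
    # Commas, "\" line continuations and indentation are all just separators.
    return bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", body))

def _strip(path):
    return path[len(PREFIX):] if path.startswith(PREFIX) else path

def pending_operations(raw):
    """Return (source, destination) pairs; an empty destination means delete."""
    items = raw.decode("utf-16-le").split("\0")
    ops, i = [], 0
    while i < len(items):
        if not items[i]:  # list terminator or padding, not a source path
            i += 1
            continue
        dest = items[i + 1] if i + 1 < len(items) else ""
        # A leading "!" on the destination means "replace an existing file".
        ops.append((_strip(items[i]), _strip(dest.lstrip("!"))))
        i += 2
    return ops

def is_delete_queued(raw, path):
    """True if `path` is queued for deletion (Windows paths compare case-insensitively)."""
    return any(src.lower() == path.lower() and dst == ""
               for src, dst in pending_operations(raw))

# Constructed sample: one queued delete and one queued rename (placeholder paths).
_SAMPLE_STRINGS = ["\\??\\C:\\WINNT\\system32\\example.dll", "",
                   "\\??\\C:\\Temp\\new.tmp", "!\\??\\C:\\Temp\\old.dat", ""]
SAMPLE_RAW = "".join(s + "\0" for s in _SAMPLE_STRINGS).encode("utf-16-le")
SAMPLE_REG = '"PendingFileRenameOperations"=hex(7):' + ",".join(
    f"{b:02x}" for b in SAMPLE_RAW)

if __name__ == "__main__":
    raw = hex7_to_bytes(SAMPLE_REG)
    for src, dst in pending_operations(raw):
        print("DELETE" if dst == "" else "RENAME", src, dst)
```

Feed it the `PendingFileRenameOperations` line from a .reg export of the Session Manager key taken after step 3 and before the reboot in step 4.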


Comments

  1. Risto

    December 1st, 2006 (permalink)

    I usually use three tools to remove those nasty spyware applications.

    1. Sysinternals Process Explorer – Get detailed information about running processes.

    2. Sysinternals Autoruns – You can monitor and modify programs which start automatically at Windows startup.

    3. Unlocker – Delete any file even if it’s being used by another process.

    With these you can disarm almost any trojan horse or spyware out there. Of course you should do a virus scan and spyware scan on your system after removing any running threats.

  2. jaico

    April 10th, 2007 (permalink)

    your advice was very useful..i struggled to rid my computer of the smitfraud-c worm…….spybot’s recent scan says that all is right…but i cannot connect to the internet anymore….would be great if you could suggest something…the error says that the computer fails to read the ip configuration….thanx in advance

  3. vili

    April 10th, 2007 (permalink)

    I’m afraid I can’t really help any more than what I have written above. :( That’s basically all I know about the issue.

  4. Bret

    April 15th, 2007 (permalink)

    If your NIC isn’t getting an IP try resetting winsock with the command: “netsh winsock reset” from the command line.

  5. Marty Simpson

    April 19th, 2007 (permalink)

    I followed Vertebrate Silence steps to remove Smitfraud-c. Downloaded HijackThis OK and was ready to “delete a file on reboot…..” but when I ran Spybot to get the dll file that Spybot should be complaining about I couldn’t find any dll file associated with why Spybot can’t remove Smitfraud-C? Any ideas?

  6. Jim

    May 2nd, 2007 (permalink)

    Thanks so much for this advice. After reviewing so many other pages with so many steps and different software to download, at first I thought this seemed to be too good to be true. BUT- it worked. I had S&D remove at boot a file called netloy.dll and some other suspicious dll files that HiJackThis spotted and POOF! my problems with the virus ceased. No more random Webpages springing up. No more smut popping up. I thank you so very much!

  7. Skit

    May 17th, 2007 (permalink)

    Thanks friends,
    it was very useful.
    Skit

  8. AJ

    June 5th, 2007 (permalink)

    It works.
    Went into Safe Mode – Ran Spybot and it found the Smitcore entries and files and removed it.

  9. the guy

    July 11th, 2007 (permalink)

    Thanks so much for this post. I ended up doing something a little bit different to destroy this bastard bug, but I wouldn’t have walked this path without your direction. Thanks again!

  10. Gordon L

    September 13th, 2007 (permalink)

    I was not able to delete the file but for some reason I was able to rename the file – that seemed to chill it for a little bit but then it came back, a fresh copy. I noticed that the fresh copy had the same (fairly recent) date/time stamp. Sorting my Windows folder by Date, I discovered about 6 different files with the identical date/time, 4 of them were of identical size. I deleted the ones I could, and renamed the other two.

    So far, (knock on wood) it seems to be okay. No new files appearing.

    Important thing to note here: files were appearing in the C:\WINDOWS folder, and the bad boys had the same timedate stamps.

    Good luck – smitfraud.c is the most persistent pest I’ve had the sorry experience to deal with in my 26 years of PC computing, not the most damaging, but for sure the hardest bug to squash.
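
The triage step described in the comment above (sorting a folder by date and looking for files that share one timestamp, some of them also sharing a size) can be scripted. This is an added example, not part of the thread; the file names, sizes and timestamps in the demo folder are constructed.

```python
import os
import tempfile
from collections import Counter, defaultdict

def timestamp_clusters(folder, min_files=3):
    """Map mtime (whole seconds) -> sorted [(name, size)] for groups of min_files or more."""
    groups = defaultdict(list)
    with os.scandir(folder) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                info = entry.stat(follow_symlinks=False)
                groups[int(info.st_mtime)].append((entry.name, info.st_size))
    return {t: sorted(f) for t, f in groups.items() if len(f) >= min_files}

def shared_sizes(files):
    """Names within one cluster whose size matches at least one other file."""
    counts = Counter(size for _, size in files)
    return [name for name, size in files if counts[size] > 1]

def build_demo_folder():
    """Constructed sample: 3 files stamped alike (2 of equal size) plus 2 unrelated ones."""
    folder = tempfile.mkdtemp()
    spec = {"aaa.dll": (40, 1_190_000_000), "bbb.dll": (40, 1_190_000_000),
            "ccc.exe": (12, 1_190_000_000), "notepad.exe": (40, 1_000_000_000),
            "win.ini": (5, 1_100_000_000)}
    for name, (size, mtime) in spec.items():
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (mtime, mtime))  # set access and modification time
    return folder

if __name__ == "__main__":
    # Point this at the folder under suspicion instead of the demo folder.
    for stamp, files in timestamp_clusters(build_demo_folder()).items():
        print(stamp, files, "same size:", shared_sizes(files))
```

Modification times can be rewritten by the malware itself, so a cluster is a lead to investigate and an empty result does not clear the folder.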

  11. shadowsonic77

    September 21st, 2007 (permalink)

    hey i got this damn virus like 2 days ago and tried everything to remove it it just keeps on coming back i need help pls.it keeps giving me a windows security alert warning then gives me some crap about u got viruses and spyware on ur pc pls do a full system scan or download a anti virus prog to rem it then doesn’t matter where i click my browser pops up and it goes to this virus protection site to download it its non-stop it keeps popping up..wat can i do??

  12. RickRude

    September 22nd, 2007 (permalink)

    To the guy above me: Just use spybot (it will remove it), another good free spyware remover is superantispyware. You might also want to try spyware doctor starter edition/free edition (which is essentially the same as the paid-for version without a few of the real-time add-ons.)

  13. AdmiralTigerclaw

    October 8th, 2007 (permalink)

    My sister’s computer had this problem the last few days.
    The way it looks, and from all the different HELP ME! notices I’ve located online, it appears that it’s an extremely hardy and capable trojan requiring multiple avenues of attack.

    Mainly because it screws up the HOST files, snatches that DLL up, installs some components of itself, and I’m willing to bet, hides in the IE browser cache stuff as well.

    As such, attacking it from any ONE cleanup procedure just isn’t enough to finish the task if it’s got its claws deep into the system.

    For example, I didn’t have an uncleanable Dynamic Library Link (.dll) file to deal with. Instead, it was infected HOST files.

    Thus, I attacked it with an extensive multi-angled assault of cleaning, searching, clearing and a fix tool. Along with telling SB-S&D to scan on boot to catch it before the processes all started up. I essentially set my Sis’ laptop up and declared WAR.

    And I just won.

    I suggest, among other things, grabbing up the SmitFraudFix file as one more tool/option/weapon of digital combat against this menace.

    As Earthworm Jim says…

    “EAT! DIRT! FOUL CYBERNETIC PESTULANCE!!! AAAHHH HAHAHAHAHAHAHAHAAAAA!!!!”

  14. Klavier

    November 7th, 2007 (permalink)

    ‘c:\windows\privacy_danger’ won’t let itself be deleted, moved, copied or accessed. It is what my spybot S&D found as part of smitfraud-c and couldn’t remove.
    “file is not accessible, Access denied” “this file can not be deleted, Access denied” and other such things… I tried the hijack this and the remove file on reboot and it ain’t workin’.

  15. seethru

    November 21st, 2007 (permalink)

    risto…u the man!!! thank you for the info…i was just recently hit with the smitfraud-c virus…. autoruns and processmanager helped me to kill the problem!!! I must say that i love process manager! it is like task manager but so much more complex tells you what is running, where it is located, manufacturer, and the files associated with it. process manager is quite simply the sh!t!

    as risto said

    sysinternals….download the suite can be found easily google it
    run autoruns(your program startup list)
    run process explorer(procexp.exe)
    download unlocker that is useful as well

    thanks to this site smitfraud-c was taken care of very quickly(like 10 minutes) when i had been scratching my head for hours in registry manager.

    spybot search and destroy was helpful!!!

    THANKS GUYS!!!!

  16. Klavier

    December 10th, 2007 (permalink)

    Unlocker comes from where?

  17. Anomonous

    December 23rd, 2007 (permalink)

    useful. and if the internet goes out, you can, if you haven’t already done this you can reinstall but have viral. i downloaded firefox, and ads went away. i think my smitfraud-c is embedded in my copy of internet explorer 7.

  18. Dusty

    January 6th, 2008 (permalink)

    I have the same issue that Klavier is having. I have the C:\WINDOWS\privacy_danger file that won’t let me delete it, move it or anything. Downloaded the SmitfraudFix and it won’t get rid of it. Downloaded the Unlocker and it can’t unlock it… I’m at a loss here and this is really causing problems for me. Any additional suggestions???

  19. IArtist

    February 26th, 2008 (permalink)

    My puter caught this bug last night! Immediately I ran my AVG virus scan and spybot search & destroy with no luck at removing this sucker. Then after reading pages of information on this bug I decided to run my scans again while the puter was in safemode. Yeah victory finally got rid of the little booger and all its friends. The only other thing I can add to my approach was making sure my homepage and search was set to my favorite choices before I started the scan. Oh and after spybot deleted smitfraud-c from the registration I used the immunize button twice. Good luck to all!

    ****For our friend with the IP address problem, if you use cable internet try plugging the cable from the modem directly into the back of the puter and then back again into the router. That is what I did to solve my problem. The browser was able to pick up the address.

  20. Andrew

    May 3rd, 2008 (permalink)

    I used Unlocker to delete the privacy_danger file. Dusty, if you right click it and try to unlock, it gives you a little drop down menu of actions you can take, delete is one of them. Use that and the privacy_danger file will be deleted, and you will be able to get rid of the smitfraud-c with spybot. I got that far, the smitfraud-c is gone, however, I still get those annoying pop ups telling me I need to update my anti-spyware software. Here’s a print screen of it, AFTER I’ve gotten rid of the smitfraud-c.
    http://img74.imageshack.us/img74/2331/shitgm4.jpg

  21. Dahlar

    March 13th, 2009 (permalink)

    very useful…
    I found a strange rundll32.exe instance launched under my user account.
    So I looked at its properties and I found the dll which was the core of this worm-trojan.
    I killed this process
    I removed the dll file
    then I searched in the registry and removed the DCOM element which was used as launcher.
    Now my pc is ok

