Posted 26 June 2008 - 01:11 PM
I found some of the information here on smitfraud helpful, so I thought I would try and give something back. I tried to email the guys at the smitfraudfix website, but I couldn't seem to find an email address for them. Anyway, maybe they will read this, or this information will help someone else.
I believe I ran across a new version of smitfraud... I attempted to remove it several times using the smitfraudfix tool (v2.328), but it did not work. The version I had used two files:
lphc7koj0etc9.exe 109,056 bytes
blphc7koj0etc9.scr 60,928 bytes
Both files were located in c:\windows\system32.
lphc7koj0etc9.exe was memory resident, used about 8.2k, and was visible via the Task Manager process list.
Both files were visible in the registry at:
I was unable to find an actual "\Run" entry in the registry for either of these. Based on the limited reading that I have done on this little cretin, and the behavior that I saw, it seems that this variant may have woven itself into the Windows shutdown process as a way of assuring it is reloaded on restart.
I renamed both of the files and the problem seems to have gone away. I have saved the files if someone from smitfraudfix is interested in examining them. I can be contacted at email@example.com
Hope this helps someone!