01-20-2012 07:48 AM
So, my wife's computer started acting flaky on websites and weird security messages kept popping up and her internet options security settings kept changing. She had Symantec Endpoint Protection (fully updated regularly and scan regularly).
I installed Spybot Search and Destroy and it found that svchost.exe was a trojan identified as smitfraud-c.generic. Unfortunately, S&D failed to remove it. I then installed Malwarebytes which started blocking traffic to known malicious sites (22.214.171.124) from svchost.exe and identified the same trojan, and again that couldn't remove it.
I backed up the data to a blank USB disk drive, powered off the PC and formatted and installed the OS again, bought and installed Norton 360 even though Symantec Endpoint Protection is obvious crap and failed to protect the PC, N360 still has the best reviews. 2 hours later after installing Windows update, it blue screened. I installed a fresh copy of Malwarebytes, and lo and behold the virus was there.
I then proceeded to use a slew of other viral removal tools to no avail. I would let her use one of my Macs, however, I imagine that the USB drive is infected now as well, and would like to get it removed. I'm scanning it with SEP for the Mac, but I doubt it will find it. I'm not worried about the Mac getting infected, but I doubt she will be content using the Mac and eventually, I'll have to move her back to Windows.
Symantec seems to be totally unaware of the trojan, however, many other sites are aware of it.
I guess I could try and boot from a linux disk and format the drive and replace the MBR...but I wonder if I should disconnect the HD during the CD boot process?
01-21-2012 06:30 AM
Smitfraud-c is a known virus to Symantec
Click on the link below for the instructions to remove it
keep me posted about the result
01-22-2012 09:01 AM
Unfortunately, after wiping the drive and doing a fresh install again, it appears the virus was residing in the MBR or other location on the mobo and entering memory even on DVD boot. Yes, I ensured it was powered off before booting from DVD.
I pulled the drive out and formatted on a Linux system (destroyed the partition map, put on a new MBR and FAT file system.) This resulted in the PC failing to get past POST, it wouldn't even allow going into BIOS. I yanked the drive, wiped any data and filesystem, and destroyed the partition map. This allowed the PC to pass POST, but it couldn't boot off known working installation disks (I verified they worked on another system.)
Now, I'm suspecting that the virus is in the BIOS or another non-volatile memory on the motherboard. However, not leaving things to chance, I put a different drive in the system with an NTFS file system on it, and now the system can boot off CD and the HD (which subsequently was infected). It doesn't appear to be a DVD drive hardware failure...
So, I'm going to remove the battery and power, then using just the power cord, boot off write protected media and flash the BIOS. If that doesn't work, I guess it's trash the laptop time and chalk it up to life with Windows. I really wish that if SEP did know about this virus that it would have prevented its infection. Yes, I know a user could override the protection, but the user of the laptop is no slouch when it comes to technology and if SEP popped up and said "DANGER WILL ROBINSON, INFECTION IMMINENT IF YOU PROCEED!!!!" she wouldn't have. Thus, I still believe that a fully updated SEP 11 failed to protect the PC, let's hope that Norton 360 fares better (I bought her a new laptop in the meantime....)
If I could only convince her to use Linux or a Mac...sigh.
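As an added example that is not from any poster in this thread: a small Python checker for a 512-byte MBR dump taken from a Linux boot disc (for instance with dd), which parses the partition table and compares the bootstrap code hash against one recorded from a known-clean install. The sample sectors and the reference hash are constructed here; the function and constant names are assumptions.

```python
import hashlib
import struct

# Layout of a classic 512-byte MBR sector.
MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code lives in bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG_OFF = 510       # sector must end in 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature status, boot-code hash and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_findings(sector: bytes, reference_sha256: str) -> list:
    """Compare a dump against the boot-code hash recorded from a known-clean install."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != reference_sha256:
        findings.append("boot code differs from known-clean reference")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def _sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition starting at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6 + entry + b"\x00" * 48 + b"\x55\xaa"


CLEAN_MBR = _sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed stand-in for clean bootstrap code
CLEAN_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]       # reference recorded right after a fresh install
TAMPERED_MBR = _sample_mbr(b"\xeb\xfe")                     # constructed: bootstrap code replaced
```

Record the reference hash immediately after a fresh install, then re-run the comparison whenever the system misbehaves; a changed boot code hash with an unchanged partition table is the signal worth chasing.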