Sunday, September 24, 2006

Removing Fake Security Programs Like VirusBurst, WinMedia & Other Codecs

It seems that the writers of the rogue applications are on a spree. The latest, WinMediaCodec was discovered on a few days ago. (See what it looks like at the Sunbelt Blog). Fortunately, by Saturday morning, S!Ri, the developer, had already updated SmitFraudFix. Good thing too because within an hour I was helping someone with that infection. It was also fortunate that the person found the help site because his/her friends said there was no way to remove it and a clean format was the only solution. Rest assured, if you are unfortunate enough to be infected by one of these rogues that there is help available.

I have seen a lot of search results locating this blog after searching Google for VirusBurst and the like. As a result, it is time to provide the preliminary steps for removing the likes of VirusBurst, MediaCodec, WinMediaCodec, as well as future iterations of what we generically refer to as the "SmitFraud" infection. Understand that this will provide relief, but additional steps will likely be needed to completely remove the the debris. That is where the security help forums come into play. You can find me and others at LandzDown and Freedomlist as well as others in the community at the various ASAP member sites.

You might find digging out dandelions an easier task so roll up your sleeves and get to work!

A. Start by downloading and installing the following files:
  1. Download HijackThis© from: .

    1. At the download prompt, choose "Save".
    2. Navigate to the saved file and double-click the installer, HJTsetup.exe.
    3. HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
    4. When the installation is complete, exit HijackThis.

  2. Download SmitfraudFix (© S!Ri) to your Desktop from . Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user (See

  3. Download ewido anti-spyware from HERE. Save the file to your desktop so you can locate it.

    1. Locate the ewido anti-spyware icon on the desktop.
    2. Double-click the large yellow "e" ewido icon to launch the set up program.
    3. The installation will require a restart of the computer.
    4. Launch ewido to update to the latest definition files.
    5. On the main screen select the "Update" icon
    6. Click "Start Update". The update will start and a progress bar will show the updates being installed.
    7. If you have problems with the updater, you can use this link to manually update ewido -- ewido manual updates

  4. Setup ewido as follows:

    1. Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    2. In the Settings screen click "Recommended actions" and then select "Quarantine".
    3. Under "Reports"
      • Select "Automatically generate report after every scan"
      • DE-Select "Only if threats were found"
      • close ewido
B. Restart your computer in Safe Mode.
  1. Wait 30 seconds, and then turn the computer on.

  2. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.

  3. Ensure that the Safe Mode option is selected.

  4. Press Enter. The computer then begins to start in Safe Mode.

  5. Login on your usual account (If you need further assistance with Safe Mode, see Symantec).
C. Scanning and system cleaning with ewido.
  1. Lauch ewido-anti-spyware by double-clicking the icon on the desktop.

    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.

  2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"

  3. ewido will now begin the scanning process. Be patient as this may take a little time.

  4. While scanning, ewido will list any infections found on the left side.

  5. When the scan is completed, the recommended action should be set to Quarantine. If not click Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.

  6. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

  7. Close ewido.
D. Navigate to the SmitfraudFix folder on your desktop.
  1. Double-click smitfraudfix.cmd file to start the tool.

  2. Select option #2 - Clean by typing 2 and press Enter.

    running option #2 on a uninfected computer will remove your Desktop background.

  3. Wait for the tool to complete and disk cleanup to finish.

  4. You will be prompted : "Registry cleaning - Do you want to clean the registry?"

    1. Answer Yes by typing Y
    2. Hit Enter.

  5. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.

    1. If prompted, answer Yes to the question "Replace infected file?" by typing Y
    2. Hit Enter.

  6. A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually.

  7. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

That will have taken care of the majority of the problem. However, there are likely remnants or other problems caused by the rogue installation. It is advisable to go to one of the security sites for a reviw. Its easy to register. Then create a topic in the appropriate forum for HijackThis logs. Be sure to include a copy of the rapport.txt, ewido log and a HijackThis log.

(Do NOT attempt to remove anything with HijackThis on your own. It is very powerful and removing the wrong thing could easily cripple the computer.)

Note: Special thanks to S!RI for not only creating SmitFraudFix but also for keeping it updated.

No comments: