This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

Continuing adventures in spyware (large picture)
2008-02-01, 4:31 PM #1
So I still haven't been able to clean the spyware/adware/virus/whatever off of my roommate's computer. It kind of doesn't matter anymore because he's decided to just format the hard disk, but today he turned on the computer to see this:
Attachment: 18417/spy.JPG (61,982 bytes)
COUCHMAN IS BACK BABY
2008-02-01, 4:34 PM #2
Well, it seems he has spyware problems. It says so right on the screen.
SnailIracing:n(500tpostshpereline)pants
-----------------------------@%
2008-02-01, 4:37 PM #3
that's the smitfraud virus. this is how to remove it.

first run smitfraudfix in safe mode.

then run combofix in normal mode.

then load spybot s&d and it will clean up the remnants

it sometimes creates system policies that prevent you from doing things like task manager or changing the background. they are in hkey_current_user -> software -> microsoft -> windows -> policies

they will be named things like norun and notaskmgr. delete them, log in, log out, you will be fine.


also, pretty sure i told you it was smitfraud in the previous thread here. i run a computer shop, do this every day, so i can call them pretty easily. i'm in the chat if you have questions, i can walk you through cleaning it up.
gbk is 50 probably

MB IS FAT
2008-02-01, 4:52 PM #4
Oh, thanks NoEsc. I really just wanted to share a funny picture, but I'll check that out.
COUCHMAN IS BACK BABY
2008-02-01, 5:18 PM #5
There's a really fun policy which blocks registry editor from running. :eng101: Would be surprised if this thing DIDN'T set it.

I'm sure there're tools to remove just that registry entry so you can use regedit again to clean up other stuff like it.

2008-02-01, 5:22 PM #6
Originally posted by The Mega-ZZTer:
There's a really fun policy which blocks registry editor from running. :eng101: Would be surprised if this thing DIDN'T set it.

I'm sure there're tools to remove just that registry entry so you can use regedit again to clean up other stuff like it.

That's probably why you have to remove it in safe mode. I've seen many similar cases of this. (not on my machines)
Naked Feet are Happy Feet
:omgkroko:
2008-02-01, 6:20 PM #7
yeah, you can do it in safe mode. the policy is set on the current user, so you can go into safe mode using the built in admin account and reset it for the other user.
gbk is 50 probably

MB IS FAT
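
An added example, not part of any post in this thread: a PowerShell check for the per-user restriction policies discussed above (Task Manager, Registry Editor, Run, wallpaper), with an optional cleanup switch. The key path and value names are the standard Windows policy names chosen for this example rather than the shorthand in the posts, and `$HiveRoot`, `-Remove` and the `<SID>` placeholder are assumptions of the example.

```powershell
# Audit per-user restriction policies; pass -Remove to delete the ones found.
# Default target is the current user's hive. From an administrator session
# (for example in safe mode) point -HiveRoot at another user's loaded hive,
# e.g. 'Registry::HKEY_USERS\<SID>' (placeholder, fill in the real SID).
param(
    [string]$HiveRoot = 'HKCU:',
    [switch]$Remove
)

$base = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies"

# Subkey / value pairs that lock the user out of common cleanup tools.
$checks = @(
    @{ Key = 'System';        Value = 'DisableTaskMgr' },
    @{ Key = 'System';        Value = 'DisableRegistryTools' },
    @{ Key = 'Explorer';      Value = 'NoRun' },
    @{ Key = 'ActiveDesktop'; Value = 'NoChangingWallPaper' }
)

$findings = foreach ($c in $checks) {
    $path  = "$base\$($c.Key)"
    # Returns $null if the key is missing or holds no values.
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains $c.Value) {
        [pscustomobject]@{
            Path = $path
            Name = $c.Value
            Data = $props.($c.Value)
        }
    }
}

if (-not $findings) {
    Write-Output 'No restriction policy values found.'
    return
}

# Always show what was found before changing anything.
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        Remove-ItemProperty -Path $f.Path -Name $f.Name
        Write-Output "Removed $($f.Name) from $($f.Path)"
    }
}
```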