Trojan-spy smitfraud

[casajameli]

Help. I have been hit by the above virus. Other postings suggest the wallpaper is blue with the security message - which mine is - but I cannot see any desktop icons, or use my computer at all.

Does anyone know how I can get my computer to "open", so I can run the latest McAfee AV software, and start trying some of the fixes I have read on this forum

Thanks guys

[ronjor]

casajameli

Welcome to Wilders.

See the link for some info. I'll move to virus and trojan support issues.

http://www.wilderssecurity.com/showthread.php?t=75890

[casajameli]

Thanks Ron,

I have checked the link, but my main problem is that I'm looking at a blue screen which does nothing. I cannot go to "Start, Programs, etc" because the screen is locked blue with the security message - nothing else

Aaaarrrggggghhhhhhh! (tis a little frustrating)

[ronjor]

Can you start in the safe mode and do a scan?

http://www.pchell.com/support/safemode.shtml

[casajameli]

No, if I open in safe mode I just get a black blank screen, with "safe mode" in each corner of the screen (whether I choose "Administrator" or me)

[ronjor]

Have you seen this link?

Bleeping Computer

[ronjor]

If you can't get into your computer, then there is a big problem. This post will be seen by others so, give it time.

[casajameli]

Ron,

All these links look very tempting, teasing almost. But I just cannot get my computer to start up properly (or look as though it has). The screensaver comes on as normal, but I cannot do anything with the computer, so I can't try any of this

I really need to know how to get past "first base"

Ta

[Bubba]

Ron,

When you are in Regular mode or Safe mode....can you ctrl\alt\delete....and bring up Task Manager ?

If you can....do you see the Explorer process running ?

[casajameli]

Bubba,

Yes, I can "Cntrl, Alt, Delete", and yes, it does bring up Task Mgr box.

Under "User Name" there are lots of processes running, but it looks like Explorer is missing.

How the heck do I get this restored?

Dave

[Bubba]

Quote:

Originally Posted by casajameli

but it looks like Explorer is missing

Hmm....I was afraid of that.

In Task manager click the New Task button on the General tab. In the dialogue box type explorer.exe....select OK. Does the Desktop appear ?

If so....I would suggest you attempt a system restore to a date before this all started.

We can then possibly attempt to remove smitfraud using the instructions Ron provided in post # 2

[casajameli]

That doesn't work. I get an error message which says "Windows cannot find explorer.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search"

I've tried using the "browse" button in Task Manager, and I can find "Explorer" but it won't open.

I suspect the problem (before I address Trojan) is due to running McAfee AV. This found various viruses, and dealt with all but 3. It told me to manually quarantine or delete them, and I deleted. I wonder now if one of those was a key oerating file

How can I get into my Recycle Bin through the Task Manager - it isn't appearing when I look at my Desktop Items

[Bubba]

Quote:

Originally Posted by casajameli

That doesn't work. I get an error message which says "Windows cannot find explorer.exe.

I noticed you mentioned Administrator in an earlier post. I'll assume Win 2000 or XP ? If so....would you Please try again and instead of just explorer.exe....use the corresponding entry in bold.

Win2000=C:\WinNT\explorer.exe
or

WinXP=C:\Windows\explorer.exe

[SteveKes]

Hi

got exactly same problem as Casajameli. Using XP Home SP1.

Using C:\Windows\explorer.exe in Task MAnager just produces the error message "Windows cannot find.....etc..."

Any ideas gratefully received.

Thanks

SteveKes

[guidot]

I've tried everything. Spybot, AVG, Macafee, etc and no good. The mouse doesn't work but I've still run in all the above softwave with no positive results. Help!!

I'm a computer consultant who has a client's PC doing the exact same thing. We did a spyware and virus cleanup on the machine from Safe Mode and rebooted. After the reboot none of the clients profiles will get beyond the desktop background. Screen savers come on, other programs run, etc but the taskbar and desktop icons never show.

We've named a copy of explorer.exe explorer.com and are able to get File Manager to load that way, but the system refuses to run explorer.exe. I also noticed that Internet Explorer (iexplore.exe) won't run either.

I've gone so far as to copy explorer.exe from another PC onto a floppy disk and tried running it from there thinking perhaps the one on the computer is corrupt. Same error about "cannot find" blah blah blah.

I have an SP2 CD and was able to install it through File Manager (I though MAYBE if there's a file or registry issue SP2 might correct it during it's install). That resulted in the same thing... which is pretty much nothing.

I've tried system restore from before the virus/spyware cleanup. I've tried an XP repair, etc but nothing has worked.

I've backed my clients data up but I'm desperately trying to avoid blowing away their system and reloading it.

SOLUTION FOUND:

I found this info on another message board and was about doing backflips when I found out it worked.

Here's how to fix this issue:

1. CTRL-Alt-Del to bring up Task Manager.
2. Click File | New Task(run).
3. Type regedit in the Run box and click OK.
4. Browse to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution.options

5. Under this key there will be subkeys named explorer.exe and iexplorer.exe.
These keys are pointing to files that have been removed (virus/spyware); explorer32dbg.exe and iexplore_dbg.exe. Delete the explorer and iexplorer keys entirely. The should not be listed under the Image File Execution.Options key.
6. Close the Registry Editor.
7. Restart the computer.

The Windows desktop should load fine now.

Thanks. that worked great! I thought i was going to have to reinstall windows on this guys machine.

Many thanks, found this and resolved my problem.

Cheers

you rock. this worked for me as well

[Pieter_Arntz]

Quote:

Originally Posted by WayneAtDataware

SOLUTION FOUND:

I found this info on another message board and was about doing backflips when I found out it worked.

Here's how to fix this issue:

1. CTRL-Alt-Del to bring up Task Manager.
2. Click File | New Task(run).
3. Type regedit in the Run box and click OK.
4. Browse to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution.options

5. Under this key there will be subkeys named explorer.exe and iexplorer.exe.
These keys are pointing to files that have been removed (virus/spyware); explorer32dbg.exe and iexplore_dbg.exe. Delete the explorer and iexplorer keys entirely. The should not be listed under the Image File Execution.Options key.
6. Close the Registry Editor.
7. Restart the computer.

The Windows desktop should load fine now.

This fix is good. For Startpage.O

Does not have one bit to do with Smitfraud however.

Regards,

Pieter

Quote:

Originally Posted by casajameli

Help. I have been hit by the above virus. Other postings suggest the wallpaper is blue with the security message - which mine is - but I cannot see any desktop icons, or use my computer at all.

Does anyone know how I can get my computer to "open", so I can run the latest McAfee AV software, and start trying some of the fixes I have read on this forum

Thanks guys

i was hit by the same one last night and i also went to that help link on this site,hower my computer still functions but i still need and must get rid of it please help us!!

I have this exact virus on my computer.

I've tried doing the steps here: http://www.wilderssecurity.com/showthread.php?t=50662
And also here: http://www.wilderssecurity.com/showthread.php?t=75890

Neither of these have worked. I do however, have another warning overlapping the first blue screen w/the virus warning on it that says:

'System Stopped. System has stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer until all spyware removed.'

I've also gone into the registry keys and manually deleted the items found by Spypot Search and Destroy.
If anyone could help, I'd be extremely grateful.

PS I do have all my desktop icons, just the blue background w/warnings.

I think that the trojan gets deleted when you run virus/spyware scan. The back ground is just a wallpaper. If you can't change it it might be due to a registry edit. Look under

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001

You can delete the "No" subkeys completly. If you have ran virus/spyware scans, youshould be ok.

Hey WayneAtDataware, it takes alot to impress me, but i am impressed with this solution. I spent an hour searhing the registry for the corrupted reg file, but after i saw ur post i was glad and i could not believe that the problem was in 'Image File Execution.options'. Thanks alot for posting the solution and not keeping it to yourself.