Trojan-spy smitfraud

Discussion in 'malware problems & news' started by casajameli, May 26, 2005.

Thread Status:
Not open for further replies.
  1. casajameli

    casajameli Registered Member

    Help. I have been hit by the above virus. Other postings suggest the wallpaper is blue with the security message - which mine is - but I cannot see any desktop icons, or use my computer at all.

    Does anyone know how I can get my computer to "open", so I can run the latest McAfee AV software, and start trying some of the fixes I have read on this forum

    Thanks guys
  2. ronjor

    ronjor Global Moderator

  3. casajameli

    casajameli Registered Member

    Thanks Ron,

    I have checked the link, but my main problem is that I'm looking at a blue screen which does nothing. I cannot go to "Start, Programs, etc" because the screen is locked blue with the security message - nothing else

    Aaaarrrggggghhhhhhh! (tis a little frustrating)
  4. ronjor

    ronjor Global Moderator

  5. casajameli

    casajameli Registered Member

    No, if I open in safe mode I just get a black blank screen, with "safe mode" in each corner of the screen (whether I choose "Administrator" or me)
  6. ronjor

    ronjor Global Moderator

  7. ronjor

    ronjor Global Moderator

    If you can't get into your computer, then there is a big problem. This post will be seen by others so, give it time.
  8. casajameli

    casajameli Registered Member

    Ron,

    All these links look very tempting, teasing almost. But I just cannot get my computer to start up properly (or look as though it has). The screensaver comes on as normal, but I cannot do anything with the computer, so I can't try any of this

    I really need to know how to get past "first base"

    Ta
  9. Bubba

    Bubba Updates Team

    Ron,

    When you are in Regular mode or Safe mode....can you ctrl\alt\delete....and bring up Task Manager ?

    If you can....do you see the Explorer process running ?
  10. casajameli

    casajameli Registered Member

    Bubba,

    Yes, I can "Cntrl, Alt, Delete", and yes, it does bring up Task Mgr box.

    Under "User Name" there are lots of processes running, but it looks like Explorer is missing.

    How the heck do I get this restored?

    Dave
  11. Bubba

    Bubba Updates Team

    Hmm....I was afraid of that.

    In Task manager click the New Task button on the General tab. In the dialogue box type explorer.exe....select OK. Does the Desktop appear ?

    If so....I would suggest you attempt a system restore to a date before this all started.

    We can then possibly attempt to remove smitfraud using the instructions Ron provided in post # 2 :doubt:
  12. casajameli

    casajameli Registered Member

    That doesn't work. I get an error message which says "Windows cannot find explorer.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search"

    I've tried using the "browse" button in Task Manager, and I can find "Explorer" but it won't open.

    I suspect the problem (before I address Trojan) is due to running McAfee AV. This found various viruses, and dealt with all but 3. It told me to manually quarantine or delete them, and I deleted. I wonder now if one of those was a key operating file.

    How can I get into my Recycle Bin through the Task Manager - it isn't appearing when I look at my Desktop Items
  13. Bubba

    Bubba Updates Team

    I noticed you mentioned Administrator in an earlier post. I'll assume Win 2000 or XP ? If so....would you Please try again and instead of just explorer.exe....use the corresponding entry in bold.

    Win2000=C:\WinNT\explorer.exe
    or

    WinXP=C:\Windows\explorer.exe
  14. SteveKes

    SteveKes Registered Member

    Hi

    got exactly same problem as Casajameli. Using XP Home SP1.

    Using C:\Windows\explorer.exe in Task Manager just produces the error message "Windows cannot find.....etc..."

    Any ideas gratefully received.

    Thanks

    SteveKes
  15. guidot

    guidot Registered Member

    I've tried everything. Spybot, AVG, McAfee, etc. and no good. The mouse doesn't work but I've still run in all the above software with no positive results. Help!!
  16. WayneAtDataware

    WayneAtDataware Guest

    I'm a computer consultant who has a client's PC doing the exact same thing. We did a spyware and virus cleanup on the machine from Safe Mode and rebooted. After the reboot none of the client's profiles will get beyond the desktop background. Screen savers come on, other programs run, etc., but the taskbar and desktop icons never show.

    We've named a copy of explorer.exe explorer.com and are able to get File Manager to load that way, but the system refuses to run explorer.exe. I also noticed that Internet Explorer (iexplore.exe) won't run either.

    I've gone so far as to copy explorer.exe from another PC onto a floppy disk and tried running it from there thinking perhaps the one on the computer is corrupt. Same error about "cannot find" blah blah blah.

    I have an SP2 CD and was able to install it through File Manager (I thought MAYBE if there's a file or registry issue SP2 might correct it during its install). That resulted in the same thing... which is pretty much nothing.

    I've tried system restore from before the virus/spyware cleanup. I've tried an XP repair, etc but nothing has worked.

    I've backed my client's data up but I'm desperately trying to avoid blowing away their system and reloading it.
  17. WayneAtDataware

    WayneAtDataware Guest

    SOLUTION FOUND:

    I found this info on another message board and was about doing backflips when I found out it worked.

    Here's how to fix this issue:

    1. CTRL-Alt-Del to bring up Task Manager.
    2. Click File | New Task(run).
    3. Type regedit in the Run box and click OK.
    4. Browse to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution.options

    5. Under this key there will be subkeys named explorer.exe and iexplorer.exe.
    These keys are pointing to files that have been removed (virus/spyware); explorer32dbg.exe and iexplore_dbg.exe. Delete the explorer and iexplorer keys entirely. They should not be listed under the Image File Execution.Options key.
    6. Close the Registry Editor.
    7. Restart the computer.

    The Windows desktop should load fine now. :)
  18. TheGeek

    TheGeek Guest

    Thanks. That worked great! I thought I was going to have to reinstall Windows on this guy's machine.
  19. RC1

    RC1 Guest

    Many thanks, found this and resolved my problem.

    Cheers
  20. deac

    deac Guest

    you rock. this worked for me as well :D
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    This fix is good. For Startpage.O

    Does not have one bit to do with Smitfraud however.

    Regards,

    Pieter
  22. someguyinneed

    someguyinneed Guest

    I was hit by the same one last night and I also went to that help link on this site, however my computer still functions but I still need and must get rid of it, please help us!!
  23. UnhappyGirl

    UnhappyGirl Guest

    I have this exact virus on my computer.

    I've tried doing the steps here: http://www.wilderssecurity.com/showthread.php?t=50662
    And also here: http://www.wilderssecurity.com/showthread.php?t=75890

    Neither of these have worked. I do however, have another warning overlapping the first blue screen w/the virus warning on it that says:

    'System Stopped. System has stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer until all spyware removed.'

    I've also gone into the registry keys and manually deleted the items found by Spybot Search and Destroy.
    If anyone could help, I'd be extremely grateful.

    PS I do have all my desktop icons, just the blue background w/warnings.
  24. V3T_TOO

    V3T_TOO Guest

    I think that the trojan gets deleted when you run virus/spyware scan. The background is just a wallpaper. If you can't change it, it might be due to a registry edit. Look under

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "NoDispBackgroundPage"=dword:00000001
    "NoDispAppearancePage"=dword:00000001

    You can delete the "No" subkeys completely. If you have run virus/spyware scans, you should be ok.
  25. MacGuy

    MacGuy Guest

    Hey WayneAtDataware, it takes a lot to impress me, but I am impressed with this solution. I spent an hour searching the registry for the corrupted reg file, but after I saw ur post I was glad and I could not believe that the problem was in 'Image File Execution.options'. Thanks a lot for posting the solution and not keeping it to yourself.
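
Added example, not part of any post in this thread: a Python check that reads a regedit text export and lists the two kinds of entries discussed in posts 17 and 24, namely `Debugger` values under subkeys of `Image File Execution Options` (the key's name as Windows spells it) and the `NoDisp*` display policy values. The sample export, the `example.exe` subkey and the directory in the debugger path are constructed; a `Debugger` value can also be set legitimately, so the findings are for review, not automatic deletion.

```python
import re

# Key paths are compared in lower case because registry paths are case-insensitive.
IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
POLICY = r"software\microsoft\windows\currentversion\policies\system"
DISPLAY_LOCKS = {"nodispbackgroundpage", "nodispappearancepage"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Constructed sample in regedit export format (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\explorer32dbg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"GlobalFlag"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
'''

def decode(data):
    """Decode the two .reg data types handled here: strings and dwords."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) and other types stay as raw text

def parse_reg(text):
    """Return {key_path: {value_name: value}} from regedit export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            current = keys.setdefault(m["key"], {})
        elif (m := VAL_RE.match(line)) and current is not None:
            current[m["name"]] = decode(m["data"])
    return keys

def audit(text):
    """Return (kind, key, value_name, value) entries a responder should review."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, value in values.items():
            if IFEO + "\\" in key.lower() and name.lower() == "debugger":
                findings.append(("ifeo-debugger", key, name, value))
            elif key.lower().endswith(POLICY) and name.lower() in DISPLAY_LOCKS and value == 1:
                findings.append(("display-lock", key, name, value))
    return findings
```

regedit's version 5.00 exports are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.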