Trojan-spy smitfraud

Discussion in 'malware problems & news' started by casajameli, May 26, 2005.

Thread Status:
Not open for further replies.
  1. casajameli

    casajameli Registered Member

    Help. I have been hit by the above virus. Other postings suggest the wallpaper is blue with the security message - which mine is - but I cannot see any desktop icons, or use my computer at all.

    Does anyone know how I can get my computer to "open", so I can run the latest McAfee AV software, and start trying some of the fixes I have read on this forum

    Thanks guys
  2. ronjor

    ronjor Global Moderator

  3. casajameli

    casajameli Registered Member

    Thanks Ron,

    I have checked the link, but my main problem is that I'm looking at a blue screen which does nothing. I cannot go to "Start, Programs, etc" because the screen is locked blue with the security message - nothing else

    Aaaarrrggggghhhhhhh! (tis a little frustrating)
  4. ronjor

    ronjor Global Moderator

  5. casajameli

    casajameli Registered Member

    No, if I open in safe mode I just get a black blank screen, with "safe mode" in each corner of the screen (whether I choose "Administrator" or me)
  6. ronjor

    ronjor Global Moderator

  7. ronjor

    ronjor Global Moderator

    If you can't get into your computer, then there is a big problem. This post will be seen by others so, give it time.
  8. casajameli

    casajameli Registered Member


    All these links look very tempting, teasing almost. But I just cannot get my computer to start up properly (or look as though it has). The screensaver comes on as normal, but I cannot do anything with the computer, so I can't try any of this

    I really need to know how to get past "first base"

  9. Bubba

    Bubba Updates Team


    When you are in Regular mode or Safe mode....can you ctrl\alt\delete....and bring up Task Manager ?

    If so, do you see the Explorer process running ?
  10. casajameli

    casajameli Registered Member


    Yes, I can "Cntrl, Alt, Delete", and yes, it does bring up Task Mgr box.

    Under "User Name" there are lots of processes running, but it looks like Explorer is missing.

    How the heck do I get this restored?

  11. Bubba

    Bubba Updates Team

    Hmm....I was afraid of that.

    In Task manager click the New Task button on the General tab. In the dialogue box type OK. Does the Desktop appear ?

    If so....I would suggest you attempt a system restore to a date before this all started.

    We can then possibly attempt to remove smitfraud using the instructions Ron provided in post # 2 :doubt:
  12. casajameli

    casajameli Registered Member

    That doesn't work. I get an error message which says "Windows cannot find explorer.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search"

    I've tried using the "browse" button in Task Manager, and I can find "Explorer" but it won't open.

    I suspect the problem (before I address Trojan) is due to running McAfee AV. This found various viruses, and dealt with all but 3. It told me to manually quarantine or delete them, and I deleted. I wonder now if one of those was a key operating file.

    How can I get into my Recycle Bin through the Task Manager - it isn't appearing when I look at my Desktop Items
  13. Bubba

    Bubba Updates Team

    I noticed you mentioned Administrator in an earlier post. I'll assume Win 2000 or XP ? If so....would you Please try again and instead of just explorer.exe....use the corresponding entry in bold.


  14. SteveKes

    SteveKes Registered Member


    got exactly same problem as Casajameli. Using XP Home SP1.

    Using C:\Windows\explorer.exe in Task Manager just produces the error message "Windows cannot find.....etc..."

    Any ideas gratefully received.


  15. guidot

    guidot Registered Member

    I've tried everything. Spybot, AVG, McAfee, etc and no good. The mouse doesn't work but I've still run in all the above software with no positive results. Help!!
  16. I'm a computer consultant who has a client's PC doing the exact same thing. We did a spyware and virus cleanup on the machine from Safe Mode and rebooted. After the reboot none of the client's profiles will get beyond the desktop background. Screen savers come on, other programs run, etc but the taskbar and desktop icons never show.

    We've named a copy of explorer.exe and are able to get File Manager to load that way, but the system refuses to run explorer.exe. I also noticed that Internet Explorer (iexplore.exe) won't run either.

    I've gone so far as to copy explorer.exe from another PC onto a floppy disk and tried running it from there thinking perhaps the one on the computer is corrupt. Same error about "cannot find" blah blah blah.

    I have an SP2 CD and was able to install it through File Manager (I thought MAYBE if there's a file or registry issue SP2 might correct it during its install). That resulted in the same thing... which is pretty much nothing.

    I've tried system restore from before the virus/spyware cleanup. I've tried an XP repair, etc but nothing has worked.

    I've backed my client's data up but I'm desperately trying to avoid blowing away their system and reloading it.

    I found this info on another message board and was about doing backflips when I found out it worked.

    Here's how to fix this issue:

    1. CTRL-Alt-Del to bring up Task Manager.
    2. Click File | New Task(run).
    3. Type regedit in the Run box and click OK.
    4. Browse to the following registry key:

    Windows NT\CurrentVersion\Image File Execution.options

    5. Under this key there will be subkeys named explorer.exe and iexplorer.exe.
    These keys are pointing to files that have been removed (virus/spyware); explorer32dbg.exe and iexplore_dbg.exe. Delete the explorer and iexplorer keys entirely. They should not be listed under the Image File Execution.Options key.
    6. Close the Registry Editor.
    7. Restart the computer.

    The Windows desktop should load fine now. :)
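
A read-only audit of the redirection the fix above removes, as an added example that is not part of the original post: it parses a `reg export` of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` and lists every image whose `Debugger` value redirects its launch, noting whether the target still exists. The sample export, the `C:\WINDOWS` path and the `existing_files` parameter (standing in for an on-disk check) are constructed for illustration.

```python
import re

IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample in `reg export` text format (not taken from the thread's machines).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="explorer32dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="\"C:\\WINDOWS\\iexplore_dbg.exe\" -x"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"="0x00000010"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote inside string values
    return re.sub(r"\\(.)", r"\1", s)

def debugger_target(cmdline):
    """Return the executable part of a Debugger command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0] if cmdline else ""

def find_ifeo_debuggers(reg_text, existing_files=()):
    """List (image, debugger, target_exists) for every IFEO subkey with a Debugger value.
    existing_files is a hypothetical stand-in for checking the disk."""
    known = {p.lower() for p in existing_files}
    findings, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            head, _, leaf = m.group(1).rpartition("\\")
            image = leaf if head.lower().endswith(IFEO.lower()) else None
            continue
        m = VAL_RE.match(line)
        if m and image and unescape(m.group(1)).lower() == "debugger":
            target = debugger_target(unescape(m.group(2)))
            findings.append((image, target, target.lower() in known))
    return findings
```

An entry whose third field is `False` names a debugger that is no longer on disk, which is the state the post describes for explorer.exe.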
  18. TheGeek

    TheGeek Guest

    Thanks. That worked great! I thought I was going to have to reinstall Windows on this guy's machine.
  19. RC1

    RC1 Guest

    Many thanks, found this and resolved my problem.

  20. deac

    deac Guest

    you rock. this worked for me as well :D
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    This fix is good. For Startpage.O

    Does not have one bit to do with Smitfraud however.


  22. I was hit by the same one last night and I also went to that help link on this site, however my computer still functions but I still need and must get rid of it. Please help us!!
  23. UnhappyGirl

    UnhappyGirl Guest

    I have this exact virus on my computer.

    I've tried doing the steps here:
    And also here:

    Neither of these have worked. I do however, have another warning overlapping the first blue screen w/the virus warning on it that says:

    'System Stopped. System has stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer until all spyware removed.'

    I've also gone into the registry keys and manually deleted the items found by Spybot Search and Destroy.
    If anyone could help, I'd be extremely grateful.

    PS I do have all my desktop icons, just the blue background w/warnings.
  24. V3T_TOO

    V3T_TOO Guest

    I think that the trojan gets deleted when you run virus/spyware scan. The background is just a wallpaper. If you can't change it it might be due to a registry edit. Look under


    You can delete the "No" subkeys completely. If you have run virus/spyware scans, you should be ok.
  25. MacGuy

    MacGuy Guest

    Hey WayneAtDataware, it takes a lot to impress me, but I am impressed with this solution. I spent an hour searching the registry for the corrupted reg file, but after I saw your post I was glad and I could not believe that the problem was in 'Image File Execution.options'. Thanks a lot for posting the solution and not keeping it to yourself.