Have Trojan-spy.html.smitfraud.c need help removing

Discussion in 'malware problems & news' started by Mike devilboy, Apr 13, 2005.

Thread Status:
Not open for further replies.
  1. Mike devilboy

    Mike devilboy Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    2
    Thanks for all the help you all provide. I have been struck by the trojan-spy.html.smitfraud.c virus and need help removing it from my computer. It has taken over my desktop and will not let me replace the blue background with this message.
    SECURITY WARNING
    a fatal error in IE has occured at 0028:C001E36 in VXD VMM (01) + 00010E36. Error was caused by trojan_spy.html.smitfraud.c
    *system can not function in normal mode. Please check security settings.
    *Scan your pc with any antivirus/spyware remover program to remove the proble.
    I ran Spybot & Adware to no avail. I also tried housecall and that did not work either. Searched internet for hours trying to solve problem. Can anyone out here help me get this trojan off my system?
    Thanks for the help
    Mike
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    This one seems to be a Keylogger, used to steal banking details to commit online fraud, only a few AVs (eg Kaspersky and McAfee) can deal with it:- http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=Trojan-Spy.HTML.Smitfraud.c&product=0

    You can find more info in this thread:- http://www.geekstogo.com/forum/Trojan_Spyhtmlsmitfraudc-t16219.html

    and here:- http://vil.nai.com/vil/content/v_127728.htm

    It might be worth doing an online scan with F-Secure, because it uses the KAV engine (whether it has the sig or not I don't know):- http://support.f-secure.com/enu/home/ols.shtml

    Other than that you could try Ewido:- http://www.ewido.net/en/
     
  3. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Kaspersky (trial download link) has this in its signatures. If you decide to download and install it, do it this way:

    During the install of Kaspersky 5.0.227 you will be presented with this: "Operate according to recommended settings". Uncheck this box and proceed.

    http://img157.exs.cx/img157/1415/k47hg.jpg

    Next you will have the option to disable the network module & IStreams (ADS), you should do this!!! (by that I mean, they should not be checked)

    http://img157.exs.cx/img157/6915/k58gf.jpg

    Finish the install.

    In settings: under "Configure on-demand scan", push the slider to max protection and select "perform recommended action"; under "configure updater" select this:

    http://img85.exs.cx/img85/2668/kav50configureupdater0zw.jpg

    Now manually update KAV, disconnect from the internet and do a scan in safe mode. Report back.

    You also may want to take a look at the GENERAL Virus and Trojan removal Instructions (very comprehensive!). :)

    Edit: I see that Topper beat me to the post. ;)

    Edit#2: The F-Secure online scanner does not remove trojans:
     
    Last edited: Apr 13, 2005
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    True Don, but at least it can tell you what you've got and where it is; once you have the file path of your nasty you can manually delete. :)

    Not as good as having KAV I will agree ;)
     
  5. Mike devilboy

    Mike devilboy Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    2
    Thanks fellas, I did the F-Secure scan and found 4 lovely trojans:
    C:\wp.exe Trojan.Win32.Agent.ct
    C:\WINDOWS\system32\ole32vbs.exe Trojan.Win32.Favadd.t
    C:\WINDOWS\system32\wldr.dll TrojanDownloader.Win32.Agent.le
    C:\WINDOWS\system32\msmsgs.exe Trojan-Downloader.Win32.Agent.lx
    I manually deleted three of four. The one that remains I can find the folder on the C:
    C:\wp.exe Trojan.Win32.Agent.ct
    I was not able as of yet to remove the warning from the desktop. There is no menu for it under properties by right-clicking the desktop.
    Can I manually delete this last Trojan without having to go the Kaspersky route?
    Guys, I REALLY appreciate your help. If it weren't for kind folks like you the world would be thrown into anarchy.
    Mike
     
  6. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Mike, it seems that Panda detects this under a different name http://www.viruslist.com/en/viruses/encyclopedia?virusid=78435, so try their free online service:

    http://www.pandasoftware.com/activescan/, it's easier for you this way and will also provide you with a second opinion. :)
     
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    You are absolutely right, I was not sure if Mike was comfortable with manual removal or if he would prefer a more automatic removal procedure. ;) :)

    :cool: :D
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Mike devilboy, if the Panda scan does the business all well and good, but if you still need to manually delete something go into 'safe mode' to do it - see here:- http://www.bleepingcomputer.com/forums/tutorial61.html
    You may also need to confirm that wp.exe (or whatever you are trying to delete) is not a running process in Task Manager, if it is you should end the process in TM before deletion. Actually, 'safe' mode should stop it from running, so this should not be necessary.

    We cannot be absolutely certain that the F-Secure scan found all the relevant files, so a second opinion scan is always a good idea. Indeed we cannot be sure you did not have more than one problem. So if you still have symptoms after your deletions we may have to try something else. In that case, if you wish to avoid the disruption of installing KAV, you should consider trying Ewido, which is a specialist Anti-Trojan.
     
  9. dmp

    dmp Guest

    Our computer picked this up somehow also.
    I think I got rid of it. Here is what I did.
    Uninstalled the probably bogus antispyware product that came along with the trojan.
    Ran a full system scan using the free version of adaware and nuked everything it found.
    Found the process wp.exe in task manager and killed it.
    Deleted wp.exe and wp.someimageformatIcan'tremember from c:/
    Rebooted.
    Ran adaware again just to be sure.

    Things seem clean now and my desktop is back to normal.
    We will see in a day or two.
    dmp
     
  10. Randallkei

    Randallkei Guest

    This was very helpful--
    I had also had the trojan-spy.html.smitfraud.c blue screen of death appear, after and I am sure somehow related to a bout of trojan.startpage.f that I was removing. After having run both NAV and Microsoft Anti-spyware beta with no results, I looked on here and deleted that wp.exe and its related graphic of the blue screen itself. That seemed to do the trick, but now I do not have any background picture and cannot figure out how to change it, as the usual route of right-clicking on the desktop, going to properties and display only offers me screen saver and monitor settings now. Anyone got any ideas on how to restore my beautiful blue screen of Windows XP life?
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You could try running the System File Checker (sfc.exe), this will scan all protected Windows files to verify their versions have not been overwritten or damaged, and if so will replace the compromised version with a fresh copy.

    To run it, click Start/Run and type 'sfc.exe /scannow' (without the quotes but with the space between the 'e' and the '/').

    Alternatively, you can click start/Run and type in CMD and click O.K., when the black window opens type in "sfc /scannow".

    You will need to insert your Windows CD into the drive to enable sfc to effect the repair.
     
  12. jachymq

    jachymq Guest

    If you want a black screen like I have, you must go to C:/ (D:/) and delete *****.bmp there (I don't know what its name is, but there is only one .bmp).
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  14. Shaddy

    Shaddy Guest

    2 Pieter_Arntz
    Yes, it's working. And it was really helpful. Thank you.

    Small differences from your procedure were:

    0) Virtual Maid and Search Maid were not presented as programs.


    1) C:\Windows\System32\helper.exe - I was unable to locate. Wp.bmp I keep for my friend. :)

    2) C:\Program Files\Security IGuard - Nothing remained after Uninstall. "Search Maid" folder was not located as well.

    3) Instead of Registrar Lite version 2.00, Regedit was used. And I did it in one step with Killbox without rebooting.


    P.S. CleanUp-Installation is excessive, IMHO.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Shaddy,

    Thanks for your comments.

    sukiyaki99,

    Thanks for your mail saying it helped you as well.

    Regards,

    Pieter
     
  16. chuxpix

    chuxpix Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1
    Follow Pieter Arntz's advice, IT WORKS!!!! THANKS PIETER
     
  17. Hi everyone, I've removed all the stuff but I can't get my background...:-(

    Tried the 'sfc.exe /scannow' method that was suggested but it did not work. Does anyone have any idea?

    Thanks!
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Can you try if disabling Active Desktop gives you back your normal desktop?

    Regards,

    Pieter
     
  19. Marsha

    Marsha Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1
    I am new here but need your help. This morning I got the Smitfraud trojan virus. I have been reading here on solutions, but am a little confused about all of this. My first time with a blue screen!!! I ran adaware and AVG and also Panda.
    I am not in safe mode at the moment. Do I need to be to delete the wp.exe file? And I don't find virtual or slave maid. Hopefully you guys can help. Looks like Pieter helped everyone here. I'll check back soon and hope I can follow the instructions. Thanks so much. Marsha
     
  20. Thanks for your prompt reply!

    But no use, there is no option to disable Active Desktop. In fact there isn't the desktop tab at all. But I did add the 'fix.reg' that someone suggested, but that is spoilt....sigh. Any other methods? You mentioned the policy thing using Registrar Lite. What is it?

    Cheers....
     
  21. Apparently, the Panda search calls the smitfraud virus a Searchmeup adware....its main cause is the new.exe file in c drive. You will have to be able to view hidden files to delete it. Try taking Pieter's advice on how to view invisible files...:p
     
  22. Hey, the Registrar Lite method works! Yeah! Although it cranked up my display settings after reboot (I thought my VGA card died), after rolling back the driver, the stuff are back to normal, and do use the hooster, somehow it can clear quite a bit of stuff...hehe

    Thanks Pieter!
     
  23. information

    information Guest

    Hi guys,
    best way to remove it is to run adaware and add remove all ISP dialers from system then reinstall them.
    <snip>
    Mumbai India

    edited to remove email address to protect from harvesting - Detox
     
    Last edited by a moderator: Apr 19, 2005
  24. hvenky

    hvenky Guest

    Thanks a ton for the instructions, I finally got rid of that ugly trojan. Hats off to you!
     
  25. APK

    APK Guest

    Can't seem to find c:\windows\system32\log files, otherwise followed the Wilders recipe, and failed.
     