Have Trojan-spy.html.smitfraud.c need help removing

Discussion in 'malware problems & news' started by Mike devilboy, Apr 13, 2005.

Thread Status:
Not open for further replies.
  1. abcd123

    abcd123 Guest

    Has anyone found a solution to anoop's question?
     
  2. arun

    arun Guest

    My Yahoo Messenger is not working because of Trojan-Spy.HTML.smitfraud.c
    ... what can I do?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    The last variant of Smitfraud that uses a BHO wipes out all other BHOs that are present on the system at the time of infection.

    Unfortunately it not only removes them from the registry but deletes the files as well where it can.
    The easiest solution is to re-install the software that stops functioning.

    Regards,
     
  4. VitaP

    VitaP Registered Member

    Joined:
    May 20, 2005
    Posts:
    1
    I did the steps to remove the virus and it seems ok because the blue screen is gone, but my internet homepage is hxxp: //letgohome.com/hp.htm?id=346 and I can't undo this. I also have to restart my computer a couple of times in order for icons and start button to appear. While surfing, it automatically redirects me to a random page and pop up windows keep appearing. Does anyone have an idea on how to fix this? Does this mean the trojan is still present?
     
    Last edited by a moderator: May 23, 2005
  5. Yaz8

    Yaz8 Guest

    I have the trojan-spy.html.smitfraud problem ...does anyone know a sure fire, quick and easy way to turn this $800 paperweight into a computer again..I've tried Norton's and it really didn't get me anywhere.
     
  6. ming

    ming Guest

    Thanks jakie......you are a life saver..!!!!! This is the easiest way to solve the problem!
     
  7. NightEagle

    NightEagle Guest

    Jakie you're awesome dude! thx!
     
  8. Underdog

    Underdog Guest

    Thanks everyone for your input on this subject. It has been a great help in getting my computer back after getting blasted. But I still have three problems that I was hoping you could help me with…

    1. I can't reset my homepage on Internet Explorer. It is set as "http://195.95.218.172/index.php" and so is the default. I tried the tips from Spy1 on unlocking your browser's home page https://www.wilderssecurity.com/showthread.php?t=17397 but when I get down to the Internet Explorer file I do not have a control panel file, only a 'restrictions' folder?

    2. I keep getting the 'this program has performed an illegal function' error message when I start up my computer. Sometimes it tells me the tool2.exe file has been corrupted and I need to reinstall it. Since I got my computer from my brother-in-law I don't have any of the original software to reinstall the tool2.exe file. If that's what I needed to do. This is what the details of the error message are:

    TOOL2 caused an invalid page fault in
    module TOOL2.EXE at 0167:0040402d.

    3. After I got rid of 'the trojan blue screen of death' the stretch to fit option for my wallpaper is gone. When I try to place pictures as my wallpaper all I get is a corner of them.

    Any help on these items would be great! Thanks!
     
  9. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    There might be something here that can help,

    https://www.wilderssecurity.com/showthread.php?t=81894


    snowbound
     
  10. Underdog

    Underdog Guest

    Snowbound - I didn't find anything there that would help. - Underdog
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,909
    Location:
    Texas
  12. celia 74

    celia 74 Guest

    I need help in removing Trojan-Spy.HTML.Smitfraud.C. The trojan is on my desktop, and I already ran the Spy Sweeper and Norton Antivirus and still it didn't remove anything. Will someone please tell me how to remove this trojan off my desktop.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,909
    Location:
    Texas
    celia 74

    Please see the post above your post and submit a hijack log at one of those sites.
     
  14. mlewis73165

    mlewis73165 Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    1
    Hi Everyone,

    I ran a few softwares and deleted some files after searching quite a few sites. I deleted the wp.bmp file which got rid of the message on my desktop but I could not get my tabbed settings back to set my background. Here is the most helpful info I found which did the trick:

    ------------------------------------------------------------------------

    Delete these files, if found:

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\System32\wldr.dll
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe

    Download the following reg file to your desktop by right clicking on the link, and selecting save as.

    http://www.bleepingcomputer.com/files/reg/smitfraud.reg

    Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button.

    Reboot your computer and you should now be able to change your desktop settings back to how you would like it. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit.

    --------------------------------------------------------------------------

    I located the info at:
    http://www.short-media.com/forum/showthread.php?t=31961

    I have Windows 98 and it worked just fine.
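
Added example, not part of the post above or of the instructions it quotes: a read-only Python check for the listed files on an infected volume mounted from a clean system, matching names case-insensitively because the list itself mixes `Windows`/`WINDOWS` and `System32`/`system32`. The function names, the mount-root argument and the sample tree are assumptions made for illustration; the check reports size and SHA-256 for each hit and deletes nothing.

```python
import hashlib
import os
import tempfile

# Paths copied verbatim from the "Delete these files, if found" list above.
LISTED = [
    r"C:\wp.exe", r"C:\wp.bmp", r"C:\Windows\sites.ini",
    r"C:\Windows\popuper.exe", r"C:\WINDOWS\System32\wldr.dll",
    r"C:\Windows\System32\helper.exe", r"C:\Windows\System32\intmonp.exe",
    r"C:\Windows\System32\msmsgs.exe", r"C:\Windows\System32\ole32vbs.exe",
    r"C:\Windows\system32\msole32.exe", r"C:\WINDOWS\system32\shnlog.exe",
]

def resolve_ci(root, win_path):
    """Map a listed Windows path onto root, matching each component case-insensitively."""
    current = root
    for part in win_path.split(":", 1)[1].strip("\\").split("\\"):
        if not os.path.isdir(current):
            return None
        match = next((n for n in os.listdir(current) if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None

def audit(root, listed=LISTED):
    """Return (listed_path, real_path, size, sha256) per listed file found; deletes nothing."""
    hits = []
    for win_path in listed:
        real = resolve_ci(root, win_path)
        if real:
            with open(real, "rb") as fh:
                data = fh.read()
            hits.append((win_path, real, len(data), hashlib.sha256(data).hexdigest()))
    return hits

def build_sample(root):
    """Constructed sample volume: two listed files (upper-case on disk), one unrelated file."""
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM32"))
    for rel, data in [("WP.EXE", b"constructed-1"),
                      ("WINDOWS/SYSTEM32/SHNLOG.EXE", b"constructed-2"),
                      ("WINDOWS/notepad.exe", b"unrelated")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in audit(tmp):
            print(hit)
```

An empty result does not mean the machine is clean: later posts in this thread report the same symptoms with none of these files present.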
     
  15. Pop Bottles

    Pop Bottles Registered Member

    Joined:
    Jun 11, 2005
    Posts:
    1
    There is an anti spyware program called Xoftspy which gets rid of the Smitfraud junk. I ran Spybot Search and Destroy, and Xoftspy and got rid of it.
    I ran into this thread after running AVG, and Spybot Search and Destroy, CWShredder, HijackThis and failing to get rid of Smitfraud. When I started looking for some of the files that this thread suggested deleting, I couldn't find them although I did get into regedit and change the two values referencing the Smitfraud desktop image to 0. I still had the desktop malfunction though.
    I finally ran Xoftspy, a new program that I wasn't used to using. Its scan results definitely detected Smitfraud. The first time I tried to boot up afterward, I got this black screen and the boot up process seemed to stall. On the reboot I got the desktop and was able to restore my original settings with no problem. Sorry if this is a little disorganized. It's possible that running Xoftspy alone without all the other stuff will take care of the problem. I don't remember how or where I downloaded Xoftspy. I think it is Free/Shareware.
     
  16. bnelly855

    bnelly855 Registered Member

    Joined:
    Jun 11, 2005
    Posts:
    2
    I seem to have a major problem here. I have the same blue screen problem. But when I boot up my computer an Explorer window immediately appears with the message that "This program has performed an illegal operation and will be shut down. If the problem persists, contact the program vendor." When I close the window another one immediately reappears. With this window up I cannot access any of my anti-virus or anti-spyware programs, I cannot access the start menu, and I can't open anything! I'm sure I could more closely follow the previous posts and eliminate this problem if I could just have some range of use on my infected computer. Please......if anyone can give me some advice I'd be most grateful.
     
  17. bnelly855

    bnelly855 Registered Member

    Joined:
    Jun 11, 2005
    Posts:
    2
    I don't know what any of the following means but it may help someone who knows how to solve my problem. If I click on "Details" on the Window mentioned in my previous post I get the following:

    "EXPLORER caused an invalid page default in module OLE32.DLL at 0167:7ff21a32"
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,909
    Location:
    Texas
    bnelly855

    Best course of action is to post a hijack log as noted in post 61.
    This trojan is constantly changing.
    Wilders no longer analyzes logs, so the best course of action would be to post at a forum that does do logs.

    https://www.wilderssecurity.com/showthread.php?t=75890
     
  19. GGeorgge

    GGeorgge Registered Member

    Joined:
    Jun 12, 2005
    Posts:
    3
    Hello,

    I have big time trouble with this thread. I have been reading and following all the posts in this and other forums. I just can't seem to find all these files and keys you guys talk about.....no trace of WP.exe or .bmp, sites.ini, Security Iguard, Virtual Maid, msmsgs.exe, hhk.dll, Zloader3...or any other file that was mentioned, but yet I have the same symptoms, the blue screen and then the black screen. The only thing I experience that nobody else seemed to is that I keep on getting a "windows explorer has encountered a problem and needs to close...." message with the option of sending or not sending the error report. This box keeps on opening a few seconds after I close it and jams everything. I tried all the anti spyware programs and nothing works....Can somebody please help, thanks
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
  21. GGeorgge

    GGeorgge Registered Member

    Joined:
    Jun 12, 2005
    Posts:
    3
    Thank you Pieter, unfortunately I had seen this page before and I tried to follow the instructions but it just doesn't apply because I have no trace of any of the mentioned files. But yet I got the same blue page, and even the black page appears for a few seconds. I can't kill any of the mentioned processes because they just don't appear in any of the logs or even in task manager. I guess I might've caught a new variant of the virus. Thanks anyways

    Ggeorgge
     
  22. Davy C

    Davy C Registered Member

    Joined:
    Jun 13, 2005
    Posts:
    2
    Hi

    My mate has received this virus/trojan, he tells me he is getting the blue screen as described earlier by other users. However when he tries to clear it - it just bounces straight back up again, he is unable to get ctrl-alt-del to work. He has tried safe-mode but no difference.

    Any ideas, I was thinking of opening in dos and deleting the wp.exe file and then trying to open.

    Thanks

    Davy C
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Davy C,

    Your friend has to get rid of all the running processes associated with this.

    Deleting the background or changing the desktop will have no lasting effect whatsoever before you get rid of those.

    Regards,
     
  24. Davy C

    Davy C Registered Member

    Joined:
    Jun 13, 2005
    Posts:
    2
    Thanks for the reply

    We are a bit new to this, but our main problem is that we cannot do anything in windows as it is blocked out, by this bouncing back up every time he tries to close it. Or is there a way around this, I have not seen the computer I am going on what I am told on the landline.

    If we start using the F8 step by step is there anything that we should be looking for?

    Any help is really appreciated.

    Thanks

    Davy C
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Use Killbox on the files as outlined in the first post here:
    https://www.wilderssecurity.com/showthread.php?t=75890
    Also use the smitfraud.reg posted there.

    If that does not enable you to work on that machine, you really need to post a HijackThis log on one of the forums that handles those.

    Regards,

    Pieter
     