Smitfraud.c trojan

Discussion in 'malware problems & news' started by rbw91, Jul 26, 2005.

Thread Status:
Not open for further replies.
  1. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Hi there,

    I have looked at the thread here for info on this trojan as I have a friend who is infected by it.

    I run XP, so no problems there, but I have been asked to help remove this infection.

    He runs Windows 98, and I am not familiar with that platform.

    Does anyone have some suggestions, taking into account the Windows 98 user platform, to help me out?

    thanks
     
  2. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    Run a free HouseCall scan from Trend Micro; it will find and repair it. www.trendmicro.com You have to access the scan with Internet Explorer.
    Or the spyware scan in the lower right corner is excellent.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Did you notice the second part of this post?
    Starting with Windows 9X/ME (without Ewido)
    That should work for Windows 98.

    Regards,

    Pieter
     
  4. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Thank you for the replies on this. I have tried to look at this earlier today and unfortunately it seems to be more complicated than anticipated.

    If I boot normally then I get to the desktop but no desktop icons are present. The windows toolbar at the bottom of the screen, with the "start" button etc is there but cannot be accessed or pressed. You sometimes get the hourglass, but that is it.

    I boot into "safe mode" and I see the desktop icons, but the same problem occurs. Nothing can be activated or accessed.

    I think the computer is completely buggered, but thought I would ask the question anyway. Even in "safe mode" nothing will work

    I went round armed with Kaspersky AV, CWShredder, Adaware, SpywareBlaster, SpywareGuard and SpyBot S&D on a CD ready to run in "safe mode" but could not even get into "my computer".

    Ctrl+Alt+Del gives me the equivalent of task manager without the running tasks (it just tells me what is running). I get the following:

    spoolserv32 <------- which will be the printer driver o_O?
    Mdm <--------------- not sure about this.
    windows (not responding) <--------- herein lies the problem methinks.

    Any suggestions? I have already recommended a reload assuming that I get no joy on here.
     
  5. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    You need to restore your system to a time when it was running normally by restoring the registry. On the shutdown screen, restart in MS-DOS mode;
    a c:/ prompt will be there. Type scanreg\restore and it will bring up the registry checker. Click on a date other than today where it says Windows started normally, then reboot, and your registry will be fresh again with no errors.
     
  6. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Ok, the problem was that the only way to get the PC to shut down was via pressing Ctrl+Alt+Del at the same time, offering me an option of "end task", "shutdown" and "cancel", and the 3 running programs detailed above.

    There was no "restart" button.

    However, if I were to boot the PC up pressing F8 in order to get to "safe mode" but chose a different one of the 6 options (cannot remember what all of them were) but chose one that went to the MSDOS mode - if I were to do that and type "scanreg\restore", followed your instructions and then rebooted normally I would be able to get into "safe mode" and apply all of the above programs?

    He currently runs Norton - which I always think is a mistake - I use AVG but read that Kaspersky kills this infection. Any recommendation on AV once I have killed this off?

    As I said, I cannot even get into the PC at present so if the above works then thank you very much indeed.
     
  7. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    Well, I had Norton on my Windows 98 system and it made everything crawl to a stop. If you got into your PC with the restore, I would highly suggest running AVG Free and getting rid of Norton... for some reason Norton locks up and ruined my PC. If all else fails you might have to reformat the drive and start over.
    But to be honest with you, Norton is to blame for all this.
     
  8. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    Let us know if you get Windows to run normally again. An expert should be by soon to assist you further with this problem.....
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Press CTRL + ALT + DEL to start Task Manager.

    Click the Applications tab and then click the new task button.

    Type regedit.exe into the box when it pops up and press ok.

    This is going to start registry editor.
    Navigate to this key: (The registry left pane is a tree just like Windows Explorer is a tree. Clicking the + in front of each successive key will open the branch until you reach the final destination.)


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

    Right click on explorer.exe in the left pane and click on Delete from the menu.

    Then go down to this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iexplore.exe

    Highlight Iexplore.exe in the left pane and look in the right pane for this Value:

    Debugger

    Right click on Debugger in the right pane and click Delete from the menu.

    Close the registry.

    Back in task manager, click the New Task Button again.

    Type Explorer.exe and click ok.

    Regards,
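
Added example, not part of Pieter_Arntz's post and not code from this thread: the steps above remove entries under `Image File Execution Options` for explorer.exe and Iexplore.exe. A `Debugger` value under such a per-image key makes Windows NT-family systems start the named program in place of that image. This Python sketch lists those values from a text export of the registry; the function names and the sample export are constructed for illustration.

```python
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

# Constructed sample export; the Debugger paths are placeholders, not real IoCs.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\PLACEHOLDER\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iexplore.exe]
"Debugger"="\"C:\\PLACEHOLDER\\other.exe\" /x"
"DisableHeapLookaside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"="0x00000000"
'''

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")  # [key] or [-key] (key deletion)
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="string"

def unescape(s):
    # Undo the backslash escaping that .reg files apply to names and string data.
    return re.sub(r"\\(.)", r"\1", s)

def find_ifeo_debuggers(reg_text):
    """Return [(image, debugger_command)] for Debugger values directly under IFEO."""
    prefix = IFEO.lower() + "\\"
    hits, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            deleted, path = key.groups()
            sub = path[len(prefix):] if path.lower().startswith(prefix) else ""
            # Track only live per-image subkeys such as ...\explorer.exe
            image = sub if sub and "\\" not in sub and not deleted else None
            continue
        val = VAL_RE.match(line)
        if val and image and unescape(val.group(1)).lower() == "debugger":
            hits.append((image, unescape(val.group(2))))
    return hits

if __name__ == "__main__":
    for image, cmd in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{image}: Debugger = {cmd}")
```

Exports headed `Windows Registry Editor Version 5.00` are UTF-16 files, so decode them to text before passing them to `find_ifeo_debuggers`.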
     
  10. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Hi Pieter,

    Thanks for the help. I do not recall seeing that option when I did the Ctrl+Alt+Del button. I do not think that it gave me the option of choosing "applications" otherwise I would have had a look in there.

    Whilst you are the expert and I am not, are you certain that on Windows 98 I am able to do this?

    Moreover, if I cannot, are there any other options available other than the one mentioned by beefcarver?

    I assume I need to select "command prompt" following pressing F8 as the PC is booting?
     
  11. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    I think he thinks you're running Windows 2000.... Can you get to a c:/ prompt?
    I might have the / or \ wrong but that's the correct command. Scanreg/restore or scanreg\restore: this will restore the registry to a time when it was running normally and will allow Windows to run again.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  13. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Guys, I am really appreciating your help. I have not gone round yet to try to fix it, but just wanted one thing clarifying if that's OK?

    The following is copied from your latest link Pieter:

    Under normal circumstances, Windows is capable of detecting and recovering from registry errors automatically. If Windows is incapable of this, a previous copy of the registry can be restored manually. Windows makes and stores a backup of the registry when you start your computer successfully each day. By default, five previous copies of the registry are stored.

    Now we may have tried starting the machine more than 5 times since this infection - on rebooting and what have you. Does this mean that on Windows 98 the previous 5 restore points available will also be infected?

    Sorry for being so quizzical - it's just that I would like to have everything clear in my mind before going round saying that I may know how to fix it......
     
  14. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    In fact. I think I have my own answer..........

    It says "successfully".

    Now then, does a successful boot to a screen where explorer.exe is not responding count as a successful boot o_O??

    Maybe I have just posed that question again!
     
  15. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Not good news I am afraid. I tried to roll back the registry as mentioned above but it simply said "operation failed".

    Therefore no further progress in getting this PC back up and running.

    This is Windows 98 - a platform I am not familiar with really. Does anyone have any further tips on how to remove this infection from this really quite knackered PC?

    Booting normally gets as far as the desktop but no icons show and whenever you try to press start - or anything else - it just hangs. Booting into Safe Mode shows the desktop icons but then exactly the same happens.

    I really do not know what to do - any ideas anyone? Please?
     
  16. WinAntiVirus_Guy

    WinAntiVirus_Guy Lurker

    Joined:
    Jun 14, 2005
    Posts:
    5
    Our Knowledge Base article on how to remove Smitfraud.c trojan from your computer. Look through it, it is not complicated.
     
  17. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Thanks for the reply, but that is not helping me out at the moment I am afraid.

    Firstly the system is Windows 98 and the link you provide does not tell me which platform it is for.

    Furthermore, if you see my comments in this thread, you will see that I am unable to gain access to the computer whatsoever, so will need a solution using command prompt or something like that to restore some life to the PC before I can start running anything like the solution you suggest.
     
  18. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Can anyone help?

    The computer is completely locked out and I need to get it going again, if possible by using command prompts to bypass the infection, before I can run the antivirus, anti-spyware and everything else.

    Thanks in advance if you can. :)
     
  19. zhenalv

    zhenalv Guest

    hi, i think i'm encountering about the same problem with my xp. if i log in normally, only my background shows up, no icons, no taskbar, nothing, even ctrl-alt-del doesn't work, only my mouse can move about.

    if i enter using safe mode, no icons appear too.
    if i enter using safe mode with cmd prompt, i can call explorer, but the moment i click on anything, everything hangs.

    i'm totally lost, the only thing i can do is use my cmd prompt. tried to use the regedit as suggested, but the explorer and Iexplore are not there.

    Can anyone help? before i shut down my comp, the Smitfraud message appeared and psguard and the mssearchnet page too. before i could finish scanning, the comp hung and that's that.

    Really appreciate any advice that i can get. Thanks!
     