8 Posts

May 8th, 2005 03:00

Trojan-Spy.HTML.Smitfraud.c help!

I have a Dimension L500r running Windows 98 SE.  When I try to boot up, I get a blue screen indicating an error caused by the above.  I don't get to my desktop.  When I hit control alt del, it shows no programs running.  The same thing happens when I try to boot up in safe mode.  I can't figure out how to run any programs or get to any of my files, so I can't run my anti-virus software.  Any suggestions?  Thanks in advance for your help. 

5 Journeyman • 15.6K Posts • 45K Points

May 8th, 2005 09:00

this is a very common, and nasty, problem, also known as Trojan.Desktophijack. 
You can read all the details (and highly technical removal instructions) here:
 
however, you might be better off getting some help from the Dell HiJackThis forum:
Download the latest version of HJT(hijackthis) (version 1.99.1) from

http://majorgeeks.com/download3155.html

you must create a separate folder and place it there.... people commonly use C:\HJT.   Note:  do *NOT* use a TEMP folder, nor a DESKTOP folder, as HJT will be generating log files and backup files in the folder from which it is run... you risk accidentally losing these if you use a TEMP folder, and you will generate extreme clutter if you use a DESKTOP folder.

The file above comes as a compressed .ZIP file... you have to UNzip it (hopefully, you have an UNzip utility built into your Windows Explorer).

After Unzipping, double click on HiJackThis.EXE

Click on  Do a System Scan and Save a LogFile

This will automatically open NotePad

Copy the entire file from NotePad:  EDIT/SelectAll, EDIT/Copy

Then go to the new forum dedicated for HiJack This logs (**NOT** back here), and  PASTE the results there:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

Be sure to include a detailed description of any problems/errors/warnings you are encountering.

Hopefully, one of the HJT experts will get to it as quickly as possible.

 

WARNING:  HiJack This is a VERY POWERFUL tool.  Do *NOT* do anything else (in particular, do NOT use it to delete any entries) until you are advised to do so!!   Improper use of this tool can severely damage your system.

 

8 Posts

May 8th, 2005 13:00

Thanks for the advice.  However, I can do nothing with my computer.  I get the blue screen and I literally can't do anything, open any files or run any programs, so I certainly can't download any software.  Any advice on how I can accomplish any of that, with the blue screen just sitting there?

5 Journeyman • 15.6K Posts • 45K Points

May 8th, 2005 13:00

i'm gonna see if i can get someone else into this thread to advise you further....

8 Posts

May 8th, 2005 13:00

Thanks.  I don't seem to be able to do anything with my computer now.  Can't even boot in safe mode without getting that fake blue screen.  Also, an Explorer.exe error window pops up.  When I do control-alt-del nothing seems to be running.  Thanks in advance for any help you can provide.

4 Apprentice • 8.8K Posts

May 8th, 2005 15:00

eniblick,

I don't work problems here as a rule without a log. I will post the standard fix for the Smitfraud trojan.

If you can get it to work it should clear up your problem. Not seeing a log, I MAKE NO GUARANTEES:
Let's try and clear up the Smitfraud problem first.

Open this link and save it to your desktop in Notepad.

Smitfraud Fix Reg File


  • After you have saved it to your desktop, double-click on the smitfraud.reg file
    on your Desktop. When it asks if you want to merge the information, allow
    it to do so.

  • Reboot and you can now change your desktop properties back to the way you
    want to. If you have trouble with some settings, click on the Themes tab
    in the display settings and change the theme to Windows 2000 to
    use the default settings


  • Now post a new log and see if that Smitfraud has disappeared?

    Then post a new log and we will go from there.

    Steve


8 Posts

May 8th, 2005 15:00

Thanks also for the advice.  However, I can't do anything with my computer.  I can't download, I can't open any files, I can't run any programs.  All I get is the blue screen (I'm writing this from a different computer).  Can you please provide steps as to how  I can get some access to my computer's desktop to start the process you describe?

5 Journeyman • 15.6K Posts • 45K Points

May 10th, 2005 12:00

eniblick,
 
since i've never personally had this particular infection on my system, it's difficult for me to understand your exact predicament.   all that i know, from reading many other posts in these forums, is that the "fix" suggested by zbestwun seems to have worked for most people.  i'm not exactly sure why/how they could do it, when you seem unable to do so....  
 
this may not be the solution... but let me at least ask you this:...  when you boot up... i realize you get the blue screen rather than your normal desktop....  but do you at least have your START button available?   if so, can you run any programs from there?
 
in particular, if you can access/run Internet explorer from there, you should be able to download the "fix" zbestwun indicated.  
 
and if you can access/run Windows explorer, you can run the fix from there.
 
(note:  if for some reason, you can run Windows explorer but not Internet Explorer, you can go to your other computer, download the "fix" there, copy it to a floppy, bring the floppy to the bad pc, run Windows Explorer to access/run the "fix" from the floppy.) 
 
hope this may help
 
 

8 Posts

May 10th, 2005 12:00

I don't even have a start button.   Just the blue screen and an Explorer.exe error box that pops up.  I literally can't do anything with the computer from the blue screen, nor can I boot up in safe mode.  I can boot up in DOS mode, but I don't know what I can do from there.

8 Posts

May 10th, 2005 13:00

Steve,

This is almost exactly what I am getting, with a couple of small differences.  My screen says "Please check you security settings", not "Please check your security settings".  My screen says "... to fix the problem" not "... to fix this problem".  And it says "Trojan-Spy.HTML.Smitfraud.c" in place of [name of program/file].

The blue screen takes up the entire screen.  Hitting the Windows button on the keyboard does nothing.  Right clicking on the screen does nothing. 

 

 

4 Apprentice • 8.8K Posts

May 10th, 2005 13:00

That fix that I posted, as you will see from my other logs, is the FIX for the Smitfraud trojan.

If in fact that is what your problem is, that should have cleared it up but I see you say it hasn't.

I am not sure what is going on?
A log is at this point a necessity for me to continue with you.

At this point I am totally flying blind and just don't feel comfortable doing that.
If you can give me a log somehow, that will help.

As far as the blue screen you are still getting, is it a small blue screen with writing on it? If so, what does the writing say?

Steve

5 Journeyman • 15.6K Posts • 45K Points

May 10th, 2005 13:00

eniblick,
 
based on what zbestwun has said, perhaps maybe you have more than one problem (Smitfraud, PLUS something else)... or perhaps you don't really have Smitfraud?
 
here's the message you should be seeing if it's Smitfraud... please confirm that this is exactly what you're seeing.... if not, let us know.
 
 
Security warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) +
00010E36. Error was caused by [name of program/file]
* System cannot function in normal mode.
Please check your security settings.
* Scan your PC with any available antivirus / spyware remover program to fix this problem.

 
if it really is, i think there MAY be a possibility that we can run zbestwun's fix from DOS... at least, we can try.   be advised, however, that doing so can be very risky.   that is, if something goes wrong, the worst case scenario is that you won't be able to boot up your PC (in which case, you'll then have to hope you can still reformat and reinstall windows).  however, given your current situation, it might be worth the gamble.  your call on whether you want to try a potential DOS fix.

5 Journeyman • 15.6K Posts • 45K Points

May 10th, 2005 15:00

eniblick,
 
unless someone else has another suggestion, there's nothing more i can do here.   i tried testing out the DOS idea i had, but unfortunately, i wasn't able to get anywhere with it.   sorry.

2 Intern • 5.9K Posts

May 10th, 2005 23:00

This is Ron.  I was asked to see if I could help. I think the following will work to get you a bit further.
 
On your other computer go to
 
 
and get the UnHookExec.inf  file and save it to a floppy. 
 
Also copy HijackThis.exe to the same floppy but name it HijackThis.com.  Move the floppy to the sick pc but don't insert it yet.
 
Boot the other PC into Safe Mode Command Prompt:
 
F8 to boot to Safe Mode and then select command prompt.
 
at the DOS prompt type: 
 
cd \windows
copy explorer.exe explorer.com
copy regedit.exe regedit.com
edit win.ini
 
the Edit window should appear.  Find the line where it says:  run=
and make it say:
 
run= explorer.com
 
Then Alt, F,  X then Y  (and maybe one more Y)
 
Now exit or Ctrl + Alt + Del and reboot into normal mode.
 
It should bring up Windows Explorer.  View, Folder Options, View, Uncheck Hide File Extensions of Known Types and Under Hidden Files, check Show All Files.  OK
 
Insert the floppy.
 
Use Windows Explorer to navigate to the A:\ and double click on HijackThis.com (If it doesn't say HijackThis.com then right click on it and rename it.)
 
Does it run?  If so Save the log to the floppy.  If you see wp.exe down in the O4's then check it and Fix Checked.  IF you can't get it to run then navigate down to C:\ and delete wp.exe.
 
Then find C:\Windows\ and doubleclick on regedit.com
 
find HKey_Current_User->Software->Microsoft->Windows->CurrentVersion->policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)
Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.
 
You can also right click on the UnHookExec.inf file and select Install which might fix the registry problem so it will boot normally but we may have to kill off the other malware first or it will flip right back.
 
Ron
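
Added example, not part of the original thread: one way to check, from the second computer, what WIN.INI will auto-start and whether the Policies\System key still holds values after the steps in the post above. It assumes WIN.INI and a `regedit /e` export of the Policies branch were copied off the sick PC on the floppy; the sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample: WIN.INI as it would look after the run= edit above.
SAMPLE_WIN_INI = """\
[windows]
load=
run= explorer.com
"""

# Constructed sample: REGEDIT4 export of the Policies branch.
SAMPLE_REG = """\
REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"NoDispBackgroundPage"=dword:00000001
"""

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

def winini_autostarts(text):
    """Return (setting, program) pairs from run=/load= in the [windows] section."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() in ("run", "load"):
                # Several programs may be listed, separated by spaces or commas.
                found += [(name.strip().lower(), p)
                          for p in re.split(r"[ ,]+", value.strip()) if p]
    return found

def policy_values(reg_text, key=POLICY_KEY):
    """Return the value names a REGEDIT4 export lists under `key`."""
    current, names = "", []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == key.lower() and (m := re.match(r'"([^"]+)"=', line)):
            names.append(m.group(1))
    return names

if __name__ == "__main__":
    print(winini_autostarts(SAMPLE_WIN_INI), policy_values(SAMPLE_REG))
```

Anything on `run=` or `load=` other than the entry added on purpose, or any value still listed under Policies\System after the key was deleted, is worth including with the log posted for the helpers.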
 
 
 
 

May 23rd, 2005 09:00

Hi there,

 

I'm having the exact same problem but there doesn't seem to be any fixes!!

When I logon to the pc, the egg timer sits there and all I can do is Ctrl, Alt+Del and Popuper.exe is running loads of times and I cannot terminate them.

Has anyone a fix out there?? Have you got any more updates on this?

All I can think of is running the Windows CD repair and see if I can go from there.
