[Alex K]

Hey Guys,
great website you got going here, it helped me out quite a couple of times. Now I have a little problem though that I can't seem to solve on my own this time. I'm another victim of the "smitfraud.c" trojan. I tried to solve it the exact way " the user "Pele" been helped out - (topic: trojan-spy smitfraud.c solved"). I downloaded all the required programms but for some reason I can't open hijackthis. everytime a click on the folder there's only the dynamite icon showing which doesn't start anything when I click on it. My questions: how can I open it correctly and is it possible to solve the smitfraud problem, the exact same way as descriped in User "Pele's" thread? Or is this a individual guide suited to his particular trojan only?

thanks a lot in advance and keep up the good work.

[Advertisements]

Under Review

[RKinner]

Under Review

[Alex K]

Hi Ron, thank you so much for your quick reply, your time is really appreciated.

Unfortunately I couldn't apply all the steps given by you because when I rebooted my computer I was tapping F8 all the time but it simply did not react at all and booted just as usual. Since I'm a first time XP user I don't know any other way to reboot it into the safe mode.
I also tried to select 'start' - 'run' and typed del/f/q c:wp.exe anyways without being in safemode and it stated "wp.exe access denied". What shall I do? I'm lost.

Edited by Alex K, 24 April 2005 - 09:01 PM.

[RKinner]

Under Review

[nathan1314]

I have this trojan-spy.html.smitfraud.c problem. i have searched the web without much help. I found this site and this thread is this the best way to solve this problem right now?

[ScHwErV]

nathan1314

Please see this thread - http://www.geekstogo...?showtopic=2852

Also be sure you read the forum rules.

Do not post your problems into other open logs saying "I have the same issue, here is my log" etc. This is too confusing for everyone involved.

Alex K

Sorry for confusing your log with this.

ScHwErV

[Alex K]

Hi, no problem the only thing that's confusing me right now is my very own computer itself...

Alright, I've downloaded killbox successfully put it on my desktop, opened it and typed c:\wp.exe into the box and pressed the red button and yes. It said file deleted. Hope everything works out fine from now on. So what's next?

[RKinner]

Under Review

[don77]

Hi Alex and welcome
I m going to be helping you out here,

Lets get a look at the HJT log please,

everytime a click on the folder there's only the dynamite icon showing which doesn't start anything when I click on it

Double click on it

Click Here
Its an easy to follow tutorial for HJT,

Post back a log for me please,

Thanks
Don

[Alex K]

Hi Don,

How you doing, buddy? Thanks for helping me out. I have created a folder on my desktop and I "extracted all" into that particula folder. Again I tried to double click on the dynamite Icon but no window opend at all. Am I doing something wrong while extracting the hijack zip file? I checked out the link ("Quick start" introduction) you provided for me but I just can't figure out what I'm doing wrong...

Thanks again for your help, man your time and effort are really appreciated.

Edited by Alex K, 27 April 2005 - 05:22 AM.

[eireanninion]

Please refrain from replying to topics in the malware forum until you have been traind at GeekU
Thanks
Don

[don77]

Hi Alex,

Your welcome.
Please take your time and review each step as needed, If you have any questions at all, just ask, We are here to help.
with that said

Please see this Topic
Run through steps 1 and 2, After you have completed those see if you can open HJT please,

Let me know
Don

[Alex K]

Hi Don,

I really tried everything the last week but it just doesn't seem to work out. Everytime I try to download one of the programs you linked me to, the download stops at 50% and a message appears stating the" connection to the server was reset" I tried downloading each and every program from the page you refered me to - same deal every time, after 50% it stops downloading. What shall I do?

I feel kinda akward because everytime you guys give me instructions there's something new coming up but I hope we'll manage to fix it eventually. Sorry about the hassle.

Thanks again guys.

[don77]

OK Alex lets try some manual removal,

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

You said you were able to download killbox,

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.



Next, We need to see if we can atleast download the following
Dowload the following program
CWShredder
It should be the current version, but check for updates
Run Program cwshredder and have it fix anything it finds.
Make sure you click the “Fix” button

If you can't download it on your computer is there another computer you can download from and save it to a floppy and carry ot over to your computer


Let us know how you make out

[Alex K]

Hi Pal, thanks for the quick reply. I managed to download the cw shredder successfully. But what point of your instruction I don't quite get ist: "Open the Notepad file where you saved the file paths earlier". I can't recall having saved any file paths earlier and what Notepad file do you mean?