
trojan problem



#1
Tu_mater

Ok I hope someone will be able to help me with this problem.

Now, this problem is not on my computer, but it is on my buddy's computer and I am not currently at his house. However, I have been over there and checked out what was going on and I got nowhere with it.

Currently I cannot get IE to run on his computer because when you click the shortcut or the actual target it says the same thing. Something like: either the file has been moved or doesn't exist OR you do not have clearance to access this file.

The larger problem however is the blue background that says an error has occurred in IE and it is called Trojan-spy.HTML.smitfraud.c. When I first got onto his computer his desktop would load and all of the icons were present, so of course, thinking this was a "normal" virus/spyware/Trojan, I ran the gauntlet of spyware programs (Norton, AdAware, Microsoft AntiSpyware). When I ran these programs I found a few threats and deleted them (to get some of them I had to boot into safe mode); however, when I rebooted in normal mode I found that I had somehow made something worse, because when Windows restarted I didn't get Windows Explorer. I remember the names of the two main files that I deleted, and they were: SMSSU.EXE and Tmntsrv32.EXE, and both were located in the C:/windows/system32 folder.

Because I am not able to access the internet from his house I was hoping that someone could give me some general information on what to do to remove this threat and if there are any programs that might be able to help me.

I am at the end of my freshman year of an Information Technology degree so I have about that much technological knowledge, if that will help you to know what level I am on compared to you smart people.

Thanks a lot to anyone who can help me with this problem


#2
Tu_mater

Ok sorry for the new post but edit didn't work.

I think it is important to note that I don't think that I will be able to add any programs to the computer, because I can't get the desktop icons or even the start menu to load up. I do have a jump drive that I could download the programs to but I don't know if it will let me install it through task manager.

However, even if I do get that HijackThis program to run I won't be able to post the log of it here.



*NEW*
I have just found out that my friend's dad has a laptop that we can use to connect to the internet so that I will be able to post my logs if that will help.

Edited by Tu_mater, 03 May 2005 - 07:05 PM.


#3
Metallica

Copy the part below into Notepad and save it as unhko.reg

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{60371670-81B9-4d06-9C42-4DEC1AABE62B}]

[-HKEY_CLASSES_ROOT\TypeLib\{4947DDCC-D549-4D0B-9685-AA58B20E9642}]

[-HKEY_CLASSES_ROOT\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ATLASSstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SEHLPstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

[-HKEY_CLASSES_ROOT\BHOASS.BHDP]

[-HKEY_CLASSES_ROOT\BHOASS.BHDP.1]


Double-click the file and confirm you want to merge it with the registry.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the Killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\Windows\explorer32dbg.exe
C:\Windows\iexplore_dbg.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
After the reboot run HijackThis again and check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
Then run HijackThis again and check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll

O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE

Reboot once more and post a new HijackThis log.

Maybe you can put the file I made and Killbox on a floppy and take it to the infected computer. You should be able to get back on the net once you have performed the actions above.

Regards,
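
A pre-merge review of a deletion-only .reg file such as unhko.reg, as an added example that is not part of the original post: it parses the REGEDIT4 text, confirms that every section is a [-key] deletion, and labels what each deletion touches. The sample input is constructed from three of the post's entries plus one value-setting section added here to show a rejection; review_reg and classify are names chosen for this example.

```python
import re

# Constructed sample: three deletion entries copied from the post's unhko.reg,
# plus one value-setting section added here so the review has something to reject.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{60371670-81B9-4d06-9C42-4DEC1AABE62B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ATLASSstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[HKEY_CURRENT_USER\Software\Example]
"Placeholder"="constructed"
"""

HIVES = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
IFEO = "\\image file execution options\\"

def classify(key):
    """Label a registry key path by the area of the system it belongs to."""
    low = key.lower()
    if IFEO in low:
        # An IFEO key can hold a Debugger value that makes Windows start
        # another program in place of the named image.
        return "ifeo:" + key.rsplit("\\", 1)[1]
    if low.startswith("hkey_classes_root\\"):
        return "com"
    if "\\internet explorer\\main\\" in low:
        return "ie-main"
    return "other"

def review_reg(text):
    """Return (deletions, problems) for a file that should only delete keys."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    deletions, problems = [], []
    if lines and lines[0] == "REGEDIT4":
        lines = lines[1:]
    else:
        problems.append("missing REGEDIT4 header")
    for ln in lines:
        m = re.fullmatch(r"\[(-?)([^\\\]]+)\\(.+)\]", ln)
        if not m:
            problems.append("not a key section: " + ln)
        elif m.group(2) not in HIVES:
            problems.append("unknown hive: " + ln)
        elif m.group(1) != "-":
            problems.append("creates or edits a key: " + ln)
        else:
            key = m.group(2) + "\\" + m.group(3)
            deletions.append((classify(key), key))
    return deletions, problems
```

An empty problems list means the file does nothing except delete whole keys; any ifeo: label names an executable whose launch redirection is being removed.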