[backtomono74]

Hi, i'm new to the board and i hope someone can help. I recently had the blue screen and warning of smitfraud.c trojan. I deleted the wp.exe and wp.bmp files and changed hex values in 'regedit' which got rid of the blue screen.
Now i'm left with a black screen with WARNING! YOUR'E IN DANGER as a desktop which gives a link to bogus antispyware. I also have the yellow triangle warning in the bottom right corner. I have done several scans with adaware and spybot but just can't seem to get rid of this. I would really appreciate anyones help with this !

My HijackThis Log is as follows:


Logfile of HijackThis v1.99.1
Scan saved at 16:37:36, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\declan\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AC0D15C8-68E8-46C9-85A3-7D3879E82277} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AC0D15C8-68E8-46C9-85A3-7D3879E82277} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thankyou for your time BACKTOMONO74

[Advertisements]

Hello and welcome to Geeks To Go.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Delete the following file

C:\wp.exe

Boot into normal windows.

I noticed that you have HiJackThis running in a temp folder on your computer. I would suggest you move it to a more permanent location, in order for HiJackThis to keep its backups somewhere they wont be deleted if you clear your temp files. Just follow the instructions below to give HiJackThis a new home.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Open HiJackThis and click Scan. Place a check next to this entry.

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

Close all open windows except HJT and click Fix Checked. Then close HiJackThis.

Right click Here and select Save As to download Grinler's smitfraud.reg file. Please save the file somewhere you can find it like on the desktop. To run the reg file, double click on it and allow it to merge with your registry.

After that reboot and post back with a fresh HiJackThis log and let me know how thing worked out.

ScHwErV

[ScHwErV]

Hello and welcome to Geeks To Go.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Delete the following file

C:\wp.exe

Boot into normal windows.

I noticed that you have HiJackThis running in a temp folder on your computer. I would suggest you move it to a more permanent location, in order for HiJackThis to keep its backups somewhere they wont be deleted if you clear your temp files. Just follow the instructions below to give HiJackThis a new home.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Open HiJackThis and click Scan. Place a check next to this entry.

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

Close all open windows except HJT and click Fix Checked. Then close HiJackThis.

Right click Here and select Save As to download Grinler's smitfraud.reg file. Please save the file somewhere you can find it like on the desktop. To run the reg file, double click on it and allow it to merge with your registry.

After that reboot and post back with a fresh HiJackThis log and let me know how thing worked out.

ScHwErV

[backtomono74]

Hi,
have tried to reboot in safe mode but all that keeps happening is that i'm getting a black screen with white writing at the top and bottom saying safe mode. I can't move on from here as i've no start menu. Hoe do i delete c:\wp.exe from this stage ? Sorry, but i've never had this kind of problem before. Thanks backtomono74

[ScHwErV]

If you hold down Ctrl and hit Esc, does that bring up your start menu?

If that doesnt work, does the Windows Key still bring up the start menu?

ScHwErV

[backtomono74]

Hi ScHwErV, the windows key does nothing, but 'ill try Crtl and Esc now and i'll get back. Thanks Backtomono74

[backtomono74]

No nothing happening ScHwErV. Just the black screen with four safe modes in each corner and the operating system across the top.
Any ideas ? Can i not delete c:\wp.exe in normal mode ? How do i find it as i've looked in windows explorer to no avail. It was on Windows task manager when the blue screen was up and i jsut ended the process. I thought i'd deleted it then mmmmm... just wish i could get rid of this black warning screen. I can delete from the displaydesktop web tab but it just keeps on coming back.

[ScHwErV]

You can try to delete it in normal mode. Give it a shot and see what you come up with. If not, we can do it another way.

ScHwErV

[ScHwErV]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.