[tim_ezell]

I got hit with smitfraud.c yesterday. Spybot s&d found it, but was outsmarted by it and would not take it out. I downloaded the new MS Beta spyware remover, and it removed it, BUT, left me with the, now blank, HTML page overlaying my desktop. The active part of the trojan seems to have been removed, leaving me with the active HTML page.

I tried the geek squad, the BestBuy boys, and they tried to help, but came up with no other option left but reformatting.

I am a sculptor, not a computer tech. At best a shadetree mechanic.


NO subsequent virus scans find anything any more. What do i do?

[Advertisements]

Please Click here!, and follow the recommendations in the guide.

[phybyr0ptyk]

Please Click here!, and follow the recommendations in the guide.

[tim_ezell]

I tried earlier to download AVG 7.0 but it came in corrupted and was a no fly

[tim_ezell]

OK, i am downloading ad aware. While i do i will try to give you what i have already done.

I got hit and imediately went for my gun. I ran spybot s&d, which found it but the canny thing would recheck itself back on when i tried to turn it off and delete it from startup menu.

So I went to msn and downloaded thier new spyware beta program. It found the trojan, isolated it, and removed all or most of it.

I also loaded a mcaffee disc a friend of mine had on hand, also updating all previous wares i had.

After the ms beta did it's thing, i ran scans with spybot, mcaffee, and the beta again. They all came up clean.

As for functionality, the autodialer was definitely gone, the link on the html page was gone.

It appears the only thing left is the html loader, probably somewhere in the registry.

The Best Buy geek squad and I ran through the system, running the msconfig task manager and shutting off every thing running in that. This was done in safe mode.

On my own i tried to do a registry restore to a previous date, but it was unsuccessful. I presume that what was left of the trojan blocked that as well as blocking the download of the avg software.

The blank html page does not interfere with anything except for not being able to see the picture of my lovely gf on my desktop, which is a true crime.

So far, it all appears clean, so thier conclusion was that the remnant is in the registry and the only solution was a full reformat. The problem with this is, i do not own an xp disc, the computer is second hand and was given to me reformatted by an friend of mine living a thousand miles from me.

i think that about covers my trials so far.

[phybyr0ptyk]

Have you tried to download it directly from
http://www.grisoft.com

AVG, mcaffee is a resource hog

Edited by phybyr0ptyk, 12 July 2005 - 10:50 PM.

[phybyr0ptyk]

I am looking into some registry keys, I will get back to you shortly.

[tim_ezell]

yes, i went right to the grisoft site and tried to dl from there.

And, THANK YOU for helping and for speaking english, because alot of this is all geek to me.

[tim_ezell]

adaware went right into its scan upon updating without any prompt from me.

So far it has found 1 registry key (hilighted in red) and 9 registry values as well as 10 objects and 10 new critical objects.

oh yes, i also, in the midst of all this, downloaded all the security updates for sp1.

[phybyr0ptyk]

OK as far as I can tell XP has a key to automatically save the current desktop.
first we will want to open the registry editor
start--run (type) regedit press enter
navigate through the registry for this key

Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.

Value Name: NoSaveSettings
(if this key doesn't exist right click in the right panel and select Dword Value
name the new key NoSaveSettings typed as seen
next set the value to "1" less the " "
Setting for Value Data: [0 = Disabled / 1 = Enabled]
Exit Registry and reboot

If the "blank is gone we have succedded and you just need to go reset your desktop and then go back to the registry editor and reset the same value to "0" so that XP will once again save your desktop settings.

[phybyr0ptyk]

Let all scans complete before doing the above


and glad to help if I can

[tim_ezell]

adaware finished it's scan. it tagged 10 data miner objects and 2 aol free trials, which i knew about and had ignored

[phybyr0ptyk]

OK do you feel comfortable working in the registry?
please back it up before you start changing anything.
Registry -- export registry file
name it sometning simple and save somewhere easy to find.

[tim_ezell]

ok, i have the registry editor up, i have created a NoSaveSettings string, but how do i set the value?

[phybyr0ptyk]

oh sorry right click the key you created and select modify
set it as posted above hit enter
close the registry and reboot.

[tim_ezell]

there are already 3 strings there, as follows

(default) REG_SZ (value not set)

NoActiveDesktopChanges REG_DWORD 0x00000001 (1)

NoDriveTypeAutoRun REG_DWORD 0x00000091 (145)


and, uhm, how do i back it up?