[bess]

When windows 98 loads to the desktop a dialog windows appears with the following message, "windows explorer has performed and illegal operation and will shutdown". When you close this windows , another message flash saying that the computer maybe infected by the trojan-spy.html smitfraud.c, the 1st dialog windows then reappears, this windows will not close. You cannot access anything from the desktop, the keyboard does not reponsed to the ctrl alt del command. Tried to boot in safe mode, but the keyboard does not respond, the only time the number lock key on the keyboard is lit is when the computer boots into windows. Also tried to boot to a dos prompt no such luck with out the keyboard. Tried to boot the computer with a windows 98 boot disk still no luck, still do not a have the keyboard to select an option. I am unable to attach a hijack log, cannot access any files or connect to the internet.
I would like to be able to at least reformat this drive if the trojan cannot be removed my any other method.
bess

Edited by bess, 14 July 2005 - 12:16 PM.

[Advertisements]

In the event you cannot download it then you have to use another computer then transfer it to your PC.  If you are not able to run it through desktop or C:\HJT then you have to use the Task Manager, available through CTRL+ALT+DELETE then choose New Task. Locate your HijacThis and run, it must be in NORMAL MODE. Copy all the scans results then post it here.

Do not lose hope, we can still fix it. Reformat should be the last resort. For now it is not yet our option 

[kool808]

In the event you cannot download it then you have to use another computer then transfer it to your PC.  If you are not able to run it through desktop or C:\HJT then you have to use the Task Manager, available through CTRL+ALT+DELETE then choose New Task. Locate your HijacThis and run, it must be in NORMAL MODE. Copy all the scans results then post it here.

Do not lose hope, we can still fix it. Reformat should be the last resort. For now it is not yet our option 

[bess]

As I previously stated I have no keyboard function the only way to restart the system is by a hard shutdown pressing and holding the power button, the mouse works it will allow you to close the open dialog box, but it does not work on anything else, start up button, desktop icon etc.

Edited by bess, 19 July 2005 - 04:02 PM.

[kool808]

Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.

++++++++ N O T I C E ++++++++

This will likely be a few step process in removing the malware that has infected your system.  I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further. Trust me!

Ok let us first try these solutions:

1. make sure you place your keyboard on the correct port at the back of the PC

2. find a known working functional keyboard, borrow it for a while then test it on your machine. If it works then that is good news, that means you had a non-functional keyboard.

3. download this file http://noahdfear.geekstogo.com/click%20cou.../click.php?id=1 from another computer, extract its contents (RunThis.bat <-- located inside its folder) then transfer this file to your PC through a CD or floppy disk.

4. try to boot to safe mode if possible then transfer the file to the desktop. Double-Click RunThis.bat
* You'll see a blue window now.
* Follow the prompts on screen.
* Wait for the tool to complete.

5. If you cannot boot to windows let us try the DOS Prompt mode.
* we need to copy the file RunThis.bat from CD or Floppy disk to this destination : C:\windows\startm~1\progra~1\startup\
* from either CD drive or floppy drive (this will depend on your system) type this :

A:\>copy [SPACE] RunThis.bat [SPACE] C:\windows\startm~1\progra~1\startup\

OR

D:\>copy [SPACE] RunThis.bat [SPACE] C:\windows\startm~1\progra~1\startup\

6. Reboot your computer to NORMAL MODE
* upon startup you'll see a blue window now.
* Follow the prompts on screen.
* Wait for the tool to complete.

Reboot your computer, browse thru Start > Programs > Startup > delete RunThis.bat

We need to delete this since it will be booting up each time we will start the computer.

When Everything is all fine please follow this steps:

• Close all windows, open HijackThis then SCAN.
• Post a NEW HijackThis Log.
• Please tell me how your system is working now.

Edited by kool808, 20 July 2005 - 11:59 AM.

[bess]

I have tried keyboards that work on other machines, I have tried ps2 and usb keyboard with the same results. I have check the plug everything is correct , no bent or missing pins.

[kool808]

Okay it seems that something is preventing you to have access with your keyboard.

Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

This will likely be a few step process in removing the malware that has infected your system.  I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

• find clean computer with a functional floppy drive and an internet access to work on
  
• download this file http://noahdfear.geekstogo.com/click%20cou.../click.php?id=1 extract its contents (RunThis.bat <-- located inside its folder), save it to a place where you can easily remember it. (ie.: Desktop). Do NOT run it yet.
  
• on Windows, open up notepad copy the contents inside this quote then paste it.
  

  @echo off
  copy runthis.bat c:\windows\startm~1\progra~1\startup\
  pause

  
  Save this as autoexec.bat, set the file types as All Files. Save it to the location where you also saved the runthis.bat so it would be easy for you to locate later.
  
• Insert your floppy disk to the drive then follow these procedures:
  

  To create a startup disk in Windows 98

  • Start > Settings > Control Panel >  Add/Remove Programs > Startup Disk tab.
  • Click Create Disk.
  • Follow the instructions on your screen.

  Notes :
  To make a startup disk, you will need one floppy disk with at least 1.2 MB capacity.
  When you insert the startup disk in your computer before restarting, the computer starts from that disk, not from your hard drive.

  Do NOT reboot the computer yet.
  
• Through Windows Explorer, copy these files to your floppy disk ( A:\ )
  • locate RunThis.bat transfer it to the floppy disk
  • locate autoexec.bat that you created, transfer it too in the floppy disk.
  NOW GO BACK TO YOUR INFECTED PC.
  
• reboot your computer, as it boots up continuously press the DELETE key until you came to the BIOS setup screen. (blue background with several settings on it)
  
• find the RESTORE DEFAULTS settings then apply it.
  
• Exit and Save it to CMOS by confirming with it and choose "Y".
  
• now using this floppy disk we created, insert it on your infected computer then reboot your computer
  
• once the copy is successful, remove the floppy disk then reboot your computer to NORMAL MODE
  • upon startup you'll see a blue window now.
  • Follow the prompts on screen.
  • Wait for the tool to complete.
  Reboot your computer, browse thru Start > Programs > Startup > delete RunThis.bat
  

  We need to delete this since it will be booting up each time we will start the computer.

  
  When Everything is all fine please follow this steps:
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.

[bess]

Again I get no response from the keyboard until the system loads the desktop, that is the only time that you can turn the number lock key on. I have tried to boot from a windows 98 boot floppy to boot into safe mode, but I donot not have access to the keyboard to select that option.

[kool808]

That is very odd, I just want to verify. Did you follow the steps in post#6? This should be done from another computer and not your PC. After you have made exactly what all the instructions did not require any keyboard actions. It just needs to insert the homemade boot floppy disk then its all up to the autoexec.bat to execute all the commands.

Please review post#6, secure a PRINT COPY of it then redo it.

Edited by kool808, 21 July 2005 - 04:52 PM.

[bess]

I will go through this process again and let you know.
Thanks

[bess]

I followed your instructions to the letter, I cannot enter the bios because the keyboard does not function. The lights on the keyboard flash and go out, i even left the boot disk in the drive it ignores it and boots from the harddrive, when I put the win98 cd in the cd drive its ask if you want to boot from the cd or the harddrive, but still I cannot select the cd because of the keyboard. This is the error: "A fatal error in i.e. has occured at: 0028:C0011E36 in vxd vmm(01) + 00010e36. Error was caused by Trojan-spy.HTML.Smitfraud.c. System cannot function in normal mode."

[kool808]

Okay I am now doubting that the malfunction of the keyboard seems to be coming from the port, a hardware problem. I still have to verify this after we can run the RunThis.bat.

I just want to verify, did you said you inserted the Win 98 CD? Can you please review the instructions in post#6, it was stated to make a HOMEMADE STARTUP FLOPPY DISK (This is the 1.44MB small square disk) with our homemade autoexec.bat and the RunThis.bat both inside it.

[bess]

Sorry, for the confusion, I was just letting you know that I had tried using the cd rom to boot the computer. I did indeed follow your instructions, I made a boot disk, and added the two bat. files. I even tried to get this machine to generate keyboard error, by not plugging in the keyboard, it does not. Will get the error if I leave the mouse unplugged. By the way I have also tried a usb keyboard, same results.

[kool808]

Ok let us have some diagnostics.

TEST 1: try to find a clean working hard disk, put that disk on your present system and observe if the keyboard now works.

TEST 2: remove your present hard disk, look for a computer with a good working keyboard, request the owner to test your hard disk on his/her system. Observe if the keyboard works.

Conclusions:

If test 1 fails and keyboard does not work, let the technician repair your system it might be hardware related. If test 1 succeeded that means that your harddisk has some infections trying to prevent us from using the keyboard.

If test 2 succeeded that confirms test 1 results that it is indeed hardware related. If test fails then it also confirms test 1 results that it is indeed infected.

Let me know how it goes. Good Luck!

[bess]

Since your last post this is where I am, I can now use the keyboard. I disconnected the harddrive and booted the system from a bootdisk, keyboard works fine when this is done. Reconnected the harddrive and tried to boot from the floppy, floppy is the 1st boot. The system does not boot from the floppy it bypasses it and boots into windows. How can I even reformat this drive?

[bess]

Finally I have been able to get the windows 98 cd rom to boot, it give me the option to boot from the hard drive or boot from the cd. I booted from the cd to the F5 option to boot to safe mode, this give me an a prompt, I was able to fdisk the drive and I am now reloading my operating system. Thanks for all your help I would have really like to have saved my documents (consider this one closed) Thanks again.