help needed to remove trojan.spy.smitfraud.c

By laffeg
Jul 27, 2005
Topic Status:
Not open for further replies.
  1. help needed to remove trojan-spy.smitfraud.c

    win xp sp2 home edition - initially got blue screen - have now got rid of that but still getting explorer.exe error and can only run tasks from new task

    safe mode hangs on black screen

    hijackthis log attached

    any help appreciated

    Attached Files:

  2. Panic_MD

    Panic_MD Newcomer, in training Posts: 51

    See if this help? I hope it do.

    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid

    Exit Add/Remove Programs.


    Make sure that you can VIEW ALL HIDDEN FILES.

    Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/



    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\System32\wldr.dll
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\Windows\System32\Log Files
    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard

    Reboot your computer to go back to normal mode.
  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Panic_MD
    you sure you posted in the right thread? Your post has NOTHING to do with his HJT-log!

    Laffeg
    Your smitfraud seems to have gone. HJT will fix some minor issues:

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll (file missing)
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ppc.uksubnet.net/remote/msrdp.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
  4. Panic_MD

    Panic_MD Newcomer, in training Posts: 51

    You know what RBS? I probably did not post it in the right thread, sorry for the inaccurate information.
  5. prog4002

    prog4002 Newcomer, in training

    This might work...

    Go to control Panel, then Internet properties. in the general tab, click settings, and view objects.

    Pay close attention to ones that look like "{00018A84-3478} or something like that. Also ones that have no creation date, unknown status and size, and was never acsessed.

    Right click those and click on properties. if u know u didnt download it, its probably a virus. [some might be from microsoft, {don't delete those}]
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.