
help w/ smitfraud.c trojan


  • This topic is locked
33 replies to this topic

#1 smarks

smarks

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:55 PM

Posted 07 July 2005 - 06:08 PM

I have been infected w/ the smitfraud.c trojan and cannot perform any functions. I have XP Home, and once I select a user, I get the error message "Explorer.EXE - Application error" and then the BSOD indicating the security warning. I have searched for other posts and have read about downloading hijackthis, etc., but I cannot even see my desktop, etc. to be able to download anything. I have tried running in safe mode, etc., but cannot seem to get around this. How can I scan my system w/ spybot, ad-aware, or mcafee when I cannot seem to get my PC to do anything?

Thanks in advance,
Spencer :thumbsup:


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:55 AM

Posted 07 July 2005 - 07:18 PM

Hi Spencer... Ok, let's try something first..
Start up your system in safe mode.. Log in and close the errors you get.
Your desktop will be black, actually everything will be black. The only thing you will see is safe mode written in the corners of your screen.
Now press CTRL-ALT-DEL together and tell me if your taskmanager opens.
That's what I want to know. If that works, then we can deal with it and find a solution for you. :thumbsup:
Let me know. :flowers:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 smarks

Posted 07 July 2005 - 08:30 PM

Thanks for the reply. :thumbsup:

Yes, I can open the task manager. The processes running are as follows:

taskmgr.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

I don't know if you needed the above info, but I thought that I would include it. Any ideas?

Thanks again for your help w/ this pain in the @ss!

#4 miekiemoes

Posted 08 July 2005 - 04:16 AM

Great.. now we can fix it.

We'll need to transport some files from the computer you are now posting from to your infected computer.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on CD or floppy or USB stick.

On your infected computer, boot again in safe mode and open your Task Manager again.
Now use the CD or floppy or USB stick where you saved the smitrem folder and put it in the appropriate drive (CD-ROM drive, floppy, USB..) on your infected computer.

In your Task Manager, click 'applications' (first tab)
Click new task
Click browse
Now browse to the drive where your floppy, USB stick or CD is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right-click on the smitrem folder and choose: Copy
Now browse via Task Manager to My Documents or Program Files.
Right-click somewhere in there and choose Paste
Now open that smitrem folder you just copied and pasted and click:
RunThis.bat
Choose open.
In that window where it says 'Create new task', click OK
Normally, you'll have to drag the different windows you'll see to left or to right, because normally they will open on top of each other and you won't see the window that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

When done, in Task Manager, click 'shut down' on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a HijackThis log in your next reply.

Edited by miekiemoes, 08 July 2005 - 04:18 AM.


#5 smarks

Posted 08 July 2005 - 09:43 AM

Ok, I did as you suggested and copied the smitrem folder and pasted to my desktop, ran the tool and disc cleanup and restarted the computer. I am still continuing to get the two duplicate error messages, BUT I am not getting the security warning message anymore. I do still have the blue screen though. Any thoughts? I have tried it several times with the same results. :thumbsup:

Also, while the process is running, I noticed that there are a lot of lines indicating that certain files cannot be found....are these normal scripts seen when it is running?

Thanks again for your help!

Spencer

#6 miekiemoes

Posted 08 July 2005 - 09:48 AM

Yes, that's normal about the files that are not found.
Try to run smitrem again. Reboot afterwards.
If that doesn't work, look in your C:\Windows\System32 folder and check if there is a wininet.dll present.
Let me know.

#7 smarks

Posted 08 July 2005 - 10:12 AM

I attempted again to no avail. I looked into the System32 folder and there is not a wininet.dll file.

#8 miekiemoes

Posted 08 July 2005 - 10:35 AM

Ok.. that's the cause.. you're missing wininet.dll there.
Hmm.. smitrem normally replaces other copies from wininet.dll to the system32-folder, but it seems like those ones are also missing.
What service pack do you have? SP1 or SP2?
The computer you are now on.. is that also XP Home?

#9 smarks

Posted 08 July 2005 - 10:43 AM

How do I determine the service pack? (sorry for the stupidity!?!) :thumbsup:

Yes, it is XP Home edition as well.

#10 miekiemoes

Posted 08 July 2005 - 11:03 AM

If you're in safe mode with the infected computer, normally it will show you on top (black background where the safe mode is in the corners)

Maybe you can copy the wininet.dll from the system you're on now to cd or floppy or usbstick and put it in the system32 folder again on the infected computer. Normally that must work.

#11 smarks

Posted 08 July 2005 - 04:43 PM

I am running Service Pack 2. I also found the wininet.dll on this work PC that I am now using. Should I copy and transfer that file to the System32 folder of the infected PC the same as I did the smitrem file?

#12 miekiemoes

Posted 08 July 2005 - 04:50 PM

Yes, exactly. :thumbsup:

#13 smarks

Posted 08 July 2005 - 05:49 PM

OK, I had made an oversight and the wininet.dll file was/is there (I was only looking at programs, not all files). Anywho, I ran the smitrem function again, and I again got the explorer.exe - application error. Once I cancel out of those, it is just the blue screen....

#14 miekiemoes

Posted 08 July 2005 - 05:58 PM

Ok, so the wininet.dll was already in the system32 folder before.
That one is infected. Let's first try this...

Go to your C:\Windows\system32 folder (on the infected computer of course) and right-click on the wininet.dll and choose rename and rename the bad wininet.dll to wininet.old
REBOOT

After reboot, look if you have your explorer back.

If not, then you need to use a copy of the wininet.dll present on the good computer (where you're typing from now) and place it in the system32 folder of the infected computer.

#15 miekiemoes

Posted 08 July 2005 - 06:43 PM

If anything is unclear for you or you're in doubt somewhere, please let me know. :thumbsup: