Trojan-Spy.HTML.Smitfraud.c


80 replies to this topic

#1 60jasp

60jasp

  • Members
  • 45 posts

Posted 25 August 2005 - 08:00 PM

Where do I start!

Computer runs Win'98. I have the dreaded Blue Screen with the following message:

Security Warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
* System can not function in normal mode. Please check your security settings.
*Scan your PC with any available antivirus/spyware remover program to fix the problem.

On top of this message I also get error message:
Explorer
This program has performed an illegal operation and will be shut down.
If the problem persists, contact the program vendor.

This error message doesn't worry me as much as the Blue Screen.

Let me tell you what I have tried so far:

* Have been talking on Microsoft forums, have been given numerous things to try,
but nothing works.
* The Blue Screen will not be moved by 'dragging down' OR 'Ctrl Esc' OR
'Alt Spacebar M' OR 'Arrow keys'.
* Can not get 'Start' by any method.

Therefore:
* Can not download any antivirus removal program, OR run any type of scan.
* No, there is not a task bar and when I press Ctrl Alt Del at the same time
to start the Task Manager, there is not a tab or button for 'New Process'

I have:
* read pages and pages of solutions
* downloaded and copied HijackThis.exe to a floppy

BUT none of this helps if I can't get beyond this Blue Screen so that I can start a fix.

Hoping desperately that you can help!



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 28 August 2005 - 12:08 AM

Hello 60jasp and welcome to the BC HijackThis forum. Unfortunately, without a HijackThis log there is not a lot that we can do at this point. We must be able to see what is going on with the system to determine what to do.

What about Safe Mode? Can you boot to Safe Mode and then run HijackThis from there? That is not the best option because it doesn't show us enough information to develop a fix from but it could be a start. If the machine can be booted to Safe Mode then a better scanner to use is WinPFind along with HijackThis. WinPFind will give us a better look at more information in Safe Mode than HijackThis does so let's try that.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 60jasp

60jasp
  • Topic Starter


Posted 28 August 2005 - 05:43 AM

Thanks 'Old Timer' for replying.

I should have mentioned that I have already tried Safe Mode but I still can't make anything work.

Am I missing an important step?

Also, don't know if it is relevant but when I start up the computer it seems to repeat itself. For instance, after pushing F8 and I'm given the various options, I use arrows to start in Safe Mode. I then get the Windows 98 screen, but instead of going to my desktop, it then goes back to the black screen that you get after pushing F8, and then continues into safe mode.

I don't know anything about DOS, but should I be trying to intercept at this stage?

Desperately need help with this computer! Too many kids fighting over one computer at the moment.

Thanks

#4 OldTimer

Posted 28 August 2005 - 11:57 PM

Hi 60jasp. Unfortunately, like I said earlier, if you cannot get into any Windows mode to get a scan done then there is not a lot that we can do. We need to have a glimpse of what settings and files are on the system and without it we don't know what has to be fixed and/or removed. At this point we don't even know if there is an infection and what it is.

You could try a repair install to see if it can get you to a Windows desktop. I don't know if it would work or not. If there is an infection it will not remove it, but it might be enough to get a desktop to run the scanners from. You can check out the directions here: http://www.windows98.windowsreinstall.com/

That's about all the advice that I can give to you at this point. Otherwise the machine will probably require a complete wipe of the hard drive and reinstallation.

Cheers..

OT

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 29 August 2005 - 11:04 AM

Let's start over. So that we are all on the same page: you start your computer in safe mode, and it attempts to start, but seems to go back to the boot options menu, starts safe mode, etc. and loops like this?

Then when you try to boot into normal mode, you get your error background on the desktop but explorer.exe crashes and you never get your desktop?

Unfortunately the task manager in Windows 98 does not have the ability to launch a new process or start a program from it like the later versions of windows do which is why that is not working.

Get back to me with the confirmation to these questions and we will continue trying an alternate method. A lot of this may be redundant but I want to make sure I know exactly what is going on.

#6 60jasp

Posted 29 August 2005 - 08:17 PM

Thanks 'Grinler'

Whether or not I am starting in Safe Mode or Normal, it loops only once.
Then it goes straight to the Blue Screen with Security Warning message and couple seconds later I get the Explorer error message on top of that. I can get rid of the Explorer error message but that's as far as I can go.

As mentioned, I cannot get Start by pushing the Window key, I cannot drag down this blue screen (in any direction), when I push Ctrl Alt Del there are no tasks for me to close and there is not a Processes button.

It does not respond to the CDRom or the Floppy from this page.

In other words, no matter what button(s) I push I get no response.

Perhaps I should take to it with an axe!

Getting desperate now.

Hope you can help.

#7 Grinler

Posted 30 August 2005 - 01:06 PM

Ok I am assuming that you have access to another computer, as you have been posting here. I will need you to create a boot disk to proceed with the next steps. You can find a tutorial I just made on how to create a boot disk here:

How to create a floppy boot disk in Windows

Follow the instructions here to make a boot disk.

Insert the floppy you just made and download the following files and save them onto the floppy:

http://www.bleepingcomputer.com/60jasp/scan.bat - You may need to right click this link and select save as to download it to the a:\ drive.

http://www.bleepingcomputer.com/60jasp/zip.exe

Now go to the problem computer and insert this floppy and start your computer with the floppy inserted. It should boot up into a command prompt.

Type scan.bat and press enter.

When it is done, it will say Scan Complete. Now take this floppy to another computer that works, and post as a reply to this topic the contents of a:\scan.txt

Also upload the backup.zip file at the following address:

http://www.bleepingcomputer.com/submit-malware.php

This is a lot to do, so please do not hesitate to ask any questions that you may have during this process.

#8 60jasp

Posted 30 August 2005 - 07:56 PM

Ok
I inserted Boot Disk in stuffed computer and typed scan.bat and pressed enter.
It then said 'File not found'
The computer talked for a while then said
'This program cannot be run in DOS mode.'

The computer that is working runs XP. Does this make a difference when I made the Boot Disk? I do have a Microsoft Win 98 Boot Disk.

Thanks for your time.

#9 60jasp

Posted 30 August 2005 - 08:03 PM

This is the contents of scan.txt at this stage:

explorer.exe and wininet*.*

Volume in drive C has no label
Volume Serial Number is 0C3F-1101
Directory of C:\WINDOWS

EXPLORER EXE 180,224 04-23-99 10:22p
1 file(s) 180,224 bytes
0 dir(s) 371.30 MB free

Volume in drive C has no label
Volume Serial Number is 0C3F-1101
Directory of C:\WINDOWS\SYSTEM

WININET DLL 589,312 07-17-05 12:33a
1 file(s) 589,312 bytes
0 dir(s) 371.30 MB free
--
--
Files Found
--
--
oleadm.dll
wp.bmp
ole32vbs.exe
sites.ini
popuper.exe

#10 Grinler

Posted 30 August 2005 - 08:38 PM

Ok...you are infected with what may be a new strain of smitfraud as there have been some reports of behaviour like what's happened to you.

You can delete zip.exe, scan.bat, scan.txt, and backup.zip if they exist on the floppy. Now download the following files to the floppy:

http://www.bleepingcomputer.com/60jasp/smitscan.bat (may need to right click, save as on this)

http://www.bleepingcomputer.com/60jasp/wininet.dll

Once they are downloaded to the floppy, put the floppy back into the problem machine and reboot with it inserted.

When at the command prompt, type a:\smitscan.bat and press enter.

This will back up some files for me and replace your possibly infected wininet.dll with the newest uninfected copy.

When it is done, it will tell you. You should now remove the floppy and reboot. If you can now get to your desktop, download the following file to your desktop:


http://www.bleepingcomputer.com/files/reg/smitfraud.reg


Once downloaded, double-click on the file and allow it to merge the information.

Reboot your computer and tell me how it went.

#11 60jasp

Posted 30 August 2005 - 10:51 PM

Bad news!

After typing smitscan.bat and enter.
7 files were copied, 6 Bad command or file name, 1 File not found, and
c:\windows\wp.bmp not found or copied.

When I rebooted, I was back to the BLUE SCREEN !!!!! and the Explorer error message.

Please don't give up on me.

#12 Grinler

Posted 31 August 2005 - 08:21 AM

I will not give up on you. I am heading into the office soon and will give you the next set of instructions. Btw, what is a good time to bang through this, because we are doing about one response per day and I am going away on Friday for the weekend and don't want to leave you hanging. Is there a time that you can be by the computer and we can start really going back and forth with various instructions until we get you cleaned up?

If you see this before I get you the new instructions, please download scan.bat to the floppy again and run it when booted off the boot disk. Then post as a reply the resulting scan.txt that will be found on the floppy.

#13 Grinler

Posted 31 August 2005 - 11:09 AM

Ok let's do this:

Download scan.bat again and save it to the floppy:

http://www.bleepingcomputer.com/60jasp/scan.bat

Next download the following two files (these are from fully patched clean win98 se) and save them onto the floppy:

http://www.bleepingcomputer.com/60jasp/explorer.exe
http://www.bleepingcomputer.com/60jasp/wininet.dll

If it prompts to overwrite any files on the floppy, let it do so.

Start the computer with the bootdisk.

At the command prompt type:

scan.bat and press enter

Then type ren scan.txt scan1.txt and press enter

Then type ren c:\windows\explorer.exe explorer.old and press enter.

Then type copy a:\explorer.exe c:\windows and press enter.

Then type ren c:\windows\system\wininet.dll wininet.old and press enter.

Then type copy a:\wininet.dll c:\windows\system and press enter.

Keep track of any errors. The ren commands should just give you back the prompt without any output if they worked. The copy commands should say something like 1 file copied.

Now type scan.bat and press enter.

When that's done, type the following commands as well:

copy c:\smitback\c.txt a:\ and press enter
copy c:\smitback\system.txt a:\ and press enter
copy c:\smitback\windows.txt a:\ and press enter

Reboot and post the contents of scan1.txt and scan.txt as a reply to this post.

Submit the files a:\c.txt, a:\system.txt, and a:\windows.txt to http://www.bleepingcomputer.com/submit-malware.php

Finally reboot your computer and tell me if it's any better.

I know these are a lot of commands, so be patient and careful as you type them. As this is a new variant, it is potentially going to get more frustrating before it gets better, as we clean this up together.

Edited by Grinler, 31 August 2005 - 11:13 AM.
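
The command sequence from post #13 above, collected into one batch file that checks the clean copies are on the floppy before touching C: and puts the original back if a copy fails. This is an added example, not part of the thread and not the scan.bat the post links to; it assumes a boot from the floppy with scan.bat, explorer.exe and wininet.dll saved on A:, and that scan.bat writes a:\scan.txt and the c:\smitback listings the post refers to.

```bat
@echo off
rem Added example, not part of the original thread or of the scan.bat it links to.
rem Assumes: booted from the floppy, with scan.bat, explorer.exe and
rem wininet.dll saved on A: as post #13 describes.
a:

rem Stop before touching C: if a clean replacement is missing from the floppy.
if not exist a:\explorer.exe goto missing
if not exist a:\wininet.dll goto missing
rem Stop if an earlier run already left .old backups; do not overwrite them.
if exist c:\windows\explorer.old goto hasold
if exist c:\windows\system\wininet.old goto hasold

rem First scan, kept as scan1.txt for comparison with the second one.
call a:\scan.bat
ren a:\scan.txt scan1.txt

rem Swap explorer.exe, keeping the suspect copy as explorer.old.
ren c:\windows\explorer.exe explorer.old
copy a:\explorer.exe c:\windows
if not exist c:\windows\explorer.exe goto undoexp

rem Swap wininet.dll the same way.
ren c:\windows\system\wininet.dll wininet.old
copy a:\wininet.dll c:\windows\system
if not exist c:\windows\system\wininet.dll goto undodll

rem Second scan, then collect the listings post #13 copies from c:\smitback.
call a:\scan.bat
if exist c:\smitback\c.txt copy c:\smitback\c.txt a:\
if exist c:\smitback\system.txt copy c:\smitback\system.txt a:\
if exist c:\smitback\windows.txt copy c:\smitback\windows.txt a:\
echo Done. Post scan1.txt and scan.txt, then reboot without the floppy.
goto end

:undoexp
echo Copy of explorer.exe failed, restoring the original.
ren c:\windows\explorer.old explorer.exe
goto end
:undodll
echo Copy of wininet.dll failed, restoring the original.
ren c:\windows\system\wininet.old wininet.dll
goto end
:missing
echo explorer.exe or wininet.dll is not on the floppy. Nothing was changed.
goto end
:hasold
echo A .old backup already exists on C:. Nothing was changed.
:end
```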


#14 60jasp

Posted 31 August 2005 - 06:57 PM

Thanks Grinler. Just got both your messages.

Unfortunately I'm trying to fix this problem in between 4 kids and a busy week. Sorry I can't set aside a particular time. I really appreciate your efforts and will have to just slog it out when you're available.

I will do as you have asked and get back to you hopefully soon.

#15 Grinler

Posted 31 August 2005 - 08:38 PM

Ok ... I fully understand. Just wanted to make sure that was ok with you. When you have a chance get back to me with the results of above.



