  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 23074

Smit Fraud Virus

My laptop has been infected with the Smit Fraud virus and I believe I have the virus removed, but I can no longer get to my desktop. I just get a blue window. I can get to the Task Manager and manually execute some Windows commands. I cannot execute Windows Explorer or Browser but I can run Word. Can someone please help!!!!!!
0
Asked by: Hojoformo
1 Solution
 
Aland Coons (Systems Engineer) Commented:
Use F8 at powerup and boot safe mode with networking.

Get out your OS CD and Run from a command prompt (DOS windows)

SFC /SCANNOW

See: http://www.networkclue.com/os/Windows/commands/sfc.php

I also suggest you download and run spyware software (like SpySweeper from webroot.com)
0
 
Rich Rumble (Security Samurai) Commented:
If you're unable to see icons and/or the start bar, then explorer.exe is likely not running. Open Task Manager and go to File... New Task and type
explorer.exe  or if you need the full path try C:\WINDOWS\Explorer.exe
Iexplore.exe will open IE, and you can use it to browse your HD as well if explorer is being killed.

You can actually use Word to browse the internet also: go to File and Open, and type
http://google.com and Word will load Google as a page, and if you type in the search line and click search, you should see a Google page.
-rich
0
 
memoryinmotion Commented:
How did you remove the virus?  Smitfraud is pretty difficult, and involves repairing the registry.  I just got done compiling a removal protocol from several sources - this is what I found worked best:

Before you start, get deldomains.inf from http://mvps.org/winhelp2002/
and a registry fix from http://www.bleepingcomputer.com/files/reg/smitfraud.reg

----
* First of all, set the system to view hidden/system files

** Disable System Restore

*** If you see the following in HijackThis!, it's most likely Smitfraud.c.  Other symptoms include weird display settings, and only having two tabs available in display properties.

1.)  In Add/Remove Programs, remove the following (If possible)

      Security IGuard
      Virtual Maid
      Search Maid


2.)  Try to end the following processes:
      POPUPER
      HELPER
      INTMONP
      MSMSGS
      OLE32VBS
      MSOLE32

      (These may not all be in there at the same time, but they seem to take turns)



3.)  Grab Killbox, and set it to the Delete on Reboot option, and delete the following:

            C:\wp.exe
            C:\wp.bmp
            C:\Windows\sites.ini
            C:\Windows\popuper.exe
            C:\Windows\System32\helper.exe
            C:\Windows\System32\intmonp.exe
            C:\Windows\System32\msmsgs.exe
            C:\Windows\System32\ole32vbs.exe
            C:\Windows\system32\msole32.exe
            c:\bsw.exe

4.) Reboot into safe mode, then kill the following folders:

            C:\Program Files\Search Maid
            C:\Program Files\Virtual Maid
            C:\Windows\System32\Log Files
            C:\Program Files\Security IGuard

      Reboot into normal mode.

5.) Add the SMITFRAUD reg file into the registry by double-clicking and accepting.

      Reboot again.

6.) Fire up HOSTER (from www.funkytoad.com) and hit "Restore Original Hosts".  Then hit the make this "read only" button.  (You could also just remove the 100 or so pieces of junk that are in the LMHOSTS file and write protect that badboy yourself.)

7.) Install DELDOMAINS.INF to remove all the domains the bug puts in the "Trusted Zones" area

8.) Run a cleanup program to get rid of temp files and directories where things like to hide.

Do a remote virus scan (Trend micro has a good one at www.antivirus.com) and when everything comes up all clear, enable the System Restore and set a restore point.

I'm not sure if it's specific to smitfraud, but the LAN connection was disabled in the instance I saw.  Re-enable the LAN Connection, and you should be good to go.
-----

You may have deleted the files and directories already, if your only sign of infection is the screen settings.  Merge the smitfraud.reg with your registry and that should do it.  Don't neglect that hosts file though!

MiM
0
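An added example, not part of memoryinmotion's post or of any tool named in it: a read-only Python check that reports which of the files and folders listed in steps 3 and 4 are still present under a given system root, and whether the hosts file carries extra entries or is still writable. The hosts path is the standard Windows location (an assumption about the install); the sample tree, the address 203.0.113.7 and the name ads.example.test are constructed.

```python
import stat
import tempfile
from pathlib import Path

# Files and folders named in steps 3 and 4 above, relative to the system drive.
SYS = "Windows/System32/"
LISTED = ["wp.exe", "wp.bmp", "bsw.exe", "Windows/sites.ini", "Windows/popuper.exe",
          "Program Files/Search Maid", "Program Files/Virtual Maid",
          "Program Files/Security IGuard"] + [SYS + n for n in (
              "helper.exe", "intmonp.exe", "msmsgs.exe", "ole32vbs.exe",
              "msole32.exe", "Log Files")]
HOSTS = SYS + "drivers/etc/hosts"  # assumption: default install location

def find_ci(root, rel):
    """Resolve rel under root ignoring case, as Windows does; None if absent."""
    cur = Path(root)
    for part in rel.lower().split("/"):
        try:
            cur = next(p for p in cur.iterdir() if p.name.lower() == part)
        except (StopIteration, OSError):
            return None
    return cur

def audit_hosts(path):
    """Return (ip, names) for every entry that is not a loopback localhost line."""
    extra = []
    for line in path.read_text(errors="replace").splitlines():
        ip, *names = line.split("#", 1)[0].lower().split() or [""]
        if names and (names != ["localhost"] or ip not in ("127.0.0.1", "::1")):
            extra.append((ip, names))
    return extra

def check(root):
    """Report listed leftovers and the hosts file state under root."""
    hosts = find_ci(root, HOSTS)
    found = hosts is not None and hosts.is_file()
    return {"leftovers": [r for r in LISTED if find_ci(root, r) is not None],
            "hosts_extra": audit_hosts(hosts) if found else [],
            "hosts_read_only": not (hosts.stat().st_mode & stat.S_IWUSR) if found else None}

def demo():
    """Run check() on a constructed tree: two leftovers, tampered writable hosts."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "WINDOWS", "system32", "drivers", "etc")
        etc.mkdir(parents=True)
        Path(root, "WINDOWS", "system32", "intmonp.exe").touch()
        Path(root, "Program Files", "Search Maid").mkdir(parents=True)
        (etc / "hosts").write_text("127.0.0.1 localhost\n203.0.113.7 ads.example.test\n")
        return check(root)

if __name__ == "__main__": print(demo())
```

Call `check("C:/")` on the cleaned machine, or pass the mount point of its disk when inspecting it from another system; nothing is deleted or modified.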
 
Hojoformo (Author) Commented:
Thanks everyone for your help!  I was able to recover from this virus with your help.  Thanks again!!!!
0
 
thewordthe Commented:
Additional comment may help someone, maybe.

Using the above Expert's recipe I was able to get rid of smitfraud and lots of other malware; it took ages, but thanks.
If you want an Anti-Virus tool that will get rid of it quickly and you don't mind paying for it, the only one I found that could remove it was Xoftspy, do a google search to find download site. It will scan your system for free, but you can't remove unless you register, costs about $40 ??? If you do register, remember that you must install it to your hard drive in order to use the Remove Button as part of Xoftspy Application.

It does seem the best on the market at the moment.

Frankie (the wordthe)
0
