MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: Another smitfraud, except this one is real tricky  (Read 1329 times)
comet_rider
Jr. Member
« on: July 09, 2005, 08:56:55 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: win98
Problem Application Name & Version: smitfraud (what else is new?)
Problem Hardware Make & Model:
Error Messages:


Okay then... I'll skip all the talk about this being a great site and greetings because I've already done those on previous posts and get right to the problem...
It's our old friend smitfraud again... I've fixed one before with the help of my friend, and now it's back. Except this time, instead of just restricting the control panel and putting a blue screen onto the background of my desktop, it produces a REAL blue screen! ><
Okay... starting from the beginning... the one I got rid of before was fixed by deleting all the restriction keys in the registry that weren't supposed to be there and some other ones containing words such as viruses and trojans and ads and so on. A few files were deleted after killing the process (unfortunately I don't remember what they were).
This new one *might* be built on pieces of the old one that we left lying around in my comp, because I was merely on Google searching for some site (and talking on MSN) and then the hard drive started working like ~CRAZY~ and the explorer closed down on its own (my explorer is called MyIE, developed by some crazy programmers, not the usual IE) and after about half a minute, a red X appeared in my task bar and the desktop background was changed to the usual security warning that comes with smitfraud telling you to get some antivirus program, except this time the background was not just a picture (as it was last time); it's web content, meaning I can highlight words and click buttons and stuff. Then I clicked the red X to see what it was (I know I was stupid) and it brought me to this AVgold website saying "buy our AV or do a free scan!", then this other weird icon appeared in the task bar. I ended both of them with Ctrl-Alt-Del but then the comp froze and when I restarted it, the most dreadful part was in evidence.
When the desktop and start menu bar appeared, the illegal process message box also appeared along with it, saying Explorer (which, to the best of my narrow knowledge, was Windows itself) had performed an illegal process. Then when I click close, the desktop and everything refreshes and the message box appears again. This goes on and on and on, then after a LONG while of pressing close, a blue screen appears saying there's a fatal exception OD, and that's it, I can go no further with my computer. If I restart it, which I've already tried, the same thing happens. I'm currently typing this on my OLD computer (32mb ram XD).
PLEASE HELP ME!!!!!!! Important data on that computer!!! (and I'm not just talking about saved games and music and pictures) I'll be SOOOOOOOOO grateful if you can fix the problem, might even donate!
Thank you again!!!!
P.S. It's kinda obvious that I can't get any HijackThis logs off of my comp because I can't even get into the system! But I don't think it's necessary in this case because we already know what we're dealing with........right....? (hopeful look)
{sigh} anyway, thanks a lot, if you can fix it I'll be REALLY REALLY grateful!
Geekgirl
Global Moderator
Hero Member
« Reply #1 on: July 10, 2005, 01:38:34 PM »

Hello comet_rider

Can you boot into Safe Mode at all? (By repeatedly tapping the F8 key until the menu appears).

The hard drive definitely has some issues. I think we should start by trying to get rid of the nasties and then determine if your files are still intact.
This is what I want you to do.
Take out the hard drive and place it in the computer you are writing this from and set it as a slave drive. Make sure to check the jumpers and set them correctly.

Next, scan your PC with both of these free online scanners. They will scan all hard drives, or you can select only the D: drive, which will now be the hard drive you set as slave:
Panda ActiveScan

Housecall. Be sure to check the box beside AutoClean.

Also Download / Install / Update / and Run:
Adaware SE. Check for any updates before running it. You can select what you want to scan with this program also; point it to the D: drive once again.

Place the drive back in the original computer and try to boot. Let me know what happens.
Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
comet_rider
Jr. Member
« Reply #2 on: July 10, 2005, 07:21:14 PM »

Hi!!
Thanks for replying!
Your idea won't work though, because this is an ~~ANCIENT~~ computer; the HD won't work here. I can try it on my friend's computer, but that will be very troublesome and if anything happens to their comp it'll be really bad.
I did, however, come up with a rather absurd idea, but it *might* work... (again, this judgement is made with my pitifully small amount of computer knowledge)
Here's my wild idea: we plant another virus in the comp to race with smitfraud. We can use something like Sub7 and modify it (somehow) to make it run even before smitfraud, so then we can remote access that computer from this ancient one with Sub7 and destroy smitfraud from here (or do it from a better comp so I can back up everything first... this way we won't even have to try to destroy smitfraud, just back up everything and wipe the comp clean!)
This seems like a very wild idea (maybe I'm reading a bit too many mysteries and sci-fi's XD) I know...
The problems are:
1. would this really work?
2. where can I find Sub7 or something similar?
3. how do I modify it to make it become the first program run?

Thanks!!
P.S. If you think the idea is bull (it's understandable) simply ignore it (or use it for your English homework) and suggest something else. Thanks!!!
Geekgirl
Global Moderator
Hero Member
« Reply #3 on: July 10, 2005, 07:27:57 PM »

Can you boot into Safe Mode at all? (By repeatedly tapping the F8 key until the menu appears).
comet_rider
Jr. Member
« Reply #4 on: July 10, 2005, 08:13:07 PM »

Nope... same thing happens... ><
comet_rider
Jr. Member
« Reply #5 on: July 11, 2005, 10:25:26 PM »

Um, is it possible for you to contact someone who might know what to do?? (assuming you gave up because you didn't write a reply)
comet_rider
Jr. Member
« Reply #6 on: July 11, 2005, 10:26:49 PM »

Or can I PM someone myself?
(is that against forum rules?)
Geekgirl
Global Moderator
Hero Member
« Reply #7 on: July 11, 2005, 11:58:40 PM »

I apologize, I do have another life outside this forum. I try to reply a.s.a.p.

I went over this thread again, and you may not be able to save anything if it is that infected.

Did you have professional help removing smitfraud the first time?

Did you have a HJT log analyst look over your HJT log?

Can you post the exact error if and when it crashes?

AVgold is one of the 3 other infections that tend to be linked with, or installed alongside, Smitfraud / Quicknavigate / VirtualMaid infections.

Clicking on the X was a very huge mistake.

The only thing I would suggest that might help you get it up would be a repair installation. But you may have a bad install because of the infection on the hard drive.

If your friend has a good firewall like Zone Alarm it would be safe to install on his as a slave drive as long as he kept his firewall up.
Grab what important data you want and fdisk/format and reinstall 98.
comet_rider
Jr. Member
« Reply #8 on: July 12, 2005, 01:05:34 AM »

Hi!

Thanks for replying, and sorry for pressing for a reply; it's just that I'm not used to life without a proper comp... :S

It sounds like you've come to a conclusive solution.... but I'm going to answer your questions and tell you what I can anyway...

quote:
Did you have professional help removing smitfraud the first time?

Partially... that one was not harmful in the sense that all it did was some access restrictions and an annoying desktop background. I posted something in this section asking for help on some other issues (I think it was homepage lock or something) and I think it was Cactus that got me started. He read my HJT logs and told me what to do (of course I later told him of the not-so-well-known programs which he considered to be hostile, such as the MyIE browser and Kingsoft) and the problem I was asking about was fixed (thanks Cactus). Back then I thought everything - the access restriction, desktop, homepage lock - was just 1 big virus, but then after I got rid of the homepage lock the other problems remained untouched. So I started trying to fix it myself (rather blindly I must admit) and I actually did it! I found out where smitfraud was hidden in the registry (a question here: they call themselves trojans but aren't they technically supposed to not be in the registry?) and deleted it and it went. Then I used some process killer to delete some other files in the "system" folder, not sure if those are related to smitfraud though.

quote:
Did you have a HJT log analyst look over your HJT log?

See above.

quote:
Clicking on the X was a very huge mistake.

I know XD that was stupid... curiosity killed my comp.

quote:
If your friend has a good firewall like Zone Alarm it would be safe to install on his as a slave drive as long as he kept his firewall up.
Grab what important data you want and fdisk/format and reinstall 98.

I've heard... I'm not sure... but I've heard that all firewalls can be easily tricked? I think it was something about putting a specific extra symbol at the beginning of each line of code... I don't know, it's just that it would be my responsibility if the comp broke down...
Is there no safer way?

quote:
AVgold is one of the 3 other infections that tend to be linked, or installed with Smitfraud / Quicknavigate / VirtualMaid infections.

I thought AVgold was a much respected AV!! I think I even read about it somewhere on this site....

quote:
Can you post the exact error if and when it crashes?

The background (NOT the same as the blue screen if I remember correctly):
Security Warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.smitfraud.c

The More Info part for the msgbox:
{the error was at} Explorer at 0107:7rr21a32, OLE32.DLL
-- this is not exactly what it is but the system is in another language so I have to make it as English as possible --
Then a bunch of Registers
Then Bytes at CS:EIP
Then Stack dump.

Thanks again