Need help with smitfraud removal

And oh yeah, if you don't think Microsoft sucks, wait until you get this one. Anybody try to create a simple bootable floppy with XP lately?

Right.

Your buddy has a particularly nasty critter there - one which generally is accompanied by a few other particularly nasty nasties, all of which more or less hang out together and look out for each other. Removal likely is gonna be pretty involved. Doing it wrong can cripple the machine, even to the point of necessitating a full re-install of Windows, with all the headache and heartache that goes along with that game.

Lets get some basic info, and we'll see what we can do.

What operating system is your buddy running?

When you say your buddy's machine "complains about smitfraud and will not come up", just exactly what does the computer say (word for word)?

Does the desktop look like this?


I suspect your buddy's machine boots, but smitfraud has highjacked the desktop. That can be a real teethgrinder, for sure.



Oh, and a plain old Win98 boot floppy will get you into an XP machine so you can fuss with directories and files - its handy if you know which directories and files to fuss with. The Win XP floppy set consists of 6 disks, different ones for Home and Pro - and then there's the Service Packs to consider - but thats another issue.

That's exactly what the screen says Timber. He's running XPSP2, unsure if Home or Pro version.

I did manage to boot into "Safe mode with command prompt" (no other safe mode works), and run a Hijackthis but I have no way to post the log. I also ran Stinger and it found nothing. I installed Ad-Aware from a CD but I couldn't get it to run once installed. Argh.

I'm about to reinstall the whole thing.

Thank god is isn't my machine.

Is there any software/antivirus that will detect and prevent it ?

Well, after following some of the instructions from bleepingcomputer.com, I have managed to get to boot to a black screeen with a mouse pointer instead of the virus message. I guess that's progress.

It won't even boot properly into safe mode - I can only get into "safe mode with command prompt".

Still stuck at the blank screen.

I'm thinking reinstall.

Have you tried Recovery Console?

No, I haven't. Of course I'd have to boot from the XP installation CD as I cannot "Start-Run" anything.

Then what would I do?

It's weird because some programs, like HijackThis, work fine in "Safe mode with command prompt" while others, like MS malicisous software remover and Ad-Aware SE never present a window. MRT.exe backgrounded, ran for hours, and never wrote a thing to the logfile I specified.

I have a feeling that the reason only Timber has responded to this thread is that everyone else who got this Trojan wound up throwing their computer in the trash.

smitfraud drops some registry keys that make it tricky recognize, track down and defeat. Going after it the wrong way can screw up a buncha stuff, including boot.ini, NTLDR, and ntdetect.com. You might wanna try pulling thosefrom the I386 intall disk for SP2, putting them on a floppy, putting the foloppy in place on the problem machine, and trying to boot - might work.

As far as what you can do with Recovery Console - well, you can do just about anything if you want to, including change/remove passwords and permissions. Its particularly useful for replacing corrupted or missing files, and it offers the entire range of registry editing options - it more or less puts you "inside the engine" so you can poke around from the inside.

Oh - BTW - you might wanna take a look at BartPE - set it up right, and what you'll have is a bootable WinXP optical disk, with a few handy tools like antivirus, Ad-Aware SE, Stinger ... pretty much whatever you can fit on the CD/DVD. Windows runs from the optical disk (sorta slowly - but it runs), not from the problem machine's root drive, and it has really good network support which more or less configures itself with very little input from you. One thing its great for is deleting those pesky "in use" files - since the hard drive's OS isn't booted, those files simply are not "in use". I've found it a pretty handy thing to have.

Rats, I tried to use that BartPE thingy and it won't work - says I have to have SP1 or 2003 Server - in all cases I have XP SP2.

That's odd - I use it w/SP2 - sliptreamed the SP2 download into WinXP Home, OEM, which was vintage 2002 out-of-the-box raw, no service packs or updates, works fine. In fact, I've slipstreamed all critical updates into it, I have HJT, Ewido, Silent Runners, MS MAlicious Software Removal Tool, MS Antispyware, McAfee Antivirus, CWShredder, CCleaner, Belarc Advisor, Stinger, and a couple other tools on the disk. I've run it on all sortsa machines - the machine's installed OS is immaterial; it isn't used.

I had a similar problem with my computer. Got a virus, worm of some sort and couldn't get pass the wallpaper on the desk top. Could not get to the desk top. I tried everything, safe mode, windows system recovery from the cd but was not successful.
The only thing I could do to recover the important data from the hard driven was to put it in a different computer as a slave. I was able to read and copy the important info to a cd disk. After all that I then formatted the hard drive and started over with a fresh system.
This is the best way to save your data but if what you have on the computer is not all that important than the best thing to do is reformat you hard drive.

Reformatting works, yeah, but its sorta like building a new house because you've lost your door keys. With the right tools and techniques, most Windows installations can be repaired. On the other hand, the woes to which Windows is prone are precisely why its a great idea to maintain a good external backup routine. If you've got data you don't wanna lose, keep a current copy of it elsewhere than on your machine's root drive - preferably somewhere physically separate from your machine, but at the very least on a distinct partition on your machine's root drive.

OK, I tried Recovery mode from the CD - couldn't figure that out, so I decided to run Setup from the CD and reinstall - lo and behold there is yet another automated recovery option after you run Setup. I ran it - it ran for over an hour - and guess what? The system came back to life! Still, Spyware popping up all over the place, but the system was usable. I was able to get rid of most of the Spyware either manually, or by using both Ewido and Ad-Aware Se. Oddly, Spybot S&D would run and immunize, but when I tried scanning with it the PC crashed and core dumped.

Anyway, lots of good progress and a usable system at this point.

Anybody know anything about Stopzilla!? He bought this software and I'm thinking it may be more hindrance than help. I am planning to install McAfee VSE Home instead.

Thoughts?

When I tried to run the BartPE tool, it asks where the Windows system installation files are. I can't get past that as it says "source files are wrong version".

You are absolutely right timberlandko. If a person can keep a system recovery on a separate drive that would be ideal but unfortunately that wasn't avaliable when I had the computer problem. Now I do a routine backup and did many steps to prevent a computer crash.

The problem with getting the computer to run like new is if there is a virus dug deep into the windows system, it is difficult to get it remove from there. Some of these viruses can reinstate themselves and it is the most annoying thing to deal with. Things that I've read and experience is that the computer can develope what you would call Windows operating system rot. I know that some people do not want to format their hard drive but this will make your computer run faster and more efficiently.

I have three computers, two of which I built, and I'm cautious at what I download for fear of picking up a virus. I've read that some people do not like the McAfee VSE Home. I've always used the AVG anti virus and haven't had a problem with them. I also use Zone Alarm becuase I want to know who is trying to get to my computer. If the ***.exe is not familiar then I do a google search to see what security risk it is. I like the www.liutilities.com site.

What caused the one computer to crash was when my wife downloaded some kind of video download in order to see something. When they splash a screen on your computer, "You can trust this site", that is when I would start worrying. They are loaded with spyware.

I have a pretty fair sized herd of my own, lookman, and tend quite a flock owned by others. Some folks differ, but I like to keep the operating system on a separate partition. Yeah, once in a while, its good housekeeping to reinstall the operating system, and life is so much easier if thats all you hafta reinstall. Good housekeeping as regards general data maintenance also is a good idea; get rid of unused applications and drivers, clean out junk files and the registry, and defrag, all on a regular schedule, keep current on all updates, maintain effective security/privacy software and routines, externally backup everything, including root drive images, and just plain use common sense. Experience, though sometimes cruel, is a great teacher.

cj - I dunno what is causing your grief - just to see, I just built a BartPE disk using a WinXP SP2 retail disk - works fine.