Trojan-Spy.HTML.Smitfraud.c and Blue screen

Discussion in 'Malware Help (A Specialist Will Reply)' started by Andrea, Apr 25, 2005.

  1. Andrea

    Andrea Private E-2

    Re: Trojan-Spy.HTML.Smitfraud.c

    Chaslang, I have run Spybot and Norton AntiVirus, and I even tried to follow your advice to nv178177 but I can't seem to fix the problem. My desktop is blue and it says "

    Security Warning

    A fatal error in IE has occured at 0028:C0011E36 in VXD VMM <01> +
    00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

    *System can not function in normal mode.
    Please check you security setting.

    *Scan your PV with an avaliable antivirus / spyware remover
    program to fix the problem

    "

    When I right click on my desktop and select properties I only get two tabs "Screen Saver" and "Settings".

    Please if you (or anyone else) could help me I would really appreciate it thanks for your time
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Trojan-Spy.HTML.Smitfraud.c

    Andrea,

    You should be posting this problem in your own thread not in http://forums.majorgeeks.com/showthread.php?t=60473

    I'm moving you to your own thread.

    Did you complete all the steps in the Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal?

    If not, please do so to the best of your ability and let me know any problems you have trying to do them.

    If you have completed the sticky thread, and you still have a problem, perform the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Andrea

    Andrea Private E-2

    So I did everything on the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" page and I still have the same blue background with the same warning. Here are the results of my scans:

    Trend's found and deleted 18 files
    Symantec found 2 files; I quarantined them with Norton and then deleted them
    Stinger found nothing
    AdAware found and deleted 291 files
    Spybot immunized 2264 files (could not enable permanent blocking of bad addresses in IE)
    CW Shredder found and deleted 1 file
    Kill 2 me found nothing
    about:Buster found and removed 2 random key entries
    HSRemove found and removed 12 items

    I have posted my hijack this log as an attachment

    Thanks!
     


  4. Andrea

    Andrea Private E-2

    I think I was in safe mode when I ran HijackThis the first time, so I ran it again in normal mode. Here is the correct HJT log, sorry.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please download and install Erunt. Use it to create a backup of your registry. We will have to do some registry editing at a point so it is best to do the back up first.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Look in Add/Remove Programs for the below and uninstall if found:
    SecurityIGuard or Security IGuard

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    c:\wp.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\wp.exe
    c:\wp.bmp
    c:\windows\web\desktop.html

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
    Now post a new HJT log. And tell me how things are working.
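
The check described in the post above (which of the listed HijackThis lines are actually present in a log), as an added Python example that is not part of the original thread. It goes slightly beyond the post by also flagging any O4 Run entry whose executable sits directly in a drive root, as c:\wp.exe does; the sample log, the ExampleApp entry and all function names are constructed for illustration.

```python
import re

# Lines the helper asked to select in HijackThis, copied from the post above.
FIX_LIST = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"R3 - Default URLSearchHook is missing",
    r"O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe",
]

# Constructed sample log for illustration; not the attachment from this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example\app.exe"
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
"""

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe(\s|$)", re.I)

def _norm(text):
    # Compare case-insensitively and ignore spacing differences.
    return " ".join(text.split()).lower()

def parse_entries(log):
    """Return (section_code, detail) for every HijackThis result line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def check_fix_list(log, fix_list=FIX_LIST):
    """Map each fix-list line to True if it is present in the log."""
    present = {_norm(f"{code} - {detail}") for code, detail in parse_entries(log)}
    return {item: _norm(item) in present for item in fix_list}

def root_run_entries(log):
    """Return (value_name, command) for O4 Run entries launched from a drive root."""
    hits = []
    for code, detail in parse_entries(log):
        m = RUN.match(detail) if code == "O4" else None
        if m and ROOT_EXE.match(m.group(2).strip('"')):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for item, found in check_fix_list(SAMPLE_LOG).items():
        print("FOUND  " if found else "absent ", item)
    print("Run entries in drive root:", root_run_entries(SAMPLE_LOG))
```

The drive-root check is a review heuristic only: a hit means the entry deserves a closer look, not that it is malicious.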
     
  6. Andrea

    Andrea Private E-2

    First, I would like to thank you for your time.

    This is what I did
    SecurityIGuard or Security IGuard not found

    c:\wp.exe not running

    not found:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    found and fixed:
    R3 - Default URLSearchHook is missing
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

    Booted into safe mode
    not found: c:\wp.exe or c:\windows\web\desktop.html
    deleted: c:\wp.bmp

    Ran Ccleaner deleted 2.38 MB

    I am running Win XP so I deleted all the files in c:\windows\Prefetch

    Rebooted in normal mode and added fixwp.reg to my registry

    My desktop is now solid black and all of the tabs are back, thanks so much. Here is my latest HJT log.

    I have no idea how this happened so maybe you could give me some advice on how to prevent it from happening again, it would be greatly appreciated...Thank you!!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean now. You should complete the steps in the below link to help keep it that way:

    How to Protect yourself from malware!

    Make sure you install a firewall and then disable the one in Win XP SP2 as it does not provide sufficient protection and you must only have one firewall.

    Not sure where you picked this up. It is typically a matter of where you surf, what you download, what you click yes to etc. Also make sure you read the license agreements of anything you are installing before you install them. You would be surprised how many of these agreements even tell you that there will be some other baggage installed.
     
