Overall Risk Level: 
TrojanDownloader.xs is a threat name displayed in security warning pop-up messages generated by a rogue antivirus application. The rogue program is installed on the computer without the user's consent, via the Zlob trojan and misleading websites.
Alias: -
Damage Level: Low
Systems Affected: Windows
63 Responses for "TrojanDownloader.xs (trojan-downloader.xs)"
1. Please use SmitfraudFix to remove this threat.
Thanks, SmitFraud works well with my Dell Inspiron, which got infected with trojandownloader.xs. Good job!
THANKS!! Worked great for removing trojandownloader.xs. This is a life saver!!
SmitFraudFix
What If You Don’t Want To Do The “disk cleanup”?
Because I read through the instructions.
Another Question: How Do You Go Back to normal mode afterwards?
Jacob, you may skip Disk Cleanup if you want, but there may be some remnants of the malware inside your machine, particularly in temp folders.
Booting normally is just the usual booting you do when opening your computer. No more keys to press.
It doesn’t show it on my desktop after I go into safe mode…what do I do then? I have tried everything! Please help, before another laptop flies out the window…I’m very frustrated!
Hi, I’ve got the same problem and nothing I’ve downloaded or purchased so far has managed to remove it. Does SmitfraudFix work for Vista?
It shows on my desktop. I tried to change my desktop setting many times but was not successful, and ran antivirus so many times. What do I do then? I have tried everything! Please help, …I’m very frustrated!
I have done the Smitfraudfix and the screen has gone back to normal, however after doing all my scans (AVG 8, Spybot, Adaware) I still get the yellow triangle saying I have been infected with spyware and click here to remove the problem. I still also get the security warning window pop-up stating that I have to download pc cleaner to remove the problem. I don’t know what else to do. Help would be great.
I’ve got the exact same problem as James I think, the little yellow triangle exclamation mark pops up saying warning, I get abebot pop ups and a fake security system protection control panel popping up as well as a fake system integrity scan wizard. I’ve used a whole range of different stuff, but nothing works. I would be grateful for any help on the matter.
I got just the same problem, tried everything:
removing registry values, scanned with spywaredoctor, spybot, avg, norton, I have it all, none works. Even that smitfraudfix doesn’t work. It just keeps on coming back, it’s just frustrating.
Yesterday, 03-29-08, I was hit with several viruses at once. Took me all day, but got them fixed. What happened was:
- “Task manager” was disabled with a message saying “Task Manager disabled by Administrator”.
- Desktop hijacked with a message across it saying the PC is infected, with a popup requiring a click to a link bringing you to a webpage selling garbage spyware, to get rid of the error message.
- Another popup calling itself a “Scan Wizard” comes up every 15 minutes or so.
- A yellow warning triangle on the “task bar” also saying the PC is infected.
What I first did was:
- While I got Norton, I installed PC-Tool antivirus, and it identified and fixed over 600 infections. The above problems remained though.
- Went on the net to look for fixes, but also check to see if I can do a fix without major hassles.
What I finally did was:
- Identified the location in the registry which blocked the “Task Manager”, deleted the entry. Task Manager came back up. I need the “task manager” to do further diagnoses.
- As to the hijacked “desktop”, turns out the virus replaced my wallpaper with its own HTML file. I went to “Control Panel”=>“Display”=>Desktop, then “browse”, and restored the original wallpaper. When I browsed the wallpaper files, I found and deleted the HTML file called “def” (containing the links), so it won’t come back up. So far, it has not reinstalled itself. I realize whatever is activating “def” might be lying around somewhere, unless deleted by PC-tools.
- For the “Scan Wizard”, I found it’s activated by a “process” in the user “startup”, with the executable sitting in Programs=>Windows=>system32 area. What I did was:
– I identified the process via the Task Manager, and the process consists of a “name” generated with random letters and numbers, something like “kkuyzptx”. To see what would happen, I ended the process, and the “scan wizard” went away.
– To see where this process came in from, and prevent it reloading (I have XP), I used the “Startup Control Panel” available as freeware at “www.mlin.net”. I found two startup processes with names that are randomly generated, one the same as what I saw in the Task Manager, and deleted both. Using this freeware, I didn’t have to locate and edit the registries.
– These processes point to two “executables” sitting in “system32” which I already identified. I did so by going into the “system32” directory, sorting the list in “date modified” order, and found the two offending files dated 03-28-08, 8:330PM and 11:30PM, which is when the problem started. As I couldn’t delete these files immediately, I was able to “rename” the files to zzspyware001 and zzspyware002, so the processes can’t locate them. So far so good. I will use some freeware to delete the stubborn files.
– After I did these steps, the “yellow triangle” came up once, went away, and never came back up again. The hijacked desktop is back to normal, and the “scan wizard” is gone.
The cause of the problem was I let my Norton subscription lapse for quite a while. I understand Norton can prevent the infections, but can’t cure it once the PC is infected. It’s since been updated.
I spent a whole day on it yesterday, and hope this post may help others.
This is for the scan wizard problem. I got the “Startup Control Panel” like you said, but I don’t know what to do from there. Is there any other way to distinguish the difference between the processes? And I also keep getting a warning against Abebot. And I’m not sure what this is, but around the same time this all started happening, whenever I open a new tab after searching something in yahoo, I get redirected to another page. If I close the tab and open the same link again, it goes where it’s supposed to. Should I be worried about this? Please help. I can’t screw up another computer!
That abebot, trojandownloader and that exe file are all the same stuff, they come on your screen in a particular order. So I don’t think you can delete one of the problems to fix it. I think you need to delete them all to fix it. But first try malwarebytes. It found some trojans with fake messages which 7 other programs didn’t find, so try to use that.
I’ll try to solve the problem with your steps Frank, I’ll let you know something.
first hack antivirus from pctools:d
mean crack:p
I identified the process: cfshmvmp
but that control panel doesn’t work, I have Vista
I went to the registry and found 3 cfshmvmp.exe keys, deleted them all and the maps they refer to. I will see if it works.
tnx for your help, you killed it!
A few more thoughts on comments above.
- For Gerard, who does not know what to look for in the “startup control panel”, another way to identify the errant process is via “msConfig.exe”, which can be activated by way of “Run” on the start menu. In “msconfig” click the tab that says “startup”, go down the list, look for a suspicious “process”, identified by a name that looks like a jumble of letters.
- Two ways to knock this out. One is editing the appropriate registry entries. The other is through the “startup control panel” I mentioned above. It has several tabs, depending on how the startup took place. I recall it was in the HKCU tab, though you might want to check the others. When you see the process, select, right click, and select “delete”.
- Just to make sure I identified the correct process, I first went into the “Task Manager” to “end the process” just to make sure that it was identified correctly.
- As to Vista, according to the “mlin.net” site, Vista has its own “startup control panel” built in (it’s called something else), but as I wanted to wait for upgrading my machines in the upgrade to Vista, I haven’t used it, so I can’t comment on it.
- I was connected to the internet while downloading PC-tools, updating Nortons, and apparently, the virus resurrected itself twice during that time. So check the startup processes more than once. The virus did not come back in after updating of the virus programs.
- Executables that loaded into the “system32” directory I still have to delete, though they’re rendered harmless by a “rename”, and by eliminating the process that pointed to them. These executables can be easily located if the directory is put into “date modified” order.
- I was a bit leery of loading more software such as “SmitfraudFix”, so I did some detective work on my own, to avoid stuffing my machine with more unnecessary stuff. PC-tools apparently did not eliminate the problem.
- Oliver, glad it worked out for you.
- Gerard, wish you luck.
For Gerard, just press ctrl+alt+del to open task manager, go to processes and there you see all the working processes, do that when the fake screen pops up.
And for deleting the registry keys, type regedit in run as described by Frank and search the keys with the same name as the process that causes the fake pop ups.
Before doing that, always make a back up!!!
smitfraudfix, combofix and another tool didn’t work with me and they screwed up some settings of my pc
norton 360, spyware doctor, avg antispyware, spybot, ad-aware nor superantispyware works for killing that fake pop up
and for renaming some hard to delete files, you can use avg antispyware , use paranoid mode it overwrites files 10 times if i remember correct
I had the same problem with the Task Manager being disabled, with a pop up message saying “Disabled By The Admin”. This is how we solved the problem. Go to the Microsoft web site and follow the directions.
http://support.microsoft.com/kb/913623/en-us It will take you into the registry through a series of folders and then you will come to a folder named System. In the right pane, double click “DisableTaskMgr” and in the Value data box, type O and then click OK. When you first get to the Value data there will be a “1” that has to be changed to a “O”. SEE BELOW
RESOLUTION
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To resolve this issue, set the value of the DisableTaskMgr registry entry to 0 (zero).
Note This registry entry will revert to its original setting, and Task Manager will be disabled again unless one of the following actions is performed:
• The Group Policy setting is changed on the domain.
• The local policy setting is changed on the client.
To set the DisableTaskMgr registry entry value to 0 for a specific user, follow these steps:
1. Log off from the computer.
2. Log on to the computer by using a user account that has administrative permissions.
3. Click Start, click Run, type regedit in the Open box, and then click OK.
4. In the left pane, click the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. In the right pane, double-click DisableTaskMgr.
6. In the Value data box, type 0, and then click OK.
7. On the File menu, click Exit.
8. Restart the computer.
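The manual checks described in the posts above (the policy value that disables Task Manager, the startup entries, and the executables in system32 dated to the time the symptoms began) can be gathered in one read-only pass. The PowerShell below is an added example, not part of the thread or of any tool mentioned in it; the default time window is an assumption to adjust, and DisableRegistryTools (not named in the thread) is the standard policy value behind the "registry editing has been disabled" message.

```powershell
# Added example: read-only triage. It reports only and changes nothing.
param(
    # ASSUMPTION: window around the time the symptoms started; adjust as needed.
    [datetime]$WindowStart = (Get-Date).AddDays(-2),
    [datetime]$WindowEnd   = (Get-Date)
)

# 1. Policy values that switch off Task Manager and Registry Editor.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policy = foreach ($key in $policyKeys) {
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key   = $key
            Name  = $name
            Value = if ($prop) { $prop.$name } else { '(not set)' }
        }
    }
}

# 2. Startup entries in the per-user and machine-wide Run keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startup = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        # Pull the executable path out of the command line (quoted or bare).
        if ($command -match '^\s*"([^"]+)"') {
            $path = $Matches[1]
        } elseif ($command -match '^\s*(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)') {
            $path = $Matches[1]
        } else {
            $path = ($command -split '\s+')[0]
        }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        # Entries without a full path are reported as unresolved.
        $file = if ($path) { Get-Item -LiteralPath $path -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Key       = $key
            Entry     = $name
            Command   = $command
            Resolved  = [bool]$file
            Modified  = if ($file) { $file.LastWriteTime } else { $null }
            InWindow  = [bool]($file -and $file.LastWriteTime -ge $WindowStart -and
                               $file.LastWriteTime -le $WindowEnd)
            # A status other than Valid is a prompt to look closer, not a verdict.
            Signature = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status } else { $null }
        }
    }
}

# 3. Executables and DLLs in System32 modified inside the window, oldest first
#    (the "sort by date modified" check from the posts above).
$extensions = '.exe', '.dll'
$recent = Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32') -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension -and
                   $_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd } |
    Sort-Object LastWriteTime |
    Select-Object Name, LastWriteTime, Length,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }

Write-Output '--- Policy values (1 = disabled) ---'
$policy  | Format-Table -AutoSize
Write-Output '--- Run key startup entries ---'
$startup | Format-List
Write-Output "--- System32 .exe/.dll modified between $WindowStart and $WindowEnd ---"
$recent  | Format-Table -AutoSize
```

A DisableTaskMgr value that returns to 1 after being reset, as several posters report, means something is still running and rewriting it, so compare the startup and System32 lists before touching the policy value again.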
Is anyone working on putting these clowns out of business? There have been some fines and banishment from future spyware scams, but I think putting a few of these creeps away for 5-10 years would be noteworthy and the news would spread.
How did you find the registry entry that enabled the task manager again? What was the entry?
Lynn:
Try this link for further info:
http://windowsxp.mvps.org/Taskmanager_error.htm
The registry entry is:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Frank, thanks a bunch! After following your advice exactly, the pop-ups died instantly. Now I’m only left with a minor problem: the yahoo thing where anything searched will take me somewhere the first time. Any cure for that?
I have Vista. I had a mess; trojandownloader.xs and other nasty stuff. All seems to be gone. I ran smitFraudfix TWICE. Now I don’t seem to get any security issues but at reboot I get 3 RunDLL windows. They state: Error loading C:\Users\David\AppData\Local\Temp\hyGwUmlj.dll; and rqBIBtst.dll; and jklmdlgp.dll. I assume these are remnants of the fix. Anyone know what to do to get rid of these windows at bootup? I’d be so happy.
The triangle went away but my background still changed without requesting……….please, can anyone help me??
I used several of the above comments to aid me in my successful removal of this bug… one additional thing that I think you may find helpful is to open up your task manager (if you have disabled the disable!) and look at your processes…if you were like me…you had a hard time deciding which were legit and which were bogus…go to google and just type in the names of any suspicious .exe files. If they come up totally unknown…they are bogus…some of them even come up as “known trojans/malware”. Go into your “system32” directory and delete or rename those…the other thing I found and deleted/renamed was all files that were modified/created at the time when everything started to go wrong (for me 4/6 at about 3:30).. also make sure you use the link Frank posted for the startup control panel and remove all those again from that..next time you reboot…problem solved…
P.S. Thank you especially Frank and Ray…
I’ve been going through the process of removing a slew of Trojans and this one appears to be among them, but I’m having a problem in that every time I try to use regedit a window pops up saying that registry editing has been disabled by my administrator. I am my administrator. Any ideas?
Deacon:
Refer to the following link for directions re-activating “regedit” at
http://windowsxp.mvps.org/tweakuirest.htm
Ammori:
As to the desktop background, I went to “Control Panel”=>“Display”=>Desktop, then “browse”, and restored the original wallpaper.
The background wallpaper that it was changed to was via a HTML file, replacing the wallpaper that the desktop was pointing to when I browsed, and I then deleted the HTML file.
After I wrote the above posts, I went to MyComputer=>“C Drive”=>“Documents and settings”, then to various user folders, and found numerous “malware executables” starting with “desktop” such as desktopxxxx and desktopyyyy hiding in there. Wish I had copied the names but didn’t, and I believe these are the executables that loaded and “hijacked” the desktop background. The desktop returned to normal when I deleted the infected “HTML wallpaper malware”, so these executables were rendered useless. I deleted them nonetheless.
Thanks Frank
I have followed your idea & it works..
But, I can’t remove the virus in the registry files like trojan.2nd thought_com, 2020search and etc
Frank,
you saved my life.
Okay so I’ve been arguing with the trojandownloader.xs for nearly 24 hours now… I tried Smitfraud three times and every time I ran it, it would tell me that it couldn’t scan a file in the Temp files because it was being used. When I found the file and tried to delete it, it’d say it was being used, and therefore it wouldn’t go away.
My wallpaper’s been wiped, I’m getting the ad-popups and the balloon alerts about how the computer’s been infected with spyware.
I’ve tried reseting the disabletskmgr to zero, but whenever I restart it goes right back to 1 again. I’ve tried deleting the registry, and still I get the alert that the administrator has disabled the Task Manager.
I’ve tried Adaware at least half a dozen times and Scan Spyware as well, but neither are getting rid of the problem. Any idea on what I can do now?
Rachel:
I found the Trojan tried to re-establish itself on my machine a number of times while I was updating my Virus and Spyware subscription, but stopped after I had it updated. The Trojan reloaded several times in the space of two to three hours.
The Trojan is annoying, but does not stop your machine from working.
My suggestion is if you have this problem, and you’re not updating spyware, then temporarily disconnect yourself from the internet. This may explain why you reset the Task Manager, and it gets undone, as the Trojan reloads.
Without the Task Manager, you can do a few things to disable the Trojan such as disabling the executables in “system32”.
I found the “rogue executables” themselves in Windows/system32, and these files do not allow themselves to be deleted (which might be your problem), but I easily “renamed” them, which means when the process activating them comes looking for them, they could not be found.
To easily locate the “rogue file” in Windows/system32, I suggest you sort the file directory in “date modified” order, and when you do this, you’ll find files with the date and time stamp corresponding to the time of the virus infection. If it happened recently, it should be at the bottom when the directory is in date order. Highlight the files, and rename them.
I found the wallpaper problem the simplest to handle. The virus replaced your original wallpaper with its own. What you simply do is go into the “Control Panel”=>display=>desktop, then browse and reset back to your “original wallpaper”, or just to another wallpaper if you don’t remember what the original one is. But make sure you “delete” the “rogue” wallpaper, which is a HTML file containing links to the “virus software” being peddled.
Once you have crippled the Trojan, such as by renaming files, and prevented its reloading, such as by disconnecting from the internet, then you can leisurely reset the Task Manager and delete the processes via the “Task Manager”, and the “Startup Manager” available at http://www.mlin.net.
If you have more than one user set up on your machine, I found when the TaskManager is disabled under one user, it still works for another user. But, if you switch to another user, you’ll have about 15 minutes to work before that gets infected.
Sir .. my pc has been infected by Trojandownloader.xs, please tell me how I can remove that virus …
So I’ve tried many of the steps above, I have tried restoring the task manager using the windows method setting value to zero and restarting, with no luck. Any other ideas there? And while doing all this are you using safe mode, or just running regular windows?
smitfraudfix worked fine for me… and it does work on vista
Thank you very much Frank, Olivier, and Ray.
The trojandownloader.xs seems to be gone RIGHT now.. I had a couple of funny names like the letter exe files you were talking about.
THANK you very much, the spams and pop ups and triangle and FAKE spyware and abebot haven’t come up for about 1 hour!!
IM SO GLAD YOU GUYS WERE BORN IN THIS WORLD. SPECIALLY “FRANK”!!!!
for anyone else who needs help on this virus, please SCROLL up and find all of Frank’s posts!!!
THEY were very helpful!!!
Thank goodness I didn’t have to scan so long.. THANK YOU GUYS..
Not sure if virus is still here
BUT I’ve been able to locate 3 funny letter exe files on the START up control panel thing!! thank you guys. you guys are my heroes!!!!!!
Oliver, thank you so much for the Malwarebytes suggestion!!! I couldn’t believe it but it found nearly 100 items on my system and got rid of them all, including the TrojanDownloader.XS and it was easy to use. The SmitfraudFix never did work.
As the former owner of a small pc repair shop (former thanks to Hurricanes Katrina and Rita) I highly recommend using the Malwarebytes for anyone who has been affected by these malicious attacks. I will continue to use it along with my Ad-Aware and SystemSuites to keep all of my pcs in top performing condition. I can’t thank you enough!! So how about a hug and a KOTC lol (no worries…I’m female *grins*)
The Smitfraudfix worked perfect on my Dell Inspiron to remove the Trojandownloader.xs where nothing else could. Too bad I wasted money on buying two worthless anti-spyware programs. Thanks so much!!!
I would like to thank everyone in this thread.
I caught this super sick virus on May 10th. I felt so helpless. I had to shut the pc down for a few days and try again. I fought with this virus all day yesterday (may 12th) and doing some minor tweaking today.
Smitfraudfix didn’t work for me.
Frank’s steps worked for me, but I had to do them in another order.
I was unable to get task manager back nor my desktop until after everything else was done. (maybe because I gave up trying for a bit.)
I checked the registry and start up. Everything I didn’t recognize I googled on a separate pc. (this virus had me so crippled. Even basic surfing for info about the virus I was redirected.)
I renamed every file I thought was suspicious within my windows folder and System32 folder. (simply added “suspect” behind them). That went to every DLL, EXE, TXT; all files created after the time of my infection got changed. Those that couldn’t be changed I rebooted and came back for them. I had to do all this OFFLINE.
I used that start up tool mentioned in this thread. (www.mlin.net) Very user friendly. Made looking at start up a lot easier.
After all this fighting with the virus I realized I had some room to finally breathe again (little alerts were gone, pop ups gone, virus stopped putting itself back). I tinkered with the desktop,.. surprise! It didn’t turn itself back. Then used that program mentioned above about taskbarfix. It worked,.. and I was able to use it once again. (Yes I kissed the screen when I finally saw it, I had missed it sooo much)
I am not finished messing with the pc. Currently running scans to try and rid myself of the little stuff that may still be laying around.
But i do have a few questions with things that i just cant seem to locate.
At boot up,.. I get 2 errors about rundll.exe attached to 2 files that I had removed from start up and renamed in the folders. How do I stop the errors from showing up?
I still have 2 dll programs that are “currently being used” that I suspect of being part of this madness. I can’t find the roots of them. I don’t know what they are attached to. Any help in this area would be appreciated.
I am not out the woods yet,. But i do see a clearing ahead. Thanks to Frank and Oliver!
I have this downloader virus. If I use my recovery and applications disk and format my hard drive and reinstall vista as it says, will that get rid of the virus??
I have this trojandownloader virus… if I use the recovery and applications disk that came with it to format the hard drive and reinstall Vista like it says…. will that get rid of the virus????? please answer asap if you can.
I just finished restoring my Desktop using the advice of Frank and a couple of others but I had a twist with my restore session. Just before I found this website my internet connection was lost. It looks like I had something called webhancer installed as a third party proxy. It was blocking my network card from connecting and getting an IP address from my ISP. I researched microsoft and found this with the error. http://support.microsoft.com/kb/811259/en-us “How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista” (my symptom was I was unable to release or renew my IP address). I had to use my laptop to update norton and some other software, plus it helped me by removing my hard drive and putting it into an external enclosure and running virus scan from my laptop. I followed the steps in the procedure above and my winsock was fixed and network connection restored. I can now take out the new Network adapter I bought. LOL I had to reinstall Internet Explorer but all others seem to be working great. Thanks to all for the research, it saved me. I deal with servers and VoIP phone systems so I know a little bit about PCs but this saved me a whole lot of crunch time. Thanks again.
For those who are still having this problem, I just faced this problem yesterday, spent the whole day fighting it, in the end, I just formatted my C drive since I’ve been wanting to do that for a while.. but here’s a few good tips for those who are trying to fight it still.
I don’t have the solution to kill the source, but I know how to disable it while you find the solution
1. Taskmanager disabled, but tasklist isn’t,
start -> run -> cmd, at command prompt, type tasklist. It’ll list down all the processes, similar to taskmanager, now the tricky part is knowing which to kill
those with funny names like numbers.. 1067.exe or something like that, you should kill them immediately, there’s at least 4-5 of them I think, some with alphabets.
to kill the task, type tskill [pid]
PID is the process ID, when you do tasklist, you should see the name + process id next to it. Kill all those buggers then your desktop will be quieter while you find the solution
2. DO NOT restart your pc!
Start -> run -> msconfig, under startup section, you’ll notice these exact same things in the tasklist are there too, even if you deactivate them, they’ll still restart at start up. So disable all of them while you backup / find the solution
3) Every pop up that says your system has been infected or something like that, IGNORE them. DO NOT click yes or no! Only the X button on the top right corner, that one I think you can click. All these things are mainly fake messages by the trojan. Even the icon that looks like windows security, that’s fake also. DO NOT click it. Ignore all of them. If your wallpaper changes to something else, DO NOT click the link. Just ignore it, or drag it to the side
4) Unplug your internet if possible. It’ll keep trying to sync itself with the net. This should slow it down or starve it a while at least
I got this trojan while I was changing antivirus from avgfree to kaspersky… talk about good timing… :(
I have the same problem with the task manager disabled and I cannot run smitfraudfix or spybot on my computer. My background is replaced with the same stuff that Frank had, Warning: spyware threat has been detected on your PC. and some other info and a link with it. I also get that triangle pop up every few minutes…can you tell me how to get my task manager back please?
and I try to change the taskmanager registry thing to 0, but it will change back to 1 again
After restarting my computer in safe mode, I’m not able to open the Smitfraudfix program. I double click, but nothing happens.
Help!?
Well I have followed all of Frank’s directions, and I am glad to say I destroyed most of this trojan, but there is still some stuff I can’t seem to destroy.. I can’t update my virus protection (AVG) either.. Most of the sites that can help me are “shut down” on me.. I think it was due to the trojan but I can’t seem to fix it. Can anyone help me out of this?
@ frustrated if it’s not starting just try to follow what Frank said. The smitfraudfix also did that to me and I assume it just doesn’t work
Been fighting this thing all week on my home computer. Really a nasty thing. (Fortunately my work PC is clean so I can search for solutions as I don’t want to be on the internet at home until I feel the system is clean.)
Going to print this whole page out and try some of the suggestions.
For those trying to get task manager going, I thought I would note that I had previously been struggling with trying to get the task manager to come on. I would edit the registry to remove the entry which was disabling task manager, (as noted above, in regedit go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and delete or modify DisableTaskMgr)
and try to open task manager again and would get the same “task manager disabled by admin….” message. I would check the registry again and see it had promptly had the disable entry put back in.
I finally managed to open Task manager by being in DOS, typed in taskmgr (without pressing return), removed the disable entry in the registry, then immediately clicked on the DOS window and pressed return, which opened the task manager. I checked the registry again and the disable entry was back again, but the task manager remained open and running.
Thanks to everyone above for all their advice which hopefully will help me get my home system back up and running again. Frank’s solutions look promising, but it should be noted that I have an up to date version of Norton and it seemed to totally miss catching this trojan and it can’t find it when I do a full system scan. (Even after briefly connecting to the internet long enough to load the new definitions.)
Hopefully I’ll be back here after the weekend with some good news.
Hi! I found out that I have some trojan downloader on my computer, please help!
At about 10:20 pm yesterday (which was 20/06/08) I was browsing the internet and clicked on a link, then suddenly the screen went black and when it came up again, I exited out of the internet and found that the desktop had changed to a blue one with a yellow rectangle box in the middle of the screen saying
“Windows has detected Spyware!
Install an anti-virus or spyware remover to clean-up your computer”
Now, every time I go to change the desktop, there are only the options “themes” “appearance” and “settings”, so I can’t remove the wallpaper (which comes back on even when I change it after I restart the computer) through the methods everybody here has mentioned.
Also, about every 5 or so minutes or just continuously, the screen goes black again and then a dark blue screen full of writing comes up, saying stuff like
“..windows is shutting down to prevent further damage to your computer.
BOGUS_DRIVER
….”
And it always has something like BOGUS_DRIVER on the screen but I don’t know what that means. In addition, there was an anti virus software that somehow installed itself on the computer, that popped up after the blue screen of writing, but I managed to get rid of that, as that was part of this virus
Somebody please help me rid my computer of the trojan downloader, since I have no idea where it is on my computer, and the black screen-then-blue screen keeps on happening, and the wallpaper is still there too!
ohh it’s gooood now!
sorry, i just fixed everything, but with the help of frank’s notes
thanks frank! i just need a freeware to get rid of the trojandownloader now that i’ve located it..
Thanks to everyone here for their insight and knowledge.
I made a lot of progress over the weekend. Managed to get rid of most of the corruption and feel somewhat safer using the system now. I think I have all the corrupted applications removed from my Windows and Windows/System32 directories and have my task manager back. And of course the computer runs about 10 times faster. Still believe I likely have a few quirky entries in the registry, but they apparently can’t find the applications to run when I boot up.
One thing that threw me off course when starting to troubleshoot things is that the particular version I had had a couple of rogue applications in the Windows/System32 directory, but I also had about 30 or so rogue files with EXE and DLL extensions in the Windows directory. When I would try to remove the files with windows explorer, I would be told they were being used. I could go into DOS and remove them IF I closed explorer first, but they would re-appear a couple of minutes later.
Good luck to everyone in removing this beast.
Hmm I got a lot of spyware when I was looking at lyrics on a website. Then I got this frozen pop up that I can’t close and all these spyware start popping up saying infected.
Like :: CoolWebSearch, TrojanDownloader.xs, Malware crap..
I used the SmitFraudFix and the TrojanDownloader.xs still pops up saying infected file.
And also I can’t access my desktop on my profile, it only shows my background.
And also I can’t fix my Ctrl + Alt + Delete for my task manager.
Keeps saying Disabled by Administrator.
I can’t open my own ad-aware remover, they want me to download theirs, which I’m not gonna do.
And I don’t know if anyone is still looking at this post. But I would appreciate it if someone helps me.
I changed the “DisableTaskMgr” of the Registry Editor from 0 -> 1
but it doesn’t let me change it…
It stays at 1 and does not let me change to 0.
Any solutions?
Frank/All,
I have windows XP professional, some of the files you mentioned I could not find in the location you stated. Maybe because I have XP Pro. Would you have a fix for XP Pro? I also have trojandownloader.xs and it also disabled my task mngr. Went to regedit and switched parameters for current and all users to zero and it still reverts to value of 1. I also disco my ethernet connection and it still reverts to value of 1. thx..
Is there another way to change the desktop background with the registry editor? Because I found the desktop and its background with the registry editor but I don’t know which one to delete?
Anyone help me with that?
I don’t know if anyone is paying attention to these posts lately..since the last one was posted in June, but I was infected by the trojandownloader.xs 2 days ago and my computer is completely messed up. I have been reading everyone’s opinions and ideas, but I am unable to do any of them.
For one, I still have my normal wallpaper, but it switches on me every 45 seconds to the alert that there is a virus.. I have no desktop icons, no start menu, this website opened on its own, if I close it, I won’t be able to get back in. I have tried downloading spyware removal online and it won’t let me download anything onto the comp. I am getting so frustrated. I tried the smitfraudfix, it downloaded but it didn’t do anything, it opened, scanned, I guess? But it didn’t say there was a problem or anything. Can someone PLEASE help me!
Amy,
With the level of denied access you have to your pc you have very few choices. If you can put smitfraudfix in a place that is easy to find in DOS, start your pc in “Safe Mode with Command Prompt”. Navigate to where you put the program and run it. Options 2 & 3 are the only ones you need to run. Answer yes to the questions then quit and reboot. 90% success with just doing that. Of course if that doesn’t work it’s time to be a slave driver and start an all out find and delete….. all the temp files, startup items, junk programs, should all be eliminated, but if you’re lucky this will free up some function for you. Good Luck
Jeff
I have a problem similar to those above. Was able to use smitfraudfix to get around most of it and I isolated/renamed the files in system32. Ran malwarebytes and AVG. Both removed trojans. I think (hope) that I am in the clear for the trojan coming back. But I am still having a couple of annoying issues:
1. The “all programs” link is missing from my start menu, so I have no way to access the rest of my programs. It was there prior to the virus so I assume that this was something that it disabled to try to thwart its removal.
2. The “My Computer” icon is now missing from my desktop and when I try to add it back under the customization menu it is greyed out so I can’t select it.
I figure that both of these things are controlled in the registry but I can’t for the life of me find the right keys to change.
Any suggestions/help would be greatly appreciated. BTW, I am running Windows Vista Ultimate.
WOW!!! What a life saver!!!!! THANK YOU SO MUCH I CAN KISS YOU WOW IM SO RELIEVED ITS GONE !!!
Any Response?