0

my desktop has been hijacked and a "Security Warning" is permanently displayed on my desktop. The warning states "A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c....* System can not function in normal mode. Please check you security settings...* Scan your PC with any available antivirus/spyware remover program to fix the problem."

When going to Display properties and try to change the background on my desk top, several taps are missing from the dialog box, including the background tap.

Also, from time to time I get a pop up Microsoft error #317 message instructing me to click to have they system scanned for spyware, i assume this is fake, this links me to a page which has MSN across the top.

This is a new one on me? i have tried all manor of programs, Mcafee, microsoft antispyware, xoftspy, adware proffesional,

5
Contributors
11
Replies
12
Views
12 Years
Discussion Span
Last Post by Jasonsebi
Featured Replies
  • This is what HJT give me, when i right click for the display properties the only tabs i have are "screensaver" and "settings" tabs, all the others are simply not there. Logfile of HijackThis v1.99.1 Scan saved at 14:02:50, on 13/04/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer … Read More

0

Right click on your desktop and go to properties. Select the web tab and place a check in any entries below the My Current Home Page and delete them.

Download HijackThis selfextracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

1

This is what HJT give me,

when i right click for the display properties the only tabs i have are "screensaver" and "settings" tabs, all the others are simply not there.

Logfile of HijackThis v1.99.1
Scan saved at 14:02:50, on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\helper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\SFNUploader.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SUService] C:\WINDOWS\SYSTEM32\SUService.exe
O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\Run: [d3mu32.exe] C:\WINDOWS\system32\d3mu32.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: WindowsUpdate23587[1].exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1383.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Thanks

0

Can you do the following please.

First, download HSFix from here.

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Reboot into safe mode following the instructions here

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

A log will be produced which you can close out of.

Then run HijackThis again, close any open windows and browsers and fix these:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [SUService] C:\WINDOWS\SYSTEM32\SUService.exe
O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\Run: [d3mu32.exe] C:\WINDOWS\system32\d3mu32.exe
O4 - Startup: WindowsUpdate23587[1].exe

O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1383.exe

Restart your computer into normal mode and run at least one of the following free, online virus scans:

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan...ncipal.htm
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

0

I did as you said but was unable to find

O4 - Startup: WindowsUpdate23587[1].exe

in the safe mode


Heres HJT log

Logfile of HijackThis v1.99.1
Scan saved at 15:14:40, on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\helper.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
WindowsUpdate
-

The online virus checker picked up 3 virus that mcafee didnt,

0

my desktop has been hijacked and a "Security Warning" is permanently displayed on my desktop. The warning states "A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c....* System can not function in normal mode. Please check you security settings...* Scan your PC with any available antivirus/spyware remover program to fix the problem."

I have shifted this but am now left with a black wallpaper

When going to Display properties and try to change the background on my desk top, several taps are missing from the dialog box, including the background tap. I now Only have "Screen saver" and "settings" tabs

Also, from time to time I get a pop up Microsoft error #317 message instructing me to click to have they system scanned for spyware, i assume this is fake, this links me to a page which has MSN across the top.

This is a new one on me? i have tried all manor of programs, Mcafee, microsoft antispyware, xoftspy, adware proffesional,

anyone else having this trouble

(reposted title didn't come out) :?:

0

First of all, please uninstall Spyware Begone. The program is bogus in that is known to "warn" you of infections that may not even be present on your system in an attempt to scare you into paying $$ for their full package. More on that and other bogus "anti-spyware" programs can be found here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm


I have more info on your original problem also, but I won't have time to post that until tomorrow- please hang in there until then.

0

Thanks for that link sukiyaki99. :)

I found the original thread (at Geeks To Go) that the instructions in your link were distilled from, but now I don't have to go through that thread and re-distill the instructions myself.


jackolos,

If you have any questions about the procedure sukiyaki99 linked to, please ask us for help; if you accidentally delete the wrong file or make some other such mistake you could cause more problems than you have now.

0

I have followed the instructions in the link up to where i have to execute the deldomains.inf. however when i do so i get the following error:

deldomain.inf is not a valid Win32 application.

i dont know if this problem is related, cheers

Jack

0

Hi there – after having the same problem and searching the web for hours I have finally found the solution!!!

1. Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

2. Download Killbox
(if link does not work – simply search for the program in google).

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.


3. Deletion of a few files

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security IGuard

Reboot into normal mode.


4. Installation of Registrar
(if link does not work – simply search for the program in google).

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Alternatively you can simply go int0 regedit and search the file “by hand and delete it.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Ending all your efforts you should still run a virus scan. If you do not have an AV installed, use ActiveScan - Save the results from the scan!

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.