Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan-Spy.HTML.Smit-Fraud.c

Started by Batt-Man , Apr 20 2005 03:25 PM

  • This topic is locked This topic is locked

#16
Guest_Andy_veal_*
Posted 21 April 2005 - 03:39 PM

Guest_Andy_veal_*
  • Guest
:tazz: Good news.

Your logfile is clean.

Do you have any other problems?

To keep your computer safe
-Make sure you have all critical updates installed.
-To make sure that you have got a firewall running when your connected to the internet and Anti-virus software which has the latest updates.

Two great sites to check for good advice and top rated software are http://members.acces...ntomPhixer.html and http://www.spywareai...p?file=toprated


Keep us updated ;)
  • 0

Advertisements

#17
Batt-Man
Posted 21 April 2005 - 03:56 PM

Batt-Man

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Andy,

Thanks so much for you help! :tazz:
I thought it looked good.

I have a couple of odds-and-ends, but maybe it's better suited as a Malware removal topic, I'll let you tell me........

- I still have the blue screen with the "Security Warning", reference to the stupid "Trojan-Spy.HTML.Smitfraud.c", and I'm locked out of being able to change the background.

- When I access the internet, I get two seperate messages from Norton Antivirus saying it automatically fixed something, everything should be normal. I didn't do a good job writing down the info, so I'll try and get it to happen again and I will record exactly what it says. It seems to happen after everytime reboot my computer. (maybe something lingering).

Let me know what you think.

Thanks,
Erik
  • 0

#18
Guest_Andy_veal_*
Posted 21 April 2005 - 04:04 PM

Guest_Andy_veal_*
  • Guest
Have you tried a online scan?


Panda

Symantec

McAfee

TrendMicro Recommended

F-secure


Also is the error message this:

Security warning

A fatal error in IE has occured at 0028:C0011E36 in VDX VMM(01) +
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

*  System can not function in normal mode.
  Please check you security settings.

*  Scan your PC with any available antivirus / spyware remover
  program to fix the problem.


Thanks

Andy

Edited by Andy_veal, 21 April 2005 - 04:04 PM.

  • 0

#19
Batt-Man
Posted 21 April 2005 - 04:23 PM

Batt-Man

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Andy,

That is exactly the message pasted on the blue background.... Any ideas?

I will try and use some of the online scan sites you've listed and let you know how it goes.........
  • 0

#20
Guest_Andy_veal_*
Posted 21 April 2005 - 04:25 PM

Guest_Andy_veal_*
  • Guest
If you could scan with one of the online scans,

TrendMicro is Recommended

Then if you post if it found anything or was able to delete anything we can hopefully solve this virus.

:tazz:
  • 0

#21
Batt-Man
Posted 21 April 2005 - 05:24 PM

Batt-Man

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I'm on another computer right now. The infected computer is running the online scan from F-secure right now.....

I wanted to use the recommended TrendMicro, but when I click on the link with the infected computer, it opens a new window and starts to download the TrendMicro homepage and then I get a message like...

"Internet Explorer has encountered a problem and needs to shut down"

There are no details available or no "error in xxxx.dll" message, just an option to restart Explorer.

I didn't have any problems with F-secure homepage. Kind of odd.
  • 0

#22
Batt-Man
Posted 22 April 2005 - 09:19 AM

Batt-Man

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here are the results of the online virus scan using F-secure. :tazz:
It looks like some of these are tied up with Norton AV? During the scan I received several messages from Norton (one for each of the entries you see) saying:

"Repair Successful
It is now safe to use your computer
Norton Anti-Virus has successfully removed the problem
C:\windows\TEMP\AVP5032.TMP"

For each message the "AVP" would be followed by some 4-char string like 13B3 or 5207, etc.

Here are the results of the F-secure online scan:

Scanned files: 26249 Warning: 22 file(s) still infected!

c:\RECYCLED\Q330995.exe Trojan-Downloader.Win32.Small.amb

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP0.DLL Trojan.Win32.StartPage.ix

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP0.exe Trojan-Downloader.Win32.Small.vq

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP1.exe Trojan-Downloader.Win32.Small.vq

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP2.exe Trojan-Downloader.Win32.Small.vq

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP0.bin Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP1.dll Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP1.bin Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP2.dll Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP2.bin Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP3.bin Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP3.dll Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP4.bin Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP4.dll Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP5.bin Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP5.dll Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP6.bin Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP6.dll Trojan.Win32.StartPage.vr

c:\Program Files\Norton AntiVirus\Quarantine\4C685668.exe Trojan-Downloader.Win32.Small.vq

c:\Program Files\Norton AntiVirus\Quarantine\3ED153BC Trojan-Downloader.Win32.Domcom.b

c:\Program Files\Norton AntiVirus\Quarantine\40A447BA Trojan.Java.ClassLoader.i

c:\Program Files\Norton AntiVirus\Quarantine\4FA33795 Trojan.Java.ClassLoader.k
  • 0

#23
Guest_Andy_veal_*
Posted 22 April 2005 - 09:38 AM

Guest_Andy_veal_*
  • Guest

c:\Program Files\Norton AntiVirus\Quarantine


Its ok, Those files are in the Quarentine :tazz: Safe!

summary

Behavior
Joke.Smitfraudoid is a joke program that changes the desktop wallpaper and several settings.

Symptoms
Presence of the file C:\wp.bmp.

Desktop wallpaper is changed to blue screen with the following message:

Security warning    A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c.


I found the above Symantec Hopefully this is the same problems as you are having.

The virus names may be different

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: Backing up the Windows Registry .

  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

  4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. In the right pane, delete the value:

      "WindowsFY" = "[program name]"

  6. Navigate to and delete the subkey:

      HKEY_CLASSES_ROOT\CLSID\{145E6FB1-1256-44ed-A336-8BBA43373BE6}

  7. Navigate to the subkey:

      HKEY_CURRENT_USER\Software\Micorsoft\Windows\CurrentVersion\Policies\Explorer

  8. In the right page, delete the value:

      "NoActiveDesktopChanges" = "1"

  9. Navigate to the subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

  10. In the right pane, delete the values, if they are not required:

      "NoDispBackgroundPage" = "1"
      "NoDispAppearancePage" = "1"

  11. Exit the Registry Editor.

5. To change display settings

  1. Right click on desktop
  2. Select Properties
  3. In the Desktop tab, set the following properties:

          * Background
          * Position
          * Color

  4. Click OK


If you have any problems with the above advise, then please do not follow the instructions.

PLEASE MAKE SURE YOU BACKUP THE REGISTRY

Good luck


Andy
  • 0

#24
Batt-Man
Posted 22 April 2005 - 03:38 PM

Batt-Man

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Woo Hoo! Success! :tazz:

Andy_veal is the man!


As a side note to anyone who is using any of the info. here to help with their problem.....

In the instructions provided by Symantec to edit the registers to remove the Joke.Smitfaudoid (some joke, it's taken me a week to get rid of it! :mad: )

The 1'st subkey they have you navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

did not contain the value "WindowsFY" = "[program name]"
it was located under:

My Computer\HKEY_USERS\Default\Software\Microsoft\Windows\Current Version\Run

Maybe it's this way just in my computer or it has something to do with Win98, I'm not sure. I used the find option in the Registry Editor to look for "WindowsFY"

Thanks Geeks To Go!
  • 0

#25
Batt-Man
Posted 22 April 2005 - 03:47 PM

Batt-Man

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Another question.....

Now that I've gone through all of this and installed all of these adware and spyware scanners, etc. my start-up configuration is loaded with stuff, half of which, I don't know anything about.

I believe it's eating up my system resources though. When I try to open an MS Word document from a file location, my computer locks up. If I already have MS Word open and then open the document it works o.k.

What's the best way to:
1) Figure out what all the stuff is.
2) Figure out if I need it.
3) Clean the things I don't need out permenantly, instead of just switching them off (I still see referance to the stupid Security iGuard, that magically appeared on my computer along with Trojan-Spy.HTML.Smitfraud.c)

Thanks again!
-Erik
  • 0

Advertisements

#26
Guest_Andy_veal_*
Posted 22 April 2005 - 05:01 PM

Guest_Andy_veal_*
  • Guest
:tazz: So glad that it worked.

To keep your computer safe
-Make sure you have all critical updates installed.
-To make sure that you have got a firewall running when your connected to the internet and Anti-virus software which has the latest updates.

Two great sites to check for good advice and top rated software are http://members.acces...ntomPhixer.html and http://www.spywareai...p?file=toprated

I would recommend that you keep the program CCleaner, this helps keep your computer clean! ;)

Not to sure about your MS word problem but i will contact the team.

A good idea is to try searching for unknown things.

http://www.processlibrary.com/ - For Processes.

This program might be some help to you.

StartupList : A simple tool that lists all and every auto starting program on your system. You might be surprised what it finds, this is way  better than Msconfig. Commonly used to troubleshoot malfunctioning systems, trojan/viral infections, new spyware/malware breed and the likes.

http://www.spywarein.../downloads.html

I hope this helps.

Post back ;)


Andy
  • 0
Back to Lavasoft Support (Ad-aware) · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Retired Forums
  3. Lavasoft Support (Ad-aware)

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP