[ExOtiC_SwEeTs]

Hello, I happened to come across this forum (Thank Goodness!) while using the google search engine in attempt to find some type of anti-virus. I for one, am not the brightest at computers when it comes down to situations like this, so PLEASE bare with me!

But anyhow, here's my problem: While using the web, out of nowhere, I got a pop-up message stating that my computer had been infected with a trojan or some type of spyware, and they suggested that I download any available anti-virus program. Right after that, I got numerous pornographic pop-ups, the web browswer I was using kept on redirecting me to adult links/webpages, I had many unwanted and uncalled for icons on my desktop that I couldn't/can't remove and, lastly, my desktop wallpaper now has a plain bright blue background that says:

"Security Warning:
A fatal error has occured at 0028:C0011E36 in VXD VMM (01). Error was caused by Trojan-Spy.HTML.Smitfraud.c.
-System cannot function in normal mode. Please check your security settings.
-Scan your PC with any available anti-virus/spyware remover program to fix the problem."

I did everything that was asked in the "Before posting a Hijackthis Log" thread and it didn't seem to work. I also tried using numerous anti-virus programs (norton anti-virus, avast, xoftspy, etc.) one of which I even purchased (xoftspy 4.12) and installed SP2. I'm STUMPED! I don't know what to do anymore, so I went ahead and got a Hijackthis log in hopes that you guys can help me.

Logfile of HijackThis v1.99.1
Scan saved at 12:00:19 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Gloria ((Mom))\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCD4FC6A-D92D-4B1F-8D65-26C736B2F991}: NameServer = 63.200.115.40 206.13.28.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Well, there it is. I hope to hear from you guys soon, thanks!

Edited by ExOtiC_SwEeTs, 26 April 2005 - 02:30 PM.

[Advertisements]

Unlucky same thing happened to me a couple of days ago. I've managed to get rid of the virus itself but I've still got the bright blue background. The staff in this forum are extremely good though so they'll help you through it easy.

[longlivemonkeys]

Unlucky same thing happened to me a couple of days ago. I've managed to get rid of the virus itself but I've still got the bright blue background. The staff in this forum are extremely good though so they'll help you through it easy.

[Michelle]

Welcome to Geeks to Go!
I would be happy to help you with your system

I'll be back as soon as possible!

[ExOtiC_SwEeTs]

That's very relieving information, thank you longlivemonkeys!

It makes me happy to know that someone out there is actually willing to help out people, such as me, on their own free time without asking anything but a simple "thanks" in return. It's clear that they have nothing but good intentions and I really do appreciate that. I appreciate anything I get from anyone on this forum.

So here's a big ol' THANK YOU to everyone at Geeks To Go!

You guys are the best!

[longlivemonkeys]

Lol

[ExOtiC_SwEeTs]

Wow, I had barely finished my last post and I already got a response!

You guys are AMAZING!

Thanks for wanting to help me with my problem bananafanafo!! I really do appreciate it, so much that I'm gonna make a toast specially for you! haha, THANKS!

[Michelle]

The first thing I need you to do is run this online virus scan:

ActiveScan

Copy the results from ActiveScan and paste them here.

[Michelle]

And you're welcome!

[ExOtiC_SwEeTs]

Okay I'm running the scan, it's been running for about 15-20mins. and it just about half way done. Not sure how long it's gonna take to finish though.

[Michelle]

That's fine, I'll be in and out (have to do some housework, fun lol)

[Jad]

You must have friends in high places or something, I've been waiting over a day and you got a response in a couple of hours! Maybe it's my cologne or something...

[ExOtiC_SwEeTs]

LOL! Nope, not friends just luck, and kind people! I'm sure you'll get your response, don't worry! I was just fortunate enough to have posted when an expert was online.....
......and happened to be wearing good smelling perfume. LOL

Edited by ExOtiC_SwEeTs, 26 April 2005 - 03:31 PM.

[ExOtiC_SwEeTs]

Whoopti-Woo.... housework.... why aren't you quite the fortune one! Eh, housework, it's not quite what I would consider the highlight of the day, it's more like the "err-its-time-to-clean-again-ugh!!" time of the day!

If I could, I'd do your housework since you're helping me fix my computer. BUT..... since we both know we're merely impossible, I'll just have Taz do his peachy little dance for you hehe

Okay, well going back to the trojan thing, I did what you said to do with ActiveScan and these were the results:

I found that the last way I had copied and pasted the results looked rather confusing, hopfully the way I semi-reorganized makes it a bit better.

From Left to Right it is as follows:
Icident Type . Status . Icident Location

Adware:Adware/Hotoffers . No disinfected . C:\WINDOWS\System32\param32.dll

Spyware:Spyware/Spyblocs . No disinfected . C:\Documents and Settings\Gloria ((Mom))\Desktop\Remove Spyware.url

Adware:Adware/CWS.Aboutblank . No disinfected . Windows Registry

Adware:Adware/IGuard . No disinfected . C:\WINDOWS\System32\wldr.dll

Adware:Adware/Hotoffers . No disinfected . C:\WINDOWS\System32\param32.dll

Adware:Adware/BlueScreenWarning . No disinfected . C:\wp.bmp

Spyware:Spyware/Spyblocs . No disinfected . C:\Documents and Settings\Gloria ((Mom))\Desktop\Remove Spyware.url

Adware:Adware/Hotoffers . No disinfected . C:\WINDOWS\system32\guninst.exe

Adware:Adware/Hotoffers . No disinfected . C:\WINDOWS\system32\param32.dll

Adware:Adware/IGuard . No disinfected . C:\WINDOWS\system32\wldr.dll

Adware:Adware/BlueScreenWarning . No disinfected . C:\wp.bmp

Edited by ExOtiC_SwEeTs, 26 April 2005 - 04:15 PM.

[Michelle]

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox instructions below and paste them into Notepad (you can access notepad, by going to Start > All Programs > Accessories > Notepad) and save it for use while in Safe Mode.

* Please download the Killbox by Option^Explicit.
Unzip it to the desktop but do NOT run it yet.

* Please reboot into Safe Mode by restarting your computer and tapping F8 continuously as your computer is booting up until a menu appears. use your up arrow key to highlight "Safe Mode", then hit enter

* Once in Safe Mode, please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\System32\param32.dll
C:\Documents and Settings\Gloria ((Mom))\Desktop\Remove Spyware.url
C:\WINDOWS\System32\wldr.dll
C:\WINDOWS\system32\guninst.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Yes, we need you to go back into Safe Mode!

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Post a new HiJackThis log.

Edited by bananafanafo, 26 April 2005 - 04:15 PM.

[ExOtiC_SwEeTs]

I did all of the above and this is what I got for my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:49 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Gloria ((Mom))\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCD4FC6A-D92D-4B1F-8D65-26C736B2F991}: NameServer = 63.200.115.40 206.13.28.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe