Sign in with
Sign up | Sign in
Your question

Trojan

Last response: in Windows XP
Share
Anonymous
May 16, 2005 9:08:05 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have this message right in the center of my screen that says "A fatal error
in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
caused by Trojan-Spy.HTML.Smitfraud.c
* System cannot function in normal mode....."
I think I have eliminated the Trojan with the help of Panda and Microsoft
AntiSpyware BUT the message remains, my favorites folder is empty and in my
control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
I ran Hijack This and everything there looked normal so what do I do next?

More about : trojan

Anonymous
May 17, 2005 12:28:15 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Click Start, Run and enter REGEDIT Look in both

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

And

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

for the following value:

NoDispBackgroundPage
NoDispAppearancePage

If they exist, they're probably set to 1. If so, double click the values you find and set them to 0 (zero).

Next, check

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

For NoThemesTab. If found, ensure that its set to 0.

Once this is done, all your tabs should be back. Go to the Desktop, Customize Desktop, Web tab and uncheck any Web content.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Teri" <Teri@discussions.microsoft.com> wrote in message news:4DA05F29-233A-40BD-BEF9-CBF834E0F65A@microsoft.com...
>I have this message right in the center of my screen that says "A fatal error
> in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
> caused by Trojan-Spy.HTML.Smitfraud.c
> * System cannot function in normal mode....."
> I think I have eliminated the Trojan with the help of Panda and Microsoft
> AntiSpyware BUT the message remains, my favorites folder is empty and in my
> control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
> I ran Hijack This and everything there looked normal so what do I do next?
Anonymous
May 17, 2005 12:28:37 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Teri" <Teri@discussions.microsoft.com>

| I have this message right in the center of my screen that says "A fatal error
| in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
| caused by Trojan-Spy.HTML.Smitfraud.c
| * System cannot function in normal mode....."
| I think I have eliminated the Trojan with the help of Panda and Microsoft
| AntiSpyware BUT the message remains, my favorites folder is empty and in my
| control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
| I ran Hijack This and everything there looked normal so what do I do next?

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

I am curious as to what generated that error message. MS AS ? Panda ?

Trojan-Spy.HTML.Smitfraud.c

http://www.viruslist.com/en/viruses/encyclopedia?virusi...


Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.05)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
when you get to the menu dhoose [1] so you can boot into Safe Mode.

4) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...

5) Reboot your PC into Safe Mode and shutdown as many applications as possible.

6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYCLEAN.COM scan your computer.
when done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

7) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYCLEAN.COM scan your computer.
when done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.


8) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),

9) Reboot your PC.

10) Create a new Restore point


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Related resources
Anonymous
May 17, 2005 12:44:37 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I think its an Active Desktop item.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:u1WwfdnWFHA.2060@tk2msftngp13.phx.gbl...
> From: "Teri" <Teri@discussions.microsoft.com>
>
> | I have this message right in the center of my screen that says "A fatal error
> | in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
> | caused by Trojan-Spy.HTML.Smitfraud.c
> | * System cannot function in normal mode....."
> | I think I have eliminated the Trojan with the help of Panda and Microsoft
> | AntiSpyware BUT the message remains, my favorites folder is empty and in my
> | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
> | I ran Hijack This and everything there looked normal so what do I do next?
>
> There are anti virus News Groups specifically for this type of discussion.
>
> microsoft.public.scripting.virus.discussion
> microsoft.public.security.virus
> alt.comp.virus
> alt.comp.anti-virus
>
> I am curious as to what generated that error message. MS AS ? Panda ?
>
> Trojan-Spy.HTML.Smitfraud.c
>
> http://www.viruslist.com/en/viruses/encyclopedia?virusi...
>
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> 1) Download the TrendMicro Sysclean Front End
>
> Download the utility SYSCLEAN_FE at the following URL --
> http://www.ik-cs.com/got-a-virus.htm
> SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
> Direct URL --
> http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
>
>
> 2) Download and install Ad-aware SE
> (free personal version v1.05)
> http://www.lavasoftusa.com/
> Update Ad-aware with the latest definitions and then exit the software.
>
> 3) Execute; SYSCLEAN_FE.EXE
> Choose; Unzip
> Choose; Close
>
>
> Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> when you get to the menu dhoose [1] so you can boot into Safe Mode.
>
> 4) Disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
>
> 5) Reboot your PC into Safe Mode and shutdown as many applications as possible.
>
> 6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> Choose [2] on the menu and let SYCLEAN.COM scan your computer.
> when done, execute Ad-aware SE and perform a full scan of your PC and delete
> all objects found.
>
> 7) Restart your PC and perform a "final" Full Scan of your platform
> Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> Choose [2] on the menu and let SYCLEAN.COM scan your computer.
> when done, execute Ad-aware SE and perform a final scan of your PC and delete
> all objects found.
>
>
> 8) Re-enable System Restore and re-apply any System Restore preferences,
> (e.g. HD space to use suggested 400 ~ 600MB),
>
> 9) Reboot your PC.
>
> 10) Create a new Restore point
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
Anonymous
May 17, 2005 12:44:38 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

It is an active desktop item and at the same time it came up my screen went
to a blue background and 20 new advertising icons appeared on my desktop.
Now I do not have an option of restoring my active desktop although I'm not
sure I ever did in XP.
I went to regedit and in HKCU it had ( nodisplayappearancepage,
nodisplaybackgroundpage, and wallpaperstyle). There was one other one which
I deleted immediately (I should have written it down) but I remembered seeing
it on every site I had been to about this trojan something about wp.bmp.
On HKLM it showed (dontdisplaylastusername, legalnoticecaption,
legalnoticetext, shutdownwithoutlogon, undockwithlogon). I think I need a
little guidance on this before I start deleting everything

"Doug Knox MS-MVP" wrote:

> I think its an Active Desktop item.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:u1WwfdnWFHA.2060@tk2msftngp13.phx.gbl...
> > From: "Teri" <Teri@discussions.microsoft.com>
> >
> > | I have this message right in the center of my screen that says "A fatal error
> > | in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
> > | caused by Trojan-Spy.HTML.Smitfraud.c
> > | * System cannot function in normal mode....."
> > | I think I have eliminated the Trojan with the help of Panda and Microsoft
> > | AntiSpyware BUT the message remains, my favorites folder is empty and in my
> > | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
> > | I ran Hijack This and everything there looked normal so what do I do next?
> >
> > There are anti virus News Groups specifically for this type of discussion.
> >
> > microsoft.public.scripting.virus.discussion
> > microsoft.public.security.virus
> > alt.comp.virus
> > alt.comp.anti-virus
> >
> > I am curious as to what generated that error message. MS AS ? Panda ?
> >
> > Trojan-Spy.HTML.Smitfraud.c
> >
> > http://www.viruslist.com/en/viruses/encyclopedia?virusi...
> >
> >
> > Dump the contents of the IE Temporary Internet Folder cache (TIF)
> > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
> >
> > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> > Tools --> Options --> Privacy --> Cache --> Clear
> >
> > 1) Download the TrendMicro Sysclean Front End
> >
> > Download the utility SYSCLEAN_FE at the following URL --
> > http://www.ik-cs.com/got-a-virus.htm
> > SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
> > Direct URL --
> > http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
> >
> >
> > 2) Download and install Ad-aware SE
> > (free personal version v1.05)
> > http://www.lavasoftusa.com/
> > Update Ad-aware with the latest definitions and then exit the software.
> >
> > 3) Execute; SYSCLEAN_FE.EXE
> > Choose; Unzip
> > Choose; Close
> >
> >
> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> > when you get to the menu dhoose [1] so you can boot into Safe Mode.
> >
> > 4) Disable System Restore
> > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
> >
> > 5) Reboot your PC into Safe Mode and shutdown as many applications as possible.
> >
> > 6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
> > when done, execute Ad-aware SE and perform a full scan of your PC and delete
> > all objects found.
> >
> > 7) Restart your PC and perform a "final" Full Scan of your platform
> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
> > when done, execute Ad-aware SE and perform a final scan of your PC and delete
> > all objects found.
> >
> >
> > 8) Re-enable System Restore and re-apply any System Restore preferences,
> > (e.g. HD space to use suggested 400 ~ 600MB),
> >
> > 9) Reboot your PC.
> >
> > 10) Create a new Restore point
> >
> >
> > * * * Please report back your results * * *
> >
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
Anonymous
May 17, 2005 1:00:19 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Doug Knox MS-MVP" <dknox@mvps.org>

| I think its an Active Desktop item.
|
| --
| Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
| Win 95/98/Me/XP Tweaks and Fixes
| http://www.dougknox.com
| --------------------------------

Why would Active DeskTop cause the error she note with the following "Error is
caused by Trojan-Spy.HTML.Smitfraud.c" and adds "...BUT the message remains...".

In theory "Trojan-Spy.HTML.Smitfraud.c" is just a HTML email phishing attempt message. For
exaple to update your CitiBank account but you have no CitiBank account and the URL takes
you to Korea. Why it is referred to as a Trojan I don't know but there is no resident code.
McAfee calls this "Phish-BankFraud.eml.a". On my LAN I had a user who received a phishing
attempt and I received an administrative pop-up on "Phish-BankFraud.eml". It was nothing
but a HTML email message caught by Mcafee's MAPI email scanner in Outlook 2000.

You may be right, I don't know. However I would still like to see the person scan with
Trend Sysclean and Asd-aware SE as somthing is going on.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
May 17, 2005 2:39:15 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

That's why I didn't recommend deleting anything, I said change them from 1 to 0, if they existed.

The values you mention in HKLM are not in the key I originally said to check. They are in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

Not

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The Policies\Explorer key may not exist on your system. Its just a good idea to check because some values are machine wide settings if they're in HKLM, and per user if they're in HKCU.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Teri" <Teri@discussions.microsoft.com> wrote in message news:ED489893-D909-4FA4-9ACF-F92D7F970EB1@microsoft.com...
> It is an active desktop item and at the same time it came up my screen went
> to a blue background and 20 new advertising icons appeared on my desktop.
> Now I do not have an option of restoring my active desktop although I'm not
> sure I ever did in XP.
> I went to regedit and in HKCU it had ( nodisplayappearancepage,
> nodisplaybackgroundpage, and wallpaperstyle). There was one other one which
> I deleted immediately (I should have written it down) but I remembered seeing
> it on every site I had been to about this trojan something about wp.bmp.
> On HKLM it showed (dontdisplaylastusername, legalnoticecaption,
> legalnoticetext, shutdownwithoutlogon, undockwithlogon). I think I need a
> little guidance on this before I start deleting everything
>
> "Doug Knox MS-MVP" wrote:
>
>> I think its an Active Desktop item.
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:u1WwfdnWFHA.2060@tk2msftngp13.phx.gbl...
>> > From: "Teri" <Teri@discussions.microsoft.com>
>> >
>> > | I have this message right in the center of my screen that says "A fatal error
>> > | in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
>> > | caused by Trojan-Spy.HTML.Smitfraud.c
>> > | * System cannot function in normal mode....."
>> > | I think I have eliminated the Trojan with the help of Panda and Microsoft
>> > | AntiSpyware BUT the message remains, my favorites folder is empty and in my
>> > | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
>> > | I ran Hijack This and everything there looked normal so what do I do next?
>> >
>> > There are anti virus News Groups specifically for this type of discussion.
>> >
>> > microsoft.public.scripting.virus.discussion
>> > microsoft.public.security.virus
>> > alt.comp.virus
>> > alt.comp.anti-virus
>> >
>> > I am curious as to what generated that error message. MS AS ? Panda ?
>> >
>> > Trojan-Spy.HTML.Smitfraud.c
>> >
>> > http://www.viruslist.com/en/viruses/encyclopedia?virusi...
>> >
>> >
>> > Dump the contents of the IE Temporary Internet Folder cache (TIF)
>> > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>> >
>> > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>> > Tools --> Options --> Privacy --> Cache --> Clear
>> >
>> > 1) Download the TrendMicro Sysclean Front End
>> >
>> > Download the utility SYSCLEAN_FE at the following URL --
>> > http://www.ik-cs.com/got-a-virus.htm
>> > SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
>> > Direct URL --
>> > http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
>> >
>> >
>> > 2) Download and install Ad-aware SE
>> > (free personal version v1.05)
>> > http://www.lavasoftusa.com/
>> > Update Ad-aware with the latest definitions and then exit the software.
>> >
>> > 3) Execute; SYSCLEAN_FE.EXE
>> > Choose; Unzip
>> > Choose; Close
>> >
>> >
>> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> > when you get to the menu dhoose [1] so you can boot into Safe Mode.
>> >
>> > 4) Disable System Restore
>> > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
>> >
>> > 5) Reboot your PC into Safe Mode and shutdown as many applications as possible.
>> >
>> > 6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
>> > when done, execute Ad-aware SE and perform a full scan of your PC and delete
>> > all objects found.
>> >
>> > 7) Restart your PC and perform a "final" Full Scan of your platform
>> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
>> > when done, execute Ad-aware SE and perform a final scan of your PC and delete
>> > all objects found.
>> >
>> >
>> > 8) Re-enable System Restore and re-apply any System Restore preferences,
>> > (e.g. HD space to use suggested 400 ~ 600MB),
>> >
>> > 9) Reboot your PC.
>> >
>> > 10) Create a new Restore point
>> >
>> >
>> > * * * Please report back your results * * *
>> >
>> >
>> > --
>> > Dave
>> > http://www.claymania.com/removal-trojan-adware.html
>> > http://www.ik-cs.com/got-a-virus.htm
>> >
>> >
>>
Anonymous
May 17, 2005 2:39:16 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Sorry about that, I think I got in too big of a hurry to cure the problem. I
do go back and follow your instructions to the letter and it worked. Thank
you

"Doug Knox MS-MVP" wrote:

> That's why I didn't recommend deleting anything, I said change them from 1 to 0, if they existed.
>
> The values you mention in HKLM are not in the key I originally said to check. They are in:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
>
> Not
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
>
> The Policies\Explorer key may not exist on your system. Its just a good idea to check because some values are machine wide settings if they're in HKLM, and per user if they're in HKCU.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "Teri" <Teri@discussions.microsoft.com> wrote in message news:ED489893-D909-4FA4-9ACF-F92D7F970EB1@microsoft.com...
> > It is an active desktop item and at the same time it came up my screen went
> > to a blue background and 20 new advertising icons appeared on my desktop.
> > Now I do not have an option of restoring my active desktop although I'm not
> > sure I ever did in XP.
> > I went to regedit and in HKCU it had ( nodisplayappearancepage,
> > nodisplaybackgroundpage, and wallpaperstyle). There was one other one which
> > I deleted immediately (I should have written it down) but I remembered seeing
> > it on every site I had been to about this trojan something about wp.bmp.
> > On HKLM it showed (dontdisplaylastusername, legalnoticecaption,
> > legalnoticetext, shutdownwithoutlogon, undockwithlogon). I think I need a
> > little guidance on this before I start deleting everything
> >
> > "Doug Knox MS-MVP" wrote:
> >
> >> I think its an Active Desktop item.
> >>
> >> --
> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> >> Win 95/98/Me/XP Tweaks and Fixes
> >> http://www.dougknox.com
> >> --------------------------------
> >> Per user Group Policy Restrictions for XP Home and XP Pro
> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> >> --------------------------------
> >> Please reply only to the newsgroup so all may benefit.
> >> Unsolicited e-mail is not answered.
> >>
> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:u1WwfdnWFHA.2060@tk2msftngp13.phx.gbl...
> >> > From: "Teri" <Teri@discussions.microsoft.com>
> >> >
> >> > | I have this message right in the center of my screen that says "A fatal error
> >> > | in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
> >> > | caused by Trojan-Spy.HTML.Smitfraud.c
> >> > | * System cannot function in normal mode....."
> >> > | I think I have eliminated the Trojan with the help of Panda and Microsoft
> >> > | AntiSpyware BUT the message remains, my favorites folder is empty and in my
> >> > | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
> >> > | I ran Hijack This and everything there looked normal so what do I do next?
> >> >
> >> > There are anti virus News Groups specifically for this type of discussion.
> >> >
> >> > microsoft.public.scripting.virus.discussion
> >> > microsoft.public.security.virus
> >> > alt.comp.virus
> >> > alt.comp.anti-virus
> >> >
> >> > I am curious as to what generated that error message. MS AS ? Panda ?
> >> >
> >> > Trojan-Spy.HTML.Smitfraud.c
> >> >
> >> > http://www.viruslist.com/en/viruses/encyclopedia?virusi...
> >> >
> >> >
> >> > Dump the contents of the IE Temporary Internet Folder cache (TIF)
> >> > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
> >> >
> >> > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> >> > Tools --> Options --> Privacy --> Cache --> Clear
> >> >
> >> > 1) Download the TrendMicro Sysclean Front End
> >> >
> >> > Download the utility SYSCLEAN_FE at the following URL --
> >> > http://www.ik-cs.com/got-a-virus.htm
> >> > SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
> >> > Direct URL --
> >> > http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
> >> >
> >> >
> >> > 2) Download and install Ad-aware SE
> >> > (free personal version v1.05)
> >> > http://www.lavasoftusa.com/
> >> > Update Ad-aware with the latest definitions and then exit the software.
> >> >
> >> > 3) Execute; SYSCLEAN_FE.EXE
> >> > Choose; Unzip
> >> > Choose; Close
> >> >
> >> >
> >> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> >> > when you get to the menu dhoose [1] so you can boot into Safe Mode.
> >> >
> >> > 4) Disable System Restore
> >> > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
> >> >
> >> > 5) Reboot your PC into Safe Mode and shutdown as many applications as possible.
> >> >
> >> > 6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> >> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
> >> > when done, execute Ad-aware SE and perform a full scan of your PC and delete
> >> > all objects found.
> >> >
> >> > 7) Restart your PC and perform a "final" Full Scan of your platform
> >> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> >> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
> >> > when done, execute Ad-aware SE and perform a final scan of your PC and delete
> >> > all objects found.
> >> >
> >> >
> >> > 8) Re-enable System Restore and re-apply any System Restore preferences,
> >> > (e.g. HD space to use suggested 400 ~ 600MB),
> >> >
> >> > 9) Reboot your PC.
> >> >
> >> > 10) Create a new Restore point
> >> >
> >> >
> >> > * * * Please report back your results * * *
> >> >
> >> >
> >> > --
> >> > Dave
> >> > http://www.claymania.com/removal-trojan-adware.html
> >> > http://www.ik-cs.com/got-a-virus.htm
> >> >
> >> >
> >>
>
Anonymous
May 17, 2005 4:46:14 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You're welcome :-)

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Teri" <Teri@discussions.microsoft.com> wrote in message news:D 1620EB4-A93E-4740-AE27-6C1476A6B8BC@microsoft.com...
> Sorry about that, I think I got in too big of a hurry to cure the problem. I
> do go back and follow your instructions to the letter and it worked. Thank
> you
>
> "Doug Knox MS-MVP" wrote:
>
>> That's why I didn't recommend deleting anything, I said change them from 1 to 0, if they existed.
>>
>> The values you mention in HKLM are not in the key I originally said to check. They are in:
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
>>
>> Not
>>
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
>>
>> The Policies\Explorer key may not exist on your system. Its just a good idea to check because some values are machine wide settings if they're in HKLM, and per user if they're in HKCU.
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "Teri" <Teri@discussions.microsoft.com> wrote in message news:ED489893-D909-4FA4-9ACF-F92D7F970EB1@microsoft.com...
>> > It is an active desktop item and at the same time it came up my screen went
>> > to a blue background and 20 new advertising icons appeared on my desktop.
>> > Now I do not have an option of restoring my active desktop although I'm not
>> > sure I ever did in XP.
>> > I went to regedit and in HKCU it had ( nodisplayappearancepage,
>> > nodisplaybackgroundpage, and wallpaperstyle). There was one other one which
>> > I deleted immediately (I should have written it down) but I remembered seeing
>> > it on every site I had been to about this trojan something about wp.bmp.
>> > On HKLM it showed (dontdisplaylastusername, legalnoticecaption,
>> > legalnoticetext, shutdownwithoutlogon, undockwithlogon). I think I need a
>> > little guidance on this before I start deleting everything
>> >
>> > "Doug Knox MS-MVP" wrote:
>> >
>> >> I think its an Active Desktop item.
>> >>
>> >> --
>> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> >> Win 95/98/Me/XP Tweaks and Fixes
>> >> http://www.dougknox.com
>> >> --------------------------------
>> >> Per user Group Policy Restrictions for XP Home and XP Pro
>> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> >> --------------------------------
>> >> Please reply only to the newsgroup so all may benefit.
>> >> Unsolicited e-mail is not answered.
>> >>
>> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:u1WwfdnWFHA.2060@tk2msftngp13.phx.gbl...
>> >> > From: "Teri" <Teri@discussions.microsoft.com>
>> >> >
>> >> > | I have this message right in the center of my screen that says "A fatal error
>> >> > | in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
>> >> > | caused by Trojan-Spy.HTML.Smitfraud.c
>> >> > | * System cannot function in normal mode....."
>> >> > | I think I have eliminated the Trojan with the help of Panda and Microsoft
>> >> > | AntiSpyware BUT the message remains, my favorites folder is empty and in my
>> >> > | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
>> >> > | I ran Hijack This and everything there looked normal so what do I do next?
>> >> >
>> >> > There are anti virus News Groups specifically for this type of discussion.
>> >> >
>> >> > microsoft.public.scripting.virus.discussion
>> >> > microsoft.public.security.virus
>> >> > alt.comp.virus
>> >> > alt.comp.anti-virus
>> >> >
>> >> > I am curious as to what generated that error message. MS AS ? Panda ?
>> >> >
>> >> > Trojan-Spy.HTML.Smitfraud.c
>> >> >
>> >> > http://www.viruslist.com/en/viruses/encyclopedia?virusi...
>> >> >
>> >> >
>> >> > Dump the contents of the IE Temporary Internet Folder cache (TIF)
>> >> > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>> >> >
>> >> > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>> >> > Tools --> Options --> Privacy --> Cache --> Clear
>> >> >
>> >> > 1) Download the TrendMicro Sysclean Front End
>> >> >
>> >> > Download the utility SYSCLEAN_FE at the following URL --
>> >> > http://www.ik-cs.com/got-a-virus.htm
>> >> > SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
>> >> > Direct URL --
>> >> > http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
>> >> >
>> >> >
>> >> > 2) Download and install Ad-aware SE
>> >> > (free personal version v1.05)
>> >> > http://www.lavasoftusa.com/
>> >> > Update Ad-aware with the latest definitions and then exit the software.
>> >> >
>> >> > 3) Execute; SYSCLEAN_FE.EXE
>> >> > Choose; Unzip
>> >> > Choose; Close
>> >> >
>> >> >
>> >> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> >> > when you get to the menu dhoose [1] so you can boot into Safe Mode.
>> >> >
>> >> > 4) Disable System Restore
>> >> > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
>> >> >
>> >> > 5) Reboot your PC into Safe Mode and shutdown as many applications as possible.
>> >> >
>> >> > 6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> >> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
>> >> > when done, execute Ad-aware SE and perform a full scan of your PC and delete
>> >> > all objects found.
>> >> >
>> >> > 7) Restart your PC and perform a "final" Full Scan of your platform
>> >> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> >> > Choose [2] on the menu and let SYCLEAN.COM scan your computer.
>> >> > when done, execute Ad-aware SE and perform a final scan of your PC and delete
>> >> > all objects found.
>> >> >
>> >> >
>> >> > 8) Re-enable System Restore and re-apply any System Restore preferences,
>> >> > (e.g. HD space to use suggested 400 ~ 600MB),
>> >> >
>> >> > 9) Reboot your PC.
>> >> >
>> >> > 10) Create a new Restore point
>> >> >
>> >> >
>> >> > * * * Please report back your results * * *
>> >> >
>> >> >
>> >> > --
>> >> > Dave
>> >> > http://www.claymania.com/removal-trojan-adware.html
>> >> > http://www.ik-cs.com/got-a-virus.htm
>> >> >
>> >> >
>> >>
>>
!