Trojan

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have this message right in the center of my screen that says "A fatal error
in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
caused by Trojan-Spy.HTML.Smitfraud.c
* System cannot function in normal mode....."
I think I have eliminated the Trojan with the help of Panda and Microsoft
AntiSpyware BUT the message remains, my favorites folder is empty and in my
control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
I ran Hijack This and everything there looked normal so what do I do next?
  1.

    Click Start, Run and enter REGEDIT. Look in both

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    And

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

    for the following values:

    NoDispBackgroundPage
    NoDispAppearancePage

    If they exist, they're probably set to 1. If so, double click the values you find and set them to 0 (zero).

    Next, check

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    and

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    For NoThemesTab. If found, ensure that it's set to 0.

    Once this is done, all your tabs should be back. Go to the Desktop, Customize Desktop, Web tab and uncheck any Web content.

    --
    Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    Win 95/98/Me/XP Tweaks and Fixes
    http://www.dougknox.com
    --------------------------------
    Per user Group Policy Restrictions for XP Home and XP Pro
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    --------------------------------
    Please reply only to the newsgroup so all may benefit.
    Unsolicited e-mail is not answered.

    "Teri" <Teri@discussions.microsoft.com> wrote in message news:4DA05F29-233A-40BD-BEF9-CBF834E0F65A@microsoft.com...
    >I have this message right in the center of my screen that says "A fatal error
    > in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
    > caused by Trojan-Spy.HTML.Smitfraud.c
    > * System cannot function in normal mode....."
    > I think I have eliminated the Trojan with the help of Panda and Microsoft
    > AntiSpyware BUT the message remains, my favorites folder is empty and in my
    > control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
    > I ran Hijack This and everything there looked normal so what do I do next?
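
Doug Knox's registry check from the reply above, written as a PowerShell script; this is an added example, not code from the thread. It assumes PowerShell 3.0 or later is installed, and the script name and the `-Fix` switch are hypothetical.

```powershell
# Added example (hypothetical script name: Reset-DisplayTabPolicy.ps1).
# Reports the three policy values named in the reply above in both hives;
# with -Fix it sets any non-zero value to 0 instead of deleting it.
param([switch]$Fix)

# Subkeys and value names exactly as given in the reply.
$policyValues = [ordered]@{
    'Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('NoDispBackgroundPage', 'NoDispAppearancePage')
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoThemesTab')
}

function Get-DisplayTabPolicy {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($subKey in $policyValues.Keys) {
            $path = '{0}\{1}' -f $hive, $subKey
            # A missing key is normal (Policies\Explorer may not exist).
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $props = Get-ItemProperty -LiteralPath $path
            # Get-ItemProperty returns nothing for a key that has no values.
            if ($null -eq $props) { continue }
            foreach ($name in $policyValues[$subKey]) {
                # Lookup by name is case-insensitive, like the registry itself.
                $prop = $props.PSObject.Properties[$name]
                if ($null -eq $prop) { continue }
                [pscustomobject]@{
                    Path     = $path
                    Name     = $name
                    Data     = $prop.Value
                    HidesTab = ($prop.Value -ne 0)
                }
            }
        }
    }
}

$findings = @(Get-DisplayTabPolicy)
if ($findings.Count -eq 0) {
    Write-Host 'None of the three policy values exist in HKCU or HKLM.'
    return
}
$findings | Format-Table -AutoSize | Out-Host

if ($Fix) {
    foreach ($f in ($findings | Where-Object { $_.HidesTab })) {
        try {
            Set-ItemProperty -LiteralPath $f.Path -Name $f.Name -Value 0 -Type DWord -ErrorAction Stop
            Write-Host ('Set {0}\{1} to 0' -f $f.Path, $f.Name)
        } catch {
            # HKLM writes need an elevated session; report and continue with the rest.
            Write-Warning ('Could not change {0}\{1}: {2}' -f $f.Path, $f.Name, $_.Exception.Message)
        }
    }
}
```

Run it once without `-Fix` to see which hive holds the restriction; HKCU values apply to the current user only, HKLM values to every user on the machine.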
  2.

    From: "Teri" <Teri@discussions.microsoft.com>

    | I have this message right in the center of my screen that says "A fatal error
    | in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
    | caused by Trojan-Spy.HTML.Smitfraud.c
    | * System cannot function in normal mode....."
    | I think I have eliminated the Trojan with the help of Panda and Microsoft
    | AntiSpyware BUT the message remains, my favorites folder is empty and in my
    | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
    | I ran Hijack This and everything there looked normal so what do I do next?

    There are anti virus News Groups specifically for this type of discussion.

    microsoft.public.scripting.virus.discussion
    microsoft.public.security.virus
    alt.comp.virus
    alt.comp.anti-virus

    I am curious as to what generated that error message. MS AS ? Panda ?

    Trojan-Spy.HTML.Smitfraud.c

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=73615


    Dump the contents of the IE Temporary Internet Folder cache (TIF)
    Start --> Settings --> Control Panel --> Internet Options --> Delete Files

    Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    Tools --> Options --> Privacy --> Cache --> Clear

    1) Download the TrendMicro Sysclean Front End

    Download the utility SYSCLEAN_FE at the following URL --
    http://www.ik-cs.com/got-a-virus.htm
    SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
    Direct URL --
    http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


    2) Download and install Ad-aware SE
    (free personal version v1.05)
    http://www.lavasoftusa.com/
    Update Ad-aware with the latest definitions and then exit the software.

    3) Execute; SYSCLEAN_FE.EXE
    Choose; Unzip
    Choose; Close


    Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    when you get to the menu choose [1] so you can boot into Safe Mode.

    4) Disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

    5) Reboot your PC into Safe Mode and shutdown as many applications as possible.

    6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
    when done, execute Ad-aware SE and perform a full scan of your PC and delete
    all objects found.

    7) Restart your PC and perform a "final" Full Scan of your platform
    Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
    when done, execute Ad-aware SE and perform a final scan of your PC and delete
    all objects found.


    8) Re-enable System Restore and re-apply any System Restore preferences,
    (e.g. HD space to use suggested 400 ~ 600MB),

    9) Reboot your PC.

    10) Create a new Restore point


    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  3.

    I think it's an Active Desktop item.

    --
    Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    Win 95/98/Me/XP Tweaks and Fixes
    http://www.dougknox.com
    --------------------------------
    Per user Group Policy Restrictions for XP Home and XP Pro
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    --------------------------------
    Please reply only to the newsgroup so all may benefit.
    Unsolicited e-mail is not answered.

  4.

    It is an active desktop item and at the same time it came up my screen went
    to a blue background and 20 new advertising icons appeared on my desktop.
    Now I do not have an option of restoring my active desktop although I'm not
    sure I ever did in XP.
    I went to regedit and in HKCU it had ( nodisplayappearancepage,
    nodisplaybackgroundpage, and wallpaperstyle). There was one other one which
    I deleted immediately (I should have written it down) but I remembered seeing
    it on every site I had been to about this trojan something about wp.bmp.
    On HKLM it showed (dontdisplaylastusername, legalnoticecaption,
    legalnoticetext, shutdownwithoutlogon, undockwithlogon). I think I need a
    little guidance on this before I start deleting everything

    "Doug Knox MS-MVP" wrote:

    > I think it's an Active Desktop item.
  5.

    From: "Doug Knox MS-MVP" <dknox@mvps.org>

    | I think it's an Active Desktop item.
    |
    | --
    | Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    | Win 95/98/Me/XP Tweaks and Fixes
    | http://www.dougknox.com
    | --------------------------------

    Why would Active DeskTop cause the error she noted with the following "Error is
    caused by Trojan-Spy.HTML.Smitfraud.c" and adds "...BUT the message remains...".

    In theory "Trojan-Spy.HTML.Smitfraud.c" is just an HTML email phishing attempt message. For
    example to update your CitiBank account but you have no CitiBank account and the URL takes
    you to Korea. Why it is referred to as a Trojan I don't know but there is no resident code.
    McAfee calls this "Phish-BankFraud.eml.a". On my LAN I had a user who received a phishing
    attempt and I received an administrative pop-up on "Phish-BankFraud.eml". It was nothing
    but an HTML email message caught by McAfee's MAPI email scanner in Outlook 2000.

    You may be right, I don't know. However I would still like to see the person scan with
    Trend Sysclean and Ad-aware SE as something is going on.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  6.

    That's why I didn't recommend deleting anything, I said change them from 1 to 0, if they existed.

    The values you mention in HKLM are not in the key I originally said to check. They are in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

    Not

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    The Policies\Explorer key may not exist on your system. It's just a good idea to check because some values are machine wide settings if they're in HKLM, and per user if they're in HKCU.

    --
    Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    Win 95/98/Me/XP Tweaks and Fixes
    http://www.dougknox.com
    --------------------------------
    Per user Group Policy Restrictions for XP Home and XP Pro
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    --------------------------------
    Please reply only to the newsgroup so all may benefit.
    Unsolicited e-mail is not answered.

    "Teri" <Teri@discussions.microsoft.com> wrote in message news:ED489893-D909-4FA4-9ACF-F92D7F970EB1@microsoft.com...
    > It is an active desktop item and at the same time it came up my screen went
    > to a blue background and 20 new advertising icons appeared on my desktop.
    > Now I do not have an option of restoring my active desktop although I'm not
    > sure I ever did in XP.
    > I went to regedit and in HKCU it had ( nodisplayappearancepage,
    > nodisplaybackgroundpage, and wallpaperstyle). There was one other one which
    > I deleted immediately (I should have written it down) but I remembered seeing
    > it on every site I had been to about this trojan something about wp.bmp.
    > On HKLM it showed (dontdisplaylastusername, legalnoticecaption,
    > legalnoticetext, shutdownwithoutlogon, undockwithlogon). I think I need a
    > little guidance on this before I start deleting everything
  7.

    Sorry about that, I think I got in too big of a hurry to cure the problem. I
    did go back and follow your instructions to the letter and it worked. Thank
    you

    "Doug Knox MS-MVP" wrote:

    > That's why I didn't recommend deleting anything, I said change them from 1 to 0, if they existed.
    >
    > The values you mention in HKLM are not in the key I originally said to check. They are in:
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    >
    > Not
    >
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    >
    > The Policies\Explorer key may not exist on your system. It's just a good idea to check because some values are machine wide settings if they're in HKLM, and per user if they're in HKCU.
  8.

    You're welcome :-)

    --
    Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    Win 95/98/Me/XP Tweaks and Fixes
    http://www.dougknox.com
    --------------------------------
    Per user Group Policy Restrictions for XP Home and XP Pro
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    --------------------------------
    Please reply only to the newsgroup so all may benefit.
    Unsolicited e-mail is not answered.

    "Teri" <Teri@discussions.microsoft.com> wrote in message news:D1620EB4-A93E-4740-AE27-6C1476A6B8BC@microsoft.com...
    > Sorry about that, I think I got in too big of a hurry to cure the problem. I
    > did go back and follow your instructions to the letter and it worked. Thank
    > you
    >
    > "Doug Knox MS-MVP" wrote:
    >
    >> That's why I didn't recommend deleting anything, I said change them from 1 to 0, if they existed.
    >>
    >> The values you mention in HKLM are not in the key I originally said to check. They are in:
    >>
    >> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    >>
    >> Not
    >>
    >> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    >>
    >> The Policies\Explorer key may not exist on your system. Its just a good idea to check because some values are machine wide settings if they're in HKLM, and per user if they're in HKCU.
    >>
    >> --
    >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    >> Win 95/98/Me/XP Tweaks and Fixes
    >> http://www.dougknox.com
    >> --------------------------------
    >> Per user Group Policy Restrictions for XP Home and XP Pro
    >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    >> --------------------------------
    >> Please reply only to the newsgroup so all may benefit.
    >> Unsolicited e-mail is not answered.
    >>
    >> "Teri" <Teri@discussions.microsoft.com> wrote in message news:ED489893-D909-4FA4-9ACF-F92D7F970EB1@microsoft.com...
    >> > It is an active desktop item and at the same time it came up my screen went
    >> > to a blue background and 20 new advertising icons appeared on my desktop.
    >> > Now I do not have an option of restoring my active desktop although I'm not
    >> > sure I ever did in XP.
    >> > I went to regedit and in HKCU it had ( nodisplayappearancepage,
    >> > nodisplaybackgroundpage, and wallpaperstyle). There was one other one which
    >> > I deleted immediately (I should have written it down) but I remembered seeing
    >> > it on every site I had been to about this trojan something about wp.bmp.
    >> > On HKLM it showed (dontdisplaylastusername, legalnoticecaption,
    >> > legalnoticetext, shutdownwithoutlogon, undockwithlogon). I think I need a
    >> > little guidance on this before I start deleting everything
    >> >
    >> > "Doug Knox MS-MVP" wrote:
    >> >
    >> >> I think it's an Active Desktop item.
    >> >>
    >> >> --
    >> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    >> >> Win 95/98/Me/XP Tweaks and Fixes
    >> >> http://www.dougknox.com
    >> >> --------------------------------
    >> >> Per user Group Policy Restrictions for XP Home and XP Pro
    >> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    >> >> --------------------------------
    >> >> Please reply only to the newsgroup so all may benefit.
    >> >> Unsolicited e-mail is not answered.
    >> >>
    >> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:u1WwfdnWFHA.2060@tk2msftngp13.phx.gbl...
    >> >> > From: "Teri" <Teri@discussions.microsoft.com>
    >> >> >
    >> >> > | I have this message right in the center of my screen that says "A fatal error
    >> >> > | in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010F36. Error is
    >> >> > | caused by Trojan-Spy.HTML.Smitfraud.c
    >> >> > | * System cannot function in normal mode....."
    >> >> > | I think I have eliminated the Trojan with the help of Panda and Microsoft
    >> >> > | AntiSpyware BUT the message remains, my favorites folder is empty and in my
    >> >> > | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
    >> >> > | I ran Hijack This and everything there looked normal so what do I do next?
    >> >> >
    >> >> > There are anti virus News Groups specifically for this type of discussion.
    >> >> >
    >> >> > microsoft.public.scripting.virus.discussion
    >> >> > microsoft.public.security.virus
    >> >> > alt.comp.virus
    >> >> > alt.comp.anti-virus
    >> >> >
    >> >> > I am curious as to what generated that error message. MS AS ? Panda ?
    >> >> >
    >> >> > Trojan-Spy.HTML.Smitfraud.c
    >> >> >
    >> >> > http://www.viruslist.com/en/viruses/encyclopedia?virusid=73615
    >> >> >
    >> >> >
    >> >> > Dump the contents of the IE Temporary Internet Folder cache (TIF)
    >> >> > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
    >> >> >
    >> >> > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    >> >> > Tools --> Options --> Privacy --> Cache --> Clear
    >> >> >
    >> >> > 1) Download the TrendMicro Sysclean Front End
    >> >> >
    >> >> > Download the utility SYSCLEAN_FE at the following URL --
    >> >> > http://www.ik-cs.com/got-a-virus.htm
    >> >> > SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
    >> >> > Direct URL --
    >> >> > http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
    >> >> >
    >> >> >
    >> >> > 2) Download and install Ad-aware SE
    >> >> > (free personal version v1.05)
    >> >> > http://www.lavasoftusa.com/
    >> >> > Update Ad-aware with the latest definitions and then exit the software.
    >> >> >
    >> >> > 3) Execute; SYSCLEAN_FE.EXE
    >> >> > Choose; Unzip
    >> >> > Choose; Close
    >> >> >
    >> >> >
    >> >> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
    >> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    >> >> > when you get to the menu choose [1] so you can boot into Safe Mode.
    >> >> >
    >> >> > 4) Disable System Restore
    >> >> > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    >> >> >
    >> >> > 5) Reboot your PC into Safe Mode and shutdown as many applications as possible.
    >> >> >
    >> >> > 6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
    >> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    >> >> > Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
    >> >> > when done, execute Ad-aware SE and perform a full scan of your PC and delete
    >> >> > all objects found.
    >> >> >
    >> >> > 7) Restart your PC and perform a "final" Full Scan of your platform
    >> >> > Execute; c:\sysclean\SYSCLEAN_FE.BAT
    >> >> > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    >> >> > Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
    >> >> > when done, execute Ad-aware SE and perform a final scan of your PC and delete
    >> >> > all objects found.
    >> >> >
    >> >> >
    >> >> > 8) Re-enable System Restore and re-apply any System Restore preferences,
    >> >> > (e.g. HD space to use suggested 400 ~ 600MB),
    >> >> >
    >> >> > 9) Reboot your PC.
    >> >> >
    >> >> > 10) Create a new Restore point
    >> >> >
    >> >> >
    >> >> > * * * Please report back your results * * *
    >> >> >
    >> >> >
    >> >> > --
    >> >> > Dave
    >> >> > http://www.claymania.com/removal-trojan-adware.html
    >> >> > http://www.ik-cs.com/got-a-virus.htm
    >> >> >
    >> >> >
    >> >>
    >>
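
The registry check discussed in this thread, as an added PowerShell example that is not part of the original posts: it reads the three display-tab policy values named in the thread from both HKCU and HKLM, treats a missing key or value as normal, and only changes a value from nonzero to 0 (never deletes) when run with `-Fix`. The `-Fix` switch, the `New-Finding` helper and the output wording are this example's own assumptions.

```powershell
# Added example (not from the thread). Requires PowerShell 2.0 or later.
# -Fix is this script's own switch; writing under HKLM needs an elevated session.
param([switch]$Fix)

$base = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ SubKey = "$base\System";   Names = @('NoDispBackgroundPage', 'NoDispAppearancePage') },
    @{ SubKey = "$base\Explorer"; Names = @('NoThemesTab') }
)

# Hypothetical helper: one row per key/value inspected.
function New-Finding($Path, $Name, $State) {
    New-Object PSObject -Property @{ Path = $Path; Name = $Name; State = $State }
}

$findings = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($check in $checks) {
        $path = "$hive\$($check.SubKey)"
        if (-not (Test-Path -Path $path)) {
            # The key may legitimately not exist (as noted for Policies\Explorer).
            New-Finding $path '(key)' 'key absent'
            continue
        }
        foreach ($name in $check.Names) {
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                New-Finding $path $name 'value absent'
            } elseif ($item.$name -eq 0) {
                New-Finding $path $name 'present, 0'
            } elseif ($Fix) {
                # Change the value to 0 rather than deleting anything.
                Set-ItemProperty -Path $path -Name $name -Value 0
                New-Finding $path $name "was $($item.$name), reset to 0"
            } else {
                New-Finding $path $name "present, $($item.$name) (restriction active)"
            }
        }
    }
}

$findings | Format-Table Path, Name, State -AutoSize
```

Run it once without `-Fix` to see which hive carries the restriction before changing anything.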