
"smitfraud": A Fatal Error in IE has occurred at 0028:C0011E36 in VXD VMM(01)...

Discussion in 'Virus & Other Malware Removal' started by pinhi200, Jun 15, 2005.

Thread Status:
Not open for further replies.
  1. pinhi200

    pinhi200 Thread Starter

    Joined:
    Jun 15, 2005
    Messages:
    1
    Hi all, I picked up this site while searching for info that pertained to this thread, seems like dvk knows his stuff!!

    I have the same message on my desktop but the files are different than chm had... this is what I got, can ya help dvk please?

    I read your instructions to the point where ya gotta put the PC in safe mode and check off the boxes... what do I check off?
    thanks,
    pinhi200

    Logfile of HijackThis v1.99.1
    Scan saved at 6:39:00 PM, on 6/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\WINDOWS\system32\msg32.exe
    C:\Program Files\Daily Weather Forecast\weather.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\WINDOWS\system32\msg32.exe
    C:\Program Files\Daily Weather Forecast\weather.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\scrnsave.scr
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [EW Message Server] msg32.exe
    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
    O4 - HKLM\..\Run: [C2aQS2OX] C:\WINDOWS\nvoch.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
    O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1041_EN_XP.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109224734281
    O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,220
    First Name:
    Derek
    Download AdAware SE from http://www.lavasoft.de/support/download and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post.

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Download SmitFraud Reg (<=click on this link) to your desktop.

    Locate smitfraud.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

    Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid
    PSGuard

    Exit Add/Remove Programs.


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Run HijackThis, put a tick in the box beside the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press Fix checked.

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKLM\..\Run: [C2aQS2OX] C:\WINDOWS\nvoch.exe

    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

    O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binari...net32_EN_XP.cab
    O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downloadv3.com/binari..._1041_EN_XP.cab



    Now start Killbox and paste the first file listed below into the full pathname and file to delete box.

    The file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select standard file delete, press the red X button, say yes to the prompt and, once the file deleted message comes up, repeat for each file in turn.

    NOTE: some of these might not exist so don't panic if a not found message comes up with killbox

    C:\windows\system32\intmon.exe
    C:\windows\system32\intmonp.exe
    C:\windows\system32\msole32.exe
    C:\windows\system32\ole32vbs.exe
    C:\windows\System32\winnook.exe
    C:\windows\System32\helper.exe
    C:\windows\System32\msmsgs.exe
    C:\windows\System32\shnlog.exe
    C:\windows\popuper.exe
    C:\windows\system32\hhk.dll
    C:\windows\System32\wldr.dll
    C:\windows\SYSTEM32\ntfs32.dll
    C:\WINDOWS\System32\LogFiles
    C:\WINDOWS\desktop.html
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\SYSTEM32\oleadm.dll
    C:\WINDOWS\SYSTEM32\oleadm32.dll
    C:\WINDOWS\nvoch.exe



    Then on the Killbox top bar press Tools / Delete Temp Files, follow those prompts and say yes to everything.

    Then, as some of the folders you need to delete may be hidden, do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Navigate in Windows Explorer to the following and delete them, if found (please do NOT try to find them by "search" because they will not show up that way):

    C:\Program Files\Search Maid <=this folder
    C:\Program Files\Virtual Maid <=this folder
    C:\windows\System32\Log Files <=this folder
    C:\Program Files\Security IGuard <=this folder
    C:\Program Files\PSGuard <=this folder

    Then go to C:\windows\temp, select EVERYTHING and delete it all, then do the same for C:\temp if it exists.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    The current ref file should read at least SE1R50 13.06.2005 or a higher number/later date.

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop-down menu.) Then press Next and say yes to the prompt "do you want to remove all these entries".


    Reboot & download the Hoster from here. Unzip the file and run Hoster, then press "Restore Original Hosts" and press "OK". Exit the program.

    Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on the desktop.
    Right-click the file and select Install; that will reset the trusted zone domains that have been wrongly placed there.



    Run an online antivirus check from at least one and preferably 2 of the following sites

    http://www.kaspersky.com/beta?product=161744315 (with this one, as it's a beta product, they ask for a name & email; just put in any email and any name and company, it isn't checked, and they have just used the standard beta page as a doorway to it)
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.bitdefender.com/scan/licence.php
    http://www.commandondemand.com/eval/index.cfm
    http://www.freedom.net/viruscenter/onlineviruscheck.html
    http://info.ahnlab.com/english/
    http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

    Reboot again and post a fresh HJT log please.
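The moderator's "fix checked" list above is the product of a triage pass over the poster's HijackThis log: an O2 BHO whose DLL is gone, an O4 Run value with a random-looking name pointing at an executable dropped straight into C:\WINDOWS, the PSGuard rogue's own Run value, and two O16 ActiveX downloads from a non-Microsoft host. The script below encodes those same rules and runs them over the relevant lines of the thread's log. It is an added example, not code from the forum or from HijackThis; the rogue-name list is taken from the post, while the "random name" heuristic and the trusted-host suffix list (microsoft.com, windowsupdate.com) are assumptions of the example. The sample log is constructed from the thread's O2/O4/O16 lines, with a made-up Windows Update URL standing in for the truncated one in the original.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the O2/O4/O16 lines from the HijackThis log posted
# in this thread (the Windows Update URL is a stand-in for the truncated one).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [C2aQS2OX] C:\WINDOWS\nvoch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1041_EN_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/wuweb_site.cab
"""

# Rogue program names the moderator told the poster to uninstall (from the thread).
ROGUE_NAMES = {"psguard", "security iguard", "virtual maid", "search maid"}
# Assumption: hosts this XP box legitimately pulls ActiveX (O16 DPF) controls from.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "windowsupdate.com")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-F-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,}$")
# An .exe sitting directly in the Windows directory rather than a subfolder.
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def looks_random(name):
    """Heuristic (assumption): one alphanumeric token, mixed case, 2+ digits, e.g. C2aQS2OX."""
    return (RANDOM_NAME_RE.match(name) is not None
            and sum(c.isdigit() for c in name) >= 2
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def triage(log_text):
    """Return (severity, reason, line) tuples; 'fix' = tick it in HijackThis, 'review' = look closer."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(("fix", "BHO registered but its DLL is gone (orphaned CLSID)", line))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"].strip().strip('"')
            if name.lower() in ROGUE_NAMES or looks_random(name):
                findings.append(("fix", f"Run value '{name}': known rogue or random-looking name", line))
            elif WINROOT_RE.match(cmd):
                findings.append(("review", "executable sits directly in the Windows directory", line))
            elif "\\" not in cmd:
                findings.append(("review", "unqualified filename, resolved by the loader's search path", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = (urlparse(m["url"]).hostname or "").lower()
            if not host.endswith(TRUSTED_DPF_SUFFIXES):
                findings.append(("fix", f"ActiveX control downloaded from untrusted host {host}", line))
    return findings


def fix_list(log_text):
    """The lines to tick in HijackThis: every finding at severity 'fix'."""
    return [line for sev, _, line in triage(log_text) if sev == "fix"]


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

On the sample log the "fix" set is exactly the five entries the moderator listed; the two "review" hits (SiSUSBrg.exe in the Windows root, and the bare `msg32.exe`) show why the path heuristics are kept at a lower severity: both are real vendor entries here, and a reviewer rather than a rule decides whether they go.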
     
Short URL to this thread: https://techguy.org/372101