Re: Trojan

From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 05/17/05


Date: Tue, 17 May 2005 00:46:14 -0400

You're welcome :-)

-- 
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
 
"Teri" <Teri@discussions.microsoft.com> wrote in message news:D1620EB4-A93E-4740-AE27-6C1476A6B8BC@microsoft.com...
> Sorry about that, I think I got in too big of a hurry to cure the problem.  I 
> did go back and follow your instructions to the letter and it worked.  Thank 
> you
> 
> "Doug Knox MS-MVP" wrote:
> 
>> That's why I didn't recommend deleting anything, I said change them from 1 to 0, if they existed.
>> 
>> The values you mention in HKLM are not in the key I originally said to check.  They are in:
>> 
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
>> 
>> Not
>> 
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
>> 
>> The Policies\Explorer key may not exist on your system.  It's just a good idea to check because some values are machine wide settings if they're in HKLM, and per user if they're in HKCU.
>> 
>> "Teri" <Teri@discussions.microsoft.com> wrote in message news:ED489893-D909-4FA4-9ACF-F92D7F970EB1@microsoft.com...
>> > It is an active desktop item and at the same time it came up my screen went 
>> > to a blue background and 20 new advertising icons appeared on my desktop.  
>> > Now I do not have an option of restoring my active desktop although I'm not 
>> > sure I ever did in XP. 
>> > I went to regedit and in HKCU it had (nodisplayappearancepage, 
>> > nodisplaybackgroundpage, and wallpaperstyle).  There was one other one which 
>> > I deleted immediately (I should have written it down) but I remembered seeing 
>> > it on every site I had been to about this trojan something about wp.bmp.  
>> > On HKLM it showed (dontdisplaylastusername, legalnoticecaption, 
>> > legalnoticetext, shutdownwithoutlogon, undockwithlogon).  I think I need a 
>> > little guidance on this before I start deleting everything
>> > 
>> > "Doug Knox MS-MVP" wrote:
>> > 
>> >> I think it's an Active Desktop item.
>> >> 
>> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:u1WwfdnWFHA.2060@tk2msftngp13.phx.gbl...
>> >> > From: "Teri" <Teri@discussions.microsoft.com>
>> >> > 
>> >> > | I have this message right in the center of my screen that says "A fatal error
>> >> > | in IE has occured at 0028:C0011E36 in VXD  VMM<01> + 00010F36.  Error is
>> >> > | caused by  Trojan-Spy.HTML.Smitfraud.c
>> >> > | * System cannot function in normal mode....."
>> >> > | I think I have eliminated the Trojan with the help of Panda and Microsoft
>> >> > | AntiSpyware BUT the message remains, my favorites folder is empty and in my
>> >> > | control panel/DISPLAY I have only 2 tabs which is screen saver and settings.
>> >> > | I ran Hijack This and everything there looked normal so what do I do next?
>> >> > 
>> >> > There are anti virus News Groups specifically for this type of discussion.
>> >> > 
>> >> >    microsoft.public.scripting.virus.discussion
>> >> >    microsoft.public.security.virus
>> >> >    alt.comp.virus
>> >> >    alt.comp.anti-virus
>> >> > 
>> >> > I am curious as to what generated that error message.  MS AS ?  Panda ?
>> >> > 
>> >> > Trojan-Spy.HTML.Smitfraud.c
>> >> > 
>> >> > http://www.viruslist.com/en/viruses/encyclopedia?virusid=73615
>> >> > 
>> >> > 
>> >> > Dump the contents of the IE Temporary Internet Folder cache (TIF)
>> >> > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>> >> > 
>> >> > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>> >> > Tools --> Options --> Privacy --> Cache --> Clear
>> >> > 
>> >> > 1)    Download the TrendMicro Sysclean Front End
>> >> > 
>> >> > Download the utility SYSCLEAN_FE at the following URL --
>> >> > http://www.ik-cs.com/got-a-virus.htm
>> >> > SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
>> >> > Direct URL --
>> >> > http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
>> >> > 
>> >> > 
>> >> > 2)      Download and install Ad-aware SE
>> >> >        (free personal version v1.05)
>> >> >        http://www.lavasoftusa.com/
>> >> >        Update Ad-aware with the latest definitions and then exit the software.
>> >> > 
>> >> > 3)      Execute;  SYSCLEAN_FE.EXE
>> >> >        Choose;   Unzip
>> >> >        Choose;   Close
>> >> > 
>> >> > 
>> >> >        Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> >> >        { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> >> >        when you get to the menu choose [1] so you can boot into Safe Mode.
>> >> > 
>> >> > 4)     Disable System Restore
>> >> >        http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
>> >> > 
>> >> > 5)     Reboot your PC into Safe Mode and shutdown as many applications as possible.
>> >> > 
>> >> > 6)     Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> >> >        { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> >> >       Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
>> >> >       when done, execute Ad-aware SE and perform a full scan of your PC and delete
>> >> >       all objects found.
>> >> > 
>> >> > 7)     Restart your PC and perform a "final" Full Scan of your platform
>> >> >       Execute; c:\sysclean\SYSCLEAN_FE.BAT
>> >> >       { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
>> >> >       Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
>> >> >       when done, execute Ad-aware SE and perform a final scan of your PC and delete
>> >> >       all objects found.
>> >> > 
>> >> > 
>> >> > 8)     Re-enable System Restore and re-apply any System Restore preferences,
>> >> >        (e.g. HD space to use suggested 400 ~ 600MB),
>> >> > 
>> >> > 9)     Reboot your PC.
>> >> > 
>> >> > 10)    Create a new Restore point
>> >> > 
>> >> > 
>> >> > * * *    Please report back your results  * * *
>> >> > 
>> >> > 
>> >> > -- 
>> >> > Dave
>> >> > http://www.claymania.com/removal-trojan-adware.html
>> >> > http://www.ik-cs.com/got-a-virus.htm
>> >> > 
>> >> >
>> >>
>>
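
Added example, not part of any message in this thread: a read-only audit of a regedit export that reports restriction values left at 1 under Policies\System and Policies\Explorer and labels each as machine-wide (HKLM) or per-user (HKCU), matching the "change them from 1 to 0" advice above. The watch list of value names and the sample export are assumptions chosen for illustration; ordinary logon values such as shutdownwithoutlogon are deliberately not flagged.

```python
import re

# Constructed sample in regedit export format (not taken from the thread).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000001
"""

BASE = "software\\microsoft\\windows\\currentversion\\policies\\"
# Assumed watch list: restriction values that hide Display tabs or lock Active Desktop.
WATCH = {
    BASE + "system": {"nodispcpl", "nodispappearancepage", "nodispbackgroundpage",
                      "nodispscrsavpage", "nodispsettingspage"},
    BASE + "explorer": {"noactivedesktop", "noactivedesktopchanges"},
}
SCOPE = {"hkey_local_machine": "machine-wide", "hkey_current_user": "per-user"}
VALUE_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})')

def audit_reg_export(text):
    """Return (scope, key, value) for each watched restriction set to non-zero.

    `text` is the decoded export; files written by regedit are UTF-16.
    """
    findings, key, scope, watched = [], None, None, set()
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive, _, sub = key.partition("\\")
            scope = SCOPE.get(hive.lower())
            watched = WATCH.get(sub.lower(), set()) if scope else set()
            continue
        m = VALUE_RE.fullmatch(line)
        if m and m.group(1).lower() in watched and int(m.group(2), 16):
            findings.append((scope, key, m.group(1)))
    return findings

if __name__ == "__main__":
    for scope, key, name in audit_reg_export(SAMPLE):
        print(f"{scope}: {key}\\{name} = 1 (set to 0 to lift the restriction)")
```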

