big problem, I think, please help

Question

geoss 0 Junior Poster in Training

19 Years Ago

While on some health site, a bunch of warnings kept poping in, and I had Nod32 and counterspy installed....i thought everything would be o.k.
Anyway, here is the problem.......
My opening page has all the icons except the screen is blue and in the middle there is a Security Warning which says:
A fatal error in IE has occured at 0028:c0011E36 in VXD VNM (01) + 00010E36 error was caused by Trojan-Spy.HTML.Smitfraud.c
system cannot function in normal mode......check security settings
scan with antivirus/spyware remover to fix problem

I ran ActiveScan from Panda and ran Counterspy in Full mode, and restarted computer, but the blue screen still comes up.
Can someone please guide me to the correct fix........
Thanks
George

windows-virus

3 Contributors
5 Replies
169 Views
9 Hours Discussion Span
Latest Post 19 Years Ago Latest Post by JANINE

JANINE 33 Practically a Posting Shark

19 Years Ago

While on some health site, a bunch of warnings kept poping in, and I had Nod32 and counterspy installed....i thought everything would be o.k.
Anyway, here is the problem.......
My opening page has all the icons except the screen is blue and in the middle there is a Security Warning which says:
A fatal error in IE has occured at 0028:c0011E36 in VXD VNM (01) + 00010E36 error was caused by Trojan-Spy.HTML.Smitfraud.c
system cannot function in normal mode......check security settings
scan with antivirus/spyware remover to fix problem
I ran ActiveScan from Panda and ran Counterspy in Full mode, and restarted computer, but the blue screen still comes up.
Can someone please guide me to the correct fix........
Thanks
George

judging by what you have written it seems that you have at somepoint picked up this trojan horse virus while looking at web pages. trojans and other viruses do damage to your pc in some way and this one it seems is a spyware trojan. basically what it does is it is allowing the author of the trojan program to gain access to your PC by freezing your desktop.
my reccomendation for you is to get hold of a good antivirus program and spyware program pronto and install them then run to kill this virus.
try these sites
www.symantec.co.uk norton antivirus 2005
www.mcafee.com mcafee antivirus
www.lavasoft.com Adaware or adaware se:)

JANINE 33 Practically a Posting Shark

19 Years Ago

im sorry to have to say this but panda isnt really much good in this instance. i had it installed before norton and i got every virus going.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

geoss 0 Junior Poster in Training · Answer 1 · 2005-05-01T21:42:38+00:00

I'm sorry I forgot to include HiJack This scan;

Logfile of HijackThis v1.99.1
Scan saved at 11:40:47 AM, on 01/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\mgabg.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe

George

dlh6213 27 Posting Maven Team Colleague · Answer 2 · 2005-05-02T00:27:27+00:00

First of all, you should go to Windows Update and get SP1a for XP.

That error message is related to Joke.Smitfraudoid, which is related to HotOffers, NEWGENLOOK, and Error Message 317, so I would recommend doing the following:

Boot into Safe Mode and do a search for these files:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete them, reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

If any of those files could not be deleted (most likely param32.dll):

Turn off System Restore

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed.

Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter the file path.

C:\WINDOWS\System32\param32.dll

Reboot afterwards if the file was successfully deleted.

If the file was not deleted, do not reboot yet. Run Pocket Killbox again, and again paste the full file path in the box, but this time click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot.

Update Nod32 and do a full system scan.

Post a new hijackthis log and let us know if you still have the problem.

JANINE 33 Practically a Posting Shark · Answer 3 · 2005-05-02T00:38:06+00:00

First of all, you should go to Windows Update and get SP1a for XP.
That error message is related to Joke.Smitfraudoid, which is related to HotOffers, NEWGENLOOK, and Error Message 317, so I would recommend doing the following:
Boot into Safe Mode and do a search for these files:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
Delete them, reboot normally and delete any unwanted icons from your desktop.
Empty your Recycle Bin.
If any of those files could not be deleted (most likely param32.dll):
Turn off System Restore
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed.
Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter the file path.
C:\WINDOWS\System32\param32.dll
Reboot afterwards if the file was successfully deleted.
If the file was not deleted, do not reboot yet. Run Pocket Killbox again, and again paste the full file path in the box, but this time click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot.
Update Nod32 and do a full system scan.
Post a new hijackthis log and let us know if you still have the problem.

i didnt think of that. thanku 4 reminding me.:D