
Trojan-Spy.html.smitfraud.c

Discussion in 'Malware and Virus Removal Archive' started by sanja, 2005/05/15.

Thread Status:
Not open for further replies.
  1. 2005/05/15
    sanja

    sanja Inactive Thread Starter

    Joined:
    2005/05/15
    Messages:
    3
    Likes Received:
    0
    same problem HELP

    I can say that I have the same problem. My IE doesn't work. My homepage has been deleted. And I have some kind of pop-up that keeps popping up every 5 min, oh yeah, and my desktop is blue with some white message that says:

    "A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

    - System can not function in normal mode.
    Please check you security settings.
    - Scan your PC with any available antivirus / spyware remover program to fix problem."

    Here is my log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:35:32, on 15.5.2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AVPersonal\AVSched32.EXE
    C:\PROGRA~1\LeapFrogMessenger\LeapFrogMessenger.exe
    C:\windows\system32\ildmdt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\windows\system32\calc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Tina\LOCALS~1\Temp\Rar$EX01.817\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\System32\Renovate.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ winsystem.sys] C:\WINDOWS\msagent\win32\smss.exe
    O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
    O4 - HKLM\..\Run: [Bonus Ringer] C:\Documents and Settings\Tina\Local Settings\Temporary Internet Files\Content.IE5\KFST6XAX\BonusRinger[1].exe
    O4 - HKLM\..\Run: [LFM] C:\PROGRA~1\LeapFrogMessenger\LeapFrogMessenger.exe
    O4 - HKLM\..\Run: [kdypwz] c:\windows\system32\wrbcdyw.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKLM\..\Run: [ildmdt] c:\windows\system32\ildmdt.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [_winsystem.sys] C:\WINDOWS\msagent\win32\smss.exe
    O4 - HKCU\..\Run: [CasinoDownloader] C:\casinodownloader.exe
    O4 - HKCU\..\Run: [Bonus Ringer] C:\Documents and Settings\Tina\Local Settings\Temporary Internet Files\Content.IE5\KFST6XAX\BonusRinger[1].exe
    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
    O4 - HKCU\..\Run: [Fortune Lounge Personal Messenger] "C:\Program Files\Fortune Lounge Personal Messenger\Fortune Lounge Personal Messenger.exe" -r
    O4 - Startup: AusVegas Games Update.lnk = C:\Program Files\Ausvegas\WiseUpdt.exe
    O4 - Startup: DLHelperEXE.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Version3.0/InstallHelper.cab
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {11111111-1111-1111-1111-111111111111} -
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...71b0834b3328:522a1c137ec85ca995271ab95b94951b
    O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v46/skillgam/skillgam.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://prizeamerica.aavalue.com/PrizeMachine/PA_live.cab
    O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v49/bjattack/bjattack.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v40/freecell/freecell.cab
    O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyclick.com/Download_Helper/fsloader_v3.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v55/cubis/cubis.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v44/sol/sol.cab
    O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinner.com/games/v49/haunted/haunted.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v61/swapit/swapit.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://showdown.microgaming.com/showdown/FlashAX.cab
    O16 - DPF: {EAADA0C1-8C81-4038-B48E-62C54546CB18} (CDCertX Control) - http://www.carribeangold.com/games/iFlashEH.CAB
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    I've been having this problem for about a week. :eek: And I can say that I'm going nuts, I can't stand it any more. PLEASE HELP!! :confused:
     
  2. 2005/05/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS sanja :)

    I split your post off into a thread of its own. Please post future responses here.

    You've got several very nasty infections going there. It's going to take me a while to get a write-up done for you, and I have some other business I need to take care of. Check back this evening and I'll get something posted to help get your problems resolved. Hang in there! ;)
     

  4. 2005/05/15
    sanja

    sanja Inactive Thread Starter

    OK. I'll be waiting.
    I'm up all night. :D
     
  5. 2005/05/16
    noahdfear

    noahdfear Inactive

    Sorry for the delay. Lots of irons in the fire. :rolleyes:

    You should print this out and/or save it to text where you can access it in safe mode.

    You have HijackThis in a temporary folder, and still in a zipped file. Please create a new folder, such as C:\HJT, then either extract HijackThis.exe to it or download HijackThis.exe from here and save it to that folder.

    Copy the contents of the quote box below to a blank notepad. Close it, saving to your desktop as

    File name: delfiles.bat
    Save As Type: All Files

    Please download smitfraud.zip, saving it to your desktop. If it saves as attachment.php, right click and rename to smitfraud.zip, then right click and extract the smitfraud folder.

    Open the control panel>Add/Remove programs and uninstall if present.
    Security IGuard
    Virtual Maid
    Search Maid
    LeapFrogMessenger
    Fortune Lounge Personal Messenger
    Ausvegas


    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Double click the delfiles.bat to run it.


    Open the smitfraud folder and double click the RunThis.bat file to start the tool. Follow the prompts. This will delete some of the known smitfraud associated files and repair the registry changes it makes. When the tool completes, scan again with HijackThis and place a check next to the following entries if present.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home <<< OK if this is your own page, otherwise fix.
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
    O4 - HKLM\..\Run: [ winsystem.sys] C:\WINDOWS\msagent\win32\smss.exe
    O4 - HKLM\..\Run: [Bonus Ringer] C:\Documents and Settings\Tina\Local Settings\Temporary Internet Files\Content.IE5\KFST6XAX\BonusRinger[1].exe
    O4 - HKLM\..\Run: [kdypwz] c:\windows\system32\wrbcdyw.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKLM\..\Run: [ildmdt] c:\windows\system32\ildmdt.exe
    O4 - HKCU\..\Run: [_winsystem.sys] C:\WINDOWS\msagent\win32\smss.exe
    O4 - HKCU\..\Run: [CasinoDownloader] C:\casinodownloader.exe
    O4 - HKCU\..\Run: [Bonus Ringer] C:\Documents and Settings\Tina\Local Settings\Temporary Internet Files\Content.IE5\KFST6XAX\BonusRinger[1].exe
    O4 - HKLM\..\Run: [LFM] C:\PROGRA~1\LeapFrogMessenger\LeapFrogMessenger.exe
    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
    O4 - HKCU\..\Run: [Fortune Lounge Personal Messenger] "C:\Program Files\Fortune Lounge Personal Messenger\Fortune Lounge Personal Messenger.exe" -r
    O4 - Startup: AusVegas Games Update.lnk = C:\Program Files\Ausvegas\WiseUpdt.exe
    O4 - Startup: DLHelperEXE.exe
    O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice...stallHelper.cab
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {11111111-1111-1111-1111-111111111111} -
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...71ab95b94951b
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://prizeamerica.aavalue.com/Pri...ine/PA_live.cab
    O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyclick.com/Downlo...fsloader_v3.cab
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Now click the config button, then misc tools. Click the Delete an NT Service button, then type or paste in SvcProc and click OK. Close HijackThis.


    Delete the Ausvegas, Fortune Lounge Personal Messenger, LeapFrogMessenger, Security IGuard, Virtual Maid and Search Maid folders in C:\Program Files if present.

    Open C:\WINDOWS and delete the folder msagent

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows. Your desktop should be reset to the MS default blue background by the smitfraud tool, and can be changed to whatever you like.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log. Report any problems and/or successes.
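    The write-up above amounts to three steps: read the HijackThis log, decide which entries are the infection (cache-resident autostarts, a smss.exe outside System32, random-named executables, a BHO whose DLL is gone, an ActiveX control with a placeholder CLSID, a service with no vendor running from C:\WINDOWS), and script their removal for Safe Mode. The following is an added example, not code from this thread or from HijackThis, that reconstructs that judgement as a few rules and generates the cleanup commands a delfiles.bat would carry. The rules, the reg.exe/sc.exe command layout and the triage output format are my assumptions; the registry locations behind HijackThis's abbreviated "HKLM\..\Run", O2 and O16 sections are the standard Windows keys, and the log lines are an excerpt copied from the first post. It is deliberately narrower than the helper's list: vendor-bundled adware such as the casino messengers passes every rule here and still needs a human decision.

```python
"""Triage a HijackThis 1.99 log the way the helper in this thread did and emit the
Safe Mode cleanup commands (reg.exe, sc.exe, del) for a delfiles.bat.
Added example, not a WindowsBBS or HijackThis tool: the rules are an assumption
reconstructed from the entries the helper told the poster to fix."""
import re

# Constructed excerpt of the log in the first post, lines verbatim.
SAMPLE_LOG = r"""
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ winsystem.sys] C:\WINDOWS\msagent\win32\smss.exe
O4 - HKLM\..\Run: [Bonus Ringer] C:\Documents and Settings\Tina\Local Settings\Temporary Internet Files\Content.IE5\KFST6XAX\BonusRinger[1].exe
O4 - HKLM\..\Run: [kdypwz] c:\windows\system32\wrbcdyw.exe
O4 - HKCU\..\Run: [CasinoDownloader] C:\casinodownloader.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
# Real registry locations behind HijackThis's abbreviated section names.
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def placeholder_clsid(clsid):  # {00000000-...}, {11111111-...}: no GUID generator makes these
    return len(set(clsid.strip("{}").split("-")[0])) == 1


def looks_random(name):  # lowercase letters, 5+ long, almost no vowels: kdypwz, wrbcdyw, ildmdt
    n = name.strip().lower()
    return n.isalpha() and len(n) >= 5 and sum(c in "aeiou" for c in n) / len(n) < 0.25


def check_run(hive, name, command):
    # Executable path out of the Run value, quoted or not, arguments dropped.
    m = re.match(r'"?(.*?\.(?:exe|com|scr|bat|pif))"?(?:\s|$)', command, re.I)
    path = m.group(1) if m else command.strip()
    low = path.lower()
    folder, _, base = low.rpartition("\\")
    tests = [
        ("temporary internet files" in low or "content.ie5" in low, "autostart from the browser cache"),
        (base in SYSTEM_NAMES and not folder.endswith("\\system32"), "core system process name outside System32"),
        (re.fullmatch(r"[a-z]:\\[^\\]+", low) is not None, "executable dropped in the drive root"),
        (looks_random(name) and looks_random(base.rsplit(".", 1)[0]), "random-looking value and file name"),
    ]
    reasons = [why for hit, why in tests if hit]
    if not reasons:
        return None
    # Value name quoted verbatim: "[ winsystem.sys]" really does have a leading space.
    return "; ".join(reasons), [f'reg delete "{hive}{RUN_KEY}" /v "{name}" /f', f'del /f /q "{path}"']


def check_bho(name, clsid, target):
    missing = target.endswith("(file missing)")
    path = target.replace("(file missing)", "").strip()
    reasons = (["BHO registered for a file that no longer exists"] if missing else []) + (
        ["placeholder CLSID"] if placeholder_clsid(clsid) else [])
    if not reasons:
        return None
    commands = [f'reg delete "{BHO_KEY}\\{clsid}" /f']
    if not missing:  # also unregister and remove the DLL itself
        commands = [f'regsvr32 /u /s "{path}"'] + commands + [f'del /f /q "{path}"']
    return "; ".join(reasons), commands


def check_dpf(clsid, name, url):
    reasons = ([] if name and url else ["downloaded ActiveX control with no name or source URL"]) + (
        ["placeholder CLSID"] if placeholder_clsid(clsid) else [])
    return ("; ".join(reasons), [f'reg delete "{DPF_KEY}\\{clsid}" /f']) if reasons else None


def check_service(display, short, owner, path):
    # HijackThis prints "Unknown owner" when the binary carries no company name.
    if owner != "Unknown owner" or "\\program files\\" in path.lower():
        return None
    svc = short or display
    return "service with no vendor info outside Program Files", [
        f'sc stop "{svc}"', f'sc delete "{svc}"', f'del /f /q "{path}"']


RULES = [
    (re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$"), check_run),
    (re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$"), check_bho),
    (re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - ?(.*)$"), check_dpf),
    (re.compile(r"^O23 - Service: (.*?)(?: \(([^()]*)\))? - (.*?) - (.*)$"), check_service),
]


def triage(log_text):
    # Returns (log line, reason, cleanup commands) for every entry the rules flag.
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        for pattern, check in RULES:
            m = pattern.match(line)
            if m and (hit := check(*m.groups())):
                findings.append((line, *hit))
    return findings


def render_batch(findings):
    # The delfiles.bat to run from Safe Mode, each command preceded by its evidence.
    out = ["@echo off"]
    for line, reason, commands in findings:
        out += [f"rem {reason}", f"rem {line}"] + commands
    return "\n".join(out) + "\n"
```

    `render_batch(triage(SAMPLE_LOG))` flags the eight entries a human would and leaves QuickTime, AntiVir and the BitDefender scanner alone. Two details matter in practice: the Run value name is quoted exactly as HijackThis shows it, because the real value behind "[ winsystem.sys]" carries the leading space and a trimmed name would silently delete nothing; and for the service the script stops and deletes it before removing the binary, the same order as the Delete an NT Service step above, since a running service keeps its image file locked.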
     
  6. 2005/05/16
    sanja

    sanja Inactive Thread Starter

    As you can see I am a beginner. So I have a question. What is the 'advanced button'? :)
     
  7. 2005/05/16
    noahdfear

    noahdfear Inactive

    My bad... just noticed I told you the General tab. It's the BOOT.INI tab and check the /safeboot box.
     