OT: computer viruses

Sint Nikolaas

Diabloii.Net Member

So I need some help and I know a lot of you will know more about computers than I do.. Why post here? Well, I'm surfing here anyway and I figured at least at this place a lot of people will read it.

So, I'm sitting behind my sister's pc (my pc is about half a meter away but I don't have internet :rolleyes: ) until suddenly I'm swarmed by pop-ups. And more annoyingly, one won't go away. I can alt-f4 it all I want, I just hear *bling* and it doesn't leave. Suddenly my desktop background disappears and turns into a darkish blue screen saying this:

Security warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
  • System cannot function in normal mode. Please check your security settings.
  • Scan your PC with any available antivirus / spyware remover program to fix the problem.

Suddenly I appear to have an anti-spyware software program called SE (something like spyware-exit or whatever..) and it starts running on its own. Also, I appear to have a new homepage (start page) called http://www.vip-se.com/?said=382 (might be a virus page, please be careful).
I immediately press it away and look through my pc for what the program is. Unfortunately I didn't realise it might be handy to keep it around to give specifics.. but I found a folder, looked through it and found an uninstall.exe, used it and then deleted the entire program and the folder it was sitting in. I ran Ad-aware which found some file corruptions but nothing major (my sister has a virus on her pc which is annoying but can't be deleted for some reason.. Ad-aware picked up on that but nothing new). I also ran Norton virus checks which found the same virus but nothing new either.

So thinking I nibbed the thing in the butt I restarted my pc..

Great.. the blue background is still here. So I go to my configuration screen and then to monitor to change the background. Impossible.. the entire ''background'' tab isn't there. Just disappeared. So I go right-click on my desktop and hit ''active desktop'' -> modify -> properties -> advanced.
Surprisingly I appear to have SiS 300/305 software running my background. The menu has 11 tabs from ''main'' to ''gammaprojection'' and they all work.. except one... ''properties manager''. If I click that tab: *bling* alt-f4.

I go to my internet properties which all seem normal except for two things.. 1: my internet homepage is different.. well ok I already knew that.
2: I somehow have ''SIXA'' under my connections tab. IIRC there just wasn't a connections tab.. we have an E-TECH PCI56RWM Modem which is running my internet with a Speedtouch 510 modem. So... that SIXA is completely new right?

For some reason I also have a new toolbar at the top of my internet screen.. I can click it away, but the next time I start up internet or open something in a new window it's there again.

Can someone help me out? It's a pretty old machine and sadly I can't just do a format so.. if you're going to advise something like that I'll shoot you. Seriously though.. my virus scanners didn't pick anything up but my pc is messed up. It seems fine but when it comes to some small things like ''background'', ''an extra toolbar'' and stuff like that it's just irritating.
Anyone know anything to do? Thanks in advance.

Oh ps. I also immediately cleared out my entire cookies / saved files and history so.. yeah

EDIT:
found some stuff on SiS in my windows file:
;INF file for SiS 300/305 display driver.
;Copyright 1998, Silicon Integrated Systems Corporation
It seems to be pretty thoroughly into my pc.. so it might belong there hehe.. spread through windows / program files etc.
2nd EDIT: I found a ''desktop.ini'' in a random map..
3rd EDIT: (also @za below) I just can't format the thing, my sister has a lot of stuff on it and I don't know which can go away and which can't. She isn't here now and she doesn't have a CD burner in her pc so .. I can't save everything on 3.5's :rolleyes: besides I doubt if she still has her windows CD and stuff like that so if I format the thing I'll probably shut myself off the internet for about 2 weeks..
 

Zavior

Diabloii.Net Member
I'd just format the whole comp, since there's a virus you can't get rid of :p

You might want to ask your sister if she has downloaded anything.
To me that sounds like spyware. I'd blame Internet Explorer.(and durf)

First, the ONE AND ONLY reason to use IE is to download windows patches.
Never use it after that.

Why can't you format?
 

EnerSense

Diabloii.Net Member
Your computer shows signs of spyware infection. The only thing I can suggest is go to a store and buy an anti-spyware cd. Install it and let it run. I personally use SpySweeper. Not trying to advertise for them here but you're asking for help. You can use your sis's computer to look them up on webroot.com. They offer a free 30-day trial. You can try to download it on yours but the spyware may block you. This SE program is fake and is your spyware or virus problem. It could be something else but the evidence shows it to be the above. Good luck!
 

water_moon

Diabloii.Net Member
desktop.ini is supposed to be there (if you have windows)

Boot into safe mode to do any of this properly.
1st. go into the registry using regedit; find anything that has the name of the offending program or software and delete it. If you're not sure, make a backup of the registry.
2nd go to run, msconfig, check each tab but esp. the startup tab, uncheck anything to do with the offending program. In win.ini & system.ini, be careful, don't do wholesale deletion. In the startup tab, you can uncheck anything you don't recognize, and if it's important, just recheck it later.
3rd Under IE tools, 'net connections, disable or delete the connection to SiS.
then Reboot into normal and rerun Ad-aware and Norton. You may have to repeat this process a few times, but it should take care of the problem.
Also, keep a close eye on your phone bill, the connection could be an autodialer.

as per goltar
 
It sounds like spyware to me. no need to format your HDD, that seems rather drastic unless you have an external HDD with a recent backup on.
Xoftspy is a good anti-spyware, and f-secure can be good for viruses.
EDIT: Found it. here's your problem. been around a month or so, so the big anti-bad-stuff programs should find it.
 

water_moon

Diabloii.Net Member
Also, you might try a new version of Norton, as this is a newer virus.

Goltar also says be very careful in the registry, if you aren't sure, look it up on google.
 

Twoflower

Banned
surf with mozilla firefox, not with IE

then, dl the following programs and let them run :

adaware
spybot search & destroy
antivir (it's called antivir)
xpclean (if you use win xp, of course, a great program to set a lot of things straight)

all 3 are free programs to which I can't link (forum rules, I think... if this ain't true, tell me please and I'll gladly give you links) but can easily be googled and are working great :clap:

if you still have problems after that check all running processes in your task manager, google for them and check if they are supposed to be running :)

then post again :)

hope this helps
 

Noodle

Moderator
I hated Norton, for two reasons:

1) When I upgraded my soundcard, for some reason Norton conflicted with the associated software and called it a known issue. This meant little to me, considering it disabled key functions of Norton, and allowed my pc to become massively infected.

2) Norton could identify a virus on my pc, but failed over and over again to quarantine or delete it. I ended up getting McAfee, and have had nothing but positive results since. (Also using Ad-aware, Spybot, and both Microsoft's and AOL's spyware protection.) Result = clean machine, given daily scans.

- Noodle
 

sunbearie

Diabloii.Net Member
If you can still connect to the internet, use TrendMicro's online scan. Type it on Google and choose I'm Feeling Lucky. IMO, it's one of the better anti-virus scans around since it's updated every day.

The spyware will probably be fixed by any of the spyware programs the others mentioned.
 

Sint Nikolaas

Diabloii.Net Member
Thanks guys, I'm slowly clearing out this pc (about 850 spyware files found on first scan).. I got rid of the blue background thanks to Silo (at some other place harrr) and it's a spyware infestation. Thanks WM (and goltar) and twoflower and bob for the links and getting me to remember the msconfig.. Silo linked me a site about the attack that had occurred, got a lot of info there on how to restore stuff. :) It's going to be fine.. now I still need to come around to hosting hehe. I'm such a computer geek.
 

Chiastic

Diabloii.Net Member
Generic Disclaimer: Playing with your system internals can break stuff. If you decide to do it, don't blame me if something bad happens ;p

Anyway, to give the generic fix for this thing, here's the bad stuff that needs to die (whatever ones are present on your system):

First, hit control panel>add/remove programs and kill:

Security IGuard
Virtual Maid
Search Maid

Then, give the rest of this crap the axe:

FILES:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
c:\bsw.exe

FOLDERS:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

REG KEYS

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (kill the whole "system" folder but ONLY the one in the "policies" folder if it's there)

After you get rid of all that, you're gonna have to redo default start/search/etc. pages through either regedit or control panel>internet properties. Also, you'll probably have to regedit all your menus/control panels /etc. back to default. I'll stick a reg hack at the bottom of this post that should fix most of it.

The actual step-by-step for removing this junk (in such a way that it won't immediately come back) is pretty involved, but if you need me to go through it, I will. Good luck!

Oh, there's a variant that I'm aware of that has additional files at:

%Sysdir%\shnlog.exe
%Sysdir%\intmon.exe
%Sysdir%\msmsgs.exe

(%Sysdir% on a standard Windows install is C:\windows\system32)

Promised Reg Hack (just copy the text to notepad and save it as a .reg file, double-click, and select "merge into registry" or whatever). And for some reason, my copy/paste job adds random doublespaces to the code ("current version," for instance, should be one word). I can't seem to get them to go away, so you'll have to edit them out after you paste to notepad. Sorry about that.

Code:
REGEDIT4
; Undoes the desktop and IE changes made by this infection.
; "name"=- removes a single value; [-Key] removes the whole key.

; Policy values that hide the Background/Appearance tabs and pin the wallpaper
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

; Autostart entries added under the policy Run key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

; COM registrations and the browser helper object used for the toolbar/homepage hijack
[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]

[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\VMHomepage]

[-HKEY_CLASSES_ROOT\VMHomepage.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

; Restore the default IE search and start pages
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000
 
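A read-only check, added here as an example and not posted by anyone in this thread, that looks for the files, folders and policy values Chiastic lists and the autostart location water_moon's msconfig step is after, and simply reports what it finds. It assumes PowerShell is available on the machine and reads the registry only; nothing is deleted.

```powershell
# Added audit script (not from the thread): reports which of the Smitfraud
# indicators named above are present. It changes nothing on the system.
$windir = $env:WINDIR                      # C:\Windows on a standard install
$sysdir = Join-Path $windir 'System32'     # the thread's %Sysdir%

# Files and folders exactly as listed in Chiastic's post
$paths = @(
    'C:\wp.exe', 'C:\wp.bmp', 'C:\bsw.exe',
    (Join-Path $windir 'sites.ini'), (Join-Path $windir 'popuper.exe'),
    (Join-Path $sysdir 'Log Files'),
    'C:\Program Files\Search Maid', 'C:\Program Files\Virtual Maid',
    'C:\Program Files\Security IGuard'
)
foreach ($n in 'helper.exe','intmonp.exe','msmsgs.exe','ole32vbs.exe',
               'msole32.exe','shnlog.exe','intmon.exe') {
    $paths += (Join-Path $sysdir $n)
}

# Policy values whose presence hides the Background/Appearance tabs or pins
# the wallpaper; the .reg hack above deletes each of these with "=-"
$policies = @(
    @{ Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Values = 'NoDispBackgroundPage','NoDispAppearancePage','Wallpaper','WallpaperStyle' },
    @{ Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Values = @('NoActiveDesktopChanges') }
)

$findings = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Present: $p" }
}
foreach ($pol in $policies) {
    if (-not (Test-Path -LiteralPath $pol.Key)) { continue }
    $props = Get-ItemProperty -LiteralPath $pol.Key
    foreach ($v in $pol.Values) {
        if ($null -ne $props.$v) { $findings += "Policy set: $($pol.Key)\$v = $($props.$v)" }
    }
}
# The policy Run key is an autostart location that is easy to overlook
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($n in (Get-Item -LiteralPath $runKey).GetValueNames()) {
        $findings += "Policy autorun: $n = $($run.$n)"
    }
}
# The browser helper object with the all-F CLSID from the .reg hack
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}'
if (Test-Path -LiteralPath $bho) { $findings += "BHO registered: $bho" }

if ($findings.Count -eq 0) { 'None of the indicators listed in the thread were found.' }
else { $findings }
```

Run it again after the cleanup and reboot; anything still reported is what water_moon's "repeat this process a few times" refers to.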