
OT: computer viruses

Discussion in 'Single Player Forum' started by Sint Nikolaas, May 8, 2005.

  1. Sint Nikolaas

    Sint Nikolaas IncGamers Member

    Joined:
    Apr 9, 2004
    Messages:
    3,937
    Likes Received:
    8
    Trophy Points:
    256
    OT: computer viruses

    So I need some help and I know a lot of you will know more about computers than I do.. Why post here? Well, I'm surfing here anyway and I figured at least at this place a lot of people will read it.

    So, I'm sitting behind my sister's pc (my pc is about half a meter away but I don't have internet :rolleyes: ) until suddenly I'm swarmed by pop-ups. And more annoyingly, one won't go away. I can alt-f4 it all I want, I just hear *bling* and it doesn't leave. Suddenly my desktop background disappears and turns into a darkish blue screen saying this:

    Security warning
    A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
    • System cannot function in normal mode. Please check your security settings.
    • Scan your PC with any available antivirus / spyware remover program to fix the problem.

    Suddenly I appear to have an anti spyware software program called SE (something like spyware - exit or whatever..) it starts running on its own. Also, I appear to have a new homepage (starter page) called http://www.vip-se.com/?said=382 (might be a virus page, please be careful).
    I immediately press it away and look through my pc what the program is. Unfortunately I didn't realise it might be handy to keep it around to give specifics.. but I found a folder, looked through it and found an uninstall.exe, used it and then deleted the entire program and the folder it was sitting in. I ran Ad-aware which found some file corruptions but nothing major (my sister has a virus on her pc which is annoying but can't be deleted for some reason.. ad-aware picked up on that but nothing new). I also ran Norton virus checks which found the same virus but nothing new also.

    So thinking I nibbed the thing in the butt I restarted my pc..

    Great.. the blue background is still here. So I go to my configuration screen and then to monitor to change the background. Impossible.. the entire ''background'' tab isn't there. Just disappeared. So I go right-click on my desktop and hit ''active desktop'' -> modify -> properties -> advanced.
    Surprisingly I appear to have SiS 300/305 software running my background. The menu has 11 tabs from ''main'' to ''gammaprojection'' and they all work.. except one... ''properties manager'', if I click that tab *bling* alt-f4.

    I go to my internet properties which all seem normal except for two things.. 1: my internet homepage is different.. well ok I already knew that.
    2: I somehow have ''SIXA'' under my connections tab. IIRC there just wasn't a connections tab.. we have an E-TECH PCI56RWM Modem which is running my internet with a Speedtouch 510 modem. So... that SIXA is completely new right?

    For some reason I also have a new toolbar at the top of my internet screen.. I can click it away, but the next time I start up internet or open something in a new window it's there again.

    Can someone help me out? It's a pretty old machine and sadly I can't just do a format so.. if you're going to advise something like that I'll shoot you. Seriously though.. my virusscanners didn't pick anything up but my pc is messed up. It seems fine but when it comes to some small things like ''background'', ''an extra toolbar'' and stuff like that it's just irritating.
    Anyone know anything to do? Thanks in advance.

    Oh ps. I also immediately cleared out my entire cookies / saved files and history so.. yeah

    EDIT:
    found some stuff on SiS in my windows file:
    ;INF file for SiS 300/305 display driver.
    ;Copyright 1998, Silicon Integrated Systems Corporation
    It seems to be pretty thoroughly into my pc.. so it might belong there hehe.. spread through windows / program files etc.
    2nd EDIT: I found a ''desktop.ini'' in a random map..
    3rd EDIT: (also @za below) I just can't format the thing, my sister has a lot of stuff on it and I don't know which can go away and which can't. She isn't here now and she doesn't have a CD burner in her pc so .. I can't save everything on 3.5's :rolleyes: besides I doubt if she still has her windows CD and stuff like that so if I format the thing I'll probably shut myself off the internet for about 2 weeks..
     
  2. Zavior

    Zavior IncGamers Member

    Joined:
    Jun 28, 2003
    Messages:
    1,116
    Likes Received:
    0
    Trophy Points:
    165
    I'd just format the whole comp, since there's a virus you can't get rid of :p

    You might want to ask your sister if she has downloaded anything.
    To me that sounds like spyware. I'd blame Internet Explorer. (and durf)

    First, the ONE AND ONLY reason to use IE is to download windows patches.
    Never use it after that.

    Why can't you format?
     
  3. EnerSense

    EnerSense IncGamers Member

    Joined:
    Feb 28, 2005
    Messages:
    1,281
    Likes Received:
    0
    Trophy Points:
    165
    Your computer shows signs of spyware infection. The only thing I can suggest is go to a store and buy an anti-spyware cd. Install it and let it run. I personally use SpySweeper. Not trying to advertise for them here but you're asking for help. You can use your sis's computer to look them up on webroot.com. They offer a free 30 day trial. You can try to download it on yours but the spyware may block you. This SE program is fake and is your spyware or virus problem. It could be something else but the evidence shows it to be the above. Good luck!
     
  4. water_moon

    water_moon IncGamers Member

    Joined:
    Jul 19, 2004
    Messages:
    4,555
    Likes Received:
    0
    Trophy Points:
    120
    desktop.ini is supposed to be there (if you have windows)

    Boot into safe mode to do any of this properly.
    1st. Go into the registry using regedit; find anything that has the name of the offending program or software and delete it. If you're not sure, make a backup of the registry.
    2nd. Go to run, ms config, check each tab but esp. the start up tab, uncheck anything to do with the offending program. In win.ini & system.ini, be careful, don't do wholesale deletion. In the startup tab, you can uncheck anything you don't recognize, and if it's important, just recheck it later.
    3rd. Under IE tool, 'net connection, disable or delete the connection to SiS.
    Then reboot into normal and rerun adware and norton. You may have to repeat this process a few times, but it should take care of the problem.
    Also, keep a close eye on your phone bill, the connection could be an autodialer.

    as per goltar
     
  5. farting bob

    farting bob Banned

    Joined:
    Sep 16, 2003
    Messages:
    6,129
    Likes Received:
    0
    Trophy Points:
    0
    It sounds like spyware to me. No need to format your HDD, that seems rather drastic unless you have an external HDD with a recent backup on.
    Xoftspy is a good anti-spyware, and f-secure can be good for viruses.
    EDIT: Found it. Here's your problem. Been around a month or so, so the big anti-bad-stuff programs should find it.
     
  6. water_moon

    water_moon IncGamers Member

    Joined:
    Jul 19, 2004
    Messages:
    4,555
    Likes Received:
    0
    Trophy Points:
    120
    Also, you might try a new version of Norton, as this is a newer virus.

    Goltar also says be very careful in the registry, if you aren't sure, look it up on google.
     
  7. Twoflower

    Twoflower Banned

    Joined:
    May 22, 2004
    Messages:
    1,584
    Likes Received:
    0
    Trophy Points:
    0
    surf with mozilla firefox, not with IE

    then, dl the following programs and let them run :

    adaware
    spybot search & destroy
    antivir (it's called antivir )
    xpclean ( if you use win xp, of course, a great program to set a lot of things straight )

    all 3 are free programs to which i can't link ( forum rules, i think... if this ain't true, tell me please and i'll gladly give you links ) but can easily be googled and are working great :clap:

    if you still have problems after that, check all running processes in your task manager, google for them and check if they are supposed to be running :)

    then post again :)

    hope this helps
     
  8. Sledge

    Sledge IncGamers Member

    Joined:
    Jun 26, 2004
    Messages:
    684
    Likes Received:
    0
    Trophy Points:
    105
    low level format your hdd
    your bios can do it i think :D

    (don't)
     
  9. farting bob

    farting bob Banned

    Joined:
    Sep 16, 2003
    Messages:
    6,129
    Likes Received:
    0
    Trophy Points:
    0
    You can link to stuff, as long as it's not a competing forum or a D2 hacking site or something bad in general.
    Ad-aware
    Spybot - search and destroy
    Antivir
    And the only official xpclean site I could find was in German, and it's here.
     
  10. Twoflower

    Twoflower Banned

    Joined:
    May 22, 2004
    Messages:
    1,584
    Likes Received:
    0
    Trophy Points:
    0
    yeah, xpclean is a german site (edit : product, even )

    sry :)
     
  11. Noodle

    Noodle Moderator

    Joined:
    Jul 18, 2003
    Messages:
    9,186
    Likes Received:
    556
    Trophy Points:
    222
    I hated Norton, for two reasons:

    1) When I upgraded my soundcard, for some reason Norton conflicted with the associated software and called it a known issue. This meant little to me, considering it disabled key functions of Norton, and allowed my pc to become massively infected.

    2) Norton could identify a virus on my pc, but failed over and over again to quarantine or delete it. I ended up getting McAfee, and have had nothing but positive results since. (Also using Adaware, Spybot, and both Microsoft's and AOL's spyware protection.) Result = clean machine, given daily scans.

    - Noodle
     
  12. sunbearie

    sunbearie IncGamers Member

    Joined:
    Jun 25, 2003
    Messages:
    1,785
    Likes Received:
    0
    Trophy Points:
    120
    If you can still connect to the internet, use TrendMicro's online scan. Type it on Google and choose I feel lucky. IMO, it's one of the better anti-virus scans around since it's updated every day.

    The spyware will probably be fixed by any of the spyware programs the others mentioned.
     
  13. Sint Nikolaas

    Sint Nikolaas IncGamers Member

    Joined:
    Apr 9, 2004
    Messages:
    3,937
    Likes Received:
    8
    Trophy Points:
    256
    Thanks guys, I'm slowly clearing out this pc (about 850 spyware files found on first scan).. I got rid of the blue background thanks to Silo (at some other place harrr) and it's a spyware infestation. Thanks WM (and goltar) and twoflower and bob for the links and getting me to remember the msconfig.. Silo linked me a site about the attack that had occurred, got a lot of info there on how to restore stuff. :) It's going to be fine.. now I still need to come around to hosting hehe. I'm such a computer geek.
     
  14. NSXdreamer

    NSXdreamer IncGamers Member

    Joined:
    Dec 7, 2003
    Messages:
    2,940
    Likes Received:
    0
    Trophy Points:
    255
    Yeah, you might want to stop using IE, and get a free firewall from now on. :lol:

    Zone alarm has a nice free firewall, I use the pro version.
     
  15. Chiastic

    Chiastic IncGamers Member

    Joined:
    Mar 26, 2005
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    5
    Generic Disclaimer: Playing with your system internals can break stuff. If you decide to do it, don't blame me if something bad happens ;p

    Anyway, to give the generic fix for this thing, here's the bad stuff that needs to die (whatever ones are present on your system):

    First, hit control panel>add/remove programs and kill:

    Security IGuard
    Virtual Maid
    Search Maid

    Then, give the rest of this crap the axe:

    FILES:

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    c:\bsw.exe

    FOLDERS:

    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Windows\System32\Log Files
    C:\Program Files\Security IGuard

    REG KEYS

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (kill the whole "system" folder but ONLY the one in the "policies" folder if it's there)

    After you get rid of all that, you're gonna have to redo default start/search/etc. pages through either regedit or control panel>internet properties. Also, you'll probably have to regedit all your menus/control panels /etc. back to default. I'll stick a reg hack at the bottom of this post that should fix most of it.

    The actual step-by-step for removing this junk (in such a way that it won't immediately come back) is pretty involved, but if you need me to go through it, I will. Good luck!

    Oh, there's a variant that I'm aware of that has additional files at:

    Sysdir%\\shnlog.exe
    Sysdir%\\intmon.exe
    Sysdir%\\msmsgs.exe

    (Sysdir% on a standard Windows install is C:\windows\system32)

    Promised Reg Hack (just copy the text to notepad and save it as a .reg file, double-click, and select "merge into registry" or whatever). And for some reason, my copy/paste job adds random doublespaces to the code ("current version," for instance, should be one word). I can't seem to get them to go away, so you'll have to edit them out after you paste to notepad. Sorry about that.

    Code:
    REGEDIT4
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "NoDispAppearancePage"=-
    "Wallpaper"=-
    "WallpaperStyle"=-
    "NoDispBackgroundPage"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoActiveDesktopChanges"=-
    
    [HKEY_CURRENT_USER\Control Panel\Desktop]
    "Wallpaper"=-
    "WallpaperStyle"=-
    
    [HKEY_CURRENT_USER\Control Panel\Colors]
    "Background"="0 78 152"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "notepad.exe"=-
    "notepad2.exe"=-
    "winlogon.exe"=-
    "paint.exe"=-
    
    [-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
    
    [-HKEY_CLASSES_ROOT\CLSID\VMHomepage]
    
    [-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]
    
    [-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]
    
    [-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]
    
    [-HKEY_CLASSES_ROOT\VMHomepage]
    
    [-HKEY_CLASSES_ROOT\VMHomepage.1]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
    "CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
    ""="http://home.microsoft.com/access/autosearch.asp?p=%s"
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://search.msn.com/spbasic.htm"
    "Use Custom Search URL"=dword:00000000
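
A dry-run check for a `.reg` file like the one in the post above, as an added example that is not part of the original thread: it lists what a merge would delete or set and reports lines that do not fit the strict `"name"=data` form, including the double-space paste damage the poster mentions. `review_reg` and the sample text are constructed for illustration, and only string, dword and delete entries are handled.

```python
import re

# Constructed sample in REGEDIT4 syntax (not the post's file); lines 5, 8 and 9
# carry the kind of paste damage the post warns about.
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
[-HKEY_CLASSES_ROOT\VMHomepage]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Current  Version\Policies\System]
"NoDispBackgroundPage"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Bar"="Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
'''

KEY = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Accepted data: "-" (delete), a quoted string, or a dword; anything else is reported.
DATA = re.compile(r'^(-|"(?:[^"\\]|\\.)*"|dword:[0-9a-fA-F]{8})$')

def review_reg(text):
    """Dry run: return (actions, problems) without touching the registry."""
    actions, problems, key = [], [], None
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        problems.append((1, "missing .reg header"))
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if "  " in line:
            problems.append((n, "double space, possible paste artifact"))
        m = KEY.match(line)
        if m:  # "[-KEY]" deletes the whole key; "[KEY]" opens it for values
            key = None if m.group(1) else m.group(2)
            if m.group(1):
                actions.append(("delete-key", m.group(2), None))
            continue
        m = VALUE.match(line)
        if not m or key is None:
            problems.append((n, "not a value line under an open key: " + line))
        elif not DATA.match(m.group(2)):
            problems.append((n, "unsupported or malformed data: " + m.group(2)))
        elif m.group(2) == "-":
            actions.append(("delete-value", key, m.group(1)))
        else:
            actions.append(("set-value", key, m.group(1) + "=" + m.group(2)))
    return actions, problems
```

Run `review_reg` on the saved text before double-clicking the file; an empty problem list and an action list that matches what you expect to be removed is the result to look for.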
     