Unsolved


June 4th, 2005 17:00

Fatal error warning in IE. Need help!

I have a message on my desktop which says that I have a fatal error in IE in vxd vmm(01) + 000100e36. This error was caused by trojan-spy.html.smitfraud.c.
I have scanned with Norton & Spybot. My operating system is Windows XP.
 
Here's my HiJackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1:32:43 PM, on 6/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINDOWS\ntri.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\sdkyc32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\hjt2\hijackthis2\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {70B6D242-A76A-A3E8-4E2F-D03FF4541BA9} - C:\WINDOWS\system32\apifj32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [ntri.exe] C:\WINDOWS\ntri.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {6F4AA1A4-78EC-435E-AB2D-12A8EE20C6E0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6F4AA1A4-78EC-435E-AB2D-12A8EE20C6E0} - (no file) (HKCU)
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - http://dm.cometsystems.com/dm/dm_286.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkyc32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

2 Intern


1.1K Posts

June 6th, 2005 20:00

Hi vloiler...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over. I will post back as soon as possible.

If you have any questions post them back in this thread do not start another.

Thanks,

2 Intern


1.1K Posts

June 6th, 2005 22:00

Hi vloiler...
 
You are infected with multiple infections (About:Blank & Trojan Smitfraud...)...We need to clean one at a time and we will start with the "About Blank" infection...
 
Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
 
Step 1.
==========
- Create a folder called Antispyware on your C: Drive
- Download the following tools but do not run programs until asked
1. Download cwsserviceremove.zip from http://ralphcaddell.com/Uploads/cwsserviceremove.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it cwsservice
2. Download About:Buster from http://downloads.malwareremoval.com/AboutBuster.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it aboutbuster. Once extracted you will need to update it. A tutorial can be found at http://www.besttechie.net/forums/index.php?showtopic=1488
3. Download CWShredder from http://cwshredder.net/bin/CWShredder.exe. Save it to its own folder in C:\Antispyware. Call it cws
4. Download Silent Runners from http://www.silentrunners.org/Silent%20Runners.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it silentrunners
5. Download RKFiles from http://skads.org/special/rkfiles.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it rkfiles
6. Please download and install the program Registrar Lite from http://www.resplendence.com/download/reglite.exe
 
Step 2.
==========
We need to stop a service...
- Click " Start" button then select " Run"
- Type " services.msc" (without quotes) then hit OK
- Scroll down and find the service called
 
Network Security Service
 
- Right-click on the service and choose " Properties"
- On the " General" tab under " Service Status" click the " Stop" button to stop the service
- Beside " Startup Type" in the dropdown menu select " Disabled"
- Click Apply then OK. Exit the Services utility
(Note: If the service isn't listed proceed with the rest of these instructions)
 
Step 3.
==========
Disconnect from the internet <<<= Very Important
Reboot computer into " Safe Mode" Using the F8 method...
- Restart the computer
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
- Press the Enter key
 
Step 4.
==========
We need to make sure all hidden files are showing...
- Open " My Computer"
- Click on " Tools" and from the drop down menu select " Folder Options"
- Select the " View" tab
- Under the " Hidden files and folders" heading SELECT " Show hidden files and folders"
- UNCHECK the " Hide file extensions for known types option"
- UNCHECK the " Hide protected operating system files (recommended) option"
- Click " Yes" to confirm
- Click " OK"
 
Step 5.
==========
We need to stop some Windows Processes
- Start  HiJackThis...
1. Click " Config..." button
2. Click " Misc Tools" button
3. Click " Open process manager" button
4. While holding down the CTRL key, locate (if present) and click on (highlight) each of the following...
 
C:\WINDOWS\ntri.exe
C:\WINDOWS\sdkyc32.exe
 
5. Double-check to make sure that only those item(s) above are highlighted, then click " Kill process" button
6. Click " Refresh". Check to make sure they are not listed
7. Repeat this step if any remain.
- Close HijackThis
 
Step 6.
==========
- Browse to C:\Antispyware\cwsservice folder
- Double click on the cwsserviceremove.reg file to start it
- Grant it permission to add the registry items
 
Step 7.
==========
- Browse to C:\Antispyware\cws folder
- Double-click on CWShredder.exe file to start it
- click the " Fix ->" button
- You will be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows. click " OK" to continue
- Let it run completely to delete anything it finds
- After its scan, click " Next", then " Exit"
 
Step 8.
==========

Delete the following file(s) and folder(s) in BOLD only. (Don't be concerned if they do not exist, but advise which files could not be found or deleted)
C:\WINDOWS\ntri.exe <<<= Delete This File
C:\WINDOWS\sdkyc32.exe <<<= Delete This File
C:\WINDOWS\system32\maknl.dll <<<= Delete This File
C:\WINDOWS\system32\apifj32.dll <<<= Delete This File
 
Step 9.
==========
- Close all Windows and programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {70B6D242-A76A-A3E8-4E2F-D03FF4541BA9} - C:\WINDOWS\system32\apifj32.dll
O4 - HKLM\..\Run: [ntri.exe] C:\WINDOWS\ntri.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - http://dm.cometsystems.com/dm/dm_286.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkyc32.exe
 
- Click the " Fix checked" button...
 
Step 10.
==========
We now need to cleanup all the Temp files and such
- Click the " Start" button, then select " Run"
- Enter cleanmgr in the " Run" menu to start XP's " Disk Cleanup" tool
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are selected then click OK
- When done close " Disk Cleanup"
 
- Browse to C:\Windows\Prefetch folder. Delete All files within the Prefetch folder <<<= Not the Prefetch folder itself
 
Step 11.
==========
- Browse to C:\Antispyware\aboutbuster folder
- Double-click AboutBuster.exe to start it
- Click " OK" at the directions Read: Important! prompt
- Click "Start" and then " OK" to allow AboutBuster to scan for Alternate Data Streams
- Click " Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
- Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click " Save Log...". Make sure you save it as I will need a copy of it.
- Click " Exit" and " Exit" again to exit AboutBuster.
 
Step 12.
==========
- Browse to C:\Antispyware\silentrunners folder
- Double-click the SilentRunners.vbs file to start it (Note: It will start scanning your computer and could take a little time. Be patient.)
- If your antivirus complains, tell it to allow this script
- Copy and paste the contents of the Silent Runners log in your next reply
 
Step 13.
==========
- Browse to  C:\Antispyware\rkfiles folder
- Double-click the RKFiles.bat file to start it (Note: It will start scanning your computer and could take a little time. Be patient.)
- Copy and paste the contents of the RKFiles log in your next reply
 
Step 14.
==========
- Reboot computer into "Normal Mode"
- Connect up to the Internet

Step 15.
==========
- Double click on the " Registrar Lite" icon on your desktop (Note: If not there start it from the "Start Menu.")
- After the program opens copy and paste the below line, into the address field of Registrar Lite.
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
 
- Now press " Enter". You will now be presented with new information in the bottom Left and Right sections
- On the right-hand section right-click on 11Fßä#·ºÄÖ`I and delete it. (Note: If not found continue on with the rest of the fixes)
- Close program
- Reboot computer
 
Step 16.
==========
- Post back a new fresh " HijackThis" log
- Post back the " About:Buster" log
- Post back " Silent Runners" log
- Post back " RKFiles" log

Message Edited by dobhar on 06-06-2005 06:08 PM
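The entries dobhar singles out in Step 9 from the log in the first post follow a few recognisable patterns: Internet Explorer search and start pages redirected into a res:// resource inside a DLL in system32, an unnamed BHO, a Run entry launching an executable straight out of C:\WINDOWS, an ActiveX download from an unfamiliar host, and a service with no registered owner. The Python script below is an added example written for this page; it is not part of the thread and not HijackThis's own logic. It parses HijackThis entry lines, applies those patterns as heuristics, and collects the local files the flagged entries reference, which for this log are the same four files listed for deletion in Step 8. The sample log is an excerpt of the posted log; the flag rules and the small ActiveX host allowlist are assumptions made for the example.

```python
"""Triage a HijackThis v1.99 log: flag entry patterns that a forum helper
looks for and collect the on-disk files those entries point at.
The sample lines are excerpted from the log posted in the thread; the flag
rules and the allowlist below are heuristics written for this example,
not HijackThis's own logic."""
import re
from urllib.parse import urlparse

# Excerpt of the posted log (constructed subset; not the complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\maknl.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {70B6D242-A76A-A3E8-4E2F-D03FF4541BA9} - C:\WINDOWS\system32\apifj32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ntri.exe] C:\WINDOWS\ntri.exe
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - http://dm.cometsystems.com/dm/dm_286.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkyc32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# A HijackThis entry: section code (R0, O4, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A local binary path (drive letter, backslashes, known extension) inside a body.
WIN_FILE_RE = re.compile(r'[A-Za-z]:\\[^\s"<>|*?]+\.(?:exe|dll|ocx|cab)', re.IGNORECASE)
# A Run target that sits directly in the Windows directory rather than a subfolder.
WINDIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?(?=\s|$)', re.IGNORECASE)
# Hosts whose ActiveX downloads (O16) are not flagged: an assumed allowlist.
DPF_ALLOWED_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com"}


def parse_entries(text):
    """Return [(kind, body)] for every line that looks like a HijackThis entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_entry(kind, body):
    """Return a short reason if the entry matches a suspicious pattern, else None."""
    if kind in ("R0", "R1"):
        data = body.partition(" = ")[2].strip().lower()
        if data.startswith("res://"):
            return "IE search/start page redirected into a local DLL resource"
        if data == "about:blank":
            return "IE start page forced to about:blank"
    elif kind == "R3" and "missing" in body:
        return "default URLSearchHook has been removed"
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name"
    elif kind == "O4":
        target = body.split("] ", 1)[-1]  # text after the [name] label
        if WINDIR_EXE_RE.match(target):
            return "autorun executable placed directly in the Windows directory"
    elif kind == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
        if host.lower() not in DPF_ALLOWED_HOSTS:
            return "ActiveX download from a host outside the allowlist"
    elif kind == "O23" and "Unknown owner" in body:
        return "service with no registered owner"
    return None


def triage(text):
    """Return (flagged, files): flagged is [(kind, reason, body)], files is the
    lowercase set of local binaries referenced by the flagged entries."""
    flagged, files = [], set()
    for kind, body in parse_entries(text):
        reason = flag_entry(kind, body)
        if reason is None:
            continue
        flagged.append((kind, reason, body))
        for path in WIN_FILE_RE.findall(body):
            files.add(path.lower())
    return flagged, files


if __name__ == "__main__":
    flagged, files = triage(SAMPLE_LOG)
    for kind, reason, body in flagged:
        print(f"[{kind}] {reason}\n      {body}")
    print("\nFiles referenced by flagged entries (compare with Step 8):")
    for path in sorted(files):
        print("  " + path)
```

Run it on a full log by replacing SAMPLE_LOG with the file's contents. The file set it prints is a starting point for review, not a deletion list: the heuristics deliberately err on the side of flagging (an unnamed BHO or an ownerless service can be legitimate), and anything it surfaces still needs the kind of manual confirmation dobhar does before a file is removed.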

2 Intern


1.1K Posts

June 13th, 2005 15:00

Because of lack of activity I have considered this Topic closed and have stopped monitoring it for replies. If you still require help please submit a brand new post and a volunteer like myself will help you out.

Thank You... :)
