Smitfraud virus/spyware
Original Message
Name: Virgie1
Date: May 2, 2005 at 11:36:24 Pacific
Subject: Smitfraud virus/spyware
OS: Xp/2kServer
CPU/Ram: 1.7 pentium
Comment: Any help on this would be greatly appreciated, as it is an ever so nagging problem at work. First, virus defs out of date since January; I agree this is the #1 cause. Second, we started getting popups that state your computer contains spyware and the sites to go to in order to get rid of the spyware. Also the desktop wallpaper was hijacked by a black screen containing the message "your computer is infected with smitfraud virus/spyware, click here for removal", which brings you to a search screen with several sites listed as if you had done a Google search. Well, we did a search for a removal antidote, took out registry entries, found files, deleted, etc.; it removed the Windows start and end screens and replaced them with the notification blue screens "you are infected", lalala. We found the html file named "desktop.html", which is the exact screen saver we cannot remove informing us we have the Smitfraud spyware; we deleted same and it comes back, even with System Restore turned off. We have run Adaware, Spybot, and CWShredder, and did an online HouseCall free virus scan and it found and fixed: T Spy Agent.EB, Troj Agent.P, T Spy Agent.EA, Bkdr ADBREAK, Troj Keenvale.e, Imiserve.C. I know this is caused by out of date virus ware; any suggestions on removal and unlocking the background? Any help would be appreciated, as we delete some of the files and they come right back. HouseCall online free scan says we are now free of anything after removing entries from the registry, .dll files and other files associated with same. But what lags behind is the nagging replacement of the desktop background and the beginning and ending Windows logo files that were replaced with the blue screens to inform us of the infection. I have searched in almost every file format, .jpg, .bmp, and every other picture file, and found one of the blue screens, which has not come back. Please help, from the "Big Easy", New Orleans.
Response Number 1
Name: Tufenuf
Date: May 2, 2005 at 12:27:47 Pacific
Reply: Virgie1, Right click your desktop, choose Properties, under the Desktop tab click the "Customize Desktop" button, under the Web tab remove all the page entries from there except "My Current Home Page", and OK your way out. Tufenuf
Response Number 2
Name: Virgie1
Date: May 2, 2005 at 14:42:30 Pacific
Reply: Unfortunately, when we right click on the desktop, it does not have that option; it just comes up with a box that has a "general" button on it. I believe it is Win2k Server. Thanks, any help would be most appreciated.
Response Number 4
Name: Tufenuf
Date: May 2, 2005 at 15:53:28 Pacific
Reply: Virgie1, I'm still not sure if the problem computer is Windows XP or Windows 2000, but if the problem computer is running Windows XP go to the link below and scroll down to line 128, right column, and download the "Restore Desktop and Screensaver Tabs" .reg file. Save the REG file to your hard disk. Double click it and answer yes to the import prompt. This should at least get the Desktop tab back into your Display Properties, where you could try what I recommended in my Response Number 1. Restore Desktop and Screensaver Tabs Fix Tufenuf
Response Number 6
Name: Virgie1
Date: May 3, 2005 at 09:07:27 Pacific
Reply: Hi, everyone, thanks for all. Have tried all fixes even from Kelly's-Korner but nothing works. The screensaver tab options do not come back and the nagging buck of a desktop background comes back. Any other suggestions would be much appreciated. We have worked 2 weeks on this nagging bug. Thanks!!!
Response Number 7
Name: Tufenuf
Date: May 3, 2005 at 09:19:42 Pacific
Reply: Virgie1, The best advice I can offer is to go to the link below and sign up for free, then post your problem along with your HijackThis log on the "HijackThis Logfiles" forum. Make sure that you read the "HijackThis log rules" sticky before posting in this forum. There are a couple of real sharp gurus at this forum who will help you get rid of that garbage. Be patient, as some of them live in Australia and in a different time zone. VirtualDr HijackThis Forum Tufenuf
Response Number 10
Name: Virgie1
Date: May 3, 2005 at 11:52:31 Pacific
Reply: Ok guys, tried Spybot, Adaware, CWShredder, multiple solutions to rid the problem as suggested in this post; now, as suggested, here is the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 1:47:07 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sean\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [anticab] C:\WINDOWS\Driver Cache\anticab.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CoGu92e] C:\WINDOWS\whwluq.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: NETPRN.lnk = ?
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: NETPRN.lnk = ?
O4 - Global Startup: webSetup.exe.lnk = C:\WEBBRDGE\webSetup.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {EA18E03E-5143-4229-9145-710CF5000A12} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EA18E03E-5143-4229-9145-710CF5000A12} - (no file) (HKCU)
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://quote.charterins.com/CFIDE/classes/CFJava.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://www1.foragentsonly.com/internaluse/installfromtheweb2/IFTW_client/iftwclix.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aig4auto.webex.com/client/latest/support/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any help would be greatly appreciated; have spent 2 weeks on this nagging problem. Thanks
Response Number 11
Name: Tufenuf
Date: May 3, 2005 at 12:17:14 Pacific
Reply: Virgie1, They don't like HijackThis logs posted on this forum. See my Response Number 7 above before this entire thread gets deleted. Tufenuf
Response Number 12
Name: Virgie1
Date: May 3, 2005 at 15:57:27 Pacific
Reply: Sorry, looked up rules in the post from KTTD in his post: http://www.computing.net/security/wwwboard/forum/6897.html and thought I had followed the rules, and exhausted and tried my fingers and brains and anything in between by using Spybot, Adaware, CWShredder, manual registry removal, removal of files in regular and safe modes, reg fixes, tweaks, etc. All have been exhausted: 2 weeks' worth of gruesomeness on this pesky bug; we are determined. Thanks.
Response Number 13
Reply: Delete these:
R3 - Default URLSearchHook is missing (Description: This will fix the search mechanism in IE.)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing) (Description: YourSiteBar)
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe (Description: Topantispyware.com malware, recognized by Kaspersky antivirus as Trojan-Clicker.Win32.Spyre.b)
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe (Description: Topantispyware.com malware, recognized by Kaspersky antivirus as Trojan-Clicker.Win32.Spyre.b)
You don't have to, but you can delete these:
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe (Description: AOL system tray icon. Not necessary. Removing this entry will free up a small amount of system resources.)
Please keep us updated so we know if we helped you or not.
Response Number 14
Name: Abnormal
Date: May 3, 2005 at 16:34:27 Pacific
Reply: Some more tips.
"Your search - whwluq.exe - did not match any documents."
"Your search - anticab.exe - did not match any documents."
Upload these files to check for infection: http://virusscan.jotti.dhs.org/
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
http://www.bleepingcomputer.com/startups/spoolsrv32.exe-5162.html
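The entries Response 13 says to delete, and the two executable names Response 14 could not find a search match for, follow patterns that can be checked mechanically before anyone touches the registry. The script below is an added example, not code from this thread or from HijackThis: it parses the R/O entries of a HijackThis v1.99 log and flags the same things the responders picked out by hand (a deleted IE URLSearchHook, toolbar or button registrations whose file is missing, RunOnce autostarts still present at scan time, and autostart executables with unrecognised names or in unusual directories), leaving the decision to the reviewer. The sample log is a constructed subset of the log posted above; the allowlist of known autostart names and the set of suspicious directories are assumptions made for this example, not a published list.

```python
"""Triage a HijackThis v1.99 log by flagging entry patterns that need review.

Added example for this thread, not HijackThis code. The allowlist and the
set of suspicious directories below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [anticab] C:\WINDOWS\Driver Cache\anticab.exe
O4 - HKLM\..\Run: [CoGu92e] C:\WINDOWS\whwluq.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: NETPRN.lnk = ?
O9 - Extra button: Microsoft AntiSpyware helper - {EA18E03E-5143-4229-9145-710CF5000A12} - (no file) (HKCU)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 registry autostarts look like "HKLM\..\Run: [name] command"
AUTOSTART_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable path in a command line, quoted or not, arguments dropped
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|scr|com))"?', re.IGNORECASE)

# Assumed allowlist: autostart basenames the thread's responders treated as legitimate
KNOWN_AUTOSTARTS = {
    "igfxtray.exe", "hkcmd.exe", "realplay.exe", "qttask.exe", "ccapp.exe",
    "ccregvfy.exe", "sndmon.exe", "alunotify.exe", "usrprmpt.exe",
    "ypager.exe", "msmsgs.exe",
}
# Assumed: directories where a legitimate autostart executable is rarely installed
ODD_DIRS = {r"c:\windows", r"c:\windows\driver cache"}


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "O4"
    entry: str     # the log line as posted
    severity: str  # "remove" or "investigate"
    reason: str


def exe_path(cmd):
    """Return the executable path from an O4 command line, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def triage(log_text):
    """Parse a HijackThis log and return the entries that merit attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(kind, line, "remove",
                            "IE URLSearchHook deleted; fixing it restores the default search hook"))
        elif kind in {"O2", "O3", "O9"} and ("(file missing)" in body or "(no file)" in body):
            findings.append(Finding(kind, line, "remove",
                            "orphaned registration: the component's file is gone"))
        elif kind == "O4":
            a = AUTOSTART_RE.match(body)
            if a is None:
                continue  # Startup-folder shortcuts are not covered by these rules
            path = exe_path(a.group("cmd"))
            if path is None:
                continue
            directory, _, base = path.lower().rpartition("\\")
            if a.group("key").lower() == "runonce":
                findings.append(Finding(kind, line, "remove",
                                f"RunOnce autostart {base} still present at scan time; "
                                "a legitimate RunOnce disappears after it runs"))
            elif directory in ODD_DIRS or base not in KNOWN_AUTOSTARTS:
                findings.append(Finding(kind, line, "investigate",
                                f"unrecognised autostart {base} in {directory}: "
                                "look the name up and submit the file to a multi-engine scanner"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:<11}] {f.kind}: {f.reason}\n    {f.entry}")
    print(summarize(results))
```

Run it as-is to triage the constructed sample, or pass the text of a real log to triage(). Severity "remove" covers the kinds of entries the responders deleted outright; "investigate" marks autostart names that nothing recognises, which is where an upload to a multi-engine scanner such as the Jotti service linked above fits in. Entries that the rules do not cover (Startup-folder shortcuts, O16 downloaded controls, O23 services) still need a human read.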
Response Number 15
Name: Virgie1
Date: May 3, 2005 at 22:54:07 Pacific
Reply: Thanks guys, you all have been so quick to respond. I will post back once these are done when I get to work tomorrow, burning the midnight oil tonight. Again thanks for the quick response and great help this forum provides. Will post back results.
Response Number 16
Name: Virgie1
Date: May 5, 2005 at 22:31:44 Pacific
Reply: Thanks everyone. We ended up installing AVG, which knocked out 24 of the 25 viruses we had; one we could not find all the files for, and if we did, it is believed it renamed itself or VB script was being used to lock the desktop wallpaper. Ended up consulting a computer friend, who could not even find this stubborn virus. It was suggested, since we are networked and backed up on another server, to wipe and put XP Pro instead of XP Home Edition back on the unit. And of course a firewall will be needed or our efforts are nil. A hardware firewall was suggested, but resources probably won't allow it, as we think Norton is also needed, but we are unfortunately not in charge of company funds, so the decision of what antivirus we put on is not ours to make. However, I would go with Norton and a firewall, either hard or soft firewall, to block the intrusions at the entry level and keep all Windows updates done, patches, etc. The unit was not updated with Windows updates and had not been updated with virus defs since 1/05 and no firewall; those three factors, here we are. Thanks everyone, it has been most interesting and we have learned a great deal from this encounter.
Response Number 17
Name: big_n8
Date: May 10, 2005 at 02:16:04 Pacific
Reply: Hi Guys, I'm another that got "bitten" by this fn thing while using XP Pro. I tried the fix in Response #4 using Kellys-Korner and it worked sweet. I have to admit I felt like a dumb @ss to start with, as I thought the left hand side of the page was the 'link' and the right side was the description.... maybe others are doing that as well. Regardless, I'm a happy camper - thanks heaps for your help. - cheers Nath
Response Number 18
Name: marvy
Date: May 10, 2005 at 12:28:55 Pacific
Reply: Well... I surely got the smitfraud virus just like virgie1, but my PC doesn't load the desktop icons nor the taskbar, so I am stuck. They wouldn't even load in Safe Mode. Any ideas?
Response Number 19
Name: leecox1
Date: May 14, 2005 at 14:30:20 Pacific
Reply: Please help. Having used my firm's PC to check my bank account, I've infected the bloody thing with the smitfraud virus. Can anyone out there come up with a fix for how to sort this before I'm out of a job? Thanks to you all clever folk for your help.
Response Number 20
Name: tttttt2
Date: May 28, 2005 at 12:52:19 Pacific
Reply: What a great site that Kelly's Korner is! Got my screensaver and desktop tabs back at last. Thank you very much! (I would still like to know where all those desktop pictures are stored... as there appears to be no option to delete them from the desktop management section in Control Panel??) ...still, at least my wallpaper is back.
Response Number 21
Name: Jinjer
Date: June 20, 2005 at 04:07:58 Pacific
Reply: I spent some time trying everything to remove the Smitfraud piece of crap. McAfee doesn't recognise it and neither do Adaware or most of the other spyware detectors. Eventually discovered Spyware Doctor on www.downloads.com freeware; it's amazing - deleted 87 bits of spyware including Smitfraud. All clean now and running sweet with no pop ups. Regards, Jinjer. Hope this helps.