# Cabinet file cannot be trusted



## hunters (Jun 13, 2005)

When I try to download DirectX it will get to the end and then it says that cabinet file cannot be trusted. I have searched for about a week and can't find an answer to this problem. I can't even access my cryptographic services (unless I am doing this wrong). I would like some guidance on this error. Thanks so much


----------



## Rollin' Rog (Dec 9, 2000)

Can you post the exact error message, I've never heard of such a thing? And are you sure you are in the right forum? Cryptographic service is an XP/2K service, not Win98/ME


----------



## pr0t3st (Apr 17, 2005)

hunters said:


> When I try to download Direct x it will get to the end and then it says that cabinet file cannot be trusted.


This is a pretty common error while running DirectX "web setup" on 2K/XP systems due to Crypto service being disabled or not in a running state.

DirectX 9.0c Redistributable


----------



## hunters (Jun 13, 2005)

I guess this is why I cannot find the solution to this problem. I am running ME and everything that I find is for XP. After I attempt to load DirectX from Microsoft I get this error message after it has gone through the entire downloading process.
This file cannot be loaded. The cabinet file cannot be trusted.
I had a virus on my computer that affected my desktop. It shut down everything that was running. I corrected it. But believe that this might still be the problem.


----------



## Rollin' Rog (Dec 9, 2000)

I know I've seen similar issues in XP before, but no such error messages in WinME.

Is the download from the same site as posted above, or this one?

http://www.microsoft.com/downloads/...aba1-914185249413&displaylang=en&Hash=4VY93L8

Also post a HijackThis scanlog following directions below:

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe


----------



## hunters (Jun 13, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 4:56:23 PM, on 6/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ONTRACK\FIX-IT\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Fix-It.lnk = C:\Program Files\Ontrack\Fix-It\mxtask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O18 - Filter: text/plain - {63BCEA67-58C5-48A0-AD2D-2F8BCBFE79CA} - (no file)
O21 - SSODL: System - {11FD51AC-6FA0-4DFB-8827-F64E41148C17} - v_sys.dll (file missing)


----------



## hunters (Jun 13, 2005)

I have not tried the web site you all recommended but I did try to download directly from microsoft. It was just a direct x download. 
I wish I could remember the name of the desktop virus that I had. It turned the screen blue and shut down everything that was running. I am sure that it took out some files. I got most of what I have done from here. http://ask-leo.com/a_cabinet_file_cannot_be_trusted_why.html
I did a scanreg and that seemed to help but not much.


----------



## Rollin' Rog (Dec 9, 2000)

I'm going to move you to the Security forum and request additional help for you. I can't guarantee it will resolve your DirectX install problems, but you need to clean up this mess before going further.


----------



## hunters (Jun 13, 2005)

thanks I know it is a mess.
new log I did get some out.
Logfile of HijackThis v1.99.1
Scan saved at 6:20:14 PM, on 6/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ONTRACK\FIX-IT\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Fix-It.lnk = C:\Program Files\Ontrack\Fix-It\mxtask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O18 - Filter: text/plain - {63BCEA67-58C5-48A0-AD2D-2F8BCBFE79CA} - (no file)
O21 - SSODL: System - {11FD51AC-6FA0-4DFB-8827-F64E41148C17} - v_sys.dll (file missing)

Wow and thanks for all the help. You are my Hero!!!


----------



## Cookiegal (Aug 27, 2003)

Download CCleaner and have it ready to run later in safe mode:

http://www.filehippo.com/download_ccleaner.html

Download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/

Install Ewido.

During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch the program.

It will prompt you to update; click the OK button and it will go to the main screen. On the left side of the main screen click update. Click on Start and let it update.

*DO NOT* run a scan yet. You will do that later in safe mode.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

F1 - win.ini: run=hpfsched

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)

O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)

O18 - Filter: text/plain - {63BCEA67-58C5-48A0-AD2D-2F8BCBFE79CA} - (no file)

O21 - SSODL: System - {11FD51AC-6FA0-4DFB-8827-F64E41148C17} - v_sys.dll (file missing)

Then boot to safe mode:

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Run Ewido:

Click on scanner 
Put a check by the following before you scan:

*Binder 
Crypter 
Archives*

Click the Start Scan button to start the scan. 
During the scan it will prompt you to clean files, click OK 
When the scan is finished, look at the bottom of the screen and click the Save report button.

Save the report to your desktop

Start CCleaner and click Run Cleaner

Boot back to Windows normally.

Download The Hoster from: http://www.funkytoad.com/download/hoster.zip. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Do an on-line scan from Panda and save the log it creates.

http://www.pandasoftware.com/activescan/

Reboot and post another HijackThis log, the log from Ewido and the Panda scan log please.


----------



## hunters (Jun 13, 2005)

I have downloaded CCleaner but cannot download Ewido. It is for 2000 or above and I am running ME. I will finish the rest and get back to you.


----------



## Cookiegal (Aug 27, 2003)

Sorry, forgot you were running ME.


----------



## hunters (Jun 13, 2005)

Sorry?!! You have been a great help!! When I tried to run CCleaner I got an error message: cannot run error 486 application x cannot open.
Here is my new log:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:50 PM, on 6/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ONTRACK\FIX-IT\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Fix-It.lnk = C:\Program Files\Ontrack\Fix-It\mxtask.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409


----------
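An added example, not part of the thread or of HijackThis itself: a small Python parser for the log format posted above that groups entries by section code, flags entries whose target is reported as `(no file)` or `(file missing)`, and diffs two scans to confirm which entries a "fix checked" pass actually removed. The function names are hypothetical, the orphan flag is only one possible triage heuristic (an assumption, not the helper's stated criteria), and the two sample scans are excerpts constructed from the logs in this thread.

```python
import re
from collections import defaultdict

# Entry lines look like "O15 - Trusted Zone: *.example.com (HKLM)":
# a section code (R0, F1, O4, O15, ...), " - ", then free text.
# Header lines and the "Running processes" paths do not match this shape.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# HijackThis marks references whose target is gone with one of these suffixes.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)")


def parse_entries(log_text):
    """Return [(code, body), ...] for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body").strip()))
    return entries


def by_section(entries):
    """Group entry bodies by section code, keeping log order."""
    groups = defaultdict(list)
    for code, body in entries:
        groups[code].append(body)
    return dict(groups)


def orphaned(entries):
    """Entries that point at a file or handler HijackThis could not find."""
    return [e for e in entries if ORPHAN_RE.search(e[1])]


def diff_scans(before_text, after_text):
    """Return (removed, added) entries between two scans, in log order."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_set, after_set = set(before), set(after)
    removed = [e for e in dict.fromkeys(before) if e not in after_set]
    added = [e for e in dict.fromkeys(after) if e not in before_set]
    return removed, added


# Constructed excerpt of the first scan posted in the thread.
SCAN_BEFORE = r"""
Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file)
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: text/plain - {63BCEA67-58C5-48A0-AD2D-2F8BCBFE79CA} - (no file)
O21 - SSODL: System - {11FD51AC-6FA0-4DFB-8827-F64E41148C17} - v_sys.dll (file missing)
"""

# Constructed excerpt of the scan posted after the fixes were applied.
SCAN_AFTER = r"""
Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)
"""

if __name__ == "__main__":
    removed, added = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    print("Removed since first scan:")
    for code, body in removed:
        print(f"  {code} - {body}")
    print("Added since first scan:", added or "none")
    print("Still orphaned after the fix:")
    for code, body in orphaned(parse_entries(SCAN_AFTER)):
        print(f"  {code} - {body}")
```

Run against the excerpts, the diff shows the Trusted Zone, filter and SSODL entries gone, while the per-user `(no file) (HKCU)` button entry is still present in the later scan.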



## Cookiegal (Aug 27, 2003)

Did the Panda active scan find anything? If so, please post the log it created.


----------



## hunters (Jun 13, 2005)

Tried to scan and again I got an error message. Any ActiveX things will not download.
*Not allowing the application's ActiveX control to be downloaded.
Problems with the Internet connection.
Other causes (consult the FAQs).*
I think this goes back to the original problem.


----------



## hunters (Jun 13, 2005)

I looked up the virus I had; it was the smitfraud. These are the steps that I used to clean it up.
http://www.bleepingcomputer.com/for...vigate_VirtualMaid-tx17258-0.html#entry103417
This is what prompted my problem.
I tried DirectX again and again it said
*The cabinet file neccessary for installation cannot be trusted.*
I will keep researching. 
Thanks


----------



## Cookiegal (Aug 27, 2003)

The link doesn't work. I know the fix for this one but want to see what you did so if you can give me the correct link please.


----------



## hunters (Jun 13, 2005)

Here is another link
http://www.bleepingcomputer.com/for...vigate_VirtualMaid-tx17258-0.html#entry103417


----------



## hunters (Jun 13, 2005)

If the link still doesn't work 
How to remove the Smitfraud / Quicknavigate / Virtual Maid

What this program does:

These infections change your desktop to say an alert which acts as a goad to use the antispyware software it installs (usually Security iGuard) and disables the screens that allow you to change your desktop. They also hijack your Internet Explorer start page, produce popups, and hijack search queries at popular search engines.

Security Warning

A fatal error in IE has occurred at 0028:C0011E36 in VXD VMM(01) +
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

* System can not function in normal mode.
Please check your security settings.

* Scan your PC with any availabel antivirus / spyware remover
program fix the problem.

Smitfraud Desktop Background

Tools Needed for this fix:

HijackThis 
Killbox 
Smitfraud.reg 
Hoster 
Deldomains.inf 
Cleanup! 
ActiveScan

Related Tutorials:

How to use HijackThis to remove Browser Hijackers & Spyware

Symptoms in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)

Note: Security iGuard is not always present.

--------------------------------------------------------------------------------

Removal Instructions:

In order to remove this infection we will need to use HijackThis to manually remove the infection:

Print out these instructions as we will need to shutdown every window that is open later in the fix.

Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.

Enter the Windows Control Panel and double-click on Add/Remove Programs.

When the installed programs list appears, double-click on the following entries if they exist and allow them to uninstall.

Security IGuard
Virtual Maid
Search Maid

Then exit the Add/Remove Programs screen and the Control Panel.

Right-click: HERE and select Save As (in Internet Explorer it's labeled Save Target As) in order to download the Smitfraud.reg file. Save this file to your desktop. 
Locate the smitfraud.reg file on your desktop and double-click it. When asked if you want to merge with the registry, click the YES button. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Configure your computer so you can see all hidden files.

How to see hidden files in Windows

Download the Killbox by Option^Explicit and save it to your desktop. Extract killbox.zip to your desktop. Then double-click on the killbox.exe program.

When the program is open, select the option labeled Delete on reboot.

Do not close Killbox, and open Notepad by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.

When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\system32\perfcii.ini
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

Return to Killbox, go to the File menu and select Paste from Clipboard.

Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then press the enter button on your keyboard.

Using Windows Explorer, delete the following files, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found: 
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following: 
Make sure all programs and windows are closed. Double-click on C:\hijackthis\hijackthis.exe that you had downloaded and extracted earlier. When the program starts place a check next to each of the following bolded entries, if found, then click FIX CHECKED button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)

When it is done fixing the entries, exit the HijackThis program and restart your computer so its back into normal mode.

Download The Hoster and run hoster.exe. Press the Restore Original Hosts button and then press the OK button. When it is done, exit the program.

Right-Click HERE and select Save As to download DelDomains.inf to your desktop.

Now RIGHT-CLICK on the DelDomains.inf file on your desktop and select the Install option.

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Download, install, and run CleanUp!

Run this online virus scan ActiveScan to clean up any left over traces of these infections.

Follow the steps here:

Simple and easy ways to keep your computer safe and secure on the Internet

Your computer should now be free of the Smitfraud / Quicknavigate / VirtualMaid infections. It is likely, though, that this infection was installed with other malware. If you need help removing it, post a hijackthis log in the forums.

--------------------------------------------------------------------------------

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.


----------



## hunters (Jun 13, 2005)

I found this but since I am running ME I don't know where this is 

Under Windows XP, ensure that the Cryptographic Services are enabled and running: 
Right-click on My Computer 
Click on Manage 
Expand Services and Applications 
Click on Services 
Right-click on Cryptographic Services 
Click on Properties 
Set the Startup type to Automatic 
OK and close your way back out.
(This service is required for the validation to work.)


----------



## Cookiegal (Aug 27, 2003)

By any chance did you save a copy of a HijackThis log before you did the clean-up? That fix should work but there are some newer files that have been added to the smitfraud.reg fix recently.

Your ActiveX controls should be set like this:

Go to Internet Options/Security/Internet, press 'default level', then OK. 
Now press "Custom Level." 

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.

If you made some changes then try the Panda scan again and see if you can get it to run.


----------



## Jeff1986 (May 29, 2005)

Hey I am trying to install that too, but no luck... question to the original poster.. did it help??


----------



## hunters (Jun 13, 2005)

I went to the ActiveX settings and followed all directions and then even tried it with the Initialize and script ActiveX set to prompt. Nothing is working. I have come to the conclusion that I may have to reformat. However my CD-ROM is not working as a result of all of this mess. I can't even get into the BIOS to boot from the CD.


----------



## Cookiegal (Aug 27, 2003)

Have you tried to do an on-line scan from Trend Micro's Housecall? You may have the same problem but it's worth a try.

http://housecall.trendmicro.com/ - be sure to check auto clean before scanning,

Go to: http://www.microsoft.com/athome/security/spyware/software/default.mspx and download Microsoft Antispyware Beta.

First in the top menu click File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick Scan Now" and click Spyware scan options. In that window put a tick by Run a full system scan and then put a check by all three options below that then click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it quarantine the items that have that option rather than delete just in case. It is a beta program and there may be false positives).


----------



## hunters (Jun 13, 2005)

Well I tried both :down: No results. I think I need to reformat my hard drive. My desktop is right any more and my CD player won't work and I can't get into the BIOS. I need to think some more. I don't know. Maybe in the cleanup process I did something wrong.


----------



## pr0t3st (Apr 17, 2005)

For those of you receiving the _Cabinet file cannot be trusted_ error while trying to download and install DirectX, forget the "websetup" feature and download the full (redist) package HERE.


----------



## hunters (Jun 13, 2005)

Thanks I will give this a shot!!!


----------



## Cookiegal (Aug 27, 2003)

For the desktop problem:

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script.

If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it "Can not find script file "blah blah blah" then don't worry just double click the cleandesktop.vbs script again as you sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

Included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your preferred picture press apply & then ok to exit and then press F5.

You will need to do this step for every user account


----------



## hunters (Jun 13, 2005)

Thank you so very much!!! My desktop is back to normal. Wow super thanks so much!! I am sooo excited. :up:


----------



## hunters (Jun 13, 2005)

I am working on the DirectX download. I have it on my computer but I don't know how to get it to run


----------



## Cookiegal (Aug 27, 2003)

Are you still getting the same cabinet file cannot be trusted message?


----------



## hunters (Jun 13, 2005)

yes I am.


----------



## Cookiegal (Aug 27, 2003)

Are you up to date on your Microsoft updates? I understand that some updates may take care of the problem.


----------



## hunters (Jun 13, 2005)

Sorry I have been watching lots of baseball!!! Yes I am current. I think that I may have to re-install! I am not sure if there is one update that is better than the rest most just say security updates at this point.


----------



## Cookiegal (Aug 27, 2003)

There is a new version of the smitrem removal file so let's try running that:

*Click here* to download smitRem.zip. 
Save the file to your desktop. 
Unzip smitRem.zip to extract the files it contains. 
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

Now boot to safe mode.

Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.


----------



## hunters (Jun 13, 2005)

I downloaded the file and started in safe mode. It asked me if I wanted to run the program in safe mode as it could corrupt the monitor. (running a msdos in safe) Should I still say that it is ok to do this?
By the way thanks for all of your help


----------



## Cookiegal (Aug 27, 2003)

We have not had any problems running this fix in safe mode and we've run lots.


----------



## hunters (Jun 13, 2005)

Thanks I will get on it.


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## hunters (Jun 13, 2005)

It has been a while since I posted. Sorry, went back to school and whew
Finished this step and I still get the same error.
I have searched the web and books and have not found any new ideas.
Any other ideas?


----------



## Cookiegal (Aug 27, 2003)

Please post a current HijackThis log.


----------



## hunters (Jun 13, 2005)

Here it is
Logfile of HijackThis v1.99.1
Scan saved at 5:23:18 PM, on 11/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab

You are gracious. Thanks for your patience.


----------



## Cookiegal (Aug 27, 2003)

Run this removal tool please and then post a new HijackThis log:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html


----------



## hunters (Jun 13, 2005)

Ran the scan 
Message said did not find anything - But said can not scan winlog plugins

Logfile of HijackThis v1.99.1
Scan saved at 9:12:38 PM, on 11/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab


----------



## Cookiegal (Aug 27, 2003)

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to extract the files
This will create a *VundoFix* folder on your desktop.
After the files are extracted, please reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the *VundoFix* folder and doubleclick on *KillVundo.bat*
You will first be presented with a warning.
It should look like this


> VundoFix V2.15 by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....



 At this point press enter one time.
 Next you will see:


> Please Type in the file path as instructed by the forum staff
> and then press enter:



At this point please type the following file path (make sure to enter it exactly as below!):

*C:\WINDOWS\SYSTEM\WVWXW.DLL*

Press *Enter* to continue with the fix.
 Next you will see:


> Please type in the second file path as instructed by the forum
> staff then press enter:



At this point please type the following file path (make sure to enter it exactly as below!):

*C:\WINDOWS\wxwvw.**

Press *Enter* to continue with the fix.
The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HijackThis, please place a check next to the following items and click *FIX CHECKED*:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R3 - Default URLSearchHook is missing

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL

O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun

O4 - Startup: PowerReg SchedulerV2.exe

O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - (no file) (HKCU)

After you have fixed these items, close HijackThis.
Press enter to exit the program then manually reboot your computer.

The fix will tell you to shutdown using the Power button. Hold in your power button until the computer shuts down. Wait about 15 seconds and then restart the computer into regular windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking your file system because of the Bad Shutdown we caused.

Once your machine reboots please continue with the instructions below.
Download and install *CleanUp!*

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "*Options...*"
Move the arrow down to "*Custom CleanUp!*"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click *OK*
Press the *CleanUp!* button to start the program.

It may ask you to reboot at the end, click NO.

Now please run an online scan from this site:

http://www.pandasoftware.com/products/activescan.htm

Be sure to save the log and post it back here in your next reply.


----------



## hunters (Jun 13, 2005)

Did everything. However the program would not let me type in the paths. It just went to Hijack this and I checked all fixed items. Ran clean up and re-started. I noticed right away that the scan disk would not run. It just keeps restarting. 
I ran through this twice. Here is my log. Can't run panda (have ME)
Logfile of HijackThis v1.99.1
Scan saved at 8:44:01 PM, on 11/8/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab

Should I turn off my system restore?


----------



## Cookiegal (Aug 27, 2003)

I have attached a *vundoh.zip* file to this post. Unzip the vundoh.zip file and save it to your desktop.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Double click on the vundoh.reg file and at the prompt, allow it to merge into the registry.

Run HijackThis and put checkmarks by these two lines:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL

O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun

Now start Killbox and paste the first file listed below into the full pathname and file to delete box.

The file name will appear in the window and if the file exists it will appear in blue under that window. Then select *standard file kill*, press the red X button, say yes to the prompt and once the file deleted message comes up, then repeat for each file in turn.

Note: Killbox makes backups of all deleted files in a folder called C:\!submit. If Killbox tells you any files are missing don't worry.

C:\WINDOWS\SYSTEM\WVWXW.DLL
C:\WINDOWS\SYSTEM\WXWVW.BAK1
C:\WINDOWS\SYSTEM\WXWVW.BAK2
C:\WINDOWS\SYSTEM\WXWVW.INI1
C:\WINDOWS\SYSTEM\WXWVW.INI2
C:\WINDOWS\SYSTEM\WVWXW.TMP

Then on the top bar of Killbox press tools/delete temp files and follow those prompts and say yes to everything.

Reboot and post another HijackThis log please.


----------



## hunters (Jun 13, 2005)

This is tough
Won't let me delete 
C:\WINDOWS\SYSTEM\WVWXW.DLL
the rest did not exist
New Hijack log
Logfile of HijackThis v1.99.1
Scan saved at 3:56:55 PM, on 11/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab


----------



## khazars (Feb 15, 2004)

You don't have an anti-virus or firewall, you're wide open to attacks!

Etrust 1 year free trial

http://www.my-etrust.com/microsoft/

free anti-virus tools

Anti-vir

http://www.free-av.com/

Avast 4 from

www.avast.com

Filseclab Personal Firewall Professional Edition

http://www.filseclab.com/eng/download/downloads.htm

http://www.wilderssecurity.com/showthread.php?t=92710


----------



## Cookiegal (Aug 27, 2003)

You definitely need to do what khazars said.

Boot to safe mode.

Run Killbox again but following these instructions, which are different than the previous ones.

Next double-click on Killbox.exe to run it. Now put a tick by *Replace on Reboot*. Under that also put a check in the box by *Use Dummy*. In the "Full Path of File to Delete" box, copy and paste the following line then click on the button that has the red circle with the X in the middle. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click Yes and let the computer reboot.

*C:\WINDOWS\SYSTEM\WVWXW.DLL*

Rescan with HijackThis and have it fix this entry:

*O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL*

Then reboot and post a new HijackThis log please.


----------



## hunters (Jun 13, 2005)

Here it is. I do have NoAdware but my children shut it down. Is this strong enough? I used to run with Zone Alarm. 
Logfile of HijackThis v1.99.1
Scan saved at 5:58:59 PM, on 11/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab


----------



## Cookiegal (Aug 27, 2003)

Download & run http://www.sysinternals.com/Utilities/RootkitRevealer.html 
Save its log and post back with the log.

DO NOT attempt to fix anything it finds as most entries will be legitimate.


----------



## hunters (Jun 13, 2005)

could not run
Error message said 
a required ddl.file PSAPIDll is missing
looking for updates at the website


----------



## hunters (Jun 13, 2005)

can't find anything at the website that will help fix the error i am still getting.
any suggestions?


----------



## Cookiegal (Aug 27, 2003)

Go to the following site and download the missing .dll:

http://www.dll-files.com/dllindex/dll-files.shtml?psapi

Save it to: C:\Windows\System32

Then see if it works please.


----------



## hunters (Jun 13, 2005)

OK so I thought I was going to have to reformat and I started dumping files.
I dumped my children's files. One child had downloaded Limewire and then Morpheus which I had him uninstall the next day. While dumping files last night I found some leftover files of those two above. I deleted them as I could not uninstall (in safe mode) rebooted and I thought I had shut it down altogether. It went blue and shut down. I restarted it and it did not say reconfiguring or anything. Run scan disk disk defrag and on, It had to be embedded in one of those files. Explorer stays on and it runs fine 
New hjt log
Logfile of HijackThis v1.99.1
Scan saved at 9:12:13 PM, on 11/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab

Gone !!!!
See anything else?
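
Added example, not part of the original posts: a small Python triage script that parses the `O2`/`O4` entry lines of the HijackThis logs above, flags a module started through more than one autostart hook (here `WVWXW.DLL`, via a BHO and a `RunOnce` `rundll32.exe` call), and diffs the 11/12/2005 log against the 11/14/2005 one to confirm the entries are gone. The function names and hook labels are this example's own, and the embedded logs are trimmed copies of the posted lines.

```python
import re

# Entry lines trimmed from two HijackThis logs posted in this thread.
LOG_NOV_12 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\SYSTEM\WVWXW.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [*WVWXW] rundll32.exe C:\WINDOWS\SYSTEM\WVWXW.DLL,CreateProtectProc rerun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
"""

LOG_NOV_14 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
"""

# "O2 - ...", "O16 - ..." and so on. Header and running-process lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A drive-qualified path ending in .dll/.exe; stops before rundll32's ",Export".
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]*?\.(?:dll|exe)\b', re.IGNORECASE)
# The registry key name in an O4 line, e.g. "HKLM\..\RunOnce:" -> "RunOnce".
RUNKEY_RE = re.compile(r"^HK\w+\\\.\.\\(\w+):")


def parse_entries(log_text):
    """Return [(section, body)] for every entry line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hook_label(section, body):
    """Name the autostart mechanism behind an entry (labels are this example's)."""
    if section == "O2":
        return "O2 BHO"
    if section == "O4":
        m = RUNKEY_RE.match(body)
        return "O4 " + (m.group(1) if m else "Startup")
    return section


def hooks_per_module(log_text):
    """Map each referenced module path (upper-cased) to the hooks that load it."""
    hooks = {}
    for section, body in parse_entries(log_text):
        for path in PATH_RE.findall(body):
            hooks.setdefault(path.upper(), set()).add(hook_label(section, body))
    return hooks


def multi_hooked(log_text):
    """Modules loaded by more than one mechanism: a triage hint, not a verdict."""
    return {p: sorted(h) for p, h in hooks_per_module(log_text).items() if len(h) > 1}


def diff_entries(before, after):
    """Return (removed, added) entry lists between an earlier and a later log."""
    old, new = parse_entries(before), parse_entries(after)
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added


if __name__ == "__main__":
    print("multi-hooked on 11/12:", multi_hooked(LOG_NOV_12))
    removed, added = diff_entries(LOG_NOV_12, LOG_NOV_14)
    for section, body in removed:
        print("removed:", section, "-", body)
    for section, body in added:
        print("added:  ", section, "-", body)
```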


----------



## Cookiegal (Aug 27, 2003)

The log is fine but you still have no anti-virus program. You need to get one immediately.


----------



## hunters (Jun 13, 2005)

I am downloading now 
In the meantime I will keep trying to figure out why I can't download direct x or any updates from microsoft.


----------



## hunters (Jun 13, 2005)

I found the problem for microsoft downloads

This is the error message I got
and I used suggestion 1 and solved that problem 
I will try to download directx 9 again.

Problem Description: 
Unable to access the Windows Update site. The Windows Update.log file contains the following error message(s):

Error IUCTL Digital Signatures on file C:\Program 
Files\WindowsUpdate\V4\iuident.cab are not trusted (Error 0x800B0003: The form 
specified for the subject is not one supported or known by the specified trust 
provider.)

Error IUCTL Digital Signatures on file C:\Program
Files\WindowsUpdate\V4\iuident.cab are not trusted (Error 0x800B0004: The 
subject is not trusted for the specified action.)

Resolutions: 
There are several potential causes for this error. First of all, make sure you are running the current version of Internet Explorer. At this time, the current version is IE 6 SP1. You can install IE 6 SP1 from this link:

http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp

Secondly, if you are using a proxy server ask your network administrator to make sure that the proxy server is set to allow anonymous connections to the Internet.

Some more specific steps you can try to resolve this issue:

Suggestion 1
============
Register the following files with these steps:

1. Click on Start, Run and type "REGSVR32 SOFTPUB.DLL" (w/o the quotes). You should see a popup message that this process succeeded.
2. Click on Start, Run and type "REGSVR32 INITPKI.DLL" (w/o the quotes). You should see a popup message that this process succeeded.
3. Click on Start, Run and type "REGSVR32 MSSIP32.DLL" (w/o the quotes). You should see a popup message that this process succeeded.
4. Now try the Windows Update site and see if you get the same error.
--------------------------------------------------------------------------------
Suggestion 2
============
Open Internet Explorer
Click "Tools" and then click "Internet Options".
Click "Advanced," and then check "Use HTTP 1.1 through Proxy Connections" check box.
Click the OK button.
--------------------------------------------------------------------------------
Suggestion 3
============
If there is a HOSTS (or HOSTS.SAM) file on your system that has an entry for the Windows Update site, then comment out or delete the entry. The IP addresses of the site change constantly so you don't want to have any static IP entries.
--------------------------------------------------------------------------------

Issue Applies To: 
Windows 2000
Windows 98 and Windows 98 Second Edition
Windows Millennium Edition
Windows XP
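
Suggestion 3 above as an added example, not part of the original post or of the quoted help text: a Python check that finds active HOSTS entries for the Windows Update site and comments them out while keeping any other names that share the line. The hostname suffixes and the sample file are assumptions constructed for the example; the post does not list the site's hostnames.

```python
# Hostname suffixes assumed for the Windows Update site (not given in the post).
UPDATE_SUFFIXES = ("windowsupdate.microsoft.com", "windowsupdate.com")

# Constructed sample HOSTS file; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
192.0.2.10      windowsupdate.microsoft.com   # old static entry
192.0.2.11      intranet.example  V4.WindowsUpdate.Microsoft.com
#192.0.2.12     windowsupdate.microsoft.com
198.51.100.7    notwindowsupdate.com
"""


def is_update_host(name, suffixes=UPDATE_SUFFIXES):
    """True if name equals a suffix or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def static_update_entries(hosts_text, suffixes=UPDATE_SUFFIXES):
    """Return [(line_no, address, [hostnames])] for active, matching entries."""
    hits = []
    for no, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue                             # blank, comment-only or malformed
        names = [n for n in fields[1:] if is_update_host(n, suffixes)]
        if names:
            hits.append((no, fields[0], names))
    return hits


def disable_update_entries(hosts_text, suffixes=UPDATE_SUFFIXES):
    """Comment out matching lines; re-emit unrelated names that shared the line."""
    out = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        bad = [n for n in fields[1:] if is_update_host(n, suffixes)]
        if not bad:
            out.append(line)
            continue
        out.append("# " + line)                  # keep the original for reference
        keep = [n for n in fields[1:] if n not in bad]
        if keep:
            out.append(fields[0] + "\t" + " ".join(keep))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, addr, names in static_update_entries(SAMPLE_HOSTS):
        print(f"line {no}: {addr} -> {', '.join(names)}")
    print(disable_update_entries(SAMPLE_HOSTS), end="")
```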


----------



## hunters (Jun 13, 2005)

GOT IT!!!!!!!!!!!!! after running the fixes I went to windows updates and downloaded it with no problems!!!!!! What a long way around I went.   
Thank you so much for all your time and effort!!!!!!!!!
Now i have another problem to fix. I will get right on it!


----------



## Cookiegal (Aug 27, 2003)

So is everything fine now?


----------



## hunters (Jun 13, 2005)

Yes it is. Direct x downloaded but it is missing a D3D9.dll file, but i am thinking that this is a common error. I am just not sure what site to download the dll from.


----------



## hunters (Jun 13, 2005)

So I downloaded the dll file but now it is sitting in a zip file waiting to be extracted. Do I send it to c:\windows\system and overwrite files? I am stumped on this one.


----------



## Cookiegal (Aug 27, 2003)

Extract it to the directory where the program is located. If that doesn't work, extract it to C:\Windows\System.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

First, click on Start, go to Programs, then System Tools, and click on System Restore.

The System Restore window will open and give you a brief description of what the System Restore utility does.

Click on Create a Restore Point and then click Next.

It will ask you to give a Restore Point description. Give it a description that will be easy to identify in case you need to restore the computer in the future. It automatically records the date and time that the restore point was created so there is no need to include that in the description.

When finished click Next.

It will take you to a screen asking you to confirm the new Restore Point. Click OK. 
The System Restore window will close and you are now finished.

I also recommend downloading *SPYWAREBLASTER & SPYWAREGUARD* for added protection.

*Read here* for info on how to tighten your security.

DELETE YOUR TEMPORARY FILES:

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


----------



## hunters (Jun 13, 2005)

Wow you're wonderful and precise. I got all done cleaned up and thanks for the reading. Everything is solved!!! :up:


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## hunters (Jun 13, 2005)

You are truly a good mentor!!  
Should I mark this as closed?!!!!!!!!!!!! Wahoooo


----------



## Cookiegal (Aug 27, 2003)

Are you still having a problem with your desktop? I see you posted that in another thread.


----------



## hunters (Jun 13, 2005)

Yes i am 
Before i found you all I had contracted the smitfraud. I download as per instructions from another forum. I think the "fix" for the desktop was for w98. I fixed it from another source but when I was trying to clean up things I hit the reg fix for smitfraud again (instead of moving it) and it went back. See attachment from other thread. I can't find the link again.


----------



## Cookiegal (Aug 27, 2003)

Closing thread. Anyone else with a similar problem please start a new one.


----------

