CastleCops® quicknavigate.com, yellow triangle, warning popups

Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

Forum FAQ

Usergroups

Profile

Select FavForums

quicknavigate.com, yellow triangle, warning popups

All -> FavForums -> Trend Micro HijackThis Logs

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

darky

Cadet
Cadet

Joined: May 12, 2005
Posts: 7
Location: Australia

Posted: Thu May 12, 2005 10:44 am Post subject: quicknavigate.com, yellow triangle, warning popups

The other day i found my desktop had disappeared to be replaced with a fatal error message and from there on i have been bombarded with warning notices, popups and my IE keeps changing to quicknavigate.com. I cant access anything that is msn related, but i keep getting very dodgy msn style warning messages. There is a yellow warning triangle in the taskbar periodically. Ive run antivirus and anti spyware programs with no luck. I need help!!! HJT log reads like this Logfile of HijackThis v1.99.1 Scan saved at 8:43:59 PM, on 5/12/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\VetMsgNT.exe C:\WINDOWS\System32\shnlog.exe C:\WINDOWS\popuper.exe C:\WINDOWS\Downloaded Program Files\spvic.exe C:\Vet\VetTray.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\WINDOWS\System32\intmonp.exe C:\WINDOWS\System32\intmon.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.mel.connect.com.au:8080 O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpF939.tmp (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IC_KEY_3] C:\WINDOWS\Downloaded Program Files\spvic.exe O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\something.dll (file missing) (HKCU) O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/live/Disk1/isetupml.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{858D82AF-7548-4918-BC55-39BD6E5468A0}: NameServer = 192.189.54.17 203.8.183.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe any help would be most appreciated thanks MATT

HappyShiner

General

Premium Member

Joined: Jul 02, 2004
Posts: 7205
Location: Uk

Posted: Tue May 17, 2005 11:14 pm Post subject:

Thank you for your patience. If you still require help then we would ask that you 1/ post a fresh log into this thread 2/ cut and paste the link of this thread into /postitle72668-0-0-.html and someone will help you ASAP _________________ [img]http://serve.dynasig.net/926.gif[/img] DynaSig: Free Dynamic Forum Signatures "Dogs are Running wild in the street...I just can't take it anymore!"

darky

Cadet
Cadet

Joined: May 12, 2005
Posts: 7
Location: Australia

Posted: Wed May 18, 2005 1:47 am Post subject:

yes, still having problems, still in need of help

taz71498

Forums Admin
Premium Member

Joined: Jan 30, 2004
Posts: 20096

Posted: Thu May 19, 2005 11:16 pm Post subject:

Hello,

I am sorry for the delay.

I would like you to download the file that I have attached at the bottom. Save it on your desktop, then unzip it. Don't do anything with it yet.

Reboot the computer into safe mode

Run HJT again and check these items and then on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/

O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpF939.tmp (file missing)

Now, go to the file you downloaded on your desktop called smit.reg and double-click on it. Allow it to merge with the registry.

Reboot your computer and post a new HJT log here.

smit.zip

Description:

Download

Filename:

smit.zip

Filesize:

401 Bytes

Downloaded:

461 Time(s)

darky

Cadet
Cadet

Joined: May 12, 2005
Posts: 7
Location: Australia

Posted: Fri May 20, 2005 8:40 am Post subject:

Thanks again heres the new HJT log Logfile of HijackThis v1.99.1 Scan saved at 6:39:23 PM, on 5/20/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\VetMsgNT.exe C:\WINDOWS\Downloaded Program Files\spvic.exe C:\Vet\VetTray.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\Lara\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.mel.connect.com.au:8080 F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IC_KEY_3] C:\WINDOWS\Downloaded Program Files\spvic.exe O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\something.dll (file missing) (HKCU) O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/live/Disk1/isetupml.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{858D82AF-7548-4918-BC55-39BD6E5468A0}: NameServer = 192.189.54.17 203.8.183.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

taz71498

Forums Admin
Premium Member

Joined: Jan 30, 2004
Posts: 20096

Posted: Sat May 21, 2005 12:07 am Post subject:

Well, that looks pretty good. How are things working? I also suggest you do this: download Spybot S&D Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button. Reboot the computer. Download Adaware. On the main screen you will see "Check for Updates Now". Check that first. You need to be logged on as Adminstrator through the installation. Just download it to your desktop and then to install click on the file you just downloaded (aawsepersonal.exe). You will be guided through the installation. It is recommended to use the default setting of "Protect anyone who uses this computer". On the main screen of Adaware please look for the check for updates now link, just above the start button in the bottom right corner or you can click on the Webupdate button that looks like a globe icon at the top. Press * connect* to let it check for any recent updates. If any are found, please let it download and install them. Now, configure your settings. Click the gear icon at the top. These are the recommended settings: AAW SE settings General Button Safety: Check (Green) all three. Advanced Button Logfile Detail Level: All options under this should be checked (Green). Tweak Button Check (Green) the following: Log Files Include basic Ad-Aware settings in logfile: Include additional Ad-Aware settings in logfile: Please do not check (Green): Include Module list in logfile: On your first scan, use the Full Scan (Perform full system scan) mode. Let Adaware remove any bad objects found. Reboot your PC and scan again. Repeat this process until no more bad items are found. It may take several scans to clean everything, depending on the type of infections found. Reboot. Then, Please download, install and run this disk cleanup utility called Cleanup version 4.0! http://downloads.stevengould.org/cleanup/CleanUp40.exe It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingcomputer.com/forums/tutorial93.html Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin. Reboot when prompted to let it clean out the remaining files.

darky

Cadet
Cadet

Joined: May 12, 2005
Posts: 7
Location: Australia

Posted: Wed May 25, 2005 11:10 am Post subject:

it seemed to be ok for a day or two however.... I have just had a red x appear in the toolbar tray with a message "your computer is infected. The background has changed to a black screen saying 'your computer is infected etc - to fix click here" and i have had a program called "AntivirusGold" installed on my desktop. Have removed the antivirus gold through control panel - cant get wallpaper back though. I also seem to have many files in c:\windows\system32 that dont belong there, things like files called pharmacy & dating . iam not getting the popups though. Have run adaware spybot etc etc - they keep finding some trojans though - im stuck! latest HJT Logfile of HijackThis v1.99.1 Scan saved at 9:08:58 PM, on 5/25/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Downloaded Program Files\spvic.exe C:\Vet\VetTray.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\winnook.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\VetMsgNT.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\unzipped\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.mel.connect.com.au:8080 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IC_KEY_3] C:\WINDOWS\Downloaded Program Files\spvic.exe O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\something.dll (file missing) (HKCU) O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/live/Disk1/isetupml.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{858D82AF-7548-4918-BC55-39BD6E5468A0}: NameServer = 192.189.54.17 203.8.183.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe thanks in advance

taz71498

Forums Admin
Premium Member

Joined: Jan 30, 2004
Posts: 20096

Posted: Wed May 25, 2005 2:34 pm Post subject:

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop. Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below. Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if they found: Security IGuard Virtual Maid Search Maid Exit Add/Remove Programs. Please download the Killbox. Save it to your desktop. Please double-click Killbox.exe to run it. Select "Delete on Reboot". Now, open the program NotePad. Copy and paste all of these files at once into NotePad: C:\wp.exe C:\wp.bmp C:\bsw.exe C:\Windows\sites.ini C:\Windows\popuper.exe C:\Windows\System32\wldr.dll C:\Windows\System32\helper.exe C:\Windows\System32\intmon.exe C:\Windows\System32\shnlog.exe C:\Windows\System32\intmonp.exe C:\Windows\System32\msmsgs.exe C:\Windows\system32\msole32.exe C:\Windows\System32\ole32vbs.exe C:\WINDOWS\System32\hpADF3.tmp C:\WINDOWS\System32\wldr.dll Now, go back to Killbox, go to the File menu, and choose "Paste from Clipboard. Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart your computer manually and boot into Safe Mode. Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way) FOLDERS to delete (in bold) if found: D:\Program Files\Search Maid D:\Program Files\Virtual Maid D:\Windows\System32\Log Files D:\Program Files\Security IGuard While still in Safe Mode, do the following: Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following item, then click FIX CHECKED: O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe Do a search now for this file and delete if found: C:\WINDOWS\System32\winnook.exe Reboot normally Now, Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. Download the zip file here and unzip it to your desktop. Right-click on the deldomains.inf file and select 'Install' Once it is finished your Zones should be reset. Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection. Now run the program CleanUp again. Reboot and post a new HJT log here. Tell me how things are now.

darky

Cadet
Cadet

Joined: May 12, 2005
Posts: 7
Location: Australia

Posted: Sat May 28, 2005 11:34 am Post subject:

Have done as said, found plenty of those files that needed to be deleted Still having problems, wallpaper is still the same says: WARNING! YOU'RE IN DANGER! ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN. Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life! SECURE YOURSELF RIGHT NOW! REMOVE ALL SPYWARE FROM YOUR PC! Removal instructions this links to a web page: http://www.antivirus-gold.com/?wm= New HJT log Logfile of HijackThis v1.99.1 Scan saved at 9:29:01 PM, on 5/28/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Downloaded Program Files\spvic.exe C:\Vet\VetTray.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\VetMsgNT.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.mel.connect.com.au:8080 F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IC_KEY_3] C:\WINDOWS\Downloaded Program Files\spvic.exe O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\something.dll (file missing) (HKCU) O9 - Extra button: Microsoft� JavaScript� Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {2FC8DB3D-3230-4E2A-B878-2A001A14A486} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/live/Disk1/isetupml.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{858D82AF-7548-4918-BC55-39BD6E5468A0}: NameServer = 192.189.54.17 203.8.183.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

taz71498

Forums Admin
Premium Member

Joined: Jan 30, 2004
Posts: 20096

Posted: Sun May 29, 2005 4:48 pm Post subject:

Well, first I would like you to go to Add/Remove programs and see if you see Antivirus Gold in the list and if so, uninstall. Let me know if it was there. Next, Download Ewido Security Suite: http://www.ewido.net/en/download/ 1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". 2. When running it the first time, you will get a warning "Database could not be found" 3. Click OK. 4. From the main screen, click on update in the menu, then click the Start update button. 5. After the update finishes the status bar at the bottom will display "Update successful" 6. Click on the Scanner button in the left menu, then click on the Start button to begin scan. [This scan can take some time to run so be patient] 7. If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. Reboot the computer. Tell me how things are now.

CutiHana

Trooper
Trooper

Joined: Jun 02, 2005
Posts: 13
Location: USA

Posted: Thu Jun 02, 2005 9:47 pm Post subject: Same Problem

Hey...I don't know if I'm allowerd to give advice because I'm not a system manager or anything, but I empathize with you because i had that EXACT SAME background. However, I found a link that helped me get rid of it...here it is: "Right click on http://www.greyknight17.com/spy/RepairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer. Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK. " **this was a post from " /p553162-pls_help_me_im_getting_quot_warning_youre_in_danger_quot.html"

darky

Cadet
Cadet

Joined: May 12, 2005
Posts: 7
Location: Australia

Posted: Thu Jun 09, 2005 3:53 am Post subject: thanks

all seems to be working well now, thanks for your help however..... when i try and shut down i am getting a program not responding / end program now prompt for a file called ctfmon.exe and explorer.exe (even if i have not been using explorer) any ideas on that? computer seems to be still running a little slow

taz71498

Forums Admin
Premium Member

Joined: Jan 30, 2004
Posts: 20096

Posted: Sat Jun 11, 2005 10:42 pm Post subject:

Post a new HJT log

	All -> FavForums -> Trend Micro HijackThis Logs	All times are GMT
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 167ppm 0.738s (0.273s) Making cybercriminals unhappy since 2002*