Desktop and internet problems

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

byepeeps

Thread Starter
Joined
Mar 20, 2004
Messages
106
Hi,

I'm using XP and have recently had problems. I think something has downloaded onto my PC and I can't get rid of it. Tried using AVG, Adaware and Spybot but with no luck.

The symptoms:

1) 3 unidentified objects in the desktop toolbar (where the time is). The objects are a yellow triangle with an exclamation mark in it, a red circle with a white cross in it and a red circle with a white exclamation mark in it. They have these annoying speech bubble pop-ups, like other XP programmes, that say something like "Protect your computer from viruses. You need to use antivirus software.". One of the speech bubble pop-ups says my PC is infected with iworm.attck.v122.02a. When I click on these symbols they link to:

http://www.antivirus-gold.com/?wm=&swm=
http://www.psguard.com/?aff=9&sub=0
and a site selling regfreeze

2) The desktop background has changed to black with writing saying "Warning - You're in danger" and then goes on to say how I should protect my computer.

3) When I shut down I get a quick flash which I think says I have a page fault, but it disappears so quickly I can't get the code or any info.

I would really appreciate your help to get my pc working normally again.

Alex
 
Joined
Jul 17, 2003
Messages
86
Ouch. The general cure is to

turn off system restore,
delete all files in temp folders,
clear internet cookies, files, and objects,
remove the obvious crap with hijackthis
use msconfig and remove the obvious crap from startup
update your avg, spybot, adaware

restart in safe mode
go to add/remove programs and remove any crap
do the hijackthis routine again
delete all system restore files
scan for ads and viruses, clean them

reboot in normal mode

and assuming everything is working again,
turn system restore back on
create a system restore point
install a HOST file to get rid of ads
immunize your computer with spybot
get windows updates
defragment your hard drive

---

if you're super geek, you can run bart pe,
or take your hard drive out and scan it with another computer,
and if all else fails, rename your "windows" directory to "windows1" and then copy a working "windows" folder onto your drive. That works very well sometimes. It's freakin' ingenious!
 

byepeeps

Thread Starter
Joined
Mar 20, 2004
Messages
106
Hi,

thanks for your reply - much appreciated. I'm not sure how to do a lot of the remedies you mentioned i.e.:

turn off restore
use msconfig and remove the obvious crap from startup
remove the obvious crap with hijack this
delete all system restore files
turn system restore back on
create a system restore point
install a HOST file to get rid of ads
defragment your hard drive (what does this do?)

Sorry about this - pretty much a novice :(
 
Joined
Jul 17, 2003
Messages
86
turn off restore
right click MY COMPUTER, properties, system restore tab, check "turn off system restore on all drives"

use msconfig and remove the obvious crap from startup
startbutton+R to open up a RUN window. Type "msconfig", go to the startup tab, uncheck useless and malware programs. As a novice, you should be careful not to uncheck important programs.

remove the obvious crap with hijack this
get the program called hijackthis, run it, hit the scan button, and remove bad stuff. As a novice, you should probably just post the hijackthis log first before removing stuff.

delete all system restore files
they are under the "system volume information" directory, but I'm not sure if you can delete it in windows.

turn system restore back on
uncheck that box that you checked

create a system restore point
run this "C:\WINDOWS\system32\Restore\rstrui.exe" and follow the menu

install a HOST file to get rid of ads
get this http://www.mvps.org/winhelp2002/hosts.zip
then extract it and put it here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC

defragment your hard drive (what does this do?)
run this "%SystemRoot%\System32\dfrg.msc" and hit "defragment." It's optional and hard to explain.
 

byepeeps

Thread Starter
Joined
Mar 20, 2004
Messages
106
In doing something I now can't load Windows at all. Trying to load safe mode but F8 only brings up the boot option for IDE, floppy or CD. How do I get to advanced options?
 

byepeeps

Thread Starter
Joined
Mar 20, 2004
Messages
106
turn off restore
right click MY COMPUTER, properties, system restore tab, check "turn off system restore on all drives"

done this

use msconfig and remove the obvious crap from startup
startbutton+R to open up a RUN window. Type "msconfig", go to the startup tab, uncheck useless and malware programs. As a novice, you should be careful not to uncheck important programs.

I did this and the attached shows what came up - not sure what to uncheck?

remove the obvious crap with hijack this
get the program called hijackthis, run it, hit the scan button, and remove bad stuff. As a novice, you should probably just post the hijackthis log first before removing stuff.

Logfile of HijackThis v1.99.1
Scan saved at 01:26:11, on 08/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\intel32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\DeltTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\hookdump.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...k/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/uk/*http://www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/uk/*http://www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...k/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/uk/*http://www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/uk/*http://www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/yregucfg/2004_10_11_1/yregucfg.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10157fe963502a6aab22/netzip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{86685904-8496-4EA9-A0AE-5E6467851F0C}: NameServer = 194.74.65.87 194.72.9.38
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



delete all system restore files
they are under the "system volume information" directory, but I'm not sure if you can delete it in windows.

not sure how to do this

turn system restore back on
uncheck that box that you checked

I'll await to see what you or anyone else says about the result of the msconfig and hijackthis result

create a system restore point
run this "C:\WINDOWS\system32\Restore\rstrui.exe" and follow the menu

install a HOST file to get rid of ads
get this http://www.mvps.org/winhelp2002/hosts.zip
then extract it and put it here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC

defragment your hard drive (what does this do?)
run this "%SystemRoot%\System32\dfrg.msc" and hit "defragment." It's optional and hard to explain.
 


byepeeps

Thread Starter
Joined
Mar 20, 2004
Messages
106
All the info is above, it's still giving me problems. Can you see anything wrong with the msconfig start up results and hijackthis results?

Any help appreciated,
Alex
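A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the original thread. It parses the O4 (autorun) and O16 (downloaded ActiveX control) lines and flags entries for review; the watch list and the three O16 heuristics are assumptions chosen for illustration, and a flag is a prompt to look closer, not a verdict.

```python
import re

# A few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe
"""
# Product names from the pop-ups described in the first post (assumed watch list).
WATCH = ["PSGuard", "antivirus-gold", "regfreeze"]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]+)\] (.+)$")
DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \(([^)]*)\))? - (\S+)$")
RAW_IP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

def triage(log_text, watch_names):
    """Return (section, reason, item) tuples worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # header, running-process list or blank line
        code, body = entry.groups()
        if code == "O4":  # programs started from the Run keys
            run = RUN.match(body)
            if run:
                name, cmd = run.groups()
                text = (name + " " + cmd).lower()
                if any(w.lower() in text for w in watch_names):
                    findings.append((code, "autorun matches reported product", name))
        elif code == "O16":  # ActiveX controls in Downloaded Program Files
            dpf = DPF.match(body)
            if dpf:
                cls, url = dpf.groups()
                reasons = []
                if RAW_IP.match(url):
                    reasons.append("codebase is a bare IP address")
                if url.lower().endswith(".exe"):
                    reasons.append("downloads an .exe")
                if cls is None:
                    reasons.append("no class name")
                if reasons:
                    findings.append((code, "; ".join(reasons), url))
    return findings

FINDINGS = triage(SAMPLE_LOG, WATCH)
```

Flagged lines still need checking against the vendor and file on disk before anything is removed with HijackThis.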
 