.: ugh, there's this annoying yellow triangle thing...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by geek_j2, Apr 27, 2005.

  1. geek_j2

    geek_j2 Private E-2

    .: hi, I'll try to explain my problem as clearly as possible. Around Sunday Night, all of a sudden, my screen did this brief odd freeze. I minimize all my windows and there's this blue screen that's replaced my desktop wallpaper and on the blue screen is this white text w/ random warning bullcrap. I tried to change it by right-clicking and selecting properties, but 3 OF MY TABS WERE MISSING!!! I only had a tab for screen saver and the resolution size of my screen. Also, there were these 3 new desktop icons, online casino, online something else, and like this Security iGuard whatever. At this point I immediately pulled the internet cable out. In my favorites folder (in my IE browser) were all these new folders like Health, Career, Car, etc. And in My Documents and My Computer, there were also new folders and what not. I also have this very annoying lil yellow triangle w/ an exclamation point blinking in my taskbar tray that randomly says I have 4 exploits something or adult material found blah blah click here to find info on how to remove it. Also, these windows that seem like the typical Windows Error type pop-up saying I have malicious spyware, I need to click it to receive info on removal methods, etc.
    I initially Downloaded Spyware Doctor and ran that. It found stuff and cleared a few things. I then downloaded Spy Sweeper which also found other stuff. I Downloaded TDS-3 and ran that as well. I had an old version of Spyware Blaster, but I uninstalled that and installed the newest one. I already had Ad Aware Personal SE and updated and did a full system scan. I also have Symantec Antivirus Corporate Edition and ran that for viruses. I uninstalled my old copy of SpyBot and installed the new one, got the updates and checked for problems. THEN! I came across this forum, and followed all the directions in your READ ME FIRST post. The HouseCall scanner found I think like 1 thing and removed it. Symantec Security Check Virus Detection found like 180Search and PurityScan and I went to Symantec Response and did the removal procedures in their Database. Stinger found some stuff and removed them. argh yeah so basically, I did everything, up to the end of the HiJackThis tutorial, and, nothing's changed. tabs still missing, friggin blinkin yellow triangle still there, random stupid pop-ups, it's very frustrating......
    PLEASE HELP It'd be HIGHLY APPRECIATED!!!
     
  2. geek_j2

    geek_j2 Private E-2

    .: oops and also, I deleted all those desktop icons, those folders in my Favorites, the few folders I found/noticed in My Documents and my C:\ Drive and I went to taskbar manager and wrote down the processes and googled most of them, and I don't kno what this popuper.exe thing and intmonp.exe is. They seemed to be linked according to what I read. Smifraud or whatever it is, well I can't end those 2. I also have uninstalled spysweeper. I dunno, I personally think spyware doctor is causing pop-ups but what do I kno, that's why I'm asking you =P O, and I've been using FireFox up until now b/c I read that IE is bad. Um I think that's it.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize for the delay, we have been really busy here lately!

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. Chubbs

    Chubbs Private E-2

    i am having a couple similar problems, would there be a problem if i posted a HJT log as well? i have followed all the steps in the readme and HJT this tutorial. thanks for your time.
     
  5. Bobo

    Bobo Private E-2

    I have EXACTLY the same kind of crap on my machine - I also have a HJT log for somebody to have a quick look at.
     


  6. mindgames

    mindgames Private E-2

    Me too. Could I post my Hijack This log for one of you kind souls to help me with, please?

    Have done all the checks in the READ THIS, but still getting the flashing yellow triangle and the occasional pop-up.

    Thank you very much...
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Doesn't anyone READ!!!!!! PLEASE READ THE ANNOUNCEMENT AND THE STICKY THREAD.
    Also please do not post in a thread that belongs to someone else.

    Mindgames, Bobo, & Chubbs,
    Please start your own threads.
     
  8. geek_j2

    geek_j2 Private E-2

    .: hey, sorry I took so long to reply and post my hijackthis log. been takin finals and haven't been around the comp lately. but here's my hijackthis file
     


  9. geek_j2

    geek_j2 Private E-2

    .: also, I dunno exactly when, but sometime after my original posts, I read from somewhere (possibly in these posts?) that the microsoft version of java was bad, like security probs or whatever, so I uninstalled that, I didn't install the sun version... I dunno if that has any relevance to anything, but I thought I'd let ya'll know. um... I also deleted my IE application thing cuz I figure if I did that, the pop-ups would stop cuz they all open in an IE window, but that didn't do anything, IE still works... so the IE application (iexplore.exe) is still in my recycle bin. man these pop-ups are REALLY annoying..... >_<
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    geek_j2,

    Run these online scans posting your results of what was found and if it was removed or not.

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After running these scans, reboot and post a fresh HJT log.
     
  11. geek_j2

    geek_j2 Private E-2

    .: hi, sorry for the delayed response -_-, I ran all 4 programs. From the BitDefender Online Scanner - Real Time Virus Report:
    Scan Info: Scanned Files = 302227; Infected Files 1
    Virus Detected: Application.Remotexec.A 1

    From the BitDefender Online Scanner - Scan Report (at the bottom):
    D:\Documents and Settings\ykim2\pskill.exe
    ---> Detected with: Application.Remotexec.A
    D:\Documents and Settings\ykim2\pskill.exe
    ---> Disinfection failed
    D:\Documents and Settings\ykim2\pskill.exe
    ---> Deleted

    I've attached the RAV log, and a fresh copy of the hijackthis log. The TrendMicro Housecall thing had only one popup that said:
    Housecall has found and cleaned a malware.WORM_AGOBOT-11

    Finally, the TrojanScan brought up:
    C:\WINDOWS\System32\intmonp.exe
    ---> Trojan.Win32.Puper.c
    C:\WINDOWS\system32\intmonp.exe
    ---> Trojan.Win32.Puper.c
    C:\WINDOWS\system32\olc32vbs.exe
    ---> Trojan.Win32.Favadd.u

    Also, I've also noticed that when I restart up my computer, MSN Messenger starts up. It's never done that before, and I don't use it, and usually a popup about do I want to install a new version of it w/ a YES or NO option. I just right click and exit it from the system tray thing. Also, hmm... I don't kno if this is helpful info but, a while back I had tried to reinstall my Windows XP b/c stuff wasn't working on my laptop. well, in the process, I created a 2nd operating system. eventually, I got it to fix my original OS, but now when I reboot, I have 2 Windows XP options, the first is my normal one, and the second is a fresh XP OS which I never use. Does that make sense? Ok, welps, I'll patiently wait ur reply
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

    O3 - Toolbar: (no name) - {C5723D39-4AEB-5726-6A6B-276546051998} - (no file)

    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
    O4 - HKLM\..\Run: [Microsoft HTTP SSL Service] mssl.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [MSN Messenger] msnmssgr.exe
    O4 - HKLM\..\RunServices: [Microsoft HTTP SSL Service] mssl.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {64030124-953D-43FC-9E89-0DC08114C133} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {64030124-953D-43FC-9E89-0DC08114C133} - (no file) (HKCU)

    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} -

    O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\msole32.exe

    C:\WINDOWS\System32\msmsgs.exe

    C:\WINDOWS\System32\intmonp.exe

    C:\WINDOWS\popuper.exe

    mssl.exe <-- Search for this file and delete when found, be sure you have hidden files and folder ENABLED!

    msnmssgr.exe <-- Search for this file and delete when found, be sure you have hidden files and folder ENABLED!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  13. geek_j2

    geek_j2 Private E-2

    .:hey bjgarrick,
    Ok! I did all that you said to do, and so far almost all good =P I've posted the hijackthis log. The problems I encountered/still persist:

    Ok, when I ran the hijackthis in safe mode, the
    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
    wasn't listed. Also, the msmsgs.exe wasn't in the C:\WINDOWS\System32\ file. I did a search for mssl.exe and msnmssgr.exe with hidden files and folder enabled and the computer didn't find anything. I did everything else. BUT! when I restarted my computer in normal mode, MSN Messenger started up again. So I closed that from the system tray and then ran HiJackThis.
    + Also, the 3 tabs in my display settings are still missing. I kno there's 5 of them, I'm pretty sure, but it only shows 2, so I can't change my background unless I right-click some image and set that as wallpaper. And um.... I think that's it.

    Thanks so much for all your help so far, I sincerely appreciate it! I'm taking extra precautions from now on and stuff to prevent this from happening again.
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First off, the file msmsgs.exe is not related to MSN/Windows Messenger. However there is a file called msnmsgr.exe and it's located in the C:\Program Files\MSN Messenger directory. This one is legit. The other file msmsgs.exe is part of a virus and should be deleted immediately!

    Reboot into Safe Mode

    Now, Scan with Hijack This and have it fix these entries:

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} -

    O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)

    Be sure you have ALL browsers closed before clicking FIX.

    Reboot into Normal Mode and tell me what problems remain. Also, about your desktop wallpaper. Is the option to change your wallpaper in Display Properties greyed out or what's going on in there?
     
  15. geek_j2

    geek_j2 Private E-2

    .: hey bjgarrick,

    Ok, so since you said anything msmsgs.exe was bad, I did a search on msmsgs.exe. It pulled up the following:
    C:\I386\MMSETUP.CAB\
    C:\Program Files\Messenger\
    C:\WINDOWS\Prefetch\

    I also did hijackthis in safe mode and I noticed:
    O4 - HKCU\..\Run: [MSMSGS]"C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    Well, I checked those 3 along w/ the 4 you posted. I then clicked Fix Checked. Then I navigated to and deleted the following:
    C:\I386\MMSSETUP.CAB (the whole cab thing)
    C:\Program Files\Messenger (this whole folder)
    and from the Prefetch folder I deleted:
    msmsgs.exe, msmsgsin.exe, & iexplorer.exe

    I restarted my computer in normal mode, and yay, that msn messenger thing doesn't start-up any more, and since my last post, there's been no pop-ups or annoying yellow triangles. Also, after I posted my last post, I did a few windows updates, I didn't download/install service pack 2 though.

    So I ran hijackthis in normal mode, and guess what? the 4 things you posted didn't go away, the 2 O4's, that O16, and that O23 are still there...
    also, I was wondering what this was and whether I should check it for fix or not:
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    And lastly, for the wallpaper thing, I've attached a jpg file. One shows my Display Properties window and how it's missing tabs. The other in the next post shows that I AM able to right-click and change my wallpaper properties, but why can't I do it in my display properties? And I've attached the hijackthis log
     


  16. geek_j2

    geek_j2 Private E-2

    .: here's the right click jpg
     


  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    About the file msmsgs.exe, this is a legit process. You have to pay attention to its location. If the file msmsgs.exe is in the directory C:\Program Files\MSN Messenger then it's legit. If the file msmsgs.exe is located in the C:\WINDOWS\System32 it is a baddie and should be deleted.

    No, this is legit! It's part of the Broadcom Wireless Network Tray Applet.

    For this problem follow in my next post! Let's try and get the tabs back first.
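
Added example (not part of the original thread, and not HijackThis's own logic): a small Python triage pass over HijackThis entries like the ones quoted in these posts. It flags entries whose target file is gone, extra programs appended to the F2 Shell value, and familiar file names loading from an unexpected directory. The `EXPECTED_DIRS` allowlist is an assumption assembled from paths mentioned in this thread.

```python
import re
from pathlib import PureWindowsPath

# Assumption: allowlist built from directories named in this thread
# (the replies above and the Messenger path in the poster's own log lines).
EXPECTED_DIRS = {
    "msmsgs.exe": {r"c:\program files\msn messenger", r"c:\program files\messenger"},
    "msnmsgr.exe": {r"c:\program files\msn messenger"},
}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
FILE_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?]*?\.(?:exe|dll)', re.I)

def triage(line):
    """Return (section_code, [reasons]) for a HijackThis entry, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # log header, process list or blank line
    code, body = m.group("code"), m.group("body")
    reasons = []
    # Registry entry whose target file is gone: a leftover to clean up.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("target file missing")
    # F2 Shell value: anything listed after explorer.exe starts at every logon.
    if code == "F2" and "Shell=" in body:
        extras = [p.strip() for p in body.split("Shell=", 1)[1].split(",")[1:]]
        extras = [p for p in extras if p]
        if extras:
            reasons.append("extra program in Shell value: " + ", ".join(extras))
    # Familiar file name loading from a directory it does not belong in.
    for raw in FILE_PATH.findall(body):
        path = PureWindowsPath(raw)
        allowed = EXPECTED_DIRS.get(path.name.lower())
        if allowed and str(path.parent).lower() not in allowed:
            reasons.append(f"{path.name} outside expected directory: {path.parent}")
    return code, reasons

def flagged(lines):
    """Keep only the entries that triggered at least one reason."""
    results = [(line, triage(line)) for line in lines]
    return [(line, r[1]) for line, r in results if r and r[1]]

# Lines quoted from the posts in this thread.
SAMPLE = [
    r"F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe",
    r"O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe",
    r'O4 - HKCU\..\Run: [MSMSGS]"C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)",
    r"O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe",
]

if __name__ == "__main__":
    for line, reasons in flagged(SAMPLE):
        print(line, "->", "; ".join(reasons))
```
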
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in GPEDIT.MSC

    Now, Expand USER CONFIG, click on Administrative Templates, then Control Panel. Now open the Display key. On the right-hand pane, all the items should be 'not configured'. To change, just click on the disabled/enabled items and change to 'not configured'

    If the above does NOT work then follow the below.

    Download and install FreshUI

    This program will allow you to get the tabs back. Let me know of any problems you have and if this problem remains.
     
  19. geek_j2

    geek_j2 Private E-2

    .: YES! YAY! my tabs are back! woot~ you're a genius bjgarrick! you're the man, I REALLY appreciate all the help that you've done for me man. If there were more smart and nice ppl like you out there, the world would def be a better place. thx again for erething

    ...in closing, should I or should I not download and install service pack 2, is it necessary? cuz I've had a few friends that did dl & install sp2, and it gave them probs and stuff. ok after this, no more questions and bothering
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    As far as SP2, you should definitely download and install it. SP2 is a critical update for WindowsXP. Before you install SP2 your system must not have Malware/Virus infections or else it will cause major problems. However, if you are clean then you shouldn't have any.

    You should see this article on How to Protect yourself from malware!
     
