Background/Startup Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Malax, May 25, 2005.

  1. Malax

    Malax Private E-2

    Well, it's a few problems. Last night I got a black background covering my desktop saying things about removing spyware etc. So I followed the READ ME FIRST section (as I had a few other problems too) and it's made it no better. I still have my webpages hijacked, I still have countless errors on startup, I still have this (now white and flashing grey) background which I can't remove. It's also removed a number of things that I had (which I used) on startup. The worst of the lot is now my computer sticks on memory testing (at memory testi) for about 5 minutes before loading then takes ages to load. I no longer have any of my smartmedia drives for some reason. A similar thing happened a while ago but using various removal tools I got it working again. No such luck this time. Anyway here is my log. Any help is greatly appreciated. I'm out of ideas.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right Click on your desktop, click properties, click the Desktop Tab, click Customize Desktop, click the Web Tab. Now, uncheck everything in this tab.

    Download Pocket KillBox
    (Don't run it yet)

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://searchcat.info/?a=2&b=test1
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://searchcat.info/?a=2&b=test1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpC3FA.tmp

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

    O4 - Global Startup: Microsoft Office.hta

    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.uclan.ac.uk/other/iss/remote/wficat.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\system32\shnlog.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msole32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\intmon.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\hpC3FA.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now Allow Killbox to reboot your system, after you have rebooted, Scan with HJT and attach a fresh HJT log.
     
  3. Malax

    Malax Private E-2

    Thanks. Everything seems to be ok now. Except it's still sticking on memory testi and my media centre is still missing. I just remembered that last time this happened I just took out and put back my RAM and this seemed to solve the problems. I'll give that a whirl anyway. Here's my latest log.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Reboot and let me know what problems if any remain!
     
  5. Malax

    Malax Private E-2

    Thanks. I did that and I fixed the memory testing thing. But I'm still having problems. I keep getting popups on the desktop and just now I have had another background. This time it's blue and says something about a security warning. I can right click to get to the display properties, but for some reason I now only have two tabs (this includes in the control panel display options too), so to remove it I can't do the same as last time (web tab, remove). I can repeat the steps (which I've now done twice) but it's not making a difference.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!
    Now, Navigate to and delete the following file:

    C:\WINDOWS\Web\wallpaper.html

    C:\wp.exe

    C:\wp.html


    Final Step:

    Right Click on your desktop, click properties, click the Desktop Tab, click Customize Desktop, click the Web Tab. Now, uncheck everything in this tab.

    After you complete the above, click on the link below to download a registry patch.

    After you download it, extract it to your desktop. Once complete, double click the smitfraud.reg file to merge it. After you merge, click OK and then REBOOT. Let me know how things are running now!

    Download Patch here!
     
  7. Malax

    Malax Private E-2

    None of these items were present:
    C:\WINDOWS\Web\wallpaper.html
    C:\wp.exe
    C:\wp.html

    "Right Click on your desktop, click properties, click the Desktop Tab, click Customize Desktop, click the Web Tab. Now, uncheck everything in this tab."

    The web tab still isn't present. Although all the other normal tabs now are?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you download the patch and merge the registry file as requested?

    What problems are you still having?
     
  9. Malax

    Malax Private E-2

    Ok, sorry, yeah, it's sorted now. But I'm still getting desktop popups and I have a program called spywareremover stuck in the tray at the bottom of the screen. AGGHHH!
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go ahead and post me a current HJT log.
     
  11. Malax

    Malax Private E-2

    Voila
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Security iGuard


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe

    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.uclan.ac.uk/other/iss/remote/wficat.cab

    O20 - AppInit_DLLs: c:\windows\system32\hk.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Security iGuard ←–– Delete this whole folder if it exists!

    C:\bsw.exe

    C:\wp.html

    C:\wp.exe

    C:\WINDOWS\Web\desktop.html

    c:\windows\system32\hk.dll

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  13. Malax

    Malax Private E-2

    Ok done. However, when I tried to fix hk.dll in hjt I got an 'invalid procedure call or argument' error. Then when I tried to delete it from the system32 folder it wouldn't, and said access was denied. I have this odd feeling that within the next day I will randomly get programs appearing and my desktop altering. I really hope not but....
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Now, Copy and Paste c:\windows\system32\hk.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted post a fresh HJT log.
     
  15. Malax

    Malax Private E-2

    Ok, so everything is running fine and as per usual out of nowhere everything goes wrong again (I had just downloaded kazaa though). I've tried going through all the usual procedures but I dunno what I'm looking for. Am I ever gonna be shut?
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's where your problems are coming from. Kazaa is loaded with spyware and should be removed immediately.

    Your log is worse now than it was before?

    After you get rid of Kazaa, attach a fresh HJT log and we will start the cleanup again.
     
  17. Malax

    Malax Private E-2

    That log is after I removed kazaa.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I didn't want you to think I was telling you what you can and can't install. But I will recommend Kazaa staying far away from your system as it's the #1 cause of spyware.

    Go ahead and attach a new HJT log and we will start from there.
     
  19. Malax

    Malax Private E-2

    Oh no, it's cool. As soon as I did it I realised my error. Anyway....
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpDEF0.tmp

    O17 - HKLM\System\CCS\Services\Tcpip\..\{82785F50-CF45-4860-9FF8-9F53060F3198}: NameServer = 80.225.252.178 80.225.252.186

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\popuper.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msole32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\shnlog.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\intmonp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\intmon.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\hpDEF0.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and windows has loaded scan with HJT and attach the new log.
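    The HijackThis fix lists in posts 2, 12 and 20 above keep turning on the same handful of entry types: R0/R1 search and start pages pointed at a hijacker's domain, an R3 URLSearchHook gone missing, an F2 Shell= value with an extra program, an O2 BHO with a bogus CLSID loaded from a .tmp file, O4 autostarts launched from the root of C:, an O17 NameServer override and an O20 AppInit_DLLs entry. The following Python script is an added example for this thread, not code from HijackThis or from MajorGeeks; it parses HJT-style log lines and flags exactly those patterns, so an analyst reading a log can see at a glance which lines need attention. The sample lines are constructed from entries quoted in the thread plus two benign lines (a ctfmon.exe autostart and an msn.com start page) to show what does not get flagged; the trusted-host and expected-resolver allowlists, and www.msn.com as a trusted host, are assumptions you would replace for your own environment.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis code).

Checks per HJT section:
  R0/R1  search or start page on a host outside the trusted allowlist
  R3     default URLSearchHook removed
  F2     system.ini Shell= launching anything besides explorer.exe
  O2     BHO with an implausible CLSID or loaded from a .tmp file
  O4     autostart entry launching a file from the drive root
  O17    NameServer set to a public resolver you did not configure
  O20    AppInit_DLLs populated (the DLL is injected into every GUI process)
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: entries quoted in the thread plus two benign lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpDEF0.tmp
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{82785F50-CF45-4860-9FF8-9F53060F3198}: NameServer = 80.225.252.178 80.225.252.186
O20 - AppInit_DLLs: c:\windows\system32\hk.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(\S+)\s*$")          # value after the first '='
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]+)\}")
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)  # e.g. c:\bsw.exe


def parse_line(line):
    """Return (section, body) for an HJT entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def _is_private_ip(text):
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False  # not even an IP address: treat as suspicious


def check_entry(section, body, trusted_search_hosts, expected_dns):
    """Return a reason string if the entry looks hijacked, else None."""
    if section in ("R0", "R1"):
        m = URL_RE.search(body)
        host = urlparse(m.group(1)).hostname if m else None  # about:blank -> None
        if host and host.lower() not in trusted_search_hosts:
            return f"search/start page points at untrusted host {host}"
    elif section == "R3" and "missing" in body:
        return "default URLSearchHook has been removed"
    elif section == "F2" and "Shell=" in body:
        progs = [p.strip().lower() for p in body.split("Shell=", 1)[1].split(",")]
        extra = [p for p in progs if p and p != "explorer.exe"]
        if extra:
            return "extra shell program(s): " + ", ".join(extra)
    elif section == "O2":
        m = CLSID_RE.search(body)
        if m and re.search(r"(.)\1{7,}", m.group(1)):  # 8+ identical hex digits in a row
            return f"BHO with implausible CLSID {{{m.group(1)}}}"
        if body.lower().endswith(".tmp"):
            return "BHO loaded from a .tmp file"
    elif section == "O4" and "] " in body:
        path = body.split("] ", 1)[1].strip()
        if ROOT_FILE_RE.match(path):
            return f"autostart launches from drive root: {path}"
    elif section == "O17" and "NameServer" in body:
        servers = body.split("=", 1)[1].split()
        bad = [s for s in servers if s not in expected_dns and not _is_private_ip(s)]
        if bad:
            return "DNS resolver overridden to " + " ".join(bad)
    elif section == "O20" and "AppInit_DLLs:" in body:
        dlls = body.split("AppInit_DLLs:", 1)[1].strip()
        if dlls:
            return f"AppInit_DLLs set to {dlls}"
    return None


def triage(log_text, trusted_search_hosts=frozenset(), expected_dns=frozenset()):
    """Return [(section, reason, body)] for every entry that trips a check."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reason = check_entry(section, body, trusted_search_hosts, expected_dns)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    # Allowlist contents are assumptions for the demo; fill in your own.
    for section, reason, body in triage(SAMPLE_LOG, trusted_search_hosts={"www.msn.com"}):
        print(f"[{section}] {reason}\n      {body}")
```

    Run on the sample, the script reports eight of the eleven lines; the about:blank page (no host), the msn.com start page (on the allowlist) and the ctfmon.exe autostart (normal system path) pass through. The allowlists are deliberately empty by default so that anything not explicitly expected surfaces, which is the right bias for a log you are reading precisely because the machine is behaving oddly.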
     
  21. Malax

    Malax Private E-2

    Right um.. I've been away for a few days but the computer has been in use by family and whatnot. I was about to sort everything and I now find I can't actually do anything. As soon as the machine loads I get an error saying windows explorer has encountered a problem and needs to close. I get a window of about a second to open up my documents and this is how I've been able to get online. If I try to do anything that isn't in this window I just get the error and eventually the machine crashes. So I went into safe mode anyway but this is even worse: errors appear constantly until I get an error from Dr Watson's post mortem or something and then it just crashes completely. So I've followed the steps you have stated as best I can in normal mode but it's not made any difference. I am tempted to format c: and start again but this is a major hassle for a number of reasons. Is there any way to avoid this? I dunno if this is in the right section anymore but I'll attach a log in my next post in case it's of any help - EDIT: I can't actually attach a log because the popup causes the machine to crash. Thanks
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You MUST do these fixes I post for you in a timely manner or you will be in the situation you're in now. The longer these infections stay on a computer, especially when users are using them more and more...the worse the infections mutate.

    It sounds like you have triple the infections due to the delayed responses, so what you're going to need to do most likely is a repair reinstall of windows, then we will begin cleaning processes.

    Let me know what your plans are!
     
