Has this happened to you????
Old 05-01-05, 11:51 AM Thread Starter   #1
trulyred
Howdy,
I have a problem I cannot seem to get rid of. I was out on the net one day when my PC started to bog down and get real sluggish. Then all of a sudden there came up this screen that was black and yellow and stated that I was in immediate danger, that there was a virus infection that can wreak havoc on my PC, also that not all viruses can be removed. I couldn't get the screen off, so I did several scans with all the different spyware/adware finders and the only AV I have, to no avail. Finally I gave in and clicked on the stop button that was on the screen and it took me to another screen that was selling what looked like AV programs! Once on that screen I ran my arsenal again and most of what was on there disappeared. What I have now is some kind of blocker going on: I cannot see my wallpaper, it is blocked from being viewed. I only see it when I first turn on the PC and when it shuts down, so I know I have a wallpaper on. It also tells me that whatever is on my PC is on my startup menu, but I have been through it, and I cannot tell you where or what it is. After having replaced my drivers for my video card and gone through with a Windows repair disk, it's still there, annoying as *#@$.
So I am asking if anyone here has come across this, and if so, how did you fix it? What bothers me about this is that all my stuff was on: MS AntiSpyware, SpyCatcher Protector, GhostSurf and Panda Platinum, all with the latest versions thereof. It still got through.
So any help or info would be greatly appreciated. Thanks a bunch, TR
Old 05-01-05, 12:10 PM   #2
David
Mmm, sounds odd. Start - Run - services.msc - (Enter) will show you what services start with your PC.
Old 05-01-05, 12:27 PM   #3
nebben
You may have a trojan root kit type thing on your system. Reformat/reinstall Windows, or try your luck with HijackThis. It will be difficult, but not necessarily impossible.

I have had good luck with AVG antivirus too. There is a free version available that usually gets stuff that my McAfee will skip.

That, or try looking through add/remove programs and remove the program that you agreed to install!

-ben
Old 05-01-05, 12:31 PM Thread Starter   #4
trulyred
Okay, but what am I looking for there? That's a place I rarely go to, so I am not sure at all what would be out of place......... TR
Old 05-02-05, 02:35 AM   #5
coin
Use HijackThis and print the log here.
Old 05-09-05, 12:19 AM Thread Starter   #6
trulyred
Alright then, I'll try it.....
Logfile of HijackThis v1.99.1
Scan saved at 10:11:25 PM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\GhostSurf 2005\Protector.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\welder97\My Documents\My Received Files\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O1 - Hosts: 221.10.242.104 ibank.barclays.co.uk
O1 - Hosts: 221.10.242.104 online-business.lloydstsb.co.uk
O1 - Hosts: 221.10.242.104 online.lloydstsb.co.uk
O1 - Hosts: 221.10.242.104 www.halifax-online.co.uk
O1 - Hosts: 221.10.242.104 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 221.10.242.104 www.nwolb.com
O1 - Hosts: 221.10.242.104 banesnet.banesto.es
O1 - Hosts: 221.10.242.104 extranet.banesto.es
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Updatess] mspingfix.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Startup: Protector.lnk = C:\Program Files\GhostSurf 2005\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113031035863
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35DD933D-B469-4433-97B0-1BF13F4ED14A}: NameServer = 198.6.100.140 198.6.1.140
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Sorry, had to copy and paste this so you can see it......... tr
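As an added example (not code from the thread or from HijackThis), here is a small Python checker for two patterns a defender would pull out of a log like the one above: several hostnames in O1 lines all pointing at one non-local address, and O4 Run entries whose executable is a bare file name with no path. The sample lines are constructed, modelled on the log above; only the HijackThis line format is taken from it.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99 line format, modelled on the thread's log.
SAMPLE_LOG = r"""
O1 - Hosts: 221.10.242.104 ibank.barclays.co.uk
O1 - Hosts: 221.10.242.104 online.lloydstsb.co.uk
O1 - Hosts: 221.10.242.104 www.nwolb.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Updatess] mspingfix.exe
O4 - HKCU\..\Run: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - Startup: Protector.lnk = C:\Program Files\GhostSurf 2005\Protector.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\]\s+(.+)$")
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}  # normal targets for ad/host blocklists

def hosts_redirect_clusters(log, min_hosts=2):
    """Map each non-local IP in O1 lines to the hostnames the hosts file sends to it.
    Unrelated hostnames all resolving to one remote address is the pharming pattern;
    entries pointing at loopback are ordinary blocklists and are ignored."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = O1_RE.match(line)
        if m and m.group(1) not in LOCAL_SINKS:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}

def pathless_run_entries(log):
    """Names of Run/RunOnce entries whose executable is a bare file name.
    Such entries rely on path lookup, so the log alone does not say which file
    loads; vendor helpers use the same form, so this is a review prompt, not a verdict."""
    found = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group(2).strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe and "/" not in exe:
            found.append(m.group(1))
    return found

if __name__ == "__main__":
    print(hosts_redirect_clusters(SAMPLE_LOG), pathless_run_entries(SAMPLE_LOG))
```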
Old 05-10-05, 11:32 AM   #7
matttaylor
Try this to remove the message:
Right-click the desktop, select Properties.
Select the Desktop tab.
Select Customize Desktop.
Select the Web tab.
Uncheck anything that is there and/or delete everything in the box.
Click Apply/Close.
And that will remove the message.
After that, remove the following entries in HijackThis:
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
and only if this is not your IP address info!
O17 - HKLM\System\CCS\Services\Tcpip\..\{35DD933D-B469-4433-97B0-1BF13F4ED14A}: NameServer = 198.6.100.140 198.6.1.140

And next time you may want to hide the IP info.
Old 05-10-05, 10:41 PM Thread Starter   #8
trulyred
Ah yes! That was the ticket! Woohoo, as soon as I unchecked and erased the box tagged Security the blocker went away. Interestingly, so did line O17 when I ran that HijackThis program. As far as that other line O16, D happens to be my CD drive, so I imagine eradicating that line won't hurt.... Again, mad props to you Matt for coming up with that fix. I feel much better now......................... tr
Old 05-11-05, 11:06 AM   #9
matttaylor
Glad I could help. I've dealt with that problem before on customers' computers, and that fix is the only way I've found to remove it.