Tech Support Forum - View Single Post - Technicolor screen, Popups, Error messages running programs, random programs starting

Bob4 · 10-03-2007, 03:59 PM

From here on in when I ask for a hJT log
Navigate to and find C:\Program Files\Trend Micro\HijackThis\Owner.exe
You can right click that file and choose send to :
Desktop (create shortcut) for your convenience.

This will post just the HJT portion of the log. No reason for me to see all that DSS see's more than once.

_____________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\vtustqo.dll
O2 - BHO: (no name) - {D40A2633-1554-4CE9-B1BB-14B18F7BD1ED} - C:\WINDOWS\system32\ddayw.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKEY_LOCAL_MACHINE\..\RunOnceEx: [Flag] 2
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O15 - Trusted Zone: <https://turbotax.com> (HKCU)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} () - <http://cabs.elitemediagroup.net/cabs/mediaview.cab>
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} () - http://static.zangocash.com/cab/Seek...dae853c5219026 <http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?0993688dc438777ffae64d31307a794694621c798d4971bf08fb991261a3b92a4407e2e8b2e1e238a16956b34f14128d9f08516218e990ace940b6dbfd8e5f:3a9fb66615443315d3dae853c5219026>
O20 - Winlogon Notify: vtustqo - C:\WINDOWS\system32\vtustqo.dll

_______________________________________________

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
___________________________________
Download AVG Anti-Spyware.

Install AVG Anti-Spyware.
Launch AVG by double-clicking on the icon.
The program will now open to the main screen.
You will need to update AVG to the latest definition files.
- At the top of the main screen click Update.
  - Then in the Manual Update section, click on Start Update.
The update will start and a progress bar will show the updates being installed.
When updates are completed, close AVG.

If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates
Do not use it yet.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
___________________________

Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Do not automatically generate reports
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot normaly
__________________________
Please post:

c:\rapport.txt
AVG log
A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

______________________________________________

10-03-2007, 03:59 PM	#6 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star From here on in when I ask for a hJT log Navigate to and find C:\Program Files\Trend Micro\HijackThis\Owner.exe You can right click that file and choose send to : Desktop (create shortcut) for your convenience. This will post just the HJT portion of the log. No reason for me to see all that DSS see's more than once. _____________________________ HJT Run hijackthis and choose scan only and place a check by the following lines if present. Close all other windows and browsers except HJT before clicking on Fix Checked O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\vtustqo.dll O2 - BHO: (no name) - {D40A2633-1554-4CE9-B1BB-14B18F7BD1ED} - C:\WINDOWS\system32\ddayw.dll O3 - Toolbar: (no name) - - (no file) O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file) O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O4 - HKEY_LOCAL_MACHINE\..\RunOnceEx: [Flag] 2 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing) O15 - Trusted Zone: <https://turbotax.com> (HKCU) O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} () - <http://cabs.elitemediagroup.net/cabs/mediaview.cab> O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} () - http://static.zangocash.com/cab/Seek...dae853c5219026 <http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?0993688dc438777ffae64d31307a794694621c798d4971bf08fb991261a3b92a4407e2e8b2e1e238a16956b34f14128d9f08516218e990ace940b6dbfd8e5f:3a9fb66615443315d3dae853c5219026> O20 - Winlogon Notify: vtustqo - C:\WINDOWS\system32\vtustqo.dll _______________________________________________ Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes. ___________________________________ Download AVG Anti-Spyware. Install AVG Anti-Spyware. Launch AVG by double-clicking on the icon. The program will now open to the main screen. You will need to update AVG to the latest definition files. At the top of the main screen click Update. Then in the Manual Update section, click on Start Update. The update will start and a progress bar will show the updates being installed. When updates are completed, close AVG. If you are having problems with the updater, you can use this link to manually update AVG. AVG manual updates Do not use it yet. Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe mode. Login on your usual account. ______________________________ Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ______________________________ Navigate to C:\Windows\Temp Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. Navigate to *C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp* Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. Clean out your Temporary Internet files. Proceed like this: Quit Internet Explorer and quit any instances of Windows Explorer. Click Start, click Control Panel, and then double-click Internet Options. On the General tab, click Delete Files under Temporary Internet Files. In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK. On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK. Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK. Click OK. Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin. ______________________________ Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter. Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ___________________________ Run AVG Anti-Spyware Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan. Click on Scanner on the toolbar. Click on the Settings tab. Under How to act? Click on Recommended Action and choose Quarantine from the popup menu. Under How to scan? All checkboxes should be ticked. Under Possibly unwanted software: All checkboxes should be ticked. Under Reports: Select Do not automatically generate reports Under What to scan? Select Scan every file. Click on the Scan tab. Click on Complete System Scan to start the scan process. Let the program scan the machine. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button. Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2) At the bottom of the window click on the Apply all Actions button. (3) When done, click the Save Scan Report button. (4) Click the Save Report as button. Save the report to your Desktop. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes. Reboot normaly __________________________ Please post: c:\rapport.txt AVG log A new HijackThis log Your may need several replies to post the requested logs, otherwise they might get cut off. ______________________________________________ __________________