Page 1 of 2

Help! - MSN Virus

Posted: 25 Nov 2006, 20:36
by robertzombie
A couple of minutes ago my friend sent me a message on MSN saying:
"Hey, is this a picture of you?" followed by a URL.

Obviously I was curious, so I clicked on the link and suddenly all manner of things started installing and my MSN started to automatically send this link to all of my online contacts :eek:

So I turned the PC off. Then turned it back on again to find 3 new Desktop shortcuts, Windows Help/Support kept opening and a website opened which typed: "Hey, is this a picture of you?" followed by a URL into the address bar.

I pressed CTRL+Alt+Del to find that a program called visionbasic (I think) was running about ten times. So I ended all "visionbasics" and the problem with Help continuously opening appeared to stop. Then I ran an Ad-Aware scan and it found the usual stuff + a trojan horse :cry: so I removed that.

I went on Add/Remove programs to look for any suspicious things and removed an "888 toolbar." Everything else looked normal.

I then restarted the PC. Everything was as it should be except for a message coming up about MSN Messenger and this website automatically opened and typed in that link. So I closed it quickly so I didn't redownload the file(s).
I then uninstalled MSN Messenger.

I looked on a few help forums and they recommended that I remove MSN from start up and look in My MSN Received Files and locate the dodgy file and delete it there. Seeing as I'd already uninstalled Messenger I couldn't do this.

I then ran a Norton update, it said I had to restart my PC to continue. I restarted and everything was fine except the internet auto-opening with the same URL thing, again I quickly closed the internet.

I'm currently running a Norton AntiVirus full system scan.
Hopefully it will locate and remove any more troublesome files and this thread can be binned.

But if the problem persists (which as far as I can tell is just this website auto-opening on start up) does anyone know how I can remove/fix this problem?
:cry:

Any help is GREATLY appreciated

Posted: 25 Nov 2006, 20:51
by James Blast
you usually can select and change the 'open page at launch' in any of the browsers I use (Camino, Safari and Firefox) under preferences, so I'd look there but I'm on a Mac and I don't have that virus shyte to deal with ;D

Posted: 25 Nov 2006, 20:57
by robertzombie
OK the virus scan completed, it found 0 problems.
So I restarted the PC but that bloody page opened again. The website address that it wants to open is
"web.links4all.biz"

I don't know if it then links to another website coz I closed it straight away.

How do I stop this from opening on start up? (I use Internet Explorer, save the jokes)

Posted: 25 Nov 2006, 21:05
by CellThree
If you know the name of the virus/spyware you got, do a Google Search for cleaning instructions, some of them are little buggers. Once you've followed those instructions do the following:

Run Adaware again, see if it finds anything.

Download and install Spybot - Search and Destroy. Update it and run it.

Download and install Spyware Blaster. Update it and hit the Enable All protection option.

And the reason people are banging on about using Firefox as your main browser rather than IE is because of the exact thing that has happened to you! Use Firefox!

Posted: 25 Nov 2006, 21:10
by Andie
first up...delete all your cookies
second...in your control panel (found on your startup) select the icon for internet options and select your home page url (or use blank to see if it works)...apply!

my guess is that you have a nasty which will not be moved...and without seeing the actual files in the folder to be removed you'll never find all of them...they self populate/reproduce...

back up all your saveable stuff...get as much online as you can and on disc...then...re-format your hard drive...re-install all your drivers/software programs and before you insert any of your backed-up discs get yourself a decent virus scanner (Panda springs to mind...six months free too)...bin your Norton as it's s**t!

enjoy!

Posted: 25 Nov 2006, 21:47
by robertzombie
I did as CellThree said and ran those two anti-spyware programs.

They found problems and stuff. I removed the problems, restarted my computer and again this site opens. So I (reluctantly) let the site fully open and it's just a blank page :?

How do I view my startup procedure and stop this site from opening?

Posted: 25 Nov 2006, 22:08
by steamhammerdave
James Blast wrote: I'm on a Mac and I don't have that virus shyte to deal with ;D
Not quite how I would have put it had you not got there before me.... :cry:

Posted: 25 Nov 2006, 22:45
by Corinthian
robertzombie wrote: How do I view my startup procedure and stop this site from opening?
You can use AutoRuns from Sysinternals to see startup settings http://www.microsoft.com/technet/sysint ... oruns.mspx Also Process Explorer is very useful. Have also used TrojanHunter http://www.misec.net/ on a 30 day evaluation to kill spyware that Spybot detects but does not remove completely.

Michael

Posted: 25 Nov 2006, 22:48
by Andie
robertzombie wrote: I did as CellThree said and ran those two anti-spyware programs.

They found problems and stuff. I removed the problems, restarted my computer and again this site opens. So I (reluctantly) let the site fully open and it's just a blank page :?
that's all they need...just to confirm it's blank...click on the tab {View} and then {source}...if there's nothing there in the HTML code then it's blank
robertzombie wrote: How do I view my startup procedure and stop this site from opening?
see my above post...been there, done that, got the T-shirt!

Posted: 25 Nov 2006, 22:52
by CellThree
How to get to startup :

1. Click Start
2. Click Run
3. Type in MSCONFIG
4. Go to the Startup tab
5. Have a look down the list of the ticked objects and see if anything looks suspicious.

Why do people buy Anti-virus, Firewalls and Anti-spyware programs? There are good free ones available on the net. Removal tools for viruses and spyware can usually be found on the net for free as well.

Using the tools I've already mentioned plus AVG Anti-virus Free and Kerio Free firewall I've never had a virus/trojan or any spyware (bar a few cookies) in the past 4 years.

Posted: 25 Nov 2006, 22:59
by Nic
Burn wrote:
robertzombie wrote: How do I view my startup procedure and stop this site from opening?
see my above post...been there, done that, got the T-shirt!
Don't you mean, been there, done that, got the virus?

:innocent:

Posted: 25 Nov 2006, 23:44
by James Blast
best I stop watching this topic... ;D

Posted: 26 Nov 2006, 03:20
by eotunun
For the startup list etc. I use Registry cleaner. It tells you quite a bit about what's happening on your computer, helps you at uninstalling software, can tell you which files get used by what software etc. A nice thing for Windows.
I forbid my firewall to let the IE get access to the web. I don't trust it. There are other browsers indeed, I'd consider Opera for Windows, Firefox, or simply search through the freeware pages for a browser nobody uses and you like. It's less interesting for malware to attack not so widely spread software, thus it hardly does.
@James: No shopping guide this time? :D
Oh, and robertzombie, what about an alternative OS for you? It's a lot of work to get into a new operating system, but it surely pays off in the long run.

Posted: 26 Nov 2006, 03:28
by CellThree
Ccleaner (Crap Cleaner) has a nice thing for editing your startup menu although it deletes the entries rather than just disabling them. It's a useful program though as it cleans the registry as well as deleting all your junk files (browser caches, temp files etc etc) from the computer.

Posted: 26 Nov 2006, 18:33
by Izzy HaveMercy
If it is still there after all these guys said, find a wee proggie called HijackThis.

Run it, DON'T LET IT DELETE ANYTHING YET, but just print off the list of stuff it detects and post it here or send me a PM...

IZ.

Posted: 26 Nov 2006, 18:37
by Nic
CellThree wrote: Ccleaner (Crap Cleaner) has a nice thing for editing your startup menu although it deletes the entries rather than just disabling them. It's a useful program though as it cleans the registry as well as deleting all your junk files (browser caches, temp files etc etc) from the computer.
Yes CCleaner is a great program, I can really recommend that.

You can download it for free here.

Posted: 26 Nov 2006, 21:02
by robertzombie
Logfile of HijackThis v1.99.1
Scan saved at 19:57:57, on 26/11/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\QSGOGX\TEZAFM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMSX.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
C:\PROGRAM FILES\INKLINE GLOBAL\PC BOOSTER\PCBOOSTER.EXE
C:\WINDOWS\WINSTALL.EXE
C:\PROGRAM FILES\COMMON FILES\{1BE62B74-0000-2057--002C}\UPDATE.EXE
C:\PROGRAM FILES\EPSON\EPSON SMART PANEL FOR SCANNER\ESPMAIN.EXE
C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\EREG\REMIND32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTERVIDEO\COMMON\BIN\WINCINEMAMGR.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mepxdtzk] C:\PROGRAM FILES\QSGOGX\TEZAFM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\SYSTEM\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\WINSTALL.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/A ... ngctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://hisinfernalmajesty666.spaces.liv ... nPUpld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://newdesk.eur.sgcib.com/ICAWEB/en ... wficat.cab

Posted: 26 Nov 2006, 22:27
by Dan
I was gonna suggest hijackthis but someone beat me to it. Looking at the log, the following seem dodgy.

C:\PROGRAM FILES\QSGOGX\TEZAFM.EXE
O4 - HKLM\..\Run: [Mepxdtzk] C:\PROGRAM FILES\QSGOGX\TEZAFM.EXE

Dunno what these 2 are, the filenames suggest something random and nasty, unless you recognise what it is.



C:\WINDOWS\WINSTALL.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\WINSTALL.EXE

These 2 are possibly a virus of some sort: http://www.bleepingcomputer.com/forums/topic22402.html


Delete at your own risk, or wait for someone else to concur, but if it was me I'd delete those 4.
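
Dan's read of the log above and CellThree's MSCONFIG walkthrough both come down to the same question: which autostart entries deserve a look first? The two tells used in the thread are a folder and value name that look machine-generated (QSGOGX, Mepxdtzk) and a Run value named after a core Windows binary ([explorer]) that actually launches something else (WINSTALL.EXE). The script below is an added example, not code from the thread, from HijackThis or from any of the tools mentioned: it parses O4 lines in the HijackThis log format and ranks them with exactly those two heuristics. The vowel-share cutoff, the score weights and the threshold are assumptions chosen for this illustration, and the sample log is a constructed excerpt of the lines posted above. It is a prioritisation aid, not a verdict: anything it flags still has to be checked against a known-process database before deleting, as Dan says.

```python
"""Triage the autostart (O4) entries of a HijackThis log.

Two cheap heuristics, meant to rank entries for a human rather than to
prove malware (cutoffs and weights are assumptions for this example):
  * spoofed name: a Run value named after a core Windows binary
    (explorer, svchost, ...) whose command launches a different file;
  * random-looking token: a value name, or the vendor folder directly
    under Program Files, with almost no vowels, as a generator makes.
"""
import re
from dataclasses import dataclass, field

# Run-key lines:   O4 - HKLM\..\Run: [Name] C:\path\prog.exe -args
# Startup folder:  O4 - Startup: Name.lnk = C:\path\prog.exe
RUNKEY_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?)\.lnk = (?P<cmd>.+)$")
# Launched file: first token ending in an executable extension, quoted or
# not (unquoted paths may contain spaces, so split on extension, not space).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|dll|bat|pif))"?', re.IGNORECASE)

CORE_BINARIES = {"explorer", "svchost", "winlogon", "lsass", "csrss",
                 "services", "rundll32", "system"}
VOWELS = set("aeiouy")


@dataclass
class Entry:
    location: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)
    score: int = 0


def parse_o4(lines):
    """Yield an Entry for every O4 line; all other log lines are ignored."""
    for line in lines:
        line = line.strip()
        if m := RUNKEY_RE.match(line):
            yield Entry(f"{m['hive']}\\..\\{m['key']}", m["name"], m["cmd"])
        elif m := STARTUP_RE.match(line):
            yield Entry("Startup folder", m["name"], m["cmd"])


def exe_path(cmd):
    """Launched file with surrounding quotes and trailing arguments removed."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip().split()[0]


def stem(path):
    """File name without directory or extension."""
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def vendor_folder(path):
    """Folder directly under Program Files (8.3 short form included), else None."""
    parts = re.split(r"[\\/]", path)
    for i, part in enumerate(parts[:-2]):
        if part.upper() in ("PROGRAM FILES", "PROGRA~1"):
            return parts[i + 1]
    return None


def looks_random(token):
    """Letters-only token of 6+ chars whose vowel share is at most 20% (assumed cutoff)."""
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    return sum(c in VOWELS for c in t) / len(t) <= 0.2


def score_entry(e):
    exe = exe_path(e.cmd)
    exe_stem = stem(exe).lower()
    if e.name.lower() in CORE_BINARIES and exe_stem != e.name.lower():
        e.score += 3
        e.reasons.append(f"value named after a core Windows binary but launches {exe}")
    folder = vendor_folder(exe)
    if folder and looks_random(folder):
        e.score += 2
        e.reasons.append(f"random-looking vendor folder {folder!r}")
    # A value merely named after its own binary (LVCOMSX -> LVCOMSX.EXE) is
    # not evidence, which keeps terse but legitimate names out of the list.
    if looks_random(e.name) and e.name.lower() != exe_stem:
        e.score += 1
        e.reasons.append(f"random-looking value name {e.name!r}")
    return e


def triage(lines, threshold=2):
    """Return entries scoring at or above threshold, highest score first."""
    scored = [score_entry(e) for e in parse_o4(lines)]
    return sorted((e for e in scored if e.score >= threshold),
                  key=lambda e: (-e.score, e.name))


# Constructed sample: an excerpt of the O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mepxdtzk] C:\PROGRAM FILES\QSGOGX\TEZAFM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\SYSTEM\LVCOMSX.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\WINSTALL.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.score}] {e.location} [{e.name}] {e.cmd}")
        for reason in e.reasons:
            print("      -", reason)
```

On the sample it surfaces exactly the two entries the thread settled on, each with its reason, and leaves LVCOMSX and SSDPSRV alone even though their names are vowel-poor, because in those cases the value name is simply the binary's own name. Lowering the threshold to 1 shows the noisier single-signal hits, which is the usual trade-off with name-based heuristics.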

Posted: 26 Nov 2006, 22:33
by robertzombie
Yeh I thought "QSGOGX\TEZAFM.EXE" looked dodgy. I will remove that but I'll wait for confirmation on "C:\WINDOWS\WINSTALL.EXE"

thanks for the help :)

Posted: 26 Nov 2006, 22:33
by mh
Getting a Mac or switching to Linux may not be an option cos of the relearning involved, but at the very least you need to get off Windows ME :evil:. It has so many back doors left wide open that even scotty could probably break in. And they won't be closed either cos it's a dead OS.

If you need to stick to Windows, I suggest 2000 Pro or XP Pro (not Home) and spending some time learning how to use the Group Policy Editor. It can really help a lot to prevent this kind of thing from ever happening again.

Using Firefox is also highly recommended.

There's lots of nassssty looking stuff up there in your HKLM\...\Run key, by the way, so I've a feeling that you got lucky here in that what happened at least had a visible manifestation rather than lurking in the background doing bad things, and so alerted you to these in the first place.

Posted: 26 Nov 2006, 22:33
by Dark
That's been spreading around the guys from school's MSN accounts too.. I ended up using Remote Assistance to control two girls' PCs to download anti-spyware programs, turn their firewalls on, and use virus scans.

It's fun being tech support to the incapable.. as I'm sure scotty well knows. ;)

Posted: 26 Nov 2006, 22:36
by mh
robertzombie wrote: Yeh I thought "QSGOGX\TEZAFM.EXE" looked dodgy. I will remove that but I'll wait for confirmation on "C:\WINDOWS\WINSTALL.EXE"

thanks for the help :)
In over 8 years of supporting all versions of Windows from 95 up at both client and server level, I've never heard of a legit process called "winstall.exe", so I'd remove that too.

Mostly the stuff in your "Run" keys are little "helper" applications that you never really actually need, so they can be very safely deleted.

Posted: 26 Nov 2006, 22:45
by Dan
This is a useful page: http://www.hijackthis.de/index.php?langselect=english
You paste the hijackthis log into it and it tells you what each process is (if it knows).

One tip: When pasting in the log, omit the first line (Logfile of HijackThis v1.99.1), as if you don't have the latest version of hijackthis the ruddy page actually refuses to analyse the log until you've downloaded the newest version!

You still need to take care in removing things as that page says some stuff is bad when it isn't, so take care.

Incidentally my hijackthis log is 57 lines (XP Pro) compared to this one 123 lines!

Posted: 26 Nov 2006, 22:47
by robertzombie
I removed "QSGOGX\TEZAFM.EXE" and "C:\WINDOWS\WINSTALL.EXE", restarted the PC and the site didn't come up! :D SUCCESS!

Thanks guys :notworthy:

Posted: 26 Nov 2006, 23:10
by Izzy HaveMercy
Dan wrote: I was gonna suggest hijackthis but someone beat me to it. Looking at the log, the following seem dodgy.

C:\PROGRAM FILES\QSGOGX\TEZAFM.EXE
O4 - HKLM\..\Run: [Mepxdtzk] C:\PROGRAM FILES\QSGOGX\TEZAFM.EXE

Dunno what these 2 are, the filenames suggest something random and nasty, unless you recognise what it is.



C:\WINDOWS\WINSTALL.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\WINSTALL.EXE

These 2 are possibly a virus of some sort: http://www.bleepingcomputer.com/forums/topic22402.html


Delete at your own risk, or wait for someone else to concur, but if it was me I'd delete those 4.
I PMed him exactly the same! ;D

Winstall is indeed spyware (I always use the LIUTILITIES website to check), and that other one indeed looked dodgy...

IZ.