Missing Wallpaper; Only sidebar & desktop icons/shortcuts are disp, I once had that PRIVACY DANGER wallpaper, I followed the steps in '
sage5
post May 26 2008, 06:35 AM
Post #16


RIP 10/2009
Posts: 2,646
From: NE Victoria, Australia
OS: WinXp SP3



Hi dressydoll,

There seems to be a strange Desktop image loaded on your PC.
If you have installed this deliberately please skip this Item.
Otherwise, follow these next instructions:


Go to Start > Control Panel > Display properties > Desktop > Customize Desktop > Web tab
Uncheck and delete everything you find in there (except for "My current home page")
Also remove the checkmark from the Lock Desktop Items box if it is checked.
Click Apply, Apply and Exit Display properties.

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:

O24 - Desktop Component 0: (no name) - http://www.uogamers.com/forum/images/artakus/artakus_bg.gif
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.



Please rescan with HijackThis & post the log created.

Cheers,

sage5

This post has been edited by sage5: May 26 2008, 06:36 AM
dressydoll
post May 26 2008, 10:50 AM
Post #17


Member
Posts: 12
From: Cavite
OS: XP SP2



sage5, I didn't see the entry that you said. The last entry on HijackThis was O23 - Service: Indexing Service (CiSvc) - Unknown Owner - C:\WINDOWS\system32\cisvc.exe (file missing)

Look at the screen shot.


This post has been edited by dressydoll: May 26 2008, 11:02 AM
sage5
post May 27 2008, 01:45 AM
Post #18





Can you post me a fresh HijackThis log to check you are all clear?
dressydoll
post May 27 2008, 05:35 AM
Post #19





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:26 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

--
End of file - 3690 bytes
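
An added example (not part of the original thread and not HijackThis code): a small Python triage pass over a HijackThis log like the one above. It parses the `CODE - detail` entry lines and lists entries whose target file is absent, plus O24 desktop components that load content from a URL, the kind of entry fixed earlier in this thread. The function names and the two triage rules are assumptions made for this illustration, and a flagged line is a prompt for manual review, not a verdict.

```python
import re

# One HijackThis entry: section code (R0, O4, O23, ...), " - ", then the detail text.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.+)$")
# HijackThis appends these markers when the referenced file is not on disk.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
REMOTE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_entries(log_text):
    """Return (code, detail) tuples for entry lines; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("detail")))
    return entries


def triage(log_text):
    """Return (code, reason, detail) for entries worth checking by hand (assumed rules)."""
    flagged = []
    for code, detail in parse_entries(log_text):
        if ORPHAN.search(detail):
            flagged.append((code, "target file absent", detail))
        elif code == "O24" and REMOTE.search(detail):
            flagged.append((code, "desktop component loads remote content", detail))
    return flagged


# Sample assembled from lines quoted in this thread.
SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.uogamers.com/forum/images/artakus/artakus_bg.gif
"""

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE):
        print(f"{code:>3}  {reason}: {detail}")
```
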
sage5
post May 27 2008, 07:54 AM
Post #20





Hi dressydoll

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.

Clean out cookies, temp files etc:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Cleanup with OTMoveIt:
  • Please double-click OTMoveIt2.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.


To Clear Restore points, please do the following:
  • Go to Start > Settings > Control Panel.
  • Double-click the System icon.
      NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.
  • Click the System Restore tab.
  • Put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the Troubleshooting tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.


Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:-

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
Malwarebytes Anti-Malware is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5

This post has been edited by sage5: May 27 2008, 07:55 AM
dressydoll
post May 27 2008, 08:20 AM
Post #21





sage5

I can't seem to find the OTMoveIt software. And when I go to SYSTEM in Control Panel, I didn't find the System Restore tab.

This post has been edited by dressydoll: May 27 2008, 08:35 AM
sage5
post May 27 2008, 06:15 PM
Post #22





You should have downloaded OTMoveIt in the first instructions, but maybe that got missed.
Try this:

Time for some housekeeping:
    Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


When that is done try to access System Restore via:
Start > Right Click on My Computer > select Properties.
There should be a System Restore tab on that page.

If not see if the System Restore option is available at Start > Help & Support > Pick a Task
dressydoll
post May 28 2008, 02:33 AM
Post #23





sage5

I am receiving an error message.

'Windows cannot find helpctr.exe'
sage5
post May 28 2008, 08:47 AM
Post #24





Sounds like at least one of your System Files has been fried during the infection and/or fix.

It is simple to fix:

System File Checker:
  • Go to Start > Run and type sfc /scannow (Note the space between the c & the /)
  • /scannow starts the System File Checker immediately.
  • You will probably need your Windows XP CD to be handy as it may be required.
    If you have Service Pack 2 installed, you will need the SP2 version of the CD. This can be done with a borrowed CD, if you don't have one.
  • Allow the scan to run and when complete reboot the system


This post has been edited by sage5: May 28 2008, 08:49 AM
sage5
post Jun 10 2008, 06:43 AM
Post #25





Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.