Hi, I have had a virus/spyware problem for about a week and I can't get rid of it. Please help!

THE ORIGINAL PROBLEM:
- IE crashed (luckily I had WINSCP2 installed, so I was able to download different AV programs and install Mozilla, using my Unix account at work)
- The Desktop showed a black-and-red screen, said "DANGER: SPYWARE" and contained a link to a page where they sell some so-called anti-spyware programs (I think I have saved a copy of the text in HTML format)
- The Desktop wallpaper couldn't be changed through the Windows settings
- All my previous icons on the Desktop disappeared, except "My Files", "My Computer", "AOL", "IE", "Trash"
- My Desktop icons still exist in the folder C:\Documents and Settings\"My name"\Desktop
- All new icons that I install on the new black-and-red desktop appear twice
- Right-click is disabled on the desktop and in Explorer

If I'm not wrong (see the post of Cretemonster on http://www.geekstogo.com/forum/DANGERSPYWARE_Problem-t13784-s15.html), this virus is called Spywad-B, and there are 2 programs that claim to deal with it: NOD32 and Sophos AV, but they don't; NOD32 cannot be updated after installation (this option is not available) and Sophos AV doesn't start (it claims some, actually nonexistent, compatibility problems with the system).

WHAT I DID: scanned the computer with
- AVG 7.0
- Ad-Aware SE (+VX2 cleaner plugin)
- Spybot S&D
- avast! Antivirus
- stinger AV
- Kill2Me
- TDS3
- HSremove
- CWShredder
- vcleaner
- AboutBuster
- HijackThis (saved in the folder Hijack on the desktop)
- online scans at Panda, Trend Housecall

All the programs are updated versions. Some scans were successful (removed the detected malware), some weren't (malware couldn't be removed or appeared again at the next scan). No malware was detected yesterday. IE works again. I have read the post http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html and followed the instructions.

I have also read the thread http://www.geekstogo.com/forum/DANGERSPYWARE_Problem-t13784-s15.html and I have downloaded the programs that were recommended there:
- SpSeHjfix
- StartDreck
- Pocket KillBox
(I haven't used them yet.)

WHAT I ALSO DID (maybe some of it was wrong):
- Because I couldn't change the wallpaper, I picked a web page for it, namely a blank one; as a result, the desktop was split in 2, one side still containing the "DANGER SPYWARE" screen, the right-hand side white, and right-clicking was allowed there. The border can be moved to the right or left, but now the corresponding web page cannot be deleted from the desktop settings.
- Panda detected some files, and I deleted them. Many of them had 3-letter names, were HTML files (such as desktop.html and popup.html, see the post from Cretemonster) and contained the "DANGER SPYWARE" image. So this image is now gone. Panda also detected a file called C:\WINDOWS\system32\webdlg32.inf that I couldn't find with Explorer, so I couldn't delete it. Later on, TDS3 detected it too and deleted it.
- A few days ago I took the liberty of fixing some entries in the registry using HijackThis. I chose the entries that referred to something the AV programs also referred to. So I don't think I removed anything vital; the computer works.
- Yesterday I tried to improve the image quality to watch a DVD during the day, so I edited the THX settings from ATI >> Settings >> Advanced >> "Covering" (I have a German Windows and it's called "Ueberlagerung"; it's on the same line as "Direct3D" and "Options"). Now these settings are enabled, but I can't change them anymore (all buttons are disabled).

THE PROBLEM TODAY:
- The computer is very slow (might also be due to multiple AV programs; I will uninstall avast!)
- Right-click is disabled on the desktop and in Explorer.
- Moreover, double-clicking "C:\" in My Computer opens a Search window and does not open the drive folder (I have to select "Open" in the File menu)
- Old desktop icons are hidden and any new icon appears twice
- Wallpaper cannot be changed; it is split in 2 and the border can be moved: the left-hand side is monochrome (I can set the colour) and admits no right-click; the right-hand side is a white (blank) web page that can be set but not removed
- Colour settings for THX (e.g. Power DVD) cannot be changed. (Please note that I'm not talking about the settings of Power DVD, but the monitor settings.)

Please help me and tell me what to do. I don't think I'm able to remove the right entries in the registry.

HERE IS MY HIJACKTHIS LOG FILE

Logfile of HijackThis v1.99.1
Scan saved at 16:17:20, on 11.04.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Antivirus\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Antivirus\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Programme\TV PVR\RecSche.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\ANTIVI~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\RegisterTools\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\WINDOWS\System32\remote.exe
C:\Desktop\Hijack\HijackThis.exe
C:\Programme\Antivirus\Alwil Software\Avast4\setup\avast.setup

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.polytechnique.fr:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AddressBar Class - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - C:\WINDOWS\system32\iasad.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows System Manager] winsystem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Programme\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] C:\Programme\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
O4 - HKLM\..\Run: [LVRemote] C:\WINDOWS\System32\remote.exe
O4 - HKLM\..\Run: [RecSche] "C:\Programme\TV PVR\RecSche.exe"
O4 - HKLM\..\Run: [Vbaqn] C:\WINDOWS\epbto.exe
O4 - HKLM\..\Run: [V÷h$æÆõö/ØF%)ßfÏNbC:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\epbto.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOKUME~1\FLORIN~1\LOKALE~1\Temp\keep.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\GEMEIN~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Jfg] C:\WINDOWS\Uij.exe
O4 - HKLM\..\Run: [Bfu] C:\WINDOWS\Ikg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ANTIVI~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows System Manager] winsystem.exe
O4 - HKCU\..\Run: [Jfg] C:\WINDOWS\Uij.exe
O4 - HKCU\..\Run: [Bfu] C:\WINDOWS\Ikg.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Programme\RegisterTools\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA20D1B-27B2-46F4-BA90-7A172F950C83}: NameServer = 139.18.25.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mathematik.uni-leipzig.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mathematik.uni-leipzig.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mathematik.uni-leipzig.de
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Antivirus\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Antivirus\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Antivirus\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Antivirus\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

(I also have a log in safe mode, but I think my post is already long as it is.)
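A small triage helper for the O4 autostart lines in a log like the one above, written as an added example here and not part of the original post or of HijackThis: it parses each entry and flags the ones a reviewer would look at first (a bare file name with no path, a program launched from a Temp directory, and one value name registered in several Run/RunServices keys). The sample lines are copied from the posted log; the heuristics are review prompts, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Windows System Manager] winsystem.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOKUME~1\FLORIN~1\LOKALE~1\Temp\keep.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows System Manager] winsystem.exe
"""

# hive, Run/RunServices subkey, registry value name, command line
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')

def parse_o4(log_text):
    """Return (hive, subkey, value_name, command) for every O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def triage(log_text):
    """Map each O4 value name to the set of review flags it triggers.
    no_path    - bare file name: Windows resolves it via the search path,
                 so the file actually launched is not pinned down.
    temp_dir   - launched from a Temp directory, unusual for installed software.
    multi_hive - same value name registered in several Run/RunServices keys.
    """
    flags = defaultdict(set)
    locations = defaultdict(set)
    for hive, subkey, name, cmd in parse_o4(log_text):
        locations[name].add(f"{hive}\\{subkey}")
        if not re.match(r'^"?[A-Za-z]:\\', cmd):
            flags[name].add("no_path")
        if re.search(r'\\temp\\', cmd, re.IGNORECASE):
            flags[name].add("temp_dir")
    for name, locs in locations.items():
        if len(locs) > 1:
            flags[name].add("multi_hive")
    return dict(flags)

if __name__ == "__main__":
    for name, fl in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name}: {', '.join(sorted(fl))}")
```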