[steel]

I had a my desktop changed to a red desktop with Danger: Spyware and some links to some spyware removal website. After running the programs in the read this before posting, it got rid of the red background and the Danger: Spyware ad, but no my desktop is just blue. I noticed it's looking in c:\desktop for my desktop icons instead of c:\documents and settings\administrator\desktop like it should. As well, I can't right click in explorer or my desktop, or bring up the task menu with the keyboard, and simple explorer commands like open a folder or especially copy & paste cause explorer to close (my start bar disappears, then comes back as it loads back up and all open explorer and internet explorer windows are closed). Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:13:25 PM, on 06/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
c:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112317773711
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks for your help

[Advertisements]

Unwanted advice removed

Edited by ScHwErV, 08 April 2005 - 07:48 PM.

[fatih]

Unwanted advice removed

Edited by ScHwErV, 08 April 2005 - 07:48 PM.

[steel]

I don't have any restore points before the spyware started affecting my computer.

[spywareproblems]

Unwanted advice removed

Edited by ScHwErV, 08 April 2005 - 07:43 PM.

[steel]

Thanks for your help. I can right click again and change my desktop. I've got 2 more questions though. First, all my desktop icons appear twice..and it's not a second copy cause if i delete one and try to run the identical one, it says it doesn't exist anymore. Somehow it's refrencing the same icons and folders twice. Secong thing is spybot comes up at startup and says a System Startup global registry entry - value deleted. Entry: secboot. Old data: C:\windows\system32\vtd_16.exe !! Should i allow or deny this change? Thanks again for the help. I've included a new HijackThis log in case it helps

Logfile of HijackThis v1.99.1
Scan saved at 12:21:21 AM, on 08/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
c:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112317773711
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Mark

[fatih]

to steel you dont have to have restore points,you can back to a date your system,this chance is available for all windows xp,i hope this is enough explanatory

[ukmobil]

A couple of checkers I use both indicate R3 should be fixed - I don't know if that will resolve the problem but at least you'll have dealt with one problem.

[spywareproblems]

unwanted advice removed

Edited by ScHwErV, 08 April 2005 - 07:41 PM.

[steel]

faith - The spyware is removed from my system, I don't need to to back to a restore point.

ukmobil - That's not the problem. That's my search URL.

When the spyware first started affecting my computer (changed my desktop to C:\desktop instead of where it's supposed to be) all my icons added to that desktop started showing up twice. I'm guessing that an extra registry value was added which also points to my desktop besides the correct one, making windows look threw my folder twice when looking for icons/folders and putting them on there twice.

In a search threw my registry, I found in "HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" a value Desktop, which point to my desktop, and a value named CustomDesktop, which also points to my desktop. Should the CustomDesktop value be deleted? Could somebody please verify that this key is not needed? I found the same 2 values in "HKEY_USERS\S-1-5-21-1343024091-854245398-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

As well, in "HEKY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" I found the value CommonDesktop which also pointed to my desktop location. Does this mean that all icons from that location are put on every users desktop plus their own icons? Cause this could also be the problem. If that's the case, changing that value to an empty folder would fix the problem.

I'll wait for someone more knowledgeable than myself to tell me if either of those guesses are correct before I change anything in my registry.

Thanks for you help

Edited by steel, 08 April 2005 - 02:34 PM.

[spywareproblems]

Unwanted advice removed

Edited by ScHwErV, 08 April 2005 - 07:40 PM.

[Avohir]

TO ALL MEMBERS REPLYING IN THIS THREAD

if you'd like to post help, you need to join GeekU.

to the thread starter: please wait for a Staff member to assist you, as advice from members may be ineffectual, or even harmful

[jconsuelos]

How do you remove the spyware?

What is the solution Staff members?

You can re-edit the previous answers to see the solution?

10x

B B J

[steel]

I fixed all the problems. If anyone else needs help with this issue, message me and i'll be able to help you out.

Steel