[nyjens]

Please help! I had a System Stopped desktop background that I finally got rid of with one of my spyware programs, but I still can't change the desktop background. Also, My Notepad program doesn't work, and I keep getting popups from Aurora, part of the ABI network. Computer is running very slowly, and I've tried running Trend micro, spybot search and destroy, adaware, spyware blaster, spy sweeper, ewido security suite and I've tried doing that nailfix killbot in safe mode fix, but nothing has worked. These were all at the advice of other sites. Hopefully I haven't screwed things up too badly!

Logfile of HijackThis v1.99.1
Scan saved at 2:50:50 PM, on 6/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.msnbc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msnbc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msnbc.com
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120167562001
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

[Advertisements]

Still having problems... help!

[nyjens]

Still having problems... help!

[Excal]

Hi nyjens and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.



Excal

[nyjens]

Logfile of HijackThis v1.99.1
Scan saved at 2:06:45 PM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.msnbc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msnbc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msnbc.com
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120167562001
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

[Excal]

Your log looks clean. There must be something hiding on us.

Lets see if this gets your desktop back.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then reboot.


After reboot check to see if you can adjust your desktop.

Run this online virus scan: ActiveScan - Save and post the results from the scan!

Thanks,



Excal

[nyjens]

Ok I can change my wallpaper now. THANKS! Here are the results of the activescan:


Incident Status Location

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini
Adware:Adware/MemoryWatcher No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\Jen\LOCALS~1\Temp\cfout.txt
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\tool1.exe
Adware:Adware/Transponder No disinfected C:\DOCUME~1\Jen\LOCALS~1\Temp\DrTemp
Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\vx.tll
Adware:Adware/PopCapLoader No disinfected C:\Documents and Settings\Jen\Desktop\backups\backup-20050428-200348-722.inf
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Jen\Desktop\backups\backup-20050626-141022-303
Adware:Adware/PopCapLoader No disinfected C:\Documents and Settings\Jen\Desktop\backups\backup-20050626-141023-134.inf
Adware:Adware/Midaddle No disinfected C:\Documents and Settings\Jen\Local Settings\Temp\Cw6XF24iZ.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Jen\Local Settings\Temp\i5.tmp
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\hosts
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini
Adware:Adware/Transponder No disinfected C:\WINDOWS\ryunwr.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050626-221035.backup
Virus:Trj/Downloader.DGU Disinfected C:\WINDOWS\system32\msdcom32.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vx.tll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxh8jkdq5.exe
Virus:Trj/LowZones.EZ Disinfected C:\WINDOWS\tool1.exe

[Excal]

Hi nyjens,

Glad you got your desktop back!

Just a few random bad files and folders to clean up.

Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\hosts

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• Click on "Delete File on Reboot"
• Navigate to this file - C:\WINDOWS\tool1.exe
• Double click on that file.
• HJT asks you if you want to reboot, now. Click "no".
  
  Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.

C:\WINDOWS\System32\vx.tll
C:\Documents and Settings\Jen\Desktop\backups\backup-20050428-200348-722.inf
C:\Documents and Settings\Jen\Desktop\backups\backup-20050626-141022-303
C:\Documents and Settings\Jen\Desktop\backups\backup-20050626-141023-134.inf
C:\WINDOWS\msxct1.ini
C:\WINDOWS\ryunwr.exe
C:\WINDOWS\system32\drivers\etc\hosts.20050626-221035.backup
C:\WINDOWS\system32\msdcom32.dll
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\vxh8jkdq5.exe

Post back when you finish and tell me how your computer is running

[Excal]

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link does not work) and install it.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Edited by Excal, 08 July 2005 - 04:12 PM.

[nyjens]

I was unable to find:

C:\WINDOWS\tool1.exe
C:\WINDOWS\hosts
C:\WINDOWS\system32\drivers\etc\hosts.20050626-221035.backup
C:\WINDOWS\system32\msdcom32.dll

Is that a problem?

[Excal]

try doing this and then look again

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Excal

[Excal]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.