Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I still can't change my desktop!


  • This topic is locked This topic is locked

#1
Diego8

Diego8

    Member

  • Member
  • PipPipPip
  • 189 posts
Last week my computer got infected with Spy Sheriff. I ran all sorts of spyware removal tools, including HiJackThis and Ewido.
After running this tools i created two new user accounts. An administrator account and an advanced user account (which i use for Internet access).
These two accounts are working fine but the problem is with the old one.
I can´t change my desktop, even after running smitfraud.reg file.

Is there any way to fix this?.

Thanks.
  • 0

Advertisements


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi sorry for the late reply, Did you try rebooting to safe mode merging smitfraud.reg under the user your still having the issue with ?
Reboot to noraml mode,
See if that takes care of it,

If not could you post an HJT log from that user please
  • 0

#3
Diego8

Diego8

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 189 posts
I tryed merging that reg file under safe mode and it didn't work.
A few days ago i entered the registry manually and changed the value NoChangingWallpaper from 1 to 0 and it worked.

Thanks.
  • 0

#4
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
So your all set ?
  • 0

#5
Diego8

Diego8

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 189 posts
I guess so. But my computer is a little bit slower than before. Maybe it's because i installed Panda Titanium 2005. By the way, while it was updating, it detected some registry entries related to SpySheriff.
  • 0

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Could you post a HJT log so we can get a look at whats running
  • 0

#7
Diego8

Diego8

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 189 posts
Below there is a HJT log file.
Two more things. Panda Titanium 2005 detected the file srvany.exe as a hacktool. The name of the hack tool was HackTool/SRunner.C , the antivirus program deleted this file.
The last one, after a random time of been conected a huge amount of data starts to download and i don't know where it comes from becuase all automatic program updates are disabled (including Windows Update) and there is no Internet Related program running.


Logfile of HijackThis v1.99.1
Scan saved at 10:13:05 p.m., on 17/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Archivos de programa\Security Task Manager\taskman.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Grabaciones\SpySheriff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{447A65BA-7F31-407E-9BE8-04F6C0BDE094}: NameServer = 200.40.220.245 200.40.30.245
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Archivos de programa\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Archivos de programa\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi again Diego8

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

Reset 5


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.
  • Please set your system to show
    all files; please see here if you're unsure how to do this.





  • Close all programs leaving only HijackThis running. Place a check against each of the following:

    O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
    O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)


    Click on Fix Checked when finished and exit HijackThis.




  • Reboot into Safe Mode: please see here if you are not sure how to do this.


    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\pxwma.dll
    C:\WINDOWS\SYSTEM32\reset5.dll

    Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
  • 0

#9
Diego8

Diego8

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 189 posts
Sorry for not answering to this post for almost a week. I finally got rid of SpySheriff.
Yesterday i got infected by another spyware (i guess), but that's another story, which is posted in a new topic.

Thanks.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP