[blairman]

My desktop background has been replaced with this message:

WARNING!
YOU'RE IN DANGER!



ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!


SECURE YOURSELF RIGHT NOW!

Removal instructions


and my hijack this log:

Logfile of HijackThis v1.98.2
Scan saved at 12:31:46 PM, on 11/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Rolfe\Shared\programs\HijackThis1982.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CleanRegPath] C:\PROGRA~1\ADSLUT~1\CleanReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099692437515

i've done all the things i'm supposed to do before posting here, and a whole lot more, someone, please help me!

[Advertisements]

Lets start by scanning with hijack this and put a check in the box next to this entry:

O4 - HKLM\..\Run: [CleanRegPath] C:\PROGRA~1\ADSLUT~1\CleanReg.exe

Click "Fix Checked"
Reboot your computer into safe mode by tapping the F8 key right after the first screen comes up on reboot. You will then have a list of choices, choose "Safe Mode" Once in windows navigate to C:\PROGRA~1 find the directory ADSLUT~1 and delete it. Reboot normally and post a new hijack log with any further details pertaining to your problem.

-=jonnyrotten=-

[-=jonnyrotten=-]

Lets start by scanning with hijack this and put a check in the box next to this entry:

O4 - HKLM\..\Run: [CleanRegPath] C:\PROGRA~1\ADSLUT~1\CleanReg.exe

Click "Fix Checked"
Reboot your computer into safe mode by tapping the F8 key right after the first screen comes up on reboot. You will then have a list of choices, choose "Safe Mode" Once in windows navigate to C:\PROGRA~1 find the directory ADSLUT~1 and delete it. Reboot normally and post a new hijack log with any further details pertaining to your problem.

-=jonnyrotten=-

[blairman]

okay, i did that, but my desktop background is still this message with a link to the site where i can download its product. And don't worry, i won't click on it.

heres my hijack this log now:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rolfe\Shared\programs\HijackThis1982.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099692437515

[-=jonnyrotten=-]

Well there's nothing too awfully bad in your log. Hmmmm first scan again and remove these entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

What is the website that the shortcut is to? Also go to your desktop properties and check the filename of your desktop and post this information to further help in removing this from your pc.

In the meantime please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Please post new log when finished.

-=jonnyrotten=-

[blairman]

it takes me to

http://213.159.117.130/?affid=NAT-10

and it tells me to buy their smart security privacy protection tool, beacuse if i don't, my wife, boss, girlfriend, children, cat & probably taxi driver will find out what i look at and my this will "broke my life"
and all with really really bad spelling and grammar.

it has a link to smart-security.info/main.php

any idea how i can get rid of this desktop background stealing, life broking spyware?

[blairman]

i searched smart security on google, and there's a lot of info about how to remove all their crap. so it is now gone, but thank you for your time and trying to help.
ahh i am happy again!
...now back to studying for exams