Tech Problem Aggregator

Thank you for looking and offering any suggestions to cleanse my system.
This is my symptoms:
Sometimes is not possible for me to shut down the computer.
My wallpaper on my XP Home Edition (version 5.1) w/SP2 has changed to a reddish background with three reddish wishbone imags. It also says YOUR PRIVACY IS IN DANGER! DOWNLOAD PRIVACY PROTECTION SOFTWARE NOW!
http://www.ucleaner.com/main.php?wmid=6010&mid=MjI6Mjo4OQ==&lndid=2
More over I found dangerous: XVORFWBD.DLL in C:\WINDOWS
I tried to manually delete the same, but could not do the same.
On startup I receive a dialog box stating the following:
Windows has detected an Internet attack attempt....
Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts, and spyware! Click here to download spyware removal for total protection.
When I am not connected to the Internet a box appears asking me if I want to work offline or try again.
After he scanning, it created log file. I am pasting the entire log file here:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21: VIRUS ALERT!, on 24/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Ascential\DataStage\Engine\bin\dsservice.exe
C:\Ascential\DataStage\Engine\bin\dsrpcd.exe
C:\Ascential\DataStage\Engine\bin\tl_dsservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\AntiSpyware Enterprise\Mcshield.exe
C:\Program Files\McAfee\AntiSpyware Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
C:\Program Files\WinPcap\rpcapd.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\System Doctor\dcmon.exe
C:\Program Files\USS\USS.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\Program Files\Filseclab\Twister\twister.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Ram\Ram desktop\Ram\antivirus\Trojan Remover\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\AntiSpyware Enterprise\scriptproxy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: vrmdtneg - {266F6829-949E-4645-AAEA-1323B59E826C} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Workflow] F:\Workflow.exe
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [PCPrivacyCleaner] C:\Program Files\PCPrivacyCleaner\pcpc.exe
O4 - HKLM\..\Run: [System Doctor Free] C:\Program Files\System Doctor Free\systemdoc.exe -scan
O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\System Doctor\dcmon.exe" dm=http://systemdoctor.com" target="_blank" class="invilink">http://systemdoctor.com ad=http://systemdoctor.com sd=http://log.systemdoctor.com/
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" dm=http://winantivirus.com ad=http://winantivirus.com sd=http://ulog.winantivirus.com
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\AntiSpyware Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [twister] "C:\Program Files\Filseclab\Twister\twister.exe" -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Crammer] E:\Ram\Utility\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [JustVoip] "C:\Program Files\JustVoip.com\JustVoip\JustVoip.exe" -nosplash -minimized
O4 - HKCU\..\Run: [96995415387279829695917112926216] C:\Program Files\XP Antivirus\xpa.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Filseclab Messenger.lnk = ?
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O21 - SSODL: xvorfwbd - {73E48B35-569D-4708-B933-8BB2290CDCDA} - C:\WINDOWS\xvorfwbd.dll (file missing)
O23 - Service: AffinegyService - Affinegy LLC - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DataStage Engine Resource Service (DSEngine) - Ascential Software Corporation - C:\Ascential\DataStage\Engine\bin\dsservice.exe
O23 - Service: DSRPC Service (dsrpc) - Ascential Software Corporation - C:\Ascential\DataStage\Engine\bin\dsrpcd.exe
O23 - Service: DataStage Telnet Service (dstelnet) - Ascential Software Corporation - C:\Ascential\DataStage\Engine\bin\tl_dsservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\AntiSpyware Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\AntiSpyware Enterprise\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 15052 bytes

Please suggest what I should do now!

The latest addition to the problems is: The 'All Programs' has disappeared from the 'Start Menu'.

1 more replies

Thank you for looking and offering any suggestions to cleanse my system.
This is my symptoms:
Sometimes is not possible for me to shut down the computer.

My wallpaper on my XP Home Edition w/SP2 has changed to a reddish background with three reddish wishbone imags. It also says YOUR PRIVACY IS IN DANGER! DOWNLOAD PRIVACY PROTECTION SOFTWARE NOW!

Security Warning!
Worm.Win32.NetBooster detected on your machine. This virus is distributed via the Internet through e-mail and Active-X objects.......
Click Yes to remove it from your PC immediately.
On startup I receive a dialog box stating the following:
Windows has detected an Internet attack attempt....
Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts, and spyware! Click here to download spyware removal for total protection.

When I am not connected to the Internet a box appears asking me if I want to work offline or try again. Eventually IE 7 opens up to safenavweb.com.

This the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:34 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe

A:Wallpaper changed to YOUR PRIVACY IS IN DANGER and other issues

Hello brainwave89 and welcome to TSG. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
If you use Firefox browser, do this also:

Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

Click Opera at the top and choose Select All from the list.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:

3 more replies

Resolved.

More replies

A:Virus Alert! Next To Clock. Error Cleaner, Privacy Protector On Desktop. Wallpaper Changed

15 more replies

Hey all, this is my first post. I was having trouble with some spyware that changed the background on my niece's laptop. It changed to a red pic with a sort of biohazard symbol that said "Your Privacy is in danger," plus it was giving her all kinds of pop-ups. Before I got my confirmation e-mail a few mins. ago, I read This thread., and based off of that, installed SuperAntiSpyware, ran it, and got rid of 97 objects. I also installed hijack this. I just rebooted after the SAS scan, and when I did, the red background was back at first, but then, SAS had an alert window about an Internet Explorer (she uses IE, because for some reason, it goes faster than Firefox on her laptop -- I'm gonna try to find out why) homepage change. I clicked "don't allow" on there, and then the background went back to normal, and there haven't been any pop-ups since. I was hoping maybe someone could check my hijack this log to see if there's any more steps I should take? Much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:29 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

A:Solved: Desktop Changed: Red "Your Privacy's in danger"

6 more replies

Hello, I'm hoping someone can help me. Something has infected my computer and I keep getting a privacy is in danger red wallpaper on my computer. The file seems to re-create itself as I have found it in my C:/ drive and delete it each time. I also keep getting aked to download anti-spyware programmes and the internet explorer pages just open automatically. I'm really worried about this as I do a lot of Internet banking and I'd hate for someone to be able to hack into my accounts.

My HijackThis Log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:09:36, on 03/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

A:Privacy is in danger wallpaper

11 more replies

Help...I received the wallpaper noted in subject with limited functionality on the pc such as the Windows start button does not provide for control panel, run option etc. I can not even open windows explorer. I keep getting popups telling me my pc is infected with links to antivirus 2008 and other problems. I also can not go to websites as it redirects me to antivirus sites. I am very frustrated and don't know where to start.

I also tried installing Adware Away but that won't install saying I am missing a file.

A:Your Privacy is in Danger Wallpaper and limited functionality

Welcome to TSG

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.

1 more replies

I have loaded Spybot, CW Shredder and Hijack This! and have also used the coolsearch killer V1/2 but cannot stop my homepage from changing to www.solanges.com or something similair. Everytime I run Spybot I also get the following being identified :-
CoolWWWSearch: IE start page (Registry change, nothing done)

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3403473811-972506294-598665437-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Below is a log report from Hijack This! :-
Logfile of HijackThis v1.97.7
Scan saved at 15:54:22, on 21/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.0... Read more

More replies

Try changing the home page settings on your browser, close the browser down and then open it back up again and see what happens.

6 more replies

Everytime I open up my browser, it goes to the following site:

res://eihjb.dll/index.html#44272

I can go to internet properties and switch the home page but it does no good. I am constantly removing 10-30 adware items from the Ad-ware scan and have picked up a few viruses with symantec. How do I get rid of this mess? Thanks for any help.

13 more replies

I am using windows 98, and everytime I log onto the internet it tries to change my home page and my search engine when I use google. I have installed Spy Sweeper, which protects my home page, and lets me know when they are trying to change my search engine. But I get a search page 'Searching the Search pages' that keeps popping up. Can this be fixed. I have run hijackthis and got the following log:Logfile of HijackThis v1.97.7
Scan saved at 6:38:22 PM, on 9/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\ATLQE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xqntp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\... Read more

8 more replies

I realise that I was infacted by hijack. I run the program HiJackThis and got this log file. what to do next?
Thanks.
Uri.
logfile:
--------
Logfile of HijackThis v1.97.7
Scan saved at 01:00:54, on 08/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
D:\NORTON~1\navapw32.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\my programs\babylon\Babylon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Interwise\Student\pull.exe
D:\My Programs\Fax\v3CallCenter\V3faxecp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
D:\office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
D:\My Programs\WinRAR\WinRAR.exe

Go to www.merijn.org/files/CWShredder.exe and run. Click on CWShredder.exe Click on FIX not SCAN ONLY>

Install the program and launch it.

First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window: Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

http://tomcoyote.com/SPYBOT/index1.php

1 more replies

My home page gets changed at the start-up to res://mshp.dll/index.html#37049. I have changed done a few things including running spybot, but at the restart or if you push "default" it resets to that web page.HELP.

Hi and welcome to TSG,

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

Then restart your computer and post another log.

IMPORTANT! To help prevent this from happening again, you should install all the security patches and critical updates.

Then download Hijack This and post a scan log for the experts to look at.

Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

1 more replies

I have a new installation of Windows XP.
The homepage constantly resets to MSN.
I am reluctant to alter the registry without clear, explicit instructions.
I have tried to reset and before I can close IE it has reset to MSN homepage.

3 more replies

i was working on a project when a video would not down load so i down loaded uniblue registry booster said i had something like 550 errors and corrected them some time after that my adobe
wouldnt open. did our taxes it wouldnt let us print them out and its not because of our computer and printer configurations

More replies

When reboot XP Spywareguard gives Warning: IE homep age has been changed, do you wish to restore old homepage.

I just ran adaware and spyware doctor in safe mode.

Just ran hijack this

Any takers?

Logfile of HijackThis v1.98.2
Scan saved at 8:48:50 PM, on 11/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Frank Rabzel\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

More replies

Hello I'm trying to find out how to remove this spyware.

IE 9 seems to be stuck on About:Blank for my home page and I can't change it.

I'm thinking I've been infected which seems odd because I an A/V and Malwarebytes pro.

Some how it got in...

Should I just wipe out my hard drive. I wish I could just remove it but this gmer scanner will not work correctly.

I ran a combofix log though.

It shows the spyware I think.

Quote:

.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Wayne\AppData\Local\Temp\{53BB7233-569B-49AB-8AA2-CBFAF8AF0200}\fpb.tmp
c:\users\Wayne\AppData\Roaming\vso_ts_preview.xml
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-04-03 to 2012-05-03 )))))))))))))))))))))))))))))))
.
.
2012-05-03 23:07 . 2012-05-03 23:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-03 21:23 . 2012-05-03 21:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-05-03 21:23 . 2012-05-03 21:26 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-05-03 21:16 . 2012-05-03 21:16 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-05-03 07:10 . 2012-05-03 07:10 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-03 07:10 . 2012-05-03 07:10 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-05-03 07:10 . 2012-05-03 07:10 -------- d-----w- c:\program files (x86)\Java

1 more replies

When I try to pull up my start page this is what I get...

res://C:\WINNT\System32\shdoclc.dll/navcancl.htm

I've run Adaware, Spybot S&D, and CWShredder but it's still there. Can anybody tell me where to go from here.
I have included my Hijack Log file...

Logfile of HijackThis v1.99.0
Scan saved at 5:07:19 PM, on 12/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ups.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log?..

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-bon
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-bon
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=n-bon
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-... Read more

1 more replies

Suddenly I can't hold my desired home page in default. Instead it goes immediately to "blank" or www.protectionways.com and the screen warns me of the vulnerability of my Windows XP system, citing malware, etc. In particular it mentions mozilla/4.0 and W32.Myzor.FKyf. I have no clue what all that means, but I have not downloaded anything from that site which wants me to download some anti-viral software, cleaners, etc. It's a site that gets bad reviews from McAfee, and I can find no documentation on it that it's in anyway connected w/ Microsoft or McAfee or any other reputable outfit I recognize.
I'm assuming I am infected, but don't know what it is or how to recover from it. I'm a novice, folks, so if you can help me, I'd be grateful.
-pamikemy-

See the following Bleeping Computer removal guide:How to remove the Smitfraud / Generic Zlob / Quicknavigate / Virtual Maid

4 more replies

Hi All:
I've seen other posts with similar problems but here's mine. After my computer has been on for an hour or so Browser Hijack Blaster (BHB) informs me that my home page on Internet Explorer 6 SP1 (IE) has had an attempt to change it to blank. I tell BHB not to allow it and then IE won't start again when I click on it's desktop icon. When I turn off the computer and restart everything is O.K. with my old homepage and then the process starts again. I did have a cool search problem but CWShredder seemed to take care of it. AVG says no viruses, Ad-aware and Spybot find nothing as well. Here's my Hijack This log. Any help would be appreciated. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 10:21:50 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\palm\HOTSYNC.EXE
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe

More replies

What should I do?

First tell us what your OPerating system is,the antivirus and spyware tools installed.

BTW welcome to the forum..

3 more replies

It said every thing I was doing was being read from another location and that I should down load their security thing to stop it. I think it was http://www.newgrounds.com
And something about Saturn of Stamford. This computer was used at a Saturn dealership up to a month ago. The Saturn store closed and I did get the computer from there.

Can you take a look at this and suggest anything, thank you.

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:20:29 AM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

All right, Internet options, privacy, advanced. The “Prompt” was checked off on “Third-Party Cookies” I changed it to Block. I was getting a lot of prompts to allow cookies. I just assumed it was for the page I was on. The last one was from some site I never herd of before and I hit block.

2 more replies

Run the following and post the logs:

Double click on the icon to run it, Vista or Windows 7 users right click and select Run as Administartor. Make sure all other windows are closed and to let it run uninterrupted.
In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
Under the Custom Scan box paste this in

Code:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
eventvwr.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply

Kevin

1 more replies

Method - open IE > Tools > Internet Options > General Tab > Choose 'Blank Page' > click Apply and OK.

I reboot and the IE Home Page has changed to the desired Blank Page.

But when I reboot again, the IE Home Page is back to where it was before.

How can I make the change permanent?

Best wishes. whatapalaver

Method - open IE > Tools > Internet Options > General Tab > Choose 'Blank Page' > click Apply and OK.I reboot and the IE Home Page has changed to the desired Blank Page.Have you actually typed in an address that you want IE to use as your Home page?eg...... http://www.hotmail.comBut when I reboot again, the IE Home Page is back to where it was beforeExactly what is this page..... what's IE taking you to?

10 more replies

My home firefox page got hijacked to www.ask-yoda.com. and I cant get it back to www.google.com . theres also an add on on the browser of a yellow house that takes u to www.ask-yoda.com. I got rid of what did this but cant get my home page back normal . right now I have norton blocking www.ask-yoda.com. so when it pops up the homepage to www.ask-yoda.com it just comes up as page not found . so what should I do

thanx

Wanna send a special thanks out to all of the helpers who have read my post over and over but refuse to offer any help . thanks bunches

gonefishin

1 more replies

Hello,

It appears that I am being hijacked similarly to other posts I have read in this forum and would like help analyzing my "Hijackthis.log". I am running Windows 2000 with SP4. I am using Internet Explorer v5.51 SP2 (5.51.4807.2300)

My homepage is being changed to "res://wridl.dll/index.html#37049" and my searchURL is changed to something similar. I am also getting a lot of popups. I have searched the windows registry for "wridl" and removed these entries but as soon as I open IE my homepage is changed again. I have run SpyBot and it is not finding anything significant (just a couple cookies) I previously had the CoolWebSearch hijacker about a week prior to this variant and CWShredder took care of it.

I am posting my Hijackthis.log below in hopes that someone can help me this problem. Thank you for your help.

--------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 3:54:36 PM, on 6/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

You need to go into your registry and into the hkcu\software\microsoft\internet explorer\main,serarch page and change the entry into which ever search page you wanna use....
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
is the default search string
and on the start page you should just change to what you want your start page to be, like either http://www.msn.com or whichever you decided
then look down a couple folders into the search url and change that setting to
http://home.microsoft.com/access/autosearch.asp?p=%s

in HKLM\software\microsoft\internet explorer\main, default_page_URL should be
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
which is the default string
and the default_search_URL should be
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
a couple settings down on the list you should see the search page again and it should be
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
and the start page is whatever you want it to be again
just basically go thru it all and find software\microsoft\internet explorer and look for all the start and search settings and change them to the default settings, then look in your add/remove programs and see if you have anything installed that you don't know about and take it off
this too is the default string

2 more replies

http://67.132.177.100:8000/cgi-bin/mark.cgi

Has anyone seen this before? I'm running Windows 98 with Internet Explorer. MSN is my home page and hadn't changed in my tools folder. When I clicked 0n the home page button, I went to MSN. I can't tell anything is wrong, yet something changed my opening page.

You need to go here http://www.majorgeeks.com/download3155.html and download hijackthis to its own folder away from the desktop,like for instance in my documents,then post back the log that it produces for analysis ......

1 more replies

Help, pleaseMy home page has been changed to "http://asafetyprocedure.com/" and I also have a Security Toolbar 7.1 on my IE that I cannot get rid off. My hijackthis log is below:ogfile of HijackThis v1.99.1Scan saved at 15:51:11, on 14/10/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16544)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Ahead\InCD\InCDsrv.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Common Files\Symantec Shared\DJSNETCN.exeC:\Program Files\Common Files\EPSON\EBAPI\SAgent... Read more

Please download SmitfraudFixExtract the content (a folder named SmitfraudFix) to your Desktop.Open the SmitfraudFix folder and double-click smitfraudfix.cmdSelect option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).Please copy/paste the content of that report into your next reply.Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.http://www.beyondlogic.org/consulting/proc...processutil.htm

7 more replies

Hello my computer is infected or something every time I log into windows a get an error message and my home page was changed. I was told to fix this entries:R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about-blank.inO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O4 - HKLM\..\Run: [KOfcpfwSvcs.exe] C:\WINDOWS\system32\KOfcpfwSvcs.exeand erase this fileC:\WINDOWS\system32\KOfcpfwSvcs.exebut I was unable to find it, I tried to kill with fileassissin but it didnt find the file and everything stills the same Can you please help me???Here is my log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 09:59:50 a.m., on 27/12/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16574)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\... Read more

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and i'll be helping you to fix your problems.Apologies for the late response,as i'm sure you can appreciate we are absolutely snowed under with logs.If you still require help,please post a new Hijackthis log into your next reply.

9 more replies

A:Ahh Www.systemwarning.com! It Has Changed My Home Page And Possibly Done More!

HiDownload WindPFindExtract WinPFind.zip to your c:\ folder.Open c:\WinPFind and double-click on WinPFind.exe.When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.When it is done, it will show a log and tell you the scan is completed. Post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.Please post also a fresh HijackThis log.

7 more replies

Home Page keeps returning to about:blank despite repeated changes to my desired weather related site. Also, several items are added to my favorite list, mostly porn related sites. I have repeatedly deleted these added sites but the return again and again. I have used the "Preparation Guide for use before Posting a Highjackthis Log" and tried using some other Spyware products without total success. Any additional help would be appreciated.Logfile of HijackThis v1.99.1Scan saved at 3:33:33 PM, on 1/14/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\STOPzilla!\SZServer.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\ewido anti-mal... Read more

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.Please download ewido anti-malware it is a free version of the program.Install ewido security suiteWhen installing, under "Additional Options" uncheck..Install background guardInstall scan via context menuLaunch ewido, there should be an icon on your desktop, double-click it.The program will now open to the main screen.When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update.Then click on Start Update.The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")If you are having problems with the updater, you can use this link to manually update ewido.ewido manual updatesOnce the updates are installed do the following:Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Run Ewido:Click on scannerClick on Complete System Scan and the scan will begin.You will be prompted to clean the first infection.Select "Perform action on all infections", then proceed.Once the scan has completed, there will be a button located on the bottom ... Read more

1 more replies

Hello all,
A few days ago my interenet explorer starting coming up REALLY slow and would try to go to idgsearch.com instead of my normal Yahoo page. I have changed my homepage back to yahoo several times and it keeps getting changed back to that idgsearch page?????
When I see that idgsearch page coming up when I open IE, I immediately hit stop. When I do this I can't do anything with IE for about 45 seconds (as though it locks up). Then It's good to go after that, Until I try to bring up another one, (I am notorious for having several IE windows open at once).
Ok, I just ran the Hijack thing I see on here and this is what I cam up with,,,,Any advice?

Thanks!!

Logfile of HijackThis v1.97.3
Scan saved at 11:27:58 AM, on 11/6/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe

16 more replies

A friend of mine has a windows 8 laptop and his isp has changed his home page and shortcuts etc. I do not have physical access to the computer but he says he has tried the usual way to change home page in IE

Would hijack this show the problem. I ran hijack this on my computer to see what is shows and it shows my home page in the registry. Could his page be changed back in the registry

Hello DOPEY13 and welcome to Bleeping Computer.
please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
if you don't understand something, please don't hesitate to ask for clarification before proceeding
the fixes are specific to your problem and should only be used for this issue on this machine.
please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
IMPORTANT:
Please DO NOT run any scans other than those requested.

===================================================

Is there some reason why your friend can't start their own topic? I'll supply some instructions assuming that that is the case.

12 more replies

Our CEO is having a problem where his home page keeps changing to some sort of directory page: res://mshp.dll/index.html. Weird. Also, he keeps getting a popup blocker ad. I suspect he's been hijacked (he had the ehttp problem a couple of months ago). Can anyone suggest a fix? I've attached the log below...thanks!

Roy

Logfile of HijackThis v1.97.7
Scan saved at 2:26:56 PM, on 1/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\[email protected]\[email protected]
C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Treo Mail\vma.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
X:\Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start ... Read more

9 more replies

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-02-2015 01
Ran by LizzieS (administrator) on LIZZIES-PC on 27-02-2015 23:02:12
Loaded Profiles: LizzieS (Available profiles: LizzieS)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSv... Read more

Hello, Welcome to BleepingComputer.I'm nasdaq and will be helping you.If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.===Using the Add/Remove programs applet delete this process in bold.SupplementPro (HKLM-x32\...\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{23afdfe}) (Version: - Software Publisher) <==== ATTENTION===Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CreateRestorePoint:
CloseProcesses:

(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [3033112 2015-02-27] ()
HKU\S-1-5-21-3205690185-1226381487-526044824-1000\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3205690185-1226381487-526044824-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://mysearch.avg.com/?cid={BA7F367E-FF34-4DD2-A696-78D52072E23E}&mid=7e554bd70f4947d1b8a8cd3c4e3b7cac-c0abbc4fe6dc8ff5c2e9f541d3176252c2e5713e&lang=en&ds=AVG&coid=avgtbavg&cmpid=0215av&... Read more

10 more replies

When I hit home it goes to this: http://www.claro-search.com/?affID=114506&tt=4112_8&babsrc=HP_clro&mntrId=c43bea1b000000000000001372384e07

Steps I've taken. I updated SAS and ran a quick scan and found nothing. I updates MBAM and ran a full scan and found 70 plus problems.

I deleted the stuff labeled CLaro in the program removal section of Control Panel. But there must be more. Here are the logs from MBAM.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.16.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512

6/15/2012 9:06:31 PM
mbam-log-2012-06-15 (21-06-31).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 351006
Time elapsed: 3 hour(s), 5 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCR\CLSID\{22222222-2222-2222-2222-220022462239} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CLSID\{33333333-3333-3333-3333-330033463339} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\Interface\{66666666-6666-6666-6666-660066466639} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.

14 more replies

Logfile of HijackThis v1.99.1
Scan saved at 8:22:23 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Webshots\webshots.scr

9 more replies

Hi all, Sorry, previous log seems to be not full. Here's my full log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:21:54 PM, on 10/2/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\acluie.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeD:\Program\Common Framework\FrameworkService.exeD:\Program\NetworkAssociates\mcshield.exeD:\Program\NetworkAssociates\vstskmgr.exeC:\WINDOWS\system32\nvsvc32.exeD:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\WFXSVC.EXEC:\WINDOWS\Explorer.EXED:\Program\Winfax\Symantec\WinFax\WFXMOD32.EXEC:\Program Files\Java\jre1.5.0_11\bin\jusched.exeD:\Program\NetworkAssociates\SH... Read more

14 more replies

I have run spybot, ad-aware, noadware and Norton about 30 times and have fixed everything that has shown up but I still get pop-ups from xlime optimizer. Also every time I load IE my home page gets changed no matter how many times I set it back to blank. Here is my Hijack This log file.

Thanks for the help

13 more replies

Hi, I've recently been searching around the internet for some speed accelerators, etc., and tried a few. The next day I turned on my computer and my firefox loaded with a totally different webpage. This site called turbo-search101.com replaced my regular jpopasia.com/charts. So as anyone would do I'm sure, I opened up the options and changed it back. I clicked the home page button but the same page popped up! I checked my options again and it indeed said turbo-search101.com. So I tried it again. turbo-search101.com popped back up. I checked my antivirus and the "block any home page changes" was on, interestingly enough, the "alert me if an attempt is blocked" as also on. I uninstalled any software i might have downloaded but still came up with the same result.

13 more replies

Logfile of HijackThis v1.99.1Scan saved at 12:16:53 AM, on 2/23/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeC:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeC:\WINDOWS\System32\nvsvc32.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Ideazon\Zboard Software\Driver\Zb... Read more

Please follow the steps in this topic and then post a new hijackthis log as a reply to this topic.How To Remove Spyfalcon And Dxmpp.dllAlso post the c:\smitfiles.txt log as well.

1 more replies

I was trying to help this person which had her home page changed. It got me curious as to how this can happen.....did they do it with activeX and does she have to change a registry setting to get back the ability to restore her homepage. Thanks

My home page was changed to something that says duolaimi.net (You probably shouldn't go there unless you want problems too) with my old home page url following it.

When I click properties to change it back to my home page the section that allows home page selection is 'greyed' out and does not respond..Click to expand...

16 more replies

Hello all. First time post.

My McAfee virus scan keeps telling me I have the trojan FakeAlert-B. I can't seem to get rid of it. I also now have a security toolbar in IE that I didn't install and my hame page was changed to about.blank. I go into Internet Options and change it but it goes right back to about.blank. I have ran McAfee, Ccleaner, and Ewido. I have cleaned all files they each recommended. I have a copy of my Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:59 AM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.

Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Save it in the same folder you made earlier (c:BFU).

Do not do anything with these ye... Read more

1 more replies

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:19:15, on 03-Feb-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

getting warning for Zafi.B

1 more replies

You might try Spybot. AVG is an anti-virus package that's better than a lot of commercial a-v software, and it's free! ZoneAlarm has a good, free firewall that you may want to take a look at, also.

5 more replies

Hi
my home page was changed after my computer detected a virus.I deleted it,scan with several antivirus programs and the problem still exists.Moreover it added some pages in my favorites ( 7 days free porno ......, lookcc........stuff like that).My home page is changed to about:blank.I try to change it from the settings but it is still changing by itself.This is my hijackthis log file.PLEASE HELP ME!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:00:01 &#956;&#956;, on 30/6/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RSCMPT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\NETXO.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\IPOX.EXE
C:\WINDOWS\SYSTEM\ATLSJ.EXE
C:\WINDOWS\SYSTEM\ATLSJ.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\ATLSJ.EXE
C:\WINDOWS\SYSTEM\ATLSJ.EXE
C:\WINDOWS\SYSTEM\ATLSJ.EXE

9 more replies

Hello guys,My home page was hijacked. It is always changed to Home Search(URL displaying "about: blank") and a lots ads pop out. I tried every thing to fix it but failed. The following is the log of HijackThis, thank you for your help in advance.Logfile of HijackThis v1.98.2Scan saved at 4:32:26 PM, on 11/6/2004Platform: Windows 2000 SP3 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\WINNT\System32\svchost.exeC:\PROGRA~1\Navnt\navapsvc.exeC:\PROGRA~1\Navnt\npssvc.exeC:\WINNT\addxu32.dll:ifckfC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\svchost.exeC:\PROGRA~1\Navnt\alertsvc.exeC:\WINNT\System32\svchost.exeC:\WINNT\Explorer.EXEC:\WINNT\system32\ipkv32.exeC:\Program Files\Navnt\navapw32.exeC:\HJT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bbviz.dll/sp.html#28129R1 - HKCU\Software\Microsoft\Internet Explorer... Read more

15 more replies

My mother's computer is running slow and I think it is because I went to some naughty sites in the past. I ran malwarebytes and it is a little better but wondering if it is still on her computer. It seems like the programs open slower than before. Also, Whatever it was it changed my homepage to searchnu.com/406. I ran the HJT, DDS and GMER and pasted them below. Thank you in advance for any help you give.
HERE IS THE HJT LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:35:59 PM, on 12/4/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17114)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe

13 more replies

Getting frustrated over here

It all started when I started seeing an ad for laughnetwork.com on the bottom of my screen about once a day. Additionally I started getting an update alert message approximately once per hour. Contents of the message titled update alert: New version is available would you like to download and install new version? Then it gives me the options yes and no, whatever I choose it just closes and pops up again within the hour. It doesn't let me close the message without choosing an option only through task manager – end task.

I also cannot log into yahoo mail beta. This is the error message I get: Yahoo mail beta cannot function properly under your browser's current settings. Please select internet options and from security set script activeX controls marked safe fro scripting to enable. Xmldom: failure -2146827859 automation server can't create object xmlhttp: success. I checked my settings it was already enabled.

I ran the following:
Spybot
Counter spy
Winpatrol
Avg antispyware
Super antispyware

I developed a new problem: my home page changed to msn.com and I can't change it.

I blocked all cookies by internet options. Every few second I get a message asking for permission to save a cookie from ad.yieldmanager.com.

Also the shortcut to internet explorer disappeared from the start menu and my desktop.

It seems the longer I wait without resolving the issue more problems crop up….

16 more replies

There's a wallpaper that constantly appears "Your Privacy is In Danger" and I manually remove it, but it always comes back.
Things I have done
1. Spybot S&D Scan
2. Symantec Anti-Virus [can't update, read below] Scan
4. Trend Micro Scan [can't update definitions]

All of these turn up some threats and remove them, however the problem is that my desktop is always getting changed. Which leads me to my next problem.

I can't view specific websites
It's pretty much anything that's related to anti-virus. The page won't load. I can ping it, but it won't load. I can't update the definitions because of this. I checked the hosts file and it's clean, I removed the lines from Spybot S&D too just to be sure there wasn't something else that was up.

Suggestions?

Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

1 more replies

My HiJack this log...

Deckard's System Scanner v20071014.68
Run by Brian on 2007-10-28 13:57:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
40: 2007-10-28 17:57:25 UTC - RP458 - Deckard's System Scanner Restore Point
39: 2007-10-28 04:20:08 UTC - RP457 - System Checkpoint
38: 2007-10-26 21:42:51 UTC - RP456 - System Checkpoint
37: 2007-10-25 18:41:00 UTC - RP455 - Configured Adobe Reader for Pocket PC
36: 2007-10-24 22:53:14 UTC - RP454 - System Checkpoint

-- First Restore Point --
1: 2007-09-21 01:39:14 UTC - RP419 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-10-28 13:59:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin... Read more

A:Red background wallpaper,"Your Privacy is in Danger"

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk... Read more

19 more replies

More replies

Argh, I'm back yet again.

Alright, I've gotten my computer cleaned from all the spyware and viruses I have had before (Yay Avast!). My computer is cleaned and protected better than ever.

But now I got a new problem.

When trying to set a wallpaper on my desktop, it doesn't show up. I can change the background color, but not the background itself. This is getting a little frustrating to me since I like to have my desktop feature my artwork from time to time. When going into my Display properties, I can't select any of the preset backgrounds, nor can I hit browse to select my own.

I've provided screen shots of my desktop settings to show you what I'm seeing.

http://img.photobucket.com/albums/v29/kakurine/Desktop1.jpg
http://img.photobucket.com/albums/v29/kakurine/Desktop2.jpg

I also apologize if this is in the wrong forum section (again). I don't know how to classify this problem, other than I'm running on Windows XP.

Also, for the record, I've tried setting a wallpaper from the internet, and right clicking on the picture in my files and hitting "set as desktop background". Neither worked.

A:Wallpaper unable to be changed.

This sites thread with a similar issue may help

http://www.geekstogo.com/forum/cant-change-desktop-background-t38725.html

2 more replies

Hi,

Is there a way to prevent the wallpaper being changed on the PC? I tried this method: Prevent Changing the Screen Saver and Wallpaper in Windows 7

It works. However, when I open firefox/IE, I can still change the wallpaper by "set as desktop background" anything I want. Any ideas?

A:How to prevent wallpaper being changed?

Hello mystvearn,

If you like, you could do either option in the red warning box at the top of the tutorial below to either specify a desktop background (recommended) for all users, or remove the "Set as desktop background" context menu to help with this.

Desktop Background - Allow or Prevent Changing - Windows 7 Help Forums

10 more replies

Hi,

I'm pretty sure I'm infected with something. Looks like I was asked to upgrade my Flash software but apparently it wasn't a legite Adobe. I did a quick search on Conduit search and toolbar removal, as this is what I saw on my IE next, with urls being redirected to some non-existing ones, IE home page was changed to something else (though I tried changing it back from Internet Options). Can you please help?

Thanks, Yuval

A:Conduit toolbar, browser home-page changed, browser hanging

10 more replies

we have a customer who has a windows 7 professional running 24/7 with several users per day. someone changed the desktop wallpaper and the supervisor asked me how to tell when it was changed.

My understanding is that windows 7 creates a timestamp whenever a file is accessed but I can't seem to locate the timestamp for when the wallpaper was changed.

any help is greatly appreciated.

A:How to determine when the wallpaper was changed in windows 7 pro

Welcome to the Seven Forums

Try going to C:\Users\YOUR USER NAME\AppData\Roaming\Microsoft\Windows\Themes and right click on the TranscodedWallpaper.jpg and look at the Properties .
AppData is hidden use step 3 of this tutorial to unhide it File and Folder - Hide or Unhide

Jerry

1 more replies

Not sure what is going on, but I keep getting this pop up stating that my computer has been infected with a trojan smp/lx. My wallpaper has been changed to "Security Alert". I ran AVG and it found nothing, and malware has found nothing. I am at my wits end, and need some help please. I am attaching the hijack this report.
Please bear with me to, Im a beginner with this technical stuff.
Traci
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:20 PM, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe

A:changed wallpaper keeps telling me trojan smp/lx

7 more replies

hi guys...this morning i switched my pc on and my wallpaper(a supra drifting) was changed to a blue wallpaper saying that "Warning: Spyware threat detected on your pc" and click here to remove the spy...but i believe it itself is a spyware...i tried antiviruses like nod32 but didn't realy work...please help me out cause since than my pc is so darn slow that you guys don't have any idea how i am typing this one!

A:My Wallpaper Changed To A Spyware Threat

take a look in the security section , follow the 5 steps and wait for a security team member to reply .. be patient ..

1 more replies

a-squared,
Combofix
Malware bytes anti malware
Norton (though my subscription has run out on that)
AVG 8.5 (and 7.5 before I updated it)
A few other online ones that I can?t ... Read more

A:Unsure TROJANS have gone, now my wallpaper has changed!!!

Welcome to BCPlease do not post a Combofix log in this forumUpdate mbam and run a FULL scanPlease post the resultsThen tryATFPlease download ATF Cleaner by Atribune & save it to your desktop.Double-click ATF-Cleaner.exe to run the program.Under Main "Select Files to Delete" choose: Select All.Click the Empty Selected button.If you use Firefox browser click Firefox at the top and choose: Select AllClick the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser click Opera at the top and choose: Select AllClick the Empty Selected button.

4 more replies

Ok I've done everything to solve this but i got nothing... so here is my main.txt:

Deckard's System Scanner v20071014.68
Run by Dimitris on 2007-11-17 15:38:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2007-11-17 13:38:18 UTC - RP38 - Deckard's System Scanner Restore Point
1: 2007-11-16 22:30:35 UTC - RP37 - Removed XBList

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Dimitris.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:33 μμ, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe

A:"Your privacy is in danger" wallpaper

Right click SDFix.zip
Select: Extract All to extract it to its own folderNow, reboot to Safe Mode Restart your computer.
When the machine starts, tap the F8 key before Windows starts
Select the option for Safe Mode using the arrow keys.
Press Enter to boot into Safe Mode.
In Safe Mode, open the SDFix folder on the DesktopDouble click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.
Press any key to restart the PC.
When the PC restarts the SDFix will run again and complete the removal process
It then displays Finished
Press any key to end the script and load the Desktop icons.
Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.
Save to the Desktop. <<<Important!!

Then type 1 and press Enter to begin the scan.

Do not mouse-click the ComboFix window while it runs. It may cause it to stall.

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~

1 more replies

im getting a ton of popups and my wallpaper is stuck as some screen warning me to DL their fake software. ad-aware / trend micro house call dont seem to be enough here they keep coming back. heres my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:12 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\All Users\Application Data\mtglorwd\gxcvwfyl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\TSKS~1\wowexec.exe
C:\DOCUME~1\Drew2\LOCALS~1\Temp\ie.exe
C:\WINDOWS\system32\ubctqfif.exe

More replies

I'm getting constant popups to download virus software even though I already have Avast. Also my wallpaper now reads "I am infected and need to do download virus software". So somewhere I'm infected. I've ran a ComboFix log and HijackThis log for your review. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:43 AM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

A:Being asked to DL Virus Software/wallpaper changed

ComboFix 08-07-21.2 - Sam 2008-07-22 21:03:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.523 [GMT -7:00]
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sam\Application Data\rhceg0j0erfl
C:\Program Files\rhceg0j0erfl
C:\WINDOWS\system32\_003910_.tmp.dll
C:\WINDOWS\system32\phcag0j0erfl.bmp

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-22 21:02 . 2008-07-22 21:02 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Apple Computer
2008-07-22 21:01 . 2008-07-22 21:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-22 21:01 . 2008-07-22 21:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 19:19 . 2008-07-22 19:19 <DIR> d-------- C:\WINDOWS\Sun
2008-07-22 19:18 . 2008-07-22 19:18 <DIR> d-------- C:\Program Files\Java
2008-07-22 19:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-22 19:17 . 2008-07-22 19:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-22 18:26 . 2008-07-22 18:27 2,869,536 --a------ C:\Program Files\spywareblastersetup41.exe
2008-07-22 17:59 . 2008-07-22 17:59 268 --ah----- C:\sqmdata08.sqm

3 more replies

I had a user click on something from a cigar web site and suddenly it took that icon and made it their desktop wallpaper. It also resized the screen to be very small. adjusting the monitor will get the screen back but if you select the graphics accelerator it changes the screen size again. I am never able to change the wallpaper, no matter what I choose it flashes and stays the same. Here is the log.. Thanks in advance.

Deckard's System Scanner v20070826.66
Run by Gene on 2007-09-05 11:52:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Gene.exe) ------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-05 11:54:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe

A:wallpaper overtaken & desktop size changed

I dont see any problems in your log and I'm sure the problem is not malware related.But just to be on the safe side......

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
==================================

Please perform a scan with Kaspersky Webscan Online Virus Scanner

1. Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
2. Read the Requirements and Privacy statement, then select "Accept".
3. A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
4. Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
6. Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
7. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
8. Click "OK".
9. Under "Select a target to scan", click on "My Computer".

5 more replies

Hello,
I added a wallpaper to my pictures folder, and I then used that as my logon screen wallpaper.
However everytime I turn the computer off, and on the default rainbow wallpaper keeps coming on. If I restart or log off, my wallpaper shows. How can this be? Can anyone please help me?

A:I changed the logon screen wallpaper, but the default....

Sounds like you set the Desktop background picture but did not change the "Lock Screen". See this See pictures on the desktop, Start, and the lock screen - Windows Help

6 more replies

I was searching for information on GPS units on googlw when all of a sudden something happened to my computer. I was not able to close the popups from the task manager. I went ahead and restarted my machine but somehow it managed to change my desktop wallpaper to a warning message (see attachment). Also some of the Display Properties ar missing. I only have the Themes, Apperance, and settings tabs and am not able to change my wallpaper.

I have a Windows XP SP3 machine. After this happened I installed AVG antivirus, Ad-aware, but they did not fixed the problem. Spyhunter 3 found windowsxp-kb929969-x86-enu.exe but requires that I pay to remove it. Is that file my problem?

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:17 AM, on 8/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

A:Solved: Wallpaper changed to a Warning message

I went ahead and reinstalled windows.

1 more replies

I was backing up all my files and C drive onto a memory stick overnight.  (Prior to planned upgrade to Windows 10).  In the morning I found that the desktop wallpaper had changed to  Lenovo with Lenovo logo.  The original wallpaper has disappeared from the options.  Should I be concerned?  I have verified with PC World that the laptop I bought is a genuine HP Pavilion

More replies

My wallpaper suddenly changed and i dont know what to do.. my Vrus scan programm alerts my multiple times...

of a Dropper...

c:\\windows\system32\hhk.dll

DR\puper.A.3

TZhank you

her is my hijack logFIle

Logfile of HijackThis v1.99.1
Scan saved at 18:14:16, on 03.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\shnlog.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\ICQLite\ICQLite.exe
D:\Winamp\winampa.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programme\D-Tools\daemon.exe
C:\WINDOWS\system32\intmon.exe
C:\Programme\Free Surfer\fs20.exe
C:\Programme\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\DIGStream\digstream.exe
C:\Programme\AVPersonal\AVGNT.EXE

A:My Deskstop wallpaper suddenly changed to a Spyware warning...

9 more replies

Hi, i went onto a website and all of a sudden i got popups and then once i got all the windows to close the wallpaper had turned blue and yellow and said warning virus found...etc. I changed the wallpaper and then found that the ctfmonb one wasnt there but it is still in the C:/WINDOWS/system32 folder along with other suspicious looking exe files (ctfmon, cscript, conime). Ive attached some logs from the '5 steps before posting thread'. Thanks in advance for the help.

Heres the main log file from deckard:

Deckard's System Scanner v20071014.68
Run by Home on 2008-06-02 23:04:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
80: 2008-06-02 22:04:35 UTC - RP222 - Deckard's System Scanner Restore Point
79: 2008-06-02 17:34:11 UTC - RP221 - System Checkpoint
78: 2008-06-01 13:44:41 UTC - RP220 - System Checkpoint
77: 2008-05-31 12:52:26 UTC - RP219 - System Checkpoint
76: 2008-05-29 20:08:18 UTC - RP218 - System Checkpoint

-- First Restore Point --
1: 2008-03-05 17:52:33 UTC - RP143 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).
System Drive C: has 3.96 GiB (less than 15%) free.

-- HijackThis Clone -------------------------... Read more

A:ctfmonb.bmp - wallpaper changed and lots of viruses detected by AVG but not all could

Hello and welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Your hard drive is almost full.

Quote:

System Drive C: has 3.96 GiB (less than 15%) free.
C: is Fixed (NTFS) - 76.29 GiB total, 3.96 GiB free.

Having too little free space on your hard drive can compromise system performance. I suggest you move pictures, music, etc. to an... Read more

10 more replies

My wallpaper changed to a strange message saying that I have spyware on my computer. I am also recieving messages from my taskbar saying that I have spyware.

I ran Spybot Search and Destroy and Adware and CWShredder already. I have also made a Hijack This log:
Logfile of HijackThis v1.97.7
Scan saved at 5:40:00 PM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe

A:My Deskstop wallpaper suddenly changed to a Spyware warning...

16 more replies

Hi, the background on my brother's laptop was changed to some statement about a virus and a need to pay to fix it. Here is the pic of the wallpaper.

Also the CPU usage is almost always at 100% so everything goes super slow. I am not able to do a system restore and Malwarebytes protection monitoring can not be turned on. Not even Malwarebytes chameleon works. Any help would be greatly appreciated.

System Specs:
Toshiba Satellite L505
Windows 7 Home Premium Service Pack 1
64- bit operating system

A:High CPU Usage. No system restore. Wallpaper Changed.

A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ
Reading that Guide will help you understand what CTB Locker (Critroni) does and provide information for how to deal with it. Newer CTB Locker variants typically change the extension of encrypted files using a 6-7 length extension with random characters. At this time there is no fix tool and no way to retrieve the private key that can be used to decrypt your files without paying the ransom.
More information in this article: New Critroni variant offers free test decryption and now uses CTB2 extension. Unfortunately, there is still no known method of decrypting your files without paying the ransom.
There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.
Credit: quietman7, Global Moderator

1 more replies

So one of my users desktop changed to "Your computer is infected, Scan with A/V" or something to this nature. His machine started rebooting by itself and when booting said something about missing tmp.vbs file. We currently use Trend Micro Client/Server Security Agents and his reported the following:

- PAK_Generic.001 which appeared about 5 times during the day.
- TROJ_TIBS.QM Appeared Twice in Temp Internet Files and as C:\Windows\11qqaaswww.exe
- TROJ_AGENT.AILT Appeared Twice in Temp Internet Files and C:\Windows\file.exe
- BKDR_AGENT.UKJ (This was in SDFix\backups\aspimgr.exe) and it quarantined this. Luckily it was after I turned the A/V back on after running SDFix.

All appeared to have been cleaned successfully or quarantined except the PAK.Generic. In any case it did not resolve any of the main problems above so I guess it didn't really fix much. Below are logs of SDfix, ComboFix, and then HijackThis.

SDFix

Quote:

SDFix: Version 1.182
Run by Administrator on Thu 05/15/2008 at 09:44 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
aspimgr
lanmandrv

Path :
C:\WINDOWS\system32\aspimgr.exe
\??\C:\WINDOWS\System32\lanmandrv.sys

aspimgr - Deleted
lanmandrv - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting

Checking Files :

Trojan Files Found:

A:Trojan: Desktop Wallpaper Changed to Your Computer is Infected

ComboFix

Quote:

ComboFix 08-05-12.1 - Administrator 2008-05-15 1020.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1460 [GMT -4:00]
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\joeb\g2mdlhlpx.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\system32\86653.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\nvrsma.dll

----- BITS: Possible infected sites -----

hxxp://blc06
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV

((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 09:40 . 2008-05-15 09:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-15 09:40 . 2008-05-15 09:58 <DIR> d-------- C:\SDFix
2008-05-14 16:22 . 2008-05-14 16:27 <DIR> d-------- C:\Program Files\CCleaner
2008-05-14 15:28 . 2008-05-14... Read more

3 more replies

Hi
In our domain we have a policy to change the wallpaper every month. The change is done from server side.
Now wallpaper of most of users is changed but for few it remains the old wallpaper.

For example I have windows 8 and mine is not updated.
I also have tried gpupdate /force. No luck.

This issue is only with few systems running windows xp 7 and 8.

These systems only show the last months wallpaper not the one updated.

Also these windows are fully updated as of now.

A:Desktop wallpaper not changed on domain joined users

Any help m?

4 more replies

I recently enoucountered an infection with my brother's PC, after he rebooted, the wallpaper had changed to ablack background with a red box in thelower right hand corner that read "Your computer is in Danger! Windows Security Center has detected spyware/adware infection! it is strongly recommended to use special antispyware tools to prevent damage"

The task manager was also disabled during this time,which i fixed using a program on the net.

Furthermore, the system would automatically reboot, crashing because of a file named spooldr.sys, i removed the file and other related files but i'm not sureif the problem with this still persists.

here's a log i recieved from the computer, transfered to my laptop with a flash drive.

Logfile of HijackThis v1.99.1
Scan saved at 9:08:47 AM, on 08/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C... Read more A:Solved: Spooldy.sys crashes computer on startup, Wallpaper changed 16 more replies Answer Match 79.8% Tech Support Guy System Info Utility version 1.0.0.1 OS Version: Microsoft Windows 7 Home Premium , 64 bit Processor: Intel(R) Core(TM) i3 CPU M 330 @ 2.13GHz, Intel64 Family 6 Model 37 Stepping 2 Processor Count: 4 RAM: 3894 Mb Graphics Card: Intel(R) Graphics Media Accelerator HD, 1723 Mb Hard Drives: C: Total - 291440 MB, Free - 129156 MB; D: Total - 13499 MB, Free - 2246 MB; E: Total - 99 MB, Free - 95 MB; Motherboard: Hewlett-Packard, 3658, 32.24, CNF0068CHM Antivirus: McAfee Anti-Virus and Anti-Spyware, Updated and Enabled Hi, and thanks in advance for your help to recover missing (or hidden) files. It appears all the programs are gone from the start bar and all the documents are gone. 1. Received McAfee msg that a trojan was found and removed. 2. Received msg that I had hdd problems and needed to reboot. 3. On reboot, window appears stating "An Error Has Occurred" Failed to save settings: An error occurred loading a configuration file: Unable to open file 'C:\Users\xxxxx\AppData\Local\Hewlett-Packard \HPAdvisor.exe_Url_mcixdsg4ikd5i1gipqgefy0tj33souow\3.3.9512.3162\user.config' for writing because it is read-only or hidden. (C:\Users\xxxxx\AppData\Local\Hewlett-Packard \HPAdvisor.exe_Url_mcixdsg4ikd5i1gipqgefy0tj33souow\3.3.9512.3162\user.config) OK 4. Downloaded and ran Malwarebytes which found 5 objects were infected. 5. Selected to remove them (log report is below) 6. Rebooted to completed the removal process, but files (documents & pro... Read more A:Files & Docs not visible, wallpaper changed, Trojan.FakeAlert It took a while because the MyDocs are not visible, but finally found the HiJackThis log that was run... Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 3:55:47 AM, on 6/14/2011 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16766) Boot mode: Normal Running processes: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\acrotray.exe C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL... Read more 2 more replies Answer Match 79.8% I copied an "inspirational saying" from a Facebook page and I felt something change. It copied, but I deleted it. My desktop wallpaper changed to a black background with heart and spade cards, fb people, other symbols, & the words Facebook twice. The whole image is distorted and stretched out. I immediately ran a full Norton Anti-Virus Scan and a CCleaner.com scan. I ran Norton's NPE.exe file also. While on FB, a pop-up appeared on the taskbar and said, "Do you want to access this site, security certificate invalid" and I immediately felt like someone else may be controlling my computer. I was already on FB and not trying to access any other site. Help please. When running the GMER, it immediately said, "GMER found system modification caused by root activity" but when I ran it, it kept running the long version and I had to stop it. I unchecked boxes as instructed, but I received no question asking me if I wanted to run the long version...it just kept doing it automatically. I don't know if what I am posting here is correct. I definitely had a problem with it. I appreciate any help you can give me. Thank you. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 6:29:27 AM, on 9/19/2012 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.... Read more More replies Answer Match 78.96% Hi guys, so I have a little problem, I've downloaded FileTypesMan because I wanted to change the .exe files appearance on my computer. I did this using this program - all .exe file icons changed, however, with them changed ALL the shortcuts to all the programs that I have on my laptop - now they all look the same. I can't figure out how to change it all back. Any help would be greatly appreciated. THanks Max View image: Capture - how my Desktop looks now A:Programs shortcuts'icons changed when changed exe file icon appearance Hello Max, and welcome to Seven Forums. If you like, you might see if downloading and merging the .reg file for the listed exe item in the tutorial below may be able to help. It'll restore the default association and registry entries for exe files. Default File Type Associations - Restore 3 more replies Answer Match 78.96% Hi everyone, well before posting this I ran MBAM because my wallpaper changed to a different one saying: "Dangerous Spyware. Many virses were found on your computer...". Every time I tried to open firefox I would get this Mozilla Crash Report. On my quick launch, I'd get a pop up saying "Warning! Security Report...". And my computer is running extremely slow. Surprisingly I was able to run MBAM, here's my log: Malwarebytes' Anti-Malware 1.33 Database version: 1825 Windows 5.1.2600 Service Pack 3 3/7/2009 2:16:03 PM mbam-log-2009-03-07 (14-16-03).txt Scan type: Quick Scan Objects scanned: 94378 Time elapsed: 19 minute(s), 39 second(s) Memory Processes Infected: 11 Memory Modules Infected: 10 Registry Keys Infected: 12 Registry Values Infected: 21 Registry Data Items Infected: 19 Folders Infected: 1 Files Infected: 69 Memory Processes Infected: C:\WINDOWS\Temp\B777.tmp (Backdoor.KeyStart) -> Unloaded process successfully. C:\WINDOWS\Temp\winlognn.exe (Trojan.Agent) -> Unloaded process successfully. C:\Documents and Settings\Mom & Dad\Local Settings\Temp\icna1h7n.exe (Trojan.Agent) -> Unloaded process successfully. C:\Documents and Settings\Mom & Dad\Local Settings\Temp\kcdwgx4ceu5.exe (Trojan.Agent) -> Unloaded process successfully. C:\Documents and Settings\Mom & Dad\Local Settings\Temp\sgpv0sd2v0x.exe (Tr... Read more A:Computer running slow, wallpaper changed, mozilla crash report and more. Hello.You have a backdoor infeciton.Backdoor ThreatIMPORTANT NOTE: Unfortunatly One or more of the identified infections is a backdoor trojan.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do want to continue you should do the following: We will probably need to move you to the HJT-Malware Removal forum afterwards.Run MBAM again and this time Update It and run a Full Scan.Next please run Smitfra... Read more 7 more replies Answer Match 78.54% Hi all- Apologies in advance as I am not exactly technologically sound. I tried plugging in my digital camera today, and though it did not come up, I hunted down the Removable Disk (E) drive, which I figured would open it. It told me that I had to choose a program to open it with, so I chose some kind of picture viewer. Then all the icons on my desktop turned into said picture viewer, and I cannot open anything but that program from the desktop. Also, when I go into Programs and try to open them, they don't work there either. Help! I am using Windows 7. I have tried System Restore but it told me that it could not complete it and gave me some kind of error message with 0x80070005. It recommended that I turn off my protection or whatever to complete it, but I have Norton 360 and no idea how to turn it off! Any help is greatly appreciated- we just bought this computer in November and now my husband is ticked off! A:Solved: accidentally changed removable disk, now changed every program? Welcome Tuckersmom ! When I connect my camera to either of our computers, the camera itself indicates on the viewer how to handle the pictures.... To replace the icons on the desk top, right click any empty place and select refresh, I think this should restore them for you. My daughter uses Norton 360 and we have found that it disables the system restore. She does regular backups with Norton 360. If you have done that, you should be able to restore from one of those backups. GOOD LUCK Let us know how it goes. Vicks 2 more replies Answer Match 78.54% this is very confusing to me ive never seen it so i found a way back onto the internet by using a shortcut i had. not even sure how to start this. i dont know exactly what i did but everything was changed. i was going to try to watch a movie thats on my laptop, it said 'avi' and when i clicked on it nothing happened. i dragged it into itunes to see if it would play there, nope. i right-clicked it, picked 'open with' VLC, still nothing. right clicked it again and chose windows media center, nothing happened. i tried transfering the folder with the option available in media center, still didnt play. when i closed media center i saw all my desktop stuff was changed to open with media center, i knew immediatly i screwed up pretty bad somewhere. i right clicked internet explorer and changed it to open with internet explorer, it then changed everything to open with internet explorer. when i clicked on internet explorer it didnt open, but it did open the download bar as if i downloaded it. it says "Internet Explorer.Ink" or .lnk. when i click open, the window comes up but closes right away. can someone help me by telling me how to get everything back to normal? A:[SOLVED] changed one thing to open with a different application and it changed everyt It sounds like what you've done is associate a .lnk file (shortcut type) with an application and now all shortcuts will run with that application. The avi file you were referring too may be just that as well: a shortcut. This has also been known to be caused by a malware infection, in which case if you suspect it, you'll have to report it to our security team in the appropriate Virus/Trojan/Spyware Help subforum. This may help with the situation. 5 more replies Answer Match 78.54% Turned on my comupter this morning and got the following errors: I have not opened the computer tower, I have not added or removed any drives: Primary IDE channel NO 80 Conductor cable installed Flopply Disk 40 missing Then restarted system and got this message: "cpu has been changed or CPU Ratio change failed" Hit F1 to continue or DEL go to into setup I have gone to CMOS set up and used f7 to optimize and hit f10 to save come back with the third error. this computer has always done a memory test when it starts up 99% of the time I let it run, total startup time if I do, 10minutes, if I skip memory test still 10 minutes. Now slower than ever trying to start up I have read your various threads and none I found discuss these errors just suddenly apprearing. This computer was a built from scratch by an IT friend of mine who has moved away I have all the documentation that came with it. I have tried system restore back one week did not work, I was following ASK tech page guide and downloaded REGSERVO program came back with 6800 errors and wanted 39.00, well as you know the economy is in the tank and I do not have the extra money, but i do have the extra time if someone could walk me through what to do. I use Norton utilities and clean the drive/registries/and explorer weekly. Please send any advise possible Thank you NascarLady A:sudden error message CPU has been changed or CPU Ratio changed failed REGSERVO is a Rogue program that tells you, you have problems and "we will fix them for you for$39.00!" "But. Wait! for an extra amount for shipping and handling we will really screw your Windows installation up!"

Of course they make you wait until they find the registry errors to tell you that you have to pay \$39.00. I just did a google search on REGSERVO and the only ones that give RegServo good reviews are, and hear is the drum roll, Regservo itself. Stay away from any of these programs that say they will fix your registry then want money to fix the problems they found.

Also there is no need to run any registry cleaner. More often than not it will not help your problem or speed up your computer, and can indeed break your registry to the extent of having to reinstall windows.

If this is the system in yur Computer specs, have you been having any problems with needing to adjust the date and time lately?

1 more replies

Any help appreciated.

I have had the messgage: You Privacy Is In Danger! Download Privacy Protection Software Now, with a red background and bio hazard logo, come up on my PC.

I have looked into other similar viruses, which all say to run a program or remove a certain file. Unfortunately I can't do anything (I don't think). I open up the Start Menu and can not select the 'All programs' button, the 'Run' command the 'Search' button.

In addition there are lots of pop ups saying that my PC is infected and asking me to run 'Vista AntiVirus 2000' which on my XP is obviously a hoax.

What can I do? It seems to have really messed up my PC.

I haven't got HJT and It seems as though I can not open IE to download it.

Just tried safe mode, and that doesn't work either! Arrrhhhhh!!

Aleeg_1981

More replies

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-01-07 20:55:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
30: 2008-01-08 02:56:14 UTC - RP30 - Deckard's System Scanner Restore Point
29: 2008-01-07 21:57:43 UTC - RP29 - Software Distribution Service 3.0
28: 2008-01-07 21:27:13 UTC - RP28 - Microsoft OneCare Protection Checkpoint
27: 2008-01-07 20:37:48 UTC - RP27 - Software Distribution Service 3.0
26: 2008-01-07 20:35:17 UTC - RP26 - Installed Windows Internet Explorer 7.

-- First Restore Point --
1: 2007-12-28 13:54:21 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:36 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe

More replies

Hi,
I recently purchased the

Wintergreen PM800-M2 Socket 478 Barebone Kit / 52x32x52x CD-RW / Modem / 350 Watt Power Supply / Keyboard / Mouse / Speakers

I put in the Prescot 3.0E 1M L2 Catch CPU and 512MB Kingston 3200 DDR ram also it has a Maxtor 60GB 7200RPM hard drive

When I start the pc it gives the message above, also it does not let me save the cmos settings for cpu i.e. it just hangs but it does let me change the settings for date time etc so I think it rules out a bad cmos battery.

I have also double checked the heat sink and fan connection + the memory.

The CPU is running at 58 degrees according to the cmos/bios

Any help would be greatly appreciated

Thanks.

A:Warning! CPU has been changed or CPU ratio changed fail.

I had the same problem (but on an Abit board) - it turned out to be defective memory so I siggest you run memtest for an hour ( www.memtest.org), which is a bootable CD or Floppy.

6 more replies

ok heres my problem my computer has a virus and my desktop is red with a biohazard sign in the middle of it and under that it says "YOUR PRIVACY IS IN DANGER DOWNLOAD PRIVACY PROTECTER NOW" this virus as also added like 4 or 5 new icons on my computer when i get online with it to search for solutions it wouldnt let me go to any actual website it keep redirecting me to ad websites unrealated to what i was searching for. I have searched the web for solutions on my girlfriends laptop but there are no step by step guides for me, since i am a little slow when it comes to computers but if it helps i have windows xp and i hope someone will message me back with some solutions on how to fix this and what this virus actually does because i have some person information on my computer that i would not like to be stolen thanks and plz help!!!!!

More replies

Dell Intel Core 2 Duo Processor E7500 Computer
Inspirion 545s 00
6GB Memory
Antivirus: Avast; Spyware Prevention: Spybot, Spyware Blaster. MalwareBytes, CCleaner, and Super AntiSpyware

I'm not sure if this is a Windows situation or something with a program I use called Paint Shop Pro (PSP), but the page has changed that I view when saving a file within PSP. My apologies for posting if it's not windows related, but thought I'd try here first.

When I save a file, the page save dialog box comes up for me to tell it where to save it. It used to be that the page underneath that box would show the files and folders in the right pane, and in the left pane would be the Explore tree showing what's on computer. Now, when I save something in PSP, I only see the files and folders and not the tree.

If I save a Works document, I do see what I'm used to seeing, so that's what made me think it may just be a malfunction of my PSP program.

I have tried to resize the window as it comes up full screen and it will not let me grab any side to resize. The 2 small black arrows show up only on the left-hand side and won't appear on any other side of the page. However, even with that, it just won't budge.

It just started appearing in this format in the past week -- until then, I saw the Explore Tree as well. It's no biggie and I can live with it, but just wondered why it changed and if there was a way to get it back to what I was used to seeing.

A:Save page has changed

In the Save as dialog, click on Organize, Layout then check Navigation Pane.

9 more replies

I'm not sure what to make of this, however, I'm a paranoid person so what the heck!

This is something I've ignored because it doesn't really seem to have changed the operation of my computer.

What happens:

First Issue: When I start my computer I will see the windows start screen (where the progress bar shows its status), but sometimes when it does the transition to the login page I get a blank screen (like the video card is not detected) and have to shut down and try again. After which, it starts fine the second time around. However, I kind of think this is a hardware conflict with Windows...don't know really.

Second Issue: Normally after a fresh install of Windows the login screen will show the cursor already in the input box. However, after some time the normal login changes and I have to click on the login area to get the input box to show. My paranoid thoughts are that some kind of rootkit has gotten a hold of my system...again not sure just don't have a lot of time to chase down phantoms...
Thanks for any help and sorry if this is vague.
Steve

Neither of these issues sound malware/virus related, at all.

The first could be explained by quite a few things, and we can pursue it further if you like.

The second sounds like a setting that was changed back to default after a fresh install of Windows. You should be able to find the solution in Control Panel > User Accounts. Either that or an update with a Service Pack. Is the PC fully updated?

1 more replies

My startup page is www.yahoo.com.sg
But everytime its changed to

http://searchweb2.com/passthrough/index.html?http://www.yahoo.com.sg/

Even if i change it, it will automatically changed back by itself. I have run ad-aware and spybot. And removed everything thats suspicious. But when i retart my pc, its back again.

Any help?

A:Startup page changed in IE6

2 more replies

Hi there.
When I enter an incorrect address, instead of it querying the default search page (in either IE or firefox), it looks up http://64.28.178.4/index.php and redirects me to a random website, varying from adult entertainment to adult learning.
I have tried using Spybot, Spyware Doctor, Ad-Aware, and looking through hijackthis myself, but cannot find anything unusual.
I'll post a HJT log. Hope someone can help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:53:03, on 24/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

A:Search page changed (I think :P)

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Note: You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU).

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
=====================================
Fix these with HiJackThis – mark them, close IE, click fix checked

O17 - HKLM\System\CCS\Services\Tcpip\..\{EEE2FE52-4BA1-4103-9307-FD5173011990}: NameServer = 85.255.116.101,85.255.112.184

2 more replies

I got a brand new laptop yesterday, spent the entire night transfering all files, installing all apps/updates and unninstalling bloatware (unninstalled McAfee that came with the laptop and installed Bitdefender).

In the middle of all this, I went to open Chrome and suddently I noticed my Google page looked something like this (not a PrtScreen):

And whenever I search something, the results look nothing like they normally look.

Obviously Google doesn't look like this, so obviously I must've got some infection somehow. So I installed Bitdefender and MalwareBytes, and combined they found like 4 or 5 issues that were easily fixed (can't remember the names exactly, but I know one of the infections was a "INetCookie" or something like that in my AppData folder). After that it still shows google like that...

It can't be the USB drives I used to transfer files and apps, because I used Bitdefender on another computer to scan for viruses and found nothing. I also tried clearing cache, history and cookies...nothing. Formatting OS is not an option, this happened while I was preparing everything to make the backup like I wanted it to be...which was probably my biggest mistake, now that I think about it

Random thoughts:

Did you set Chrome with a desired homepage after installation ? Was Chrome part of the file transfer or a new download of Chrome ?

Or uninstall Chrome and run a scan. Should be able to save your Chrome data. Then reinstall.

2 more replies

Can going to a website change your desktop wallpaper ? I have a photo on the main screen that is on my hardrive . One day the main wall paper changed and I put it back and it is ok .
Weird I scanned with freeAVG spywear ,adware ,., spybot I have Norton 2008 IS it was free Aslo protected with free spywearblaster .
No sign of infection. Should I be concerned and can you tell in hijack if there is a problem ?

I am not as computer literate as a lot on this forum and would appreciate what the experts think.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:58:52 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe