Hello,

Im having some problems with my computer, when i rebooted my computer i'm getting a desktop with WARNING You're in Danger , secure yourself right now .. (linked to a company called: smart-security.info) it's spyware but i don't know i can delete it.
My startup page from IE is also changed because of this ad.

My computer is also very slow now..
Do someone know what I must do ?? Thanks.

Hijack Log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ojyxdm.exe
C:\WINDOWS\mstasks2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Downloads\hijackthis1977.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [rqmvlr] C:\WINDOWS\System32\ojyxdm.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [wsock32] C:\WINDOWS\System32\wsock32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8057.365474537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab

Are you a dutchman by any chance? I see you start your internet normally with startpagina.nl
But anyway, you are indeed infected.
First run Ad-aware6.0 and UPDATE accordingly with the [check for updates now] button and afterwards delete everything it finds. Especially bridge.dll

Perform an online virus scan at Trend Micro's Housecall. Remove every virus.

reboot

Download, install and UPDATE Spybot Search and Destroy. Scan and fix all items maked in RED.

reboot

And post your log here again.

Yes im dutch .. :cheesy:

But i did already run ad-aware 6.0 with update.

But i'll do the things u said and post the log after that!
Thanks... :!:

Here 2 Screenshots of the problem (spyware) and the new hijack log file after some changes and after scanning spyware programs.
But stil have the problem... hope someone can help me, thanks :!:

http://www.baroyo.demon.nl/spyware1.jpg

http://www.baroyo.demon.nl/spyware2.jpg

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
Crogram FilesCommon FilesSymantec SharedccSetMgr.exe
Crogram FilesCommon FilesSymantec SharedccEvtMgr.exe
C:WINDOWSsystem32spoolsv.exe
Crogram FilesNorton AntiVirusnavapsvc.exe
C:WINDOWSSystem32svchost.exe
Crogram FilesCommon FilesSymantec SharedccApp.exe
Crogram FilesWinampwinampa.exe
C:WINDOWSSOUNDMAN.EXE
Crogram FilesJavaj2re1.4.2_03binjusched.exe
Crogram FilesMessenger Plus! 3MsgPlus.exe
C:WINDOWSSystem32ctfmon.exe
Crogram FilesU.S. Robotics 802.11g WLANUSRWLANG.exe
Crogram FilesMessengermsmsgs.exe
Crogram FilesInternet Exploreriexplore.exe
C:WINDOWSexplorer.exe
Cownloadshijackthis1977.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = C:WINDOWSsecure.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = C:WINDOWSsecure.html
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = C:WINDOWSsecure.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = C:WINDOWSsecure.html
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSsecure.html
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSsecure.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page_bak = http://www.startpagina.nl/
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Crogram FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - Crogram FilesNorton AntiVirusNavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O4 - HKLM..Run: [ccApp] "Crogram FilesCommon FilesSymantec SharedccApp.exe"
O4 - HKLM..Run: [WinampAgent] Crogram FilesWinampwinampa.exe
O4 - HKLM..Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..Run: [NeroCheck] C:WINDOWSSystem32NeroCheck.exe
O4 - HKLM..Run: [QuickTime Task] "Crogram FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [SunJavaUpdateSched] Crogram FilesJavaj2re1.4.2_03binjusched.exe
O4 - HKLM..Run: [MessengerPlus3] "Crogram FilesMessenger Plus! 3MsgPlus.exe"
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = Crogram FilesMicrosoft OfficeOfficeOSA9.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8057.365474537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R0 - HKCUSoftwareMicrosof tInternet ExplorerMain,Start Page = C:WINDOWSsecure.html
R1 - HKCUSoftwareMicrosof tInternet ExplorerMain,Default _Page_URL = C:WINDOWSsecure.html
R0 - HKLMSoftwareMicrosof tInternet ExplorerMain,Start Page = C:WINDOWSsecure.html
R1 - HKLMSoftwareMicrosof tInternet ExplorerMain,Default _Page_URL = C:WINDOWSsecure.html
R0 - HKCUSoftwareMicrosof tInternet ExplorerMain,Local Page = C:WINDOWSsecure.html
R0 - HKLMSoftwareMicrosof tInternet ExplorerMain,Local Page = C:WINDOWSsecure.html
R0 - HKCUSoftwareMicrosof tInternet ExplorerToolbar,Link sFolderName = Koppelingen

Uninstall Messenger Plus as it comes with LOP. You can reinstall it without the sponsor.

Thanks for the help guys!

Did that solve your problem??

nice to see another dutchmen!

Yes it's solved , but i start up in safe mode and delete the lines from hijack this and reboot my pc.
After that i had still that desktop u see on the screenshot .. I delete that via desktop options in configration screen and changed the desktop options and it was gone!

But thanks again guys!

ps. hup Holland hup

So you refreshed your background? Just gotta hate spyware for ruining a good background.


p.s we gaan winnen! :p