"Your Windows is corrupted with spyware virus" Popup

Question

JohnnyMitchell 0 Newbie Poster

19 Years Ago

This popup appears every 5 minutes :

_________________________________
Microsoft Windows Security Warning
_________________________________

Your Windows is corrupted with spyware virus.
You must patch your PC urgently to protect yourself.
Private info is accessed by ports :
-8080
-3128

You can patch your PC for free only now and delete all spyware viruses.
Click OK to choose and download free spyware removal using antiSPY.
(OK) (Cancel)

____________________________________________________________

See this post for the same problem:
http://www.daniweb.com/techtalkforums/showthread.php?p=79432&posted=1#post79432

____________________________________________________________

Tried everything but a reinstall to get rid of this. Ive got all my Windows Updates, I'm running ad-aware and PC-Cillan, and I've run every other anti-spam/worm/trojan/virus/spyware app I could find.

I cleaned out my registry start-up entries manually, tried all of this in safe mode too.

Logfile of HijackThis v1.99.0
Scan saved at 7:41:32 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks in Advance

windows-virus

6 Contributors
19 Replies
895 Views
6 Months Discussion Span
Latest Post 18 Years Ago Latest Post by crunchie

All 19 Replies

crunchie 990 Most Valuable Poster

19 Years Ago

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/

Reboot and post another log.

Download shoot the messenger then double click on it when you have it. It will disable Windows messenger.

crunchie 990 Most Valuable Poster

19 Years Ago

It is very important that all instances of Internet Explorer and any Windows explorer windows are closed before fixing with hijackthis. That is the most common reason for these entries not being fixed.
I see nothing else there other than the R0 entry causing the redirection.

crunchie 990 Most Valuable Poster

19 Years Ago

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

crunchie 990 Most Valuable Poster

19 Years Ago

Got the little sucker :). Can you go to C:\WINDOWS\System32\systr.dll and zip the systr.dll file up and email it to me at number1dad2000atyahoo.com.au (substitute at for @)

Download the Pocket KillBox
Unzip the file to your desktop.
Open TheKillbox.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\System32\systr.dll

When given the option to reboot select yes.

Once back in Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/

Let me know how you get on. Please post both logs from silentrunners and HJT.

crunchie 990 Most Valuable Poster

19 Years Ago

Have uploaded a regfile for you. Unzip it then double click the regfile to run it. When asked if you wish to merge, click yes.

Please post your whole hijackthis log and another silent runners log please.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

JohnnyMitchell 0 Newbie Poster · Answer 1 · 2004-12-30T21:55:00+00:00

Thanks for your help, bro.

Unfortunately, the redirect to hotoffers.com persists, even after following your suggestion. I rebooted immediately after removing the entry using hijack this. heres the new log

Logfile of HijackThis v1.99.0
Scan saved at 10:52:38 AM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Any suggestions would be greatly appreciated.

JohnnyMitchell 0 Newbie Poster · Answer 2 · 2004-12-31T00:05:44+00:00

It is very important that all instances of Internet Explorer and any Windows explorer windows are closed before fixing with hijackthis. That is the most common reason for these entries not being fixed.
I see nothing else there other than the R0 entry causing the redirection.

Yo, I feel you on that. I read MANY posts across daniweb, and took all of their advice before posting, i assure you.

Even after closing ALL explorer and internet explorer windows, then removing the entry, the registry entry (or whatever it is) continues to reappear, after a few minutes. I've been working on this for a week now....

It all started when my roommate opened an attachment in an email (price.scr). Such a knucklehead, that one.

Anyhow, I'm starting to think theres an application somewhere, or a process thats not apparent. Ive tried running hijack this in safe mode, with all windows closed.... ive even run hijack this with explorer.exe closed. upon opening explorer.exe again, it reappears.

Im about out of ideas, and ready to reinstall, i think....

thaks crunchie,.
j

JohnnyMitchell 0 Newbie Poster · Answer 3 · 2004-12-31T08:22:37+00:00

thanks again for getting back to me, I really appreciate this.
Heres the log content:

"Silent Runners.vbs", revision 28, launched at: 21:20
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
                                       \StubPath   = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
  -> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [null data]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

JohnnyMitchell 0 Newbie Poster · Answer 4 · 2005-01-01T01:30:53+00:00

AWESOME, Youre the man, crunchie. I knew I wasnt losing my mind, and the thought of admitting defeat and reinstalling my OS because of some spyware BS was really just unthinkable.

I believe its taken care of, heres the logs:

Silent Runners:
"Silent Runners.vbs", revision 28, launched at: 14:27
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
                                       \StubPath   = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
  -> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [file not found]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

_____________________________________________________________
_____________________________________________________________


Hijack This Log:
Logfile of HijackThis v1.99.0
Scan saved at 2:22:12 PM, on 12/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

JohnnyMitchell 0 Newbie Poster · Answer 5 · 2005-01-05T01:48:02+00:00

Have uploaded a regfile for you. Unzip it then double click the regfile to run it. When asked if you wish to merge, click yes.

Please post your whole hijackthis log and another silent runners log please.

Thanks again Crunchie, this has completely fixed my problem, I applaud your skill and generosity. You rock.

Logfile of HijackThis v1.99.0
Scan saved at 10:03:56 AM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [url]http://*.windowsupdate.microsoft.com[/url] 
O15 - Trusted Zone: [url]http://*.windowsupdate.com[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104263596270[/url]
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


_______________________________________________________

"Silent Runners.vbs", revision 28, launched at: 10:02
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
                                       \StubPath   = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2005-01-05T03:06:30+00:00

crunchie 990 Most Valuable Poster

19 Years Ago

Nice and clean. Thank you too :).

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2005-01-05T19:09:41+00:00

I emailed you with the contents of the dll. Notice the contents from your 1st post? That was written into the dll to give you the warning. :).

unabobber 0 Newbie Poster · Answer 8 · 2005-03-09T08:58:53+00:00

Has anyone figued out how to get rid of this popup? I've tried some of the suggestions here and i have only slowed down my system.

Thanks,

Bob

This popup appears every 5 minutes :
_________________________________
Microsoft Windows Security Warning
_________________________________
Your Windows is corrupted with spyware virus.
You must patch your PC urgently to protect yourself.
Private info is accessed by ports :
-8080
-3128
You can patch your PC for free only now and delete all spyware viruses.
Click OK to choose and download free spyware removal using antiSPY.
(OK) (Cancel)
____________________________________________________________
See this post for the same problem:
http://www.daniweb.com/techtalkforums/showthread.php?p=79432&posted=1#post79432
____________________________________________________________
Tried everything but a reinstall to get rid of this. Ive got all my Windows Updates, I'm running ad-aware and PC-Cillan, and I've run every other anti-spam/worm/trojan/virus/spyware app I could find.
I cleaned out my registry start-up entries manually, tried all of this in safe mode too.
Logfile of HijackThis v1.99.0
Scan saved at 7:41:32 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks in Advance

deonnanicole 5 Posting Whiz in Training · Answer 9 · 2005-03-09T19:30:21+00:00

Hi unabobber...you should start your own thread whenever you have a problem, no matter how similar the problems may seem. "Piggybacking" threads isn't allowed, because not only does it take away from the originial poster's question, but you also do not get the attention you need for your problem, and it can get pretty confusing. And since this thread has already been marked as solved, you are even less likely to get a response. Click on new thread at the top of the forum, and state your problem, and it may be a good idea to go ahead and post a HijackThis log. Be sure you are using the newest version (1.99.1) and to have it in it's own permanent folder, not a temp one. Someone will have a look at it and help you soon I'm sure. :) Good luck!

KbCb 0 Newbie Poster · Answer 10 · 2005-04-21T20:48:44+00:00

Hello all.. I have recently found a similar problem to this, but found that it was a different source .dll file. The file that I removed to fix (almost all of) the problem, was C:\Windows\System32\param32.dll. However, I now have a resulting problem, that hopefully someone can help me solve, in that the virus/trojan removed my "Display Property"'s "Desktop", "Screensaver", and "Appearance" tabs. Now, I can't figure out how to get them back - I thought they would come back after removing the virus, but they did not. Any ideas from anyone would be greatly appreciated...

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 11 · 2005-04-22T03:16:02+00:00

Download the following file and double click to run it. Set a system restore point first!!
The file is for Windows XP only!!

http://www.kellys-korner-xp.com/reg.../desktoptab.reg

KbCb 0 Newbie Poster · Answer 12 · 2005-04-22T21:30:35+00:00

KbCb 0 Newbie Poster

18 Years Ago

Sure enough... That fixed it. Thank you!

BILLY MAC 0 Newbie Poster · Answer 13 · 2005-07-07T01:44:21+00:00

Hello all. My son went onto a website and we ended up being hijacked by hotoffers. I see that other people have had this before and you have tried to help them. I have tried the system that you put down and to no avail. I am not that good on computers well very bad really. If you could help could you please sent any info that could solve this terrible headache.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 14 · 2005-07-15T19:25:35+00:00

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.

"Your Windows is corrupted with spyware virus" Popup

Recommended Answers Collapse Answers

All 19 Replies

Recommended Answers