
This popup appears every 5 minutes :

_________________________________
Microsoft Windows Security Warning
_________________________________

Your Windows is corrupted with spyware virus.
You must patch your PC urgently to protect yourself.
Private info is accessed by ports :
-8080
-3128

You can patch your PC for free only now and delete all spyware viruses.
Click OK to choose and download free spyware removal using antiSPY.
(OK) (Cancel)

____________________________________________________________

See this post for the same problem:
http://www.daniweb.com/techtalkforums/showthread.php?p=79432&posted=1#post79432

____________________________________________________________

Tried everything but a reinstall to get rid of this. I've got all my Windows Updates, I'm running Ad-aware and PC-cillin, and I've run every other anti-spam/worm/trojan/virus/spyware app I could find.

I cleaned out my registry start-up entries manually, tried all of this in safe mode too.

Logfile of HijackThis v1.99.0
Scan saved at 7:41:32 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Thanks in Advance


Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/

Reboot and post another log.

Download Shoot the Messenger, then double click on it when you have it. It will disable Windows Messenger.


Thanks for your help, bro.

Unfortunately, the redirect to hotoffers.com persists, even after following your suggestion. I rebooted immediately after removing the entry using HijackThis. Here's the new log:

Logfile of HijackThis v1.99.0
Scan saved at 10:52:38 AM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Any suggestions would be greatly appreciated.


It is very important that all instances of Internet Explorer and any Windows explorer windows are closed before fixing with hijackthis. That is the most common reason for these entries not being fixed.
I see nothing else there other than the R0 entry causing the redirection.


It is very important that all instances of Internet Explorer and any Windows explorer windows are closed before fixing with hijackthis. That is the most common reason for these entries not being fixed.
I see nothing else there other than the R0 entry causing the redirection.

Yo, I feel you on that. I read MANY posts across daniweb, and took all of their advice before posting, I assure you.

Even after closing ALL explorer and internet explorer windows, then removing the entry, the registry entry (or whatever it is) continues to reappear after a few minutes. I've been working on this for a week now....

It all started when my roommate opened an attachment in an email (price.scr). Such a knucklehead, that one.

Anyhow, I'm starting to think there's an application somewhere, or a process that's not apparent. I've tried running HijackThis in safe mode, with all windows closed.... I've even run HijackThis with explorer.exe closed. Upon opening explorer.exe again, it reappears.

I'm about out of ideas, and ready to reinstall, I think....


Thanks crunchie,
j


Thanks again for getting back to me, I really appreciate this.
Here's the log content:

"Silent Runners.vbs", revision 28, launched at: 21:20
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
                                       \StubPath   = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
  -> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [null data]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Got the little sucker :). Can you go to C:\WINDOWS\System32\systr.dll and zip the systr.dll file up and email it to me at number1dad2000atyahoo.com.au (substitute at for @)


Download the Pocket KillBox
Unzip the file to your desktop.
Open TheKillbox.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\System32\systr.dll

When given the option to reboot select yes.

Once back in, scan with HijackThis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/

Let me know how you get on. Please post both logs from silentrunners and HJT.

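The Silent Runners finding above explains why the earlier "Fix checked" never held: the R0 start page was being rewritten by a DLL that Explorer loads into itself through the SharedTaskScheduler key, so closing browser windows, safe mode and even killing explorer.exe could not stop it. As an added example (not code from the thread, HijackThis or Silent Runners), the Python below parses the relevant lines of both logs and reports whether fixing the R0 line alone can stick; the sample log lines, the TRUSTED_HOSTS allowlist and the verdict names are constructed for this illustration.

```python
"""Correlate a HijackThis log with a Silent Runners report to tell a start page
that merely needs fixing from one that an in-process Explorer hook keeps
rewriting (the systr.dll case in this thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed samples, shaped after the logs posted in the thread.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

SILENT_RUNNERS_BEFORE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
  -> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [null data]
"""

# Same section after the DLL was deleted on reboot but the CLSID was still registered.
SILENT_RUNNERS_AFTER = SILENT_RUNNERS_BEFORE.replace("systr.dll [null data]", "systr.dll [file not found]")

# Constructed allowlist of start pages that should not be flagged; adjust to your environment.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com"}

START_PAGE_RE = re.compile(
    r'^R[01] - (HK[A-Z]+)\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = (\S+)')
SECTION_RE = re.compile(r'^HK[A-Z]+\\')   # Silent Runners section headers are bare key paths
ENTRY_RE = re.compile(r'^(INFECTION WARNING! )?"(\{[0-9A-Fa-f-]+\})" = "([^"]*)"')
RESOLVE_RE = re.compile(r'^\s*-> resolves to: .*= (.+?) \[(.*)\]\s*$')


@dataclass
class ShellHook:
    """One CLSID under Explorer\\SharedTaskScheduler: a DLL Explorer loads into its own process."""
    clsid: str
    name: str
    path: str
    tag: str        # Silent Runners trailer: MS, "Vendor", null data, file not found
    warned: bool    # line carried Silent Runners' own INFECTION WARNING! prefix

    @property
    def suspicious(self) -> bool:
        # No vendor/version info on a DLL living inside explorer.exe is the signal in the
        # thread's log; "file not found" afterwards is a stale registration left to clean up.
        return self.warned or self.tag in ("null data", "file not found")


def parse_hjt_start_pages(text):
    """Return (hive, url) for every R0/R1 Start Page line in a HijackThis log."""
    return [(m.group(1), m.group(2)) for m in map(START_PAGE_RE.match, text.splitlines()) if m]


def parse_shared_task_scheduler(text):
    """Pull every entry of the SharedTaskScheduler section out of a Silent Runners report."""
    hooks, in_section, pending = [], False, None
    for line in text.splitlines():
        if SECTION_RE.match(line):
            in_section = line.rstrip().endswith("\\Explorer\\SharedTaskScheduler\\")
            pending = None
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = (bool(m.group(1)), m.group(2), m.group(3))
            continue
        m = RESOLVE_RE.match(line)
        if m and pending:
            warned, clsid, name = pending
            hooks.append(ShellHook(clsid, name, m.group(1).strip('"'), m.group(2).strip('"'), warned))
            pending = None
    return hooks


def triage(hjt_text, sr_text):
    """Explain whether an HJT 'Fix checked' on the R0 line can be expected to hold."""
    pages = [(h, u) for h, u in parse_hjt_start_pages(hjt_text)
             if urlsplit(u).hostname not in TRUSTED_HOSTS]
    hooks = [h for h in parse_shared_task_scheduler(sr_text) if h.suspicious]
    if pages and hooks:
        verdict = "persistent"   # the hook rewrites the value; remove it first (delete on reboot)
    elif pages:
        verdict = "fixable"      # no in-process hook seen; fixing the R0 line should stick
    elif hooks:
        verdict = "stale_hook"   # DLL gone, CLSID still registered; remove it with a .reg fix
    else:
        verdict = "clean"
    return {"verdict": verdict, "start_pages": pages, "hooks": hooks}


if __name__ == "__main__":
    for label, hjt, sr in (("before cleanup", HJT_LOG, SILENT_RUNNERS_BEFORE),
                           ("after KillBox", "", SILENT_RUNNERS_AFTER)):
        result = triage(hjt, sr)
        print(f"{label}: {result['verdict']}")
        for hook in result["hooks"]:
            print(f"  {hook.clsid} {hook.name!r} -> {hook.path} [{hook.tag}]")
```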

AWESOME, you're the man, crunchie. I knew I wasn't losing my mind, and the thought of admitting defeat and reinstalling my OS because of some spyware BS was really just unthinkable.

I believe it's taken care of, here are the logs:

Silent Runners:
"Silent Runners.vbs", revision 28, launched at: 14:27
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
                                       \StubPath   = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
  -> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [file not found]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

_____________________________________________________________
_____________________________________________________________


Hijack This Log:
Logfile of HijackThis v1.99.0
Scan saved at 2:22:12 PM, on 12/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe


Have uploaded a regfile for you. Unzip it then double click the regfile to run it. When asked if you wish to merge, click yes.

Please post your whole hijackthis log and another silent runners log please.


Have uploaded a regfile for you. Unzip it then double click the regfile to run it. When asked if you wish to merge, click yes.

Please post your whole hijackthis log and another silent runners log please.

Thanks again Crunchie, this has completely fixed my problem, I applaud your skill and generosity. You rock.

Logfile of HijackThis v1.99.0
Scan saved at 10:03:56 AM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104263596270
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


_______________________________________________________

"Silent Runners.vbs", revision 28, launched at: 10:02
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default)" = "Windows Desktop Update"
                                       \StubPath   = "regsvr32.exe /s /n /i:U shell32.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{C0351348-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351347-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134A-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134C-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351346-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C0351349-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{C035134B-7B7D-4fcc-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\TortoiseSVN\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


I emailed you with the contents of the dll. Notice the contents from your 1st post? That was written into the dll to give you the warning. :).


Has anyone figured out how to get rid of this popup? I've tried some of the suggestions here and I have only slowed down my system.

Thanks,

Bob


Hi unabobber...you should start your own thread whenever you have a problem, no matter how similar the problems may seem. "Piggybacking" threads isn't allowed, because not only does it take away from the original poster's question, but you also do not get the attention you need for your problem, and it can get pretty confusing. And since this thread has already been marked as solved, you are even less likely to get a response. Click on new thread at the top of the forum, and state your problem, and it may be a good idea to go ahead and post a HijackThis log. Be sure you are using the newest version (1.99.1) and to have it in its own permanent folder, not a temp one. Someone will have a look at it and help you soon I'm sure. :) Good luck!


Hello all.. I have recently found a similar problem to this, but found that it was a different source .dll file. The file that I removed to fix (almost all of) the problem, was C:\Windows\System32\param32.dll. However, I now have a resulting problem, that hopefully someone can help me solve, in that the virus/trojan removed my "Display Property"'s "Desktop", "Screensaver", and "Appearance" tabs. Now, I can't figure out how to get them back - I thought they would come back after removing the virus, but they did not. Any ideas from anyone would be greatly appreciated...


Hello all. My son went onto a website and we ended up being hijacked by hotoffers. I see that other people have had this before and you have tried to help them. I have tried the system that you put down and to no avail. I am not that good on computers, well very bad really. If you could help, could you please send any info that could solve this terrible headache.


This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.
