
The desktop background is locked and shows a message from some spyware: "Your system is infected......". It's my kid's computer and he is freaking out.
I think I got rid of the problem but I still cannot change the desktop back.

I did a HijackThis log.... maybe I didn't get all of it...

HELP !!!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:50 PM, on 12/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070313
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070313
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 95.211.99.111 google.ae
O1 - Hosts: 95.211.99.111 google.as
O1 - Hosts: 95.211.99.111 google.at
O1 - Hosts: 95.211.99.111 google.az
O1 - Hosts: 95.211.99.111 google.ba
O1 - Hosts: 95.211.99.111 google.be
O1 - Hosts: 95.211.99.111 google.bg
O1 - Hosts: 95.211.99.111 google.bs
O1 - Hosts: 95.211.99.111 google.ca
O1 - Hosts: 95.211.99.111 google.cd
O1 - Hosts: 95.211.99.111 google.com.gh
O1 - Hosts: 95.211.99.111 google.com.hk
O1 - Hosts: 95.211.99.111 google.com.jm
O1 - Hosts: 95.211.99.111 google.com.mx
O1 - Hosts: 95.211.99.111 google.com.my
O1 - Hosts: 95.211.99.111 google.com.na
O1 - Hosts: 95.211.99.111 google.com.nf
O1 - Hosts: 95.211.99.111 google.com.ng
O1 - Hosts: 95.211.99.111 google.ch
O1 - Hosts: 95.211.99.111 google.com.np
O1 - Hosts: 95.211.99.111 google.com.pr
O1 - Hosts: 95.211.99.111 google.com.qa
O1 - Hosts: 95.211.99.111 google.com.sg
O1 - Hosts: 95.211.99.111 google.com.tj
O1 - Hosts: 95.211.99.111 google.com.tw
O1 - Hosts: 95.211.99.111 google.dj
O1 - Hosts: 95.211.99.111 google.de
O1 - Hosts: 95.211.99.111 google.dk
O1 - Hosts: 95.211.99.111 google.dm
O1 - Hosts: 95.211.99.111 google.ee
O1 - Hosts: 95.211.99.111 google.fi
O1 - Hosts: 95.211.99.111 google.fm
O1 - Hosts: 95.211.99.111 google.fr
O1 - Hosts: 95.211.99.111 google.ge
O1 - Hosts: 95.211.99.111 google.gg
O1 - Hosts: 95.211.99.111 google.gm
O1 - Hosts: 95.211.99.111 google.gr
O1 - Hosts: 95.211.99.111 google.ht
O1 - Hosts: 95.211.99.111 google.ie
O1 - Hosts: 95.211.99.111 google.im
O1 - Hosts: 95.211.99.111 google.in
O1 - Hosts: 95.211.99.111 google.it
O1 - Hosts: 95.211.99.111 google.ki
O1 - Hosts: 95.211.99.111 google.la
O1 - Hosts: 95.211.99.111 google.li
O1 - Hosts: 95.211.99.111 google.lv
O1 - Hosts: 95.211.99.111 google.ma
O1 - Hosts: 95.211.99.111 google.ms
O1 - Hosts: 95.211.99.111 google.mu
O1 - Hosts: 95.211.99.111 google.mw
O1 - Hosts: 95.211.99.111 google.nl
O1 - Hosts: 95.211.99.111 google.no
O1 - Hosts: 95.211.99.111 google.nr
O1 - Hosts: 95.211.99.111 google.nu
O1 - Hosts: 95.211.99.111 google.pl
O1 - Hosts: 95.211.99.111 google.pn
O1 - Hosts: 95.211.99.111 google.pt
O1 - Hosts: 95.211.99.111 google.ro
O1 - Hosts: 95.211.99.111 google.ru
O1 - Hosts: 95.211.99.111 google.rw
O1 - Hosts: 95.211.99.111 google.sc
O1 - Hosts: 95.211.99.111 google.se
O1 - Hosts: 95.211.99.111 google.sh
O1 - Hosts: 95.211.99.111 google.si
O1 - Hosts: 95.211.99.111 google.sm
O1 - Hosts: 95.211.99.111 google.sn
O1 - Hosts: 95.211.99.111 google.st
O1 - Hosts: 95.211.99.111 google.tl
O1 - Hosts: 95.211.99.111 google.tm
O1 - Hosts: 95.211.99.111 google.tt
O1 - Hosts: 95.211.99.111 google.us
O1 - Hosts: 95.211.99.111 google.vu
O1 - Hosts: 95.211.99.111 google.ws
O1 - Hosts: 95.211.99.111 google.co.ck
O1 - Hosts: 95.211.99.111 google.co.id
O1 - Hosts: 95.211.99.111 google.co.il
O1 - Hosts: 95.211.99.111 google.co.in
O1 - Hosts: 95.211.99.111 google.co.jp
O1 - Hosts: 95.211.99.111 google.co.ug
O1 - Hosts: 95.211.99.111 google.co.uk
O1 - Hosts: 95.211.99.111 google.co.za
O1 - Hosts: 95.211.99.111 google.co.zm
O1 - Hosts: 95.211.99.111 google.com
O1 - Hosts: 95.211.99.111 google.com.af
O1 - Hosts: 95.211.99.111 google.com.ag
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Ddede] rundll32.exe "C:\WINDOWS\ufudelub.dll",Startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-24379480-3997785782-2581516009-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'User')
O4 - HKUS\S-1-5-21-24379480-3997785782-2581516009-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'User')
O4 - HKUS\S-1-5-21-24379480-3997785782-2581516009-1005\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'User')
O4 - HKUS\S-1-5-21-24379480-3997785782-2581516009-500\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\notepad.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\notepad.exe (User 'Default user')
O4 - Startup: PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://www-cdn.freerealms.com/gamedata/plugins/1.0.3.93/FreeRealmsInstaller.cab?v=1044
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{239F4BF3-0C62-4322-BF62-0C538EBFB095}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC03058C-012C-4299-8F7F-34750E3FD1CA}: NameServer = 193.104.110.38,4.2.2.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\yemiruje.dll c:\windows\system32\mowukiwe.dll,puwisuro.dll
O21 - SSODL: kemegeron - {ab51671d-ef49-47c8-9adf-3585e07b5293} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {ab51671d-ef49-47c8-9adf-3585e07b5293} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RemotePC Support (remote support) - Pro Softnet Corp - C:\Program Files\Remote Support Host\RemoteSH.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13955 bytes

Last Post by unitedwaykat

I see some problems: getantivirusplusnow.com and any other item with that name shows as an infection on my computer when I try to go to that site. This is in the hosts log. Try restarting your computer and hit the F8 key and choose "Safe Mode with Networking". When that loads, go to your Norton AntiVirus and run a total scan to see if that will catch it and quarantine those items. A favorite trick is for a message to show up on your screen saying "Your computer is infected - Go to this site now to remove it", when actually, by clicking on that, you launch the virus. Always avoid those UNLESS it is from your own antivirus program.
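An added triage script (not from the thread, and not HijackThis's own logic) that applies the check the reply points at and the other entry types the log above shows: it flags a replaced UserInit, hosts entries that point public names at a non-loopback address (a loopback entry blocks a site; anything else silently redirects it), Run entries launched from TEMP or the Windows root, and lists statically configured DNS servers so they can be verified against the router or ISP. The sample lines are constructed from values in the log above; the heuristics are assumptions chosen here, not a published rule set.

```python
import re
from pathlib import PureWindowsPath

# Hosts entries pointing at these addresses block a name; any other
# address means the name is being redirected somewhere else.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in HijackThis line format, built from the log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 95.211.99.111 google.com
O4 - HKLM\..\Run: [Ddede] rundll32.exe "C:\WINDOWS\ufudelub.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\notepad.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC03058C-012C-4299-8F7F-34750E3FD1CA}: NameServer = 193.104.110.38,4.2.2.1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def triage(log_text):
    """Return (section, detail) findings for F2, O1, O4 and O17 entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Windows XP's own logon helper is userinit.exe; anything else is a hijack.
            exe = line.split("UserInit=", 1)[1].split(",")[0].strip()
            if PureWindowsPath(exe).name.lower() != "userinit.exe":
                findings.append(("F2", f"UserInit replaced: {exe}"))
        elif line.startswith("O1 - Hosts:"):
            ip, host = line.split("Hosts:", 1)[1].split()
            if ip not in LOOPBACK:
                findings.append(("O1", f"{host} redirected to {ip}"))
        elif line.startswith("O4 - ") and "Run:" in line:
            # Heuristic: autoruns from TEMP or a DLL dropped directly in C:\WINDOWS.
            cmd = line.split("]", 1)[1].strip().upper()
            if "\\TEMP\\" in cmd or re.search(r'C:\\WINDOWS\\[^\\"]+\.DLL', cmd):
                findings.append(("O4", line.split("Run: ", 1)[1]))
        elif line.startswith("O17 - ") and "NameServer" in line:
            # Static resolvers are not proof of compromise; list them for review.
            servers = line.split("=", 1)[1].replace(" ", "").split(",")
            findings.append(("O17", "static DNS servers: " + ", ".join(servers)))
    return findings

if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(section, detail)
```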
